#1 formal methods – introduction for software engineering

Preparedby:SharifOmarSalem–ssalemg@gmail.com
Prepared by: Sharif Omar Salem – ssalemg@gmail.com
0

 Scientists Quotes
 Problems in software development
 Formal Logic
 Formal Methods
 Why to use FM techniques
 Case studies
 Specification
 Verification
 Overview of programming paradigms
 Formal Methods Tools and Notations
1

 Teaching to unsuspecting youngsters
the effective use of formal methods is
one of the joys of life because it is so
extremely rewarding
(Edgser Dijkstra)
2

 A more mathematical approach is inevitable.
Professional software development—not the everyday
brand practiced by the public at large—will become
more like a true engineering discipline, applying
mathematical techniques.
I don't know how long this evolution will take, but it will
happen. The basic theory is there, but much work
remains to make it widely applicable.
(Bertrand Meyer, a pioneer of object technology)
3

 Software engineers want to be real engineers. Real
engineers use mathematics.
Formal methods are the mathematics of software
engineering. Therefore, software engineers should
use formal methods.
(Mike Holloway, NASA)
4

 How to ensure that S is not ambiguous so that it can be correctly
understood by all the people involved?
 How can S be effectively used for inspecting and testing P?
 How can software tools effectively support the analysis of S,
transformation from S to P, and verification of P against S?
S P
Construct
Specification Program
What to do How to do it
5

Testing
Requirements
analysis
Design
Coding
Formal
Specification
Validation
Verification
Verification
6

Simulation Testing Verification
Run-time
monitoring
7

Simulation
 Means constructing a model of an existing system to be studied or a
system to be built and then executing actions allowed in this model.
 The model can be:
 a physical entity (e.g., scale clay model) or
 a computer representation.
Testing
 Is a technique for detecting errors or problems in implemented
software, hardware, or non-computer systems.
 It consists of executing or operating the system to be tested using a
finite set of inputs and then checking to see if the corresponding
outputs or behavior are correct with respect to the specifications.
8

Verification
 Is the procedure of confirming that software meets its requirement.
In other words it means checking the software with admiration to
the specification.
Real time monitoring
 Apply your final software in a real world input data.
 ( like beta release software)
9

• Multiple definitions
 Foundation for organized and careful method of thinking that
characterizes reasoned activity.
 The study of reasoning : specifically concerned with whether
something is correct or false.
 Formal logic focuses on the relationship between statements as
opposed to the content of any particular statement.
10

Either it’s the fuel filter or it’s the fuel pump.
It’s not the fuel filter.
 It’s the fuel pump.
Example 1: Imagine you’re a mechanic and you know
that either the fuel filter is clogged or the fuel pump
is defective. But you just replaced the fuel filter. So
you know the problem must be with the fuel pump.
11

 Major goal of software engineers
 Develop reliable systems………..how?
 Formal Methods
 Mathematical languages, techniques and tools
 Used to specify and verify systems
 Goal: Help engineers construct more reliable systems
 A mean to examine the entire state space of a design (whether
hardware or software)
 Establish a correctness or safety property that is true for all possible
inputs
12

 Formal methods are mathematical techniques for developing
computer-based software and hardware systems.
 In computer science and software engineering, formal methods are
a particular kind of mathematically-based techniques for the
specification, development and verification of software and
hardware systems.
13

What is formal methods?
Formal methods = Formal Specification (Formal Notation)
+
Refinement
+
Formal Verification (Logical Calculus)
Set theory, logics, algebra, etc.
14

 Past years of the formal methods
 Obscure notation
 Non-scalable techniques
 Inadequate tool support
 Hard to use tools
 Very few case studies
 Not convincing for practitioners
 Nowadays
 Trying to find more rigorous notations
 Model checking and theorem proving complement simulation in
Hardware industry
 More industrial sized case studies
 Researchers try to gaining benefits of using formal methods
 …
15

 Formal methods can be applied at various points through the
development process
 Specification
 Verification
 Specification: Give a description of the system to be developed, and
its properties
 Verification: Prove or disprove the correctness of a system with
respect to the formal specification or property
16

 The use of formal methods can contribute to the reliability and
robustness of a design.
 However, the high cost of using formal methods means that they are
usually only used in the development of high-integrity systems,
where safety or security is of utmost importance.
 Transport, communications, health and energy are all representative
examples of critical system where errors is not permitted.
 A classic approach to ensuring the adequacy of a software system
is testing or simulation.
 But most of commercial system have a bug report with every release.
 To mention some data, in 2002 the North-American Institute for
Standards and Technologies estimated the cost of bugs in the
American economy to ascend to 59 billion dollars.
17

 In 1994 an error was discovered in the implementation
of division operations by Pentium processors. Even
though millions of processors had by then been sold,
Intel was forced to exchange (free of charge) all the
units produced .
 Beyond the financial impact, the media emphasized
the loss of confidence shown by Intel users (i.e. the
computer manufacturing industry) that had a much
broader and dramatic effect to the company.
18

 It is very important to note that formal verification does not obviate
the need for testing and other assertion techniques.
 Formal verification cannot fix bad assumptions in the design, but it
can help identify errors in reasoning which would otherwise be left
unverified.
 In several cases, engineers have reported finding flaws in systems
once they reviewed their designs formally .
 So, Formal Verification if used, it will be used as an additional tools
for assertions and not as a replacement tool.
19

 The CICS project
 CICS: Customer Information Control System
 The on-line transaction processing system of choice for large IBM
installations
 In the 1980s Oxford Univ. and IBM Hursley Labs formalized parts of
CICS with Z
 There was an overall improvement in the quality of the product
 It is estimated that it reduced 9% of the total development cost
 This work won the Queen’s Award for Technological
 The highest honor that can be bestowed on a UK company.
20

 Intel uses formal verification quite extensively
 Verification of Intel Pentium 4 floating-point unit with a mixture of STE
and theorem proving
 Verification of bus protocols using pure temporal logic model checking
 Verification of microcode and software for many Intel Itanium floating-
point operations, using pure theorem proving
 FV found many high-quality bugs in P4 and verified “20%” of design
 FV is now standard practice in the floating-point domain
21

 Small Aircraft Transportation System (SATS)
 Use of a software system that will sequence aircraft into the SATS
airspace in the absence of an airport controller
 There are serious safety issues associated with these software
systems and their underlying key algorithms
22

 The criticality of such software systems necessitates that strong
guarantees of the safety be developed for them
 Under the SATS program NASA Langley researchers are currently
investigating rigorous verification of these software system using
formal methods
 Modeling and Verification of Air Traffic
 Conflict Detection and Alerting
 …
23

 Using a language with a mathematically defined syntax and
semantics
 System properties
 Functional behavior
 Timing behavior
 Performance characteristics
 Internal structure
24

 Specification has been most successful for behavioral properties
 A trend is to integrate different specification languages
 Each enable to handle a different aspect of a system
 Some other non-behavioral aspects of a system
 Performance
 Real-time constraints
 Security policies
 Architectural design
25

 Formal methods for specification of the sequential systems
 Z (Spivey 1988)
 Constructive Z (Mirian 1997)
 VDM (Jones 1986)
 Larch (Guttag & Horning 1993)
 States are described in rich math structures (set, relation, function)
 Transition are described in terms of pre- and post- conditions
26

 Formal methods for specification of the concurrent systems
 CSP (Hoare 1985)
 CCS (Milner 1980)
 Statecharts (Harel 1987)
 Temporal Logic (Pnueli 1981)
 I/O Automata (Lynch and Tuttle 1987)
 States range over simple domains, like integers
 Behavior is defined in terms of sequences, trees, partial orders of
events
27

Two well established approaches to verification
 Model Checking
 Theorem Proving
Model checking
 Build a finite model of system and perform an exhaustive search
Theorem Proving
 Mechanization of a logical proof
28

 Both the system and its desired properties are expressed in some
mathematical logic
 Theorem proving is the process of finding a proof from the axioms
of the system
 It can be roughly classified
 Highly automated programs
 Interactive systems with special purpose capabilities
 In contrast to model checking, it can deal with infinite space
 Relies on techniques like reduction.
29

Transition System
(Automaton, Kripke structure)
System Description
(VERILOG, VHDL, SMV)
Informal
Specification
Temporal Logic Formula
(CTL, LTL, etc.)
 Build a mathematical graphical model of the system:
 what are possible behaviors?
 Write correctness requirement in a specification language:
 what are desirable behaviors?
 Analysis: (Automatically) check that model satisfies specification
 Analysis is performed by an algorithm (tool)
 Analysis gives counterexamples for debugging
30

 Model checking is completely automatic
 It produces counter examples
 The counter example usually represents subtle error in design
 The main disadvantage : state explosion problem!
31

 Imperative programming
 is a programming paradigm that describes computation in terms of
statements that change a program state.
 Imperative programs define sequences of commands for the computer
to perform. It define how to achieve the system goals.
 The focus is on How (what steps) the computer should take rather
than what the computer will do
 (ex. C, C++, Java).
 Object Oriented Languages counted as advanced leases from the
original languages.
32

 Declarative programming
 is a programming paradigm that expresses the logic of a computation
without describing its control flow.
 It attempts to minimize or eliminate side effects by describing what the
program should accomplish, rather than describing how to go about
accomplishing it.
 The focus is on what the computer should do rather than how it
should do it
 (ex. SQL, ProLog, Z notation).
33

 Functional programming
 is a programming paradigm that treats computation as the evaluation
of mathematical functions and avoids state and mutable data.
 It emphasizes the application of functions.
 Functional programming has its roots in the lambda calculus.
 It is a subset of declarative languages that has heavy focus on
recursion.
 (ex. Lisp, Schema, Haskell).
34

The following is a sample of some tools and notations using Formal
Methods techniques . Keep in mind that there is many other tools.
 Z Notation: the formal specification notation Z (pronounced "zed"),
useful for describing computer-based systems, is based on Zermelo-
Fraenkel set theory and first order predicate logic.
 Alloy Analyzer: an object modeling notation that is compatible with
development approaches such as UML, and Catalysis, strongly
influenced by the Z specification language.
35

 VCC: Microsoft Research - VCC is a mechanical verifier for concurrent
C programs. VCC takes a C program, annotated with function
specifications, data invariants, loop invariants, and ghost code, and
tries to prove these annotations correct. If it succeeds, VCC promises
that your program actually meets its specifications.
 JML (Java Modeling Language): a behavioral interface specification
language for Java.
 ESC/Java2 Extended Static Checker for Java tool, using program
verification technology. It attempts to find common run-time errors in
JML-annotated Java programs by static analysis of the program code
and its formal annotations
36

You can find more information and a list of tools in the following link
 http://formalmethods.wikia.com/wiki/Formal_methods#Individual_nota
tions.2C_methods_and_tools
37

 Scientists Quotes
 Problems in software development
 Formal Logic
 Formal Methods
 Why to use FM techniques
 Case studies
 Specification
 Verification
 Overview of programming paradigms
 Formal Methods Tools and Notations
38

Prepared by: Sharif Omar Salem – ssalemg@gmail.com
39

#1 formal methods – introduction for software engineering

More Related Content

What's hot

Similar to #1 formal methods – introduction for software engineering

More from Sharif Omar Salem

Recently uploaded

#1 formal methods – introduction for software engineering