Formal Methods in Software Engineering A Short Course

Скачать презентацию Formal Methods in Software Engineering A Short Course

acdca6f5d71c8e2983fb3531fbb5974e.ppt

Количество слайдов: 32

Formal Methods in Software Engineering A Short Course on When, Why, and How to use Formal Methods in Software Engineering Richard Wallace Sr. Partner, Quantum Solutions © Quantum Solutions, 1995 -2002 0 2/5

Course Outline n Foundations, Part 1 ¨ ¨ n Foundations, Part 2 ¨ ¨ n Where are the quill pens and chalkboards? (basic tools) How do I get a computer to do this? (IDE) Application, Part 4 ¨ ¨ n What is this Greek? (notation) Why can’t I just code? (methods) Tools, Part 3 ¨ ¨ n Introduction to the Introduction Who needs this? (need) When did this get created? (history) Military/Aerospace Communications Practical Issues, Part 5 ¨ ¨ Educating Program Managers Operational Considerations for the Customer Schedules – or – When is it good enough Lies, Damn lies, and Formal Methods! © Quantum Solutions, 1995 -2002 1

It’s Greek to Me (Notation) n It is mathematics, you’ve seen it before difference of dx/dt and t ? They are both symbols that have specific meaning ¨ The n n n The notation is not novel, new, or hard to understand It’s more about the semantic content than the symbology Remember this from the first session? ¨ Be able to express what is done without saying how it is done (i. e. , non-procedural) © Quantum Solutions, 1995 -2002 2

Notation n n Good notation makes the difference between a transparent interaction, where the actual problem dominates the user's attention, and a nightmare, where the user cannot get the system to do what he wants, and doesn’t understand what the system “thinks it's doing. ” We are talking about a “Begriffsschrift” auf Deutsch is a “formula language” and it is also the title of a short book on logic by Gottlob Frege, published in 1879, and is also the name of the formal system set out in that book. Begriffsschrift is usually translated as concept writing or concept notation, modelled on that of arithmetic, of pure thought. The Begriffsschrift was arguably the most important publication in logic since Aristotle founded the subject. Frege's motivation for developing his formal approach to logic resembled Leibniz's motivation for his calculus ratiocinator. Frege went on to employ his logical calculus in his research on the foundations of mathematics, carried out over the next quarter century. © Quantum Solutions, 1995 -2002 3

Notation Example Both of these aren’t hard and we’ve seen these over and over easy because It’s it is familiar © Quantum Solutions, 1995 -2002 4

Symbology Example (Propositions) © Quantum Solutions, 1995 -2002 1 5

Symbology Example (Propositions) © Quantum Solutions, 1995 -2002 2 6

Pitfalls © Quantum Solutions, 1995 -2002 7

Why can’t I just Code? n Classic reasons ¨ Systems have myriad interactions and do not control their environment as applications can ¨ There has to be an overall design that can be assured to be correct because you can never test it all The increasing size and complexity of software, coupled with concurrency and distributed systems, has made apparent the ineffectiveness of using… tests. The misuse of code coverage and avoidance of random testing has exacerbated the problem. We must start again, beginning with good design – including dependency analysis – good static checking – including model property checking… The convergence of static analysis tools with formal methods is now providing powerful tools for ensuring high-quality units, and to some extent their integration. Too Darned Big to Test, AMC Queue – Quality Assurance, Vol. 3, No. 1 - February 2005, ¨ No one person or small team (< 10) builds a system © Quantum Solutions, 1995 -2002 9

Even the Über-coder Hero Says “Design” ns atio d not hod rocesse s met p tion mal tly be r Fo c enta es ire an d de repr c co into “What Is Software Design: 13 Years Later, ”Jack W. Reeves, 2005, www. developerdotstar. com © Quantum Solutions, 1995 -2002 10

n to tatio 97 n / rese ior P on 4/28 Pr SCRA Program Construction from Formal Specifications Briefing to South Carolina Research Authority (SCRA) Richard Wallace, Senior Consultant Quantum Solutions © Quantum Solutions, 1995 -2002 11

Vision Statement n to tatio 97 n / rese ior P on 4/28 Pr SCRA Given a valid specification a valid implementation can be constructed. n A System is thus “Correct by Design. ” n © Quantum Solutions, 1995 -2002 12

n to tatio 97 n / rese ior P on 4/28 Pr SCRA Goals Reduce System Cost. n Reduce Defects in delivered Product. n Reduce System Redesign Time. n © Quantum Solutions, 1995 -2002 13

n to tatio 97 n / rese ior P on 4/28 Pr SCRA Objective An IDE for construction and proof of Formal Specifications. n Multiple back-end processing creating application specific implementations from Formal Specifications. n © Quantum Solutions, 1995 -2002 14

Situation Today n to tatio 97 n / rese ior P on 4/28 Pr SCRA Tool plethora for aiding in construction of implementations. n Few tools for the construction of specifications. n Sparseare now overtools for proving formal There commercial 25 companies that specifications. list coming up. supply tools… n © Quantum Solutions, 1995 -2002 15

Available Options n to tatio 97 n / rese ior P on 4/28 Pr SCRA Design and Implementation Calculus notations. n Automated/Animated Simulators/ Implementation Notation Generators. n Proof Tools generating application specific implementations. n © Quantum Solutions, 1995 -2002 16

Working Definitions n n to tatio 97 n / rese ior P on 4/28 Pr SCRA Formal Specification u A concise description of behavior and properties written in a mathematically-based language allowing proof via accepted axioms and theorems. n Formal Proof u A series of steps which draws conclusions from a set of accepted axioms and theorems giving a complete argument for the validity of statements that describe a system. © Quantum Solutions, 1995 -2002 17

Working Definitions (Cont. ) n n to tatio 97 n / rese ior P on 4/28 Pr SCRA Specification Animator u Non-formal, “executables” providing highlevel dynamic behavior of the specification. u The animation introduces temporal behavior. u Assists in verification of proof boundaries (temporal, dimensional, conditional). © Quantum Solutions, 1995 -2002 18

Possible Notations. . . n n n n n Acl 2 theorem prover, a successor to the Boyer-Moore theorem prover, prover. Version 1. 8 available now, 1. 9 coming soon. prover. Action Semantics, a framework for specifying formal Semantics, semantics of programming languages. Algebraic Design Language, a higher-order software Language, specification language. Assertion Definition Language Translator (ADLT), a specification based testing tool-set. Auto/Graph, model-based automatic verification of distributed Auto/Graph, communicating systems. BDDs (Binary Decision Diagrams) for finite-state verification BDDs problems. B-Method, including the B-Tool and B-Tool-kit. B-Method, Boyer-Moore theorem prover (a forerunner of Nqthm). Available via ICOT Free Software for use under Unix at ICOT (Japan), SICS (Sweden), GMD (Germany) and Univ. of Oregon (USA). CCS (Calculus of Communicating Systems). An algebra for specifying and reasoning about concurrent systems. Circal (CIRcuit CALculus) System supporting a process (CIRcuit CALculus) algebra which may be used to rigorously describe, verify and simulate concurrent systems. n n n to tatio 97 n / rese ior P on 4/28 Pr SCRA COLD (Common Object-oriented Language for Design), a wide -spectrum specification language. Concurrency Factory, a "next generation" Concurrency Factory, Workbench tool-kit. Coq proof assistant. See also Ct. Coq, a working environment assistant. Coq, for the Coq project theorem prover. COSPAN (COordinated SPecification ANalysis), a general(COordinated ANalysis), purpose rapid-prototyping tool, using the S/R (selection/resolution) language. CSP (Communicating Sequential Processes) including the FDR tool. CWB (Edinburgh Concurrency Workbench) automated toolset. See also the Concurrency Factory and CWB-NC (The Concurrency Workbench of North Carolina), which includes a LOTOS interface, diagnostic infomation, etc. infomation, Note: The CWB and CWB-NC have a common ancestor, but are each under separate development. Dis. Co specification method for reactive systems including a tool developed at the Tampere University of Technology, Finland. Estelle: EDT (Estelle Development Toolset) and example specifications. Esterel language and tools for synchronous reactive systems, including verification support. © Quantum Solutions, 1995 -2002 19

Possible Notations (Cont. ) n n n n n EVES tool, based on ZF set theory, from ORA, Canada. See also Z/EVES which provides a Z front-end to EVES. Both are now available for on-line distribution. Evolving Algebras, University of Michigan, USA. See also Algebras, here, University of Paderborn, Germany. Extended ML framework for the specification and formal development of modular Standard ML programs. GIL, a graphical interval logic tool. See also publications by GIL, Laura Dillon). HOL mechanical theorem proving system, based on Higher Order Logic. Hy. Tech (The HYbrid TECHnology Tool), an automatic tool for the analysis of embedded systems which computes the condition under which a linear hybrid system satisfies a temporal-logic requirement. IMPS, an Interactive Mathematical Proof System intended to IMPS, provide mechanical support for traditional mathematical techniques and styles of practice. Isabelle. See also the Cambridge Automated Reasoning Group Isabelle. and FTP access including an index. JAPE (Just Another Proof Editor) by Bernard Sufrin and Richard Bornat is available via anonymous FTP. See also Mac. OS JAPE. n n n to tatio 97 n / rese ior P on 4/28 Pr SCRA KIV (Karlsruhe Interactive Verifier). A tool for the development of correct software using stepwise refinement. LAMBDA toolset from Abstract Hardware Ltd, UK, supports formal verification for hardware/software co-design. Larch and LP ( Larch Prover). See also DEC SRC's Larch Prover). Home Page and the Larch Project at CMU. The Larch tool set (look at the README file first) is available. Lean. Ta. P, a tableau-based deduction theorem prover for Lean. Ta. P, classical first-order logic. LEGO proof assistant. LOTOS (Language of Temporal Ordering Specifications). See also information from Madrid, Ottawa and Stirling. Lustre synchronous declarative language for programming reactive systems, including verification. Maintainer's Assistant, a tool for reverse engineering and re. Assistant, engineering code using formal methods. Meije tools for the verification of concurrent programs. Includes ATG, a graphical editor/visualizer. Mizar tool, a long-term effort aimed at developing software to tool, support a working mathematician in preparing papers. © Quantum Solutions, 1995 -2002 20

Possible Notations (Cont. ) n n n n n Model Checking at CMU, a method formally verifying finite-state concurrent systems. Available packages include: BDD library with extensions for sequential verification. CV, a VHDL model checker. CSML and MCB, a language for compositional description of finite state machines and a (nonsymbolic) model checker for CTL. SMV (Symbolic Model Verifier) model checker for finite-state systems, using the specification language CTL (Computation Tree Logic), a propositional branching-time temporal logic. See also Word-level SMV for verifying arithmetic circuits efficiently. Mural tool to aid formal reasoning about specifications including a proof assistant and VDM support. See also the Mural Project. Murphi description language and verifier tool for finite-state verification of concurrent systems. Nqthm theorem prover and the Pc-Nqthm interactive ``Proof. Pc-Nqthm checker'' enhancement of the Boyer-Moore Theorem Prover from Computational Logic Inc. See also Nqthm users Gopher information. Nuprl tool based on intuitionistic type theory. OBJ - OBJ 3 and 2 OBJ. Otter, an automated deduction system. Otter, Petri Nets, a formal graphical notation for modelling systems Nets, with concurrency. See also conferences and tools. n n n to tatio 97 n / rese ior P on 4/28 Pr SCRA Pi-calculus, a calculus for mobile processes. See also papers by Pi-calculus, Robin Milner et al. and the Mobility Workbench (see information and a Bib. Te. X bibliography). Pobl. A development method for concurrent object-based Pobl. programs. Proof. Power is a commercial tool, developed by ICL, supporting development and checking of specifications and formal proofs in Higher Order Logic and/or Z. Support for Z uses a deep(ish) embedding of Z into HOL, but includes syntax deep(ish) and type checking customized for Z. Prover Technology, NPL, for automated proof by modelling Technology, systems in propositional logic using a unique patented algorithm. PVS (Prototype Verification System) tool based on classical typed higher-order logic developed at the SRI International Computer Science Laboratory. RAISE language and tools from CRI, Denmark. Rapide language and toolset, for building large-scale distributed multi-language systems. Refinement Calculus by Ralph Back et al. . SDL (Specification and Description Language) from the SDL Forum Society. See also previous site here. SPARK secure subset of Ada, including SPARK Examiner tool for program analysis and verification. © Quantum Solutions, 1995 -2002 21

Possible Notations (Cont. ) n n n n SPIN is an automated verification tool (model checker), using a language based on CSP, for finite state systems, such as CSP, protocols or validation models of distributed systems, developed at AT&T Bell Labs. STe. P, the Stanford Temporal Prover. STe. P, Prover. TAM. The Temporal Agent Model from the Real-Time Systems TAM. Research Group at York University. TLA (Temporal Logic of Actions) has tool support. TPS and ETPS, the Theorem Proving System and the Educational Theorem Proving System. TRIO language and tools for real-time systems, based on temporal logic. TTM/RTTL framework for real-time reactive systems. n n n to tatio 97 n / rese ior P on 4/28 Pr SCRA UNITY, a programming notation and a logic to reason about UNITY, parallel and distributed programs. UPPAAL verification and validation tools for real-time systems. Model checking and simulation with a graphical interface. VDM (Vienna Development Method). See also the Mural tool, VDM text books, VDM++ object-oriented extension, and VDM forum mailing list. VIS (Verification Interacting with Synthesis), a system formal verification, synthesis, and simulation of finite state systems, especially logic circuits. Includes a Verilog HDL frontend. Z notation formal specification. © Quantum Solutions, 1995 -2002 22

n to tatio 97 n / rese ior P on 4/28 Pr SCRA Commercial Companies. . . n n n n n Abstract Hardware Limited, Uxbridge, Middlesex, UK. Limited, Products including the LAMBDA system synthesis tool set and Poly. ML, a commercially supported version of Standard ML. Poly. ML, Services include training courses and consultancy. Adelard, London, UK. Consultancy in the areas of: Adelard, development, verification and assessment; safety cases; standards and guidelines; training and technology transfer. B-Core (UK) Limited, Oxford, UK. B-Tool-kit, based on the BTool. BT Laboratories, Martlesham, Ipswich, UK. Formal Methods Laboratories, Martlesham, Group. Cap Volmac, Utrecht, The Netherlands. VDM++ language and Volmac, tools. Chrysalis Symbolic Design, Inc. , North Billerica, MA, USA. Inc. , Produces software for creating and verifying electronic circuits and systems. Products include Symbolic Logic(tm) technology Logic(tm) to help with formal verification. COMPASS Design Automation, San Jose, CA, USA. VHDL formal verification tool for electronics design automation (EDA). See the interactive tour of the VFormal product. Computational Logic Inc. , Austin, Texas, USA. Nqthm and Inc. , Pc-Nqthm theorem proving tools. Hardware verification Pc-Nqthm including the FM 9001 microprocessor. CRI, Denmark. RAISE language and tools. CRI, CVI (Dutch Rail Automation), Utrecht, The Netherlands. n n n Computer Science Consultancy, UK. fuzz - Z type-checker Consultancy, tool. Digilog, France. Atelier B tool supporting the B-Method. Digilog, DST (Deutsche System-Technik Gmb. H), Kiel, Germany. DST System-Technik f. UZZ - Z tool. Edinburgh Portable Compilers Ltd. , UK. B-Tool. Formal Systems (Europe) Ltd. , Oxford, UK. FDR tool for CSP model checking. GEC Alsthom, Paris, France. Users of the B-Tool. Alsthom, Harlequin, Australia / UK / USA. Consultancy including Harlequin, formal software engineering and reasoning systems. IBM Hursley Park, UK. Park, Technology Center, Clear Lake, Texas USA. Center, IFAD, Odense, Denmark. Products include the VDM Toolbox IFAD, and VDM to C++ Code Generator. Inmos, Bristol, UK. (now SGS-Thomson Microelectronics) Inmos, IST (Imperial Software Technology Ltd), Reading, UK. (Also Cambridge, London, and Palo Alto, USA. ) Software engineering company, including an Advanced Technology Group specializing in the application of formal methods for high -integrity and secure systems. Products include Zola, an integrated editor, type-checker and prover for the Z notation. © Quantum Solutions, 1995 -2002 23

n to tatio 97 n / rese ior P on 4/28 Pr SCRA Commercial Companies (Cont. ) n n n 2007 update: ORA closed n n Kestrel Institute, California, USA. Undertakes research in Institute, applying formal methods and automated reasoning systems to software engineering. K&M Technologies Limited, Dublin, Ireland. Industrial Limited, exploitation of the Irish School of the VDM, etc. Lloyds Register, Croydon, UK. Register, Croydon, Logica UK Limited. Formal methods tools and services, including the Formaliser Z type-checker. Logikkonsult NP AB, Sweden. Products include Prover (a AB, theorem prover for propositional logic extended with finite integer arithmetic) and NP-Tools (a framework for mathematically proving safety properties). ORA, Ottawa, Canada. EVES tool. ORA, Philips Gmb. H Forschungslaboratorien, Aachen, Germany. Forschungslaboratorien, n n n n Praxis, Bath, UK. Praxis Critical Systems have skills in formal Praxis, specification, static analysis, safety engineering. Products include SPARK language and tool support for program verification. Program Validation Limited, UK. (now Praxis Critical Limited, Systems) Research Access Inc. , USA. Specification and verification Inc. , documents. RWTÜV Anlagentechnik, Germany. Anlagentechnik, SRI, Menlo Park, California, USA. Also, Cambridge, UK. SRI, Formal methods information and PVS tool. Telelogic AB, Malmö, Sweden. Products include SDT, a AB, Malmö, software engineering toolset based on SDL, and the ITEX test suite tool. Verilog, USA. See also France. Products include the Verilog, Object. GEODE toolset, based on the OMT, SDL and MSC standards notations, dedicated to analysis, design, verification and validation through simulation, code generation and testing of real-time and distributed applications. © Quantum Solutions, 1995 -2002 24

Which to Use? n to tatio 97 n / rese ior P on 4/28 Pr SCRA Dependent on level of risk. n Dependent on client sophistication. n Dependent on implementation desired. n © Quantum Solutions, 1995 -2002 25

Any “Silver Bullet? ” n n to tatio 97 n / rese ior P on 4/28 Pr SCRA Universal tool for all Formal Specification u None exists. u Formal Methods do not guarantee a perfect product. u “…mathematical rigour cannot eliminate mistakes entirely. All it can do is reduce their likelihood -- drastically. ” (Carroll Morgan, Oxford PRG) © Quantum Solutions, 1995 -2002 26

n to tatio 97 n / rese ior P on 4/28 Pr SCRA Future: Commercial Formal Methods u Based on F Z/EVES &B F STe. P & CSP F Concurrency Factory. Today, ACL 2, PVS, CZT (Z) and their entourage of proof tools u GUI for non-code notations and animation. u Must have multiple implementation generators. u Must have animator for all implementations. u System decomposer using incremental system proofs. © Quantum Solutions, 1995 -2002 27

Formal Methods to Procedural Code 1 n Carroll Morgan’s Programming from Specifications, Second Edition 1998 Provides a calculus to go from specification to an Algol/BCPL based language ¨ Forwards and backwards from specification to code and code to specification ¨ © Quantum Solutions, 1995 -2002 28

Morgan’s Calculus n As a calculus, there is no set “tool” or tool suite that is used as the calculus can be applied to any particular notation (we just saw 70 of them!) n Several Z tools are using this calculus. With the advent of model checking (hardware descriptions) the calculus is seeing more use © Quantum Solutions, 1995 -2002 29

Formal Methods to Procedural Code 2 n Larch ¨ The Larch family of languages supports a two-tiered, definitional style of specification. One language that is designed for a specific programming language, Larch Interface Language (LIL) and another language that is independent of any programming language, Larch Shared Language (LSL). ¨ LILs are bounded to Ada, C, C++, CLU, CORBA, ML, Modula-3, VHDL, and Smalltalk. There also "generic" Larch interface languages that can be specialized for particular programming languages or used to specify interfaces between programs in different languages. © Quantum Solutions, 1995 -2002 30

Languages & notations… À la fin c'est tout le pareil n n Don’t fight over which “color” to use Pick a color and start drawing! © Quantum Solutions, 1995 -2002 31