

Number of slides: 26

Slide 1: Formal Methods
Lawrence Chung
Department of Computer Science
The University of Texas at Dallas

Slide 2: Desirable Properties of Specifications
- Clarity: void of any ambiguities
- Completeness: nothing important missing
- Consistency: no contradictions; no inconsistencies
... no over-specification, no mixed levels of abstraction

Formal Specification
- Objectives: achieve the desirable properties of a specification
- Formal semantics enables requirements or design to be interpreted in only one way, hence enhancing clarity by eliminating the ambiguity that often occurs with a natural language (e.g., English) or a graphical notation.
- Consistency is enhanced by mathematical proofs: facts and inference rules do not lead to counter-facts.

Slide 3: Formal Specification Languages
Three primary components:
- a syntax that defines the specific notation with which the specification is represented, often derived from standard set theory notation and predicate calculus. example:
- semantics to help define a "universe of objects" [WIN 90] that will be used to describe and interpret the system. example:
- a set of relations/rules which should be obeyed by all objects and propositions. example:

Slide 4: Basics: A Brief Review of Set Theory
Sets:
- oneTwoThree == {1, 2, 3}
- Person == {Adam, Eve}
- S: P X (P X == 2^X) --- S is a set of X's; P X is the powerset of X, i.e., the set of all subsets of X
- oneTwoThreeSet == P oneTwoThree == P {1, 2, 3} == ?
- personSet == P Person == P {Adam, Eve} == ?
- |P X| == ?
From [Chung, SA Lecture Notes]

Slide 5: Basics: Set Theory
Sets (cont'd): x memberOf S
- ? 1 memberOf {1, 2, 3}
- ? 1 memberOf P {1, 2, 3}
- ? {1} memberOf P {1, 2, 3}
- ? Adam memberOf P Person
- ? Adam memberOf Person
- ? {Adam, Eve} memberOf P Person

Slide 6: Basics: Set Theory
Sets (cont'd): S subsetOf S'
- ? 1 subsetOf {1, 2, 3}
- ? {1, 2} subsetOf P {1, 2, 3}
- ? {{1, 2}} subsetOf P {1, 2, 3}
- ? Adam subsetOf P Person
- ? Adam subsetOf Person
- ? Person subsetOf Person
- ? {Person} subsetOf P Person

Slide 7: Basics: Set Theory
Sets (cont'd): S X S' (cross/cartesian product)
- oneTwoThree X Person == {1, 2, 3} X {Adam, Eve} == {(1, Adam), (1, Eve), (2, Adam), (2, Eve), (3, Adam), (3, Eve)}
- ? {1, 2} subsetOf {1, 2} X {1, 2}
- S U S', S intersect S', S \ S', etc. (skip)

Slide 8: Basics: Functions
- dom f --- the set of values x for which f(x) is defined
  f(x) = x^2, dom f = {n memberOf N | 1 <= n <= 5}
- ran f --- the set of values yielded by f(x), where x memberOf dom f
  ran f = ?
- f: X -> Y --- f is a total function from X to Y, i.e., f is defined for all x memberOf X, i.e., dom(f) = X
- f: X -|-> Y --- f is a partial function from X to Y, i.e., f is defined for some values in X
- if f(x) = 1/x, ? dom(f) = Z
- ? spouse: Person -> Person

Slide 9: Basics: Functions (cont'd)
- (lambda x: T. t) returns the value of the term t
  (lambda x: N. x^2) 5 == 25
  (lambda x: N. (x^2, 1/x)) == ?
  (lambda x, y: N. (x^2 + y, y - 1/x)) 5 1 == ?

Slide 10: Basics: First Order Logic
- Logical connectives: AND, OR, NOT, =>, <=>
- Quantifiers
  ? Exists n: N. n = n^2
  ? Exists p: Person. p == father(Adam)
  ? Forall i: N. i^2 >= i
  ? Forall i, j: N. i > j => i^2 > j^2
  ? Forall x, y: Person. x == spouse(y) <=> y == spouse(x)
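The set-theory, function and quantifier notation of slides 4 to 10 can be checked mechanically over finite domains. The following Python is an added example, not part of the lecture slides: it builds the powerset, membership, subset and cartesian-product operators, represents a function by its graph so that dom, ran and totality can be inspected, and evaluates Exists/Forall over a bounded range of naturals. The sample sets (oneTwoThree, Person) are the slides' own; the bound of 100 on N is an assumption made here so the quantifiers terminate.

```python
from itertools import product
from typing import Any, Callable, Iterable

# Sample sets from the slides; frozensets so they can themselves be set members.
ONE_TWO_THREE = frozenset({1, 2, 3})
PERSON = frozenset({"Adam", "Eve"})


def powerset(s: frozenset) -> frozenset:
    """P S: the set of all subsets of S, enumerated bit-mask style (2^|S| members)."""
    items = sorted(s, key=repr)
    return frozenset(
        frozenset(x for i, x in enumerate(items) if mask >> i & 1)
        for mask in range(1 << len(items))
    )


def member_of(x: Any, s: frozenset) -> bool:
    return x in s


def subset_of(s: frozenset, t: frozenset) -> bool:
    return s <= t


def cartesian(s: frozenset, t: frozenset) -> frozenset:
    """S X T: the set of ordered pairs (x, y) with x in S and y in T."""
    return frozenset(product(s, t))


def graph(f: Callable[[Any], Any], dom: Iterable) -> dict:
    """A function as a finite set of maplets x |-> f(x); its keys are dom f."""
    return {x: f(x) for x in dom}


def ran(g: dict) -> frozenset:
    return frozenset(g.values())


def is_total(g: dict, x_set: frozenset) -> bool:
    """f: X -> Y holds iff dom f = X; otherwise f is at best partial, X -|-> Y."""
    return frozenset(g) == x_set


def exists(dom: Iterable, p: Callable[[Any], bool]) -> bool:
    return any(p(x) for x in dom)


def forall(dom: Iterable, p: Callable[[Any], bool]) -> bool:
    return all(p(x) for x in dom)


if __name__ == "__main__":
    ps = powerset(ONE_TWO_THREE)
    print(len(ps))                                        # |P X| = 2^|X| = 8
    print(member_of(1, ps))                               # 1 is an element, not a subset
    print(member_of(frozenset({1}), ps))                  # {1} is a subset of {1, 2, 3}
    print(subset_of(frozenset({frozenset({1, 2})}), ps))  # {{1, 2}} subsetOf P {1, 2, 3}
    print(len(cartesian(ONE_TWO_THREE, PERSON)))          # 3 * 2 = 6 pairs
    square = graph(lambda x: x ** 2, range(1, 6))
    print(ran(square))                                    # ran f for dom f = {1..5}
    # 1/x is undefined at 0, so over the integers it is only a partial function.
    recip = graph(lambda x: 1 / x, (x for x in range(-3, 4) if x != 0))
    print(is_total(recip, frozenset(range(-3, 4))))
    N = range(0, 100)                                     # bounded stand-in for N (assumption)
    print(exists(N, lambda n: n == n * n))                # witnesses: 0 and 1
    print(forall(N, lambda i: i * i >= i))
    print(forall(product(N, N), lambda ij: not (ij[0] > ij[1]) or ij[0] ** 2 > ij[1] ** 2))
```

Representing a function by its graph is what makes the total/partial distinction observable: `is_total` simply compares the key set with the declared source set, which is exactly the Z condition dom(f) = X.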

Slide 11: Introduction to Z
- Based on typed set theory and first order logic
- Schemas: a schema consists of a set of declarations of variables and a predicate constraining these variables (i.e., state space and operations)

  ----- BirthdayBook ------------------
  known: P Person
  birthday: Person -|-> Date
  ------------------------------------
  known = dom birthday
  ------------------------------------

One possible state:
  known = {Adam, Caine, Eve}
  birthday = {Adam |-> Apr/01, Eve |-> Apr/01}

Slide 12: BlockHandler in Z (notation described in Table 28.2)
The following example of a schema describes the state of the block handler and the data invariant:

  ----- BlockHandler ------------------
  used, free : P BLOCKS
  BlockQueue : seq P BLOCKS
  ------------------------------------
  used intersect free = {} AND
  used U free = AllBlocks AND
  Forall i: dom BlockQueue . BlockQueue i subsetOf used AND
  Forall i, j : dom BlockQueue . i ≠ j => BlockQueue i intersect BlockQueue j = {}
  ------------------------------------

See Section 28.6.2 for further expansion of the specification
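A schema predicate is a data invariant, and the practical value of writing it formally is that every state can be checked against it. The Python below is an added example (not from the slides or from the textbook the BlockHandler schema is taken from): it encodes the BirthdayBook invariant `known = dom birthday` and each conjunct of the BlockHandler invariant as executable checks. Run on the state shown on slide 11, the BirthdayBook check fails, because Caine is in `known` but has no maplet in `birthday`, so dom birthday = {Adam, Eve}. The block values and the AllBlocks set are constructed here.

```python
from itertools import combinations

# Constructed stand-in for the Z given set BLOCKS (AllBlocks in the schema).
ALL_BLOCKS = frozenset(range(8))


def birthday_book_ok(known: frozenset, birthday: dict) -> bool:
    """BirthdayBook invariant: known = dom birthday.

    birthday is a partial function Person -|-> Date, modelled as a dict.
    """
    return known == frozenset(birthday)


def block_handler_violations(used: frozenset, free: frozenset, block_queue: list) -> list:
    """Evaluate each conjunct of the BlockHandler invariant; return the names of those that fail."""
    failed = []
    if used & free:                                   # used intersect free = {}
        failed.append("used and free overlap")
    if used | free != ALL_BLOCKS:                     # used U free = AllBlocks
        failed.append("used U free != AllBlocks")
    if not all(entry <= used for entry in block_queue):   # Forall i . BlockQueue i subsetOf used
        failed.append("queue entry not within used")
    if any(a & b for a, b in combinations(block_queue, 2)):  # i != j => entries disjoint
        failed.append("queue entries overlap")
    return failed


if __name__ == "__main__":
    # The state shown on slide 11: Caine is known but has no birthday recorded.
    known = frozenset({"Adam", "Caine", "Eve"})
    birthday = {"Adam": "Apr/01", "Eve": "Apr/01"}
    print(birthday_book_ok(known, birthday))                        # False
    print(birthday_book_ok(frozenset({"Adam", "Eve"}), birthday))   # True

    # Constructed block-handler states: one satisfying the invariant, one breaking three conjuncts.
    good = (frozenset({0, 1, 2, 3}), frozenset({4, 5, 6, 7}),
            [frozenset({0, 1}), frozenset({2})])
    print(block_handler_violations(*good))
    bad = (frozenset({0, 1, 2, 3}), frozenset({3, 4, 5, 6, 7}),
           [frozenset({0, 1}), frozenset({1, 5})])
    print(block_handler_violations(*bad))
```

Reporting the failing conjunct by name, rather than a single boolean, is what makes such a checker useful as a runtime guard or a test oracle: the message says which part of the specification the implementation drifted from.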

Slide 13: (figure only; no text extracted)

Slide 14: (figure only; no text extracted)

Slide 15: Larch: LinearContainer

  LinearContainer(E, C): trait
    introduces
      new: -> C
      insert: C, E -> C
      first: C -> E
      rest: C -> C
      isEmpty: C -> Bool
      isIn: E, C -> Bool
    asserts
      C generated by new, insert
      C partitioned by first, rest, isEmpty
      forall c: C, e, e': E
        first(insert(new, e)) == e
        rest(insert(new, e)) == new
        isEmpty(new)
        ~isEmpty(insert(c, e))
        ~isIn(e, new)
        isIn(e, insert(c, e')) == e = e' | isIn(e, c)
    implies
      forall c: C, e: E
        isEmpty(c) => ~isIn(e, c)
      converts isIn, isEmpty

Slide 16: (figure only; no text extracted)

Slide 17: Larch: Queue

  Queue: trait
    introduces
      new: -> Q
      insert: Q, E -> Q
      first: Q -> E
      rest: Q -> Q
      isEmpty: Q -> Bool
      isIn: Q, E -> Bool
    constrains Q so that
      Q generated by [new, insert]
      for all q: Q, e, e1: E
        first(insert(new, e)) = e
        first(insert(q, e)) = if isEmpty(q) then e else first(q)
        rest(insert(q, e)) = if isEmpty(q) then new else insert(rest(q), e)
        isEmpty(new) = true
        isEmpty(insert(q, e)) = false
        isIn(new, e) = false
        isIn(insert(q, e), e1) = (e = e1 | isIn(q, e1))
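The equations of a Larch trait are an executable test oracle: because Q is generated by new and insert, every queue value can be enumerated up to a bound and each equation checked on it. The Python below is an added example, not code from the slides or from the Larch project; it implements the Queue trait of slide 17 (which also satisfies the LinearContainer property of slide 15, isEmpty(c) => ~isIn(e, c)) on tuples and checks all equations for every generated value up to length 3. A second constructor, insert_front, is constructed here to show that the same equations reject a LIFO container: the axiom first(insert(q, e)) = first(q) for non-empty q is what distinguishes a queue from a stack. The element alphabet (1, 2, 3) and the length bound are assumptions of this example.

```python
from itertools import product
from typing import Any, Callable, Tuple

# A queue value is a tuple; new is the empty tuple and insert appends at the back.
Q = Tuple[Any, ...]


def new() -> Q:
    return ()


def insert(q: Q, e: Any) -> Q:
    return q + (e,)


def insert_front(q: Q, e: Any) -> Q:
    """Constructed LIFO constructor: same signature as insert, different behaviour."""
    return (e,) + q


def is_empty(q: Q) -> bool:
    return len(q) == 0


def first(q: Q) -> Any:
    if is_empty(q):
        raise ValueError("first(new) is left unspecified by the trait")
    return q[0]


def rest(q: Q) -> Q:
    if is_empty(q):
        raise ValueError("rest(new) is left unspecified by the trait")
    return q[1:]


def is_in(q: Q, e: Any) -> bool:
    return e in q


def queue_axioms_hold(q: Q, e: Any, e1: Any, ins: Callable[[Q, Any], Q] = insert) -> bool:
    """Evaluate every equation of the Queue trait for one choice of q, e, e1."""
    checks = [
        first(ins(new(), e)) == e,
        first(ins(q, e)) == (e if is_empty(q) else first(q)),
        rest(ins(q, e)) == (new() if is_empty(q) else ins(rest(q), e)),
        is_empty(new()) is True,
        is_empty(ins(q, e)) is False,
        is_in(new(), e) is False,
        is_in(ins(q, e), e1) == (e == e1 or is_in(q, e1)),
        # LinearContainer's implied property: isEmpty(c) => ~isIn(e, c)
        (not is_empty(q)) or (not is_in(q, e)),
    ]
    return all(checks)


def axioms_hold_everywhere(ins: Callable[[Q, Any], Q] = insert,
                           values: Tuple[Any, ...] = (1, 2, 3), max_len: int = 3) -> bool:
    """Enumerate every value generated by new/insert up to max_len and check all axioms."""
    queues = [()]
    for n in range(1, max_len + 1):
        queues.extend(tuple(p) for p in product(values, repeat=n))
    return all(queue_axioms_hold(q, e, e1, ins)
               for q in queues for e in values for e1 in values)


if __name__ == "__main__":
    print(axioms_hold_everywhere())                   # FIFO tuples satisfy the trait
    print(axioms_hold_everywhere(ins=insert_front))   # LIFO violates first(insert(q, e)) = first(q)
```

The enumeration is bounded, so this is testing rather than proof; what the trait buys is that the test cases are derived from the specification's own generators and equations rather than guessed.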

Slide 18: Object Constraint Language (OCL)
- A formal notation for adding more precision to UML specifications
- All of the power of logic and discrete mathematics is available
- Only ASCII characters (not conventional mathematical notation); see Table 28.1 for a summary of OCL notation
- Like an OOPL, an OCL expression involves operators operating on objects. Each complete expression is a predicate, i.e., Boolean valued (true or false). Objects can be instances of the OCL Collection class, of which Set, Sequence and Bag are subclasses.

Slide 19: OCL Quick Reference [http://www.eoinwoods.info/doc/ocl_quick_reference.pdf]

Invariants: there can be as many "inv" statements as required, optionally named, and the resulting invariant is their conjunction ("i1 and i2 and ...").

  context Class1
    inv: attr1 > 100
  context Class2
    inv secondInvariant: attr1 < 10

Pre and Post Conditions: the "@pre" notation refers to the "before" state (VDM's "hook" notation) and "result" is a reserved word for the result of the operation (if it has one).

  context Class1::method1(v1: Integer) : Integer
    pre valueIsLargeEnough: v1 >= 100
    post: attr1 >= attr1@pre + 100 and result > v1/10

Query Definitions: queries don't change state and so the pre/post-condition form isn't used to define them. Instead, they use a single expression in a "body" statement.

  context Class1::query1(v: Integer) : Integer
    body: v + 100 + attr1

Slide 20: OCL Quick Reference [http://www.eoinwoods.info/doc/ocl_quick_reference.pdf]

Operations are applied to collections using the "->" operator (e.g. items->isEmpty(), where "items" is a collection).

Collection Manipulation Operations
- count(obj): number of times that obj appears in a collection.
- excludes(obj): does count(obj) = 0?
- excludesAll(coll): does count(obj) = 0 hold for all items in collection coll?
- first(): the first item in the ordered collection.
- includes(obj): is count(obj) > 0?
- includesAll(coll): does count(obj) > 0 hold for all items in collection coll?
- isEmpty(): is the collection's size() = 0?
- size(): number of items in the collection.

Loop Operations
- collect(expr): returns a bag containing the value of the expression for each of the items in the collection (e.g. items->collect(value)). A simpler synonym for this operation is the period (".") operator (e.g. items.value).
- forAll(expr): does expression expr hold for all items in the collection?
- select(expr): returns the sub-collection of items in a collection for which expression expr holds.

  set1->select(attr1 > 10)
  set1->select(i | i.attr1 > 10)

These two examples are equivalent. "i" is an "iterator" variable and can be thought of as being set to each of the elements of set1 in turn.

Slide 21: Examples: Person (class diagram only; no text extracted)

Slide 22: Person Examples: OCL and Coding

  class Sex {
      static final int MALE = 1;
      static final int FEMALE = 2;
  }

  // Assertion style: the OCL preconditions of marry() become assert statements
  class Person {
      public int sex;
      public Person spouse;

      public void marry(Person p) {
          assert p != this;
          assert p.sex != this.sex;
          assert this.spouse == null && p.spouse == null;
          this.spouse = p;
          p.spouse = this;
      }
  }

Defensive programming style:

  class Person {
      public int sex;
      public Person spouse;

      public void marry(Person p) throws ArgumentException {
          if (p == this) {
              throw new ArgumentException("cannot marry self");
          }
          if (p.sex == this.sex) {
              throw new ArgumentException("spouse is same sex");
          }
          if (p.spouse != null || this.spouse != null) {
              throw new ArgumentException("already married");
          }
          this.spouse = p;
          p.spouse = this;
      }
  }

Slide 23: Examples: Banking (class diagram only; no text extracted)

Slide 24: Banking Examples: OCL and Coding

  class Account {
      private float balance = 0;

      // OCL: pre: amount <= balance   post: balance = balance@pre - amount
      public void withdraw(float amount) {
          assert amount <= balance;
          balance = balance - amount;
      }

      public void deposit(float amount) {
          balance = balance + amount;
      }

      public float getBalance() {
          return balance;
      }
  }

  // Test in the pre/post style: capture the "@pre" value, act, then check the postcondition
  public void testWithdraw() {
      Account account = new Account();
      account.deposit(500);
      float balanceAtPre = account.getBalance();
      float amount = 250;
      account.withdraw(amount);
      assertTrue(account.getBalance() == balanceAtPre - amount);
  }
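The Java on slides 22 and 24 checks preconditions by hand and captures the "@pre" value by hand in the test. The Python below is an added example, not from the slides: a small `contract` decorator that evaluates an OCL-style precondition before the call, snapshots the object's attributes to stand in for "@pre", and evaluates the postcondition after the call, so the check written once in the specification is enforced on every call. `Account` carries the withdraw/deposit contracts of slide 24; `BrokenAccount` is a constructed faulty implementation whose withdraw forgets to update the balance, which the postcondition catches. The decorator, class names and messages are assumptions of this example.

```python
import functools
from typing import Callable, Optional


class ContractError(AssertionError):
    """Raised when an OCL-style pre- or postcondition is violated."""


def contract(pre: Optional[Callable] = None, post: Optional[Callable] = None):
    """Enforce pre(self, *args) before a method and post(self, pre_state, result, *args) after it.

    pre_state is a copy of the object's attributes taken before the call; reading
    pre_state["balance"] plays the role of OCL's balance@pre.
    """
    def decorate(method):
        @functools.wraps(method)
        def wrapper(self, *args, **kwargs):
            if pre is not None and not pre(self, *args, **kwargs):
                raise ContractError(f"precondition of {method.__name__} violated")
            pre_state = dict(vars(self))                 # the '@pre' snapshot
            result = method(self, *args, **kwargs)
            if post is not None and not post(self, pre_state, result, *args, **kwargs):
                raise ContractError(f"postcondition of {method.__name__} violated")
            return result
        return wrapper
    return decorate


class Account:
    def __init__(self) -> None:
        self.balance = 0.0

    # context Account::withdraw(amount)  pre: amount <= balance  post: balance = balance@pre - amount
    @contract(pre=lambda self, amount: amount <= self.balance,
              post=lambda self, pre, result, amount: self.balance == pre["balance"] - amount)
    def withdraw(self, amount: float) -> None:
        self.balance -= amount

    # context Account::deposit(amount)  pre: amount > 0  post: balance = balance@pre + amount
    @contract(pre=lambda self, amount: amount > 0,
              post=lambda self, pre, result, amount: self.balance == pre["balance"] + amount)
    def deposit(self, amount: float) -> None:
        self.balance += amount

    def get_balance(self) -> float:
        return self.balance


class BrokenAccount(Account):
    """Constructed faulty implementation: satisfies the precondition but never debits."""
    @contract(pre=lambda self, amount: amount <= self.balance,
              post=lambda self, pre, result, amount: self.balance == pre["balance"] - amount)
    def withdraw(self, amount: float) -> None:
        pass


def test_withdraw() -> float:
    """The slide's testWithdraw, returning the final balance (250.0)."""
    account = Account()
    account.deposit(500)
    balance_at_pre = account.get_balance()
    amount = 250
    account.withdraw(amount)
    assert account.get_balance() == balance_at_pre - amount
    return account.get_balance()


def withdraw_outcome(cls, deposit: float, amount: float) -> str:
    """Deposit, then withdraw; return 'ok' or the contract violation message."""
    acct = cls()
    acct.deposit(deposit)
    try:
        acct.withdraw(amount)
        return "ok"
    except ContractError as exc:
        return str(exc)


if __name__ == "__main__":
    print(test_withdraw())
    print(withdraw_outcome(Account, 100, 500))        # precondition fails: overdraft
    print(withdraw_outcome(BrokenAccount, 100, 50))   # postcondition fails: balance unchanged
```

Snapshotting with `dict(vars(self))` is a shallow copy; for attributes that are themselves mutable collections a deep copy would be needed to reproduce "@pre" faithfully.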

Slide 25: Examples: Train [http://maude.sip.ucm.es/itp/ocl/tutorial.html]

  context Train
    inv atLeastOneWagon: self.wagon->size() >= 1

  context Wagon
    inv belongToTheSameTrain: self.succ->notEmpty() implies self.succ->forAll(w | w.train = self.train)
  simplification?

  context Train
    inv sameNumberOfWagons: Train.allInstances->forAll(t1 | (self.wagon->size() = t1.wagon->size()))

  context Wagon
    inv notInCyclicWay: (Wagon.allInstances)->forAll(w2 | self <> w2 implies not ((self.succ)->includes(w2) and (w2.succ)->includes(self)))
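The four Train/Wagon invariants above read over collections (size, forAll, includes, allInstances), and each can be evaluated directly on an object model. The Python below is an added example, not from the slides or from the tutorial they cite: it keeps a registry per class to stand in for allInstances, writes each invariant as a function, and reports by name which invariants a constructed model violates. Two faulty models are constructed on purpose: a pair of wagons that are each other's successor (breaks notInCyclicWay) and an empty second train (breaks atLeastOneWagon and, for the first train, sameNumberOfWagons). For belongToTheSameTrain the example evaluates the simplified form, since forAll over an empty collection is vacuously true, so the notEmpty() guard adds nothing. The class and function names are assumptions of this example.

```python
from typing import List


class Train:
    instances: List["Train"] = []          # stand-in for Train.allInstances

    def __init__(self) -> None:
        self.wagon: List["Wagon"] = []
        Train.instances.append(self)


class Wagon:
    instances: List["Wagon"] = []          # stand-in for Wagon.allInstances

    def __init__(self, train: Train) -> None:
        self.train = train
        self.succ: List["Wagon"] = []      # successor wagons
        train.wagon.append(self)
        Wagon.instances.append(self)


# context Train inv atLeastOneWagon: self.wagon->size() >= 1
def at_least_one_wagon(t: Train) -> bool:
    return len(t.wagon) >= 1


# context Wagon inv belongToTheSameTrain (simplified): self.succ->forAll(w | w.train = self.train)
def belong_to_the_same_train(w: Wagon) -> bool:
    return all(s.train is w.train for s in w.succ)


# context Train inv sameNumberOfWagons: Train.allInstances->forAll(t1 | self.wagon->size() = t1.wagon->size())
def same_number_of_wagons(t: Train) -> bool:
    return all(len(t.wagon) == len(t1.wagon) for t1 in Train.instances)


# context Wagon inv notInCyclicWay:
#   Wagon.allInstances->forAll(w2 | self <> w2 implies not (self.succ->includes(w2) and w2.succ->includes(self)))
def not_in_cyclic_way(w: Wagon) -> bool:
    return all(not (w2 in w.succ and w in w2.succ)
               for w2 in Wagon.instances if w is not w2)


def violated_invariants() -> List[str]:
    """Evaluate every invariant on every instance; return the sorted names of those that fail."""
    failures = set()
    for t in Train.instances:
        if not at_least_one_wagon(t):
            failures.add("atLeastOneWagon")
        if not same_number_of_wagons(t):
            failures.add("sameNumberOfWagons")
    for w in Wagon.instances:
        if not belong_to_the_same_train(w):
            failures.add("belongToTheSameTrain")
        if not not_in_cyclic_way(w):
            failures.add("notInCyclicWay")
    return sorted(failures)


def build_model(cyclic: bool = False, empty_train: bool = False) -> List[str]:
    """Construct a two-wagon train, optionally with a cycle or an extra empty train, and check it."""
    Train.instances.clear()
    Wagon.instances.clear()
    t = Train()
    a, b = Wagon(t), Wagon(t)
    a.succ.append(b)
    if cyclic:
        b.succ.append(a)                   # a and b now point at each other
    if empty_train:
        Train()                            # a train with no wagons
    return violated_invariants()


if __name__ == "__main__":
    print(build_model())
    print(build_model(cyclic=True))
    print(build_model(empty_train=True))
```

Note that sameNumberOfWagons quantifies over all trains, so one malformed train makes the invariant fail for every other train too; evaluating invariants per instance and collecting the names, as here, shows that coupling directly.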

Slide 26: Specifications vs. Modeling
http://www.cs.york.ac.uk/hise/safety-critical-archive/2002/0171.html

Nancy Leveson wrote:

<<< Is there data that software developed without FM does not make money for the customers? >>>

For many customers, yes. See: J. Johnson, "Chaos: The Dollar Drain of IT Project Failures," Application Development Trends, pp. 41-47, Jan. 1995. ($80B/yr soon adds up to real money). That's not to say that FMs alone would have prevented this waste (although that's not what you asked); probably most of it was the fault of people ignoring other aspects of software engineering.

Sorry, I stated my question wrong. Of course there have been development failures -- but most of them did not use good software engineering or had other problems. It is a leap to suggest that because projects fail, that formal methods would have saved the day (which is what the original message implied).

<<< As long as the costs are great and the arguments are only anecdotal, ... >>>

Cheap shot: such papers as I have seen published by people using FMs in industry have reported that the use of FMs (short of full proof) does not cost more than other methods, even if all the savings in maintenance are ignored. See, for example, Anthony Hall's IEEE Software paper "Seven Myths of Formal Methods".

It was not meant as a cheap shot. Simply a statement that business people want evidence before investing a lot of money. I've read Hall's paper, and I did not agree with his argument. Retraining employees and changing tools in any way is an enormous investment for industry. Most of the successful uses of formal methods in industry have involved a university professor and/or Ph.D. students (like CICS, for example). The question is whether, after the Ph.D. leaves, does the company still use formal methods? Does the IBM Hursley group now use Z on all their software projects? After Dave Garlan left Tektronix, I was told they never used formal methods again. Formal methods will never be widely accepted until a large number of practitioners know and use it, not simply university people and a few consulting firms such as Martyn's. Without realistic comparative data, I don't think a large number of people are going to buy. I'm not trying to be a naysayer here -- my research involves formal methods. I'm just suggesting that it has been 30 years now and we do not see a lot of formal methods use in industry. If that is to change, then there needs to be a realistic assessment of why and an attempt made to change those factors. I just don't think more sales talk without hard evidence will do it.

Nancy

http://www.cs.york.ac.uk/hise/safety-critical-archive/2002/0135.html

The specification language does count. There is a concept called "semantic distance" in the human-interface literature. The closer the specification notation matches the reviewers' mental models of the system, the more likely they will be able to understand and find errors in the specification. It is not by coincidence that the most popular use of "formal methods" in industry involves specification languages that are simply control-block diagrams that are then automatically translated into code.