formal methods – introduction for software engineering
Part of formal class notes of the module "Formal Methods"
designed for software engineering students of BSc. level.
4. Preparedby:SharifOmarSalem–ssalemg@gmail.com
A more mathematical approach is inevitable.
Professional software development—not the everyday
brand practiced by the public at large—will become
more like a true engineering discipline, applying
mathematical techniques.
I don't know how long this evolution will take, but it will
happen. The basic theory is there, but much work
remains to make it widely applicable.
(Bertrand Meyer, a pioneer of object technology)
3
5. Preparedby:SharifOmarSalem–ssalemg@gmail.com
Software engineers want to be real engineers. Real
engineers use mathematics.
Formal methods are the mathematics of software
engineering. Therefore, software engineers should
use formal methods.
(Mike Holloway, NASA)
4
6. Preparedby:SharifOmarSalem–ssalemg@gmail.com
How to ensure that S is not ambiguous so that it can be correctly
understood by all the people involved?
How can S be effectively used for inspecting and testing P?
How can software tools effectively support the analysis of S,
transformation from S to P, and verification of P against S?
S P
Construct
Specification Program
What to do How to do it
5
9. Preparedby:SharifOmarSalem–ssalemg@gmail.com
Simulation
Means constructing a model of an existing system to be studied or a
system to be built and then executing actions allowed in this model.
The model can be:
a physical entity (e.g., scale clay model) or
a computer representation.
Testing
Is a technique for detecting errors or problems in implemented
software, hardware, or non-computer systems.
It consists of executing or operating the system to be tested using a
finite set of inputs and then checking to see if the corresponding
outputs or behavior are correct with respect to the specifications.
8
10. Preparedby:SharifOmarSalem–ssalemg@gmail.com
Verification
Is the procedure of confirming that software meets its requirement.
In other words it means checking the software with admiration to
the specification.
Real time monitoring
Apply your final software in a real world input data.
( like beta release software)
9
11. Preparedby:SharifOmarSalem–ssalemg@gmail.com
• Multiple definitions
Foundation for organized and careful method of thinking that
characterizes reasoned activity.
The study of reasoning : specifically concerned with whether
something is correct or false.
Formal logic focuses on the relationship between statements as
opposed to the content of any particular statement.
10
12. Preparedby:SharifOmarSalem–ssalemg@gmail.com
Either it’s the fuel filter or it’s the fuel pump.
It’s not the fuel filter.
It’s the fuel pump.
Example 1: Imagine you’re a mechanic and you know
that either the fuel filter is clogged or the fuel pump
is defective. But you just replaced the fuel filter. So
you know the problem must be with the fuel pump.
11
13. Preparedby:SharifOmarSalem–ssalemg@gmail.com
Major goal of software engineers
Develop reliable systems………..how?
Formal Methods
Mathematical languages, techniques and tools
Used to specify and verify systems
Goal: Help engineers construct more reliable systems
A mean to examine the entire state space of a design (whether
hardware or software)
Establish a correctness or safety property that is true for all possible
inputs
12
14. Preparedby:SharifOmarSalem–ssalemg@gmail.com
Formal methods are mathematical techniques for developing
computer-based software and hardware systems.
In computer science and software engineering, formal methods are
a particular kind of mathematically-based techniques for the
specification, development and verification of software and
hardware systems.
13
16. Preparedby:SharifOmarSalem–ssalemg@gmail.com
Past years of the formal methods
Obscure notation
Non-scalable techniques
Inadequate tool support
Hard to use tools
Very few case studies
Not convincing for practitioners
Nowadays
Trying to find more rigorous notations
Model checking and theorem proving complement simulation in
Hardware industry
More industrial sized case studies
Researchers try to gaining benefits of using formal methods
…
15
17. Preparedby:SharifOmarSalem–ssalemg@gmail.com
Formal methods can be applied at various points through the
development process
Specification
Verification
Specification: Give a description of the system to be developed, and
its properties
Verification: Prove or disprove the correctness of a system with
respect to the formal specification or property
16
18. Preparedby:SharifOmarSalem–ssalemg@gmail.com
The use of formal methods can contribute to the reliability and
robustness of a design.
However, the high cost of using formal methods means that they are
usually only used in the development of high-integrity systems,
where safety or security is of utmost importance.
Transport, communications, health and energy are all representative
examples of critical system where errors is not permitted.
A classic approach to ensuring the adequacy of a software system
is testing or simulation.
But most of commercial system have a bug report with every release.
To mention some data, in 2002 the North-American Institute for
Standards and Technologies estimated the cost of bugs in the
American economy to ascend to 59 billion dollars.
17
19. Preparedby:SharifOmarSalem–ssalemg@gmail.com
In 1994 an error was discovered in the implementation
of division operations by Pentium processors. Even
though millions of processors had by then been sold,
Intel was forced to exchange (free of charge) all the
units produced .
Beyond the financial impact, the media emphasized
the loss of confidence shown by Intel users (i.e. the
computer manufacturing industry) that had a much
broader and dramatic effect to the company.
18
20. Preparedby:SharifOmarSalem–ssalemg@gmail.com
It is very important to note that formal verification does not obviate
the need for testing and other assertion techniques.
Formal verification cannot fix bad assumptions in the design, but it
can help identify errors in reasoning which would otherwise be left
unverified.
In several cases, engineers have reported finding flaws in systems
once they reviewed their designs formally .
So, Formal Verification if used, it will be used as an additional tools
for assertions and not as a replacement tool.
19
21. Preparedby:SharifOmarSalem–ssalemg@gmail.com
The CICS project
CICS: Customer Information Control System
The on-line transaction processing system of choice for large IBM
installations
In the 1980s Oxford Univ. and IBM Hursley Labs formalized parts of
CICS with Z
There was an overall improvement in the quality of the product
It is estimated that it reduced 9% of the total development cost
This work won the Queen’s Award for Technological
The highest honor that can be bestowed on a UK company.
20
22. Preparedby:SharifOmarSalem–ssalemg@gmail.com
Intel uses formal verification quite extensively
Verification of Intel Pentium 4 floating-point unit with a mixture of STE
and theorem proving
Verification of bus protocols using pure temporal logic model checking
Verification of microcode and software for many Intel Itanium floating-
point operations, using pure theorem proving
FV found many high-quality bugs in P4 and verified “20%” of design
FV is now standard practice in the floating-point domain
21
23. Preparedby:SharifOmarSalem–ssalemg@gmail.com
Small Aircraft Transportation System (SATS)
Use of a software system that will sequence aircraft into the SATS
airspace in the absence of an airport controller
There are serious safety issues associated with these software
systems and their underlying key algorithms
22
24. Preparedby:SharifOmarSalem–ssalemg@gmail.com
The criticality of such software systems necessitates that strong
guarantees of the safety be developed for them
Under the SATS program NASA Langley researchers are currently
investigating rigorous verification of these software system using
formal methods
Modeling and Verification of Air Traffic
Conflict Detection and Alerting
…
23
25. Preparedby:SharifOmarSalem–ssalemg@gmail.com
Using a language with a mathematically defined syntax and
semantics
System properties
Functional behavior
Timing behavior
Performance characteristics
Internal structure
24
26. Preparedby:SharifOmarSalem–ssalemg@gmail.com
Specification has been most successful for behavioral properties
A trend is to integrate different specification languages
Each enable to handle a different aspect of a system
Some other non-behavioral aspects of a system
Performance
Real-time constraints
Security policies
Architectural design
25
27. Preparedby:SharifOmarSalem–ssalemg@gmail.com
Formal methods for specification of the sequential systems
Z (Spivey 1988)
Constructive Z (Mirian 1997)
VDM (Jones 1986)
Larch (Guttag & Horning 1993)
States are described in rich math structures (set, relation, function)
Transition are described in terms of pre- and post- conditions
26
28. Preparedby:SharifOmarSalem–ssalemg@gmail.com
Formal methods for specification of the concurrent systems
CSP (Hoare 1985)
CCS (Milner 1980)
Statecharts (Harel 1987)
Temporal Logic (Pnueli 1981)
I/O Automata (Lynch and Tuttle 1987)
States range over simple domains, like integers
Behavior is defined in terms of sequences, trees, partial orders of
events
27
29. Preparedby:SharifOmarSalem–ssalemg@gmail.com
Two well established approaches to verification
Model Checking
Theorem Proving
Model checking
Build a finite model of system and perform an exhaustive search
Theorem Proving
Mechanization of a logical proof
28
30. Preparedby:SharifOmarSalem–ssalemg@gmail.com
Both the system and its desired properties are expressed in some
mathematical logic
Theorem proving is the process of finding a proof from the axioms
of the system
It can be roughly classified
Highly automated programs
Interactive systems with special purpose capabilities
In contrast to model checking, it can deal with infinite space
Relies on techniques like reduction.
29
31. Preparedby:SharifOmarSalem–ssalemg@gmail.com
Transition System
(Automaton, Kripke structure)
System Description
(VERILOG, VHDL, SMV)
Informal
Specification
Temporal Logic Formula
(CTL, LTL, etc.)
Build a mathematical graphical model of the system:
what are possible behaviors?
Write correctness requirement in a specification language:
what are desirable behaviors?
Analysis: (Automatically) check that model satisfies specification
Analysis is performed by an algorithm (tool)
Analysis gives counterexamples for debugging
30
33. Preparedby:SharifOmarSalem–ssalemg@gmail.com
Imperative programming
is a programming paradigm that describes computation in terms of
statements that change a program state.
Imperative programs define sequences of commands for the computer
to perform. It define how to achieve the system goals.
The focus is on How (what steps) the computer should take rather
than what the computer will do
(ex. C, C++, Java).
Object Oriented Languages counted as advanced leases from the
original languages.
32
34. Preparedby:SharifOmarSalem–ssalemg@gmail.com
Declarative programming
is a programming paradigm that expresses the logic of a computation
without describing its control flow.
It attempts to minimize or eliminate side effects by describing what the
program should accomplish, rather than describing how to go about
accomplishing it.
The focus is on what the computer should do rather than how it
should do it
(ex. SQL, ProLog, Z notation).
33
35. Preparedby:SharifOmarSalem–ssalemg@gmail.com
Functional programming
is a programming paradigm that treats computation as the evaluation
of mathematical functions and avoids state and mutable data.
It emphasizes the application of functions.
Functional programming has its roots in the lambda calculus.
It is a subset of declarative languages that has heavy focus on
recursion.
(ex. Lisp, Schema, Haskell).
34
36. Preparedby:SharifOmarSalem–ssalemg@gmail.com
The following is a sample of some tools and notations using Formal
Methods techniques . Keep in mind that there is many other tools.
Z Notation: the formal specification notation Z (pronounced "zed"),
useful for describing computer-based systems, is based on Zermelo-
Fraenkel set theory and first order predicate logic.
Alloy Analyzer: an object modeling notation that is compatible with
development approaches such as UML, and Catalysis, strongly
influenced by the Z specification language.
35
37. Preparedby:SharifOmarSalem–ssalemg@gmail.com
VCC: Microsoft Research - VCC is a mechanical verifier for concurrent
C programs. VCC takes a C program, annotated with function
specifications, data invariants, loop invariants, and ghost code, and
tries to prove these annotations correct. If it succeeds, VCC promises
that your program actually meets its specifications.
JML (Java Modeling Language): a behavioral interface specification
language for Java.
ESC/Java2 Extended Static Checker for Java tool, using program
verification technology. It attempts to find common run-time errors in
JML-annotated Java programs by static analysis of the program code
and its formal annotations
36