Formal methods What are they? Uses Tools Application to software development

Transcription

1 FormalMethods Page 1 Formal methods introduction 9:26 PM Formal methods What are they? Uses Tools Application to software development

2 FormalMethods Page 2 What are formal methods? 9:49 PM Do you have any idea?

3 FormalMethods Page 3 FM overview 9:53 PM Generally, what we mean by FM is applying mathematical rigor to the specification and verification of software. (Maybe also hardware?) But isn't that what engineering does in the normal course of component and system design and implementation? Digital logic and Boolean algebra Electric circuits and differential equations (Laplace) Structures and structural analysis?? Why do we do that? Is there something different about software engineering, or should we think this is normal, too?

4 FormalMethods Page 4 Better specification and verification? Tuesday, March 04, :03 PM Do we really need it? RISKS archive RISKS list Software problem at Heathrow LA School District payroll system Therac 25 London Ambulance Service Ariane 5 Lots more...

5 FormalMethods Page 5 Therac-25 Thursday, March 06, :27 PM Let's look at a little more detail regarding one famous software failure, the Therac-25 radiation therapy machine. This failure was the subject of a 1993 IEEE Computer article by Nancy Leveson and Clark Turner. A summary of the story was made an appendix of a later book by Leveson, who was then at the University of Washington and is now at the Massachusetts Institute of Technology. This version is available on the web: The following figures come from Leveson's description.

6 FormalMethods Page 6 Therac-25 (continued) Thursday, March 06, :56 PM A mismatch of "mode" components and settings could result in the patient receiving lethal radiation doses. A number of software design and user interface errors allowed these dangerous configurations to occur. Eleven Therac-25 machines were installed and six accidents occurred between 1985 and 1987.

7 FormalMethods Page 7 Six patients were massively overdosed In one case a patient received one or two doses of to rad The normal therapeutic dose was about 200 rad One breast had to be removed Her shoulder and arm were paralyzed At least three patients died

8 FormalMethods Page 8 Therac-25 (continued) Thursday, March 06, :08 PM Leveson reported several causal factors. Overconfidence in software Confusing reliability with safety Lack of defensive design Failure to eliminate root causes Unrealistic risk assessments Inadequate investigations and followup She specifically identified a number of software engineering practices that were not followed. Timely and complete specifications Rigorous SQA practices and standards Simple designs, avoiding dangerous coding practices Designed-in audit trails and error detection Extensive testing and formal analysis Careful design of displays and interfaces Although the Therac-25 case was 20 years ago, and the report's language is a little dated, you will find that similar problems still exist.

9 FormalMethods Page 9 FM uses 10:11 PM Suppose we knew how to use formal methods for specification and verification. How would we apply them? Requirements Requirements modeling Analysis (consistency, completeness) Design Formal design model Demonstrate consistency of requirements and design Implementation Prove that implementation (code) correctly follows design and/or requirements Program generation from specification Verification Specifications, as noted above (consistency, completeness) Runtime checking (code vs spec) Specification-guided static analysis Test-case generation

10 FormalMethods Page 10 Notation examples: Z ("zed") 10:22 PM

11 FormalMethods Page 11 Notation examples: Java Modeling Language (JML) 10:25 PM public requires size() > assignable ensures \result!= public requires size() < assignable signals_only public Integer getfirst() throws NoSuchElementException { Integer retval = null; if (list.length > 0) { retval = list[0]; } } else { throw new NoSuchElementException ("getfirst on empty list"); } return retval; JML is often used to implement "design by contract" (DBC) Invariants (predicates that must always be true) Preconditions (must be satisfied on method entry) Postconditions (should be true on method return) Case handling Normal return Exceptional (throwing exception)

12 FormalMethods Page 12 Tools 10:30 PM Types of tools Editors and syntax checkers Theorem provers Model checkers Runtime assertion checkers (RAC) Assertions added by specification "compiler" Extended static analysis (ESC)

13 FormalMethods Page 13 JML RAC 10:39 PM

14 FormalMethods Page 14 JML/JUnit unit test generation 10:41 PM Unit testing How do you use JUnit? What is the hard part? JML/JUnit testing Interesting philosophical approach! Automatically generates a JUnit test case framework from the JML specifications in source Java code Tests all constructors and methods of all classes Generates parameter values from factories that use defined strategies (think Design Patterns!) In the simplest case, only one set of possible test values for each distinct type (e.g., String, ProfData) Runs all tests with one of three outcomes i. Test data satisfies the method precondition and the result of the operation satisfies the postcondition (Good) ii. Test data satisfies the method precondition and the result of the operation does NOT satisfy the postcondition (Failure -- likely defect) iii. Test data does not satisfy the method precondition -- JML Precondition exception thrown (No problem -- code was not expected to work in this case) Bottom line Throws all available data at the system under test Disregards the data combinations that don't satisfy preconditions Automatically checks implementation against specification for all valid test cases generated Details You have to provide factory strategies for some data types (typically including your own classes) Can tailor specific test data sets as desired Can add completely new tests to the suite as needed

15 FormalMethods Page 15 Java/ESC2 (ESC4) 10:43 PM

16 FormalMethods Page 16 Issues 10:55 PM FM issues Tool maturity and support Z and Z/EVES JML: JML2, JML4 Education and training Academic On the job Research and industry practice Bridging the divide (value of application) Industry awareness and knowledge Critical applications (e.g., Praxis and aerospace)

17 FormalMethods Page 17 Questions and comments? 10:47 PM