REQUIREMENTS ANALYSIS. What versus how

Similar documents
Formal Specification. Objectives

Chapter 3. Describing Syntax and Semantics ISBN

! Use of formal notations. ! in software system descriptions. ! for a broad range of effects. ! and varying levels of use. !

Lecture 5 - Axiomatic semantics

Semantics. There is no single widely acceptable notation or formalism for describing semantics Operational Semantics

Chapter 3. Describing Syntax and Semantics

Chapter 3 (part 3) Describing Syntax and Semantics

Hoare Logic. COMP2600 Formal Methods for Software Engineering. Rajeev Goré

Chapter 3. Describing Syntax and Semantics

An Annotated Language

Introduction to Axiomatic Semantics

AXIOMS OF AN IMPERATIVE LANGUAGE PARTIAL CORRECTNESS WEAK AND STRONG CONDITIONS. THE AXIOM FOR nop

An Evolution of Mathematical Tools

Chapter 3. Describing Syntax and Semantics ISBN

3.4 Deduction and Evaluation: Tools Conditional-Equational Logic

Z Notation. June 21, 2018

Programming Languages Third Edition

Introduction to Formal Methods

Proof Carrying Code(PCC)

Hoare Logic: Proving Programs Correct

CITS5501 Software Testing and Quality Assurance Formal methods

Lectures 20, 21: Axiomatic Semantics

Specifications. Prof. Clarkson Fall Today s music: Nice to know you by Incubus

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

COMP 507: Computer-Aided Program Design

Abstract Data Types and Software Validation. Algebraic Specifications of Abstract Data Types. Constructor. Every operation is one of.

Axiomatic Rules. Lecture 18: Axiomatic Semantics & Type Safety. Correctness using Axioms & Rules. Axiomatic Rules. Steps in Proof

CSE 307: Principles of Programming Languages

Reasoning about programs

Last time. Reasoning about programs. Coming up. Project Final Presentations. This Thursday, Nov 30: 4 th in-class exercise

Lecture Notes: Hoare Logic

Introduction to Axiomatic Semantics (1/2)

Arguing for program correctness and writing correct programs

6. Hoare Logic and Weakest Preconditions

Key Features. Defect Rates. Traditional Unit testing: 25 faults / KLOC System testing: 25 / KLOC Inspections: / KLOC

Axiomatic Specification. Al-Said, Apcar, Jerejian

Formal Methods of Software Design, Eric Hehner, segment 24 page 1 out of 5

Correctness of specifications. Correctness. Correctness of specifications (2) Example of a Correctness Proof. Testing versus Correctness Proofs

Chapter 10 Formal Specification

Introduction to Axiomatic Semantics (1/2)

CMSC 330: Organization of Programming Languages. Formal Semantics of a Prog. Lang. Specifying Syntax, Semantics

Formal Methods. CITS5501 Software Testing and Quality Assurance

Main Goal. Language-independent program verification framework. Derive program properties from operational semantics

The Formal Semantics of Programming Languages An Introduction. Glynn Winskel. The MIT Press Cambridge, Massachusetts London, England

Formal Verification! Prof. Leon Osterweil! Computer Science 520/620! Spring 2011!

Module 3. Requirements Analysis and Specification. Version 2 CSE IIT, Kharagpur

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

Abstract Specifications: A Review. Algebraic Specification

CMSC 330: Organization of Programming Languages

Discrete Mathematics Lecture 4. Harper Langston New York University

Hoare Logic and Model Checking

Abstract Interpretation

The Rule of Constancy(Derived Frame Rule)

CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Chapter 11 p. 1/38

AN ECLECTIC COMPREHENSIVE APPROACH TO THE V&V OF SOFTWARE MODULES. Ali Mili, NJIT NII, Tokyo, Japan January 13, 2012

Basic Verification Strategy

Hoare Logic and Model Checking. A proof system for Separation logic. Introduction. Separation Logic

Fundamental Concepts. Chapter 1

Programming Languages

Defining Languages GMU

Hardware versus software

Theorem proving. PVS theorem prover. Hoare style verification PVS. More on embeddings. What if. Abhik Roychoudhury CS 6214

Warm-Up Problem. 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment: x (assignment)

SOFTWARE ENGINEERING DESIGN I

Computer Science 520/620 Spring 2014 Prof. L. Osterweil" Modeling Data and Types" Software Models and Representations" Part 5"

Secure Information Flow by Self-Composition

PROPER TECHNIQUE OF SOFTWARE INSPECTION USING GUARDED COMMAND LANGUAGE

Verification Condition Generation

Algebraic Specifications:Organised and focussed approach in software development

axiomatic semantics involving logical rules for deriving relations between preconditions and postconditions.

Programming Languages and Compilers Qualifying Examination. Answer 4 of 6 questions.

Chapter 3. Syntax - the form or structure of the expressions, statements, and program units

Circuit analysis summary

Symbolic Execution and Proof of Properties

Softwaretechnik. Program verification. Albert-Ludwigs-Universität Freiburg. June 28, Softwaretechnik June 28, / 24

Verification in Coq. Prof. Clarkson Fall Today s music: Check Yo Self by Ice Cube

MONIKA HEINER.

Lesson 4 Typed Arithmetic Typed Lambda Calculus

Computing Fundamentals 2 Introduction to CafeOBJ

Q Body of techniques supported by. R precise mathematics. R powerful analysis tools. Q Rigorous, effective mechanisms for system.

Programming with Math and Logic

CS158 Section B Exam 1 Key

CIS 500 Software Foundations. Final Exam. May 3, Answer key

Automated verification of termination certificates

Reminder of the last lecture. Aliasing Issues: Call by reference, Pointer programs. Introducing Aliasing Issues. Home Work from previous lecture

Natural Numbers. We will use natural numbers to illustrate several ideas that will apply to Haskell data types in general.

Forward Assignment; Strongest Postconditions

AJAX: Automating an Informal Formal Method for Systematic JUnit Test Suite Generation

How invariants help writing loops Author: Sander Kooijmans Document version: 1.0

Axiomatic Semantics. Automated Deduction - George Necula - Lecture 2 1

CMPSCI 250: Introduction to Computation. Lecture #14: Induction and Recursion (Still More Induction) David Mix Barrington 14 March 2013

Formal Specification. Ian Sommerville 2006 Software Engineering, 8th edition. Chapter 10 Slide 1

Engineering and Computer Job Fair

LECTURE 6: INTRODUCTION TO FORMAL METHODS. Software Engineering Mike Wooldridge

Introduction to dependent types in Coq

A Partial Correctness Proof for Programs with Decided Specifications

ΗΜΥ 317 Τεχνολογία Υπολογισμού

Proving Programs Correct

Program Verification. Program Verification 307/434

Computer Science 520/620 Spring 2013 Prof. L. Osterweil" Course Housekeeping" Software Models and Representations" Part 5" Modeling Data and Types"

Transcription:

REQUIREMENTS ANALYSIS Typical life stages of development: Requirements Specifications Top level design (often called architecture) Detailed design Code and unit test Integration testing Goal now is first two of these. 1 What versus how Each stage defines a transformation: Specification Æ Implementation What to build Æ How to build it Requirements Æ Specification Specification Æ Design Design Æ Code Software development is the process of converting whats to hows. Process is a series of transformations as you need to show the equivalence of the how to its defining what. But: Requirements are a how with no what. 2 1

Requirements Process Customer and designer must develop a shared understanding of what to build Team members not meeting customer must develop own understanding of problem All team members need to develop common understanding Organization (beyond developers) must also understand problem 3 Requirements process - II Since we don t have a clear notation (a what ), the process is often cyclical iterating to get desired solution: Requirements documentation stakeholders (e.g., customers) write down proposed requirements. This can be a detailed document or one or two pages of goals. Techniques: Review existing requirements document of new system or previous systems that were similar Scenario analysis a proposed use of the system use cases (used with OO design), scripts, action tables 4 2

1. Requirements discussion Stakeholders challenge proposed requirements: Rapid prototyping a method for evaluating scenarios. Questions asked: What is (meant by ) How to (do ) Who (is the agent to ) What kinds of ( ) will do When (will ) What relationship (between req 1 and 2) What if (something went wrong ) 5 2. Requirements evolution Stakeholders change requirements based upon discussion: Challenges assumptions made by group. Trace changes to discussion items. Traceability a major issue in system design. Changes: Mutation a change or addition to the requirements Restriction a change that restricts possible actions, removes ambiguity Editorial a rewrite or rewording of an existing requirement. Grammatical changes 6 3

Requirements Issues No good precise notation. English often used. English often ambiguous. Concept often not clear with customer After a discussion of requirements issues: will look at more formal specification models will look at slightly less formal specification notations will look at cleanroom development 7 Formal Specifications Every program can be represented by a flowchart: S1 Fcn2 P3 Fcn3 S4 P1 S3 Fcn4 Fcn1 P2 S2 8 4

Basic mathematical model Signatures: function: domain Æ range fun1: S1 and P1 Æ S3 fun2: S1 and not(p1) Æ S3 fun3: S3 and not(p3) Æ S4 fun4: S3 and P3 Æ S4 S2 and P2 == S4 S2 and not(p2) == S3 A program is then some complex function C: C(fun1, fun2, fun3, fun4, p1, p2, p3):s1æs4 If we could derive these relationships formally, then we have a mathematical proof that given S1 we would HAVE to end with S4. Problem: Such proofs are hard. 9 Proof Models Axiomatic verification (closest to previous figure) Tony Hoare 1969. Each program statement obeys a formal axiomatic definition. All models following this approach, more or less. This is the fundamental formal method. Weakest precondition Edsgar Dijkstra 1972. Similar to axiomatic verification, but allows for some nondeterminism. Algebraic data types John Guttag 1975. Formal specifications obey algebraic properties. Functional correctness Harlan Mills 1975. Formalize symbolic execution. Execution traces. Often part of cleanroom development. Others: Model checking, Petri nets, State machines, 10 5

Proof Models - II As we will see, all are hard to use in real systems. However, this formalism is a goal worth striving for in order to eliminate the ambiguity of alternative methods. Practical formal methods are derived from these models. We will briefly look at 2 such models as examples of formal systems: axiomatic verification algebraic data types 11 Scalability of Formal Methods Small grain methods (e.g., axiomatic, statement oriented) have a mathematical basis but are hard to scale up, and are hard to handle changes. Large grain methods involve module composition allow for simpler specifications, but are less precise. VDM and Z can be considered large grain methods Huge grain methods are typically systems. They may involve system-level protocols, such as TCP/IP, web browsers (HTML), 12 6

Terminology Validation Demonstrating that a program meets its specifications by testing the program against a series of data sets Verification Demonstrating that a program meets its specifications by a formal argument based upon the structure of the program. Validation assumes an execution of the program; verification generally does not. 13 AXIOMATIC VERIFICATION {P1}S{P2} means that if P1 is true and S executes, then if S terminates, P2 will be true. A B Means if A is true then you can state that B is true. 14 7

Axioms of Logic Composition Consequence1 {P}S1{Q},{Q}S2{R} {P}S1;S2{R} {P}S{R}, RÎQ {P}S{Q} Consequence 2 PÎR, {R}S{Q} {P}S{Q} These embed programming constructs into mathematical logic. 15 Conditional 1 Conditional 2 While Assignment Statement axioms {P^B}S{Q}, P^not(B)ÎQ {P}if B then S{Q} {P^B}S1{Q},{P^not(B)S2{Q} {P}if B then S1 else S2{Q} {P^B}S{P} {P}while B do S{P ^ not(b)} where P is an invariant {P(e)}x:=e{P(x)} where P(x) is some predicate in x. 16 8

AXIOMATIC PROGRAM PROOF Given program: s1; s2; s3; s4; sn and specifications P and Q: P is the precondition Q is the postcondition Show that {P}s1; sn{q} by showing: {P}s1{p1} {p1}s2{p2} {pn-1}sn{q} Repeated applications of composition: {P}s1; ; sn{q} 17 Example: Prove the following {B 0} 1 X:=B 2 Y:=0 3 while X>0 do 4 begin 5 Y:= Y+A 6 X:= X-1 7 end {Y=AB} 18 9

Proof Outline General method is to work backwards. Look for loop invariant first: Y is part of partial product, and X is count of what remains So Y and XA should be the product needed, i.e., invariant Y+XA = AB is proposed invariant Try: (Y+XA=AB and X 0) 19 Proof - Steps 1-4 {(Y+(X-1)A=AB and X-1 0)} X:=X-1 {(Y+XA=AB and X 0)} Axiom of assignment (6) {((Y+A)+(X-1)A=AB and X-1 0)} Y:=Y+A {(Y+(X-1)A=AB and X-1 0)} Axiom of assignment (5) {(Y+A)+(X-1)A=AB and X-1 0)} Y:=Y+A; X:=X-1 {(Y+XA=AB and X 0)} Axiom of composition (5,6) Y+XA=AB and X>0 Î ((Y+A)+(X-1)A=AB and X-1 0) Mathematical Theorem { Y+XA=AB and X>0} Y:=Y+A; X:=X-1 {(Y+XA=AB and X 0)} Axiom of consequence 20 10

Proof - Steps 1-4 {(Y+(X-1)A=AB and X-1 0)} X:=X-1 {(Y+XA=AB and X 0)} Axiom of assignment (6) {((Y+A)+(X-1)A=AB and X-1 0)} Y:=Y+A {(Y+(X-1)A=AB and X-1 0)} Axiom of assignment (5) {(Y+A)+(X-1)A=AB and X-1 0)} Y:=Y+A; X:=X-1 {(Y+XA=AB and X 0)} Axiom of composition (5,6) Y+XA=AB and X>0 Î ((Y+A)+(X-1)A=AB and X-1 0) Mathematical Theorem { Y+XA=AB and X>0} Y:=Y+A; X:=X-1 {(Y+XA=AB and X 0)} Axiom of consequence 21 Proof steps 5-8 (Y+XA=AB and X 0) and (X>0) Î Y+XA=AB and X>0 Mathematical theorem {(Y+XA=AB and X 0)and (X>0)} Y:=Y+A; X:=X-1 {(Y+XA=AB and X 0)} Axiom of consequence ** {Y+XA=AB and X 0}while X>0 do Y:=Y+A; X:=X-1 {(Y+XA=AB and X 0) and not(x>0)} While axiom (Y+XA=AB and X 0) and not(x>0) Î(Y+XA=AB and X=0) ÎY=AB Mathematical theorem 22 11

Proof - Steps 9-12 {Y+XA=AB and X 0}while X>0 do Y:=Y+A; X:=X-1 {Y+AB} Axiom of consequence {0+XA=AB and X 0} Y:=0 {Y+XA=AB and X 0} Axiom of assignment {0+BA=AB and B 0} X:=B {0+XA=AB and X 0)} Axiom of assignment {0+BA=AB and B 0} X:=B; Y:=0 {Y+XA=AB and X 0)} Axiom of composition 23 Proof - Steps 13-15 (B 0) Î 0+BA=AB and B 0 Mathematical theorem { B 0} X:=B; Y:=0 {Y+XA=AB and X 0)} Axiom of consequence { B 0} program { Y=AB} Composition 24 12

Summary Axiomatic verification Need to develop axioms for all language features. Can do it for simple arrays, procedure calls, parameters Difficult, even on small programs Very hard to scale up to larger programs Does not translate well to non-mathematical problems Extremely expensive to implement Hard to automate. Manual process leads to many errors. A cult following Every program must formally verified 25 BUT Precise clearly delineates the what with the how Basis for most other verification methods, including semiformal specification notations. For critical applications, it may be worth the cost. 26 13

Algebraic data types Specification of a function, not implementation. Closely tied to abstract data type issues. Example: stacks Functions: newstack, push, pop, top, empty, size 27 Axioms pop(newstack) = newstack pop(push(s,i)) = s top(newstack) = undefined top(push(s,i)) = i empty(newstack) = true empty(push(s,i)) = false size(newstack) = 0 size(push(s,i)) = size(s)+1 newstack is a constructor, push is a generator, others operators. Heuristic combine each constructor and generator with each operator to get axioms. We say that any implementation of the given functions that preserves these relationships is a valid implementation of a stack. 28 14

Proof methods Data type induction Similar to mathematical induction Let f be constructor, g generator, p predicate Show p(f) is true (base case) Show p(s) Î p(g(s)) Then true for all s. Theorem: size(push(s,x))>size(s) P(s) == size(push(s,x))>size(s) 29 Data type induction proof (Base case) s = newstack (Read bottom up) Show: Size(push(newstack,i)) > size(newstack) Size(push(newstack,i)) = size(newstack)+1 Axiom 8 Size(newstack)+1 = 0 + 1 = 1 Axiom 7 Size(push(newstack,i)) > size(newstack) Mathematical theorem, Axiom 7 (Generating case) s=push(s, x) Size(push(s,x))>size(s) Goal Size(push(push(s,x),x))> size(push(s,x)) Definition of s Size(push(s,x))+1> size(push(s,x) Axiom 8 1+Y>Y Theorem 30 15

Example 2 -- Addition Axioms: Add(0,x) =x Add(succ(x),y) = succ(add(x,y)) 0-constructor, succ-generator, add-operator Theorem: 1+1=2 (Note: 1=succ(0), 2=succ(1)) Add(succ(0),succ(0))= succ(add(0,succ(0))) Axiom 2 Add(succ(0),succ(0))= succ(succ(0)) Axiom 1 1+1=2 Substitution 31 Example 3 - Associativity add(add(x,y),z) = add(x,add(y,z)) Proof: Base case: Add(add(0,y),z)=add(0,add(y,z)) Goal Add(y,z)=add(y,z) Axiom 1 Inductive case: Add(add(x,y),z)=add(x,add(y,z)) Add(add(succ(x),y),z)= add(succ(add(x,y)),z) Axiom 2 Add(add(succ(x),y),z)= succ(add(add(x,y),z)) Axiom 2 Add(add(succ(x),y),z)= succ(add(x,add(y,z))) Ind. Hyp. Add(add(succ(x),y),z)= add(succ(x),add(y,z)) Axiom 2 32 16

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback