Formal Specification. Objectives

Similar documents
REQUIREMENTS ANALYSIS. What versus how

Techniques for the unambiguous specification of software

ΗΜΥ 317 Τεχνολογία Υπολογισμού

Formal Specification. Ian Sommerville 2006 Software Engineering, 8th edition. Chapter 10 Slide 1

Specification language Z. Some notation

Chapter 10 Formal Specification

Chapter 27 Formal Specification

! Use of formal notations. ! in software system descriptions. ! for a broad range of effects. ! and varying levels of use. !

Chapter 3. Describing Syntax and Semantics

Chapter 3. Describing Syntax and Semantics ISBN

Chapter 3. Describing Syntax and Semantics

Semantics. There is no single widely acceptable notation or formalism for describing semantics Operational Semantics

Lecture 5 - Axiomatic semantics

Chapter 3. Describing Syntax and Semantics ISBN

Programming Languages Third Edition

An Annotated Language

3.4 Deduction and Evaluation: Tools Conditional-Equational Logic

Hoare Logic. COMP2600 Formal Methods for Software Engineering. Rajeev Goré

Chapter 3 (part 3) Describing Syntax and Semantics

Z Notation. June 21, 2018

CITS5501 Software Testing and Quality Assurance Formal methods

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

6. Hoare Logic and Weakest Preconditions

CSE 307: Principles of Programming Languages

CMSC 330: Organization of Programming Languages. Formal Semantics of a Prog. Lang. Specifying Syntax, Semantics

Q Body of techniques supported by. R precise mathematics. R powerful analysis tools. Q Rigorous, effective mechanisms for system.

Arguing for program correctness and writing correct programs

Introduction to Axiomatic Semantics

The Specification Phase

Introduction to Formal Methods

Chapter 3. Syntax - the form or structure of the expressions, statements, and program units

Tail Calls. CMSC 330: Organization of Programming Languages. Tail Recursion. Tail Recursion (cont d) Names and Binding. Tail Recursion (cont d)

COMP 507: Computer-Aided Program Design

An Evolution of Mathematical Tools

Reasoning about programs

Last time. Reasoning about programs. Coming up. Project Final Presentations. This Thursday, Nov 30: 4 th in-class exercise

Circuit analysis summary

The Formal Semantics of Programming Languages An Introduction. Glynn Winskel. The MIT Press Cambridge, Massachusetts London, England

Lectures 20, 21: Axiomatic Semantics

CMSC 330: Organization of Programming Languages. Operational Semantics

Main Goal. Language-independent program verification framework. Derive program properties from operational semantics

COSC252: Programming Languages: Semantic Specification. Jeremy Bolton, PhD Adjunct Professor

Topic Formal Methods. ICS 121 Lecture Notes. What are Formal Methods? What are Formal Methods? Formal Specification in Software Development

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

Introduction to Axiomatic Semantics (1/2)

Programming Languages

CMSC 330: Organization of Programming Languages

Computer Science 520/620 Spring 2013 Prof. L. Osterweil" Course Housekeeping" Software Models and Representations" Part 5" Modeling Data and Types"

Computation Club: Gödel s theorem

Proof Carrying Code(PCC)

Hoare Logic: Proving Programs Correct

PROPER TECHNIQUE OF SOFTWARE INSPECTION USING GUARDED COMMAND LANGUAGE

Formal Foundations of Software Engineering

Formal Methods. CITS5501 Software Testing and Quality Assurance

MONIKA HEINER.

Hoare Logic and Model Checking

Formal Verification! Prof. Leon Osterweil! Computer Science 520/620! Spring 2011!

Hoare Logic and Model Checking. A proof system for Separation logic. Introduction. Separation Logic

Defining Languages GMU

Key Features. Defect Rates. Traditional Unit testing: 25 faults / KLOC System testing: 25 / KLOC Inspections: / KLOC

Computer Science 520/620 Spring 2013 Prof. L. Osterweil" Software Models and Representations" Part 5" Modeling Data and Types" Course Housekeeping"

AN ECLECTIC COMPREHENSIVE APPROACH TO THE V&V OF SOFTWARE MODULES. Ali Mili, NJIT NII, Tokyo, Japan January 13, 2012

Abstract Data Types and Software Validation. Algebraic Specifications of Abstract Data Types. Constructor. Every operation is one of.

Introduction to Axiomatic Semantics (1/2)

Programming with Math and Logic

Verification Condition Generation

Symbolic Execution and Proof of Properties

You have 45 minutes to work on this exam. It is a "closed-book/closed-notes" test.

Axiomatic Specification. Al-Said, Apcar, Jerejian

Abstract Specifications: A Review. Algebraic Specification

Formal Specification: Z Notation. CITS5501 Software Testing and Quality Assurance

AXIOMS OF AN IMPERATIVE LANGUAGE PARTIAL CORRECTNESS WEAK AND STRONG CONDITIONS. THE AXIOM FOR nop

Reading 1 : Introduction

Formal Validation of DNA Database Using Theorem Proving Technique

Lecture Notes: Hoare Logic

Computer Science 520/620 Spring 2014 Prof. L. Osterweil" Modeling Data and Types" Software Models and Representations" Part 5"

Abstract Interpretation

Specifications. Prof. Clarkson Fall Today s music: Nice to know you by Incubus

CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Chapter 11 p. 1/38

Formal Methods of Software Design, Eric Hehner, segment 24 page 1 out of 5

Engineering and Computer Job Fair

Fundamental Concepts. Chapter 1

Chapter 3. Semantics. Topics. Introduction. Introduction. Introduction. Introduction

Part 5. Verification and Validation

Software Quality Assurance

Software Engineering Lecture Notes

Correctness of specifications. Correctness. Correctness of specifications (2) Example of a Correctness Proof. Testing versus Correctness Proofs

Formal Validation of DNA Database Using Theorem Proving Technique

A Small Interpreted Language

Axiomatic Rules. Lecture 18: Axiomatic Semantics & Type Safety. Correctness using Axioms & Rules. Axiomatic Rules. Steps in Proof

Programming Languages and Compilers Qualifying Examination. Answer 4 of 6 questions.

SOFTWARE ENGINEERING DESIGN I

Module 3. Requirements Analysis and Specification. Version 2 CSE IIT, Kharagpur

CIS 500 Software Foundations. Final Exam. May 3, Answer key

Fall Lecture 3 September 4. Stephen Brookes

CMPSCI 250: Introduction to Computation. Lecture #14: Induction and Recursion (Still More Induction) David Mix Barrington 14 March 2013

Tracing Ambiguity in GADT Type Inference

Pet: An Interactive Software Testing Tool

Principles of Program Analysis. Lecture 1 Harry Xu Spring 2013

The Cleanroom Method

Transcription:

Formal Specification cmsc435-1 Objectives To explain why formal specification techniques help discover problems in system requirements To describe the use of algebraic techniques for interface specification To describe the use of model-based techniques for behavioral specification cmsc435-2

Formal methods Formal specification is part of a more general collection of techniques that are known as formal methods. These are all based on mathematical representation and analysis of software. Formal methods include Formal specification; Specification analysis and proof; Transformational development; Program verification. cmsc435-3 Why formal methods? cmsc435-4

Formal Specifications Every program can be represented by a flowchart: S1 Fcn2 P3 Fcn3 P1 Fcn4 S3 S4 Fcn1 P2 S2 Predicate true at this point in a program: S1 and S4 represent the specifications. cmsc435-5 Basic mathematical model Signatures: function: domain range fun1: S1 and P1 S3 fun2: S1 and not(p1) S3 fun3: S3 and not(p3) S4 fun4: S3 and P3 S4 S2 and P2 == S4 S2 and not(p2) == S3 A program is then some complex function C: C(fun1, fun2, fun3, fun4, p1, p2, p3):s1 S4 If we could derive these relationships formally, then we have a mathematical proof that given S1 we would HAVE to end with S4. Problem: Such proofs are hard. cmsc435-6

Proof Models Axiomatic verification (closest to previous figure) Tony Hoare 1969. Each program statement obeys a formal axiomatic definition. All models following this approach, more or less. This is the fundamental formal method. Weakest precondition Edsgar Dijkstra 1972. Similar to axiomatic verification, but allows for some nondeterminism. Algebraic data types John Guttag 1975. Formal specifications obey algebraic properties. Functional correctness Harlan Mills 1975. Formalize symbolic execution. Execution traces. Often part of cleanroom development. Others: Model checking, Petri nets, State machines, cmsc435-7 Acceptance of formal methods Formal methods have not become mainstream software development techniques as was once predicted A. Other software engineering techniques have been successful at increasing system quality. Hence the need for formal methods has been reduced; B. Market changes have made time-to-market rather than software with a low error count the key factor. Formal methods do not reduce time to market; C. The scope of formal methods is limited. They are not wellsuited to specifying and analyzing user interfaces and user interaction; D. Formal methods are still hard to scale up to large systems. One of these is false, another is unfortunately true, the other two are true. Which fit into each category? cmsc435-8

Use of formal methods The principal benefits of formal methods are in reducing the number of faults in systems. Consequently, their main area of applicability is in critical systems engineering. There have been several successful projects where formal methods have been used in this area. In this area, the use of formal methods is most likely to be cost-effective because high system failure costs must be avoided. cmsc435-9 Scalability of Formal Methods Small grain methods (e.g., axiomatic, statement oriented) have a mathematical basis but are hard to scale up, and are hard to handle changes. Large grain methods involve module composition allow for simpler specifications, but are less precise. VDM and Z can be considered large grain methods Huge grain methods are typically systems. They may involve system-level protocols, such as TCP/IP, web browsers (HTML), cmsc435-10

Terminology Validation Demonstrating that a program meets its specifications by testing the program against a series of data sets Verification Demonstrating that a program meets its specifications by a formal argument based upon the structure of the program. Validation assumes an execution of the program; verification generally does not. cmsc435-11 Use of formal specification Formal specification involves investing more effort in the early phases of software development. This reduces requirements errors as it forces a detailed analysis of the requirements. Incompleteness and inconsistencies can be discovered and resolved. Hence, savings as made as the amount of rework due to requirements problems is reduced. cmsc435-12

Cost profile The use of formal specification means that the cost profile of a project changes There are greater up front costs as more time and effort are spent developing the specification; However, implementation and validation costs should be reduced as the specification process reduces errors and ambiguities in the requirements. We ll see this again with cleanroom cmsc435-13 Example specification techniques Algebraic specification The system is specified in terms of its operations and their relationships. Model-based specification Specification is a mathematical proof of correctness The system is specified in terms of a state model that is constructed using mathematical constructs such as sets and sequences. Operations are defined by modifications to the system s state. cmsc435-14

Interface specification Large systems are decomposed into subsystems with well-defined interfaces between these subsystems. Specification of subsystem interfaces allows independent development of the different subsystems. Interfaces may be defined as abstract data types or object classes. The algebraic approach to formal specification is particularly well-suited to interface specification as it is focused on the defined operations in an object. cmsc435-15 Specification operations Constructor operations. Operations which create entities of the type being specified. Inspection operations. Operations which evaluate entities of the type being specified. To specify behaviour, define the inspector operations for each constructor operation. cmsc435-16

Algebraic data types Specification of a function, not implementation. Closely tied to abstract data type issues. Example: stacks Functions: newstack, push, pop, top, empty, size cmsc435-17 Axioms 1. pop(newstack) = newstack 2. pop(push(s,i)) = s 3. top(newstack) = undefined 4. top(push(s,i)) = i 5. empty(newstack) = true 6. empty(push(s,i)) = false 7. size(newstack) = 0 8. size(push(s,i)) = size(s)+1 newstack is a constructor, push is a generator, others operators. Heuristic combine each constructor and generator with each operator to get axioms. We say that any implementation of the given functions that preserves these relationships is a valid implementation of a stack. cmsc435-18

Proof methods Data type induction Similar to mathematical induction Let f be constructor, g generator, p predicate Show p(f) is true (base case) Show p(s) p(g(s)) Then true for all s. Theorem: size(push(s,x))>size(s) P(s) is defined as size(push(s,x))>size(s) cmsc435-19 Data type induction proof (Base case) s = newstack Show: Size(push(newstack,i)) > size(newstack) Size(push(newstack,i)) = size(newstack)+1 Axiom 8 Size(newstack)+1 = 0 + 1 = 1 Axiom 7 Size(push(newstack,i)) > size(newstack) Mathematical theorem, Axiom 7 (Generating case) s=push(s, x) Size(push(s,x))>size(s) Goal Size(push(push(s,x),x))> size(push(s,x)) Definition of s Size(push(s,x))+1> size(push(s,x) Axiom 8 1+Y>Y Theorem cmsc435-20

Example 2 -- Addition Axioms: 1. Add(0,x) =x 2. Add(succ(x),y) = succ(add(x,y)) 0-constructor, succ-generator, add-operator Theorem: 1+1=2 (Note: 1=succ(0), 2=succ(1)) Add(succ(0),succ(0))= succ(add(0,succ(0))) Axiom 2 Add(succ(0),succ(0))= succ(succ(0)) Axiom 1 1+1=2 Substitution cmsc435-21 Example 3 - Associativity add(add(x,y),z) = add(x,add(y,z)) Proof: Base case: add(add(0,y),z)=add(0,add(y,z)) Goal add(y,z)=add(y,z) Axiom 1 Inductive case: add(add(x,y),z)=add(x,add(y,z)) add(add(succ(x),y),z)= add(succ(add(x,y)),z) Axiom 2 add(add(succ(x),y),z)= succ(add(add(x,y),z)) Axiom 2 add(add(succ(x),y),z)= succ(add(x,add(y,z))) Ind. Hyp. add(add(succ(x),y),z)= add(succ(x),add(y,z)) Axiom 2 cmsc435-22

AXIOMATIC VERIFICATION {P1}S{P2} means that if P1 is true and S executes, then if S terminates, P2 will be true. A B Means if A is true then you can state that B is true. cmsc435-23 Axioms of Logic Composition {P}S1{Q},{Q}S2{R} {P}S1;S2{R} Consequence1 {P}S{R}, R Q {P}S{Q} Consequence 2 P R, {R}S{Q} {P}S{Q} These embed programming constructs into mathematical logic. cmsc435-24

Statement axioms Conditional 1 {P&B}S{Q}, P&not(B) Q {P}if B then S{Q} Conditional 2 {P&B}S1{Q},{P&not(B)}S2{Q} {P}if B then S1 else S2{Q} While Assignment {P&B}S{P} {P}while B do S{P & not(b)} where P is an invariant {P(e)}x:=e{P(x)} where P(x) is some predicate in x. cmsc435-25 AXIOMATIC PROGRAM PROOF Given program: s1; s2; s3; s4; sn and specifications P and Q: P is the precondition Q is the postcondition Show that {P}s1; sn{q} by showing: {P}s1{p1} {p1}s2{p2} {pn-1}sn{q} Repeated applications of composition: {P}s1; ; sn{q} cmsc435-26

Example: Prove the following {B 0} 1 X:=B 2 Y:=0 3 while X>0 do 4 begin 5 Y:= Y+A 6 X:= X-1 7 end {Y=AB} cmsc435-27 Proof Outline General method is to work backwards. Look for loop invariant first: Y is part of partial product, and X is count of what remains So Y and XA should be the product needed, i.e., invariant Y+XA = AB is proposed invariant Try: (Y+XA=AB and X 0) cmsc435-28

Proof - Steps 1-4 {(Y+(X-1)A=AB and X-1 0)} X:=X-1 {(Y+XA=AB and X 0)} Axiom of assignment (6) {((Y+A)+(X-1)A=AB and X-1 0)} Y:=Y+A {(Y+(X-1)A=AB and X-1 0)} Axiom of assignment (5) {(Y+A)+(X-1)A=AB and X-1 0)} Y:=Y+A; X:=X-1 {(Y+XA=AB and X 0)} Axiom of composition (5,6) Y+XA=AB and X>0 ((Y+A)+(X-1)A=AB and X-1 0) Mathematical Theorem { Y+XA=AB and X>0} Y:=Y+A; X:=X-1 {(Y+XA=AB and X 0)} Axiom of consequence cmsc435-29 Proof - Steps 1-4 {(Y+(X-1)A=AB and X-1 0)} X:=X-1 {(Y+XA=AB and X 0)} Axiom of assignment (6) {((Y+A)+(X-1)A=AB and X-1 0)} Y:=Y+A {(Y+(X-1)A=AB and X-1 0)} Axiom of assignment (5) {(Y+A)+(X-1)A=AB and X-1 0)} Y:=Y+A; X:=X-1 {(Y+XA=AB and X 0)} Axiom of composition (5,6) Y+XA=AB and X>0 ((Y+A)+(X-1)A=AB and X-1 0) Mathematical Theorem { Y+XA=AB and X>0} Y:=Y+A; X:=X-1 {(Y+XA=AB and X 0)} Axiom of consequence cmsc435-30

Proof steps 5-8 (Y+XA=AB and X 0) and (X>0) Y+XA=AB and X>0 Mathematical theorem {(Y+XA=AB and X 0)and (X>0)} Y:=Y+A; X:=X-1 {(Y+XA=AB and X 0)} Axiom of consequence ** {Y+XA=AB and X 0}while X>0 do Y:=Y+A; X:=X-1 {(Y+XA=AB and X 0) and not(x>0)} While axiom (Y+XA=AB and X 0) and not(x>0) (Y+XA=AB and X=0) Y=AB Mathematical theorem cmsc435-31 Proof - Steps 9-12 {Y+XA=AB and X 0}while X>0 do Y:=Y+A; X:=X-1 {Y+AB} Axiom of consequence {0+XA=AB and X 0} Y:=0 {Y+XA=AB and X 0} Axiom of assignment {0+BA=AB and B 0} X:=B {0+XA=AB and X 0)} Axiom of assignment {0+BA=AB and B 0} X:=B; Y:=0 {Y+XA=AB and X 0)} Axiom of composition cmsc435-32

Proof - Steps 13-15 (B 0) 0+BA=AB and B 0 { B 0} X:=B; Y:=0 {Y+XA=AB and X 0)} Mathematical theorem Axiom of consequence { B 0} entire program { Y=AB} Composition cmsc435-33 Summary Axiomatic verification Need to develop axioms for all language features. Can do it for simple arrays, procedure calls, parameters Difficult, even on small programs Very hard to scale up to larger programs Does not translate well to non-mathematical problems Extremely expensive to implement Hard to automate. Manual process leads to many errors. A cult following Every program must formally verified cmsc435-34

BUT Precise clearly delineates the what with the how Basis for most other verification methods, including semiformal specification notations. For critical applications, it may be worth the cost. cmsc435-35 Behavioral specification Algebraic specification can be cumbersome when the object operations are not independent of the object state. Model-based specification exposes the system state and defines the operations in terms of changes to that state. The Z notation is a mature technique for model-based specification. It combines formal and informal description and uses graphical highlighting when presenting specifications. cmsc435-36

Specification language Z Defines the data, types, functions, and relationships among these in a specification General syntax: cmsc435-37 Some notation ΞX State X doesn t change X State X changes ΘS =ΘS S invariant P X a set of X; F X a finite set of X dom domain; ran range f: X + > Y a function from X to Y f: X > + > Y a partial injection (Not every X is defined and each Y has a unique X) f {X > Y} f appended with f(x) = Y {X} < f f with x removed from domain of f x final value of x x? x is an input data item x! x is an output data item cmsc435-38

Z Example MSWE 607 grading ClassRegistration ClassRoster EnrolledInUMUC: F students EnrolledInUMCP: F students UMUCClasses: F ClassNumbers UMCPClasses: F ClassNumbers InUMUC: EnrolledInUMUC + >UMUCClasses InUMCP: EnrolledInUMCP + >UMCPClasses ClassList!: F students UMCPClassList: F students ClassList! = {x:enrolledinumuc InUMUC(x) {607} } UMCPClassList = {x:enrolledinumcp InUMCP(x) {607} } UMCPClassLIst = ClassList! cmsc435-39 Z specification - 2 PaperGradePart ClassRoster ClassList: F students PaperGrade?: ClassList + >N PartialGrade!: ClassList + > {Letter >N} dom(partialgrade!) = ClassList {x: ClassList PartialGrade!(x) = {p >PaperGrade?(x)}} cmsc435-40

Z specification - 3 ExamOneGradePart ClassRoster ClassList: F students ExamOneGrade?: ClassList + >N PartialGrade!: ClassList + > F {Letter >N} {x: ClassList PartialGrade!(x) =PartialGrade(x) {e >ExamOneGrade?(x)}} cmsc435-41 Z specification - 4 ExamTwoGradePart ClassRoster ClassList: F students ExamTwoGrade?: ClassList + >N PartialGrade!: ClassList + > F {Letter >N} {x: ClassList PartialGrade!(x) =PartialGrade(x) {t >ExamTwoGrade?(x)}} cmsc435-42

Z specification - 5 ExamTwoGradePart ClassRoster ClassList: F students ExamTwoGrade?: ClassList + >N PartialGrade!: ClassList + > F {Letter >N} {x: ClassList PartialGrade!(x) =PartialGrade(x) {t >ExamTwoGrade?(x)}} cmsc435-43 Z specification - 6 FinalGradePart ClassRoster ClassList: F students Curve: R + > Letter PartialGrade: ClassList + > F {Letter >N} FinalGrade!: ClassList + > Letter dom(finalgrade!) = ClassList ran(finalgrade!) = {A,B,C,F} {x:classlist dom(partialgrade(x))={p,e,t,f} Curve(X) = (X 90 A) ( X 80 X<90 B) ( X 70 X<80 C) (X<70 F) {x: ClassList FinalGrade!(x) = Curve(.10*PartialGrade(x)(p) +.25*PartialGrade(x)(e) +.25*PartialGrade(x)(t) +.40*PartialGrade(x)(f)) cmsc435-44

Z summary Precise description of functionality Have we proven the functionality correct? We ve replaced low level code with more abstract descriptions of the functionality Need to verify these, but easier to do than the previous axiomatic example cmsc435-45 Key points Formal system specification complements informal specification techniques. Formal specifications are precise and unambiguous. They remove areas of doubt in a specification. Formal specification forces an analysis of the system requirements at an early stage. Correcting errors at this stage is cheaper than modifying a delivered system. Formal specification techniques are most applicable in the development of critical systems and standards. cmsc435-46

Key points Algebraic techniques are suited to interface specification where the interface is defined as a set of object classes. Model-based techniques model the system using sets and functions. This simplifies some types of behavioural specification. Operations are defined in a model-based spec. by defining pre and post conditions on the system state. cmsc435-47

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback