
Lecture 1 Introduction to Formal Methods

Course Learning Outcomes


After completing this course, students should be able to:
- explain the role of formal methods within software engineering;
- formulate formal specifications for simple software components;
- refine and implement formal specifications in an imperative programming language.

Course administration

Course assessment:
- 60% final exam
- 20% quizzes
- 20% mid-term test

Text books:
- A. Diller, An Introduction to Formal Methods, John Wiley & Sons.
- J.M. Spivey, The Z Notation: A Reference Manual, Prentice-Hall.
  - Softcopy obtainable from http://spivey.oriel.ox.ac.uk/mike/zrm/

Outline
- Introduction
- Why formal methods?
- Mathematical preliminaries
- Applying mathematical notation for formal specifications: an example
- Formal specification languages

Introduction

What is Software Engineering? The formal methods approach to software construction:
- views a program and its execution as mathematical objects;
- employs mathematical and logical techniques to specify and analyze the properties and behavior of these objects.

What can software engineers do with formal methods?


Given two distinct descriptions of the same system:
- S is an abstract description, called a specification.
- I is a concrete description, called an implementation.

Two tasks:
- Verification: given S and I, validate that I is a correct implementation of S.
- Synthesis: given S, produce I.

How successful is the application of formal methods?


Successful in the development of hardware. Many applications of formal methods in the development of safety-critical software, embedded software and communication protocols.

Why formal methods?

What is a formal method?

A method is formal if:
- it has a sound mathematical basis (a formal specification language).

Properties that can then be established:
- Consistency
- Completeness
- Correctness

Examples of formal specification languages:
- Object Constraint Language (OCL)
- Vienna Development Method (VDM)
- Z

How do we show the correctness of software? What about UML diagrams: are they formal or informal?

Why should we use formal methods?


Mandatory in certain circumstances:
- UK Defence Standard 00-55: The Procurement of Safety Critical Software in Defence Equipment.
- UK Defence Standard 00-56: Hazard Analysis and Safety Classification of the Computer and Programmable Electronic System Elements of Defence Equipment.

Potential cost savings through reduced testing time.

Deficiencies of less formal approaches (1)


- Contradictions
  E.g. one part of a system spec. may state that the system must monitor all temperatures in a chemical reactor, while another part (maybe written by another person) may state that only temperatures occurring within a certain range are to be monitored.

- Ambiguities
  E.g. "The operator identity consists of the operator name and password; the password consists of six digits. It should be displayed on the security VDU and deposited in the login file when an operator logs into the system." (What does "it" refer to: the identity or the password?)

Deficiencies of less formal approaches (2)


- Incompleteness
  Suppose we have a storage requirement like this one:
  "The system should maintain the hourly level of the reservoir from depth sensors situated in the reservoir. These values should be stored for the past six months."
  What happens if there is a command such as:
  "The function of the AVERAGE command is to display on a PC the average water level for a particular sensor between two times."

Why mathematics in software development?


- Succinctly and exactly describes a physical situation, object or the outcome of an action.
- Supports abstraction, and thus is useful for modeling.
- Is an exact medium, hence minimizes ambiguity.
- Specifications can be mathematically validated for contradictions and incompleteness.
- Provides a high-level validation tool: to show that a design matches a specification.

Formal methods concepts: A soft introduction


- Data invariant: a condition that is true throughout the execution of the system that contains a collection of data.
- State: the collection of the system's stored data (for the case of Z).
- Operation: an action that takes place within a system. It may or may not affect the system state.
- Precondition: condition(s) that must be fulfilled before an operation takes place.
- Postcondition: condition(s) that are guaranteed to be true after the completion of an operation.

Example 1: A symbol table
- A symbol table keeping the names of OS users.
- Possible operations: add, remove.

Example 2: A block handler

Block handler (cont.)


- What defines the state of this system?
- Two possible operations are:
  - Add a collection of blocks to the end of the queue.
  - Check whether the queue of blocks is empty.
- What are the pre- and post-conditions of these operations?
- Examples of invariants:
  - No block will be marked as both used and unused.
  - The queue does not contain elements with the same block numbers.
  - The collection of unused blocks will have no duplicate numbers.
  - The collection of used blocks will have no duplicate numbers.

Mathematical preliminaries

Sets
There are two ways of specifying a set.
- Enumeration: writing down all the elements.
  report = {pass, fail, pending}
  These two are equivalent:
  report ::= pass | fail | pending
  89 .. 94 = {89, 90, 91, 92, 93, 94}
- Set comprehension:
  { n: | n 0 n mod 2 = 0 n }
  The three parts are the declaration, the formula (predicate) and the term.

What does the following mean?
  x: | x {1,2,4,7,8} x < 11
  x: Europe | x borders Albania EC x

Power sets
- The powerset of a set X is the set containing all the subsets of X.
  ℙ({1,2}) = {∅, {1}, {2}, {1,2}}
  ℙ1({1,2}) = {{1}, {2}, {1,2}}  (the set of non-empty subsets)

Sequences
- A sequence is a mathematical structure that models the fact that its elements are ordered.
- Example of a sequence: <intro, to, formal, methods>
- Operations on sequences:
  - Concatenation

Cartesian products and relations (1)
- If X and Y are sets, then X × Y is their Cartesian product (also known as cross product).
- Examples:
  {1,3} × {2,4} = {(1,2), (1,4), (3,2), (3,4)}
  (3,2) ∈ {1,3} × {2,4}
  3 ↦ 2 ∈ {1,3} × {2,4}
- A relation F between X and Y is a subset of the Cartesian product X × Y. That is, F ⊆ X × Y.
- The set of all relations between elements drawn from X and Y is written as X ↔ Y.

Cartesian products and relations (2)
- X ↔ Y == ℙ(X × Y)
- Further notations:
  - F: X ↔ Y (F is a relation between X and Y)
  - 3 ↦ 2 ∈ F (the ordered pair (3,2) is a member of the relation F)
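The set notation from the preliminaries above rendered as executable Python (an added example, not from the lecture): enumeration, the range 89 .. 94, a set comprehension with its declaration, formula and term, ℙ, ℙ1, ×, and the identity X ↔ Y == ℙ(X × Y) checked on the lecture's own small sets. Function names and the finite bound on the comprehension are our own.

```python
from itertools import chain, combinations

# Enumeration: report = {pass, fail, pending} (the free type report ::= pass | fail | pending)
REPORT = frozenset({"pass", "fail", "pending"})


def number_range(lo, hi):
    """The Z range lo .. hi: all integers from lo to hi inclusive."""
    return frozenset(range(lo, hi + 1))


def even_numbers(n_max):
    """Set comprehension: even natural numbers, bounded by n < n_max (bound is our assumption)."""
    # declaration: n is a natural number; formula: n mod 2 = 0; term: n itself
    return frozenset(n for n in range(n_max) if n % 2 == 0)


def powerset(x):
    """P X: the set of all subsets of X, the empty set included."""
    items = list(x)
    subsets = chain.from_iterable(combinations(items, r) for r in range(len(items) + 1))
    return frozenset(frozenset(s) for s in subsets)


def powerset1(x):
    """P1 X: the non-empty subsets of X."""
    return frozenset(s for s in powerset(x) if s)


def cartesian(x, y):
    """X x Y: every ordered pair (a, b) with a drawn from X and b from Y."""
    return frozenset((a, b) for a in x for b in y)


def is_relation(f, x, y):
    """F : X <-> Y holds exactly when F is a subset of X x Y."""
    return frozenset(f) <= cartesian(x, y)


def all_relations(x, y):
    """X <-> Y == P(X x Y): the set of every relation between X and Y."""
    return powerset(cartesian(x, y))
```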

Applying mathematical notation for formal specification: An example

Block handler (from earlier example)
- Introduce a set named BLOCKS that consists of every block number.
- Introduce another set called AllBlocks, which is the set of blocks that lie between 1 and MaxBlocks.
- The state can be described as:

Data invariant can be described as follows:

Operation 1: Remove an element from the head of the block queue.
- Precondition
- Postcondition
Notice that the three variables after the operation are primed.

Operation 2: Add a collection of blocks, Ablocks, to the block queue.
- Precondition:
- Postcondition:
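The block handler above as a runtime-checked Python refinement (an added example, not the lecture's own schemas): the three state variables used, free and block_queue, the invariants listed earlier, and the two operations with their pre- and postconditions. Assumptions of ours: MaxBlocks = 8, the queue holds collections of blocks that stay marked used until removed, removal requires a non-empty queue, and adding requires blocks that are in use and not already queued.

```python
from collections import deque
from typing import Deque, FrozenSet, Iterable, Set

MAX_BLOCKS = 8                       # assumed value; the lecture leaves MaxBlocks abstract
ALL_BLOCKS: FrozenSet[int] = frozenset(range(1, MAX_BLOCKS + 1))   # AllBlocks = 1 .. MaxBlocks

class BlockHandler:
    """State is (used, free, block_queue); the queue holds collections of blocks to be released."""

    def __init__(self, used: Iterable[int] = ()) -> None:
        self.used: Set[int] = set(used)
        self.free: Set[int] = set(ALL_BLOCKS) - self.used
        self.block_queue: Deque[FrozenSet[int]] = deque()   # head of the queue is on the left
        self.check_invariant()

    def queued_blocks(self) -> list:
        return [b for coll in self.block_queue for b in coll]

    def check_invariant(self) -> None:
        """Data invariant from the lecture, re-checked after every operation."""
        queued = self.queued_blocks()
        assert not (self.used & self.free), "a block is marked both used and unused"
        assert self.used | self.free == ALL_BLOCKS, "used and free must partition AllBlocks"
        assert len(queued) == len(set(queued)), "queue contains a duplicate block number"
        assert set(queued) <= self.used, "a queued block must still be marked used (assumed)"

    def queue_is_empty(self) -> bool:
        return not self.block_queue      # observer operation: leaves the state unchanged

    def remove_head(self) -> FrozenSet[int]:
        """Operation 1: take the collection at the head of the queue and release its blocks."""
        if self.queue_is_empty():        # precondition (assumed): queue is non-empty
            raise ValueError("precondition violated: block queue is empty")
        head = self.block_queue.popleft()
        self.used -= head                # postcondition: used' = used \ head
        self.free |= head                # postcondition: free' = free U head
        self.check_invariant()           # queue' is the tail of the old queue
        return head

    def can_add_blocks(self, ablocks: Iterable[int]) -> bool:
        """Precondition of operation 2 (assumed): Ablocks are in use and not already queued."""
        ablocks = frozenset(ablocks)
        return bool(ablocks) and ablocks <= self.used and not ablocks & set(self.queued_blocks())

    def add_blocks(self, ablocks: Iterable[int]) -> None:
        """Operation 2: append Ablocks to the end of the queue; used and free are unchanged."""
        if not self.can_add_blocks(ablocks):
            raise ValueError("precondition violated: blocks not in use or already queued")
        self.block_queue.append(frozenset(ablocks))   # postcondition: queue' = queue ^ <Ablocks>
        self.check_invariant()
```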

Formal specification languages

Main components of a formal specification language
- Syntax
  - Defines the specific notation with which the specification is represented.
  - Derived from standard set theory notation and predicate calculus (first-order logic).
- Semantics
  - Defines how a specification language represents system requirements.
  - A programming language has a set of semantics that enables the programmer to specify how an input can be turned into output. However, it is difficult to express the following in a programming language:
    - For all x in an infinite set A, there exists a y in an infinite set B such that property P holds for x and y.
- A set of relations
  - Example: a relation called telephones that relates staff names of a university to their phone numbers.

A brief overview of Z (zed)


- Z applies
  - typed sets,
  - relations, and
  - functions
  within the context of first-order predicate logic to build
  - schemas.
- A schema in Z gives structure to a formal specification.
- Schemas are used to describe a specification's state space and operations.

Summary of Z notation (1)


This is how a schema looks

Summary of Z notation (2)

Learning outcomes
After completion of this lecture, you should be able to:
- Explain why formal methods are important, and how they complement the conventional software design process.
- Recall and understand the fundamental mathematical structures essential to formal methods.
- Recall a simple Z schema.

Further reading
Hall, A. (2007). Realizing the benefits of formal methods. Journal of Universal Computer Science, 13(5), 669-678.
