Formal Methods
Faculty(APGDST)@ncst.ernet.in

Deficiencies of less formal approaches

- Contradictions
- Ambiguities
- Vagueness
- Incompleteness

Formal methods in SE

- What to formalize?
  - Models of requirements knowledge (so we can reason)
  - Specifications of requirements (so we can document precisely)
  - Specifications of program design (to verify correctness)
- Why formalize?
  - Removes ambiguity and improves precision
  - Verifies that the requirements have been met
- Why do people not formalize?
  - Formal methods tend to be low level (too much detail)
  - Formal methods concentrate on consistent and correct models
  - Formal methods require more effort, and the payoff is deferred

Mathematics in SE

- It describes a situation exactly.
- It provides a smooth transition between software engineering activities.
- It supports abstraction.
- It is an ideal tool for modelling.
- It provides a high level of validation.

Formal Specification Languages

- Operational
  - The specification is an executable abstraction
  - Good for rapid prototyping
  - Example languages include Lisp, Prolog, and Smalltalk
- State-based
  - Views a program as data structures and states
  - Uses pre- and postconditions to specify procedures
  - Examples include VDM and Z
- Algebraic
  - Views a program as data structures and operations
  - Operations are defined declaratively using axioms
  - Examples include Larch and CLEAR

Formal Method Concepts

- Data invariant
  - A condition that holds true for the duration of the program
- State
  - The stored data that the system accesses and alters
- Operations
  - An action that takes place in a system
  - Has preconditions and postconditions
  - Precondition: the circumstances under which the operation is valid
  - Postcondition: what holds when the operation is complete

Example: computer memory block handler

- Files in a computer are composed of memory blocks
- The system will maintain a set of unused and a set of used blocks
- When blocks are released from a deleted file they are placed in a queue of blocks waiting to be added to the unused set
- Data invariant for this system, expressed in natural language:
  - No block will be simultaneously marked as used and free
  - All the blocks in the queue will be subsets of the collection of currently used blocks
  - No two elements in the queue will contain the same block numbers
  - The collection of used and free blocks will be the total collection of blocks that make up files
  - The collection of free blocks will have no duplicates
  - The collection of used blocks will have no duplicates
- Operations include
  - Add blocks to the end of the queue
  - Remove blocks from the front of the queue and add them to the free set
  - Check whether the queue of blocks is empty

Mathematical Preliminaries

- Sets
  - e.g. {C++, Pascal, Ada, COBOL, Java}
  - {n : ℕ | n < 3}
  - #{C++, Pascal, Ada, COBOL, Java} = 5
- Set operators
  - 12 ∈ {6, 1, 12, 27}, 11 ∉ {6, 1, 12, 27}
  - A ⊂ B, A ∩ B, ∅ ∩ B, ∅ ∪ B, {1, 2} × {1, 2, 3}
- Logical operators
  - ∧ and, ∨ or, ¬ not, ⇒ implies
- Universal quantification
  - ∀ for all
- Sequences
  - e.g. {(1, Kumar), (2, Gopal), (3, Seeta)}
  - head, tail, last, front

Applying Mathematical Notation

- used, free : ℙ BLOCKS
- BlockQueue : seq ℙ BLOCKS
- Data invariant:
  - used ∩ free = ∅ ∧
  - used ∪ free = AllBlocks ∧
  - ∀ i : dom BlockQueue • BlockQueue i ⊆ used ∧
  - ∀ i, j : dom BlockQueue • i ≠ j ⇒ BlockQueue i ∩ BlockQueue j = ∅

Block Operations (remove the blocks at the front of the queue and add them to the free set)

- Precondition
  - #BlockQueue > 0
- Postcondition
  - used′ = used \ head BlockQueue ∧
  - free′ = free ∪ head BlockQueue ∧
  - BlockQueue′ = tail BlockQueue

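The block-handler state, its data invariant and the release operation above, as an added Python example (not part of the original slides): the invariant is checked after every operation and the precondition and postcondition are checked around the release. BlockHandler, enqueue, release_head, demo and the eight-block universe ALL_BLOCKS are assumed names and constructed sample data.

```python
# Added example (not from the original slides): the memory-block handler
# modelled so that the data invariant and the release operation's pre- and
# postcondition are checked at run time. Names and the 8-block universe are assumptions.
from dataclasses import dataclass, field

ALL_BLOCKS = frozenset(range(8))   # constructed sample universe of block ids

def _require(cond: bool, msg: str) -> None:
    if not cond:
        raise AssertionError(msg)

@dataclass
class BlockHandler:
    used: set = field(default_factory=set)
    free: set = field(default_factory=set)
    queue: list = field(default_factory=list)   # seq P BLOCKS, head at index 0

    def invariant(self) -> bool:
        """The four conjuncts of the data invariant from the slides."""
        disjoint = not (self.used & self.free)                 # used ∩ free = ∅
        complete = (self.used | self.free) == ALL_BLOCKS       # used ∪ free = AllBlocks
        in_used = all(q <= self.used for q in self.queue)      # BlockQueue i ⊆ used
        pairwise = all(not (self.queue[i] & self.queue[j])     # i ≠ j ⇒ entries disjoint
                       for i in range(len(self.queue)) for j in range(i + 1, len(self.queue)))
        return disjoint and complete and in_used and pairwise

    def enqueue(self, blocks: set) -> None:
        """Add the blocks of a deleted file to the end of the queue."""
        self.queue.append(set(blocks))
        _require(self.invariant(), "data invariant broken by enqueue")

    def release_head(self) -> set:
        """Precondition #BlockQueue > 0; postcondition exactly as on the slides."""
        _require(len(self.queue) > 0, "precondition failed: #BlockQueue > 0")
        old_used, old_free = set(self.used), set(self.free)
        head = self.queue.pop(0)        # BlockQueue' = tail BlockQueue
        self.used -= head               # used' = used \ head BlockQueue
        self.free |= head               # free' = free ∪ head BlockQueue
        _require(self.used == old_used - head and self.free == old_free | head,
                 "postcondition failed")
        _require(self.invariant(), "data invariant broken by release_head")
        return head

def demo() -> BlockHandler:
    h = BlockHandler(used={0, 1, 2, 3, 4}, free={5, 6, 7})
    h.enqueue({1, 2})       # two files deleted, their blocks await release
    h.enqueue({4})
    h.release_head()        # frees {1, 2}; the queue now holds only {4}
    return h
```

Enqueuing a set that is not a subset of used, or releasing from an empty queue, raises AssertionError, which is the run-time counterpart of the invariant or precondition being violated.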
Summary of Z Notation

Sets
- S : ℙ X      S is declared as a set of Xs.
- x ∈ S        x is a member of S.
- x ∉ S        x is not a member of S.
- S ⊆ T        S is a subset of T: every member of S is also in T.
- S ∪ T        The union of S and T: it contains every member of S or T or both.
- S ∩ T        The intersection of S and T: it contains every member of both S and T.
- S \ T        The difference of S and T: it contains every member of S except those in T.
- ∅            Empty set.
- {x}          Singleton set.
- ℕ            The set of natural numbers 0, 1, 2, ...
- S : 𝔽 X      S is declared as a finite set of Xs.
- max(S)       The maximum of the nonempty set of numbers S.

Functions
- ƒ : X Y          ƒ is declared as a partial injection from X to Y.
- dom ƒ            The domain of ƒ: the set of values x for which ƒ(x) is defined.
- ran ƒ            The range of ƒ: the set of values taken by ƒ(x) as x varies over the domain of ƒ.
- ƒ ⊕ {x ↦ y}      A function that agrees with ƒ except that x is mapped to y.
- {x} ƒ            A function like ƒ, except that x is removed from its domain.

Logic
- P ∧ Q            P and Q: true if both P and Q are true.
- P ⇒ Q            P implies Q: true if either Q is true or P is false.
- P ⇔ Q            Equivalence: P if and only if Q.
- θS′ = θS         No component of schema S changes in an operation.

Ten Commandments of Formal Methods

- Choose the appropriate notation
- Do not over-formalize
- Estimate costs
- Have a formal methods guru on call
- Do not abandon traditional development methods
- Document sufficiently
- Do not compromise quality standards
- Do not be dogmatic in assuming formal specifications are flawless
- Use of formal methods does not eliminate the need to test products
- Reuse is still important
