Lecture 1 – Introduction to Formal Methods

Course Learning Outcomes
After completing this course, students should be able to:
• explain the role of formal methods within software engineering;
• formulate formal specifications for simple software components;
• refine and implement formal specifications in an imperative programming language.

Course administration

Course assessment:
• 60% final exam
• 20% quizzes
• 20% mid-term test

Text books:
• A. Diller, An Introduction to Formal Methods, John Wiley & Sons.
• J.M. Spivey, The Z Notation: A Reference Manual, Prentice-Hall. Softcopy obtainable from http://spivey.oriel.ox.ac.uk/mike/zrm/

Outline
• Introduction
• Why formal methods?
• Mathematical preliminaries
• Applying mathematical notation for formal specification: an example
• Formal specification languages

Introduction
• What is Software Engineering?
• The formal methods approach to software construction:
  • views a program and its execution as mathematical objects;
  • employs mathematical and logical techniques to specify and analyze the properties and behavior of these objects.

What can software engineers do with formal methods?
Given two distinct descriptions of the same system:
• S is an abstract description, called a specification.
• I is a concrete description, called an implementation.
Two tasks:
• Verification – given S and I, validate that I is a correct implementation of S.
• Synthesis – given S, produce I.

How successful is the application of formal methods?
• Successful in the development of hardware, embedded software and communication protocols.
• Many applications of formal methods in the development of safety-critical software.

Why formal methods?

What is a formal method?
A method is formal if it has a sound mathematical basis (a formal specification language), which makes it possible to check a specification for:
• consistency
• completeness
• correctness
Examples of formal specification languages:
• Object Constraint Language (OCL)
• Vienna Development Method (VDM)
• Z
How do we show the correctness of software? What about UML diagrams… are they formal or informal?

Why should we use formal methods?
• Mandatory in certain circumstances:
  • UK Defence Standard 00-55 – The procurement of safety critical software in defence equipment.
  • UK Defence Standard 00-56 – Hazard analysis and safety classification of the computer and programmable electronic system elements of defence equipment.
• Potential cost savings through reduced testing time.

Deficiencies of less formal approaches (1)
• Contradictions
  • Eg: One part of a system spec. may state that the system must monitor all temperatures in a chemical reactor, while another part (maybe written by another person) may state that only temperatures occurring within a certain range are to be monitored.
• Ambiguities
  • Eg: The operator identity consists of the operator name and password; the password consists of six digits. It should be displayed on the security VDU and deposited in the login file when an operator logs into the system. (What does “it” refer to: the operator identity, the name, or the password?)

Deficiencies of less formal approaches (2)
• Incompleteness
  • Suppose we have a storage requirement like this one: The system should maintain the hourly level of the reservoir from depth sensors situated in the reservoir. These values should be stored for the past six months.
  • What happens if there is a command such as: The function of the AVERAGE command is to display on a PC the average water level for a particular sensor between two times. (Nothing says what happens when one of the two times lies outside the six months of stored readings.)

Why mathematics in software development?
• Succinctly and exactly describes a physical situation, object or the outcome of an action.
• It is an exact medium, hence minimizing ambiguity.
• It supports abstraction, and thus is useful for modeling.
• Provides a high-level validation tool: to show that a design matches a specification.
• Specifications can be mathematically validated for contradictions and incompleteness.

Formal methods concepts: a soft introduction
• Data invariant: a condition that is true throughout the execution of the system that contains a collection of data.
• State: the collection of the system’s stored data (for the case of Z).
• Operation: an action that takes place within a system. It may or may not affect the system state.
• Precondition: condition(s) that must be fulfilled before an operation takes place.
• Postcondition: condition(s) that are guaranteed to be true after the completion of an operation.
Example 1: A symbol table
• A symbol table keeping the names of OS users.
• Possible operations:
  • add
  • remove

Example 2: A block handler

Block handler (cont.)
• What defines the state of this system?
• Examples of invariants:
  • No block will be marked as both used and unused.
  • The collection of used blocks will have no duplicate numbers.
  • The collection of unused blocks will have no duplicate numbers.
  • The queue does not contain elements with the same block numbers.
  • …
• Two possible operations are:
  • Add a collection of blocks to the end of the queue.
  • Check whether the queue of blocks is empty.
• What are the pre- and post-conditions of these operations?

Mathematical preliminaries

Sets
There are two ways of specifying a set.
• Enumeration: writing down all the elements.
  report = {‘pass’, ‘fail’, ‘pending’}
  report ::= ‘pass’ | ‘fail’ | ‘pending’
  These two are equivalent.
  89 .. 94 = {89, 90, 91, 92, 93, 94}

• Set comprehension
  { n: ℕ | n ≠ 0 ∧ n mod 2 = 0 ∙ n }
  declaration | formula ∙ term
• What does the following mean?
  ∀x: ℤ | x ∈ {1, 2, 4, 7, 8} ∙ x < 11
  ∃x: Europe | x borders albania ∙ ec x

Power sets
• The powerset of a set X is the set containing all the subsets of X.
• ℙ({1, 2}) = {∅, {1}, {2}, {1, 2}}
• ℙ1({1, 2}) = {{1}, {2}, {1, 2}}, the set of non-empty subsets.

Sequences
• A sequence is a mathematical structure that models the fact that its elements are ordered.
• Example of a sequence: <intro, to, formal, methods>
• Operations on sequences:
  • Concatenation

Cartesian products and relations (1)
• If X and Y are sets, then X × Y is their Cartesian product (also known as cross product).
• Examples:
  {1, 3} × {2, 4} = {(1, 2), (1, 4), (3, 2), (3, 4)}
  (3, 2) ∈ {1, 3} × {2, 4}
  3 ↦ 2 ∈ {1, 3} × {2, 4}
• A relation F between X and Y is a subset of the Cartesian product X × Y. That is, F ⊆ X × Y.
• The set of all relations between elements drawn from X and Y is written as X ↔ Y.

Cartesian products and relations (2)
• X ↔ Y == ℙ(X × Y)
• Further notations:
  • F: X ↔ Y (F is a relation between X and Y)
  • 3 ↦ 2 ∈ F (the ordered pair (3, 2) is a member of the relation F)
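The set, quantifier, power-set, sequence and relation notation of the preceding slides, executed on small finite sets. This is an added example written for this page, not code from the lecture or from Spivey's reference manual. Because ℕ and ℤ are infinite, every quantifier and comprehension is given a finite declaration here (the slide's formula then restricts it further); the staff/phone relation at the end is constructed sample data for the kind of telephones relation the lecture mentions later, and the names and numbers are made up.

```python
"""The Z set notation from 'Mathematical preliminaries', made executable.
Added example, not from the lecture. ℕ and ℤ are infinite, so each quantifier
below is given a finite declaration; all sample sets are constructed here."""
from itertools import combinations, product

# Enumeration: report = {'pass', 'fail', 'pending'}, which names the same set
# as the free type  report ::= 'pass' | 'fail' | 'pending'.
REPORT = frozenset({"pass", "fail", "pending"})

def z_range(lo: int, hi: int) -> frozenset:
    """lo .. hi: the integers from lo to hi inclusive (89 .. 94 on the slide)."""
    return frozenset(range(lo, hi + 1))

def comprehension(declaration, formula, term=lambda x: x) -> frozenset:
    """{ x: T | formula • term }: bind x over the declaration, keep the
    bindings that satisfy the formula, collect the term for each survivor."""
    return frozenset(term(x) for x in declaration if formula(x))

def forall(declaration, formula, predicate) -> bool:
    """∀ x: T | formula • predicate"""
    return all(predicate(x) for x in declaration if formula(x))

def exists(declaration, formula, predicate) -> bool:
    """∃ x: T | formula • predicate"""
    return any(predicate(x) for x in declaration if formula(x))

def powerset(xs) -> frozenset:
    """ℙ X: every subset of X, including ∅ and X itself."""
    xs = list(xs)
    return frozenset(frozenset(c) for r in range(len(xs) + 1)
                     for c in combinations(xs, r))

def powerset1(xs) -> frozenset:
    """ℙ1 X: the non-empty subsets of X."""
    return frozenset(s for s in powerset(xs) if s)

def concat(s, t) -> tuple:
    """Sequence concatenation s ⌢ t; unlike a set, order and repeats matter."""
    return tuple(s) + tuple(t)

def cartesian(xs, ys) -> frozenset:
    """X × Y: all ordered pairs (x, y); the maplet x ↦ y is the pair (x, y)."""
    return frozenset(product(xs, ys))

def relations(xs, ys) -> frozenset:
    """X ↔ Y == ℙ(X × Y): the set of all relations between X and Y."""
    return powerset(cartesian(xs, ys))

def is_relation(f, xs, ys) -> bool:
    """F: X ↔ Y holds exactly when F ⊆ X × Y."""
    return frozenset(f) <= cartesian(xs, ys)

def dom(f) -> frozenset:
    """dom F: the first components of the pairs in F."""
    return frozenset(x for x, _ in f)

def ran(f) -> frozenset:
    """ran F: the second components of the pairs in F."""
    return frozenset(y for _, y in f)

# A relation may map one element to several: a staff member can have two
# phone numbers. Constructed sample data, not a real directory.
STAFF = frozenset({"ada", "ben"})
NUMBERS = frozenset({"2101", "2102", "2200"})
TELEPHONES = frozenset({("ada", "2101"), ("ada", "2102"), ("ben", "2200")})
```

The comprehension, forall and exists helpers take the three parts of the Z form separately (declaration, formula, term or predicate), so the slide's `{ n: ℕ | n ≠ 0 ∧ n mod 2 = 0 ∙ n }` becomes `comprehension(range(0, 11), lambda n: n != 0 and n % 2 == 0)` once ℕ is cut down to a finite prefix; `len(relations({1, 3}, {2, 4}))` is 16, which is 2 to the power of the four pairs in the product, confirming X ↔ Y == ℙ(X × Y) on that example.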

Applying mathematical notation for formal specification: an example

Block handler (from earlier example)
• Introduce a set named BLOCKS that consists of every block number.
• Introduce another set called AllBlocks, which is the set of blocks that lie between 1 and MaxBlocks.
• The state can be described as:
• The data invariant can be described as follows:

• Operation 1: Remove an element from the head of the block queue.
  • Precondition:
  • Postcondition:
  • Notice that the three variables after the operation are primed.

• Operation 2: Add a collection of blocks, Ablocks, to the block queue.
  • Precondition:
  • Postcondition:
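A model of the block handler (Example 2 above and this Z sketch) that instantiates the five concepts from Example 1: a state, a data invariant, operations, and their pre- and postconditions, with the primed after-state variables (used', free', queue') computed from the before state. It is an added example and not the lecture's schema, which this page does not reproduce. The state components, the invariants listed on the block handler slide, the name AllBlocks with the 1 .. MaxBlocks range, and the two operations follow the lecture; the two extra invariants marked ASSUMPTION, the second conjunct of the add precondition, and the choice MAX_BLOCKS = 3 are this example's own. check_all() enumerates every state satisfying the invariant and fires every enabled operation from it, which is a finite version of the proof obligation that each operation preserves the invariant.

```python
"""Z-style model of the lecture's block handler, checked exhaustively.
Added example, not the lecture's own schema: the state, the invariants on the
slides and the two operations follow the lecture; items marked ASSUMPTION are
additions that close the state space under the operations."""
from dataclasses import dataclass
from itertools import chain, combinations

MAX_BLOCKS = 3                                    # tiny, so every state can be enumerated
ALL_BLOCKS = frozenset(range(1, MAX_BLOCKS + 1))  # AllBlocks == 1 .. MaxBlocks

@dataclass(frozen=True)
class State:
    """State schema: set-valued used/free (so 'no duplicate block numbers'
    holds by construction) and a queue that is a sequence of sets of blocks."""
    used: frozenset
    free: frozenset
    queue: tuple

def queued(s: State) -> frozenset:
    """Every block number sitting in some element of the queue."""
    return frozenset(chain.from_iterable(s.queue))

def invariant(s: State) -> bool:
    members = list(chain.from_iterable(s.queue))
    return (s.used.isdisjoint(s.free)                 # no block both used and unused
            and s.used <= ALL_BLOCKS and s.free <= ALL_BLOCKS
            and len(members) == len(set(members))    # queue elements share no block numbers
            and s.used | s.free == ALL_BLOCKS         # ASSUMPTION: used and free partition AllBlocks
            and all(q <= s.used for q in s.queue))    # ASSUMPTION: only used blocks are queued

# Operation 1: remove the element at the head of the block queue.
def remove_head_pre(s: State) -> bool:
    return len(s.queue) > 0

def remove_head_post(s: State, s1: State) -> bool:
    """Relates the before state s to the after state s1 (used', free', queue')."""
    head = s.queue[0]
    return (s1.used == s.used - head and s1.free == s.free | head
            and s1.queue == s.queue[1:])

def remove_head(s: State) -> State:
    if not remove_head_pre(s):
        raise ValueError("precondition violated: queue is empty")
    head = s.queue[0]
    return State(s.used - head, s.free | head, s.queue[1:])

# Operation 2: add a collection of blocks, Ablocks, to the end of the queue.
def add_blocks_pre(s: State, ablocks: frozenset) -> bool:
    # ASSUMPTION: the second conjunct is needed; without it a block could be
    # queued twice and the 'no shared block numbers' invariant would break.
    return ablocks <= s.used and ablocks.isdisjoint(queued(s))

def add_blocks_post(s: State, s1: State, ablocks: frozenset) -> bool:
    return (s1.queue == s.queue + (ablocks,)
            and s1.used == s.used and s1.free == s.free)

def add_blocks(s: State, ablocks: frozenset) -> State:
    if not add_blocks_pre(s, ablocks):
        raise ValueError("precondition violated: Ablocks must be used, unqueued blocks")
    return State(s.used, s.free, s.queue + (ablocks,))

def queue_empty(s: State) -> bool:
    """Query operation: reports on the state without changing it."""
    return len(s.queue) == 0

def disjoint_queues(blocks: frozenset):
    """All sequences of pairwise-disjoint, non-empty subsets of `blocks`."""
    yield ()
    for r in range(1, len(blocks) + 1):
        for head in map(frozenset, combinations(sorted(blocks), r)):
            for tail in disjoint_queues(blocks - head):
                yield (head,) + tail

def all_states():
    """Every state over ALL_BLOCKS that satisfies the invariant."""
    for r in range(len(ALL_BLOCKS) + 1):
        for used in map(frozenset, combinations(sorted(ALL_BLOCKS), r)):
            for queue in disjoint_queues(used):
                yield State(used, ALL_BLOCKS - used, queue)

def check_all() -> dict:
    """Inductive check: from every state satisfying the invariant, each enabled
    operation must meet its postcondition and re-establish the invariant."""
    counts = {"states": 0, "remove": 0, "add": 0}
    for s in all_states():
        assert invariant(s), s
        counts["states"] += 1
        if remove_head_pre(s):
            s1 = remove_head(s)
            assert remove_head_post(s, s1) and invariant(s1), ("remove", s)
            counts["remove"] += 1
        candidates = sorted(s.used - queued(s))
        for r in range(1, len(candidates) + 1):
            for ablocks in map(frozenset, combinations(candidates, r)):
                s1 = add_blocks(s, ablocks)
                assert add_blocks_post(s, s1, ablocks) and invariant(s1), ("add", s)
                counts["add"] += 1
    return counts
```

With MAX_BLOCKS = 3, check_all() visits 51 states and checks 43 remove and 43 add transitions (the two counts agree because every add transition lands in a state with a non-empty queue and each such state has exactly one add predecessor). Dropping the disjointness conjunct from add_blocks_pre makes the check fail on the first state whose queue already holds one of the added blocks, which is exactly the kind of gap a formal specification is meant to surface before any implementation is written.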

Formal specification languages .

Main components of a formal specification language
• Syntax
  • Defines the specific notation with which the specification is represented.
  • Derived from standard set theory notation and predicate calculus (first-order logic).
• Semantics
  • Defines how a specification language represents system requirements.
  • A programming language has a set of semantics that enables the programmer to specify how an input can be turned into output. However, it is difficult to express the following in a programming language: “For all x in an infinite set A, there exists a y in an infinite set B such that property P holds for x and y”.

• A set of relations
  • Example: a relation called telephones that relates staff names of a university to their phone numbers.

A brief overview of Z (‘zed’)
• Z applies typed sets, relations, and functions within the context of first-order predicate logic to build schemas.
• A schema in Z gives structure to a formal specification.
• Schemas are used to describe a specification’s state space and operations.

Summary of Z notation (1)
This is how a schema looks:

Summary of Z notation (2)

Learning outcomes
After completion of this lecture, you should be able to:
• Explain why formal methods are important, and how they complement the conventional software design process.
• Recall and understand the fundamental mathematical structures essential to formal methods.
• Recall a simple Z schema.

Further reading
Hall, A. (2007). Realizing the benefits of formal methods. Journal of Universal Computer Science, 13(5), 669-678.
