Formal Methods


Deficiencies of less formal approaches

- Contradictions
- Ambiguities
- Vagueness
- Incompleteness

Formal methods in SE

What to formalize?
- Models of requirements knowledge (so we can reason about them)
- Specifications of requirements (so we can document them precisely)
- Specifications of program design (so we can verify correctness)

Why formalize?
- Removes ambiguity and improves precision
- Lets us verify that the requirements have been met


Why do people not formalize?
- Formal methods tend to be low level (too much detail)
- Formal methods concentrate on consistent and correct models
- Formal methods require more effort, and the payoff is deferred

Mathematics in SE

- It describes a situation exactly.
- It provides a smooth transition between software engineering activities.
- It supports abstraction.
- It is an ideal tool for modelling.
- It provides a high level of validation.

Formal Specification Languages

Operational (executable) languages
- The specification is an executable abstraction
- Good for rapid prototyping
- Example languages include Lisp, Prolog, and Smalltalk

State-oriented (model-based) languages
- View the program as data structures and states
- Use pre- and postconditions to specify procedures
- Examples include VDM and Z

Algebraic languages
- View the program as data structures and operations
- Operations are defined declaratively using axioms
- Examples include Larch and CLEAR

Formal Method Concepts

Data invariant: a condition that holds true for the duration of the program, i.e. in every state the system can reach
State: the stored data that the system accesses and alters
Operation: an action that takes place in a system; it has preconditions and postconditions
Precondition: the circumstances under which an operation is valid
Postcondition: what is true when the operation is complete




Computer memory block handler
- Files in a computer are composed of memory blocks
- The system will maintain a set of unused and used blocks
- When blocks are released from a deleted file they are placed in a queue of blocks waiting to be added to the unused set


Data invariant for this system expressed in a natural language
- No block will be simultaneously marked as used and free
- All the blocks in the queue will be subsets of the collection of currently used blocks
- No two elements of the queue will contain the same block numbers
- The collection of used and free blocks will be the total collection of blocks that make up files
- The collection of free blocks will have no duplicates
- The collection of used blocks will have no duplicates

Operations include
- Add blocks to the end of the queue
- Remove blocks from the front of the queue and add them to the free set
- Check whether the queue of blocks is empty

Mathematical Preliminaries

Sets
- By enumeration: {C++, Pascal, Ada, COBOL, Java}
- By comprehension: {n : ℕ | n < 3} = {0, 1, 2}
- Cardinality: #{C++, Pascal, Ada, COBOL, Java} = 5

Set operators
- Membership: 12 ∈ {6, 1, 12, 27}, 11 ∉ {6, 1, 12, 27}
- Subset, intersection, union: A ⊂ B, A ∩ B, ∅ ∩ B = ∅, ∅ ∪ B = B
- Cartesian product: {1, 2} × {1, 2, 3} = {(1,1), (1,2), (1,3), (2,1), (2,2), (2,3)}


Logical Operators

- ∧ and, ∨ or, ¬ not, ⇒ implies, ∀ for all

Sequences
- A sequence is a set of (index, value) pairs, e.g. {(1, Kumar), (2, Gopal), (3, Seeta)}
- Sequence operators: head, tail, last, front

Universal quantification

∀ x : T • P(x) states that the predicate P holds for every x drawn from T (the form used in the block-handler invariant below).

Applying Mathematical Notation
State of the block handler:
  used, free : ℙ BLOCK
  BlockQueue : seq ℙ BLOCK

Data invariant:
  used ∩ free = ∅ ∧
  used ∪ free = AllBlocks ∧
  ∀ i : dom BlockQueue • BlockQueue i ⊆ used ∧
  ∀ i, j : dom BlockQueue • i ≠ j ⇒ BlockQueue i ∩ BlockQueue j = ∅

Block Operations

Remove blocks from the front of the queue and add them to the free set

Precondition:
  #BlockQueue > 0

Postcondition:
  used' = used \ head BlockQueue ∧
  free' = free ∪ head BlockQueue ∧
  BlockQueue' = tail BlockQueue
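The state, data invariant and the "remove from front of queue" operation above can be turned directly into runtime checks. The following is an added example, not code from the original lecture notes: it encodes used, free and BlockQueue as Python sets and a list, checks every conjunct of the invariant, and checks the precondition and the postcondition of the release operation against a snapshot of the unprimed state. The assumptions not on the slides are labelled in the comments: blocks are small integers, AllBlocks is fixed at construction, and adding to the queue requires the released blocks to be used and not already queued.

```python
# Executable model of the memory block handler specified above.
# Added example, not code from the original lecture notes. Assumed
# (not on the slides): blocks are small ints, AllBlocks is fixed at
# construction, and "add to queue" requires the released blocks to be
# in use and not already queued, otherwise the invariant cannot hold.
from dataclasses import dataclass
from typing import FrozenSet, List, Set

Block = int


class SpecViolation(AssertionError):
    """The invariant, a precondition or a postcondition does not hold."""


@dataclass
class BlockHandler:
    all_blocks: FrozenSet[Block]    # AllBlocks
    used: Set[Block]                # used : P BLOCK
    free: Set[Block]                # free : P BLOCK
    block_queue: List[Set[Block]]   # BlockQueue : seq P BLOCK

    def check_invariant(self) -> None:
        """The four conjuncts of the data invariant, in slide order."""
        q = self.block_queue
        if self.used & self.free:
            raise SpecViolation("used ∩ free ≠ ∅")
        if self.used | self.free != self.all_blocks:
            raise SpecViolation("used ∪ free ≠ AllBlocks")
        for i, blocks in enumerate(q):
            if not blocks <= self.used:
                raise SpecViolation(f"BlockQueue {i} ⊄ used")
        for i in range(len(q)):
            for j in range(i + 1, len(q)):
                if q[i] & q[j]:
                    raise SpecViolation(f"BlockQueue {i} ∩ BlockQueue {j} ≠ ∅")

    def queue_is_empty(self) -> bool:
        return not self.block_queue

    def add_to_queue(self, blocks: Set[Block]) -> None:
        """Add the blocks of a deleted file to the end of the queue."""
        # Assumed precondition: blocks are in use and not yet queued.
        if not blocks <= self.used:
            raise SpecViolation("precondition: blocks ⊆ used")
        if any(blocks & queued for queued in self.block_queue):
            raise SpecViolation("precondition: blocks already queued")
        self.block_queue.append(set(blocks))
        self.check_invariant()

    def release_front(self) -> Set[Block]:
        """Remove blocks from the front of the queue and add them to free."""
        # Precondition: #BlockQueue > 0
        if not self.block_queue:
            raise SpecViolation("precondition: #BlockQueue > 0")
        # Snapshot the unprimed state so the postcondition can be checked.
        used0, free0 = set(self.used), set(self.free)
        queue0 = [set(s) for s in self.block_queue]
        head = queue0[0]
        # The operation itself.
        self.used -= head
        self.free |= head
        self.block_queue = self.block_queue[1:]
        # Postcondition: used' = used \ head, free' = free ∪ head, queue' = tail
        if self.used != used0 - head:
            raise SpecViolation("postcondition: used' = used \\ head BlockQueue")
        if self.free != free0 | head:
            raise SpecViolation("postcondition: free' = free ∪ head BlockQueue")
        if self.block_queue != queue0[1:]:
            raise SpecViolation("postcondition: BlockQueue' = tail BlockQueue")
        self.check_invariant()
        return head


def run_scenario() -> dict:
    """Constructed scenario: 8 blocks, two files deleted, first entry released."""
    h = BlockHandler(frozenset(range(8)), {0, 1, 2, 3, 4}, {5, 6, 7}, [])
    h.check_invariant()
    h.add_to_queue({1, 2})   # blocks of the first deleted file
    h.add_to_queue({4})      # blocks of the second deleted file
    released = h.release_front()
    return {"released": released, "used": set(h.used), "free": set(h.free),
            "queue_empty": h.queue_is_empty()}


def invariant_catches_double_mark() -> bool:
    """A state a buggy handler could reach: block 2 marked both used and free."""
    bad = BlockHandler(frozenset(range(4)), {0, 1, 2}, {2, 3}, [])
    try:
        bad.check_invariant()
    except SpecViolation:
        return True
    return False


def release_on_empty_is_rejected() -> bool:
    """The precondition #BlockQueue > 0 refuses the operation on an empty queue."""
    h = BlockHandler(frozenset(range(2)), {0}, {1}, [])
    try:
        h.release_front()
    except SpecViolation:
        return True
    return False


if __name__ == "__main__":
    print(run_scenario())
```

The checks in release_front mirror the three conjuncts of the postcondition one-to-one, and the invariant is re-checked after every operation, so an implementation that forgot to remove the released blocks from used (leaving a block both used and free) would be rejected at the first call rather than corrupting later allocations silently.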

Summary of Z Notation

Notation            Meaning
S : ℙ X             S is declared as a set of Xs
x ∈ S               x is a member of S
x ∉ S               x is not a member of S
S ⊆ T               S is a subset of T: every member of S is also in T
S ∪ T               The union of S and T: it contains every member of S or T or both
S ∩ T               The intersection of S and T: it contains every member of both S and T
S \ T               The difference of S and T: it contains every member of S except those in T
∅                   Empty set
{x}                 Singleton set
ℕ                   The set of natural numbers 0, 1, 2, ...
S : 𝔽 X             S is declared as a finite set of Xs
max(S)              The maximum of the nonempty set of numbers S
ƒ : X ⇸ Y           ƒ is declared as a partial function from X to Y
dom ƒ               The domain of ƒ: the set of values x for which ƒ(x) is defined
ran ƒ               The range of ƒ: the set of values taken by ƒ(x) as x varies over the domain of ƒ
ƒ ⊕ {x ↦ y}         A function that agrees with ƒ except that x is mapped to y
{x} ⩤ ƒ             A function like ƒ, except that x is removed from its domain
P ∧ Q               P and Q: true if both P and Q are true
P ⇒ Q               P implies Q: true if either Q is true or P is false
P ⇔ Q               Equivalence: P if and only if Q
θS′ = θS            No component of schema S changes in an operation

Ten Commandments of Formal Methods

1. Choose the appropriate notation
2. Formalize, but do not over-formalize
3. Estimate costs
4. Have a formal methods guru on call
5. Do not abandon traditional development methods
6. Document sufficiently
7. Do not compromise quality standards
8. Do not be dogmatic in assuming formal specifications are flawless
9. Use of formal methods does not eliminate the need to test products
10. Reuse is still important