Transcript Slide 1
SD3049 Formal Methods
Formal Methods
Module Leader: Dr Aaron Kans ([email protected])
What is this module about?
Ariane 5 rocket crash
NASA's Mars Climate Orbiter, November 1999. Total project cost: $327.6 million
Developing software like an ENGINEER
High Integrity Software Development
By the end of this lecture you should be able to:
• define the term high integrity software;
• distinguish between different types of critical software;
• identify the weaknesses of testing as an approach to software verification;
• identify the weaknesses of natural language specifications;
• distinguish between formal and informal methods of software development.
Introduction
Often software is integrated into a mechanical or electronic system. Such software is known as embedded software.
The costs of software failure in these systems can be dangerously high, so they require a higher degree of confidence in the correctness of the software. Such software is known as HIGH INTEGRITY SOFTWARE.
Critical Software
• business critical software
• mission critical software
• safety critical software

Integrity Levels: from integrity level 1 to integrity level 5

The importance of the specification (diagram: client, specification, developer, final application, testing)
Limitations of Testing
1. Testing cannot take place until some implementation is available.
2. Testing can only help to uncover errors; it cannot guarantee the absence of them.
3. Testing is always carried out with respect to requirements as laid down in the specification.
UML: a review
BankAccount
  accountNumber: String
  accountName: String
  balance: Real
  deposit(Real)
  withdraw(Real): Boolean
  currentBalance(): Real
Weakness of natural language specifications
Withdraw:
"Receives a requested amount to withdraw from the bank account and, if there are sufficient funds in the account, meets the request. Returns a boolean value indicating success or failure of the attempt to withdraw money from the account."
Natural language descriptions do not have a fixed meaning; they are ambiguous. Such notations do not have a fixed semantics.
Incomplete specifications
A specification is considered incomplete when the behaviour is not completely defined.
Consider again the withdraw description above.
Inconsistent specifications
A specification is inconsistent when it contains contradictions within it.
Consider again the withdraw description above: OVERDRAFT?
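The withdraw description from the slides, rewritten as explicit pre- and postconditions so that the questions the prose leaves open (what counts as sufficient funds, what happens when the request is refused, whether an overdraft is allowed) each receive a definite answer. This is an added example, not part of the lecture slides: the class name and operation names come from the UML box, while the contract predicates, the OverdraftAccount variant and the sample balances and amounts are assumptions made for the example.

```python
# Added example (not from the lecture slides): the natural-language description
# of withdraw turned into explicit pre- and postconditions. Only BankAccount and
# its attribute/operation names come from the UML box on the slides; the
# contract predicates, OverdraftAccount and the sample values are assumptions.
from dataclasses import dataclass
from itertools import product


@dataclass
class BankAccount:
    accountNumber: str
    accountName: str
    balance: float = 0.0

    def deposit(self, amount: float) -> None:
        self.balance += amount

    def withdraw(self, amount: float) -> bool:
        # Two decisions the prose never states, made explicit here:
        # "sufficient funds" means amount <= balance, and a refused request
        # leaves the balance unchanged (no overdraft).
        if amount <= self.balance:
            self.balance -= amount
            return True
        return False

    def currentBalance(self) -> float:
        return self.balance


class OverdraftAccount(BankAccount):
    """A second reading that is ALSO consistent with the prose: the request is
    met whenever funds suffice, but since the prose says nothing about the
    insufficient case, this version simply goes overdrawn (assumed variant)."""

    def withdraw(self, amount: float) -> bool:
        self.balance -= amount
        return True


def withdraw_pre(balance: float, amount: float) -> bool:
    """Precondition: the caller may only request a positive amount."""
    return amount > 0


def withdraw_post(before: float, amount: float, after: float, ok: bool) -> bool:
    """Postcondition: a relation between the state before and after the call.
    It covers BOTH outcomes, which is what makes the specification complete."""
    if amount <= before:
        return ok and after == before - amount
    return (not ok) and after == before


def violations(account_cls, balances, amounts):
    """Exercise every (balance, amount) pair inside the precondition and return
    those for which the implementation breaks the postcondition."""
    bad = []
    for before, amount in product(balances, amounts):
        if not withdraw_pre(before, amount):
            continue  # outside the precondition nothing is promised
        acct = account_cls("0001", "A. Customer", before)  # constructed sample
        ok = acct.withdraw(amount)
        after = acct.currentBalance()
        if not withdraw_post(before, amount, after, ok):
            bad.append((before, amount, after, ok))
    return bad


# Constructed sample domain: a few balances and requested amounts, including
# the boundary case (amount == balance), a zero and a negative request.
SAMPLE_BALANCES = [0.0, 10.0, 50.0, 100.0]
SAMPLE_AMOUNTS = [-5.0, 0.0, 10.0, 50.0, 60.0, 150.0]

if __name__ == "__main__":
    print("BankAccount violations:     ", violations(BankAccount, SAMPLE_BALANCES, SAMPLE_AMOUNTS))
    print("OverdraftAccount violations:", violations(OverdraftAccount, SAMPLE_BALANCES, SAMPLE_AMOUNTS))
```

Both classes satisfy the English sentence on the slide; only the first satisfies the written-out postcondition, because the predicate says what must happen in the insufficient-funds case rather than leaving it to the reader. That is the difference between an incomplete description and a specification whose meaning is fixed.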
Formal languages
It is desirable to use a specification notation with a fixed, unambiguous semantics. Notations that have a fixed semantics are known as formal notations, or formal languages. A fixed semantics is achieved by defining a language in a completely unambiguous way using a mathematical framework.
Formal Methods
(diagram) initial formal specification -> 1st transformation -> 2nd transformation -> ... -> nth transformation -> final program
A formal method includes a proof system for demonstrating that each transformation preserves the formal meaning captured in the previous step.
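One step of the transformation chain pictured on the slide, made concrete: an abstract specification of withdraw over rational balances is refined to an operation on integer pence, and a retrieve function relates the two so that the "meaning is preserved" obligation can be stated and checked. This is an added example, not part of the lecture slides; the abstract predicates, the pence representation, the retrieve function and the off-by-one variant are all assumptions made for the example, and exhaustive checking over a small finite domain stands in here for the proof that a proof system would supply for all states.

```python
# Added example (not from the lecture slides): one transformation step of the
# refinement chain, checked over a bounded domain. The abstract specification,
# the retrieve function, the pence representation and the off-by-one variant
# are assumptions made for this example; a real proof system would discharge
# the same obligation for every state, not just the sampled ones.
from fractions import Fraction
from itertools import product


# Step 0: the initial formal specification. The abstract state is a rational
# balance (standing in for the slide's Real); the operation is a relation
# between the state before and the state after.
def pre_withdraw(balance: Fraction, amount: Fraction) -> bool:
    return amount > 0


def post_withdraw(before: Fraction, amount: Fraction, after: Fraction, ok: bool) -> bool:
    if amount <= before:
        return ok and after == before - amount
    return (not ok) and after == before


# Step 1: the first transformation, a data refinement. Money is now an integer
# number of pence, the representation a program would actually store.
def retrieve(pence: int) -> Fraction:
    """Retrieve function: maps a concrete state back to the abstract state."""
    return Fraction(pence, 100)


def withdraw_pence(balance_pence: int, amount_pence: int):
    """Concrete operation on the pence representation."""
    if amount_pence <= balance_pence:
        return balance_pence - amount_pence, True
    return balance_pence, False


def withdraw_pence_off_by_one(balance_pence: int, amount_pence: int):
    """A plausible but wrong transformation: '<' where the spec needs '<='."""
    if amount_pence < balance_pence:
        return balance_pence - amount_pence, True
    return balance_pence, False


def refinement_failures(concrete_op, balances_pence, amounts_pence):
    """Proof obligation for the step: for every concrete state and input in the
    domain where the abstract precondition holds, the concrete result, seen
    through retrieve, must satisfy the abstract postcondition. Returns the
    cases where it does not (empty means the step preserves the meaning on
    this domain)."""
    failures = []
    for b, a in product(balances_pence, amounts_pence):
        before, amount = retrieve(b), retrieve(a)
        if not pre_withdraw(before, amount):
            continue
        b_after, ok = concrete_op(b, a)
        if not post_withdraw(before, amount, retrieve(b_after), ok):
            failures.append((b, a, b_after, ok))
    return failures


# Constructed bounded domain in pence: balances 0..300 and requests -100..400,
# both in steps of 50 so that the boundary case amount == balance occurs.
DOMAIN_BALANCES = list(range(0, 301, 50))
DOMAIN_AMOUNTS = list(range(-100, 401, 50))

if __name__ == "__main__":
    print("correct step:   ", refinement_failures(withdraw_pence, DOMAIN_BALANCES, DOMAIN_AMOUNTS))
    print("off-by-one step:", refinement_failures(withdraw_pence_off_by_one, DOMAIN_BALANCES, DOMAIN_AMOUNTS))
```

The off-by-one variant fails exactly on the boundary cases where the requested amount equals the balance, which is the kind of design error the slide's proof system is meant to expose at the step where it is introduced rather than during testing of the final program.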
Advantages of formal methods
• generates good test cases;
• increases confidence that the specification accurately captures the real system requirements;
• important properties of the initial specification can be checked mathematically;
• proofs can help uncover design errors as soon as they are made;
• a proof of program correctness can be constructed.
Classifying formal methods
Formal methods are classified as algebraic or model-based, and by whether they address sequential systems or concurrent systems. Methods named on the slide: Larch, Vienna Development Method (VDM), Z, B, Calculus of Communicating Systems (CCS), OBJ, Prototype Verification System (PVS), Concurrent Sequential Processes (CSP).