Spring 20061Advanced Software Engineering An Introduction to Formal Methods Marjan Sirjani Advanced...

Spring 2006 1Advanced Software Engineering

An Introduction toAn Introduction to

Formal MethodsFormal Methods

Marjan SirjaniMarjan Sirjani

Advanced Software EngineeringAdvanced Software Engineering

Fall 2006Fall 2006


OutlineOutline

1.1. Introduction Introduction

2.2. Formal SpecificationFormal Specification

3.3. Formal VerificationFormal Verification

4.4. Model CheckingModel Checking

5.5. Theorem ProvingTheorem Proving

6.6. Future workFuture work


IntroductionIntroduction

● Good papers to begin with them:Good papers to begin with them:– ““Formal Methods: State of the Art and Future Directions”, Formal Methods: State of the Art and Future Directions”,

Edmund M. Clarke, Jeannette M. Wing, ACM Computing Edmund M. Clarke, Jeannette M. Wing, ACM Computing Surveys, 1996Surveys, 1996

– ““Ten Commandments of Formal Methods ... Ten Years Later”, Ten Commandments of Formal Methods ... Ten Years Later”, Jonathan P., Bowen and Mike Hinchey, IEEE Computer, Jonathan P., Bowen and Mike Hinchey, IEEE Computer, 39(1):40-48, January 2006.39(1):40-48, January 2006.


Scientists QuotesScientists Quotes

Teaching to unsuspecting youngsters the effective use of formal methods is one of the joys of life because it is so extremely rewarding



A more mathematical approach is inevitable.

Professional software development—not the everyday brand practiced by the public at large—will become more like a true engineering discipline, applying mathematical techniques.

I don't know how long this evolution will take, but it will happen. The basic theory is there, but much work remains to make it widely applicable.

(Bertrand Meyer, a pioneer of object technology)



Software engineers want to be real engineers.

Real engineers use mathematics.

Formal methods are the mathematics of software engineering.

Therefore, software engineers should use formal methods.

(Mike Holloway, NASA)



● Major goal of software engineersMajor goal of software engineers– Develop reliable systemsDevelop reliable systems

● Formal MethodsFormal Methods– Mathematical languages, techniques and toolsMathematical languages, techniques and tools

– Used to specify and verify systemsUsed to specify and verify systems

– Goal: Help engineers construct more reliable systemsGoal: Help engineers construct more reliable systems

● A mean to examine the entire state space of a design A mean to examine the entire state space of a design (whether hardware or software)(whether hardware or software)– Establish a correctness or safety property that is true for all Establish a correctness or safety property that is true for all

possible inputspossible inputs



● Past years of the formal methodsPast years of the formal methods– Obscure notationObscure notation

– Non-scalable techniquesNon-scalable techniques

– Inadequate tool supportInadequate tool support

– Hard to use toolsHard to use tools

– Very few case studiesVery few case studies

– Not convincing for practitionersNot convincing for practitioners



● NowadaysNowadays– Trying to find more rigorous notationsTrying to find more rigorous notations

– Model checking and theorem proving complement simulation in Model checking and theorem proving complement simulation in Hardware industryHardware industry

– More industrial sized case studiesMore industrial sized case studies

– Researchers try to gaining benefits of using formal methodsResearchers try to gaining benefits of using formal methods

– ……



● Formal methods can be applied at various points through Formal methods can be applied at various points through the development processthe development process– SpecificationSpecification

– VerificationVerification

● SpecificationSpecification: Give a description of the system to be : Give a description of the system to be developed, and its propertiesdeveloped, and its properties

● VerificationVerification: Prove or disprove the correctness of a : Prove or disprove the correctness of a system with respect to the formal specification or system with respect to the formal specification or property property


SpecificationSpecification

● Using a language with a mathematically defined syntax Using a language with a mathematically defined syntax and semanticsand semantics

● System propertiesSystem properties– Functional behaviorFunctional behavior

– Timing behaviorTiming behavior

– Performance characteristicsPerformance characteristics

– Internal structureInternal structure



● Specification has been most successful for behavioral Specification has been most successful for behavioral propertiesproperties

● A trend is to integrate different specification languagesA trend is to integrate different specification languages– Each enable to handle a different aspect of a systemEach enable to handle a different aspect of a system

● Some other non-behavioral aspects of a systemSome other non-behavioral aspects of a system– PerformancePerformance

– Real-time constraintsReal-time constraints

– Security policiesSecurity policies

– Architectural designArchitectural design



● Formal methods for specification of the sequential Formal methods for specification of the sequential systemssystems– Z (Spivey 1988)Z (Spivey 1988)

– Constructive Z (Mirian 1997)Constructive Z (Mirian 1997)

– VDM (Jones 1986)VDM (Jones 1986)

– Larch (Guttag & Horning 1993)Larch (Guttag & Horning 1993)

● StatesStates are described in rich math structures (set, are described in rich math structures (set, relation, function)relation, function)

● TransitionTransition are described in terms of pre- and post- are described in terms of pre- and post- conditionsconditions



● Formal methods for specification of the concurrent Formal methods for specification of the concurrent systemssystems– CSP (Hoare 1985)CSP (Hoare 1985)

– CCS (Milner 1980)CCS (Milner 1980)

– Statecharts (Harel 1987)Statecharts (Harel 1987)

– Temporal Logic (Pnueli 1981)Temporal Logic (Pnueli 1981)

– I/O Automata (Lynch and Tuttle 1987)I/O Automata (Lynch and Tuttle 1987)

● StatesStates range over simple domains, like integers range over simple domains, like integers

● BehaviorBehavior is defined in terms of sequences, trees, partial is defined in terms of sequences, trees, partial orders of eventsorders of events



● Formal methods for handling both rich state space and Formal methods for handling both rich state space and complexity due to concurrencycomplexity due to concurrency– RAISE (Nielsen 1989)RAISE (Nielsen 1989)

– LOTOS (ISO 1987)LOTOS (ISO 1987)


Case Studies: CICSCase Studies: CICS

● The CICS projectThe CICS project

● CICSCICS: Customer Information Control System: Customer Information Control System– The on-line transaction processing system of choice for large The on-line transaction processing system of choice for large

IBM installationsIBM installations

● In the 1980s Oxford Univ. and IBM Hursley Labs In the 1980s Oxford Univ. and IBM Hursley Labs formalized parts of CICS with Zformalized parts of CICS with Z

● There was an overall improvement in the quality of the There was an overall improvement in the quality of the productproduct

● It is estimated that it reduced 9% of the total It is estimated that it reduced 9% of the total development costdevelopment cost


Case Studies: CICSCase Studies: CICS

● This work won the Queen’s Award for TechnologicalThis work won the Queen’s Award for Technological– The highest honor that can be bestowed on a UK company. The highest honor that can be bestowed on a UK company.


Case Studies: CUTECase Studies: CUTE

● CUTE: A Concolic Unit Testing Engine for CCUTE: A Concolic Unit Testing Engine for C

● Developed by a team managed by Gul Agha – 2005Developed by a team managed by Gul Agha – 2005

● Concolic testingConcolic testing– use the symbolic execution to generate inputs use the symbolic execution to generate inputs

that direct a program to alternate pathsthat direct a program to alternate paths

– use the concrete execution to guide the use the concrete execution to guide the symbolic execution along a concrete pathsymbolic execution along a concrete path


Case Studies: CUTECase Studies: CUTE

● CUTE was used to automatically test CUTE was used to automatically test SGLIBSGLIB, a popular C , a popular C data structure library used in a commercial tooldata structure library used in a commercial tool

● CUTE took less than CUTE took less than 2 seconds2 seconds to find two previously to find two previously unknown errors!unknown errors!– a segmentation faulta segmentation fault

– an infinite loopan infinite loop

● The homepage of CUTE:The homepage of CUTE:– http://osl.cs.uiuc.edu/~ksen/cute/http://osl.cs.uiuc.edu/~ksen/cute/


Case Studies: Intel’s Successes Case Studies: Intel’s Successes http://www.cse.ogi.edu/S3S/JohnHarrison.pdfhttp://www.cse.ogi.edu/S3S/JohnHarrison.pdf

● Intel uses formal verification quite extensively– Verification of Intel Pentium 4 floating-point unit with a mixture

of STE and theorem proving

– Verification of bus protocols using pure temporal logic model checking

– Verification of microcode and software for many Intel Itanium floating-point operations, using pure theorem proving

● FV found many high-quality bugs in P4 and verified “20%” of design

● FV is now standard practice in the floating-point domain


Case Studies: NASA SATSCase Studies: NASA SATS

● Small Aircraft Transportation System (SATS) Small Aircraft Transportation System (SATS)

http://sats.nasa.gov/http://sats.nasa.gov/

● Use of a software system that will sequence aircraft into Use of a software system that will sequence aircraft into the SATS airspace in the absence of an airport controllerthe SATS airspace in the absence of an airport controller

● There are serious safety issues associated with these There are serious safety issues associated with these software systems and their underlying key algorithmssoftware systems and their underlying key algorithms


Case Studies: NASA SATSCase Studies: NASA SATS

● The criticality of such software systems necessitates that The criticality of such software systems necessitates that strong guarantees of the safety be developed for themstrong guarantees of the safety be developed for them

● Under the SATS program NASA Langley researchers are Under the SATS program NASA Langley researchers are currently investigating rigorous verification of these currently investigating rigorous verification of these software system using formal methodssoftware system using formal methods– Modeling and Verification of Air TrafficModeling and Verification of Air Traffic

– Conflict Detection and AlertingConflict Detection and Alerting

– ……


VerificationVerification

● Two well established approaches to verificationTwo well established approaches to verification– Model CheckingModel Checking

– Theorem ProvingTheorem Proving

● Model checkingModel checking– Build a finite model of system and perform an exhaustive Build a finite model of system and perform an exhaustive

searchsearch

● Theorem ProvingTheorem Proving– Mechanization of a Mechanization of a logicallogical proof proof


Model CheckingModel Checking

● The technical challenge is to devise an algorithm for The technical challenge is to devise an algorithm for handling large spaceshandling large spaces

● Rebeca uses compositional verificationRebeca uses compositional verification



● There are two general approaches in model checkingThere are two general approaches in model checking

1.1. Temporal Model CheckingTemporal Model Checking

2.2. Model checking with a automaton specModel checking with a automaton spec

● The difference is between the specificationThe difference is between the specification– First one : Temporal LogicFirst one : Temporal Logic

– Second one : AutomatonSecond one : Automaton



● Model checking is completely automaticModel checking is completely automatic

● It produces counter examplesIt produces counter examples– The counter example usually represents subtle error in designThe counter example usually represents subtle error in design

● The main disadvantage : state explosion problem!The main disadvantage : state explosion problem!



● Several approaches for facing the state explosionSeveral approaches for facing the state explosion– Ordered binary decision diagrams (BDD) – McMillanOrdered binary decision diagrams (BDD) – McMillan

– Partial Order – PeledPartial Order – Peled

– Localization reduction – KurshanLocalization reduction – Kurshan

– Semantic minimization – ElseaidySemantic minimization – Elseaidy

● Checking large systems by using appropriate abstraction Checking large systems by using appropriate abstraction techniquestechniques– Burch et al. 10 ^ 120 states!Burch et al. 10 ^ 120 states!


Theorem ProvingTheorem Proving

● Both the system and its desired properties are expressed Both the system and its desired properties are expressed in some mathematical logicin some mathematical logic

● Theorem proving is the process of finding a proof from Theorem proving is the process of finding a proof from the axioms of the systemthe axioms of the system

● It can be roughly classifiedIt can be roughly classified– Highly automated programsHighly automated programs

– Interactive systems with special purpose capabilitiesInteractive systems with special purpose capabilities

● In contrast to model checking, it can deal with infinite In contrast to model checking, it can deal with infinite spacespace

● Relies on techniques like reductionRelies on techniques like reduction


Future WorkFuture Work

● Future work needs to be done in several areasFuture work needs to be done in several areas– CompositionComposition

– DecompositionDecomposition

– AbstractionAbstraction

– Reusable models and theoriesReusable models and theories

– Combinations of mathematical theoriesCombinations of mathematical theories

– Data structure and algorithmsData structure and algorithms


Thanks for listening

Spring 20061Advanced Software Engineering An Introduction to Formal Methods Marjan Sirjani Advanced...

Documents

Transcript of Spring 20061Advanced Software Engineering An Introduction to Formal Methods Marjan Sirjani Advanced...