Formal Methods: Industrial Use
CS 415, Software Engineering II
Mark Ardis, Rose-Hulman Institute
March 21, 2003
Outline
Controversy over formal methods
Where are formal methods used?
Four stories:
  IBM CICS project
  Tektronix oscilloscope
  LOTOS at Bell Labs
  VFSM at Bell Labs
Controversy Over Formal Methods
DeMillo, Lipton and Perlis, "Social Processes and Proofs of Theorems and Programs", CACM, May 1979.
Fetzer, "Program Verification: The Very Idea", CACM, September 1988.
The "Gang of 10": the reply to Fetzer signed by ten formal-methods researchers, CACM, 1989.
Where are Formal Methods Used?
Safety-critical applications:
  aviation
  railway transportation
  MOD 00-55 (the UK Ministry of Defence standard for safety-related software)
Other high-integrity systems
Application generators
Hardware design
IBM CICS Project
Maintenance of the Customer Information Control System (CICS)
Used Z to reverse-engineer old code
Found more errors earlier in the lifecycle
Maintenance of CICS
Old (> 30 years)
Large (> 500 KLOC)
Multiple languages (assembler and a special dialect of PL/I)
Many users
Several configurations
Restructuring of CICS
A necessary first step before Z could be used
Independent of any method
Reverse Engineering
Z specifications derived from:
  manuals
  developers
  code
About half of CICS described in Z (230 KLOC)
Modules added or rewritten later from the Z specifications
IBM Development Process
Used the standard IBM process, including:
  design reviews
  code inspections
  testing
Used standard IBM programming languages, plus a guarded command language
Required training of staff in Z
IBM Training
Used standard IBM courses, including:
  discrete mathematics
  software engineering workshop
Augmented with Z courses:
  4 days for writers
  2 days for readers
  1 day for managers
IBM Results
More time spent in design
Inspections required less preparation, but took longer to conduct
More problems found earlier, in design
Fewer problems found in testing
Overall time was 9% less than average
Won the Queen's Award for productivity
Tektronix
Exploratory project
Discovered useful abstractions
Concentrated on the process of specification, not the product
Tektronix Process
Two researchers (DeLisle and Garlan) investigated the general problem area:
  talked to engineers
  tried to describe existing devices
Discussed trial specifications with engineers
Tektronix Results
Original descriptions were operational
Researchers found an abstraction (the waveform) that clarified the roles of hardware and software engineers
Resulting specification yielded insights about tradeoffs:
  user interfaces
  sampling methods
  hardware/software partitioning
Tektronix Lessons
Industrial engineers can understand formal specifications
Abstraction was very valuable in focusing attention on the right problem
Specification was a process, not a product
LOTOS at Bell Labs
Some formal methods already used in switching applications:
  SDL
  Promela
  VFSM
Opportunity to try LOTOS in 1991
  Language Of Temporal Ordering Specification (ISO 8807)
  New standard for telecommunication protocols
Primitive LOTOS Project
Basic LOTOS difficult to use:
  too much redundancy
  too little redundancy
Primitive LOTOS (PLOTOS):
  added declarations
  more "C"-like
PLOTOS Results
Used on parts of several projects
Tools were popular
Solved the wrong problem:
  specification was a verb, not a noun
  "spaceship theory"
PLOTOS Lessons
Software developers in Naperville are an oral culture:
  work via meetings
  very little abstraction
Need to first move to a literary paradigm:
  domain engineering to capture knowledge in writing
  domain-specific languages to develop formal notations
VFSM at Bell Labs
Manager convinced by a former teacher to try Virtual Finite State Machines (VFSM)
Constructed a compiler to C
Later adapted SPIN for model checking
VFSM Results
Used on several projects
Tools were popular
Solved the right problem:
  compiled to executable code
  testing was the most onerous job of development
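The VFSM story turns on a specification that is both executable and exhaustively checkable: the state table compiles to running code, and a model checker answers questions about every reachable state that would otherwise have to be covered by hand-written tests. The block below is an added illustration of that pairing; it is not code from the talk, from the Bell Labs VFSM compiler, or from SPIN. The table notation, the telephone-line specification and its faulty variant are all constructed for this example.

```python
from collections import deque

# Constructed sample spec for a telephone-line controller, written in a
# hypothetical table notation (NOT the Bell Labs VFSM notation):
# (current state, input event) -> (next state, output action).
LINE_SPEC = {
    ("idle", "offhook"):     ("dialtone",  "start_tone"),
    ("dialtone", "digits"):  ("ringing",   "ring_callee"),
    ("dialtone", "onhook"):  ("idle",      "stop_tone"),
    ("ringing", "answer"):   ("connected", "connect"),
    ("ringing", "onhook"):   ("idle",      "stop_ring"),
    ("connected", "onhook"): ("idle",      "disconnect"),
}
INITIAL = "idle"

# Constructed faulty variant: the designer forgot that a connected call can
# be hung up, so the "connected" state has no way out.
BUGGY_SPEC = {k: v for k, v in LINE_SPEC.items() if k != ("connected", "onhook")}


def compile_fsm(spec, initial):
    """Turn the table into executable code: step() handles one event, run()
    a whole sequence. This stands in for the 'compiler to C' of the story;
    the target here is a pair of closures rather than C source."""
    def step(state, event):
        # An event with no entry for the current state is ignored:
        # the machine stays put and emits no action.
        return spec.get((state, event), (state, None))

    def run(events):
        state, actions = initial, []
        for event in events:
            state, action = step(state, event)
            if action is not None:
                actions.append(action)
        return state, actions

    return step, run


def reachable_states(spec, start):
    """Breadth-first search over the transition graph from `start`."""
    seen, queue = {start}, deque([start])
    while queue:
        state = queue.popleft()
        for (src, _event), (dst, _action) in spec.items():
            if src == state and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def check_spec(spec, initial):
    """Exhaustive checks over the whole state space, the kind of question a
    model checker answers without anyone writing test cases:
      1. no reachable state is a dead end (no outgoing transition);
      2. from every reachable state the line can get back to `initial`
         (a call that can never be torn down holds its resources forever).
    Returns a list of (state, problem); an empty list means both hold."""
    findings = []
    for state in sorted(reachable_states(spec, initial)):
        has_exit = any(src == state for (src, _event) in spec)
        if not has_exit:
            findings.append((state, "dead end: no outgoing transition"))
        elif initial not in reachable_states(spec, state):
            findings.append((state, "cannot return to " + initial))
    return findings


if __name__ == "__main__":
    _step, run = compile_fsm(LINE_SPEC, INITIAL)
    print(run(["offhook", "digits", "answer", "onhook"]))
    for name, spec in (("LINE_SPEC", LINE_SPEC), ("BUGGY_SPEC", BUGGY_SPEC)):
        print(name, check_spec(spec, INITIAL) or "ok")
```

Finding the missing hang-up transition by testing would require a case that drives the line through off-hook, dialling and answer before trying to hang up; `check_spec` finds it from the table alone, and it keeps finding it no matter how the table grows. A real model checker such as SPIN does far more (concurrent processes, temporal-logic properties, counterexample traces), but the shape is the same: one source of truth that both runs and is checked.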
VFSM Lessons
Bottom-up development is more easily accepted than top-down
Free lunches are a powerful force
Revolutionary methods need crusaders
Summary
Formal methods provide substantial benefits, but at a cost
May be most applicable in established domains
Adoption requires cultural change for many organizations