SD3049 Formal Methods. Formal Methods Module Leader Dr Aaron Kans ([email protected])

SD3049 Formal Methods

Formal Methods

Module Leader

Dr Aaron Kans ([email protected])

What is this module about?


Ariane5 rocket crash


Ariane5 rocket crash

NASA’s Mars Climate Orbitor November 1999

Total project cost : $327.6 million


Developing software like an ENGINEER

High Integrity Software Development

By the end of this lecture you should be able to:

• define the term high integrity software;

• distinguish between different types of critical software;

• identify the weaknesses of testing as an approach to software verification;

• identify the weaknesses of natural language specifications;

• distinguish between formal and informal methods of software development;

Introduction

Often software is integrated into a mechanical or electronic system

Such software is known as embedded software

Costs of software failure in these systems can be dangerously high

Require a higher degree of confidence in the correctness of the software.

Such software is known as HIGH INTEGRITY SOFTWARE.

Critical Software

business critical software

mission critical software

safety critical software

Integrity Levels

Integrity level 5Integrity level 1

CLIENTDEVELOPER

FINAL APPLICATION

TESTING

SPECIFICATION

The importance of the specification

Limitations of Testing

1. Testing cannot take place until some implementation is available.

2. Testing can only help to uncover errors - it cannot guarantee the absence of them.

3. Testing is always carried out with respect to requirements as laid down in the specification.

UML: a review

BankAccount

accountNumber: StringaccountName: Stringbalance: Real

deposit (Real)withdraw (Real) : BooleancurrentBalance(): Real

Weakness of natural language specifications

Withdraw:

“Receives a requested amount to withdraw from the bank account and, if there are sufficient funds in the account, meets the request.

Returns a boolean value indicating success or failure of the attempt to withdraw money from the account.”

Natural language descriptions do not have a fixed meaning, they are ambiguous.

These notations do not have a fixed semantics

Incomplete specifications

A specification can be considered incomplete when the behaviour is not completely defined.

Withdraw:



Inconsistent specifications

A specification is inconsistent when it contains within it contradictions.

Withdraw:



OVERDRAFT?

Formal languages

It is desirable to use a specification notation with a fixed, unambiguous, semantics.

Notations that have a fixed semantics are known as formal notations, or formal languages.

A fixed semantics is achieved by defining a language in a completely unambiguous way using a mathematical framework.

Formal Methods

initial formal specification

1st transformation

2nd transformation

nth transformation

final program

A formal method includes a proof system for demonstrating that each transformation preserves the formal meaning captured in the previous step.

Advantages of formal methods

• Generates good test cases;

• increases confidence that the specification accurately captures the real system requirements;

• important properties of the initial specification can be checked mathematically;

• proofs can help uncover design errors as soon as they are made;

• a proof of program correctness can be constructed.

Classifying formal methods

Algebraic Model-based

Sequential systems

Larch Vienna Development Method (VDM)

Z

B

Concurrent Systems

Calculus of Communicating Systems (CCS) OBJ

Prototype Verification System (PVS) Concurrent Sequential Processes (CSP)

SD3049 Formal Methods. Formal Methods Module Leader Dr Aaron Kans ([email protected])

Documents

Transcript of SD3049 Formal Methods. Formal Methods Module Leader Dr Aaron Kans ([email protected])