Introduction to Formal Methods in Software Engineering
Inzemamul Haque, 22 Nov 2016
Acknowledgement
• Dr. K.V. Raghavan and Dr. Deepak D’Souza for the content from their course “Formal Methods in Software Engineering”
Outline
• Motivation
• Definition
• Alloy
• Model-checking
Motivation
• Software projects fail [Barry Boehm, ICSE’06]
– 90% overrun on cost
– 121% overrun on schedule
– Delivers only 61%
• Finding and fixing bugs consumes 50% of the total effort in software development
Causes of failure
• User requirements not specified properly
• Design does not meet user requirements
– More than 50% of all defects are due to the above two reasons
• Implementation errors
– Low-level errors such as null-pointer dereference, array index out of bounds
– As software ages, size increases, hence complexity increases
– Hence implementation errors increase with age
Using mathematical techniques can help
Formal methods - definition
• Formal methods in software engineering are mathematical techniques employed in software development to make it more reliable and robust
• Various tools based on these techniques have been developed
Alloy
• Formal modelling of entities and associations using sets and relations
• Modelling of constraints on the entities
• Analyzing the consistency of the model and identifying the errors
Example – family relationships
• Relationships between “Person” entities
• Constraints:
– Every person has two parents
– Parents of any child are married
– Cannot marry a sibling or a parent
– Every person is married to at most one person
– a married to b implies b is married to a
– A man can only marry a woman and vice-versa
How Alloy works
• An Alloy model M is interpreted as a conjunctive logical formula, f_M
• Constraints enforced by signatures as well as facts automatically become part of f_M
• An instance or solution to the model is
– A finite universe U of atoms
– An assignment of subsets of U to the different signatures
– An assignment of relations over U to the different relations declared in the model
such that it satisfies f_M
Modelling notation to logical formula
• For example, “no p: Person | some p.spouse & p.parents”
becomes
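The formula the slide shows at this point did not survive extraction. As an added example (not the slides' Alloy code), the following Python encodes the family model's signatures and facts as predicates, takes their conjunction f_M, and evaluates it on two constructed six-person instances, reporting which conjuncts fail, which is the information an analyzer turns into a counter-example. The predicate names and the universe m1..m3, w1..w3 are choices made for this example. It also shows something the facts on the slide do not rule out: nothing is said about ancestry, so an instance in which m1 is his own grandparent satisfies every fact, exactly the kind of unintended instance an analyzer surfaces.

```python
"""Evaluating an Alloy-style family model on a finite instance.

Constructed example, not the slides' Alloy code. The model M is a list of
signature constraints and facts; f_M is their conjunction. An instance is a
finite universe of atoms with sets assigned to the signatures (Man, Woman)
and relations assigned to the fields (spouse, parents). `violations` reports
each conjunct of f_M the instance fails. Constraint names and the universe
m1..m3, w1..w3 are choices made for this example.
"""

def join(atom, rel):
    """Alloy's dot-join of an atom with a binary relation: atom.rel."""
    return {b for a, b in rel if a == atom}

def siblings(p, inst):
    """People other than p who share at least one parent with p."""
    mine = join(p, inst["parents"])
    return {q for q in inst["Person"] if q != p and join(q, inst["parents"]) & mine}

def sig_partition(i):
    # signature constraint: Man and Woman partition Person
    return (i["Man"] | i["Woman"]) == i["Person"] and not (i["Man"] & i["Woman"])

def two_parents(i):
    return all(len(join(p, i["parents"])) == 2 for p in i["Person"])

def parents_married(i):
    return all((a, b) in i["spouse"]
               for p in i["Person"]
               for a in join(p, i["parents"])
               for b in join(p, i["parents"]) if a != b)

def marry_sibling_or_parent(i):
    # "no p: Person | some p.spouse & p.parents", extended to siblings
    return not any(join(p, i["spouse"]) & (join(p, i["parents"]) | siblings(p, i))
                   for p in i["Person"])

def at_most_one_spouse(i):
    return all(len(join(p, i["spouse"])) <= 1 for p in i["Person"])

def spouse_symmetric(i):
    return all((b, a) in i["spouse"] for a, b in i["spouse"])

def man_marries_woman(i):
    # with Man/Woman partitioning Person: exactly one of the pair is a man
    return all((a in i["Man"]) != (b in i["Man"]) for a, b in i["spouse"])

# The conjuncts of f_M: the signature constraint first, then the slide's facts.
CONSTRAINTS = [sig_partition, two_parents, parents_married, marry_sibling_or_parent,
               at_most_one_spouse, spouse_symmetric, man_marries_woman]

def violations(inst):
    """Names of the conjuncts the instance violates; empty means it is a solution."""
    return [c.__name__ for c in CONSTRAINTS if not c(inst)]

def family(spouses, parents):
    """Build an instance over the constructed universe m1..m3, w1..w3."""
    men, women = {"m1", "m2", "m3"}, {"w1", "w2", "w3"}
    return {"Person": men | women, "Man": men, "Woman": women,
            "spouse": set(spouses) | {(b, a) for a, b in spouses},  # symmetric closure
            "parents": {(child, par) for child, ps in parents.items() for par in ps}}

# A solution: every fact holds. The slide's facts say nothing about ancestry,
# so this instance, in which m1 is his own grandparent (m1's parent is w2,
# whose parent is m1), is accepted; an analyzer would draw it and expose the
# missing "nobody is their own ancestor" fact.
FAMILY_OK = family(
    [("m1", "w1"), ("m2", "w2"), ("m3", "w3")],
    {"m1": {"m2", "w2"}, "w1": {"m3", "w3"}, "m2": {"m3", "w3"},
     "w2": {"m1", "w1"}, "m3": {"m1", "w1"}, "w3": {"m2", "w2"}})

# Same universe, but w1 now shares m1's parents, so m1 is married to a sibling.
FAMILY_BAD = family(
    [("m1", "w1"), ("m2", "w2"), ("m3", "w3")],
    {"m1": {"m2", "w2"}, "w1": {"m2", "w2"}, "m2": {"m3", "w3"},
     "w2": {"m1", "w1"}, "m3": {"m1", "w1"}, "w3": {"m2", "w2"}})

if __name__ == "__main__":
    print(violations(FAMILY_OK))    # []
    print(violations(FAMILY_BAD))   # ['marry_sibling_or_parent']
```

`marry_sibling_or_parent` is the Python rendering of the slide's “no p: Person | some p.spouse & p.parents” with the sibling case added, and `join` plays the role of Alloy's dot-join; an analyzer does the same evaluation, but searches over all instances within a scope instead of checking the two written here.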
Model-checking
• Model-checking can be used to check if an initial design satisfies certain properties
• Given an abstract model such as a state machine, and a specification of behaviour (typically in temporal logic), the model checker checks whether the model satisfies the property
• If not, it provides a counter-example
Example
• “nocreate”: Once a task has ended it is never created again.
• “nostarve”: Once a task is ready it eventually runs.
• “stateseq”: Each task follows the specified state motion.
Temporal logic
• p: an atomic proposition
• X p: property p holds starting in the next state
• F p: property p holds eventually, in a future state
• G p: property p holds at all future states
• U(p,q): property q holds eventually and p holds till that time
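As an added example (not from the slides), the operators above can be evaluated exactly on a lasso-shaped trace, a finite prefix followed by a cycle repeated forever, which is the form in which model checkers report counter-examples. The tuple encoding of formulas, the three traces, and the LTL renderings of “nocreate”, “nostarve” and “stateseq” from the previous slide are constructed here.

```python
"""Evaluating LTL operators on a lasso-shaped trace.

Constructed example, not from the slides. A counter-example from a model
checker is a lasso: a finite prefix followed by a cycle repeated forever, so
any infinite path it reports has a finite representation on which X, F, G
and U can be evaluated exactly. Formulas are nested tuples, propositions
are strings, and each trace position is the set of propositions true there.
"""

def ap(name):
    return ("ap", name)

def implies(p, q):
    return ("or", ("not", p), q)

def holds(formula, trace, i=0):
    """Does `formula` hold at position i of trace = (prefix, cycle)?"""
    prefix, cycle = trace
    word = prefix + cycle              # positions 0 .. n-1; the cycle starts at len(prefix)
    n = len(word)

    def nxt(k):                        # successor position, wrapping back into the cycle
        return k + 1 if k + 1 < n else len(prefix)

    def future(k):                     # every distinct suffix position reachable from k
        positions = []
        while k not in positions:
            positions.append(k)
            k = nxt(k)
        return positions

    def before(src, dst):              # positions visited walking src -> dst, dst excluded
        out = []
        while src != dst:
            out.append(src)
            src = nxt(src)
        return out

    op, *args = formula
    if op == "ap":
        return args[0] in word[i]
    if op == "not":
        return not holds(args[0], trace, i)
    if op == "and":
        return holds(args[0], trace, i) and holds(args[1], trace, i)
    if op == "or":
        return holds(args[0], trace, i) or holds(args[1], trace, i)
    if op == "X":                      # X p: p holds in the next state
        return holds(args[0], trace, nxt(i))
    if op == "F":                      # F p: p holds at some future position
        return any(holds(args[0], trace, j) for j in future(i))
    if op == "G":                      # G p: p holds at every future position
        return all(holds(args[0], trace, j) for j in future(i))
    if op == "U":                      # U(p, q): q eventually, and p at every step before
        p, q = args
        return any(holds(q, trace, j) and all(holds(p, trace, k) for k in before(i, j))
                   for j in future(i))
    raise ValueError(f"unknown operator {op!r}")

# LTL renderings of the three properties on the previous slide (constructed encoding).
NOCREATE = ("G", implies(ap("ended"), ("G", ("not", ap("created")))))
NOSTARVE = ("G", implies(ap("ready"), ("F", ap("running"))))
STATESEQ = ("G", ("and", implies(ap("created"), ("X", ap("ready"))),
                         implies(ap("ready"), ("U", ap("ready"), ap("running")))))

# Constructed traces of a single task.
GOOD = ([{"created"}, {"ready"}, {"running"}], [{"ended"}])          # c r x e e e ...
STARVE = ([{"created"}], [{"ready"}])                                  # c r r r ...
RESPAWN = ([], [{"created"}, {"ready"}, {"running"}, {"ended"}])      # c r x e c r x e ...

if __name__ == "__main__":
    for name, f in (("nocreate", NOCREATE), ("nostarve", NOSTARVE), ("stateseq", STATESEQ)):
        print(name, [holds(f, t) for t in (GOOD, STARVE, RESPAWN)])
```

Because a lasso has only finitely many distinct suffixes, `future` enumerates them all, so F and G are decided exactly rather than approximated on a truncated prefix; STARVE fails “nostarve” because the `ready` cycle never reaches `running`, and RESPAWN fails “nocreate” because `created` recurs after `ended`.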
Model-checking
• Property P can be expressed as an LTL formula, F
• Construct a Büchi automaton, A, for not F
• Take the “product” of A with the transition system of the model, T
• Look for an accepting path in this product
• If such a path exists, it is a counter-example to the claim that T satisfies the property P
• If no such path exists, then T satisfies P
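The recipe above, as an added example that is not code from the slides: a constructed task lifecycle (states created, ready, running, ended) is checked against the “nocreate” and “nostarve” properties by forming the product of the transition system with a Büchi automaton for the negated property and searching the product for a reachable accepting cycle. The transition systems, the labelling and the automata are all hand-written assumptions of this example; a real checker derives the automaton from the LTL formula automatically, and that translation is not shown here.

```python
"""LTL model checking by the automata-theoretic recipe, on a toy task model.

Constructed example, not code from the slides. The transition system T, the
labelling and the Büchi automata for the negated properties are all hand
written here; a real checker derives the automaton from the LTL formula.
"""
from collections import deque

# Labelling L(s): which atomic propositions hold in each task state.
LABELS = {"c": {"created"}, "r": {"ready"}, "x": {"running"}, "e": {"ended"}}

# Transition system T as an adjacency map (constructed sample models).
GOOD_TS = {"c": ["r"], "r": ["x"], "x": ["r", "e"], "e": ["e"]}
# Buggy variant: an ended task is recreated (e -> c) and the scheduler may
# leave a ready task waiting forever (r -> r).
BAD_TS = {"c": ["r"], "r": ["r", "x"], "x": ["r", "e"], "e": ["c"]}

def always(_labels):
    return True

# Büchi automaton for NOT P: (initial state, accepting states, transitions),
# where transitions[q] lists (guard, q') and guard(L(s)) decides if the edge fires.
# not nocreate = F(ended and F created): observe "ended", later observe "created".
NOT_NOCREATE = ("q0", {"q2"}, {
    "q0": [(always, "q0"), (lambda l: "ended" in l, "q1")],
    "q1": [(always, "q1"), (lambda l: "created" in l, "q2")],
    "q2": [(always, "q2")],
})
# not nostarve = F(ready and G not running): observe "ready", never "running" again.
NOT_NOSTARVE = ("q0", {"q1"}, {
    "q0": [(always, "q0"), (lambda l: "ready" in l, "q1")],
    "q1": [(lambda l: "running" not in l, "q1")],
})

def product_successors(ts, automaton, state):
    """Successors of (s, q) in T x A: T moves s -> s' while A reads L(s)."""
    _, _, delta = automaton
    s, q = state
    return [(s2, q2) for s2 in ts[s] for guard, q2 in delta[q] if guard(LABELS[s])]

def reachable(ts, automaton, start):
    """BFS over the product; returns {state: predecessor} for path recovery."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in product_successors(ts, automaton, cur):
            if nxt not in parent:
                parent[nxt] = cur
                queue.append(nxt)
    return parent

def path_to(parent, target):
    """Walk predecessor links back to the BFS root; returns root..target."""
    path = []
    while target is not None:
        path.append(target)
        target = parent[target]
    return path[::-1]

def find_counterexample(ts, init, automaton):
    """Return (prefix, cycle) of an accepting lasso in T x A, or None.

    An accepting run of the product visits some accepting state infinitely
    often, so one exists exactly when a reachable accepting product state
    lies on a cycle. The lasso projected onto T is the counter-example to P.
    """
    q0, accepting, _ = automaton
    parent = reachable(ts, automaton, (init, q0))
    for state in parent:
        if state[1] not in accepting:
            continue
        for succ in product_successors(ts, automaton, state):
            back = reachable(ts, automaton, succ)   # can we get back to `state`?
            if state in back:
                prefix = [s for s, _ in path_to(parent, state)]
                cycle = [s for s, _ in path_to(back, state)]   # succ .. state
                return prefix, cycle
    return None

if __name__ == "__main__":
    for name, prop in (("nocreate", NOT_NOCREATE), ("nostarve", NOT_NOSTARVE)):
        for model, ts in (("good", GOOD_TS), ("bad", BAD_TS)):
            print(name, model, find_counterexample(ts, "c", prop))
```

The search is the simple "for every reachable accepting state, look for a path back to it" formulation; production checkers use nested depth-first search or SCC decomposition to do the same in one pass. For BAD_TS the “nocreate” counter-example is the prefix c, r, x, e, c, r followed by the ready self-loop, which already contains an `ended` state followed by a `created` one.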
Büchi automata
Some model checkers
• SAL – developed by Stanford Research Institute
• SLAM – developed by Microsoft Research
• BLAST – developed by University of California, Berkeley
VCC
• Works on Hoare Logic