formal methods
play

Formal Methods Software Engineering 2008 Bernd Schoeller ETH - PowerPoint PPT Presentation

Mar 18, 2024 •480 likes •806 views

Formal Methods Software Engineering 2008 Bernd Schoeller ETH Zurich The Grand Challenge The ideal of correct software has long been the goal of research in Computer Science. We now have a good theoretical understanding of how to describe what

  1. Formal Methods Software Engineering 2008 Bernd Schoeller ETH Zurich

  2. The Grand Challenge The ideal of correct software has long been the goal of research in Computer Science. We now have a good theoretical understanding of how to describe what programs do, how they do it, and why they work. This understanding has already been applied to the design, development and manual verification of simple programs of moderate size that are used in critical applications. Automatic verification could greatly extend the benefits of this technology. [...] the time is ripe to embark on an international Grand Challenge project to construct a program verifier that would use logical proof to give an automatic check of the correctness of programs submitted to it. (Hoare and Misra, July 2005)

  3. Lecture Contents ● Software verification overview – Bottom-up verification – Top-down verification ● Specification problems for verification – Specify what software does – Specify what software does not ● Tool demonstration – Rodin, Slam, (Spec#)

  4. Proof Overview Specification Implementation Prover

  5. Verification Problems ● State space explosion ● Combinatorial explosion ● Overall complexity ● Specification problems

  6. Implementation vs. Specification Implementation Specification ● Concrete ● Abstract ● Constructive ● Descriptive ● Deterministic (mostly) ● Non-deterministic ● All is finite ● Can describe infinity ● Describes everything ● Describes only parts ● Can be executed by a ● Can not be executed machine by a machine

  7. Bottom-Up Verification Implementation D Implementation C Implementation A Implementation B

  8. Information Hiding Interface D Implementation D Interface C Implementation C Interface A Interface B Implementation A Implementation B

  9. Modular verification Interface A Implementation A

  10. Modular verification Interface B Implementation B

  11. Modular verification Interface C Implementation C Interface A Interface B

  12. Modular verification Interface D Implementation D Interface C Interface B

  13. Assumption of System Correctness If each implementation is correct with respect to its interface, based on the interfaces of the modules it uses, then the overall system is correct.

  14. Verification Technology ● Axiomatic Semantics – Hoare triples: {P} S {Q} – Weakest precondition computation ● Provers – Automatic (Simplify, Z3) – Interactive (Isabelle, COQ) – Model checking (blast, slam, ...)

  15. The ideal specification too strong – implementation inefficient / impossible – difficult to change (information hiding) too weak – reasoning difficult for clients – not composable – side-effects: proofs impossible

  16. Specification problems of Design by Contract Contracts on unbounded data Possible Solution: model-based contracts Frame problem Possible Solution: Dynamic Frame Contracts (DFC)

  17. Unbound data class LINKED_QUEUE[G] feature put (v: G) -- Put `v' into the queue. ensure ? remove -- Remove the oldest element from the queue. ensure ? item: G -- Oldest element in the queue ensure ? end 17

  18. Model-based contracts class LINKED_QUEUE[G] feature put (v: G) -- Put `v' into the queue. ensure model = old model.prepended (v) remove -- Remove the oldest element from the queue. ensure model = old model.front item: G -- Oldest element in the queue ensure Result = model.last model: MML_SEQUENCE[G] -- Contents of queue viewed as a sequence 18 end

  19. Frame Problem ● You have a green box in Zürich and you want to have a red box in Luzern. Move Boxes Inc All-red Painters AG Specification : Give us the Specification : Give the Does it work? box and some money in box and some money, Zürich, and we will and we will change the transport the box to color of the box to red. Luzern within 2 days. 19

  20. Frame Problem and DbC class PERSON feature -- Interface view last_name: STRING set_last_name (name: STRING) ensure last_name = name end class CIVIL_REGISTRY_OFFICE feature marry (first_person, second_person: PERSON) require first_person /= second_person do second_person.set_last_name (first_person.last_name) ensure first_person.last_name = second_person.last_name end end

  21. Frames State FRAME A modify (“Set of (“write effect”) first_person. Resources”) last_name (query) second_person. set_last_name FRAME B use (“Set of (“read effect”) (command) Resources”) Resource can be: memory (fields), file, network state, ...

  22. Hidden dependencies first_person second_person PERSON A PERSON B

  23. Frame specifications strong specification weak specification class PERSON feature class PERSON feature -- Interface view -- Interface view last_name: STRING last_name: STRING use use { Current } personal_data set_last_name (name: STRING) set_last_name (name: STRING) ensure ensure last_name = name last_name = name modify modify { Current } personal_data end personal_data: FRAME end 23

  24. Video Ballet Verifier 24

  25. Top-Down Verification Specification 2. Specification 3. Specification 4. Specification Implementation

  26. B Method ● Development by stepwise refinement ● Invented by J. R. Abrial (currently giving lectures at ETH!) ● Provers: Atelier B, B4Free, Rodin Platform ● Animator and Model Checker: ProB ● Industrial application: – Embedded devices – > 100000 LOC verified for the Paris Metro

  27. Example: Traffic Light driveNS: BOOL driveEW: BOOL INVARIANT: not (driveNS and driveEW) EVENT: goNS := WHERE driveNS = FALSE THEN driveEW := TRUE END

  28. Example: Traffic Light redLightNS,yellowLightNS,greenLightNS: BOOL redLightEW,yellowLightEW,greenLightEW: BOOL INV: greenLightNS = driveNS, greenLightEW = driveEW EVENT: goEW := WHERE redLightNS = FALSE THEN redLightEW, yellowLightEW, greenLightEW := FALSE,FALSE,TRUE END

  29. Prove Obligations ● Within a machine, you have to prove: – That the initialization establishes the invariant – That each event re-establishes the invariant ● Within a refinement, you also have to prove – That the new initialization implies the old initialization – That refined events imply the old state change – That the new events refine SKIP

  30. Demo Rodin Workbench

  31. Problems with Top-Down Verification ● It is a mind-twister ● One needs to know all specifications from very early on ● Composition is difficult ● Reuse is very difficult ● Uncommon thinking ● Many common SE practice cannot be easily transfered: Information hiding, OO, pointers, ... But they are working on it, so keep your eyes open

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Formal Methods and Cryptography Lecture 24 1 Formal Methods 2 Formal Methods Logical

Formal Methods and Cryptography Lecture 24 1 Formal Methods 2 Formal Methods Logical

Formal Methods and Cryptography Lecture 24 1 Formal Methods 2 Formal Methods Logical foundations of computer science 2 Formal Methods Logical foundations of computer science A language that machines can understand 2 Formal Methods

1.22k views • 121 slides
Formal Methods Michael Collins. 18-849, Section B Spring 1999 Formal Methods Why

Formal Methods Michael Collins. 18-849, Section B Spring 1999 Formal Methods Why

Formal Methods Michael Collins. 18-849, Section B Spring 1999 Formal Methods Why Formalisms? Relationships Flaws Some systems Conclusions Why Formal Methods? We already can build systems. Roman Engineers built

671 views • 12 slides
Lecture Outline 1. The lecturer 2. Introduction to Formal Methods DD2452 Formal Methods 3.

Lecture Outline 1. The lecturer 2. Introduction to Formal Methods DD2452 Formal Methods 3.

Lecture Outline 1. The lecturer 2. Introduction to Formal Methods DD2452 Formal Methods 3. Course syllabus 4. Course objectives Introductory Lecture 5. Course organization 1. Lecturer 2. Formal Methods Name: Dilian Gurov Formal

56 views • 3 slides
Formal Methods and Cryptography Lecture 25 Formal Methods Formal Methods Logical foundations

Formal Methods and Cryptography Lecture 25 Formal Methods Formal Methods Logical foundations

Formal Methods and Cryptography Lecture 25 Formal Methods Formal Methods Logical foundations of computer science Formal Methods Logical foundations of computer science A language that machines can understand Formal Methods Logical

1.67k views • 123 slides
Testing/Simulation Formal Analysis Real System Formal Model Partial coverage Complete coverage

Testing/Simulation Formal Analysis Real System Formal Model Partial coverage Complete coverage

Formal Methods Assurance for TTP John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Formal Methods Assurance for TTP: 1 Formal Methods for Analysis and Assurance: The Idea Testing/Simulation Formal

200 views • 6 slides
Specifying circuit properties in PSL Formal methods Mathematical and logical methods used in

Specifying circuit properties in PSL Formal methods Mathematical and logical methods used in

Specifying circuit properties in PSL Formal methods Mathematical and logical methods used in system development Aim to increase confidence in riktighet of system Apply to both hardware and software 1 Formal methods Complement other

524 views • 25 slides
A Review of Formal Methods : 200514170 : (T4) (T4)

A Review of Formal Methods : 200514170 : (T4) (T4)

A Review of Formal Methods : 200514170 : (T4) (T4) Contents INTRODUCTION INTRODUCTION DEFINITION AND OVERVIEW OF FORMAL METHODS SPECIFICATION METHODS LIFE CYCLES AND

317 views • 19 slides
Requirements and Formal Methods Softw are Engineering Overview Overview on the RE process

Requirements and Formal Methods Softw are Engineering Overview Overview on the RE process

Requirements and Formal Methods Softw are Engineering Overview Overview on the RE process What are Formal Methods? Advantages and Disadvantages of Formal Methods Formal Methods in the Requirement Process Mathematical Formulas

561 views • 20 slides
THEY DIDNT KNOW THEY WERE DOING MATHEMATICS INTRODUCING FORMAL METHODS USING REWRITING

THEY DIDNT KNOW THEY WERE DOING MATHEMATICS INTRODUCING FORMAL METHODS USING REWRITING

THEY DIDNT KNOW THEY WERE DOING MATHEMATICS INTRODUCING FORMAL METHODS USING REWRITING LOGIC Peter Olveczky University of Oslo FMfun19, December 3, 2019 OUTLINE How to introduce formal methods to undergraduates? Fun!

1.95k views • 171 slides
Formal Methods at Intel An Overview John Harrison Intel Corporation Second NASA Formal

Formal Methods at Intel An Overview John Harrison Intel Corporation Second NASA Formal

Formal Methods at Intel An Overview John Harrison Intel Corporation Second NASA Formal Methods Symposium NASA HQ, Washington DC 14th April 2010 (09:0010:00) 0 Table of contents Intels diverse verification problems Verifying

834 views • 45 slides
A Formal (proved) Approach to Discrete System Development Modeling J-R. Abrial September 2004

A Formal (proved) Approach to Discrete System Development Modeling J-R. Abrial September 2004

A Formal (proved) Approach to Discrete System Development Modeling J-R. Abrial September 2004 Purpose of the Course - Giving some insights about Formal Methods - Showing that Formal Methods can be made practical - Illustrating Formal Methods

1.25k views • 112 slides
Formal Methods && Tools Group Stefania Gnesi F F F M&&T M&&T

Formal Methods && Tools Group Stefania Gnesi F F F M&&T M&&T

F F F Formal Methods && Tools Group Stefania Gnesi F F F M&&T M&&T M&&T June 27, 03 Formal Methods && Tools Group - ISTI CNR CAF - 1 F F F Outline Overview of the Formal Methods

276 views • 23 slides
Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember

Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember

3BA31 Formal Methods 1 3BA31: Formal Methods Andrew Butterfield Foundations & Methods Group, Software Systems Laboratory Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember This? A Stock

1.75k views • 151 slides
Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember

Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember

3BA31 Formal Methods 1 3BA31: Formal Methods Andrew Butterfield Foundations & Methods Group, Software Systems Laboratory Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember This? A Stock

631 views • 33 slides
1Initial Ideas on Formal Methods UIT2206: The Importance of Being Formal Martin Henz January

1Initial Ideas on Formal Methods UIT2206: The Importance of Being Formal Martin Henz January

Preliminaries Hallmarks of a Formal Approach Formal Systems in Information Technology 1Initial Ideas on Formal Methods UIT2206: The Importance of Being Formal Martin Henz January 15, 2014 Generated on Wednesday 15 th January, 2014, 09:54

517 views • 49 slides
Formal Methods and the Chromatic Number of the Plane Marijn J.H. Heule Formal Methods in

Formal Methods and the Chromatic Number of the Plane Marijn J.H. Heule Formal Methods in

Formal Methods and the Chromatic Number of the Plane Marijn J.H. Heule Formal Methods in Mathematics January 8, 2020 1 / 35 marijn@cmu.edu Computer-Aided Mathematics Chromatic Number of the Plane Clausal Proof Optimization

634 views • 52 slides
!"#$%&'()*)+,&')-)./012345062/)02),610478) 9/:612/;</0=>)#6?<3)@<7860A)

!"#$%&'()*)+,&')-)./012345062/)02),610478) 9/:612/;</0=>)#6?<3)@<7860A)

!"#$%&'()*)+,&')-)./012345062/)02),610478) 9/:612/;</0=>)#6?<3)@<7860A) !"#$%&'()"*+& ,*-.+/#*%/&$0&1$#-(/*+&!2"*%2*& 3%"4*+5"/6&1$))*7*&8$%9$%&

1.4k views • 111 slides
Introduction to Experimental Robotics CSCI 1108 Lecture 2 Introduction to Aseba CSCI 1108

Introduction to Experimental Robotics CSCI 1108 Lecture 2 Introduction to Aseba CSCI 1108

Introduction to Experimental Robotics CSCI 1108 Lecture 2 Introduction to Aseba CSCI 1108 Lecture 2 1 / 18 Administrivia For Section 2 (1-2:30pm): A note taker is required to assist one of your peers. If you are interested, please go to

636 views • 18 slides
AnimeNintendo Tue 25 Feb 2020 10:39:30 AM CST

AnimeNintendo Tue 25 Feb 2020 10:39:30 AM CST

The company History Start Mario Language Mario & Luigis Plumbing Plantastrophe! Luigi Luigis Mansion 3 Super Mario Bros Super Show AnimeNintendo Tue 25 Feb 2020 10:39:30 AM CST

677 views • 35 slides
Detecting Manipulation in Cup and Round Robin Sports Competitions Peter van Beek University of

Detecting Manipulation in Cup and Round Robin Sports Competitions Peter van Beek University of

Detecting Manipulation in Cup and Round Robin Sports Competitions Peter van Beek University of Waterloo 24th IEEE International Conference on Tools with Artificial Intelligence November 79, 2012, Athens, Greece Joint work with Tyrel Russell

574 views • 25 slides
Artificial Intelligence: Methods and applications Lecture 5: Hybrid robot architectures Ola

Artificial Intelligence: Methods and applications Lecture 5: Hybrid robot architectures Ola

Artificial Intelligence: Methods and applications Lecture 5: Hybrid robot architectures Ola Ringdahl Ume University November 18, 2014 Contents Hybrid (reactive/deliberative) paradigm Examples of different hybrid architectures

1.12k views • 42 slides
CS 330 - Artificial Intelligence - Introduction II Instructor: Renzhi Cao Computer Science

CS 330 - Artificial Intelligence - Introduction II Instructor: Renzhi Cao Computer Science

1 CS 330 - Artificial Intelligence - Introduction II Instructor: Renzhi Cao Computer Science Department Pacific Lutheran University Fall 2017 Special appreciation to Ian Goodfellow, Joshua Bengio, Aaron Courville, Michael Nielsen, Andrew Ng,

713 views • 52 slides
SUBJECT CHOICES FOR 5 TH YEAR 2019/20 INTRODUCTION The purpose of this booklet is to provide you

SUBJECT CHOICES FOR 5 TH YEAR 2019/20 INTRODUCTION The purpose of this booklet is to provide you

SUBJECT CHOICES FOR 5 TH YEAR 2019/20 INTRODUCTION The purpose of this booklet is to provide you with information that should prove useful in making decisions regarding Leaving Certificate subjects. The choosing of subjects for Leaving

588 views • 31 slides
The birth of the hoplite I Mediterranean trade routes 2 The Spartan cons;tu;on (rhetra)

The birth of the hoplite I Mediterranean trade routes 2 The Spartan cons;tu;on (rhetra)

Warfare and Society in Ancient Greece Lecture 5 The birth of the hoplite I Mediterranean trade routes 2 The Spartan cons;tu;on (rhetra) Dark-age armour (Pre)-hoplite armour from Argos (ca. 725) 6 (Pre)-hoplite armour from Argos (ca. 725) 7

307 views • 28 slides

More recommend