Formal Methods Software Engineering 2008 Bernd Schoeller ETH - - PowerPoint PPT Presentation

formal methods
SMART_READER_LITE
LIVE PREVIEW

Formal Methods Software Engineering 2008 Bernd Schoeller ETH - - PowerPoint PPT Presentation

Mar 18, 2024 480 likes •806 views

Formal Methods Software Engineering 2008 Bernd Schoeller ETH Zurich The Grand Challenge The ideal of correct software has long been the goal of research in Computer Science. We now have a good theoretical understanding of how to describe what

slide-1
SLIDE 1

Formal Methods

Software Engineering 2008 Bernd Schoeller ETH Zurich

slide-2
SLIDE 2

The Grand Challenge

The ideal of correct software has long been the goal of research in Computer Science. We now have a good theoretical understanding

  • f how to describe what programs do, how they do it, and why they

work. This understanding has already been applied to the design, development and manual verification of simple programs of moderate size that are used in critical applications. Automatic verification could greatly extend the benefits of this technology. [...] the time is ripe to embark on an international Grand Challenge project to construct a program verifier that would use logical proof to give an automatic check of the correctness of programs submitted to it. (Hoare and Misra, July 2005)

slide-3
SLIDE 3

Lecture Contents

  • Software verification overview

– Bottom-up verification – Top-down verification

  • Specification problems for verification

– Specify what software does – Specify what software does not

  • Tool demonstration

– Rodin, Slam, (Spec#)

slide-4
SLIDE 4

Proof Overview

Prover Specification Implementation

slide-5
SLIDE 5

Verification Problems

  • State space explosion
  • Combinatorial explosion
  • Overall complexity
  • Specification problems
slide-6
SLIDE 6

Implementation vs. Specification

Implementation

  • Concrete
  • Constructive
  • Deterministic (mostly)
  • All is finite
  • Describes everything
  • Can be executed by a

machine Specification

  • Abstract
  • Descriptive
  • Non-deterministic
  • Can describe infinity
  • Describes only parts
  • Can not be executed

by a machine

slide-7
SLIDE 7

Bottom-Up Verification

Implementation A Implementation B Implementation D Implementation C

slide-8
SLIDE 8

Information Hiding

Implementation A Implementation D Interface C Interface A Implementation B Interface B Implementation C Interface D

slide-9
SLIDE 9

Modular verification

Implementation A Interface A

slide-10
SLIDE 10

Modular verification

Implementation B Interface B

slide-11
SLIDE 11

Modular verification

Interface C Interface A Interface B Implementation C

slide-12
SLIDE 12

Modular verification

Implementation D Interface C Interface B Interface D

slide-13
SLIDE 13

Assumption of System Correctness If each implementation is correct with respect to its interface, based

  • n the interfaces of the modules it

uses, then the overall system is correct.

slide-14
SLIDE 14

Verification Technology

  • Axiomatic Semantics

– Hoare triples: {P} S {Q} – Weakest precondition computation

  • Provers

– Automatic (Simplify, Z3) – Interactive (Isabelle, COQ) – Model checking (blast, slam, ...)

slide-15
SLIDE 15

The ideal specification

too strong

– implementation inefficient / impossible – difficult to change (information hiding)

too weak

– reasoning difficult for clients – not composable – side-effects: proofs impossible

slide-16
SLIDE 16

Specification problems of Design by Contract

Contracts on unbounded data Possible Solution: model-based contracts Frame problem Possible Solution: Dynamic Frame Contracts (DFC)

slide-17
SLIDE 17

17

Unbound data

class LINKED_QUEUE[G] feature put (v: G)

  • - Put `v' into the queue.

ensure ? remove

  • - Remove the oldest element from the queue.

ensure ? item: G

  • - Oldest element in the queue

ensure ? end

slide-18
SLIDE 18

18

Model-based contracts

class LINKED_QUEUE[G] feature put (v: G)

  • - Put `v' into the queue.

ensure model = old model.prepended (v) remove

  • - Remove the oldest element from the queue.

ensure model = old model.front item: G

  • - Oldest element in the queue

ensure Result = model.last model: MML_SEQUENCE[G]

  • - Contents of queue viewed as a sequence

end

slide-19
SLIDE 19

19

Frame Problem

  • You have a green box in Zürich and you want to

have a red box in Luzern.

Move Boxes Inc Specification: Give us the box and some money in Zürich, and we will transport the box to Luzern within 2 days. All-red Painters AG Specification: Give the box and some money, and we will change the color of the box to red.

Does it work?

slide-20
SLIDE 20

Frame Problem and DbC

class PERSON feature

  • - Interface view

last_name: STRING set_last_name (name: STRING) ensure last_name = name end class CIVIL_REGISTRY_OFFICE feature marry (first_person, second_person: PERSON) require first_person /= second_person do second_person.set_last_name (first_person.last_name) ensure first_person.last_name = second_person.last_name end end

slide-21
SLIDE 21

Frames

State

FRAME A (“Set of Resources”) FRAME B (“Set of Resources”)

second_person. set_last_name (command) first_person. last_name (query)

modify (“write effect”) use (“read effect”)

Resource can be: memory (fields), file, network state, ...

slide-22
SLIDE 22

Hidden dependencies

PERSON A PERSON B first_person second_person

slide-23
SLIDE 23

23

Frame specifications

class PERSON feature

  • - Interface view

last_name: STRING use { Current } set_last_name (name: STRING) ensure last_name = name modify { Current } end class PERSON feature

  • - Interface view

last_name: STRING use personal_data set_last_name (name: STRING) ensure last_name = name modify personal_data personal_data: FRAME end

strong specification weak specification

slide-24
SLIDE 24

24

Video Ballet Verifier

slide-25
SLIDE 25

Top-Down Verification

Specification

  • 2. Specification
  • 3. Specification
  • 4. Specification

Implementation

slide-26
SLIDE 26

B Method

  • Development by stepwise refinement
  • Invented by J. R. Abrial (currently giving

lectures at ETH!)

  • Provers: Atelier B, B4Free, Rodin Platform
  • Animator and Model Checker: ProB
  • Industrial application:

– Embedded devices – > 100000 LOC verified for the Paris Metro

slide-27
SLIDE 27

Example: Traffic Light

driveNS: BOOL driveEW: BOOL INVARIANT: not (driveNS and driveEW) EVENT: goNS := WHERE driveNS = FALSE THEN driveEW := TRUE END

slide-28
SLIDE 28

Example: Traffic Light

redLightNS,yellowLightNS,greenLightNS: BOOL redLightEW,yellowLightEW,greenLightEW: BOOL INV: greenLightNS = driveNS, greenLightEW = driveEW EVENT: goEW := WHERE redLightNS = FALSE THEN redLightEW, yellowLightEW, greenLightEW := FALSE,FALSE,TRUE END

slide-29
SLIDE 29

Prove Obligations

  • Within a machine, you have to prove:

– That the initialization establishes the invariant – That each event re-establishes the invariant

  • Within a refinement, you also have to prove

– That the new initialization implies the old

initialization

– That refined events imply the old state change – That the new events refine SKIP

slide-30
SLIDE 30

Demo Rodin Workbench

slide-31
SLIDE 31

Problems with Top-Down Verification

  • It is a mind-twister
  • One needs to know all specifications from very

early on

  • Composition is difficult
  • Reuse is very difficult
  • Uncommon thinking
  • Many common SE practice cannot be easily

transfered: Information hiding, OO, pointers, ... But they are working on it, so keep your eyes open