3BA31 Formal Methods, slide 1: How To Build (VDM) Models

We are now going to explore how to go about building good formal models of systems of interest. The key notions are:
• Entities: things, concepts, individuals, ...
• Collections: groups, birds of a feather, ...
• Relationships: connections, interactions, constraints, "knock-on effects", ...
• Adequacy: have we captured all relevant aspects of the problem?

3BA31 Formal Methods, slide 2: Entities
• Basic elements of the model
• What are the key attributes: equality? ordering? numeric, or identifiers?

3BA31 Formal Methods, slide 3: Collections
• What's in a collection?
• Does order or multiplicity matter?
  – Membership?
  – Ordering, priority, queueing?
  – Counting? Measuring?
• Collections of collections?

3BA31 Formal Methods, slide 4: Relationships
• Multiplicity again: many/one-to-many/one?
• Uniqueness?
• "Intentional" vs "Inherent"!
• Experiment

3BA31 Formal Methods, slide 5: Scribbles 7: Entity Examples

Consider a Birthday Book. Example: the entities are Persons and Birthdays.
A Person simply needs a unique identifier, for which the only operation need be an equality check:
  p ∈ Person = Id
The basic type Id is simply an unbounded set of values to be used as identifiers.
For a Birthday, we could give it structure (Day/Month/Year), or simply record the day number (1 ... 366):
  b ∈ Birthday = ℕ
Ordering might be useful, to establish which birthday is next, etc.

3BA31 Formal Methods, slide 6: Scribbles 7: Collection Examples

Ordering | Multiplicity | Math.                   | Example
✗        | ✗            | Set (𝒫 A)               | Class attendance
✗        | ✓            | Bag/Multiset (A → ℕ₁)   | Balls on a pool table
✓        | ✗            | Unique sequences (A*)   | Queue!
✓        | ✓            | Sequences (A*)          | Text string

3BA31 Formal Methods, slide 7: Scribbles 7: Relationship Examples

Multiplicity  | Example                  | Math.
Many-to-Many  | Persons to Holiday Dest. | P 1...m ↔ 1...n H;  𝒫(P × H), or P → 𝒫 H, or H → 𝒫 P
Many-to-One   | Person to Birthday       | P 1...n ↔ 1 B;  P → B
One-to-One    | Student to Id-No         | S 1 ↔ 1 N;  S ↣ N, N ↣ S

Relation inverse switches between the two function forms P → 𝒫 H and H → 𝒫 P. Here ↣ denotes an injective function. An injective function maps different inputs to different outputs:
  f : A ↣ B ∧ f(a₁) = f(a₂) ⇒ a₁ = a₂

3BA31 Formal Methods, slide 8: Mini-Exercise 3

Provide convincing examples of
1. All four types of collections, depending on the importance or otherwise of ordering and multiplicity
2. All three types of relationships, based on their many/one-to-many/one nature (for the many-to-one relationship be clear about which side is "many" and which side is "one")
Give a short reason for each example of why it belongs in the category it is in.
Due: at start of 12noon Lecture, Thursday, February 22nd, 2007.

3BA31 Formal Methods, slide 9: Formal Model: Reminder of Goals
• State: Type, Invariant, Initial-State
• Operations: State-Change (Build vs. Run), State-Query

3BA31 Formal Methods, slide 10: Developing/Determining Relationships
• "Intentional" vs "Inherent"!
  – Intentional: relationships we want as modellers
  – Inherent: relationships we obtain from the mathematics
• Experiment

3BA31 Formal Methods, slide 11: Experimentation
• Pick a structure
• Write down examples
• Ask: does it make sense?
• If not, figure out how to "stop it happening"
Key idea here: "Initialise & Build".

3BA31 Formal Methods, slide 12: Operations
• How does the system change?
• How do users interact with the system?
• What do we want to observe about the system?
• Under what conditions do certain actions make sense?

3BA31 Formal Methods, slide 13: Adequacy
• Have we covered the problem space?
• Can we represent all relevant entities?
• Can we describe the key collections?
• Have we captured all relationships?
• Do we have descriptions (as Operations) of everything relevant that can happen?

3BA31 Formal Methods, slide 14: State Construction
What do we do if it is not possible to build a safe (invariant-preserving) state bit by bit?
Issue: can we start with a blank slate, or does the initial system have to be fully formed?

3BA31 Formal Methods, slide 15: Real Life: BASE Trusted Gateway
• Goal: a Trusted Gateway for transferring messages between different security levels, for British Aerospace Systems & Equipment.
• Approach: two teams, one conventional, the other using formal methods.
• Method: the formal team employed VDM-SL, using the IFAD Toolkit.
• Who: T.M. Brookes, J.S. Fitzgerald & P.G. Larsen, "Formal and Informal Specifications of a Secure System Component", in FME'96: Industrial Benefit and Advances in Formal Methods, Springer-Verlag, LNCS 1051, pp. 214–227, 1996.

3BA31 Formal Methods, slide 16: BASE: Key Results (1)
• The formal approach spent more time up front in System Design (43% as against 34%).
• The formal approach uncovered an implicit special condition from the requirements. The informal code had to be re-written at a late stage to cope.
• The formal code was less complex ("McCabe Complexity").
• The formal code was one-fifth the size of the informal code.

3BA31 Formal Methods, slide 17: BASE: Key Results (2)
The formal system started up slower (4 times):
1. The formal system's invariant was better understood, so more care was taken by the resulting initialisation code.
2. Not a big issue, as the system is meant to stay up and running.

3BA31 Formal Methods, slide 18: BASE: Key Results (3)
The formal system's throughput was higher (almost 14 times!):
1. The informal system had to have a last-minute fix, so the code speed got worse.
2. If code is formally verified, then you don't need so many run-time checks (array bounds, etc.).

3BA31 Formal Methods, slide 19: Scribbles 8: Modelling the "World Cup"
Initial Q&A:
• Which countries? Only those in the tournament.
• Whole tournament, or just the knock-out phase? Stick with the knock-out phase.
These choices all impact on the initial state and invariant.

3BA31 Formal Methods, slide 20: Scribbles 8: Main Concepts
• Entities: Countries
• Events: Playing a Match
• Relationships: Contest Draw
A first stab:
  c ∈ Country = Id
  State = 𝒫 Country × ...
The state mentions only those countries still in the contest.

3BA31 Formal Methods, slide 21: Scribbles 8: Modelling the Draw
[Diagram: a knock-out bracket with first-round slots England, Ireland, Brazil, Samoa; the next round shows England and Ireland (in green); the final slot shows "?".]
The green entries show how the contest might evolve! We see we have a binary tree of slots, where a slot can be empty or contain a country.

3BA31 Formal Methods, slide 22: Scribbles 8: Badly Drawn
[Diagram: an invalid draw with first-round slots England, Ireland, Brazil, Brazil, and Japan in the next round.]
The picture above violates a number of well-formedness conditions:
• the winner of a match must be one or other contestant (i.e. not Japan)
• a country can only occur once in the draw at a level (Brazil can't occur twice).
We need to find a way to capture this mathematically as an invariant.

3BA31 Formal Methods, slide 23: Scribbles 8: Attempt 1: A Binary Tree
• The leaf slots (1st round) have countries, while intermediate nodes in the tree may be empty.
• We use a tree built from leaf-nodes with a country, and match-nodes with left and right sub-trees, and a slot.
• A slot is either empty, or identifies the winning country.
  Draw = LEAF Country | MATCH Draw Slot Draw
  Slot = EMPTY | WINNER Country

3BA31 Formal Methods, slide 24: Scribbles 8: Attempt 1 Example
• MATCH (LEAF Ireland) EMPTY (LEAF Brazil): Ireland and Brazil are drawn against each other, slot still empty.
• MATCH (LEAF Ireland) (WINNER Ireland) (LEAF Brazil): the match has been played and Ireland has won.
• ... which might then be reduced to ... LEAF Ireland

3BA31 Formal Methods, slide 25: Scribbles 8: Attempt 1 Invariant
We need to define an invariant that looks (semi-formally) like:
  invariant(LEAF c) = TRUE
  invariant(MATCH d₁ slot d₂) = invariant d₁ ∧ invariant d₂
                                ∧ (slot = EMPTY ∨ (slot = WINNER p where p won d₁ ∨ p won d₂))
                                ∧ countriesof d₁ ∩ countriesof d₂ = ∅
This is a complex invariant. Can it be simplified? One idea is that once a match is decided, we simply replace it by a leaf with the winner, so no slots are required.

3BA31 Formal Methods, slide 26: Scribbles 8: Attempt 2: A different Binary Tree
• The leaf slots have countries.
• We use a tree built from leaf-nodes with a country, and match-nodes with left and right sub-trees.
  Draw = LEAF Country | MATCH Draw Draw

3BA31 Formal Methods, slide 27: Scribbles 8: Attempt 2 Example
• MATCH (LEAF Ireland) (LEAF Brazil): Ireland and Brazil are drawn against each other.
• ... which then reduces to ... LEAF Ireland

3BA31 Formal Methods, slide 28: Scribbles 8: Attempt 2 Invariant
We need to define an invariant that looks (semi-formally) like:
  invariant(LEAF c) = TRUE
  invariant(MATCH d₁ d₂) = invariant d₁ ∧ invariant d₂ ∧ countriesof d₁ ∩ countriesof d₂ = ∅
This is a much less complex invariant. The red stuff about slots has disappeared.
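To make the two draw types and their invariants concrete, here is an added Python rendering of Attempt 1 and Attempt 2 (example code written for this page, not part of the lecture slides or of VDM-SL). It assumes `None` models EMPTY and a country name models WINNER, and the pairings in the sample draws are constructed; the "badly drawn" sample reproduces the two violations from slide 22.

```python
from typing import NamedTuple, Optional, Union
# Attempt 1: Draw = LEAF Country | MATCH Draw Slot Draw,  Slot = EMPTY | WINNER Country
class Leaf(NamedTuple):
    country: str

class Match(NamedTuple):
    left: "Draw"
    slot: Optional[str]  # None models EMPTY; a country name models WINNER country
    right: "Draw"

# Attempt 2: Draw = LEAF Country | MATCH Draw Draw, with no slot at all
class Match2(NamedTuple):
    left: "Draw"
    right: "Draw"

Draw = Union[Leaf, Match, Match2]

def countries_of(d: Draw) -> frozenset:  # countriesof d: every country in sub-draw d
    if isinstance(d, Leaf):
        return frozenset({d.country})
    return countries_of(d.left) | countries_of(d.right)

def won(p: str, d: Draw) -> bool:  # p won d: sub-draw d has produced p (Attempt 1 only)
    return d.country == p if isinstance(d, Leaf) else getattr(d, "slot", None) == p

def invariant1(d: Draw) -> bool:
    """Attempt 1: sides valid, slot EMPTY or a winner of one side, sides share no country."""
    if isinstance(d, Leaf):
        return True
    slot_ok = d.slot is None or won(d.slot, d.left) or won(d.slot, d.right)
    disjoint = not (countries_of(d.left) & countries_of(d.right))
    return invariant1(d.left) and invariant1(d.right) and slot_ok and disjoint

def invariant2(d: Draw) -> bool:
    """Attempt 2: the slot clause has disappeared; only disjointness of the sides remains."""
    if isinstance(d, Leaf):
        return True
    return invariant2(d.left) and invariant2(d.right) and not (countries_of(d.left) & countries_of(d.right))

def decide(m: Match2, winner: str) -> Leaf:
    """Attempt 2 reduction: replace a decided MATCH by LEAF winner; the winner must have played in it."""
    if winner not in countries_of(m):
        raise ValueError(f"{winner} is not a contestant in this match")
    return Leaf(winner)

# Constructed examples (pairings are ours): a valid Attempt 1 draw, and the slides' bad one (Japan wins, Brazil twice)
VALID_DRAW = Match(Match(Leaf("England"), "England", Leaf("Brazil")), None,
                   Match(Leaf("Ireland"), "Ireland", Leaf("Samoa")))
BAD_DRAW = Match(Match(Leaf("England"), "Japan", Leaf("Ireland")), None,
                 Match(Leaf("Brazil"), None, Leaf("Brazil")))
```

In Attempt 2 the "winner must be a contestant" rule moves out of the invariant and into the `decide` operation's precondition, which is exactly why the red slot clause could disappear.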
