Formal Methods Lecture 16 March 22, 2011 CS 315 Spring 2011

Adapted from slides provided by Jason Hallstrom and Murali Sitaraman (Clemson)

Requirements vs. Specifications

Requirements definition
  Intended for customers in addition to software developers
  Informal descriptions are necessary
Specification
  For use by members of a software development team
  Formal (mathematical) descriptions are necessary

Interface Specification

Serves as a contract between component users (clients) and developers (implementers)
Typically describes the demands on users and the responsibilities of implementers
Should present the essentials in "user-oriented" terms (abstraction) and hide the inessentials (information hiding)

Informal Specification: Examples

C++ STL template specifications
Java util component specifications
  http://doc.java.sun.com/DocWeb/api/java.util.Stack
  http://doc.java.sun.com/DocWeb/api/java.util.Queue
Questions for discussion
  Do they support information hiding?
  Do they support abstraction?
  Can they generalize?
  Is it possible to make them unambiguous?

Informal Specifications

Straightforward descriptions
  "Push pushes an object on a stack"
  How much do they help?
Use of metaphors
  "A Queue is like a line at a fast food restaurant"
  Do they generalize?
Use of implementation details
  "Push behaves like the AddElement method on Vector"
  Is this appropriate for a user-oriented cover story?

Informal Specifications

See Bertrand Meyer's article "On Formalism in Specifications" (IEEE Software, 1985): http://se.ethz.ch/~meyer/publications/ieee/formalism.pdf
Problems with even very carefully designed informal specs:
  Contradiction
  Noise
  …

Formal Interface Specification

Communicates precisely the demands on, and responsibilities of, component users and developers
Allows client and implementation components to be developed independently and in parallel in a team environment
Minimizes integration costs

Reasoning Benefits

Formal specifications make it possible to reason formally about the correctness of software
Such reasoning may be manual or mechanical (i.e., with automated support)

Languages for Formal Specification

ANNA (and SPARK) for Ada
JML for Java
Larch/C++ for C++
Spec# for C#
…
Eiffel
RESOLVE
VDM
Z

Specification Language Summary

Some specification languages are designed for particular programming languages
Some are general purpose
Some specification languages are integrated with programming constructs
A few additionally integrate the ability to perform formal mathematical reasoning

Introduction to Mathematical Reasoning

Motivating Example

What does the following code do to Integer I, where Foo1 and Bar1 are functions that modify their argument?

I = Foo1(I);
I = Bar1(I);

Motivating Example

Or, what does this code do to integers I and J?

I = Foo2(I,J);
J = Bar2(I,J);
I = Bar2(I,J);

Motivating Example

Now, what does this code do to Integer I?

I = Next(I);
I = Prev(I);

How sure are we? We have to account for the bounds of the Integer type in our analysis.
Summary: … Need formal descriptions beyond just names

Motivating Example

What does this code do to Integers I and J?

I = Sum (I,J);
J = Difference (I,J);
I = Difference (I,J);

How sure are we?

Specification of Integer Operations

Think of ints as integers in math
Constraints, for all Integers I: Min_Int <= I <= Max_Int

Operation Next (I: Integer): Integer;
  requires I < Max_Int;
  ensures Next = I + 1;

Operation Prev (I: Integer): Integer;
  requires I > Min_Int;
  ensures Prev = I - 1;

Specification of Integer Operations

Can parameter values change?
  Depending on the language
  Depending on how parameters are passed in
Need to make it clear with a specification whether or not a parameter can be modified

Operation Next (preserves I: Integer): Integer;
  requires I < Max_Int;
  ensures Next = I + 1;

Specification of Integer Operation

Ambiguous specification (says nothing about whether I may change):
Operation Next (I: Integer): Integer;
  requires I < Max_Int;
  ensures Next = I + 1;

Clear specification, I unchanged:
Operation Next (preserves I: Integer): Integer;
  requires I < Max_Int;
  ensures Next = I + 1;

Clear specification, I modified (#I denotes the value of I on entry):
Operation Increment (updates I: Integer);
  requires I < Max_Int;
  ensures I = #I + 1;

Exercise: Specify the Decrement operation

Meaning of Specifications

Requirements and guarantees
  Requires clauses are preconditions
  Ensures clauses are postconditions
Callers are responsible for requirements
  The caller of Increment is responsible for making sure the input I < Max_Int
Guarantees hold only if callers meet their requirements
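The requires, ensures, preserves and updates clauses above can also be checked at run time, which makes the division of responsibility concrete: a failed requires clause is the caller's fault, a failed ensures or preserves clause is the implementer's. The following Python is an added example written for this page, not code from the slides or from RESOLVE. It assumes 32-bit values for Min_Int and Max_Int (the slides only name them) and models an Integer variable as a small mutable IntVar class so that an `updates` parameter can actually change; `old.I` plays the role of #I.

```python
"""Executable requires/ensures/preserves clauses for the Integer operations."""
import functools
import inspect
from types import SimpleNamespace

# Assumed bounds; the slides only name them Min_Int and Max_Int.
MIN_INT, MAX_INT = -(2 ** 31), 2 ** 31 - 1


class IntVar:
    """A mutable Integer, so that an `updates` parameter can really change."""

    def __init__(self, v: int) -> None:
        if not MIN_INT <= v <= MAX_INT:          # the type constraint
            raise ValueError("value outside Min_Int..Max_Int")
        self.v = v


class ContractViolation(AssertionError):
    def __init__(self, clause: str, op: str) -> None:
        super().__init__(f"{clause} clause of {op} violated")
        self.clause, self.op = clause, op


def contract(requires=None, ensures=None, preserves=()):
    """requires(**params) is checked before the call (the caller's duty);
    ensures(result, old, **params) after it (the implementer's duty), where
    old.X is the value of parameter X on entry, i.e. #X in the slides;
    every name in `preserves` must leave the call with its entry value."""

    def decorate(f):
        sig = inspect.signature(f)

        @functools.wraps(f)
        def wrapper(*args, **kwargs):
            params = dict(sig.bind(*args, **kwargs).arguments)
            if requires is not None and not requires(**params):
                raise ContractViolation("requires", f.__name__)
            old = SimpleNamespace(**{k: (x.v if isinstance(x, IntVar) else x)
                                     for k, x in params.items()})
            result = f(*args, **kwargs)
            for name in preserves:
                if params[name].v != getattr(old, name):
                    raise ContractViolation("preserves", f.__name__)
            if ensures is not None and not ensures(result, old, **params):
                raise ContractViolation("ensures", f.__name__)
            return result

        return wrapper

    return decorate


# Operation Next (preserves I: Integer): Integer; requires I < Max_Int; ensures Next = I + 1;
@contract(requires=lambda I: I.v < MAX_INT,
          ensures=lambda result, old, I: result == old.I + 1, preserves=("I",))
def next_(I: IntVar) -> int:
    return I.v + 1


# Same spec, wrong body: the result is right but `preserves I` is broken.
@contract(requires=lambda I: I.v < MAX_INT,
          ensures=lambda result, old, I: result == old.I + 1, preserves=("I",))
def next_wrong(I: IntVar) -> int:
    I.v += 1
    return I.v


# Operation Increment (updates I: Integer); requires I < Max_Int; ensures I = #I + 1;
@contract(requires=lambda I: I.v < MAX_INT, ensures=lambda result, old, I: I.v == old.I + 1)
def increment(I: IntVar) -> None:
    I.v += 1


# Operation Decrement (updates I: Integer); requires I > Min_Int; ensures I = #I - 1;
@contract(requires=lambda I: I.v > MIN_INT, ensures=lambda result, old, I: I.v == old.I - 1)
def decrement(I: IntVar) -> None:
    I.v -= 1


# Operation Do_Nothing (updates I: Integer); requires I < Max_Int; ensures I = #I;
@contract(requires=lambda I: I.v < MAX_INT, ensures=lambda result, old, I: I.v == old.I)
def do_nothing(I: IntVar) -> None:
    increment(I)
    decrement(I)


# The same body without the requires clause: for I = Max_Int the blame now
# lands inside the body, on the call to Increment, instead of on the caller.
@contract(ensures=lambda result, old, I: I.v == old.I)
def do_nothing_no_requires(I: IntVar) -> None:
    increment(I)
    decrement(I)


def run(op, *args) -> str:
    """Call op and report 'ok' or '<clause>:<operation>' for the clause that failed."""
    try:
        op(*args)
        return "ok"
    except ContractViolation as e:
        return f"{e.clause}:{e.op}"
```

Calling `run(do_nothing, IntVar(MAX_INT))` reports `requires:do_nothing`, i.e. the caller broke the contract, while `run(do_nothing_no_requires, IntVar(MAX_INT))` reports `requires:increment`: without its own requires clause Do_Nothing has promised something its body cannot deliver for every input. Run-time checks only catch the inputs you actually try; the reasoning tables that follow show how to discharge the same obligations for all valid inputs.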

Using a Specification

A specification can be implemented in various ways
Have to judge whether the code meets the specification
Example: the code appears to do what the spec says, but the spec and the code don't agree; fix them

Spec:
Operation Do_Nothing (updates I: Integer);
  requires …
  ensures I = #I;

Code:
Increment (I);
Decrement (I);

Methods for Checking Correctness

Testing
Tracing or inspection
Mathematical reasoning

Mathematical Reasoning

Goal: To prove correctness
Method: The rest of this presentation
Consequences:
  Can establish correctness on all valid inputs (testing can only sample them)
  Can show the absence of bugs, relative to the specification: a proof says nothing about errors in the spec itself or in the specs of the operations the code calls

Mathematical Reasoning: Example – Prove Correctness

Spec:
Operation Do_Nothing (updates I: Integer);
  requires I < Max_Int;
  ensures I = #I;

Code:
Increment (I);
Decrement (I);

Mathematical Reasoning: Example – Prove Correctness

Establish the goals in state-oriented terms using a table (Ik is the value of I in state k)

           Assume                      Confirm
State 0
           Increment (I);
State 1
           Decrement (I);
State 2                                I2 = I0

Mathematical Reasoning: Example – Prove Correctness

Assume the requires clause at the beginning (Why?)

           Assume                      Confirm
State 0    I0 < Max_Int and …
           Increment (I);
State 1
           Decrement (I);
State 2                                I2 = I0

Mathematical Reasoning: Example – Prove Correctness

Assume calls work as advertised

           Assume                      Confirm
State 0    I0 < Max_Int and …
           Increment (I);
State 1    I1 = I0 + 1
           Decrement (I);
State 2    I2 = I1 - 1                 I2 = I0

Mathematical Reasoning: Example – Prove Correctness

Prove the goal(s) using the assumptions

Prove I2 = I0
  I2 = I1 - 1         (assumption in State 2)
     = (I0 + 1) - 1   (assumption in State 1)
     = I0             (simplification)

More proof needed …

Mathematical Reasoning: Example – Prove Correctness

More assertions to be confirmed (Why?): each call's requires clause, in the state where the call is made

           Assume                      Confirm
State 0    I0 < Max_Int and …          I0 < Max_Int
           Increment (I);
State 1    I1 = I0 + 1                 I1 > Min_Int
           Decrement (I);
State 2    I2 = I1 - 1                 I2 = I0

Basics of Mathematical Reasoning

Suppose you are verifying code for some operation P
  Assume its requires clause in state 0
  Confirm its ensures clause at the end
Suppose that P calls Q
  Confirm the requires clause of Q in the state before Q is called. Why?
  Assume the ensures clause of Q in the state after Q. Why?
Prove the assertions to be confirmed

Mathematical Reasoning: Example 2 – Prove Correctness

Spec:
Operation Do_Nothing (updates I: Integer);
  ensures I = #I;

Code:
If (I < Max_Int()) then
  Increment (I);
  Decrement (I);
end;

Mathematical Reasoning: Example 2 – Prove Correctness

These specs are the same:

Operation Do_Nothing (updates I: Integer);
  ensures I = #I;

Operation Do_Nothing (restores I: Integer);

Mathematical Reasoning: Example 2 – Prove Correctness

Establish the goals in state-oriented terms using a table

           Condition              Assume              Confirm
State 0
           If (I < Max_Int()) then
State 1
           Increment (I);
State 2
           Decrement (I);
State 3
           end;
State 4                                                I4 = I0

Mathematical Reasoning: Example 2 – Prove Correctness

Establish the conditions (inside the then-branch the test is known to have held in state 0)

           Condition              Assume              Confirm
State 0
           If (I < Max_Int()) then
State 1    I0 < Max_Int
           Increment (I);
State 2    I0 < Max_Int
           Decrement (I);
State 3    I0 < Max_Int
           end;
State 4                                                I4 = I0

Mathematical Reasoning: Example 2 – Prove Correctness

Establish sub-goals for the different conditions (the state after the If has one case per path)

           Condition              Assume              Confirm
State 0
           If (I < Max_Int()) then
State 1    I0 < Max_Int
           Increment (I);
State 2    I0 < Max_Int
           Decrement (I);
State 3    I0 < Max_Int
           end;
State 4.1  not(I0 < Max_Int)                           I4 = I0
State 4.2  I0 < Max_Int           I4 = I3             I4 = I0

Mathematical Reasoning: Example 2 – Prove Correctness

Fill in the other assumptions and obligations as before

           Condition              Assume              Confirm
State 0
           If (I < Max_Int()) then
State 1    I0 < Max_Int           I1 = I0             I1 < Max_Int
           Increment (I);
State 2    I0 < Max_Int           I2 = I1 + 1         I2 > Min_Int
           Decrement (I);
State 3    I0 < Max_Int           I3 = I2 - 1
           end;
State 4.1  not(I0 < Max_Int)      I4 = I0             I4 = I0
State 4.2  I0 < Max_Int           I4 = I3             I4 = I0

Mathematical Reasoning: Example 2 – Prove Correctness

Prove the sub-goal(s)

4.1 Case: not(I0 < Max_Int)
  Prove I4 = I0
  True from the assumption (no code runs on this path, so I is unchanged)

4.2 Case: I0 < Max_Int
  Prove I4 = I0
  Prove I3 = I0          (using the assumption I4 = I3 in State 4)
  Prove (I2 - 1) = I0    (using the assumption I3 = I2 - 1 in State 3)
  …

Mathematical Reasoning: Example 2 – Prove Correctness

For the condition I0 < Max_Int, additional proofs are needed: the assertions to be confirmed in States 1 and 2 (the requires clauses of Increment and Decrement). These proofs are left as exercises.
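The assume/confirm tables of Example 1 and Example 2 can be generated and discharged mechanically. The following Python is an added example written for this page, not the slides' material or the RESOLVE verifier. It assumes a tiny fragment language (Increment, Decrement and an `If (I < Max_Int())` guard), that the value of I in every state is I0 plus a constant offset, and that everything known about I0 is a margin from Min_Int and from Max_Int; under those assumptions every obligation reduces to an integer comparison that does not depend on the concrete bounds, which is exactly what makes a passing check a proof for all valid inputs rather than a test of some of them. The else-branch of the guard records none of its extra assumption, which is sound because dropping an assumption can only make an obligation harder to confirm, never easier.

```python
"""Mechanical assume/confirm tables for the Integer examples."""
from dataclasses import dataclass

# Statements of the fragment language (an encoding assumed for this example):
#   "inc"                Increment (I)   requires I < Max_Int; ensures I = #I + 1
#   "dec"                Decrement (I)   requires I > Min_Int; ensures I = #I - 1
#   ("if_lt_max", body)  If (I < Max_Int()) then body end
#
# In every state I = I0 + c for an integer offset c, and all that is known about
# I0 is a pair of margins (lo, hi), both >= 0, meaning
#     Min_Int + lo <= I0 <= Max_Int - hi.
# The type constraint alone gives lo = hi = 0; a requires clause I < Max_Int
# gives hi = 1.  Every confirm obligation becomes a comparison on (c, lo, hi).


@dataclass(frozen=True)
class Obligation:
    state: int       # state of the reasoning table the assertion belongs to
    assertion: str   # the clause to confirm, in the slides' notation
    holds: bool      # discharged from the assumptions in force at that state


def _run(stmts, c, lo, hi, state, obs):
    """Symbolically execute stmts along every path; return [(c, lo, hi, state)]."""
    paths = [(c, lo, hi, state)]
    for stmt in stmts:
        next_paths = []
        for c, lo, hi, state in paths:
            if stmt == "inc":
                # Confirm Increment's requires: I0 + c < Max_Int.  The worst
                # case is I0 = Max_Int - hi, so this holds exactly when c < hi.
                obs.append(Obligation(state, f"I{state} < Max_Int", c < hi))
                next_paths.append((c + 1, lo, hi, state + 1))   # assume its ensures
            elif stmt == "dec":
                # Confirm Decrement's requires: I0 + c > Min_Int; worst case
                # I0 = Min_Int + lo, so this holds exactly when lo + c > 0.
                obs.append(Obligation(state, f"I{state} > Min_Int", lo + c > 0))
                next_paths.append((c - 1, lo, hi, state + 1))
            else:
                kind, body = stmt
                assert kind == "if_lt_max"
                # Then-branch: assume I0 + c < Max_Int, i.e. I0 <= Max_Int - (c + 1).
                next_paths += _run(body, c, lo, max(hi, c + 1), state + 1, obs)
                # Else-branch: nothing executes and the assumption
                # not(I0 + c < Max_Int) is needed by no obligation, so it is dropped.
                next_paths.append((c, lo, hi, state + 1))
        paths = next_paths
    return paths


def verify(stmts, requires_lt_max=False, ensures_delta=0):
    """Obligations for `stmts` against the spec
         requires I < Max_Int   (only when requires_lt_max)
         ensures  I = #I + ensures_delta
    The requires clause is assumed in state 0; the ensures clause is confirmed
    at the end of every control-flow path (one sub-goal per path)."""
    obs = []
    hi0 = 1 if requires_lt_max else 0      # I0 < Max_Int  <=>  I0 <= Max_Int - 1
    for c, lo, hi, state in _run(stmts, 0, 0, hi0, 0, obs):
        if ensures_delta == 0:
            goal = f"I{state} = I0"
        else:
            sign = "+" if ensures_delta > 0 else "-"
            goal = f"I{state} = I0 {sign} {abs(ensures_delta)}"
        obs.append(Obligation(state, goal, c == ensures_delta))
    return obs


def failing(obs):
    """The obligations that could not be discharged."""
    return [o for o in obs if not o.holds]


DO_NOTHING = ["inc", "dec"]                           # Example 1 body
GUARDED_DO_NOTHING = [("if_lt_max", ["inc", "dec"])]  # Example 2 body

if __name__ == "__main__":
    for name, body, req in [("Do_Nothing, requires I < Max_Int", DO_NOTHING, True),
                            ("Do_Nothing, no requires clause", DO_NOTHING, False),
                            ("Do_Nothing, guarded by If", GUARDED_DO_NOTHING, False)]:
        print(name)
        for o in verify(body, requires_lt_max=req):
            print(f"  state {o.state}: confirm {o.assertion:<14} {'ok' if o.holds else 'FAILS'}")
```

With the requires clause, `verify(DO_NOTHING, requires_lt_max=True)` discharges all three obligations (I0 < Max_Int, I1 > Min_Int, I2 = I0); without it the state-0 obligation fails, which is the spec/code disagreement of the Do_Nothing slide. `verify(GUARDED_DO_NOTHING)` produces the two sub-goals 4.1 and 4.2 and discharges both. Swapping the body to `["dec", "inc"]` fails at state 0 because the type constraint alone does not give I0 > Min_Int, a reminder that the order of the calls matters to the obligations, not just their net effect.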