VDM++ Tutorial Model Quality. Overview Introduction Assessing internal consistency Assessing external consistency.

Overview Introduction Assessing internal consistency Assessing external consistency

Introduction

What is model quality?
Quality is... "The totality of features and characteristics of a product, process or service that bear on its ability to satisfy stated or implied needs" (ISO 8402)
Fitness for purpose
So need to keep the model's purpose clear!
V&V Potential
Internal and external consistency
Internal: does the model describe something?
External: does it describe the system we want?

Overview Introduction Assessing internal consistency Assessing external consistency

Assessing Internal Consistency

Basic checks: syntax, static types
Advanced checks: partial operator application, respecting invariants, satisfiability
Rising confidence, falling automation (and rising cost!)

Assessing Internal Consistency: protection of partial operators

    public RemoveDeletedMessages: POP3Types`UserName ==> bool
    RemoveDeletedMessages(user) ==
      let oldMsgs = GetUserMessages(user),
          newMsgs = [ oldMsgs(i) | i in set inds oldMsgs & not oldMsgs(i).IsDeleted() ]
      in
      ( SetUserMessages(user, newMsgs);
        return true
      );

Slide annotations: the sequence application oldMsgs(i) may be undefined (sequence application is a partial operator), but it is protected here because i ranges over inds oldMsgs.
So there is an obligation on us to show i in set dom oldMsgs in this context. Such integrity properties can be generated by automated analysis.

Assessing Internal Consistency: respecting invariants & satisfiability

    public RemoveDeletedMessages: POP3Types`UserName ==> bool
    RemoveDeletedMessages(user) ==
      let oldMsgs = GetUserMessages(user),
          newMsgs = [ oldMsgs(i) | i in set inds oldMsgs & not oldMsgs(i).IsDeleted() ]
      in
      ( SetUserMessages(user, newMsgs);
        return true
      );

Slide annotation: the call SetUserMessages(user, newMsgs) has side-effects on the state. We ought to be confident that, given these inputs, it will not break any invariants that apply on the state.
An integrity property on SetUserMessages is generated to give confidence that it does not break the invariant, given any valid inputs.
Where functionality is specified implicitly, it's necessary to show satisfiability: that a function/operation exists to satisfy the pre-/post- specification. (Difficult to do by testing alone!)

Assessing Internal Consistency: integrity properties

All these conditions that can't be automatically checked can be formulated as proof obligations. The context appears in the hypotheses.
We can build an automatic generator for obligations and use semi-automatic proof support to discharge them (see Natsuki Terada's paper).

Assessing Internal Consistency: from consistency checks into implementation

Retain pre- and post-conditions alongside function/operation bodies.
These, and invariants, become (conditionally compiled) assertions in the implementation.
How much internal consistency checking would you do in practice? Remember you are free to choose!
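As an added illustration (not code from the tutorial), the RemoveDeletedMessages operation shown on the earlier slides re-expressed in Python, with the precondition, post-condition and a state invariant retained as assertions in the way this slide suggests. The invariant (message ids are unique within a mailbox), the Message class and the state class are assumptions introduced here, not part of the POP3 model; Python's assert stands in for a conditionally compiled check, since running with python -O strips it.

```python
from dataclasses import dataclass


@dataclass
class Message:
    """Stand-in for the POP3 model's message object (assumed shape)."""
    uid: str
    deleted: bool = False


class Pop3State:
    """Holds user -> list of Message; checks the invariant on every state change."""

    def __init__(self, mailboxes):
        self.mailboxes = {u: list(m) for u, m in mailboxes.items()}
        assert self.inv(), "state invariant violated at construction"

    def inv(self):
        # Hypothetical state invariant: no duplicate uids inside one mailbox.
        return all(len({m.uid for m in msgs}) == len(msgs)
                   for msgs in self.mailboxes.values())

    def get_user_messages(self, user):
        assert user in self.mailboxes, "pre: unknown user"      # precondition
        return list(self.mailboxes[user])

    def set_user_messages(self, user, msgs):
        assert user in self.mailboxes, "pre: unknown user"      # precondition
        self.mailboxes[user] = list(msgs)
        # The integrity property the slide talks about: the side-effecting
        # operation must leave the state invariant intact.
        assert self.inv(), "post: invariant broken by SetUserMessages"

    def remove_deleted_messages(self, user):
        old = self.get_user_messages(user)
        # i ranges over the indices of old (inds oldMsgs), so old[i] is always
        # defined: the partial sequence application is protected, as on the slide.
        new = [old[i] for i in range(len(old)) if not old[i].deleted]
        self.set_user_messages(user, new)
        # Post-condition: no deleted message survives, survivors keep their order.
        assert all(not m.deleted for m in self.mailboxes[user])
        assert self.mailboxes[user] == [m for m in old if not m.deleted]
        return True


def demo():
    # Constructed sample mailbox: one of three messages is marked deleted.
    st = Pop3State({"alice": [Message("m1"), Message("m2", True), Message("m3")]})
    ok = st.remove_deleted_messages("alice")
    return ok, [m.uid for m in st.mailboxes["alice"]]
```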

Overview What is model quality? Assessing internal consistency Assessing external consistency

Assessing External Consistency

VDMTools ® has a CORBA API. This API exposes all of the functionality of the tool.
=> An external program can execute a model within the tool.
This external program could be a GUI using the icons and metaphors normally used within the application domain.
In this way, domain experts and even end-users can help to assess the model.

Overview of VDMTools ® API

Any language for which a CORBA object request broker (ORB) exists may be used (Java, C++, Perl, Python...).
The following steps must be performed:
1. Connect to VDMTools ®
2. Interact with tool
3. Release resources acquired from tool (references to variables held within tool)
4. Close connection

Example: POP3 Client

POP3 client written in Java
Client connects to VDMTools ® API using Sun's ORB
Client interacts with VDM++ model of POP3 server
Results of interaction shown in GUI

POP3 Client

Summary

Model quality is "fitness for purpose"; this includes implicit qualities, e.g. readability, accessibility of documentation.
Internal consistency: highly formal; limited conclusions about the model; levels of automated support.
External consistency: does the model embody desired properties? Check through animation & testing.

Summary: a range of assessment technologies

Machine-assisted consistency checking: traditional syntax/type-checking; advanced checking (integrity property generation)
Machine-assisted validation by test & coverage: domain and scenario-based tests; tests generated from real application data; test coverage tools
Inspection-style reviews with domain experts.