Notes on: Is Proof More Cost- Effective Than Testing? by Steve King, Jonathan Hammond, Rob Chapman, Andy Pryor Prepared by Stephen M. Thebaut, Ph.D. University.

Slides:



Advertisements
Similar presentations
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Advertisements

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
© Fachgebiet Softwaretechnik, Heinz Nixdorf Institut, Universität Paderborn 2.4 The Z Notation [Reference: M. Spivey: The Z Notation, Prentice Hall]
Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
© Colin Potts C6-1 Some future trends in requirements engineering Colin Potts Georgia Tech.
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
ISBN Chapter 3 Describing Syntax and Semantics.
CS 355 – Programming Languages
The Z Specification Language
Formal Specification. Approaches to formal specification Functional –The system is described as a number of functions. –Unnatural and complex for large.
High-Level Programming Languages
©Ian Sommerville 2000Software Engineering, 6/e, Chapter 91 Formal Specification l Techniques for the unambiguous specification of software.
Verification and Validation
Chapter 1 Principles of Programming and Software Engineering.
CS 330 Programming Languages 09 / 16 / 2008 Instructor: Michael Eckmann.
Describing Syntax and Semantics
Chapter 10 Classes Continued
© 2006 Pearson Addison-Wesley. All rights reserved2-1 Chapter 2 Principles of Programming & Software Engineering.
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 10 Slide 1 Formal Specification.
MCA –Software Engineering Kantipur City College. Topics include  Formal Methods Concept  Formal Specification Language Test plan creation Test-case.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 10 Slide 1 Critical Systems Specification 3 Formal Specification.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 10 Slide 1 Formal Specification.
1CMSC 345, Version 4/04 Verification and Validation Reference: Software Engineering, Ian Sommerville, 6th edition, Chapter 19.
©Ian Sommerville 2000Software Engineering, 6th edition. Chapter 9 Slide 1 Formal Specification l Techniques for the unambiguous specification of software.
Verification and Validation Chapter 22 of Ian Sommerville’s Software Engineering.
©Ian Sommerville 2000Software Engineering, Chapter 10 Slide 1 Chapter 10 Formal Specification.
Mathematical Modeling and Formal Specification Languages CIS 376 Bruce R. Maxim UM-Dearborn.
A Z Approach in Validating ORA-SS Data Models Scott Uk-Jin Lee Jing Sun Gillian Dobbie Yuan Fang Li.
Is Proof More Cost-Effective Than Testing? Presented by Yin Shi.
Analyzing the Requirements with Formal Specifications Vienna Development Method Specification Language (VDM-SL) Book: Formal Software Development From.
Software testing techniques 2.Verification and validation From I. Sommerville textbook Kaunas University of Technology.
©Ian Sommerville 2000Software Engineering, 6th edition. Chapter 9 Slide 1 Chapter 9 Formal Specifications.
Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor.
Model-Based Specification CIS 376 Bruce R. Maxim UM-Dearborn.
CS.436 Software Engineering By Ajarn..Sutapart Sappajak,METC,MSIT Chapter 13 Verification and validation Slide 1 1 Chapter 13 Verification and Validation.
WXGE6103 Software Engineering Process and Practice Formal Specification.
ISBN Chapter 3 Describing Semantics -Attribute Grammars -Dynamic Semantics.
CS 363 Comparative Programming Languages Semantics.
Requirements Engineering Methods for Requirements Engineering Lecture-30.
Introduction to Problem Solving. Steps in Programming A Very Simplified Picture –Problem Definition & Analysis – High Level Strategy for a solution –Arriving.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 22 Slide 1 Bzupages.com Verification and Validation.
3.2 Semantics. 2 Semantics Attribute Grammars The Meanings of Programs: Semantics Sebesta Chapter 3.
Chapter 3 Part II Describing Syntax and Semantics.
Semantics In Text: Chapter 3.
Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor.
© 2006 Pearson Addison-Wesley. All rights reserved2-1 Chapter 2 Principles of Programming & Software Engineering.
Formal Methods in SE Software Verification Using Formal Methods By: Qaisar Javaid, Assistant Professor Formal Methods1.
Software Engineering 2 -Prakash Shrestha.
© 2006 Pearson Addison-Wesley. All rights reserved 2-1 Chapter 2 Principles of Programming & Software Engineering.
Testing Chapter 23 IB103 Week 12 (part 3). Verify that a complex (any) program works correctly, that the program meets specifications The chapter reviews.
©Ian Sommerville 2000Software Engineering, Chapter 10 Slide 1 Chapter 10 Formal Specification.
CSC3315 (Spring 2009)1 CSC 3315 Languages & Compilers Hamid Harroud School of Science and Engineering, Akhawayn University
C HAPTER 3 Describing Syntax and Semantics. D YNAMIC S EMANTICS Describing syntax is relatively simple There is no single widely acceptable notation or.
Functional Verification I Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture Notes 21.
Slide 1 Introduction to the Z Formal Specifications Language.
Principles of Programming & Software Engineering
Formal Specification.
Verification and Validation
Principles of Programming and Software Engineering
(State) Model-Based Approaches II Software Specification Lecture 36
About the Presentations
Verification and Validation
B (The language of B-Method )
Levels of Software Assurance in SPARK
Prepared by Stephen M. Thebaut, Ph.D. University of Florida
Semantics In Text: Chapter 3.
Algebraic Specification Software Specification Lecture 34
Presentation transcript:

Notes on: Is Proof More Cost- Effective Than Testing? by Steve King, Jonathan Hammond, Rob Chapman, Andy Pryor Prepared by Stephen M. Thebaut, Ph.D. University of Florida

UK Defense Standard For procurement of safety critical software in defense equipment Perceived emphasis on formal methods (formal specification and design, proofs of correctness) Purpose of this paper: report on work showing that using formal methods on a large scale is practical and effective at both the specification and code level

SHOLIS Ship Helicopter Operating Limits Information System – safety critical system aiding safe operation of helicopters on naval vessels Z-based formal specification and SPARK programming language (subset of Ada) –Omitted features: gotos, aliasing, default parameters for subprograms, side-effects in functions, recursion, tasks, user-defined exceptions, exception handlers, & generics –simplification of other features

Proofs Specification-Based –Approx. 150 proofs in 500 pages –Consistency of global variables and constants, existence of initial states and checking of preconditions Code-Based –Approx. 9,000 verification conditions verified –Predicate transforms used for non-looping programs –Invariants used to prove partial (weak) correctness of looping programs + separate arguments for termination

Some Observations Skills needed: knowledge of Z, proof by cases and contradiction, understanding of imperative programming constructs, familiarity with proof concepts such as loop invariants (not that much!) Proof validation: formal peer + IV&V reviews; proofs were not inspected by the customer Z proof appeared to be substantially more efficient at finding faults than the most efficient testing phase.

Some Observations (cont’d) Code proofs appeared to be more efficient than unit testing, despite the fact that substantial amounts of unit testing were completed before the bulk of code proof started.

Specification using “Z” Z is a mature and expressive notation for model-based specification. It combines formal and informal descriptions and incorporates graphical highlighting. The basic building blocks of Z-based specifications are schemas. Schemas identify state variables and define constraints and operations in terms of those variables.

Schemas Schemas are comprised of three parts: a name, a signature, and a predicate. –The signature declares (state) entities introduced in a schema and their type. –Signature declarations are given in the form identifier: type. –The predicate defines logical relationships between entities in the declaration. Z is based on the predicate calculus + typed sets.

Graphical Layout of a Schema Signature Predicate

Schemas (Cont.) Schemas describe state entities or operations on state entities. –To describe state entities, declared variables comprise the entities while predicates specify their invariant properties. –To describe operations, declarations consist of initial and final state variables, inputs, and outputs, while predicates specify the relations among them.

Example 1 Container contents: N capacity: N contents  capacity Specification of a generic container entity: modeled as natural numbers invariant property

Example 1 (Cont.) Indicator light: {off, on} reading: N danger_level: N light = on  reading  danger_level Specification of a generic indicator entity:

Example 1 (Cont.) Storage_tank Container Indicator reading = contents capacity = 500 danger_level = 50 Specification of a storage tank entity: Predicates on separate lines are separated by an implicit “AND”.

Example 1 (Cont.) Storage_tank contents: N capacity: N light: {off, on} reading: N danger_level: N contents  capacity light = on  reading  danger_level reading = contents capacity = 500 danger_level = 50 Expanded specification of a storage tank entity:

Example 1 (Cont.) Fill-OK  Storage-tank amount?: N contents + amount?  capacity contents’ = contents + amount? Specification of a nominal storage tank fill operation: “dash” indicates the value of contents AFTER the operation “?” indicates that amount is an INPUT. “Delta” indicates that values of one or more variables will be changed.

Example 1 (Cont.) OverFill  Storage-tank amount?: N r!: seq CHAR capacity < contents + amount? r! = “Insufficient tank capacity – Fill cancelled” Specification of an exceptional storage tank fill operation: “Xi” indicates that NO variables will be changed by the operation. “!” indicates that r is an OUTPUT.

Example 1 (Cont.) Fill Fill-OK V OverFill Complete specification of the storage tank fill operation:

Key Points Model-based specification relies on a state model of the system using mathematical entities such as the predicate calculus and typed sets. Functions / operations may be specified by defining their effect on system state. It is normal to specify functions / operations incrementally and then combine the fragments to produce a complete specification.

Key Points (Cont.) Z specifications are comprised of a number of schemas that introduce typed names and define predicates over those names. They are distinguished from surrounding text by graphical highlighting. Schemas are building blocks which may be combined and used in other schemas. The effect of including schema A in schema B is that schema B inherits the names and predicates of schema A.

Notes on: Is Proof More Cost- Effective Than Testing? by Steve King, Jonathan Hammond, Rob Chapman, Andy Pryor Prepared by Stephen M. Thebaut, Ph.D. University of Florida

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.