Presentation is loading. Please wait.

Presentation is loading. Please wait.

Formal Methods Lecture 16 March 22, 2011 CS 315 Spring 2011

Published byΣπυριδούλα Παπάζογλου Modified over 5 years ago

Similar presentations

Presentation on theme: "Formal Methods Lecture 16 March 22, 2011 CS 315 Spring 2011"— Presentation transcript:

1 Formal Methods Lecture 16 March 22, 2011 CS 315 Spring 2011
Adapted from slides provided by Jason Hallstrom and Murali Sitaraman (Clemson) CS Spring 2011

2 Requirements vs. Specifications
Requirements definition Intended for customers in addition to software developers Informal descriptions are necessary Specification For use by members of a software development team Formal (mathematical) descriptions are necessary

3 Interface Specification
Serves as a contract between component users (clients) and developers (implementers) Typically describes the demands on users and responsibilities for implementers Should present the essentials in “user-oriented” terms (abstraction) and hide the inessentials (information hiding)

4 Informal Specification: Examples
C++ STL Template specifications Java util component specifications Questions for discussion Do they support information hiding? Do they support abstraction? Can they generalize? Is it possible to make them unambiguous?

5 Informal Specifications
Straightforward descriptions Push pushes an object on a stack How much do they help? Use of metaphors A Queue is like a line at a fast food restaurant Do they generalize? Use of implementation details Push behaves like AddElement method on Vector Is this appropriate for a user-oriented cover story? CS Spring 2011

6 Informal Specifications
See Bertrand Meyer’s article on Formal Specifications in IEEE Computer: Problems with even very carefully designed informal specs Contradiction Noise CS Spring 2011

7 Formal Interface Specification
Communicates precisely the demands and responsibilities to component users and developers Allows for independent development of client and implementation components in parallel in a team environment Minimizes integration costs CS Spring 2011

8 Reasoning Benefits Formal Specifications make it possible to formally reason about correctness of software Such reasoning may be manual or mechanical (i.e. with automate support) CS Spring 2011

9 Languages for Formal Specification
ANNA (and SPARK) for Ada JML for Java Larch/C++ for C++ Spec# for C3 Eiffel RESOLVE VDM Z CS Spring 2011

10 Specification Language Summary
Some specification languages are designed for particular programming languages Some are general purpose Some specification languages are integrated with programming constructs A few additionally integrate the ability to perform formal mathematical reasoning CS Spring 2011

11 Introduction to Mathematical Reasoning
CS Spring 2011

12 Motivating Example What does the following code do to Integer I, where Foo1 and Bar1 are functions that modify their argument? I = Foo1(I); I = Bar1(I); CS Spring 2011

13 Or, what does this code do to integers I and J?
Motivating Example Or, what does this code do to integers I and J? I = Foo2(I,J); J = Bar2(I,J); I = Bar2(I,J); CS Spring 2011

14 Motivating Example Now, what does this code do to Integer I?
I = Next(I); I = Prev(I); How sure are we? Have to account for bounds in our analysis Summary: … Need formal descriptions beyond just names CS Spring 2011

15 What does this code do to Integers I and J?
Motivating Example What does this code do to Integers I and J? I = Sum (I,J); J = Difference (I,J); I = Difference (I,J); How sure are we? CS Spring 2011

16 Specification of Integer Operations
Think of ints as integers in math Constraints, for all Integers I: Min_Int <= I <= Max_Int Operation Next (I:Integer): Integer; requires I < Max_Int; ensures Next = I + 1; Operation Prev (I:Integer): Integer; requires I > Min_Int; ensures Prev = I – 1; CS Spring 2011

17 Specification of Integer Operations
Can parameter values change? Depending on the language Depending on how parameters are passed in Need to make it clear with a specification whether or not a parameter can be modified Operation Next (preserves I: Integer): Integer; requires I < Max_Int; ensures Next = I + 1; CS Spring 2011

18 Specification of Integer Operation
Operation Next (I: Integer): Integer; requires I < Max_Int; ensures Next = I + 1; Ambiguous Specification Operation Next (preserves I: Integer): Integer; requires I < Max_Int; ensures Next = I + 1; Clear Specification – I unchanged Operation Increment (updates I: Integer): Integer; requires I < Max_Int; ensures I = #I + 1; Clear Specification – I modified CS Spring 2011

19 Specify Decrement Operation
Exercise Specify Decrement Operation CS Spring 2011

20 Meaning of Specifications
Requirements and guarantees Requires clauses are preconditions Ensures clauses are postconditions Callers are responsible for requirements Caller of Increment is responsible for making sure input I < Max_Int Guarantees hold only if callers meet their requirements CS Spring 2011

21 Using a Specification A specification can be implemented various ways
Have to judge if code meets specification Example – the Code appears to do what the Spec says but the Spec and Code don’t agree – fix them Spec Operation Do_Nothing (updates I:Integer); requires … ensures I = #I; Code Increment (I); Decrement (I); CS Spring 2011

22 Methods for Checking Correctness
Testing Tracing or Inspection Mathematical Reasoning CS Spring 2011

23 Mathematical Reasoning
Goal: To prove correctness Method: The rest of this presentation Consequences: Can provide correctness on all valid inputs Can show the absence of bugs CS Spring 2011

24 Mathematical Reasoning: Example – Prove Correctness
Spec: Operation Do_Nothing (updates I: Integer); requires I < Max_Int; ensures I = #I; Code: Increment(I); Decrement(I); CS Spring 2011

25 Mathematical Reasoning: Example – Prove Correctness
Establish the goals in state-oriented terms using a table Assume Confirm Increment (I); 1 Decrement (I); 2 I2 = I0 CS Spring 2011

26 Mathematical Reasoning: Example – Prove Correctness
Assume the requires clause at the beginning (Why?) Assume Confirm I0 < Max_Int and … Increment (I); 1 Decrement (I); 2 I2 = I0 CS Spring 2011

27 Mathematical Reasoning: Example – Prove Correctness
Assume calls work as advertised Assume Confirm I0 < Max_Int and … Increment (I); 1 I1 = I0 + 1 Decrement (I); 2 I2 = I1 - 1 I2 = I0 CS Spring 2011

28 Mathematical Reasoning: Example – Prove Correctness
Prove the goal(s) using assumptions Prove I2 = I0 I2 = I (assumption in State 1) = (I0 + 1) – 1 (assumption in state 1) = I0 (simplification) More proof needed … CS Spring 2011

29 Mathematical Reasoning: Example – Prove Correctness
More assertions to be confirmed (Why?) Assume Confirm I0 < Max_Int and … Increment (I); 1 I1 = I0 + 1 I1 > Min_Int Decrement (I); 2 I2 – I1 - 1 I2 = I0 CS Spring 2011

30 Basics of Mathematical Reasoning
Suppose you are verifying code for some operation P Assume its required clause in state 0 Confirm its ensures clause at the end Suppose that P calls Q Confirm the requires clause of Q in the state before Q is called. Why? Assume the ensures clause of Q in the state after Q. Why? Prove assertions to be confirmed CS Spring 2011

31 Mathematical Reasoning: Example 2 – Prove Correctness
Spec: Operation Do_Nothing (updates I: Integer); ensures I = #I; Code: If (I < Max_Int()) then Increment(I); Decrement(I); end; CS Spring 2011

32 Mathematical Reasoning: Example 2 – Prove Correctness
These specs are the same Spec: Operation Do_Nothing (updates I: Integer); ensures I = #I; Operation Do_Nothing (restores I: Integer); CS Spring 2011

33 Mathematical Reasoning: Example 2 – Prove Correctness
Establish the goals in state-oriented terms using a table Condition Assume Confirm If (I < Max_Int()) 1 Increment (I); 2 Decrement (I); 3 End; 4 I4 = I0 CS Spring 2011

34 Mathematical Reasoning: Example 2 – Prove Correctness
Establish the conditions Condition Assume Confirm If (I < Max_Int()) 1 I0 < max_int Increment (I); 2 Decrement (I); 3 End; 4 I4 = I0 CS Spring 2011

35 Mathematical Reasoning: Example 2 – Prove Correctness
Establish sub-goals for different conditions Condition Assume Confirm If (I < Max_Int()) 1 I0 < max_int Increment (I); 2 Decrement (I); 3 End; 4.1 not(I0 < max_int) I4 = I0 4.2 I4 = I3 CS Spring 2011

36 Mathematical Reasoning: Example 2 – Prove Correctness
Fill in other assumptions and obligations as before Condition Assume Confirm If (I < Max_Int()) 1 I0 < max_int I1 = I0 Increment (I); 2 I2 = I1 + 1 Decrement (I); 3 I3 = I2 - 1 End; 4.1 not(I0 < max_int) I4 = I0 4.2 I4 = I3 CS Spring 2011

37 Mathematical Reasoning: Example 2 – Prove Correctness
Prove the subgoal(s) 4.1 Case: not(I0 < max_int) Prove I4 = I0 True from assumption 4.2 Case: (I0 < max_int) Prove: I3 = I0 (assumption in state 4) Prove: (I2 – 1) = I0 (assumption in state 3) CS Spring 2011

38 Mathematical Reasoning: Example 2 – Prove Correctness
For the condition (I0 < max_int), additional proofs are needed These proofs of assertion to be confirmed in States 1 and 2 are left as exercises. CS Spring 2011

Download ppt "Formal Methods Lecture 16 March 22, 2011 CS 315 Spring 2011"

Similar presentations

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
This research is funded in part the U. S. National Science Foundation grant CCR-0113181. DEET for Component-Based Software Murali Sitaraman, Durga P. Gandi.

This research is funded in part the U. S. National Science Foundation grant CCR DEET for Component-Based Software Murali Sitaraman, Durga P. Gandi.
Carlos D. Rivera February 28, 2007 Design-by-Contract.

Carlos D. Rivera February 28, 2007 Design-by-Contract.
Computer Science School of Computing Clemson University Introduction to Mathematical Reasoning Jason Hallstrom and Murali Sitaraman Clemson University.

Computer Science School of Computing Clemson University Introduction to Mathematical Reasoning Jason Hallstrom and Murali Sitaraman Clemson University.
School of Computing Clemson University Mathematical Reasoning  Goal: To prove correctness  Method: Use a reasoning table  Prove correctness on all valid.

School of Computing Clemson University Mathematical Reasoning  Goal: To prove correctness  Method: Use a reasoning table  Prove correctness on all valid.
Addressing the Challenges of Current Software. Questions to Address Why? What? Where? How?

Addressing the Challenges of Current Software. Questions to Address Why? What? Where? How?
91.3913Feb 2003 R McFadyen1 Contracts (Ch 13) Used to help understand requirements more completely based on assertions; assertions are applicable to any.

Feb 2003 R McFadyen1 Contracts (Ch 13) Used to help understand requirements more completely based on assertions; assertions are applicable to any.
92.3913Jan 2005 Ron McFadyen1 Contracts Used to help understand requirements more completely (and so may not always be necessary) based on assertions;

Jan 2005 Ron McFadyen1 Contracts Used to help understand requirements more completely (and so may not always be necessary) based on assertions;
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
91.3913September 2002 R McFadyen1 Domain Model Use Case Model text diagram SSD System operation contracts Design Model Figure 13.3.

September 2002 R McFadyen1 Domain Model Use Case Model text diagram SSD System operation contracts Design Model Figure 13.3.
1 CMSC 132: Object-Oriented Programming II Nelson Padua-Perez William Pugh Department of Computer Science University of Maryland, College Park.

1 CMSC 132: Object-Oriented Programming II Nelson Padua-Perez William Pugh Department of Computer Science University of Maryland, College Park.
From Module Breakdown to Interface Specifications Completing the architectural design of Map Schematizer.

From Module Breakdown to Interface Specifications Completing the architectural design of Map Schematizer.
Computer Science School of Computing Clemson University Mathematical Modeling Murali Sitaraman Clemson University.

Computer Science School of Computing Clemson University Mathematical Modeling Murali Sitaraman Clemson University.
Mathematics throughout the CS Curriculum Support by NSF #

Mathematics throughout the CS Curriculum Support by NSF #
Jason Hallstrom (Clemson), Joan Krone (Denison), Joseph E. Hollingsworth (IU Southeast), and Murali Sitaraman(Clemson) This workshop is funded in part.

Jason Hallstrom (Clemson), Joan Krone (Denison), Joseph E. Hollingsworth (IU Southeast), and Murali Sitaraman(Clemson) This workshop is funded in part.
Formal Methods 1. Software Engineering and Formal Methods  Every software engineering methodology is based on a recommended development process  proceeding.

Formal Methods 1. Software Engineering and Formal Methods  Every software engineering methodology is based on a recommended development process  proceeding.
Computer Science School of Computing Clemson University Discrete Math and Reasoning about Software Correctness Murali Sitaraman

Computer Science School of Computing Clemson University Discrete Math and Reasoning about Software Correctness Murali Sitaraman
Computer Science School of Computing Clemson University Mathematical Reasoning across the Curriculum Software Development Foundations and Software Engineering.

Computer Science School of Computing Clemson University Mathematical Reasoning across the Curriculum Software Development Foundations and Software Engineering.
Class Specifications CpSc 372: Introduction to Software Engineering Jason O. Hallstrom Authorship Disclaimer. These slides are intended.

Class Specifications CpSc 372: Introduction to Software Engineering Jason O. Hallstrom Authorship Disclaimer. These slides are intended.
Lecture 16 March 22, 2011 Formal Methods CS 315 Spring 2011 1 Adapted from slides provided by Jason Hallstrom and Murali Sitaraman (Clemson)

Lecture 16 March 22, 2011 Formal Methods CS 315 Spring Adapted from slides provided by Jason Hallstrom and Murali Sitaraman (Clemson)

Similar presentations

Ads by Google