22c181: Formal Methods in Software Engineering. The University of Iowa. Spring Introduction

Similar documents
The Course.

Model Checking based Software Verification

CIS 771: Software Specifications. Lecture 1: Course Overview

Software testing. Objectives

Specification and Analysis of Contracts Lecture 1 Introduction

INF5140: Specification and Verification of Parallel Systems

Software Engineering Introduction & Background. Complaints. General Problems. Department of Computer Science Kent State University

A Static Analyzer for Large Safety-Critical Software. Considered Programs and Semantics. Automatic Program Verification by Abstract Interpretation

Software Verification/Validation Methods and Tools... or Practical Formal Methods

T Reactive Systems: Introduction and Finite State Automata

Software Verification and System Assurance

SCADE Suite in Space Applications

CSE4213 Lecture Notes

How To Improve Software Quality

Know or Go Practical Quest for Reliable Software

Introducing Formal Methods. Software Engineering and Formal Methods

Software Testing. System, Acceptance and Regression Testing

Software Engineering. How does software fail? Terminology CS / COE 1530

Comprehensive Static Analysis Using Polyspace Products. A Solution to Today s Embedded Software Verification Challenges WHITE PAPER

Introduction to Formal Methods. Các Phương Pháp Hình Thức Cho Phát Triển Phần Mềm

x64 Servers: Do you want 64 or 32 bit apps with that server?

System-on-Chip Design Verification: Challenges and State-of-the-art

Model Checking of Software

Minimizing code defects to improve software quality and lower development costs.

Introduction of ISO/DIS (ISO 26262) Parts of ISO ASIL Levels Part 6 : Product Development Software Level

Model Checking: An Introduction

Formal Verification and Linear-time Model Checking

Rigorous Software Development CSCI-GA

Chapter 8 Software Testing

Software Requirements Specification

WRITING PROOFS. Christopher Heil Georgia Institute of Technology

When COTS is not SOUP Commercial Off-the-Shelf Software in Medical Systems. Chris Hobbs, Senior Developer, Safe Systems

Achieving business benefits through automated software testing. By Dr. Mike Bartley, Founder and CEO, TVS

Best Practices for Verification, Validation, and Test in Model- Based Design

Introduction to Automated Testing

IBM Rational Rhapsody

Certification of a Scade 6 compiler

Table of contents. Enterprise Resource Planning (ERP) functional testing best practices: Ten steps to ERP systems reliability

Static Analysis of Dynamic Properties - Automatic Program Verification to Prove the Absence of Dynamic Runtime Errors

Static Program Transformations for Efficient Software Model Checking

Smart Cards a(s) Safety Critical Systems

Automated Theorem Proving - summary of lecture 1

Virtualization for Cloud Computing

Ethical Issues in the Software Quality Assurance Function

Die wichtigsten Use Cases für MISRA, HIS, SQO, IEC, ISO und Co. - Warum Polyspace DIE Embedded Code-Verifikationslösung ist.

Overview Motivating Examples Interleaving Model Semantics of Correctness Testing, Debugging, and Verification

The Model Checker SPIN

Instruction Set Design

C# and Other Languages

Professional Organization Checklist for the Computer Science Curriculum Updates. Association of Computing Machinery Computing Curricula 2008

Quality Management. Lecture 12 Software quality management

School of Computer Science

BY STEVE BROWN, CADENCE DESIGN SYSTEMS AND MICHEL GENARD, VIRTUTECH

Automation can dramatically increase product quality, leading to lower field service, product support and

Software Engineering Reference Framework

Kirsten Sinclair SyntheSys Systems Engineers

Coverability for Parallel Programs

RATP safety approach for railway signalling systems

Subject knowledge requirements for entry into computer science teacher training. Expert group s recommendations

Transactional Support for SDN Control Planes "

Industry-Driven Testing: Past, Present, and Future Activities at Simula

Software Testing. Quality & Testing. Software Testing

The ProB Animator and Model Checker for B

V.34 Fax Verification

TEACHING MODEL CHECKING TO UNDERGRADUATES

Chap 1. Software Quality Management

A closer look at HP LoadRunner software

Trends in Embedded Software Development in Europe. Dr. Dirk Muthig

Motivations 1. What is (or should be) the essential preoccupation of computer scientists?

Network Protocol Testing Overview - InterWorking Labs

The CompCert verified C compiler

Oracle Solaris Studio Code Analyzer

In this Lecture you will Learn: Implementation. Software Implementation Tools. Software Implementation Tools

Testing for the Unexpected: An Automated Method of Injecting Faults for Engine Management Development

Module 10. Coding and Testing. Version 2 CSE IIT, Kharagpur

Six ways to accelerate Android mobile application development

Testing, Debugging, and Verification

Engineering Process Software Qualities Software Architectural Design

User interface design. Ian Sommerville 2004 Software Engineering, 7th edition. Chapter 16 Slide 1

SOFTWARE DEVELOPMENT STANDARD FOR SPACECRAFT

Smarter Balanced Assessment Consortium. Recommendation

Aerospace Software Engineering

Anwendung von Polyspace im Software Entwicklungsprozess nach IEC München, , Dr.-Ing. Jörg Barrho

WHAT WE NEED TO START THE PERFORMANCE TESTING?

Business white paper. Best practices for implementing automated functional testing solutions

TIA Portal vs Studio 5000

An Easier Way for Cross-Platform Data Acquisition Application Development

Secure Software Programming and Vulnerability Analysis

Introducing the Dezyne Modelling Language

Reduce Medical Device Compliance Costs with Best Practices.

Course Goals. Solve Non-Technical Customer problem Server side: Ruby on Rails Client side: HTML, CSS, AJAX, JavaScript Deploy using cloud computing

Real-time Power Analytics Software Increasing Production Availability in Offshore Platforms

Test What You ve Built

How To Improve Software Quality

Mobile Testing That s Just a Smaller Screen, Right?

COMPUTER SCIENCE TRIPOS

Rigorous Software Development An introduction

The Eighth International Conference INCOSE_IL Formal Methods Security Tools in the Service of Cyber Security

Integrating MBD and CBD Workflows for Automotive Control Software

Regression Verification: Status Report

Transcription:

22c181: Formal Methods in Software Engineering The University of Iowa Spring 2008 Introduction Copyright 2007-8 Reiner Hähnle and Cesare Tinelli. Notes originally developed by Reiner Hähnle at Chalmers University and modified by Cesare Tinelli at the University of Iowa. These notes are copyrighted materials and may not be used in other course settings outside of the University of Iowa in their current form or modified form without the express written permission of one of the copyright holders. 22c181: Formal Methods in Software Engineering p.1

A Truism Software has become critical to modern life. Process Control (oil, gas, water,... ) Transportation (air traffic control,... ) Health Care (patient monitoring, device control... ) Finance (automatic trading, bank security... ) Defense (intelligence, weapons control,... ) Manufacturing (precision milling, assembly,... ) Failing software costs money and life! 22c181: Formal Methods in Software Engineering p.2

Failing Software Costs Money Thousands of dollars for each minute of factory down-time Huge losses of monetary and intellectual investment Rocket boost failure (e.g., Arianne 5) Business failures associated with buggy software (e.g., Ashton-Tate dbase) 22c181: Formal Methods in Software Engineering p.3

Failing Software Costs Lives Potential problems are obvious: Software used to control nuclear power plants Air-traffic control systems Spacecraft launch vehicle control Embedded software in cars A well-known and tragic example: Therac-25 radiation machine failures 22c181: Formal Methods in Software Engineering p.4

The Peculiarity of Software Systems Tiny faults can have catastrophic consequences Software seems particularly prone to faults: Ariane 5 Mars Climate Orbiter, Mars Sojourner London Ambulance Dispatch System Denver Airport Luggage Handling System Pentium-Bug... 22c181: Formal Methods in Software Engineering p.5

Observation Building software is what the majority of you will do after graduation You ll be developing systems in the context we just mentioned Given the increasing importance of software, you may be liable for errors your job may depend on your ability to produce reliable systems What are the challenges in building reliable software? 22c181: Formal Methods in Software Engineering p.6

Achieving Reliability in Engineering Some well-known strategies from civil engineering: Precise calculations/estimations of forces, stress, etc. Hardware redundancy ( make it a bit stronger than necessary ) Robust design (single fault not catastrophic) Clear separation of subsystems Any airplane flies with dozens of known and minor defects Design follows patterns that are proven to work 22c181: Formal Methods in Software Engineering p.7

Why This Does Not Work For Software Software systems compute non-continuous functions Single bit-flip may change behaviour completely Redundancy as replication doesn t help against bugs Redundant SW development only viable in extreme cases No physical or modal separation of subsystems Local failures often affect whole system Software designs have very high logic complexity Most SW engineers untrained in correctness Cost efficiency more important than reliability Design practice for reliable software in immature state 22c181: Formal Methods in Software Engineering p.8

How to Ensure Software Correctness/Compliance? A Central Strategy: Testing (others: SW processes, reviews, libraries,... ) Testing against inherent SW errors ( bugs ) Design test configurations that hopefully are representative and ensure that the system behaves intentionally on them Testing against external faults Inject faults (memory, communication) by simulation or radiation 22c181: Formal Methods in Software Engineering p.9

Limitations of Testing Testing can show the presence of errors, but not their absence (exhaustive testing viable only for trivial systems) Representativeness of test cases/injected faults subjective How to test for the unexpected? Rare cases? Testing is labor intensive, hence expensive 22c181: Formal Methods in Software Engineering p.10

A Complement to Testing: Formal Verification A Sorting Program: public s t a t i c Integer[] sort(integer[] a) {... } 22c181: Formal Methods in Software Engineering p.11

A Complement to Testing: Formal Verification A Sorting Program: public s t a t i c Integer[] sort(integer[] a) {...} Testing sort(): sort({3,2,5}) == {2,3,5} sort({}) == {} sort({17}) == {17} 22c181: Formal Methods in Software Engineering p.12

A Complement to Testing: Formal Verification A Sorting Program: public s t a t i c Integer[] sort(integer[] a) {...} Testing sort(): sort({3,2,5}) == {2,3,5} sort({}) == {} sort({17}) == {17} Missed Test Cases! sort({2,1,2}) == {1,2,2} sort(null) == {1,2,2} 22c181: Formal Methods in Software Engineering p.13

Formal Verification as Theorem Proving Theorem. The program sort() is correct. For any given array of integers a, calling the program sort(a) returns an array of integers that is sorted and is a permutation ofa. Proof. Methodology differs from Mathematics! 1. Formalize the claim in a logical representation 2. Prove the claim with the help of a theorem prover 22c181: Formal Methods in Software Engineering p.14

Formal Methods: The Scenario Rigorous methods used in system design and development Mathematics and symbolic logic formal Increase confidence in a system Two aspects: System specification System implementation Make formal model of both and use tools to prove mechanically that formal execution model of the implementation satisfies formal requirements of the specification 22c181: Formal Methods in Software Engineering p.15

Formal Methods: The Vision Complement other analysis and design methods Are good at finding bugs (in code and specification) Reduce development (and test) time Can ensure certain properties of the formal system model Should ideally be automatic 22c181: Formal Methods in Software Engineering p.16

Formal Methods and Testing Run the system at chosen inputs and observe its behaviour Randomly chosen Intelligently chosen (by hand: expensive!) Automatically chosen (need formalized spec) What about other inputs? (test coverage) What about the observation? (test oracle) Challenges can be addressed by/require formal methods 22c181: Formal Methods in Software Engineering p.17

Specifications What the System Should Do Simple properties Safety properties Something bad will never happen Liveness properties Something good will happen eventually Non-functional properties Runtime, memory, usability,... Complete behaviour specification Equivalence check Refinement Data consistency... 22c181: Formal Methods in Software Engineering p.18

Formal Specifications The expression in some formal language and at some level of abstraction of a collection of properties that some system should satisfy [van Lamsweerde] Formal language Syntax can be mechanically processed and checked Abstraction: Above the level of source code Several levels possible 22c181: Formal Methods in Software Engineering p.19

Formal Specifications The expression in some formal language and at some level of abstraction of a collection of properties that some system should satisfy [van Lamsweerde] Properties: Expressed in some formal logic Have a well-defined semantics Satisfaction: Ideally (but not usually) decided mechanically 22c181: Formal Methods in Software Engineering p.20

The Main Point of Formal Methods is Not To show correctness of entire systems What IS correctness? Always go for specific properties! To replace testing entirely Formal methods work on source code or, at most, bytecode level Non-formalizable properties To replace good design practices There is no silver bullet! No correct system w/o clear requirements & good design This holds as well for Formal Methods 22c181: Formal Methods in Software Engineering p.21

But... Formal proof can replace (infinitely) many test cases Formal methods can be used in automatic test case generation Formal methods improve the quality of specs (even without formal verification) 22c181: Formal Methods in Software Engineering p.22

Successful Formal Methods... are integrated into the development process, in particular at early design stages... avoid unreasonable new demands or skills from the user FM should be learnable as part of Masters in CS... work at large scale... save time or money in getting a good quality product out... increase the feasible complexity of products 22c181: Formal Methods in Software Engineering p.23

Typical Areas Saving time Time to market 22c181: Formal Methods in Software Engineering p.24

Typical Areas Saving time Time to market Saving money Intel Pentium bug Smart cards in banking 22c181: Formal Methods in Software Engineering p.24

Typical Areas Saving time Time to market Saving money Intel Pentium bug Smart cards in banking More complex products Modern processors, fault tolerant software 22c181: Formal Methods in Software Engineering p.24

Typical Areas Saving time Time to market Saving money Intel Pentium bug Smart cards in banking More complex products Modern processors, fault tolerant software Saving human lives Avionics, X-by-wire 22c181: Formal Methods in Software Engineering p.24

A Fundamental Fact Formalisation of system requirements is hard 22c181: Formal Methods in Software Engineering p.25

Difficulties in Creating Formal Models Formal Execution Model Real World Abstraction Formal Requirements Specification 22c181: Formal Methods in Software Engineering p.26

Difficulties in Creating Formal Models wrong assumption eg, zero delay Real World Formal Model 22c181: Formal Methods in Software Engineering p.26

Difficulties in Creating Formal Models Real World missing requirement eg, stack overflow Formal Model 22c181: Formal Methods in Software Engineering p.26

Difficulties in Creating Formal Models Real World Formal Model misunderstood problem eg, wrong integer model 22c181: Formal Methods in Software Engineering p.26

Formalization Helps to Find Bugs in Specs Wellformedness and consistency of formal specs checkable with tools Fixed signature (symbols) helps to spot incomplete specs Failed verification of implementation against spec gives feedback on erroneous formalization 22c181: Formal Methods in Software Engineering p.27

Another Fundamental Fact Proving properties of systems can be hard 22c181: Formal Methods in Software Engineering p.28

Level of System (Implementation) Description Low level Finitely many states Tedious to program, worse to maintain Automatic proofs are (in principle) possible High level Complex datatypes and control structures, general programs Easier to program Automatic proofs (in general) impossible! 22c181: Formal Methods in Software Engineering p.29

Expressiveness of Specification Simple Finitely many cases Approximation, low precision Automatic proofs are (in principle) possible Complex General properties High precision, tight modeling Automatic proofs (in general) impossible! 22c181: Formal Methods in Software Engineering p.30

Main Approaches High-level programs, Complex properties Low-level programs, Complex properties High-level programs, Simple properties Low-level programs, Simple properties 22c181: Formal Methods in Software Engineering p.31

Main Approaches High-level programs, Complex properties Low-level programs, Complex properties High-level programs, Simple properties Low-level programs, Simple properties Lustre 1 st part of course 22c181: Formal Methods in Software Engineering p.31

Main Approaches KeY 2 nd part of course High-level programs, Complex properties Low-level programs, Complex properties High-level programs, Simple properties Low-level programs, Simple properties Lustre 1 st part of course 22c181: Formal Methods in Software Engineering p.31

Proof Automation Automatic Proof No interaction Sometimes help is required anyway Formal specification still by hand Semi-Automatic Proof Interaction may be required Very often proof tool suggests proof rules Proof is checked by tool 22c181: Formal Methods in Software Engineering p.32

Model Checking System Model System Property G(x Fy) Model Checker no yes x=t,t,f,f,... y=f,f,f,t,... 22c181: Formal Methods in Software Engineering p.33

Model Checking in Industry Hardware verification Good match between limitations of technology and application Intel, Motorola, IBM,... Software verification Specialized software: control systems, protocols Typically no checking of executable source code, but of abstraction thereof Ericsson, Microsoft, Rockwell-Collins 22c181: Formal Methods in Software Engineering p.34

Proof Based Methods (I) System Implementation Formal Requirements compilation compilation F yes/no P Proof rules establish relation implementation conforms to specs 22c181: Formal Methods in Software Engineering p.35

Proof Based Methods (II) [ System Implementation ] Formal Requirements yes/no Apply proof rules to establish validity of formula that encodes relation implementation conforms to specs 22c181: Formal Methods in Software Engineering p.36

Proof Methods in Industry Hardware verification For large systems Intel, Motorola, AMD,... Software verification Safety critical systems, libraries Paris driverless metro (Meteor), Emergency closing system Rockwell-Collins, Avionics software 22c181: Formal Methods in Software Engineering p.37

SPIN at Bell Labs Feature interaction for telephone call processing software Tool works directly on C source code, automatic abstraction Web interface to track properties Work farmed out to large numbers of computers Finds shortest possible error trace 18 months, 300 versions, 75 bugs found Main burden: Defining meaningful properties 22c181: Formal Methods in Software Engineering p.38

Static Driver Verifier/SLAM at Microsoft Device drivers running in kernel mode should respect API Third-party device drivers do not respect APIs responsible for 90% of Windows crashes SLAM inspects C code, builds a finite state machine, checks requirements Static Driver Verifier β-released as part of the Windows Driver Foundation 22c181: Formal Methods in Software Engineering p.39

Static Driver Verifier/SLAM at Microsoft Device drivers running in kernel mode should respect API Third-party device drivers do not respect APIs responsible for 90% of Windows crashes SLAM inspects C code, builds a finite state machine, checks requirements Static Driver Verifier β-released as part of the Windows Driver Foundation 22c181: Formal Methods in Software Engineering p.39

Future Trends Design for formal verification Combining semi-automatic methods with SAT, theorem provers Combining static analysis of programs with automatic methods and with theorem provers Combining test and formal verification Integration of formal methods into SW development process Integration of formal method tools into CASE tools Applying formal methods to dependable systems design 22c181: Formal Methods in Software Engineering p.40

Summary Formal Methods... Are (more and more) used in practice Can shorten development time Can push the limits of feasible complexity Can increase product quality 22c181: Formal Methods in Software Engineering p.41

Summary Formal Methods... Are (more and more) used in practice Can shorten development time Can push the limits of feasible complexity Can increase product quality Those responsible for software management should consider formal methods, especially within the realm of safety-critical, security-critical, and cost-intensive software 22c181: Formal Methods in Software Engineering p.41

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information