Formal Methods lecture 01

Formal Methods in Software
Engineering

Formal Method
• Formal method is branch of software engineering, in which
we analyze software systems.
• Develop a program in a way that each step leads to a final
solution, follow proper method to make sure that we do not
take wrong steps.
• The Encyclopedia of Software Engineering defines formal
methods in the following manner:
– Formal methods used in developing computer systems are
mathematically based techniques for describing system properties.
Such formal methods provide frameworks within which people can
specify, develop, and verify systems in a systematic, rather than ad hoc
manner.

Formal Method definition
– A method is formal if it has a sound mathematical basis, typically given
by a formal specification language. This basis provides a means of
precisely defining notions like consistency, completeness, and more
relevantly specification, implementation and correctness.
• Correctness, the property that an abstract model fulfills a set of
well defined requirements.
• Consistency, to be consistent, facts stated in one place in a
specification should not be contradicted in another place.
• Used to specify programs, what the system is suppose to do.
• Used for constructing programs.
• Used to verify the program.

Why Formal Methods are required
 History of software
 Softwares encountered notorious bugs that were the
cause of financial lose and deaths of many people.
 Famous bugs are
 Therac-25
 Computerized radiation therapy machine called the Therac-25. Killed
many people, controller could not stop radiation due to software bug.
 AT & T long distance breakdown bug 1990
 Ill placed break statement in the code, caused the 1/3rd of entire
American network to go down for 9 hours.

Why Formal Methods are required
– Patriot Missile Failure Gulf war
• This missile hit the own American troops a software
defect in 1991. Killing 28 people and many injured
– Pentium bug
• Software error in microcode of Pentium
microprocessor, which resulted in error of floating point
calculation problems. Intel had to take back all the
Pentiums, and it caused huge loss.

Importance of formal methods in
Software
 This is what we are going to study in formal methods.
 Methods to ensure that software is
 Correct
 Reliable
 These two attributes deal with the software quality.
 To achieve software quality, we apply different
techniques.
 Testing
 Verification
 Validation

Testing
• Black box testing
– Test input versus output
– Input
• Two numbers
– Output
• average
• White box testing
– Test the structure of program.
• Loops testing, condition testing

"Testing can show the presence of errors, but not
their absence."
- Edsger Dijkstra

Testing contd..
• In testing we develop test cases and define
scenarios, it is not possible to have all
scenarios .
• Program to show equalness of two strings.
• isEqual(“cat”,”dog”) expected false
• isEqual(“testing”,”testing”) expected true
• isEqual(“house”,”home”) expected false
• isEqual(“house”,”mouse”) expected false.

Testing Contd..
• Same is case with structural testing, white box testing.
• What is wrong with the following code?

How Formal Methods are developed?
• We develop models of system.
• With the help of models we will argue and
prove correctness of models.
• What is a model?
– An item, a structure, a style,….
– Lets play Dijkstra’s game to define a model.

Dijkstra’s game
 Consider the following game to be played by a single person with an
urn/jar and as many w white balls and b black balls as he needs.
 To begin with, an arbitrary positive number of balls is put into the urn and
as long as the urn contains two or more balls, the player repeats the
following moves:
 He shakes the urn and, without looking, he takes two balls from the urn;
 If those two balls have the same color
 he throws one black ball into the urn,
 otherwise he returns one white ball into the urn
 Because each move decreases the total number of balls into the urn by 1, the
game is guaranteed to terminate after a finite number of moves and it is not
difficult to see that the game ends with exactly 1 ball in the urn.
 The question is:
 What can we say about the color of the final ball when we are given the initial
contents of the urn?’”

Dijkstra’s game contd..
• What is the color of last ball?
• Difficult to answer
• Lets play the same game with different
number of balls.

• One ball game
– The game will end
without playing
• Two balls game
– Three different
combinations of balls
– One Black, one white
– One White ,one white
– One Black, one black

two ball game

• Mathematical models use functions.
• What is a function?
• Putting the balls in jar is a function

Conclusion from 2 and 3 balls game
• Depends on parity of white balls, even or odd
parity.
• Even number of white balls, last ball is black
color.
• Odd number of balls, last ball is of white.
• If we play with 100 balls, then can we argue or
prove our hypothesis?
• What is the color of last ball, given w white
balls and b black balls?

Mathematical model and its proof
F(b,w)=
2 black out,1 black in b-2+1, (b-1,w)
We reduce the number of black balls by 1 and we maintain the number
of white balls.
2 white out,1 black in w-2,b+1
We reduce the number of white balls by 2 and increase the number of
black balls by 1.
1 of each out,1 white in b-1,w-1+1,(w)
we reduce the number of black balls by 1 and maintain the number of
white balls.
 Total number of balls removed in each move is 1.
 Parity(even/odd number) of whit balls does not change.
 Yes we will say the parity of white balls determine the
outcome of the game.
 Hence hypothesis is correct.

Formal method steps
 We will define state based model for our computer
programs using formal methods.
1. Define the specifications of the system(Formal
specification).
2. Define abstract model specifications.
 Define the states of system (steps of a model)
 Define invariant(condition)
 Define set of operations for model to function.
 System/model operation is associated with two conditions
 Pre-condition
 Post condition
 Model verification and Implementation
 Make formal model and use tools to prove mechanically that formal
execution model satisfies formal requirements.

Written Requirement
Informal requirements expressed in English:
 A tank of cooling water shall be refilled when its low level
sensor comes on. Refilling consists of adding 9 units of
water to the tank.
 Notes:
> The maximum capacity of the tank is 10 units of water.
> From one reading of the water level to the next reading of the
water level, 1 unit of water will be used.
> The low level sensor comes on when the tank contains 1 unit of
water or less.
A Simple Formal Methods Example

Assigning Types
• The above statement contains several descriptions, including two key notions:
the water level in the tank and the water usage. Formally, these notions can be
modeled as follows (statements 1 and 2):
1 level is represented by a restricted integer type: a
number between 0 and 10, inclusive
2 usage is represented as the integer constant 1
• That is, level describes an amount of water that the tank may hold at any point
in time and usage describes the amount of water used during one cycle.

Function Description
• The primary requirement is that 9 units of water will be added
to the tank whenever the level is less than or equal to 1. This
can be more precisely stated as (statement 3):
3 Function fill takes, as input, a water level and returns, as
output, a water level. Given an input of Lvl units of water,
fill returns Lvl +9, if Lvl is one or less, otherwise it returns Lvl.
• That is, we claim that fill(Lvl) accounts for any filling of water
in the tank.

Properties
• A common sense property of this system is that, at
the next cycle, the new water level will be the
current water level, plus any amount that was added,
minus the amount that was used. That is, given Lvl
as the current level of water, the level at the next
cycle should be given by statement 4:
4 level = Lvl + fill(Lvl) - usage

Properties (continued)
• One approach to checking this specification is to ensure that each reference to
a level of water is consistent with the definition of level, i.e., it should always be
a number between 0 and 10. It turns out that the specification for fill given in 3
above is consistent with the definition of level if the following two logical
statements are true:
5 FORALL levels Lvl
(Lvl <= 1) IMPLIES THAT
(0 <= Lvl + 9) AND
(Lvl + 9 <= 10)
6 FORALL levels Lvl
(0 <= Lvl + fill(Lvl) - usage) AND
(Lvl + fill(Lvl) - usage <= 10)

Analysis by Proof
• The following statements (statements 5.1 and 5.2) constitute an informal
proof that the first FORALL statement (statement 5) is true:
• Property: “5” FORALL levels Lvl (Lvl <= 1) IMPLIES THAT
(0 <= Lvl + 9) AND (Lvl + 9 <= 10)
• Proof:
5.1 Lvl+9 >= 0 because Lvl >= 0 (and the sum of any two numbers greater than
zero is greater than zero)
5.2 Lvl+9 <= 10 because Lvl <=1 (and any number less than or equal to 1 plus 9 is
less than or equal to 10)

Verification of Property #6?
• Property “6” FORALL levels Lvl
(0 <= Lvl + fill(Lvl) - usage) AND
(Lvl + fill(Lvl) - usage <= 10)
• Proof Attempts Fails!
• Counter-example*
– Consider the case when Lvl is 9:
Lvl + fill(Lvl) - 1 = Lvl + Lvl -1 = 9+9-1 = 17 (which is not <= 10)
• The specification is flawed and must be corrected.

Correcting the Specification
• Upon closer examination, it is found that statement 4, our expression
for the water level at the next cycle, is in error:
4 level = Lvl + fill(Lvl) - usage (incorrect)
• This statement is inconsistent with the definition of fill because fill
returns the new level of water, not just the amount of water added.
The (corrected) expression for level, denoted by 4', is simply:
4' level = fill(Lvl) - usage (correct)
• The (corrected) FORALL statement (statement 6) is:
6' FORALL levels L:
(0 <= fill(Lvl) - usage) AND
(fill(Lvl) - usage <= 10) (correct)

This Simple Example Illustrates:
• Formal Specification: Modeling informal English statements using
mathematical expressions
• Type Checking: Checking that all types of items are used
consistently (e.g., level)
• Stating Properties: Identifying and defining expected behavior of
the system (e.g., the expected new level in the tank)
• Proving Logical Conditions: Constructing logical proofs which
show that a given condition holds under all possible situations

Formal Methods lecture 01

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Formal Methods lecture 01 (20)

Recently uploaded (20)

Formal Methods lecture 01

Editor's Notes