Formal methods: some definitions
rigorous techniques, based on mathematical foundations, for the specification
and verification of software
[D. Craigen]
“the application of mathematical synthesis and analysis techniques
to the development of computer controlled systems”.
DEF STAN 00-55:
“a software specification and production method that comprises:
- a collection of mathematical notations addressing the specification,
design and development phases;
- a well-founded logical inference system in which formal
verification proofs and other properties can be formulated;
- a methodological framework within which software can be
developed from the specification to the implementation in a formally
verifiable manner”
Assertional methods for formal specification and development
VDM, Z, B
• A system is seen as a set of states and of operations that modify the state
• An INVARIANT is defined: a predicate that must be satisfied in every state
• For each operation a predicate called PRECONDITION is defined. The operation
may be performed only if its precondition is true in the current state.
• For each operation a predicate called POSTCONDITION is defined. This predicate
is true in the state modified by the operation.
int i = 0;          /* precondition: i == 0 */
while (i < n)       /* zero the first n elements of A */
{
    A[i] = 0;
    i++;
}
precondition:   i == 0
postcondition:  for all j, 0 < j <= n => A[j-1] == 0, and i == n
invariant (at the k-th iteration):  for all j, 0 < j <= k => A[j-1] == 0, and i == k
• An invariant is proved by induction:
• one proves that the precondition implies the invariant at the first step;
• one proves that if the invariant holds at step k, then it also holds at step k+1.
• One then proves that the invariant at the final step implies the postcondition.
• The proofs are carried out on the basis of the semantics of the commands of the
programming language.
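As an added example (not from the slides), the loop above with its precondition, invariant and postcondition checked at run time in C, alongside the same contract written in ACSL-style notation as used by Frama-C; the function names are hypothetical. The bound k <= n inside the invariant is what guarantees that every write A[i] stays in bounds.

```c
#include <stddef.h>

/*@ requires n >= 0 && \valid(A + (0 .. n-1));
    ensures  \forall integer j; 0 < j <= n ==> A[j-1] == 0;
*/
/* Invariant at the k-th iteration: 0 < j <= k => A[j-1] == 0, with 0 <= k <= n.
 * Returns 1 if it holds for the first k elements of A, 0 otherwise. */
int invariant_holds(const int *A, int k, int n)
{
    if (k < 0 || k > n) return 0;           /* k outside [0, n] breaks the invariant */
    for (int j = 1; j <= k; j++)
        if (A[j-1] != 0) return 0;
    return 1;
}

/* Postcondition: the invariant with i == n, i.e. the whole array is zero. */
int postcondition_holds(const int *A, int i, int n)
{
    return i == n && invariant_holds(A, n, n);
}

/* The slide's loop, instrumented: returns 1 if the precondition, the invariant
 * at every step and the postcondition all held, 0 at the first violation. */
int zero_array_verified(int *A, int n)
{
    int i = 0;
    if (!(i == 0)) return 0;                 /* precondition */
    if (!invariant_holds(A, i, n)) return 0; /* base case: pre => invariant at k = 0 */
    /*@ loop invariant 0 <= i <= n;
        loop invariant \forall integer j; 0 < j <= i ==> A[j-1] == 0;
        loop variant n - i; */
    while (i < n) {
        A[i] = 0;
        i++;
        if (!invariant_holds(A, i, n)) return 0; /* inductive step: k => k+1 */
    }
    return postcondition_holds(A, i, n);     /* final invariant => postcondition */
}
```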
The Z specification method
• refinement
• precondition
• postcondition
The B method
(based on Abstract Machines -
Jean-Raymond Abrial, BP Research, Oxford Programming Research Group)
ASSERTIONAL METHOD
to simplify the development of the system the method uses the same notation
for all the stages of the development, which proceeds by successive refinement steps
• verification amounts to checking that the preconditions and postconditions
of lower level operations verify the preconditions and postconditions
of higher level operations
Basic concepts:
Set theory, predicate calculus.
An Abstract Machine (AM) is given by
- STATE
- variable set
- STATE INVARIANT, to be permanently verified
- a set of OPERATIONS that can be activated to modify the STATE
- defined in terms of pre-conditions and post-conditions on the
STATE
PROOF OBLIGATIONS:
every time that an operation has been specified, it must be verified that its
specification preserves the STATE INVARIANT
The method includes :
- logic system for the expression and the proof of PROOF
OBLIGATIONS based on the SUBSTITUTION principle
OPERATIONS:
modify the STATE within the constraints imposed by the INVARIANT
PROOF OBLIGATION
• it must be proved that the specification of the operation preserves the
invariant
ASSUMPTION:
the STATE verifies the INVARIANT before the operation
PROOF:
the INVARIANT is satisfied after the operation
A specification in AMN (Abstract Machine Notation)
Example: Check-departure AMN Specification
A REFINEMENT machine is defined by adding implementation details
to a machine
the preconditions and postconditions of lower level operations must
verify the preconditions and postconditions of higher level operations
• A PROOF OBLIGATION is generated to carry out this verification.
REFINEMENT
• The development methodology is made up of a sequence of refinement
steps: at each step, the PROOF OBLIGATIONS have to be proved (with
the support of a theorem prover)
• At a certain step of refinement, the machine is very close to an
implementation, so it can be translated (almost automatically) into code.
We add to the specification how the departure can be validated.
A departure is validated whenever a button is kept pushed more than a
period called the threshold duration.
We add information about the physical status of the button in the
specification.
Refinement of Check-departure
From DEF STAN 00-55
• The proof obligations for a particular formal method are the properties that the
designer is obliged to discharge in order to have assurance that the specification is
self consistent, or that a design correctly implements a specification (refinement).
• Refinement proofs are required to verify the first stage of the design against the
specification and to verify each subsequent design stage against the previous one.
• Manual generation of proof obligations is an extremely arduous and error prone task
and a more assured method is to use a proof obligation generator.
• Proof obligations are discharged using formal arguments. Formal arguments can be
constructed in two ways: by formal proof or by rigorous argument.
• A formal proof is strictly a well formed sequence of logical formulae such that each
formula can be deduced from formulae appearing earlier in the sequence or is one of
the fundamental building blocks (axioms) of the proof theory.
• Tools should be used to assist in the generation of formal proofs and checking of
formal proofs.
Industrial applications of formal methods
- Acceptance problems due to:
• notational complexity
• scarcity of support tools
• difficulty of choosing one method among the many proposed