FORMAL METHODS: - PowerPoint PPT Presentation

Slides: 25
Provided by: lindsay89
Transcript and Presenter's Notes

1
FORMAL METHODS
  Proving Programs Correct in Safety-Critical Situations

Lindsay Matteo, Department of Computing Sciences,
Villanova University, Fall 2006
2
Things to Forget
  • I don't need to do math, I majored in computer
    science
  • I don't care about formal methods, I just want to
    write computer code
  • Unlike everyone else in the world, I write
    flawless code all the time

3
Hoare Logic: The Basics
  • P {Q} R - If assertion P is true before
    initiation of a program Q, then the assertion R
    will be true after its completion
  • x := f - x is an identifier and f is an expression
    that has no side effects
  • Rules
  • Assignment: ⊢ P0 {x := f} P, where P0 is P with f
    substituted for every occurrence of x
  • Consequence: ⊢ P {Q} R and ⊢ R ⊃ S then ⊢ P {Q} S
  • ⊢ P {Q} R and ⊢ S ⊃ P then ⊢ S {Q} R
  • Composition: ⊢ P {Q1} R1 and ⊢ R1 {Q2} R then
    ⊢ P {Q1; Q2} R
  • Iteration: ⊢ P ∧ B {S} P then ⊢ P {while B do S}
    ¬B ∧ P
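A worked derivation, added here as an illustration and not taken from the slides, applying all four rules in Hoare's P {Q} R notation to a small counting loop; the program, the invariant x = 2i and the bound n are chosen for this example:

$$
\begin{aligned}
&\text{Goal:}\quad \vdash\; x = 0 \wedge i = 0\ \{\text{while } i \neq n \text{ do } (x := x + 2;\ i := i + 1)\}\ x = 2n \\[4pt]
&\text{Invariant } P \equiv x = 2i,\qquad \text{guard } B \equiv i \neq n,\qquad \text{body } S \equiv x := x + 2;\ i := i + 1 \\[4pt]
&\text{(1) Assignment (substitute } i+1 \text{ for } i \text{ in } P\text{):}\quad \vdash\; x = 2(i+1)\ \{i := i + 1\}\ x = 2i \\
&\text{(2) Assignment (substitute } x+2 \text{ for } x\text{):}\quad \vdash\; x + 2 = 2(i+1)\ \{x := x + 2\}\ x = 2(i+1) \\
&\text{(3) Composition of (2) and (1):}\quad \vdash\; x + 2 = 2(i+1)\ \{S\}\ x = 2i \\
&\text{(4) Consequence, since } x = 2i \wedge i \neq n \supset x + 2 = 2(i+1)\text{:}\quad \vdash\; P \wedge B\ \{S\}\ P \\
&\text{(5) Iteration on (4):}\quad \vdash\; P\ \{\text{while } B \text{ do } S\}\ \neg B \wedge P \\
&\text{(6) Consequence, since } x = 0 \wedge i = 0 \supset P \text{ and } \neg(i \neq n) \wedge x = 2i \supset x = 2n\text{:}\quad \text{the goal.}
\end{aligned}
$$

Step (4) is the only place arithmetic is used, and it is where the finite-arithmetic caveat of the next slide applies: with modulo arithmetic the invariant holds only modulo max + 1, and with a firm boundary it fails once x + 2 would exceed max. Nothing above shows the loop terminates; for n < 0 it never does, yet the triple still holds.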

4
Math vs. Implementation
  • Okay, but math has a lot of stuff that computers
    will never encompass. Math is infinite!
    Computers have overflow!
  • Math: there exists an x for every y (y < x)
  • Finite arithmetic: for every x (x ≤ max)
  • Implementations for max + 1:
  • there exists no x (x = max + 1) (strict
    interpretation)
  • max + 1 = max (firm boundary)
  • max + 1 = 0 (modulo arithmetic)
  • Remember! Hoare Logic assumes the absence of
    side effects AND it gives no basis for proving
    the program actually terminates.
  • You'd also have to prove the correctness of the
    program, compiler, AND hardware, and THEN the
    proof would be totally DEPENDENT

5
What are they?
  • Formal methods are mathematical techniques used
    for specification, development, and verification,
    usually only used on high-integrity systems,
    where security or safety errors are catastrophic
  • Because of the mismatch between the mathematical
    system and reality, we can never guarantee
    arbitrary correctness but only correctness with
    respect to specification
  • There are three general levels to which formal
    methods can be employed

6
The Levels
7
Specification Languages
  • Model-based languages use an abstract model such
    as a finite state automaton in addition to
    logical predicates and invariants
  • Process algebras, for concurrent systems where
    timing is critical, use message passing
    (synchronous or asynchronous) and algebraic laws

8
Example Z Notation
  • known : ℙ NAME
  • birthday : NAME ⇸ BIRTHDAY
  • --------------------------------------------------
  • known = dom birthday
  • A valid state:
  • known = {George, Amy, Paolo}
  • birthday = {George ↦ 26-MAR, Amy ↦ 20-DEC,
    Paolo ↦ 03-APR}
  • Based on axiomatic set theory, lambda calculus,
    and first-order predicate logic
  • ISO standardized it in 2002: ISO/IEC 13568:2002
  • Below the line is the checked invariant

9
Formal Development
  • Describes the entire process of transforming the
    formal specification into executable code
  • Steps of refinement usually generate proofs from
    an automated Proof Obligation Generator, most of
    which may be fed into an automatic Theorem Prover
  • Biggest challenge: bridging the gap between
    set-theoretic and non-deterministic constructs and
    computerizable objects

10
Example B Method
  • Abstract Model
  • Basically extracting elements from the natural
    language specification into a formal
    specification language (in this case B)
  • Transitions are non-deterministic
  • B is lower level than Z because it is more
    focused on actual refinement than just
    specification
  • B notation has support tools

11
Example B Method
  • Proofs
  • Proof Obligation Generator will generate proofs
    in two categories
  • Invariant preservation proof
  • Proof of correct refinement
  • Proofs can be handled one of two ways
  • Automatic prover
  • Human intervention

12
Example B Method
  • Concrete Model
  • Still contains set-theoretical objects
  • But has data in 1-1 correspondence with
    computerizable objects (arrays, pointers, etc.)
  • Transitions are deterministic: loops, procedure
    calls
  • Will have to go back to Proofs stage because of
    refinements from Abstract Model

13
Example B Method
  • Executable Code
  • Concrete Model is automatically translated into a
    classical programming language (like C or Ada)
  • The programming language is compiled into an
    executable
  • Two steps may be combined

14
Machine-Checked Proofs
  • Automated provers come in two varieties:
    automatic and interactive
  • In many interactive provers, a highly-skilled
    user actually provides the proof, and the prover
    validates it
  • The underlying logic of different provers varies
  • Theorem provers are not magic! They cannot prove
    statements that we already know are arbitrarily
    unprovable!

15
HOL Theorem Prover
  • Higher Order Logic systems implemented as a
    library in the ML programming language
  • Library implements an abstract data type of
    proven theorems
  • Functions in the library are inference rules
  • You can only create an object of the abstract
    data type using functions in the library

16
Simple Promela INterpreter
  • SPIN is an open-source model-checking tool
  • It generates a finite state model of a system,
    and, for a given logical property, systematically
    checks that it holds
  • So M ⊨ F holds, where M is a finite state machine
    and F is a statement expressed in Linear Temporal
    Logic

[Diagram: Design, (manual) abstractions, Abstract Verification Model, Model Checker, refinement techniques, Implementation]
17
Using SPIN
  • User interface: Xspin
  • Necessary tools:
  • Cygwin: Linux-like environment for Windows
  • Tcl/Tk: XSpin is a Tcl application
  • C compiler: Spin supports embedded C code and is
    also written in C

18
SPIN in the real world
  • Computer Management group of the Netherlands, to
    verify algorithms that manage flood control
    barriers
  • Mission Critical Software used it on a number of
    space missions: Cassini (right), Mars Exploration
    Rovers' motor management algorithms

19
The Best of Both Worlds
  • SPIN generates message sequence charts on
    simulation, checks LTL invariants on
    verification, and provides finite state models of
    individual processes
  • It copes with state space explosion by using a
    Depth First Search algorithm to generate the
    model, which SPIN then checks on the fly
  • SPIN is meant to analyze the logical consistency
    of concurrent programs (usually data comm.
    protocols)
  • It allows for the dynamic creation of processes,
    which communicate through message channels
  • It takes input in the form of Promela
    (Protocol/Process Meta Language) code, a C-like
    language that also contains elements of CSP

20
PROcess MEta LAnguage
  • Processes can communicate synchronously or
    asynchronously
  • Kind of like C, but allows assert and never
    statements
  • SPIN augments this with a Linear Temporal Logic
    editor, which can also be used to form invariants

21
Messaging
   4 proctype Add(int x, y)
   5 {
   6   if
   7   :: (x != y) -> ch ! 1, x+y
   8   :: (x == y) -> ch ! 1, x-y
   9   fi
  10 }

Promela code snippet: if x != y, send the value
x+y to the corresponding process, else send x-y
(the channel ch is declared outside the snippet).
Message sequence chart: x and y have been set to
4 and 5. The Add process (pid 2) sends the value 9
to the init process (pid 1) that ran it. The
monitor process is constantly checking
invariants. All processes terminate at state 10.
22
SPIN Automata
  • Promela is nondeterministic
  • If several guards are enabled, one statement will
    be selected at random
  • SPIN will generate a finite state model for every
    process declaration; this one shows the
    different paths available for the Add process
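The Add process of slides 21 and 22 completed into a whole model that Spin can simulate and verify, as an added example (not code from the slides or from the Spin distribution) covering the messaging, monitor and assert/never material of slides 20 to 22. The channel declaration, the globals, the init process, the monitor process and the ltl claim are assumptions made for this example.

```promela
/* Added example: the Add process of slide 21 completed into a whole model.
   The channel, globals, init, monitor and ltl claim are assumptions. */

chan ch = [0] of { byte, int };   /* rendezvous channel carrying a tag and a value */
int  result = 0;                  /* value init received from Add (0 = nothing yet) */
bool done   = false;              /* set once init has received the answer */

proctype Add(int x, y)
{
  if                              /* the two guards are mutually exclusive, so */
  :: (x != y) -> ch ! 1, x+y      /* exactly one path is enabled per input      */
  :: (x == y) -> ch ! 1, x-y
  fi
}

/* Monitor process: the assert is re-evaluated in every reachable state of
   the system, which is how an invariant over global data is checked. */
active proctype monitor()
{
  do
  :: done -> break
  :: else -> assert(result == 0 || result == 9)
  od
}

init
{
  byte tag;
  run Add(4, 5);                  /* x = 4, y = 5 as in the slide's message chart */
  ch ? tag, result;               /* rendezvous: init receives 9 from Add */
  assert(tag == 1 && result == 9);
  done = true
}

/* Liveness property for the LTL check: the answer is eventually delivered. */
ltl delivered { <> done }
```

Verify with `spin -a model.pml && cc -o pan pan.c && ./pan -a -f`; the `-f` option enforces weak fairness, so the monitor's idle loop cannot starve init and falsify the liveness claim.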

23
Do people ACTUALLY do this?
  • YES! But unless lives are at stake, software
    engineers are extremely reluctant, because formal
    methods require lots of math, lots of formal
    training, and a possibly large upfront cost
  • But it can pay off: IBM subjected only 10% of
    their CICS system to formal development and saved
    9% over conventional methods
  • Cost should be amortized long term due to higher
    quality, maintainability, and reusability

[Chart: Requirements phase cost compared with project
overrun cost (source: W. Gruhl, NASA
Comptroller's Office)]
24
Future of Formal Methods
  • TRENDS
  • Combining certain aspects of formal methods with
    traditional development methods (usually the
    Cleanroom process)
  • More support, especially in the form of toolsets
    (Java; PerfectDeveloper claims to work for
    object-oriented code)
  • Automated tool generator: customized tools for
    different types of systems

Want to learn more? For more information and
further reading, visit http://hawk.csc.villanova.edu/f06g01/