course summary

Course Summary

© Katz, 2007Formal Specifications of Complex Systems -- Real-time 2

Topics (1)

• Families of specification methods, evaluation criteria

• Safety and liveness• Expressing properties in predicate calculus

(logic)• Input/output assertions, partial correctness,

Hoare logic, invariants• Z notations: dom ran and special symbols• Z schemas: defining the state, operations• Z examples: symb. table, Unix files, telephone,...


Topics (2)

• Schema calculus: modularity, hiding,...• Refinement in Z: applying mapping functions,

data and operation refinement, applicability and correctness

• State machine: pure graph, traces, using Z for state machines

• Statecharts: superstates, parallelism, joint transitions, history, micro-steps, activities

• Temporal logics, linear: [], <>,..., next• Anchored version, past operators, classes of

properties, fairness


Topics (3)

• Branching time: E, A, F, G, X, CTL• Real time: TIME, Zeno, ranges, bound vars.

with temp. logic; for statecharts• Lamport’s textual state machines: open versus

closed system, critical moment• Allowed changes, parameter passing• Fault tolerance, lossy queue and fairness,

alternating bit protocol impl. of queue• Process algebras and LOTOS• Nondeterminism, gates, actions, • Process declaration and instantiation


Topics (4)

• Parallel comp.: |||, |[ gates ]|, | |, hiding• Offering (!) and accepting (?), negotiation• Stop, hiding, i, and multiway gates• Semantic views: bisimulation equivalence,

testing equiv., trace equiv.• Algebraic specification and Larch, algebraic

axioms, initial/final algebra• Generated by, partitioned by, converts• Shared versus Interface Languages


Three kinds of specifications

• Data and transition modeling: Z vrs. Larch shared lang.; For individual steps; textual, sequential

• Control: Statecharts vrs. LOTOS (vrs. Esterelle vrs...) For concurrency, overlap, synchronization

• Global liveness (and safety too): Temporal logic in some version


Present Use of Formal Specifications

• Invariants and I/O assertions: added to UML designs, appear as run-time checks, assert statements and checkers (in recent systems, around 10% of Microsoft code)

• Elements of Z are in OCL (Object Constraint Language) extension of UML

• Software model checkersBandera, accepts Java programs annotated with a version of temporal logicSLAM, a Microsoft product for checking temporal logic assertions about driver software; now SDVJava Pathfinder: NASA tool for model checking Java


Present use (cont.)

• Feasibility checks for Java applets>No memory segment violations, no illegal operations

• Legal requirements for formal specification and verification using a tool, in addition to testing

>Aircraft control>Railway control in Europe and the US

>Software controlling nuclear reactors in Europe

• Description languages for test data generation• Hardware (design) verification using model

checking and/or simulation: widely used in Intel, IBM, Motorola


Trends

• Use formal methods selectively for problem areas• Develop tools with clear added value• Use for error detection as well as showing

correctness• Set up environment where methods can be

combined (not yet widespread): >VeriTech: project to translate among verification tools

and their specification notations>AOSD Formal Methods Lab: apply specification

notations and verification tools to Aspect-Oriented Programming


Realistically....

• Potential benefits are known.

• Problems with formal methods have become evident.

• Modeling and tools have helped on real projects in particular application areas.

• Software development is in so much trouble, there is new willingness to invest in formal methods.

course summary

Documents