Comparative Formal Methods
Author: lewis-dixon

By the end of this lecture you will be able to
• explain the problem of implementation bias;
• distinguish between model based and algebraic formal methods;
• use the algebraic approach to specify types;
• identify the issues raised by concurrent system specification;
• list some international standards governing the use of formal methods.

Classifying formal methods
Sequential systems
  Algebraic: Larch
  Model-based: Vienna Development Method (VDM), Z, B
Concurrent systems
  Calculus of Communicating Systems (CCS), OBJ, Prototype Verification System (PVS), Communicating Sequential Processes (CSP)

Problems with a model-based approach
Client: "there cannot be more than 50 patients on the register"
Specifier (model): "the cardinality of the register set must not be greater than 50".
Implementation bias

Implementation bias: an example
Set-based model:
types
Patient = TOKEN
values
LIMIT : ℕ = 200
state PatientRegister of
reg : Patient-set
inv mk-PatientRegister (r) ≜ card r ≤ LIMIT
init mk-PatientRegister (r) ≜ r = { }
Sequence-based model (same state, but with reg : Patient*):
inv mk-PatientRegister (r) ≜ len r ≤ LIMIT ∧ ∀ i, j ∈ inds r · i ≠ j ⇒ r(i) ≠ r(j)
init mk-PatientRegister (r) ≜ r = [ ]

addPatient (patientIn : Patient)
ext wr reg : Patient*
pre patientIn ∉ elems reg
post reg = reg~ ^ [patientIn]
This model allows patients A, B and C to be recorded in any of the following 6 ways:
[A, B, C] [A, C, B] [B, A, C]
[B, C, A] [C, A, B] [C, B, A]

A test for bias
"If there are two or more different data values that cannot be distinguished by any of the operations, the model is biased."
addPatient (Patient)
removePatient (Patient)
getPatients ( ) : Patient*
isRegistered (Patient) : Boolean
numberRegistered ( ) : Integer
getFirst ( ) : Patient
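The bias test above, worked out as an added example that is not part of the lecture: the register is modelled as a VDM-style sequence, all six orderings of three constructed patients are generated, and the code reports which orderings no operation path can tell apart. It goes a little beyond the slide's wording by trying sequences of mutators (addPatient, removePatient) before each observer, not just single operations; the function names, the observer groupings and the treatment of getFirst on an empty register as ERROR are my own assumptions, since the page lists the operations without defining them.

```python
from functools import partial
from itertools import permutations

# Constructed sample: three patients; a register value is a VDM-style
# sequence (Patient*) held as a tuple. Function names are my own.
PATIENTS = ("A", "B", "C")

# Mutators: return the new register, or None when the precondition fails.
def add_patient(reg, p):            # pre: p not in elems reg
    return None if p in reg else reg + (p,)

def remove_patient(reg, p):         # pre: p in elems reg
    return tuple(x for x in reg if x != p) if p in reg else None

# Observers: the results a client can actually see.
def is_registered(reg, p):
    return p in reg

def number_registered(reg):
    return len(reg)

def get_first(reg):
    return reg[0] if reg else "ERROR"   # assumed error value on an empty register

MUTATORS = {f"addPatient({p})": partial(add_patient, p=p) for p in PATIENTS}
MUTATORS.update({f"removePatient({p})": partial(remove_patient, p=p) for p in PATIENTS})

# Observer set 1: only set-like questions (membership and count).
SET_OBSERVERS = {f"isRegistered({p})": partial(is_registered, p=p) for p in PATIENTS}
SET_OBSERVERS["numberRegistered()"] = number_registered
# Observer set 2: the same plus getFirst, which exposes the sequence order.
WITH_GET_FIRST = dict(SET_OBSERVERS, **{"getFirst()": get_first})

def observations(reg, observers, depth):
    """Map each path (up to `depth` mutators, then one observer) to its result."""
    frontier, seen = {(): reg}, {}
    for _ in range(depth + 1):
        for path, r in frontier.items():
            for name, obs in observers.items():
                seen[path + (name,)] = obs(r)
        frontier = {path + (name,): nr for path, r in frontier.items()
                    for name, m in MUTATORS.items() if (nr := m(r)) is not None}
    return seen

def indistinguishable_pairs(observers, depth=2):
    """The slide's bias test: distinct register values no operation path tells apart."""
    reps = list(permutations(PATIENTS))          # the six orderings of A, B, C
    obs = {r: observations(r, observers, depth) for r in reps}
    return [(a, b) for i, a in enumerate(reps) for b in reps[i + 1:] if obs[a] == obs[b]]
```

With only set-like observers every pair of orderings collapses (15 pairs, so the sequence model is biased); once getFirst is observable and removePatient may precede it, no pair survives.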

Algebraic methods
• The algebraic approach to formal software development is one that does not require a model to be constructed.
• Instead of describing the behaviour of operations via a model, the behaviour is described by the relationship between operations.
• Some algebraic methods (such as LARCH) are suitable for sequential system specification and others (such as CCS) are suitable for concurrent systems.
• We will look at a LARCH-like specification of a Stack.

Algebraic specification of a Stack
Template:
<SPECIFICATION NAME>
sort <name>
imports <LIST OF SPECIFICATION NAMES>
Operation Signatures
Axioms
Instance:
STACK (Elem)
sort Stack
imports BOOL, INT

Operation Signatures
init : → Stack
push : Elem × Stack → Stack
pop : Stack → Stack
top : Stack → Elem
isEmpty : Stack → Bool
size : Stack → Int

Creating Stacks
From the list of operations, there must always be:
• one operation that creates an empty value of the type (init)
• and one operation that allows new values to be constructed (push)
The stack [A, B, C] is built from these two operations alone:
init
push (C, init)
push (B, push (C, init))
push (A, push (B, push (C, init)))

Axioms
Each operation is described by specifying its effect on the empty value and the non-empty value.
isEmpty ( init ) = true
isEmpty ( push (e, stk) ) = false
pop ( init ) = ERROR
pop ( push (e, stk) ) = stk
top ( init ) = ERROR
top ( push (e, stk) ) = e

The Size Operation
size ( init ) = 0
size ( push (e, stk) ) = 1 + size ( stk )
size ( push (A, push (B, push (C, init))) )
= 1 + size ( push (B, push (C, init)) )
= 1 + 1 + size ( push (C, init) )
= 1 + 1 + 1 + size ( init )
= 1 + 1 + 1 + 0 = 3

Concurrent Methods
withdraw
precondition: balance - amount > MIN
deposit

Livelock and deadlock
deadlock
livelock

Examples of use: Standards
MOD 00-55: This is a standard from the UK Ministry of Defence for defence software procurement.
DO-178B: This is an industry standard in the field of civil avionics.
IEC 61508: This is a generic standard for critical systems development for those industries (such as civil avionics) that do not yet have their own specific standards.
ITSEC: This is a security standard developed jointly by France, Germany, the Netherlands and the United Kingdom.

Examples of use: Industry
Medical Instruments Control Systems
London Air Traffic Control System
Factory Control System
Operating System Security
Railway Signalling Systems
Information Control System
Smart Cards

