Posted on 21-Dec-2015
Formal Methods: Industrial Use
CS 415, Software Engineering II
Mark Ardis, Rose-Hulman Institute
March 21, 2003

Outline
Controversy over formal methods
Where are formal methods used?
Four stories:
IBM CICS project
Tektronix oscilloscope
LOTOS at Bell Labs
VFSM at Bell Labs

Controversy Over Formal Methods
DeMillo, Lipton and Perlis, "Social Processes and Proofs of Theorems and Programs", CACM, May 1979.
Fetzer, "Program Verification: The Very Idea", CACM, September 1988.
The "Gang of 10" (the ten researchers, Ardis among them, whose letter "Editorial Process Verification", CACM, March 1989, replied to Fetzer)

Where are Formal Methods Used?
Safety-critical applications:
aviation
railway transportation
MOD 00-55 (UK Ministry of Defence Def Stan 00-55, which required formal methods for safety-critical software)
Other high-integrity systems
Application generators
Hardware design

IBM CICS Project
Maintenance of the Customer Information Control System (CICS)
Used Z to reverse-engineer old code
Found more errors earlier in the lifecycle

Maintenance of CICS
Old (> 30 years)
Large (> 500 KLOC)
Multiple languages (assembler and a special dialect of PL/I)
Many users
Several configurations

Restructuring of CICS
Necessary first step before Z could be used
Independent of any method

Reverse Engineering
Z specifications derived from:
manuals
developers
code
About half of CICS described in Z (230 KLOC)
Modules added or rewritten later from the Z specifications

IBM Development Process
Used the standard IBM process, including:
design reviews
code inspections
testing
Used standard IBM programming languages, plus a guarded command language
Required training of staff in Z

IBM Training
Used standard IBM courses, including:
discrete mathematics
software engineering workshop
Augmented with Z courses:
4 days for writers
2 days for readers
1 day for managers

IBM Results
More time spent in design
Inspections required less preparation, but took longer to conduct
More problems found earlier, in design
Fewer problems found in testing
Overall time was 9% less than average
Won a Queen's Award for Technological Achievement (1992) for the productivity gains
Cartoon of the Day

Tektronix
Exploratory project
Discovered useful abstractions
Concentrated on the process of specification, not the product

Tektronix Process
Two researchers (DeLisle and Garlan) investigated the general problem area:
talked to engineers
tried to describe existing devices
Discussed trial specifications with engineers

Tektronix Results
Original descriptions were operational
Researchers found an abstraction (the waveform) that clarified the roles of hardware and software engineers
The resulting specification yielded insights about tradeoffs:
user interfaces
sampling methods
hardware/software partitioning

Tektronix Lessons
Industrial engineers can understand formal specifications
Abstraction was very valuable in focusing attention on the right problem
Specification was a process, not a product

LOTOS at Bell Labs
Some formal methods already used in switching applications:
SDL
Promela
VFSM
Opportunity to try LOTOS in 1991
Language Of Temporal Ordering Specification
New ISO standard (ISO 8807) for specifying telecommunication protocols

Primitive LOTOS Project
Basic LOTOS difficult to use:
too much redundancy
too little redundancy
Primitive LOTOS (PLOTOS):
added declarations
more "C"-like

PLOTOS Results
Used on parts of several projects
Tools were popular
Solved the wrong problem:
specification was a verb, not a noun
"spaceship theory"

PLOTOS Lessons
Software developers in Naperville (Bell Labs' switching development site) are an oral culture:
work via meetings
very little abstraction
Need to first move to a literary paradigm:
domain engineering to capture knowledge in writing
domain-specific languages to develop formal notations

VFSM at Bell Labs
Manager convinced by a former teacher to try Virtual Finite State Machines (VFSM)
Constructed a compiler to C
Later adapted SPIN for model checking

VFSM Results
Used on several projects
Tools were popular
Solved the right problem:
compiled to executable code
testing was the most onerous job of development
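The VFSM story (a state-machine notation compiled to C and later model-checked with SPIN) is the one technique in these slides that can be shown in working code. The block below is an added example in Python, not the slides' material or Bell Labs' VFSM tooling: a hypothetical login-session machine written as a VFSM-style transition table, a generic interpreter, a toy generator that emits C from the same table, and an explicit-state reachability check (a miniature of what SPIN does for Promela) for a security-relevant safety property, namely that the authenticated state is only entered by presenting a valid credential. The states, inputs and the planted "reconnect" defect are constructed for illustration.

```python
"""VFSM-style state machine: spec table -> interpreter, C generator, and a
miniature explicit-state model checker. Added example for illustration; the
states, inputs and the planted bug are constructed, not Bell Labs' machines."""
from collections import deque

# Transition table in the VFSM spirit: {state: {input: next_state}}.
# Inputs not listed for a state leave the machine where it is (self-loop),
# the usual default in table-driven implementations.
SESSION_SPEC = {
    "IDLE":   {"connect": "UNAUTH"},
    "UNAUTH": {"good_cred": "AUTHED", "bad_cred": "UNAUTH", "disconnect": "IDLE"},
    "AUTHED": {"data": "AUTHED", "logout": "UNAUTH", "disconnect": "IDLE"},
}

# Same machine with a planted defect of the kind happy-path testing misses:
# a "reconnect" shortcut that drops an unauthenticated client into AUTHED.
BUGGY_SPEC = {
    "IDLE":   {"connect": "UNAUTH", "reconnect": "AUTHED"},
    "UNAUTH": {"good_cred": "AUTHED", "bad_cred": "UNAUTH", "disconnect": "IDLE"},
    "AUTHED": {"data": "AUTHED", "logout": "UNAUTH", "disconnect": "IDLE"},
}


def all_inputs(spec):
    """Every input symbol named anywhere in the table, in a stable order."""
    return sorted({inp for table in spec.values() for inp in table})


def step(spec, state, inp):
    """One interpreter step: look the transition up, default to staying put."""
    return spec[state].get(inp, state)


def run(spec, start, inputs):
    """Execute an input trace and return the sequence of states visited."""
    trace = [start]
    for inp in inputs:
        trace.append(step(spec, trace[-1], inp))
    return trace


def no_bypass(src, inp, dst):
    """Safety property, phrased as 'this transition is bad': AUTHED may only be
    entered from UNAUTH on good_cred (staying in AUTHED is fine)."""
    return dst == "AUTHED" and src != "AUTHED" and inp != "good_cred"


def model_check(spec, start, bad):
    """Explicit-state reachability, a miniature of what SPIN does for Promela:
    breadth-first search trying every input from every reachable state.
    Returns None if no bad transition is reachable, otherwise the shortest
    input trace (a counterexample) that triggers one."""
    parent = {start: None}          # state -> (previous state, input taken)
    queue = deque([start])
    while queue:
        src = queue.popleft()
        for inp in all_inputs(spec):
            dst = step(spec, src, inp)
            if bad(src, inp, dst):
                path, cur = [inp], src
                while parent[cur] is not None:   # walk back to the start state
                    cur, via = parent[cur]
                    path.append(via)
                return list(reversed(path))
            if dst not in parent:
                parent[dst] = (src, inp)
                queue.append(dst)
    return None


def emit_c(spec, name="session"):
    """Toy 'compiler to C': the table that was model-checked becomes a
    switch-based step function, so generated code cannot drift from the model.
    Unknown inputs leave the state unchanged, matching step() above."""
    states, inputs = sorted(spec), all_inputs(spec)
    out = ["enum %s_state { %s };" % (name, ", ".join("S_" + s for s in states)),
           "enum %s_input { %s };" % (name, ", ".join("I_" + i.upper() for i in inputs)),
           "enum %s_state %s_step(enum %s_state s, enum %s_input in) {" % ((name,) * 4),
           "    switch (s) {"]
    for s in states:
        out.append("    case S_%s:" % s)
        for inp, dst in sorted(spec[s].items()):
            out.append("        if (in == I_%s) return S_%s;" % (inp.upper(), dst))
        out.append("        return s;")
    out += ["    }", "    return s;", "}"]
    return "\n".join(out)


if __name__ == "__main__":
    print(run(SESSION_SPEC, "IDLE", ["connect", "bad_cred", "good_cred", "data"]))
    print("clean spec:", model_check(SESSION_SPEC, "IDLE", no_bypass))   # None
    print("buggy spec:", model_check(BUGGY_SPEC, "IDLE", no_bypass))     # ['reconnect']
    print(emit_c(SESSION_SPEC))
```

The exercise mirrors the slide's "solved the right problem": the table is the single source for both the generated code and the model that was checked, so the two cannot drift apart, and the checker returns the shortest trace (`['reconnect']`) to the authentication bypass that a test suite written against the expected login sequence would never exercise.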

VFSM Lessons
Bottom-up development is more easily accepted than top-down
Free lunches are a powerful force
Revolutionary methods need crusaders

Summary
Formal methods provide substantial benefits, but at a cost
May be most applicable in established domains
Adoption requires cultural change for many organizations