Post on 20-Dec-2015
March 2009 Tools for VDM in Industry 1
Tools for VDM in Industry
Professor Peter Gorm Larsen, Engineering College of Aarhus ([email protected]). Also adjunct professor at Aarhus University.
Personal Background
• Theoretical work
  • VDM-SL semantics (ISO standard)
  • VDM-SL proof rules (PhD work)
• More practical work
  • VDM and Structured Analysis in combination
  • VDMTools architect
  • Transfer of VDM to industry
  • Intensive industrial use
• Employed by
  • For 13 years: IFAD A/S
  • For 3.5 years: Systematic Software Engineering A/S
  • For 3.5 years: Engineering College of Aarhus
Tools for VDM in Industry
Industrial Experience with VDM
• “Bootstrapping” VDMTools
• Overview of VDMTools
• The Overture/Eclipse Initiative
• Vision for the future
References, World-wide, 2001
France: Aerospatiale Espace et Defense, Dassault Aviation, Dassault Electronique, CISI CEA et Defense, CEA Leti, Cap Gemini, LAAS, Matra Bae Dynamics
U.K.: British Aerospace Systems & Equipment, British Aerospace Defense, Adelard, ICL Enterprise Engineering, Rolls Royce, Transitive Technologies
Italy: ENEA, Ansaldo
The Netherlands: Dutch Dept. of Defence, Origin, Chess
Portugal: Sidereus
Denmark: Baan Nordic, Odense Steel Shipyard, DDC International
North America: Boeing, Rockwell Collins, Lockheed Martin, DDC-I, Inc., Rational Software Corp., Formal Systems Inc., Concordia University
Japan: RTRI (Japan Railways), JFITS, Felica Networks
Germany: GAO mbH
More than 150 VDMTools clients world-wide
ConForm (1994)
• Organisation: British Aerospace (UK)
• Domain: Security (gateway)
• Tools: The VDM-SL Toolbox
• Experience:
  • Prevented propagation of error
  • Successful technology transfer
  • At least 4 more applications without support
• Statements:
  • “Engineers can learn the technique in one week”
  • “VDMTools can be integrated gradually into a traditional existing development process”
DustExpert (1995-7)
• Organisation: Adelard (UK)
• Domain: Safety (dust explosives)
• Tools: The VDM-SL Toolbox
• Experience:
  • Delivered on time at expected cost
  • Large VDM-SL specification
  • Testing support valuable
• Statement:
  • “Using VDMTools we have achieved a productivity and fault density far better than industry norms for safety related systems”
Adelard Metrics
• 31 faults in Prolog and C++ (< 1/kloc)
• Most minor, only 1 safety-related
• 1 (small) design error, rest in coding

Initial requirements: 450 pages
VDM specification: 16 kloc (31 modules), 12 kloc excl. comments
Prolog implementation: 37 kloc, 16 kloc excl. comments
C++ GUI implementation: 23 kloc, 18 kloc excl. comments
CAVA (1998-)
• Organisation: Baan (Denmark)
• Domain: Constraint solver (Sales Configuration)
• Tools: The VDM-SL Toolbox
• Experience:
• Common understanding
• Faster route to prototype
• Earlier testing
• Statement:
• “VDMTools has been used in order to increase quality and reduce development risks on high complexity products”
Dutch DoD (1997-8)
• Organisation: Origin, The Netherlands
• Domain: Military
• Tools: The VDM-SL Toolbox
• Experience:
• Higher level of assurance
• Mastering of complexity
• Delivered at expected cost and on schedule
• No errors detected in code after delivery
• Statement:
• “We chose VDMTools because of high demands on maintainability, adaptability and reliability”
DoD, NL Metrics (1)
• Estimated 12 C++ loc/h with manual coding!

                  kloc   hours   loc/hour
spec                15    1196       13
manual impl          4     471      8.5
automatic impl      90       0       NA
test                NA     612       NA
total code          94    2279     41.2
DoD - Comparative Metrics
Cost, split into analysis & design / coding / testing:
Traditional: 900 / 2000 / 700
VDMTools®: 1200 / 500 / 600
[Figure: bar chart on a 0% to 100% scale, with the VDMTools total marked at 64% of the traditional total.]
BPS 1000 (1997-)
• Organisation: GAO, Germany
• Domain: Bank note processing
• Tools: The VDM-SL Toolbox
• Experience:
  • Better understanding of sensor data
  • Errors identified in other code
  • Savings on maintenance
• Statement:
  • “VDMTools provides unparalleled support for design abstraction ensuring quality and control throughout the development life cycle.”
Flower Auction (1998)
• Organisation: Chess, The Netherlands
• Domain: Financial transactions
• Tools: The VDM++ Toolbox
• Experience:
• Successful combination of UML and VDM++
• Use iterative process to gain client commitment
• Implementers did not even have a VDM course
• Statement:
• “The link between VDMTools and Rational Rose is essential for understanding the UML diagrams”
SPOT 4 (1999)
• Organisation: CS-CI, France
• Domain: Space (payload for SPOT4 satellite)
• Tools: The VDM-SL Toolbox
• Experience:
• 38 % less lines of source code
• 36 % less overall effort
• Use of automatic C++ code generation
• Statement:
The cost of applying Formal methods is significantly lower than without them.
IFAD VDM Applications
• VDMTools
  • VDM interpreter
  • VDM static semantics
  • VDM to C++ code generator
  • Specification manager
  • UML mapper
  • Java static semantics
  • Java VDM++ translator
• MUSTER: Emergency response training
Japanese Railways (2000-2001)
• Domain: Railways (database and interlocking)
• Experience:
• Prototyping important
• Subsequently also used for an ATC system
• Engineer working at IFAD for two years
TradeOne, CSK, 2000 - 2001
• Full TradeOne system is a 1.3 MLOC system
• Mission-critical backbone system keeping track of financial transactions conducted
• Used by securities companies and brokerage houses
Tax exemption subsystem has particularly complex regulations to implement. Modelled in VDM++.
Options subsystem handles the business process for trading options. Modelled in VDM++.
TradeOne Cost Effectiveness

Subsystem       COCOMO estimate                      Real time                        Time saving
Tax exemption   Effort: 38.5 PM, Schedule: 9 M       Effort: 14 PM, Schedule: 3.5 M   Effort: 74%, Schedule: 61%
Options         Effort: 147.2 PM, Schedule: 14.3 M   Effort: 60.1 PM, Schedule: 7 M   Effort: 60%, Schedule: 51%

Overall sizes (lines of code): Total TradeOne 1,342,858; Tax exemption subsystem 18,431; Option subsystem 60,206
The FeliCa Mobile Chip Project
• Mobile FeliCa IC chips can be embedded inside mobile phones
• Used for different on-line services including payment
• Uses Near-Field-Communication technology
• Used for example for metro ticketing in Tokyo
• The IC chips contain an operating system as firmware for 50 million mobile phones
• This is fully developed using the VDM++ technology
• Between 50 and 60 people in total on the project
[Figure: Mobile FeliCa IC chip, 23.5 mm]
Specification and Implementation Growth
[Figure: cumulative committed lines of formal specification and implementation (left axis, 0 to 140,000 lines) and number of specification changes (right axis, 0 to 100) per month from 2004/7 to 2006/4, annotated with project events: external specification document 1.0, start of main formal specification development, formal specification document 0.9 and 1.0, OS definition document 1.0, release rounds RR 1.0 to RR 4.0 to pilot handset manufacturers and RR 5.0 and RR 7.0 to all handset manufacturers, a review by Mr Shiiki, designer/evaluator review, alpha version evaluation, cross-check and coverage evaluation, and a design concept meeting. Phases: main development preparation (3 months), main development (8 months), post-internal-release (6 months), post-external-release (6 months). Specification v1.0 marks the boundary between the specification phase and the implementation phase; the summary axis marks 0, 70, 100 and 140 kLOC for specification and implementation.]
The average productivity of VDM++ code for the formal specifications was about 1,900 LOC per engineer per month.
Number of Changes
[Figure: the same chart as on the previous slide, with the number-of-changes axis (0 to 50) highlighted for 2004/7 to 2006/4, showing specification changes across the specification phase and the implementation phase; specification v1.0 marks the boundary.]
Further Information
• Applying Formal Specification in Industry. P.G. Larsen, J. Fitzgerald and T. Brookes. IEEE Software, vol. 13, no. 3, May 1996.
• A Lightweight Approach to Formal Methods. S. Agerholm and P.G. Larsen. In Proceedings of the International Workshop on Current Trends in Applied Formal Methods, Boppard, Germany, Springer-Verlag, October 1998.
• Applications of VDM in Banknote Processing. P. Smith and P.G. Larsen; Application of VDM-SL to the Development of the SPOT4 Programming Messages Generator. A. Puccetti and J.Y. Tixadou; Formal Specification of an Auctioning System Using VDM++ and UML. M. Verhoef et al. All published at the First VDM Workshop: VDM in Practice, with the FM'99 Symposium, Toulouse, France, September 1999.
• Application of a Formal Specification Language in the Development of the “Mobile FeliCa” IC Chip Firmware for Embedding in Mobile Phone. Taro Kurita, Miki Chiba and Yasumasa Nakatsugawa. Springer-Verlag, FM2008, May 2008.
Tools for VDM in Industry
Industrial Experience with VDM
“Bootstrapping” VDMTools
• Overview of VDMTools
• The Overture/Eclipse Initiative
• Vision for the future
Development Choices Taken
• Executable models: testing and animation
• Partial “analysis” (validation): system level testing
• Code generation: VDM for source code
• Formal refinement and formal verification
Staff Overview
[Figure: staff timeline for 1991 to 2000, one row per developer given by initials, as extracted: PGL, PBLMA, ETN, HCHVNKJNJSALTOJWTOSJKPKSPM, NPMV, KdB, CA, BF, BA, SN, JKP, VS, JKP, WS, JSF, GWOO, +JR, +ML, +RM.]
Development Environment
• GNU C++ / Visual C++
• Generic VDM C++ library
• GUI: previously Tcl/Tk, now Qt
• flex and bison
• CVS/Ediff version control
• OSs: Windows, Linux, Unix
• Test environments
• Development procedures
The “Bootstrapping” Process
[Figure: along an implicit time line, each component (DS, SM, PM, CG, SS) appears as a VDM-SL spec followed by a VDM-SL impl, with later VDM++ versions of the components above.]
Specification Sizes
Abstract Syntax etc: 3196
Static Semantics: 20289
Interpreter: 29738
Code generators: 32891
Specification Manager: 3822
Dependency: 792
Rose-VDM++ Link: 1518
Proof Obligation Generation: 15475
Java Static Semantics: 7025
Java 2 VDM++ Translator: 7702
In total: 122448
Component Categories
• Purely hand-coded
• VDM + hand coding
• VDM + code generation
Purely Hand-coded Components
• Scanner/parser (lex/yacc)
• Pretty-printer (simple C++ component)
• GUI (previously: Tcl/Tk, now: Qt)
• Interface to third party tools
  • Rational Rose and XMI based UML tools
  • Corba for API
  • ML for HOL
• Generic VDM C++ library
VDM + Hand Coding
• Dynamic semantics (SL and ++)
• Static semantics (SL and ++)
• Java/C++ code generators (SL and ++)
• Test environments for each component
  • Reused at implementation level
• Java/C++ code generators now themselves partially code generated
Maintenance Approach
• Bugs first reproduced at specification level
• Tested using the VDM debugger
• Check that all tests are satisfactory
• Implement changes of specification
• Rerun all tests at implementation level
VDM + code generation
• Animator for SA/RT
• Specification Manager (SL and ++)
• VDM++ to/from UML translation
• Proof support (SL)
• Parts of GUI now code generated
• VDM model becomes source
• Trade-off with abstraction
Tools for VDM in Industry
Industrial Experience with VDM
“Bootstrapping” VDMTools
Overview of VDMTools
• The Overture/Eclipse Initiative
• Vision for the future
VDMTools Overview
[Figure: component diagram of VDMTools]
• Rose-VDM++ Link (round trip engineering support)
• Document Generator
• Code Generators: C++, Java
• Syntax & Type Checker
• API (Corba), DL Facility
• Interpreter (Debugger)
• Integrity Checker
• Java to VDM++
• Experimentally linked to HOL
Japanese Support via Unicode
Validation with VDMTools®
[Figure: validation loop]
• VDM specs and test cases are executed, producing actual results
• Actual results are compared with the expected results
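As an added illustration of the validation loop on this slide (this is example code written for this page, not a model from the slides or from VDMTools), here is a small VDM-SL module with a test expression and its expected result. The domain, a one-way message gateway loosely echoing the ConForm “security gateway” case, and all names (Gateway, Msg, MayFlow, Filter, Dropped) are constructed for illustration.

```vdm
-- Added example, not from the slides. Module, type and function names
-- are constructed; the flow policy is a textbook "no write down" rule.
module Gateway
exports all
definitions

types
  Level = <Low> | <High>;

  Msg :: src  : Level
         dst  : Level
         body : seq of char
  inv m == m.body <> [];          -- an empty message is not valid input

functions
  -- Information may flow upwards (Low -> High) or sideways, never down.
  MayFlow : Level * Level -> bool
  MayFlow(src, dst) == src = <Low> or dst = <High>;

  -- Keep exactly the messages that respect the policy, preserving order.
  -- The post condition is what the interpreter checks on every test run.
  Filter : seq of Msg -> seq of Msg
  Filter(ms) == [ms(i) | i in set inds ms & MayFlow(ms(i).src, ms(i).dst)]
  post forall m in set elems RESULT & MayFlow(m.src, m.dst)
       and len RESULT <= len ms;

  -- Convenience for test expressions: how many messages were rejected.
  Dropped : seq of Msg -> nat
  Dropped(ms) == len ms - len Filter(ms);

end Gateway

-- Test case (constructed), one expression per test file, e.g. tc1.arg:
--   Gateway`Dropped([mk_Msg(<High>, <Low>, "secret"),
--                    mk_Msg(<Low>, <High>, "ok"),
--                    mk_Msg(<High>, <High>, "internal")])
-- Expected result (tc1.res):  1
-- Test case tc2.arg:
--   Gateway`Filter([mk_Msg(<High>, <Low>, "leak")])
-- Expected result (tc2.res):  []
```

The interpreter evaluates each test expression against the model, checks the invariant on every Msg built with mk_Msg and the post condition of Filter on every call, and the actual result is then compared with the expected-result file; a mismatch, or a violated post condition, is a failed test.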
Documentation in MS Word/RTF
One compound document:
• Documentation
• Specification
• Test coverage
• Test coverage statistics
Architecture of the Rose VDM++ Link
[Figure: the VDM++ Toolbox (class repository, VDM++ files) and Rational Rose 2000 (class repository, UML diagrams, UML model file) are connected through a merge tool.]
Integrity checker
Toolbox API
[Figure: a client sends a Request to the Toolbox API and receives a Result.]
Dynamic Link Facility
[Figure: VDM specification, dynamic link module, type conversion module, external code.]
Further Information
• An Executable Subset of Meta-IV with Loose Specification. P.G. Larsen, P.B. Lassen. VDM '91: Formal Software Development Methods, 1991.
• The IFAD VDM-SL Toolbox: A Practical Approach to Formal Specifications. R. Elmstrøm, P.G. Larsen, P.B. Lassen. ACM Sigplan Notices, September 1994.
• Computer-aided Validation of Formal Specifications. P. Mukherjee. Software Engineering Journal, July 1995.
• Ten Years of Historical Development - “Bootstrapping” VDMTools. P.G. Larsen. Journal of Universal Computer Science, 2001.
• VDMTools: advances in support for formal modeling in VDM. J.S. Fitzgerald, P.G. Larsen and S. Sahara. ACM Sigplan Notices, February 2008.
Tools for VDM in Industry
Industrial Experience with VDM
“Bootstrapping” VDMTools
Overview of VDMTools
The Overture/Eclipse Initiative
• Vision for the future
Overture versus VDMTools
• VDMTools (http://www.vdmtools.jp/en)
  • Closed source, proprietary (available under NDA)
  • Monolithic architecture (single binary), C++
  • Optimized for performance, industry strength
• Overture Tool project (http://www.overturetool.org)
  • Open source, GPL license
  • Plug-in architecture, Eclipse, Java
  • Optimized for flexibility, targets academic use
  • (Partly) developed using VDMTools
Overture – an open-source initiative
• Based on the Eclipse platform
• Extendible open VDM++ tool support
• Initial tool support produced in MSc project in NL
• MSc project carried out at TUD
  • Jacob Porsborg Nielsen and Jens Kielsgaard Hansen
• MSc project at Aarhus University
  • Thomas Christensen
• MSc projects at Engineering College of Aarhus
  • Hugo Macedo, Minho University
  • Sander Vermolen, University of Nijmegen
  • Adriana Sucena, Minho University
  • Carlos Vilhena, Minho University
  • Augusto Ribeiro, Minho University
  • Kenneth Lausdahl and Hans Christian Lintrup, IHA
Overture Architecture Overview
[Figure: components built on the Eclipse AST; legend distinguishes “a version is available”, “planned” and “not yet available”.]
• Basic automatic checks and GUI: syntax check, type check, OML editor with syntax highlighting, pretty printing with coverage, interpreter (debugger) with API capabilities
• Connection to standard development environments: UML, SysML, AADL
• Visualisation support, GUI generators, reverse engineering support, refactoring support
• Code generators: C++, Java
• Validation support: test generation support, visualization support for execution traces
• Verification support: proof obligation generation, automatic proof support, interactive proof support, model checking support
• Connection to JML
Example Screen dump
Automatic AST generation
[Figure: the OVERTURE AST spec (a VDM-SL subset) is processed by ASTGEN and a sed script into Java interfaces and VDM++ classes; VDMTools generates Java classes from the VDM++ classes, which sed turns into modified Java classes that “implement” the interfaces. Legend: specified in VDM++ / code generated.]
Other users can use these specs to specify their own OVERTURE extensions (in VDM++).
Tracefile Viewer (1)
Tracefile Viewer (2)
Tracefile Viewer (3)
Tools for VDM in Industry
Industrial Experience with VDM
“Bootstrapping” VDMTools
Overview of VDMTools
The Overture/Eclipse Initiative
Vision for the future
Extending VDM++ with better support for distributed real-time
• Today embedded real-time systems are increasingly distributed
• Hard to master complexity within tight time schedules
• Current research work extends VDM++ with better support for describing and analyzing this
  • Possibility to use CPUs and BUSes inside the system
  • Deployment of objects to CPUs
  • Setting priorities of operations
  • Introduction of asynchronous operations
  • Cycles statement in addition to duration statement
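To make the listed extensions concrete, here is a small added VDM-RT model (written for this page; it is not a model from the slides, from VDMTools or from the Overture project) that uses each of them: two CPUs and a bus, deployment of objects, an operation priority, an asynchronous operation, and both duration and cycles statements. All class, variable and operation names (Sensor, Controller, Plant, World) and the numeric parameters are constructed for illustration.

```vdm
-- Added example, not from the slides. Names and numbers are constructed.
class Sensor
instance variables
  reading : nat := 0;
operations
  -- cycles: the cost is a fixed 2000 CPU cycles, so the simulated duration
  -- depends on the speed of the CPU the object is deployed on.
  public Sample : () ==> ()
  Sample() == cycles(2000) (reading := reading + 1);

  public GetReading : () ==> nat
  GetReading() == return reading;
thread
  -- periodic(period, jitter, minimum distance, offset); VDM-RT time is in ns
  periodic(1E6, 0, 0, 0)(Sample)
end Sensor

class Controller
instance variables
  s        : Sensor;
  lastSeen : nat := 0;
  alarms   : nat := 0;
operations
  public Controller : Sensor ==> Controller
  Controller(sen) == s := sen;

  -- async: the caller continues immediately; the body is scheduled on the
  -- CPU this object is deployed on. duration: a fixed 50 ns of simulated
  -- time, independent of CPU speed.
  public async Notify : nat ==> ()
  Notify(v) == duration(50) (
    lastSeen := v;
    if v > 100 then alarms := alarms + 1
  );

  -- s is deployed on another CPU, so this call is carried over the bus.
  public Poll : () ==> ()
  Poll() == Notify(s.GetReading());

  public GetAlarms : () ==> nat
  GetAlarms() == return alarms;
thread
  periodic(5E6, 0, 0, 0)(Poll)
end Controller

system Plant
instance variables
  -- two CPUs with different scheduling policies, joined by a FIFO bus
  cpu1 : CPU := new CPU(<FP>, 1E6);
  cpu2 : CPU := new CPU(<FCFS>, 1E6);
  bus1 : BUS := new BUS(<FIFO>, 1E3, {cpu1, cpu2});
  public static sensor : Sensor := new Sensor();
  public static ctrl   : Controller := new Controller(sensor);
operations
  public Plant : () ==> Plant
  Plant() == (
    cpu1.deploy(sensor);          -- deployment of objects to CPUs
    cpu2.deploy(ctrl);
    cpu1.setPriority(Sensor`Sample, 10)   -- operation priority on the FP CPU
  )
end Plant

class World
operations
  -- Starting the two periodic threads drives the simulation; in a tool
  -- session the test expression is:  new World().Run()
  public Run : () ==> ()
  Run() == (
    start(Plant`sensor);
    start(Plant`ctrl)
  )
end World
```

The point of the model for analysis is that the same source gives different timing once the deployment changes: moving ctrl onto cpu1 removes the bus transfer from Poll, while lowering the priority of Sensor`Sample lets Notify bodies queued on the same CPU run first, and the interpreter's execution trace shows both effects without any change to the functional part of the classes.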
Combining with continuous time
Beyond the Ordinary: Design of Embedded Real-time Control
• BODERC project @ ESI
• Sept 2002 - Apr 2007
• Multi-disciplinary design
  • mechanics
  • electronics
  • software
• High-tech systems focus
• Early life cycle trade-off analysis
• Industry as a laboratory
• http://www.esi.nl/boderc
Printer paper path - case study
[Figure: three tool chains. Continuous validation: VDM++ in VDMTools co-simulated with bond graphs in 20-sim, giving co-sim results. Software-in-the-loop: VDM++ in VDMTools compiled by a C++ host compiler into a DLL and simulated with bond graphs in 20-sim, giving SIL sim results. Target: VDM++ in VDMTools compiled by a C++ target compiler into the control application, giving measurements.]
An email from an old (very good) student
… At that time I understood that a formal specification would be an advantage for big projects but I had no idea how desperately this is also needed in smaller projects when there are many people involved. Today I do know:
At the moment I am working at BMW in the communications department. We work on the integration of the car telephone (including a telematics unit with GPS coordinates) into the overall car. There is a lot of interaction between the telephone and the HMI of the car and there are different versions and types of all the involved devices. There are also five companies (BMW, Motorola, Siemens VDO, Harmann-becker, Alpine) who develop the different units. The system should not be so complex because many of the devices should (!) behave similarly. But the specifications we write are English plain text (hundreds of pages), in our department more than 10 people are involved and we do not know anymore ourselves how the devices will behave... every external company has its own interpretation of the specs and this interpretation changes over time. If you ask the same person twice you get different answers (I frankly admit that I am no exception)... You can imagine how "efficient" everything is and it's a miracle that the system still works (with a number of bugs though)...
Go out and use the principles at least!