Embed Size (px)
DESCRIPTION
Formal techniques for getting software right: some old ideas and some new tools. Applied Formal Methods Research Group 2012-11-02 David Lightfoot: [email protected] Department of Computing and Communication Technologies Oxford Brookes University England. Abstract. - PowerPoint PPT Presentation
Citation preview
Formal techniques for getting software right: some old ideas and some new tools
Applied Formal Methods Research Group
2012-11-02
David Lightfoot: [email protected]
Department of Computing and Communication Technologies
Oxford Brookes University
England
Abstract
Getting software right is difficult and the more so if we don’t have a clear idea of what it is supposed to do before we start writing it.
There are some simple ideas that were devised nearly fifty years ago that help in specifying formally what software is to do, that is, by the use of simple discrete mathematics.
These ideas are gaining acceptance in programming languages and modern languages, such as Eiffel and Spec# (‘spec sharp’) now contain features to make use of these ideas.
Motivating example: hotel
What does ‘available’ mean?
Check rooms available at affordable hotel:
‘18 rooms available’
Book (expensive) flight.
Try to book rooms:
‘Sorry, no rooms available’
Problem!
Check rooms available at affordable hotel, again:
‘18 rooms available’
What is the explanation?
Motivating example: hotel
Hotel closed for Christmas break!
So, no rooms booked, hence
‘18 rooms available’
But hotel closed, so
‘Sorry, no rooms available’
What does ‘available’ mean?
We need specifications!
What does ‘available’ mean?
Here’s another one: (from an exam paper):
‘Write a Pascal program to return a pointer to the element in the linked list ls that has key value x:
function Find(ls: Pointer; x: integer): Pointer;’
•What if there isn’t one? Can we assume there is?•Which one, if there are several?
Answer: return NIL. Why?
What’s the requirement?
‘Write a program to input a three integer numbers, each of them is between 1 and 1000, and determine whether the first number is the multiple of the other two numbers.
Print a message to tell if the first number is the multiple of the other two numbers. [22 marks]’
8 of the 22 marks were for checking that the three integer numbers were in range 1 to 1000 and writing a message. (But it says ‘each of them is …’).
(and no marks for checking that a well formed integer was input)
Campaign for clear specifications
In order to write correct programs we need clear specifications:•A program is syntactically correct with respect to its language definition•It is logically/semantically correct with respect to its specification
We can check syntactic correctness with a (correct) compiler.
We can check logical correctness by:•testing•use of suitable notation and of provers
State-based specification
Both at the system level and at program level we can specify by a state-based approach:•Observe state of system before an operation•Observe state of system after an operation
This puts emphasis on what is achieved, not how it is achieved.
Specification notations, such as:
Z, VDM, B, Event B …
Not a new idea: Professor Sir Tony Hoare
Formerly Head of Programming Research Group (PRG), Oxford University, EnglandSenior Researcher, Microsoft Research, Cambridge, England
Hoare, C.A.R.: An axiomatic basis for computer programming. Communications of the ACM 12 (1969) 576-580 [WH66]
N. Wirth and C. A. R. Hoare. A contribution to the development of Algol. Comm. ACM, 9(6):413-432, June 1966
Also famous as deviser of Quicksort.
‘Hoare triple’
{ pre }
prog
{ post }
Starting in a before-state where the Boolean expression pre holds, running the program prog results in an after-state where the Boolean expression post holds.
pre is ‘precondition’
post is ‘postcondition’
Example
{ x >= 0 }
IntegerSqrt
(z*z <= x and x < (z+1)*(z+1)
Precondition means:
IntegerSqrt is only applicable to non-negative x
Postcondition means
z has been set to the ‘integer square-root’ of x
Specification of a function
function IntegerSqrt(x: integer): integer;
{ pre: x >= 0
post: result*result <= x and x < (result+1)*(result+1) }
result is here a special key word denoting the result of a function
Techniques for programming
Hoare developed techniques based on axioms (rules) for devising programs that can be shown (proved) to satisfy their specifications.
Assignment axiom
(* P[var/exp ] *)
var := exp
(* P *)
If P is true of var after the assignment, then P must have been true of exp before.
P[var/exp ] means P, with all (free) occurrences of var replaced by exp.
Composition axiom
if we can prove (* P *) S1 (* Q *) and we can prove (* Q *) S2 (* R *)
___________then it follows that (* P *) S1 ; S2 (* R *) If doing S1 when P is true makes Q true and doing S2 when Q is true makes R true, then doing S1 ; S2 when P is true makes R true.
Selection axiom
(* P & guard *) S1 (* Q *) (* P & ¬guard *) S2 (* Q *)___________(* P *) if guard then S1 else S2 end (* Q *)
If performing S1 when P is true and guard is true makes Q true and performing S2 when P is true and guard is false makes Q true, Then performing
if guard then S1 else S2 end when P is true makes Q true.
Repetition axiom
(* pre *)initialisation(* invariant *)while guard do (* invariant & guard *) body (* invariant *)end(* invariant & ~guard => post *)
Dijkstra
E.W.Dijkstra observed that rather than proving an existing program correct, it is easier to develop a program hand-in-hand with showing it to be correct.
Developed weakest-precondition, wp notation
For example:
wp(var := exp, P) is P[var/exp ]
Also famous for P and V and Travelling-Salesman problem, …
What’s the precondition?: a real example
Recent student work:
Required to implement undo.
Keep stack of visited nodes.
Undo then means pop from stack.
In method undo, do we need to guard with:
if(!stack.isEmpty()) node = stack.pop(); ?
Or do we have precondition: !stack.isEmpty(),
so can just implement undo as:
node = stack.pop(); ?
Design by Contract™
Hoare’s ideas given a business flavour by Bertrand Meyer, currently Professor of Software Engineering at ETH Zurich.
Precondition and postcondition are expressed as a contract between the supplier and the client of a service.
Also designer of Eiffel programming language.
Eiffel contains facilities for run-time checking of precondition and postcondition…
IntegerSqrt as contract: supplier’s view
Supplier is writer of IntegerSqrt
Supplier’s expectation:
x >= 0
Supplier’s obligation:
must deliver result such that
result*result <= x and x < (result+1)*(result+1)
IntegerSqrt as contract: client’s view
Client is user of IntegerSqrt
Client’s expectation:
obtains result such that
result*result <= x and x < (result+1)*(result+1)
Client’s obligation:
give x such that
x >= 0
integerSqrt in Eiffel
integerSqrt (x: INTEGER) : INTEGER-- return the integer square-root of non-negative x
requirenon-negative_x:
x >= 0ensure
result is floor of square-root of x:result*result <= x and x < (result+1)*(result+1)
Embodied in Eiffel
The ideas of pre- and post-conditions are embodied in the keywords require and ensure in the Eiffel programming language.
Eiffel compilers embed code to test these at run time (can be selectively turned on and off by compiler switches).
Failure leads to diagnostic information being displayed.
Use of assert
We can simulate the effects of require and ensure by use of assert statement, provided by many programming-language implementations:
assert(b), where b is a Boolean expression.•If b is true, all is well•If b is false, program halted and message displayed.
Sometimes assert has a second parameter, which is message to be displayed.
Example of use of assert
function IntegerSqrt(x: integer): integer;
begin
assert (x >= 0);
calculate result
assert (result*result <= x and x < (result+1)*(result+1) );
return result;
end;
A new style of programming: ‘offensive’!
Practical context for the ‘formal’, Hoare style.
An ‘attitude’ – the opposite of ‘defensive programming’ – Meyer calls it ‘offensive programming!’.
Pre- and post-conditions are used to specify a (business) contract between the supplier of a software component and the component’s clients.
Design by Contract by Example, Richard Mitchell and Jim McKim, Addison Wesley, 2002
Since ‘Design by Contract’ is a trademark, it is often referred to as 'Programming by Contract'.
New style
With Design by Contract™ we don’t check preconditions:
Responsibility of client to ensure.
Example:function DaysEarlier(y1, m1, d1, y2, m2, d2: integer); integer;
{ return number of days by which
date y1-m1-d1 is earlier than date y2-m2-d2}
This formalised as …
function DaysEarlier(y1, m1, d1, y2, m2, d2: integer); integer;
{ require
y1-m1-d1 denotes a date and
y2-m2-d2 denotes a date
ensure
result is number of days by which
y1-m1-d1 is earlier than y2-m2-d2 }
‘Defensive’ programming
Always check parameters.
Problem, what if there is nothing to be done in case of error?
What is Sqrt(-16.0)? (real square-root, not complex)
What do you think of this (real) example?function Sqrt(x: real): real;
begin
if x < 0 then x := -x:
calculate square-root of x
…
DaysEarlier: ‘defensive’ version
function DaysEarlier(y1, m1, d1, y2, m2, d2: integer); integer;
{ return number of days by which
y1-m1-d1 is earlier than y2-m2-d2
or -999 if either or both not a valid date}
days := DaysEarlier(2012, 11, 02, 1943, 06, 31);
if days = -999 then writeln(‘One or both dates not valid’)
else writeln(‘days earlier is’, days);
Says ‘One or both dates not valid’! What is wrong?
Problem
days := DaysEarlier(2012, 05, 21, 2010, 02, 07);
if days = -999 then writeln(‘One or both dates not valid’)
else writeln(‘days earlier is’, days);
Says ‘One or both dates not valid’! What is wrong?
True story: Took three weeks to solve!
Java Modeling Language: JML
The ideas of Design by Contract and Eiffel are extended and made available for Java in
JML: Java Modeling Language
http://www.eecs.ucf.edu/~leavens/JML/
Lots of @ and \.
Includes quantifiers (, , , …)
Following examples are from:An overview of JML tools and applications
Lilian Burdy1, Yoonsik Cheon2, David R. Cok3, Michael D. Ernst4, Joseph R. Kiniry5, Gary T.Leavens6?, K. Rustan M. Leino7, Erik Poll51
Software Tools for Technology Transfer
JML: Special comments
JML is simply extending Java
uses special comments with lots of @, \
Keywords are
requires
ensures
\ result
\ old(x)
\ forall
…
JML example
/*@ requires amount >= 0;
@ assignable balance;
@ ensures balance == \old(balance) - amount
@ && \result == balance;
@*/
int debit(int amount) throws PurseException {
if (amount <= balance) {
balance -= amount;
return balance;
} else { throw new PurseException("overdrawn by " + amount);
}
}
JML quantifiers
/*@ requires 0 < mb && 0 <= b && b <= mb
@ && p != null && p.length == 4
@ && (\forall int i; 0 <= i && i < 4;
@ 0 <= p[i] && p[i] <= 9);
@ assignable MAX_BALANCE, balance, pin;
@ ensures MAX_BALANCE == mb && balance == b
@ && (\forall int i; 0 <= i && i < 4; p[i] == pin[i]);
@*/
Purse(int mb, int b, byte[] p) {
MAX_BALANCE = mb; balance = b; pin = (byte[]) p.clone();
‘Symbol abuse’?
Provers
Showing that assertions (requires, ensures ..) are true when program runs only demonstrates correctness for chosen test cases.
(Dijkstra famously observed; testing can show presence of errors, not their absence’)
Much better is to use software tools called provers, that reason about whether program matches its specification.
These exist for JML and for Spec#.
Spec#
‘Spec sharp’: based on the C# programming language.
http://research.microsoft.com/en-us/projects/specsharp/
Similar to JML, but neater syntax, since a new language based on C#; not just C# with special comments.
Spec# is available (free of charge) as a plug-in to Visual Studio™.
Spec# keywords
requires
ensures
result
old(x)
forall
exists
…
Simple example of Spec#
int max(int x, int y)
ensures (result == x && x >= y) || (result == y && y >= x);
{
if (x >= y) return x;
else return y;
}
Note: no requires, because no precondition.
Is this correct?
What about when x == y?
What if it is wrong?
int max(int x, int y)
ensures (result == x && x > y) || (result == y && y > x);
{
if (x >= y) return x;
else return y;
}
What about when x == y?
Result from Spec#
Unsatisfied postcondition
Example with a loop: DivMod
void DivMod(int x, int y, ref int q, ref int r)
requires x >= 0 && y > 0;
ensures x == q*y + r && 0 <= r && r < y;
{ r= x; q= 0;
while (r >= y)
invariant x == q*y + r && 0 <= r;
{
r= r - y; q= q + 1;
}
}
invariant will be true at this point every time round.
Spec# happy
Quantifiers and ranges in Spec#
forall
exists
Ranges
int i in (m..n) means: all i m <= i <= n
int i in (m:n) means: all i m <= i < n
Second form useful; saves lots of -1’s
What do you think of this?
static int Min(int[] a)
requires a != null && a.Length != 0;
ensures a == old(a) && (forall {int i in (0:a.Length); result <= a[i]};
{ int min = 0;
for (int j = 0; j < a.Length; j++)
invariant forall {int i in (0:j); min <= a[i]};
if (a[j] < min)
min = a[j];
return min;
}
Example with quantifiers
int First(int[] a, int x)
ensures forall{k in (0: result); a[k] != x} &&
(result == -1 || 0 <= result && result < a.Length && a[result] == x);
{
int i;
i = 0;
while (i != a.Length && a[i] != x)
invariant 0 <= i && i <= a.Length && forall{k in (0: i); a[k] != x};
{
i++;
}
if (i == a.Length) return -1; else return i;
}
Further useful feature of Spec#
What does this do?
float AverageLength(string [ ] s)
{
int sum = 0;
for (int i = 0; i < s.Length; i++)
sum += s[i].Length;
return float(sum)/s.Length;
}
What is it precondition?
AverageLength
Returns average length of the strings in array of strings s.
Precondition? s.Length > 0float AverageLength(string [] s)
requires s.Length > 0;
{ int sum = 0;
for (int i = 0; i < s.Length; i++)
sum += s[i].Length;
return float(sum)/s.Length;
}
Anything else?
Precondition of AverageLength
s.Length > 0
But arrays implemented by pointers in Java, C# …
So we need to add
s != null
s != null
float AverageLength(string [] s)
requires s != null &&
s.Length > 0;
{ int sum = 0;
for (int i = 0; i < s.Length; i++)
sum += s[i].Length;
return float(sum)/s.Length;
}
s[j] != null
But strings implemented by pointers in Java, C# …
So we need to add
s[i] != null for all the indexes of s
forall{int j in (0: s.Length); s[j] != null};
s[j] != null
float AverageLength(string [] s)
requires
s != null &&
forall{int j in (0: s.Length); s[j] != null} &&
s.Length > 0;
{ int sum = 0;
for (int i = 0; i < s.Length; i++)
sum += s[i].Length;
return float(sum)/s.Length;
}
Non-null pointers
Very often we require a pointer not to be null.
Easy to forget;
Untidy to check or to add as precondition.
Special syntax in Spec# !
float AverageLength(string ! [] ! s)
requires s.Length > 0;
! means must be non-null type.
Enforced by compiler.
Proving termination
What we have shown so far is partial correctness.; program satisfies its specification, if it terminates.
We prove termination by finding a relationship between the variables on a loop that is initially non-negative and that is strictly reduced by each iteration.
No support for this in Spec#, but can make our own by introducing auxiliary variables to hold value of bound.
Example of bound in Spec#
void DivMod(int x, int y, ref int q, ref int r)
requires x >= 0 && y > 0;
ensures x == q*y + r && 0 <= r && r < y;
{ int bound; r= x; q= 0;
while (r >= y)
invariant x == q*y + r && 0 <= r &&
bound = r && bound >= 0;
{ r= r - y; q= q + 1;
assert(r < bound);
}
}
Unresolved so far (by me, at least)…
assert does run-time check. How to check termination without resorting to run-time check.
How to specify processes that modify a structure (such as sorting). Need to be able to use old (or equivalent) inside the body (old only useable in postcondition).
Summary
Techniques are not new – 1960’s
Not widely known outside universities.
Not even known to nuclear-physicist researchers in England.
Now taken seriously by Microsoft in Spec# and similar projects and in Eiffel and JML.
Advantages:
Can get programs right much earlier in development hence much less time in debugging.
Reduced danger of erroneous programs.
Current use
• JKU Linz course: Romanian-speaking Hungarian students.
• Politechnika Warszawska• P00401 Formal Software Engineering• U08186 Advanced Object-Oriented Programming
Contact information
www.brookes.ac.uk
David Lightfoot
Email: [email protected]
Telephone: +44 18 65 48 45 39
School of Technology
Oxford Brookes University
Wheatley Campus
Oxford OX33 1HX
United Kingdom
Dziękuję!
