
Formal Methods in Software Engineering: Ensuring Program Correctness

Lecture slides on algebraic specifications, program semantics, logic, and how to establish software correctness. Hands-on labs and exams reinforce the theoretical material. Prerequisites: 3.5 COSC credits and MATH 1P67. The motivating scenario is a project coordinator in a software company who must decide whether a purchased primality test can be trusted.




Presentation Transcript


  1. COSC 4P42 Formal Methods in Software Engineering
     • Course:
       • Lecture: Wed 12:30-14:00 & Fri 15:30-17:00, Fall 2019, Room: TH244
       • Lab: Tue 13:00-15:00, Fall 2019, Room: MCD205
     • Instructor: Michael Winter
       • Office J323
       • Office Hours: Mon & Thu 14:00-16:00
       • email: mwinter@brocku.ca
       • Webpage: www.cosc.brocku.ca/~mwinter/Courses/4P42/

  2. Course Description (Brock Calendar): Specification and correctness of software. Topics include algebraic specifications, semantics of programming languages, Hoare/dynamic logic, specification languages, program transformation.
     • Prerequisites: 3.5 COSC credits and MATH 1P67, or permission of the instructor
     • course procedures
     • cheating on tests/exam

  3. Textbooks
     • Main Text
       • None (course material is on the web page).
     • Supplemental Texts
       • The Formal Semantics of Programming Languages: An Introduction, G. Winskel, The MIT Press (1993), ISBN 0-262-23169-7 (hc), 0-262-73103-7 (pb)
       • The Design of Well-Structured and Correct Programs, S. Alagic & M.A. Arbib, Springer-Verlag (1978), ISBN 0-387-90299-6
       • Fundamentals of Algebraic Specifications 1: Equations and Initial Semantics, H. Ehrig & B. Mahr, Springer-Verlag (1985), ISBN 0-387-13718-1

  4. Course Work
     • Marking Scheme
       • Lab Tests (3 x 20%): 60%
       • Final Exam (Lab D205): 40%
     • Important Dates (all in D205)
       • Test 1: 60 mins, Oct 01, 13:00-14:00
       • Test 2: 60 mins, Oct 29, 13:00-14:00
       • Test 3: 60 mins, Nov 19, 13:00-14:00
       • Exam: 90 mins, Dec 04, 10:00-11:30

  5. Course Outline *October 14-18 is Reading Week, no classes

  6. A mark of at least 40% on the final exam is required to achieve a passing grade in this course. No electronic devices, and in particular no calculators, will be allowed in the examination room.
     • Requests for consideration regarding illness on test or exam dates will only be considered if accompanied by the completed Departmental Medical Excuse form.

  7. Motivation
     Assume you are a project coordinator in a software company. The company wants to use encryption algorithms that are based on factorization and prime numbers (such as the RSA algorithm). It has purchased a software package providing the essential methods for this purpose. One method implements a prime number test. But you are not sure whether the method works properly, i.e., is correct in the following sense:
     IsPrime(n) = true ⇔ n is a prime number

  8. The purchased primality test (a Miller-Rabin test with the fixed bases 2 and 3, see slide 13):

     private static boolean IsPrime(long n) {
         long[] as = {2, 3};
         if (n <= 1) return false;
         else if (n <= 3) return true;
         else {
             outer:
             for (long a : as) {
                 // write n - 1 = 2^s * d with d odd
                 long s = 0;
                 long d = n - 1;
                 while (d % 2 == 0) { s++; d /= 2; }
                 long x = modpow(a, d, n);
                 if (x != 1 && x != n - 1) {
                     for (long r = 1; r < s; r++) {
                         x = (x * x) % n;          // overflows long for n above ~3*10^9
                         if (x == 1) return false; // non-trivial square root of 1
                         if (x == n - 1) continue outer;
                     }
                     return false;                 // a is a witness of compositeness
                 }
             }
             return true;
         }
     }

     // modpow is called on the slide but not shown there; this square-and-multiply
     // version is added so that the snippet compiles (assumed, not from the slides).
     private static long modpow(long base, long exp, long mod) {
         long result = 1 % mod;
         base %= mod;
         while (exp > 0) {
             if ((exp & 1) == 1) result = (result * base) % mod;
             base = (base * base) % mod;
             exp >>= 1;
         }
         return result;
     }

  9. Testing
     You decide to test the program with the following test program:

     // table of known primes; the slide truncates the list with "..."
     private static long[] primes = {2L, 3L, 5L, 7L, 11L, 13L, 17L /* ... */};

     public static void main(String[] args) {
         int n = 2;
         int i = 0;
         boolean result = true;
         // walk n upwards: every n that IsPrime accepts must be the next entry of
         // the table; a skipped or extra "prime" makes IsPrime disagree with the table
         while (i < primes.length) {
             if (IsPrime(n)) {
                 if (n == primes[i]) i++;
                 else { result = false; break; }
             }
             n++;
         }
         System.out.println(result);
     }

  10. Testing Some results that you obtain:

  11. Testing
     Are you satisfied with the testing procedure? Yes?!?, but what if this program
     • is used to encode your bank PIN?
     • is used to transfer transaction data of some brokers?
     • is used to grant access to the control software of a nuclear plant?
     • …
     An error in the code might cause a big financial loss for you or some company, or may even lead to fatalities.

  12. Problems with Testing
     Testing may unveil errors in the code, but
     • you can only test finitely many examples;
     • testing cannot verify that the code is bug-free.
     “Correctness cannot be established through testing. Testing can only detect errors, but never exclude errors.”
     In fact the program IsPrime works correctly for all numbers smaller than 1373653, but IsPrime(1373653) = true even though 1373653 = 829 * 1657 (it is the smallest composite that passes the Miller-Rabin test for both bases 2 and 3). Had you tested the first 105223 prime numbers, you would have found the problem.

  13. Another attempt
     You do some research on prime number testing and find out that the method IsPrime implements the Miller-Rabin test with the fixed bases a ∈ {2, 3} (the array as). In particular, you find out that the Miller-Rabin test has been proven correct for the following combinations of bases and ranges of n (for the bases {2, 3} used here: all n < 1373653, cf. slide 12):

  14. Further Problems?
     Are you satisfied with this information and the proof provided in the literature? Yes?!?, but what if the programmer made a mistake in implementing the Miller-Rabin test? The Miller-Rabin test might be correct for the set of numbers given, but the implementation could still be wrong! The proof is about the algorithm, not about this particular code.

  15. Formal Methods
     An alternative approach is based on so-called formal methods in software engineering. These methods try either to mathematically prove programs correct or to construct programs correctly step by step. Both approaches require a formal system/calculus, i.e., a system based on a fixed set of simple rules. In this course we will focus on program verification. The idea/procedure of program verification can be summarized as follows:
     • Provide a specification of the behaviour of the program in a formal system/logic. Common tools are:
       • Propositional Logic (hardware verification)
       • First-order Logic (properties of imperative programs)
       • Higher-order Logic (properties of functional programs)
       • Algebraic Specifications (specification of data types)

  16. Formal Software Verification
     • Provide a formal semantics of the programming language used. Common approaches are:
       • Operational Semantics (abstract machine)
       • Denotational Semantics (input/output behaviour as a function)
       • Axiomatic Semantics (program logic)
     • Use a specialized logic to verify the implementation with respect to the specification. Common logics are:
       • Specific Modal Logics such as Dynamic Logic
       • Hoare Logic
       • Extended Calculus of Constructions

  17. Formal Software Verification
     Important considerations when dealing with a formal system:
     • Soundness/Correctness. Every property that can be derived in the formal system/calculus is semantically true (with respect to the chosen semantics).
       Slogan: “What you can prove is also true.”
     • Completeness. The converse implication of soundness: for every true sentence there is also a proof in the formal system/calculus.
       Slogan: “What is true can also be proven.”
     • Expressive power.
       Slogan: “Can I formulate all my properties in the language?”
     • Decidability. If a formal system is decidable, then an algorithm decides for every sentence whether it is provable, so all proofs can be found automatically by a program.
       Slogan: “Can a computer do my work?”

  18. Formal Verification of IsPrime
     One formal approach to the correctness of IsPrime is the so-called Hoare logic. In this logic the formulas are triples {φ} p {ψ} consisting of a pre-condition φ, a program p, and a post-condition ψ. Informally, such a Hoare triple is true (in the sense of partial correctness) if, whenever φ holds before the execution of the program p and the program terminates, then ψ holds after the execution of the program.
     { n < 1373653 } b = IsPrime(n) { b = true ⇔ n is prime }
     The pre-condition is the bound from slide 12: with n < 1373654 instead, the triple would be false, since IsPrime(1373653) = true although 1373653 is composite.
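The following is an added example, not code from the lecture slides: the IsPrime method of slide 8 transcribed to Python, the slide 9 test replaced by a trial-division oracle, and a check of the Hoare triple above. It serves two points of the slides at once. For slide 12, it reproduces the failure at 1373653 = 829 * 1657 that a prefix of the test program never reaches. For slide 18, it shows that because the pre-condition n < bound makes the set of inputs finite, enumerating all of them is not merely a test but an exhaustive check of the triple, and that widening the bound by one makes the triple false. The names BOUND, is_prime_mr23, is_prime_trial and hoare_counterexample are this example's own choices.

```python
# Added example (not from the lecture slides): slide 8's IsPrime in Python,
# a trial-division oracle, and a bounded check of the Hoare triple
#     { n < bound }  b = IsPrime(n)  { b = true <=> n is prime }.
# BOUND and the helper names are this example's own choices.

BOUND = 1373653  # first composite passing Miller-Rabin for both bases 2 and 3 (slide 12)


def is_prime_mr23(n: int) -> bool:
    """Slide 8's IsPrime: Miller-Rabin with the fixed bases 2 and 3 only.

    Trustworthy only below BOUND; from BOUND on it can answer True for a
    composite (1373653 = 829 * 1657 is the first such number).
    """
    if n <= 1:
        return False
    if n <= 3:
        return True
    # write n - 1 = 2**s * d with d odd
    s, d = 0, n - 1
    while d % 2 == 0:
        s += 1
        d //= 2
    for a in (2, 3):
        x = pow(a, d, n)
        if x == 1 or x == n - 1:
            continue            # base a says nothing; try the next base
        for _ in range(1, s):
            x = x * x % n
            if x == 1:
                return False    # non-trivial square root of 1: composite
            if x == n - 1:
                break           # the "continue outer" of the Java version
        else:
            return False        # a is a witness of compositeness
    return True


def is_prime_trial(n: int) -> bool:
    """Reference oracle: trial division, obviously correct but slow."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def hoare_counterexample(bound: int, start: int = 0):
    """Check the post-condition b <=> prime(n) for every n in [start, bound).

    The pre-condition n < bound leaves only finitely many states, so running
    the whole range is an exhaustive check of the triple, not a sample of it.
    Returns the first n violating the post-condition, or None if none does.
    """
    for n in range(start, bound):
        if is_prime_mr23(n) != is_prime_trial(n):
            return n
    return None


if __name__ == "__main__":
    print("IsPrime(1373653) =", is_prime_mr23(1373653),
          "although 829 * 1657 =", 829 * 1657)
    # the triple of slide 18 holds for every n below BOUND (takes a few seconds)
    print("violation below BOUND:", hoare_counterexample(BOUND))
    # it fails as soon as the pre-condition is widened by one
    print("violation below BOUND + 1:", hoare_counterexample(BOUND + 1, BOUND - 1000))
```

Two caveats a practitioner should keep in mind: the exhaustive run establishes the triple for this Python transcription, not for the Java method on slide 8 (which is the point of slide 14), and it trusts is_prime_trial as the oracle, so the "proof" is only as good as the oracle and the claim that the transcription matches the original. Above BOUND no finite enumeration helps, which is where the formal methods of the remaining slides come in.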
