Formal Methods (FM) in Software Engineering (SE) : Cell#: 0308-5059325

Formal Methods(FM) in Software
Engineering(SE)
Ikhlaq Ahmed
MS (Software Engineering), NUST
Software Engineer , NADRA HQ
Ahmed.ikhlak@gmail.com
Cell#: 0308-5059325
Marks Distributions
Quizzes(Surprised) : Marks : 10
Presentation ( Research Based / Project

Development / Tools Demo ) , Marks : 10
Mid Term : Marks 20
Final Paper : Marks 60
9/29/2017 Formal Methods(FM) in Software 2

Engineering(SE)
Overview
Formal : precise, definite, orderly ,disciplined or

methodological
FM is a branch of Computer Science (CS) and SE
Analysis and arguing of source programs using
mathematical/formal techniques
FM scope in SE : Program specification ,
Development & verification

Engineering(SE)
FM History
Dijkstra and Tony Hall are Pioneer
Why we need FM ?
What is wrong with informal methods ?
Software's history is full of notorious bugs

reported in different literatures

Engineering(SE)
Notorious Bugs BYTE, September 1995
http://www.byte.com/art/9509/sec7/art20.htm
1987 : Therac-25 The Bug that killed

1990: AT&T long distance break down

1991: Patriot Missile Hitting own

barracks, leaving 28 dead and
98 wounded.
Program to test for two equal strings
Test cases:
isEqual (cat, dog) - expected false
isEqual (Testing, Testing) - expected true
isEqual (house, home) - expected false
equal = strlen(string1) == strlen(string2);
if (equal)
for (i = 0; i < strlen(string1); i++)
equal = string1[i] == string2[i];
return equal;
Sequence
Selection if statement
Selection if-else statement
Selection case statement
Loop
Flow graph for bubble sort
1
sorted = false; // 1
while (!sorted) { // 2 2
sorted = true;
for (int i = 0; i < SIZE-1; i++) { // 3 3
if (a[i] > a[i+1]) { // 4
swap(a[i], a[i+1]); // 5 4
sorted = false;
5
}
} //6 6
} //7
//8 7
8
2N Paths
Coverage Levels
Statement Coverage : Write test cases so
that all the statements of a source program
should be executed at least once.
Branch / Decision Coverage :

Identification of all the branches and execute
them at least once through test cases
Path Coverage : Exhaust and enumerate all

possible paths of the program
Engineering(SE)
Dijkstras Game
Rules of the Game
Jar of Black and White Balls

Heap of Black Balls
A THREE-BALL
GAME
Mathematical Model
(2 black out, 1 black in) b-2+1, w b-1, w
f(b,w) = (2 white out, 1 black in) b+1, w-2
(1 of each out, 1 white in) b-1, w-1+1 b-1, w
Total number of balls is reduced by exactly one in each move.

Parity of the white ball does not change
Propositional Calculus
Implication
P Q PQ
T T T
T F F
F T T
F F T
Bi-conditional if and only if
P Q PQ
T T T
T F F
F F T
F T F
P Q means P Q Q P
A compound proposition that is always true,
irrespective of the truth values of the comprising
propositions, is called a tautology.
pp
The propositions p and q are called logically
equivalent if p q is tautology.
It is written as ,
pq
For example: (p q) p q
Some useful equivalences
p or true true p or false p
p and true p p and false false
true p p false p true

p true true p false not p

p or p p p and p p

p or p p p and p p
not not p p

p or p p p and p p
not not p p
p or not p true p and not p false

associativity of
distributivity of , , and
and over or Commutativity of

or over and , , and
or over
over and
over or Demorgans law
over
over Implication
if and only if
Logical Connectors Properties
34
Logic problem for the day
Someone asks person A, Are you

a knight? He replies, If I am a
knight then Ill eat my hat. Prove
that A has to eat his hat.
A is a knight: A
A eats his hat: H
A is a knight: A
A eats his hat: H
If I am a knight then Ill

eat my hat:
AH
We have seen that (X S)
Therefore
(A A H)
Objective is to logically deduce H

Truth Table Columns
A H AH A (A H)
Proof Using Truth Table
A H AH
T T T
F T T
T F F
F F T
A AH A (A H)
T T T
F T F
T F F
F T F
A H AH A (A H)
T T T T
F T T F
T F F F
F F T F
Proof using equivalences
A (A H)
A (not A or H)
(A and (not A or H)) or
(not A and not (not A or H))
A and (not A or H)
(A and not A) or (A and H)
false or (A and H)
A and H
not A and not (not A or H)

not A and (A and not H)
(not A and A) and not H
false and not H
false
Hence
A (not A or H)
(A and H) or false
A and H
Rules of Inference and Logical
Deduction
Introduction
Elimination
Deduction
Introduction
p q
______________
p and q
Deduction
Introduction
p q
___________________ ___________________
p or q p or q
Deduction
Elimination
p and q p and q
___________________ ___________________
p q
Deduction
Introduction
q
______________
pq
Deduction
Elimination
p pq
______________________
q
Deduction
Elimination
p not p false
____________________ _______________
false p
Does the Superman Exist?
If Superman were able and willing to

prevent evil, he would do so. If Superman
were unable to prevent evil, he would be
incapable; if he were unwilling to prevent
evil, he would be malevolent. Superman
does not prevent evil. If Superman exists,
he is neither incapable nor malevolent.
Therefore Superman does not exist.
Inference and deduction
Superman exists X
Superman is willing to prevent evil W
Superman is able to prevent evil A
Superman is malevolent M
Superman is incapable I
Superman prevents evil E
Inference and Deduction
Our objective is to prove the proposition:
((W and A) E)
and ((not A) I)
and ((not W) M)
and (not E)
and (X not (I or M))
not X
1. Assume
((W and A) E)
and ((not A) I)
and ((not W) M)
and (not E)
and (X not (I or M))
The objective is now to prove not X

2. Assume X
2. Assume X
Use Elimination Rules to break No. 1 down
into 5 premises
3. (W and A) E
4. (not A) I
5. (not W) M
6. not E
7. X not (I or M)
Now application of elimination on 2 and 7
derives another simple proposition
2. Assume X
7. X not (I or M)
8. not (I or M)
Now application of elimination on 2 and 7
derives another simple proposition
2. Assume X
7. X not (I or M)
8. not (I or M)
Now proving I or M will result in a

contradiction
Associativity of Equivalence
ABC
Associativity of Equivalence
ABC
can be evaluated as
(A B) C
or
A (B C)
Even and odd numbers
m+n is even m is even n is even
m+n is even (m is even n is even)
ABC
A B C AB (A B) C
F F F T F
F F T T T
F T F F T
F T T F F
T F F F T
T F T F F
T T F T F
T T T T T
Properties of equivalence
constant true
true p p
true = (p p)
(true p) = p
Symmetry
(p q) = (q p)
ppqprq
pppqqr
true p true r
pr
ppqprq
pppqqr
true p true r
pr
Replace the term which is repeated odd number

of times by a single occurrence of the term and
any terms which is repeated an even number of
times by removing all occurrences.
On the island of knights and knaves, it is rumored that
there is gold buried on the island. You ask one of the
natives, A, whether there is gold on the island. He
makes the following response: There is gold on this
island if and only if I am a knight.
On the island of knights and knaves, it is rumored that
there is gold buried on the island. You ask one of the
natives, A, whether there is gold on the island. He
makes the following response: There is gold on this
island if and only if I am a knight.
The problem is as follows:

a) Can it be determined whether A is a knight or a knave?
b) Can it be determined whether there is gold on the
island?
There is gold on the island G
A is a knight A
There is gold on the island G
A is a knight A
A (A G)
(A A) G
true G
G
A is a knight A
B is a knight B
A says I am the same type as B AB
A is a knight A
B is a knight B
A says I am the same type as B AB
AAB
B
Island of knights and knaves
Suppose A is the proposition person A is
a knight and suppose A makes a
statement S. Then A is true is the same as
S is true. That is:
AS
Negation
p p false
p (p false)
(p p) false
Negation
p p false
p (p false)
(p p) false
p p q p r q
p p p q q r
true p false r
pr
There are two natives A and B. A says, B is
a knight is the same as I am a knave.
What can you determine about A and B?
As statement is: BA
As statement is: BA
So, we have: ABA
AAB
false B
B
A?
Golden Rule
pqpqpq
Implication
p q p p q
p q q p q
If I am a knight, B is a knight
AB
If I am a knight, B is a knight
AB
AAB
AAAB
AB
Three of the inhabitants A, B, and C were
standing together in a garden. A stranger
passed by and asked A, Are you a knight or
a knave? A answered but the stranger could
not understand. The stranger then asked B,
What did A say?. B replied, A said that he
is a knave. At this point, the third C, said,
Dont believe B; he is lying!
What are A, B, and C?

Bs statement is: A A
Cs statement is: B
Cs statement is: B
So, we have:
(B A A) (C B)
Cs statement is: B
So, we have:
(B A A) (C B)
B (C B)
( B C) ( B B)
( B C) B
BC
A says, either I am a knave or B is a knight
AAB
A (A false ) B
A (A B false B)
AABB
AAB
A (A false ) B
A (A B false B)
AABB
AB
Rule of Sequential Composition
wp(S1;S2,Q) wp(S1, wp(S2,Q))
wp((x:= x+1; y := y+1), x = y)

wp((x:= x+1; y := y+1), x = y)

wp(x := x+1, wp(y := y+1, x = y))
wp((x:= x+1; y := y+1), x = y)

wp(x := x+1, wp(y := y+1, x = y))
wp(x := x+1, x = y+1)
wp((x:= x+1; y := y+1), x = y)

wp(x := x+1, wp(y := y+1, x = y))
wp(x := x+1, x = y+1)
x+1 = y+1
wp((x:= x+1; y := y+1), x = y)

wp(x := x+1, wp(y := y+1, x = y))
wp(x := x+1, x = y+1)
x+1 = y+1
x=y
wp((x:= 2*x+1; y := y-1), y = 3*x)
wp((x:= 2*x+1; y := y-1), y = 3*x)
wp(x := 2*x+1, wp(y := y-1, y = 3*x))
wp((x:= 2*x+1; y := y-1), y = 3*x)
wp(x := 2*x+1, wp(y := y-1, y = 3*x))
wp(x := 2*x+1, y-1 = 3*x))
wp((x:= 2*x+1; y := y-1), y = 3*x)
wp(x := 2*x+1, wp(y := y-1, y = 3*x))
wp(x := 2*x+1, y-1 = 3*x))
y-1 = 3*(2*x+1)
wp((x:= 2*x+1; y := y-1), y = 3*x)
wp(x := 2*x+1, wp(y := y-1, y = 3*x))
wp(x := 2*x+1, y-1 = 3*x))
y-1 = 3*(2*x+1)
y = 6*x + 4
Dijackstras Healthiness Conditions
1. WP (S, False)
{Q} is an empty set
Is it possible you do work and end up with nothing?
Law of excluded miracle
2. WP(S, True)
{Q} has all possible values
Universal set
Source program will actually terminates

Engineering(SE)
IF Statement Modeling
Source programs with only assignment axioms / sequential
statements is easy to verify
Source programs with control statements are more complex
to proof
Hoars consequence rule
We have If P Then Q , Mathematically we can write it as
PQ
{P} if C Then S {Q}
If we have been Given {C} S {R} Then {P} S {Q}

Engineering(SE)
Rules of Conditions have two parts i.e.; C = False and C
= True
Mathematically we can write it as
{P And C} S {Q} When C = True
{P And C} {Q} When C = False
If we reach by both conditions F & T then our source
program is correct

Engineering(SE)
IF THEN -ELSE Statement
Modeling
If C then
S1
Else
S2
End if
Mathematically we have
{P And C } S1 {Q} C= False
{P And C } S2 {Q} C=True

Engineering(SE)
if i <= j then
m := i;
else
m := j;
if i <= j then
m := i;
else
m := j;
(m i and m j) and (m = i or m = j)
ELSE PART
(m = i or m = j) and (m j and m j)
ELSE PART
(i > j)
m = j;
ELSE PART
(i > j)
m = j;
(i>j) and (j = i or j = j) and (j i and j j)
ELSE PART
(i > j)
m = j;
(i>j) and (true) and (j i and true)
ELSE PART
(i > j)
m = j;
(i>j) and (j i)
ELSE PART
(i > j)
m = j;
(i>j) and (j i)
(i>j)
IF PART
(i <= j)
m = i;
IF PART
(i <= j)
m = i;
(m = i or m = j) and (m i and m i)
IF PART
(i <= j)
m = i;
(i j) and (i = i or i = j) and (i i and i j)
IF PART
(i <= j)
m = i;
(i j) and (true) and (true and i j)
IF PART
(i <= j)
m = i;
(i j) and (i j)
IF PART
(i <= j)
m = i;
(i j) and (i j)
(i j)
Design by Contract
Design by Contract and the language that implements the Design by
Contract principles (called Eiffel) was developed in Santa Barbara
by Bertrand Meyer (he was a UCSB professor at the time, now he is
at ETH)
Bertrand Meyer won the 2006 ACM Software System Award for the
Eiffel!
Award citation: For designing and developing the Eiffel
programming language, method and environment, embodying
the Design by Contract approach to software development and
other features that facilitate the construction of reliable,
extendible and efficient software.
The company which supports the Eiffel language is located in Santa
Barbara:
Eiffel Software (http://www.eiffel.com)
The material in the following slides is mostly from the following
paper:
Applying Design by Contract, B. Meyer, IEEE Computer, pp.
40-51, October 1992.
Dependability and Object-
Orientation
An important aspect of object oriented design is reuse
For reusable components correctness is crucial since an error in
a module can effect every other module that uses it
Main goal of object oriented design and programming is to improve
the quality of software
The most important quality of software is its dependability
Availability(deliver services when requested)
Reliability(deliver services specified)
Safety(operate without catastrophic failure)
Security(defend itself against intrusion)
Design by contract presents a set of principles to produce
dependable and robust object oriented software
Basic design by contract principles can be used in any object
oriented programming language
What is a Contract?
There are two parties:
Client which requests a service
Supplier which supplies the service
Contract is the agreement between the client and the supplier
Two major characteristics of a contract

Each party expects some benefits from the contract and is prepared to incur
some obligations to obtain them
These benefits and obligations are documented in a contract document
Benefit of the client is the obligation of the supplier, and vice versa.
What is a Contract?
As an example lets think about the
contract between a tenant and a landlord
Party Obligations Benefits
Tenant Pay the rent at the Stay at the apartment.

beginning of the month.
Landlord Keep the apartment in Get the rent payment

a habitable state. every month.
What is a Contract?
A contract document between a client and a supplier protects both sides
It protects the client by specifying how much should be done to get the benefit.
The client is entitled to receive a certain result.
It protects the supplier by specifying how little is acceptable. The supplier must
not be liable for failing to carry out tasks outside of the specified scope.
If a party fulfills its obligations it is entitled to its benefits

No Hidden Clauses Rule: no requirement other than the obligations written in the
contract can be imposed on a party to obtain the benefits
How Do Contracts Relate to
Software Design?
Here is the basic idea
One can think of pre and post conditions of a procedure as obligations and
benefits of a contract between the client (the caller) and the supplier (the called
procedure)
Design by contract promotes using pre and post-conditions as a part of module

design
Eiffel is an object oriented programming language that supports design by contract

In Eiffel the pre and post-conditions are written using require and ensure
constructs, respectively
Defensive Programming vs.
Design by Contract
Defensive programming is an approach that promotes putting checks in every module
to detect unexpected situations
This results in redundant checks (for example, both caller and callee may check the
same condition)
A lot of checks makes the software more complex and harder to maintain
In Design by Contract the responsibility assignment is clear and it is part of the

module interface
prevents redundant checks
easier to maintain
provides a (partial) specification of functionality
Design by Contract in Eiffel
In Eiffel procedures are written is in the following form:
procedure_name(argument declarations) is
-- Header comment
require
Precondition
do
Procedure body
ensure
Postcondition
end
Design by Contract in Eiffel
An example:
put_child(new_child: NODE) is
-- Add new to the children of current node
require
new_child /= Void
do
... Insertion algorithm ...
ensure
new_child.parent = Current;
child_count = old child_count + 1
end -- put_child
Current refers to the current instance of the object (this in Java)

Old keyword is used to denote the value of a variable on entry to the procedure
Note that = is the equality operator (== in Java) and /= is the
inequality operator (!= in Java)
The put_child Contract
The put_child contract in English would be something like the table below.
Eiffel language enables the software developer to write this contract formally
using require and ensure constructs
Party Obligations Benefits
Client Use as argument a Get an updated tree

reference, say where the Current
new_child, to an node has one more
existing object of type child than before;
Node. new_child now has
Current as its parent.
Supplier Insert new_child as No need check if the
required. argument actually points
to an object.
Contracts
The pre and post conditions are assertions, i.e., they are expressions which evaluate
to true
The precondition expresses the requirements that any call must satisfy
The post condition expresses the properties that are ensured at the end of the
procedure execution
If there is no precondition or post condition, then the precondition or post condition is

assumed to be true (which is equivalent to saying there is no pre or post condition)
Design by contract Violations
What happens if a precondition or a postcondition fails (i.e., evaluates to false)
A precondition violation would indicate a bug at the caller
A postcondition violation would indicate a bug at the callee
Our goal is to prevent assertion violations from happening

The pre and postconditions are not supposed to fail if the software is correct
hence, they differ from exceptions and exception handling
By writing the contracts explicitly, we are trying to avoid contract violations, (i.e,
failed pre and postconditions)
Assertion Violations
In the example below, if new_child = Void then the precondition fails.
The procedure body is not supposed to handle the case where new_child = Void,
that is the responsibility of the caller
put_child(new_child: NODE) is
-- Add new to the children of current node
require
new_child /= Void
do
... Insertion algorithm ...
ensure
new_child.parent = Current;
child_count = old child_count + 1
end -- put_child
Class Invariants
A class invariant is an assertion that holds for all instances (objects) of the class
A class invariant must be satisfied after creation of every instance of the class
The invariant must be preserved by every method of the class, i.e., if we assume
that the invariant holds at the method entry it should hold at the method exit
We can think of the class invariant as conjunction added to the precondition and
postcondition of each method in the class
For example, a class invariant for a binary tree could be (in Eiffel notation)
invariant
left /= Void implies (left.parent = Current)
right /=Void implies (right.parent = Current)
Design by Contract and
Inheritance
Inheritance enables declaration of
subclasses which can redeclare some of
the methods of the parent class, or provide
an implementation for the abstract
methods of the parent class
Inheritance: Preconditions
If the precondition of the
ClassB.someMethod is stronger than the Client ClassA
precondition of the ClassA.someMethod,
then this is not fair to the Client someMethod()
The code for ClassB may have been

written after contract was written, so
Client has no way of knowing its
contractual requirements for ClassB
ClassB
someMethod()
Inheritance: Postconditions
If the postcondition of the
ClassB.someMethod is weaker than the Client ClassA
postcondition of the ClassA.someMethod,
then this is not fair to the Client someMethod()
Since Client may not have known about

ClassB, it could have relied on the
stronger guarantees provided by the
ClassA.someMethod
ClassB
someMethod()
In ClassA: In ClassB which is derived from ClassA:
invariant invariant
classInvariant newClassInvariant
someMethod() is someMethod() is
require require
Precondition newPrecondition
do do
Procedure body Procedure body
ensure ensure
Postcondition newPostcondition
end end
Client ClassA
The precondition of ClassB.aMethod is defined as:
someMethod()
newPrecondition or Precondition
The postcondition of ClassB.aMethod is defined as:

newPostcondition and Postcondition
ClassB
The invariant of ClassB is
someMethod()
classInvariant and newClassInvariant
jContractor: A Design-by-
Contract Tool for Java
jContractor is a design by contract class library for Java
http://jcontractor.sourceforge.net/
References:
jContractor Crash Course, Parker Abercrombie,
http://jcontractor.sourceforge.net/doc/crashcourse.html
jContractor: Bytecode instrumentation techniques for implementing design by
contract in Java." In Proceedings of Second Workshop on Runtime Verification,
RV 02. Copenhagen, Denmark. July 26, 2002.
"jContractor: A Reflective Java Library to Support Design By Contract". In
Proceedings of Meta-Level Architectures and Reflection, 2nd International
Conference, Reflection '99. Saint-Malo, France, July 1999.
An Example Class
class Stack extends Cloneable {
public Stack () { ... }
public Stack (Object initialContents) { ... }
public void push (Object o) { ... }
public Object pop () { ... }
public Object peek () { ... }
public void clear () { ... }
public int size () { ... }
private int searchStack (Object o) { ... }
}
Preconditions
Precondition of a method is written as a boolean method and its name is the method
name followed by "_Precondition"
A method's precondition is checked when execution enters the method.
Precondition methods return boolean and take the same arguments as the non-
contract method that they correspond to.
protected boolean push_Precondition (Object o) {
return o != null;
private boolean searchStack_Precondition (Object o) {
return o != null;
protected boolean Stack_Precondition (Object initialContents) {
return (initialContents != null) && (initialContents.length > 0);
}
Some additional rules about preconditions
The precondition for a static method must be static.
The precondition for a non-static method must not be

static.
The precondition for a non-private method must be

protected.
The precondition for a private method must be private.

Postconditions
Postcondition of a method is written as a boolean method and its name is the method
name followed by "_Postcondition"
A method's postcondition is checked just before the method returns.
Postcondition methods return boolean and take the same arguments as the non-
contract method, plus an additional argument (called RESULT) must be the last in the
list, and holds the value returned by the method.
protected boolean push_Postcondition (Object o, Void RESULT) {
return searchStack(o) && (size() == OLD.size() + 1);
}
protected boolean Stack_Postcondition (Object initialContents,

Void RESULT) {
return size() == initialContents.length;
}
Some additional rules about
postconditions
The postcondition for a static method must be static.
The postcondition for a non-static method must not be

static.
The postcondition for a non-private method must be

protected.
The postcondition for a private method must be private.

VDM: Vienna Development
Method
Originating in work done at IBM's Vienna
Laboratory in the 1970s
Vienna Development Method (VDM)

Attempted to cover all of software lifecycle
It has grown to include a group of

techniques and tools based on a formal
specification language - the VDM
The Life-cycle Model
F
i
n
a
l
P
r
o
d
u
c
t
R
e
q
u
i
r
e
m
e
nt
s Where does the
VDM technology
fit in?
System
System Test
Analysis
Software
Module Test
Design
Coding Unit Test
148
VDM for Requirements
Analysis
F
i
n
a
l
P
r
o
d
u
c
t
R
e
q
u
i
r
e
m
e
nt
s
System VDM Test

System Test
Analysis Model Cases
Modelling & Validation
Software
Module Test
Design
Coding Unit Test
149
VDM for Analysis & Design
F
i
n
a
l
P
r
o
d
u
c
t
R
e
q
u
i
r
e
m
e
nt
s
System VDM Test

Model System Test
Analysis Cases
Software
Module Test
Design
Coding Unit Test
150
VDM for the Full Life-cycle
Model
F
i
n
a
l
P
r
o
d
u
c
t
R
e
q
u
i
r
e
m
e
nt
s
System VDM Test

System Test
Analysis Model Cases
Software
Module Test
Design
Code
Unit Test
Generation
151
Case Study - Incubator
The temperature needs to be carefully controlled and monitored in order to provide
the correct conditions for a particular biological experiment to be undertaken.
The temperature of the incubator increments or decrements and each time a change
of one degree has been achieved, the software is informed of the change, which it
records.
Safety requirements dictate that the temperature of the incubator must never be
allowed to rise above 10 C, nor fall below -10 C.
UML Specifications
IncubatorMonitor
temp: integer
increment()
decrement()
getTemp(): int
Specifying the State in VDM-SL
State refers to the permanent data that must be stored by the system, and which can
be accessed by means of operations.
The state is specified by declaring variables, in a very similar manner to the way that
this is done in a programming language
variable name and type

Intrinsic types available in VDM-
SL
Mathematical Notation
: natural numbers (positive whole numbers)
1: natural numbers excluding zero
Z: integers (positive and negative whole numbers)
R : real numbers (positive and negative numbers that

can include a fractional part)
B : Boolean values (TRUE or FALSE)
Char: the set of alphanumeric characters

State Definition
state IncubatorMonitor of
temp : Z
end
increment()
wr temp: Z
pre temp < 10
post temp = temp + 1

decrement()
wr temp: Z
pre temp > -10
post temp = temp - 1

getTemp() currentTemp: Z
rd temp: Z
pre true
post temp = currentTemp

Declaring Constants
values
MAX: Z =10
MIN: Z = -10
now we can write
pre temp > MIN

Specifying a State Invariant
inv mk-IncubatorMonitor(t) MIN t MAX
This expression is itself a function, and is known

as a make function (the mk is pronounced
make).
is read is defined as

Formal Methods (FM) in Software Engineering (SE) : Cell#: 0308-5059325

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Formal Methods (FM) in Software Engineering (SE) : Cell#: 0308-5059325

Uploaded by

Copyright:

Available Formats

Formal Methods(FM) in Software

Presentation ( Research Based / Project

Mid Term : Marks 20

Final Paper : Marks 60

9/29/2017 Formal Methods(FM) in Software 2

Formal : precise, definite, orderly ,disciplined or

9/29/2017 Formal Methods(FM) in Software 3

Dijkstra and Tony Hall are Pioneer

What is wrong with informal methods ?

Software's history is full of notorious bugs

9/29/2017 Formal Methods(FM) in Software 4

1987 : Therac-25 The Bug that killed

1990: AT&T long distance break down

1991: Patriot Missile Hitting own

Branch / Decision Coverage :

Path Coverage : Exhaust and enumerate all

Rules of the Game

Jar of Black and White Balls

Total number of balls is reduced by exactly one in each move.

true p p false p true

true p p false p true

true p p false p true

true p p false p true

p or not p true p and not p false

and over or Commutativity of

Someone asks person A, Are you

If I am a knight then Ill

Objective is to logically deduce H

not A and not (not A or H)

If Superman were able and willing to

The objective is now to prove not X

Now proving I or M will result in a

Replace the term which is repeated odd number

The problem is as follows:

What are A, B, and C?

wp((x:= x+1; y := y+1), x = y)

wp((x:= x+1; y := y+1), x = y)

wp((x:= x+1; y := y+1), x = y)

wp((x:= x+1; y := y+1), x = y)

wp((x:= x+1; y := y+1), x = y)

{Q} is an empty set

Is it possible you do work and end up with nothing?

Law of excluded miracle

{Q} has all possible values

Source program will actually terminates

9/29/2017 Formal Methods(FM) in Software 105

9/29/2017 Formal Methods(FM) in Software 106

9/29/2017 Formal Methods(FM) in Software 107

9/29/2017 Formal Methods(FM) in Software 108

Contract is the agreement between the client and the supplier

Two major characteristics of a contract

Tenant Pay the rent at the Stay at the apartment.

Landlord Keep the apartment in Get the rent payment

If a party fulfills its obligations it is entitled to its benefits

Design by contract promotes using pre and post-conditions as a part of module

Eiffel is an object oriented programming language that supports design by contract

In Design by Contract the responsibility assignment is clear and it is part of the

Current refers to the current instance of the object (this in Java)

Party Obligations Benefits

Client Use as argument a Get an updated tree

If there is no precondition or post condition, then the precondition or post condition is

Our goal is to prevent assertion violations from happening

The code for ClassB may have been