School of Applied Mathematical and Physical Sciences, National Technical University of Athens
Thales Workshop, 1-3 July 2015
Integrating Behavioural Algebraic Specifications and Design by Contract
Nikolaos Triantafyllou

License
This educational material is subject to Creative Commons licenses. Educational material, such as images, that is subject to a license of another type must state that license explicitly.
Towards Integrating Behavioural Algebraic Specifications and Design by Contract
Nikolaos Triantafyllou
Formal Methods Laboratory (λ-form), National Technical University of Athens

Introduction: Road Map
- Formal specification and verification approaches
- What are Behavioural Algebraic Specifications
- What is Design by Contract
- Comparison
- Cafe2JML
Introduction: Formal Specification and Verification
- Describe a system in a mathematically rigorous way
- Prove desired system properties, usually using a computer
- Approaches:
  1. Algebraic specifications (Maude, CASL)
  2. Behavioural (algebraic) specifications (CafeOBJ)
  3. State-transition systems (Petri nets)
  4. Set theory (Z)
  5. Event calculus (Event-B)
  6. Design by Contract (JML)

Introduction: Formal Specification and Verification - Problems
Each methodology has its own strengths and weaknesses.
Behavioural Specifications
- Pros (supported):
  - model the logical structure and organization of OO programs
  - arbitrarily large programs can be represented abstractly, uncluttered by implementation minutiae
  - verify high-level security and behavioural properties of the system
  - verify the behaviour of heterogeneous (infinite) state systems
- Cons (not supported):
  - verify the implementation against the specification properties
  - test the implementation at runtime
  - automatically detect conflicts between design and implementation

Introduction: Formal Specification and Verification - Problems
Design by Contract
- Pros (supported):
  - model the logical structure and organization of OO programs
  - verify the implementation against the specification properties
  - test the implementation at runtime
  - automatically detect conflicts between design and implementation
  - verify high-level security properties
- Cons (not supported):
  - arbitrarily large programs represented abstractly, uncluttered by implementation minutiae
  - verify behavioural properties of the system
  - verify the behaviour of heterogeneous (infinite) state systems
Decision: Why combine Behavioural Algebraic Specifications with DbC
Unique features of Behavioural Specifications:
- allow a level of freedom very close to the way software is built (e.g. sets in LISP)
- ideal for designing distributed systems
- highly successful in verifying security properties
- support infinite state space systems
- support modular/hierarchical specification
Problems generating code:
1. Because of the abstraction level, it is not possible to generate code automatically
2. Solution: generate a specification instead!

Towards Combining Behavioural Algebraic Specifications with DbC: Cafe2JML
A middle ground; Cafe2JML:
- Verify the design using Behavioural Algebraic Specifications
- Verify the implementation using Design by Contract
How:
1. Specify the system in CafeOBJ (OTS/CafeOBJ method)
2. Verify that the CafeOBJ specification has the desired safety/behavioural properties
3. Generate an equivalent JML specification using the Cafe2JML tool
4. Implement the system in Java
5. Verify the implementation using existing tools (ESC/Java2, KeY)
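The following is an added illustration of steps 1, 3 and 4 of this pipeline and is not code from the slides or from the Cafe2JML tool. It sketches a tiny ATM-style account as an OTS in CafeOBJ notation (in the comment), then gives the kind of JML contract a translator would produce for it and an assumed Java implementation that can be checked against that contract with tools such as ESC/Java2 or KeY. The module name ACCOUNT, the observer balance, the transitions deposit and withdraw, the class Account and the mapping rules (observer to pure query, transition to requires/ensures over \old, proved safety property to class invariant) are all assumptions made for the example.

```java
// Added example, not the authors' code: an OTS/CafeOBJ sketch and a
// hand-written JML contract of the shape Cafe2JML is described as generating.
//
// Assumed CafeOBJ (OTS) source specification. Hidden sort Account, one
// observer (balance), two transitions (deposit, withdraw). sd is CafeOBJ's
// symmetric difference on Nat, used here so the result stays a Nat.
//
//   mod* ACCOUNT {
//     *[Account]*
//     op  init     : -> Account
//     bop balance  : Account -> Nat
//     bop deposit  : Account Nat -> Account
//     bop withdraw : Account Nat -> Account
//     var A : Account   var N : Nat
//     eq  balance(init)           = 0 .
//     eq  balance(deposit(A, N))  = balance(A) + N .
//     ceq balance(withdraw(A, N)) = sd(balance(A), N) if N <= balance(A) .
//     ceq withdraw(A, N)          = A                 if N > balance(A) .
//   }
//
// Safety property proved on the OTS side (by induction over transitions):
//   balance(A) >= 0 for every reachable A.
// Translation rules assumed here:
//   observer   -> pure query method with ensures \result == field
//   transition -> mutator with requires/ensures phrased over \old(...)
//   proved invariant -> JML class invariant
public class Account {
    private /*@ spec_public @*/ int balance;

    //@ public invariant balance >= 0;

    // init
    //@ ensures balance == 0;
    public Account() {
        this.balance = 0;
    }

    // observer balance
    //@ ensures \result == balance;
    public /*@ pure @*/ int balance() {
        return balance;
    }

    // transition deposit: always enabled in the OTS; the overflow guard is an
    // implementation-level precondition Nat does not need but int does.
    //@ requires amount >= 0 && balance <= Integer.MAX_VALUE - amount;
    //@ assignable balance;
    //@ ensures balance == \old(balance) + amount;
    public void deposit(int amount) {
        balance += amount;
    }

    // transition withdraw: the effective condition N <= balance(A) is kept as
    // a case split in the postcondition rather than a precondition, so the
    // "no change when disabled" equation is also checkable at runtime.
    //@ requires amount >= 0;
    //@ assignable balance;
    //@ ensures amount <= \old(balance) ==> balance == \old(balance) - amount;
    //@ ensures amount >  \old(balance) ==> balance == \old(balance);
    public void withdraw(int amount) {
        if (amount <= balance) {
            balance -= amount;
        }
    }
}
```

The point of the split in withdraw is that an OTS transition is total: when its effective condition fails the state is unchanged, and the JML contract has to say so explicitly, otherwise an implementation that silently overdraws would still satisfy a contract that only constrained the enabled case.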
Towards Combining Behavioural Algebraic Specifications with DbC: Why not generate code instead?
We believe this separation of concerns is good:
- Roles:
  1. The design engineer focuses on the design and its properties
  2. The programmer focuses on implementation and optimization
- Consequences:
  1. Verification is uncluttered by implementation details
  2. The programmer does not need to know about verification

Cafe2JML
We achieved this by:
- defining a translation from CafeOBJ specifications to JML
- proving the soundness of the translation
- developing a tool to automate the translation
- conducting case studies

Cafe2JML: Soundness
We proved that every model of a CafeOBJ specification is a model of the translated JML specification:
1. First we constructed the term algebra for the subset of JML used by Cafe2JML.
2. Next, we showed that from an arbitrary JML specification we can generate a hidden theory for which all behavioural operators are congruent.
3. Next we proved that any model of a JML specification is isomorphic to the JML term algebra (closed under the equational deduction rules).
4. Thus we can use the term algebra instead of an arbitrary JML model.
5. The proof concludes by showing that the reduct of this JML term algebra along the cafe2jml operation is always a model of the original OTS/CafeOBJ specification.

Cafe2JML: Example
We conducted several case studies, and continue to do so:
1. ATM system
2. Binary search algorithm
3. DRM algorithm (work in progress)
In the near future:
1. Web services
2. Android applications
Thank you!

Funding
- This educational material has been developed as part of the instructor's teaching work.
- The project "Open Academic Courses of NTUA" has funded only the reformatting of the educational material.
- The project is implemented under the Operational Programme "Education and Lifelong Learning" and is co-financed by the European Union (European Social Fund) and by national resources.