Formal Methods: Industrial Use (PowerPoint presentation transcript)

1
Formal Methods: Industrial Use
  • CS 415, Software Engineering II
  • Mark Ardis, Rose-Hulman Institute
  • March 21, 2003

2
Outline
  • Controversy over formal methods
  • Where are formal methods used?
  • 4 Stories
    • IBM CICS project
    • Tektronix oscilloscope
    • LOTOS at Bell Labs
    • VFSM at Bell Labs

3
Controversy Over Formal Methods
  • DeMillo, Lipton and Perlis, "Social Processes and
    Proofs of Theorems and Programs", CACM, May 1979.
  • Fetzer, "Program Verification: The Very Idea",
    CACM, September 1988.
  • The "Gang of 10" (the joint reply to Fetzer)

4
Where are Formal Methods Used?
  • Safety critical applications
    • Aviation
    • Railway transportation
    • MOD 00-55 (UK Defence Standard 00-55 for
      safety-critical software)
  • Other high-integrity systems
  • Application generators
  • Hardware design

5
IBM CICS Project
  • Maintenance of Customer Information Control
    System (CICS)
  • Used Z to reverse engineer old code
  • Found more errors earlier in the lifecycle

6
Maintenance of CICS
  • Old (> 30 years)
  • Large (> 500 KLOC)
  • Multiple languages (assembler and a special dialect
    of PL/I)
  • Many users
  • Several configurations

7
Restructuring of CICS
  • Necessary first step before Z could be used
  • Independent of any method

8
Reverse Engineering
  • Z specifications derived from
    • manuals
    • developers
    • code
  • About half of CICS described in Z (230 KLOC)
  • Modules added or rewritten later from Z
    specifications

9
IBM Development Process
  • Used standard IBM process, including
    • design reviews
    • code inspections
    • testing
  • Used standard IBM programming languages, plus a
    guarded command language
  • Required training of staff in Z

10
IBM Training
  • Used standard IBM courses, including
    • discrete mathematics
    • software engineering workshop
  • Augmented with Z courses
    • 4 days for writers
    • 2 days for readers
    • 1 day for managers

11
IBM Results
  • More time spent in design
  • Inspections required less preparation, but took
    longer to conduct
  • More problems found earlier in design
  • Fewer problems found in testing
  • Overall time was 9% less than average
  • Won the Queen's Award for Technological Achievement
    (1992)

12
Cartoon of the Day

13
Tektronix
  • Exploratory project
  • Discovered useful abstractions
  • Concentrated on process of specification, not
    product

14
Tektronix Process
  • 2 researchers (DeLisle and Garlan) investigated a
    general problem area
    • talked to engineers
    • tried to describe existing devices
  • Discussed trial specifications with engineers

15
Tektronix Results
  • Original descriptions were operational
  • Researchers found an abstraction (waveform) that
    clarified roles of hardware and software
    engineers
  • Resulting specification yielded insights about
    tradeoffs
    • user interfaces
    • sampling methods
    • hw/sw partitioning

16
Tektronix Lessons
  • Industrial engineers can understand formal
    specifications
  • Abstraction was very valuable in focusing
    attention on right problem
  • Specification was a process, not a product

17
LOTOS at Bell Labs
  • Some formal methods already used in switching
    applications
    • SDL
    • Promela
    • VFSM
  • Opportunity to try LOTOS in 1991
    • Language Of Temporal Ordering Specification
      (ISO 8807)
    • New standard for telecommunication protocols

18
Primitive LOTOS Project
  • Basic LOTOS difficult to use
    • too much redundancy
    • too little redundancy
  • Primitive LOTOS (PLOTOS)
    • added declarations
    • more "C"-like

19
PLOTOS Results
  • Used on parts of several projects
  • Tools were popular
  • Solved the wrong problem
    • specification was a verb, not a noun
    • spaceship theory

20
PLOTOS Lessons
  • Software developers in Naperville are an oral
    culture
    • work via meetings
    • very little abstraction
  • Need to first move to a literary paradigm
    • domain engineering to capture knowledge in
      writing
    • domain specific languages to develop formal
      notations

21
VFSM at Bell Labs
  • Manager convinced by a former teacher to try
    Virtual Finite State Machines (VFSM)
  • Constructed a compiler to C
  • Later adapted SPIN for model checking

22
VFSM Results
  • Used on several projects
  • Tools were popular
  • Solved the right problem
    • compiled to executable code
    • testing was the most onerous job of development
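
The VFSM approach on the two slides above, as an added example that is not part of the original deck and is not Bell Labs' VFSM compiler or SPIN: a state table that is executed directly (the "compiled to executable code" idea, here interpreted rather than translated to C) and an exhaustive search over every reachable state and every input vector, the kind of check a model checker performs on a model of the machine. The session protocol, its virtual inputs (creds_ok, get_data, logout, timeout), the safety property and the deliberately defective second table are all constructed for this illustration.

```python
"""Table-driven virtual finite state machine with an exhaustive checker.

Added illustration for the VFSM slides, not Bell Labs' tool. The session
protocol, its inputs and the defective second table are constructed here.
"""
from collections import deque
from itertools import product

# Virtual inputs: named boolean conditions the machine reacts to (constructed).
INPUTS = ("creds_ok", "get_data", "logout", "timeout")

# Transition table: state -> rows of (guard, next_state, outputs).
# A guard lists required input values; the first matching row fires, and a
# row with an empty guard is the default ("else") transition.
SESSION_FSM = {
    "IDLE": [
        ({"creds_ok": True}, "AUTHED", ("grant",)),
        ({"get_data": True}, "IDLE", ("deny",)),
        ({}, "IDLE", ()),
    ],
    "AUTHED": [
        ({"logout": True}, "CLOSED", ("bye",)),
        ({"timeout": True}, "IDLE", ("expire",)),
        ({"get_data": True}, "AUTHED", ("send_data",)),
        ({}, "AUTHED", ()),
    ],
    "CLOSED": [({}, "CLOSED", ())],
}

# Same machine with one wrong row: IDLE serves data requests without
# authentication. A constructed defect, so the checker has something to find.
BUGGY_FSM = dict(SESSION_FSM)
BUGGY_FSM["IDLE"] = [
    ({"creds_ok": True}, "AUTHED", ("grant",)),
    ({"get_data": True}, "IDLE", ("send_data",)),
    ({}, "IDLE", ()),
]


def step(fsm, state, inputs):
    """One VFSM step: fire the first row whose guard matches the input vector."""
    for guard, nxt, outputs in fsm[state]:
        if all(inputs[name] == value for name, value in guard.items()):
            return nxt, outputs
    raise ValueError(f"incomplete table: no row for {state} on {inputs}")


def all_input_vectors():
    """Every combination of the boolean virtual inputs (2**len(INPUTS))."""
    for bits in product((False, True), repeat=len(INPUTS)):
        yield dict(zip(INPUTS, bits))


def reachable(fsm, start):
    """States reachable from `start` under some input sequence."""
    seen, queue = {start}, deque([start])
    while queue:
        state = queue.popleft()
        for inputs in all_input_vectors():
            nxt, _ = step(fsm, state, inputs)
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def check_safety(fsm, start, forbidden):
    """Breadth-first search over all reachable transitions.

    Returns None if forbidden(state, inputs, outputs, next_state) never
    holds; otherwise a shortest trace from `start` to the violating
    transition, in the spirit of a model checker's counterexample trail."""
    parent = {start: None}  # state -> (previous state, inputs, outputs)
    queue = deque([start])
    while queue:
        state = queue.popleft()
        for inputs in all_input_vectors():
            nxt, outputs = step(fsm, state, inputs)
            if forbidden(state, inputs, outputs, nxt):
                trace = [(state, inputs, outputs, nxt)]
                while parent[state] is not None:
                    prev, prev_inputs, prev_outputs = parent[state]
                    trace.append((prev, prev_inputs, prev_outputs, state))
                    state = prev
                return list(reversed(trace))
            if nxt not in parent:
                parent[nxt] = (state, inputs, outputs)
                queue.append(nxt)
    return None


def data_before_auth(state, inputs, outputs, nxt):
    """Safety property: data may only be sent from the authenticated state."""
    return "send_data" in outputs and state != "AUTHED"


if __name__ == "__main__":
    print("reachable:", sorted(reachable(SESSION_FSM, "IDLE")))
    print("correct table:", check_safety(SESSION_FSM, "IDLE", data_before_auth))
    for s, i, o, n in check_safety(BUGGY_FSM, "IDLE", data_before_auth):
        print(f"counterexample: {s} --{[k for k, v in i.items() if v]}/{o}--> {n}")
```

The point of separating the table from the engine is the one the slide makes: the table is both the specification and the executable, so the search that finds the unauthenticated send_data row is checking the same artifact that ships, not a hand-written model that may have drifted from the code.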

23
VFSM Lessons
  • Bottom-up development is more easily accepted
    than top-down
  • Free lunches are a powerful force
  • Revolutionary methods need crusaders

24
Summary
  • Formal methods provide substantial benefits, but
    at cost
  • May be most applicable in established domains
  • Adoption requires cultural change for many
    organizations