Formal methods
|
In computer science, formal methods refers to mathematically based techniques for the specification, development and verification of software and hardware systems (Foldoc:formalmethods). Formal methods is a sub-discipline of software engineering.
Contents |
Taxonomy
As with the sub-discipline of programming language semantics, formal methods may be roughly classified as follows:
- Denotational semantics, in which the meaning of a system is expressed as a mathematical function. Proponents of such methods rely on the well-understood nature of functions to give meaning to the system; critics point out that not every system may be intuitively viewed as a function.
- Operational semantics, in which the meaning of a system is expressed as a sequence of actions of a (presumably) simpler computational model. Proponents of such methods point to the simplicity of their models as a means to expressive clarity; critics counter that the problem of semantics has just been delayed (who defines the semantics of the simpler model?).
- Axiomatic semantics, in which the meaning of the system is expressed in terms of preconditions and postconditions which are true before and after the system performs a task, respectively. Proponents note the connection to classical logic; critics note that such semantics never really describe what a system does (merely what is true before and afterwards).
Uses
Formal methods can be applied at various points through the development process. (For convenience, we use terms common to the waterfall model, though any development process could be used.)
Specification
Formal methods may be used to give a description of the system to be developed, at whatever level(s) of detail desired. This formal description can be used to guide further development activities (see following sections); additionally, it can be used to verify that the requirements for the system being developed have been completely and accurately specified.
The need for formal specification systems has been noted for years. In the ALGOL 60 Report, John Backus presented a formal notation for describing programming language syntax (later named Backus normal form (BNF)); Backus also described the need for a notation for describing programming language syntax. The report promised that a new notation, as definitive as BNF, would appear in the near future; it never appeared.
Development
Once a formal specification has been developed, the specification may be used as a guide while the concrete system is developed (i.e. realized in software and/or hardware). Examples:
- If the formal specification is in an operational semantics, the observed behavior of the concrete system can be compared with the behavior of the specification (which itself should be executable or simulateable). Additionally, the operational commands of the specification may be ameneable to direct translation into executable code.
- If the formal specification is in an axiomatic semantics, the preconditions and postconditions of the specification may become assertions in the executable code.
Verification
Once a formal specification has been developed, the specification may be used as the basis for proving properties of the specification (and hopefully by inference the developed system).
Human-Directed Proof
Sometimes, the motivation for proving the correctness of a system is not the obvious need for re-assurance of the correctness of the system, but a desire to understand the system better. Consequently, some proofs of correctness are produced in the style of mathematical proof: handwritten (or typeset) using natural language, using a level of informality common to such proofs. A "good" proof is one which is readable and understandable by other human readers.
Critics of such approaches point out that the ambiguity inherent in natural language allows errors to be undetected in such proofs; often, subtle errors can be present in the low-level details typically overlooked by such proofs. Additionally, the work involved in producing such a good proof requires a high level of mathematical sophistication and expertise.
Automated Proof
In contrast, there is increasing interest in producing proofs of correctness of such systems by automated means. Automated techniques fall into two general categories:
- Automated theorem proving, in which a system attempts to produce a formal proof from scratch, given a description of the system, a set of logical axioms, and a set of inference rules.
- Model checking, in which a system verifies certain properties by means of an exhaustive search of all possible states that a system could enter during its execution.
Neither of these techniques work without human assistance. Automated theorem provers usually require guidance as to which properties are "interesting" enough to pursue; model checkers can quickly get bogged down in checking millions of uninteresting states if not given a sufficiently abstract model.
Proponents of such systems argue that the results have greater mathematical certainty than human-produced proofs, since all the tedious details have been algorithmically verified. The training required to use such systems is also less than that required to produce good mathematical proofs by hand, making the techniques accessible to a wider variety of practitioners.
Critics note that such systems are like oracles: they make a pronouncement of truth, yet give no explanation of that truth. There is also the problem of "verifying the verifier"; if the program which aids in the verification is itself unproven, there may be reason to doubt the soundness of the produced results.
Criticisms
In addition to the internal criticisms pointed out above, the field of formal methods as a whole has its critics. At the current state of the art, proofs of correctness (whether handwritten or computer-assisted) require significant time (and therefore money) to produce, with limited utility other than the assurance of correctness. This makes them more likely to be used in fields where the benefits of having such proofs (or the danger in having undetected errors) makes them worth the resources. For example, in aerospace engineering, where undetected errors may lead to death, formal methods are more popular than in other application areas.
At times, proponents of formal methods have claimed that their techniques would be the silver bullet to the software crisis. Of course, there is no silver bullet for software development, and some have written off formal methods due to those overreaching claims.
Related Topics
References
- Formal methods publications (http://vl.fmnet.info/pubs/)
External links
- Virtual Library formal methods (http://vl.fmnet.info/)
- Z notation (http://vl.zuser.org/)
fr:Méthode formelle (informatique)
- This article was originally based on material from the Free On-line Dictionary of Computing, which is licensed under the GFDL.