COSC 4P42 – Formal Methods in Software Engineering

COSC 4P42 Formal Methods in Software Engineering

• Course:
  – Lecture: Tue & Fri, 14:00 – 15:30, Fall 2020, Lifesize (online)
  – Lab: Wed, 11:00 – 13:00, Fall 2020, Lifesize (online)
• Instructor: Michael Winter
  – Office J323
  – email: mwinter@brocku.ca
• Webpage: www.cosc.brocku.ca/~mwinter/Courses/4P42/

© M. Winter 1.1

• Course Description (Brock Calendar): Specification and correctness of software. Topics include algebraic specifications, semantics of programming languages, Hoare/dynamic logic, specification languages, program transformation.
• Prerequisites: 3.5 COSC credits and MATH 1P67 or permission of the instructor
• Course procedures
  – cheating on tests/exam

Textbooks

• Main Text
  – None (course material is on the web page).
• Supplemental Texts
  – The Formal Semantics of Programming Languages: An Introduction, G. Winskel, The MIT Press (1993), ISBN 0-262-23169-7 (hc), 0-262-73103-7 (pb)
  – The Design of Well-Structured and Correct Programs, S. Alagic & M. A. Arbib, Springer-Verlag (1978), ISBN 0-387-90299-6
  – Fundamentals of Algebraic Specifications 1: Equations and Initial Semantics, H. Ehrig & B. Mahr, Springer-Verlag (1985), ISBN 0-387-13718-1

Course Work

• Marking Scheme
  – Lab Tests (3 x 20%)      60%
  – Final Exam (Lab D205)    40%
• Important Dates

  Test   Length    Date (D205) / Time
  1      60 mins   Sep 30 (11:00 – 12:00)
  2      60 mins   Oct 28 (11:00 – 12:00)
  3      60 mins   Nov 18 (11:00 – 12:00)
  Exam   90 mins   Dec 09 (13:00 – 14:30)

Course Outline

  Week  Lecture Dates   Lab Date  Lab Topic
  1     Sep 11, 15      Sep 09    No lab
  2     Sep 18, 22      Sep 16    Introduction to Coq, Natural Deduction (propositional logic) in Coq
  3     Sep 25, 29      Sep 23    Natural Deduction (first-order logic) in Coq
  4     Oct 02, 06      Sep 30    Test 1
  5*    Oct 09, 20      Oct 07    Natural number and induction in Coq
  6     Oct 23, 27      Oct 21    Hoare logic in Coq
  7     Oct 30, Nov 03  Oct 28    Test 2
  8     Nov 06, 10      Nov 04    Hoare logic in Coq
  9     Nov 13, 17      Nov 11    Hoare logic (lists and pseudo-pointers) in Coq
  10    Nov 20, 24      Nov 18    Test 3
  11    Nov 27, Dec 01  Nov 25    Hoare logic (lists and pseudo-pointers) in Coq
  12    Dec 04, 08      Dec 02    No lab

Lecture topics:
  Week 1: Introduction
  Week 2: First-order logic - Syntax and Semantics
  Week 3: First-order logic - Natural Deduction
  Week 4: First-order logic - Soundness of Natural Deduction
  Weeks 5 to 12, in the order listed:
    – Introduction of the Programming Logic IMP and Hoare Logic
    – Programming Language IMP - Syntax and Operational Semantics
    – Programming Language IMP - Hoare Logic
    – Programming Language IMP - Soundness of Hoare logic
    – Algebraic Specifications - Motivation, Syntax and Semantics
    – Algebraic Specifications - Homomorphisms, Initial and Terminal Models
    – Selected topics, Review

* October 12 – 16 is Reading Week, no classes

• A mark of at least 40% on the final exam is required to achieve a passing grade in this course.
• No electronic devices, and especially no calculators, will be allowed in the examination room.
• Consideration regarding illness on test or exam dates will only be given if accompanied by the completed Departmental Medical Excuse form.

Motivation

Assume you are a project coordinator in a software company. The company wants to use encryption algorithms that are based on factorization and prime numbers (such as the RSA algorithm). They have purchased a software package providing the essential methods for this purpose. One method implements a prime number test. But you are not sure whether the method works properly, i.e., is correct in the following sense:

  IsPrime(long n) returns true if and only if n is a prime number

  private static boolean IsPrime(long n) {
      long[] as = {2, 3};                     // the bases a tried by the test
      if (n <= 1) return false;
      else if (n <= 3) return true;
      else {
          outer:
          for (long a : as) {
              long s = 0;
              long d = n - 1;
              while (d % 2 == 0) { s++; d /= 2; }   // n - 1 = 2^s * d with d odd
              long x = modpow(a, d, n);             // a^d mod n; modpow is not shown on the slide
              if (x != 1 && x != n - 1) {
                  for (long r = 1; r < s; r++) {
                      x = (x * x) % n;
                      if (x == 1) return false;         // non-trivial square root of 1
                      if (x == n - 1) continue outer;   // a is not a witness, try next base
                  }
                  return false;                         // a witnesses that n is composite
              }
          }
          return true;
      }
  }

Testing

You decide to test the program with the following test program:

  private static long[] primes = {2L, 3L, 5L, 7L, 11L, 13L, 17L, ...};

  public static void main(String[] args) {
      int n = 2;
      int i = 0;
      boolean result = true;
      while (i < primes.length) {
          if (IsPrime(n)) {
              if (n == primes[i]) i++;           // n is the next prime in the table
              else { result = false; break; }    // IsPrime disagrees with the table
          }
          n++;
      }
      System.out.println(result);
  }

Testing

Some results that you obtain:

  Number of primes tested (length of the array primes)   Result of the test
  10000                                                   true
  20000                                                   true
  30000                                                   true
  40000                                                   true
  50000                                                   true
  60000                                                   true
  70000                                                   true
  80000                                                   true
  90000                                                   true
  100000                                                  true

Testing

Are you satisfied with the testing procedure? Yes?!? But what if this program
• is used to encode your bank PIN?
• is used to transfer transaction data of some brokers?
• is used to grant access to the control software of a nuclear plant?
• …
An error in the code might cause a big financial loss for you or some company, or may even lead to fatalities.

Problems with Testing

Testing may unveil errors in the code, but
• you may only test finitely many examples;
• testing cannot verify that the code is bug-free.

“Correctness cannot be established through testing. Testing can only delete errors, but never exclude errors.”

In fact the program IsPrime works correctly for all numbers smaller than 1373653. But IsPrime(1373653) = true even though 1373653 = 829*1657. If you had tested the first 105223 prime numbers, you would have found the problem.

Another attempt

You do some research on prime number testing and you find out that the method IsPrime implements the Miller-Rabin test for a = {2, 3} (array as). In particular, you find out that the Miller-Rabin test has been shown to work correctly for the following parameters:

  Parameter a (array as)   Correct up to (excluding)
  2                        2,047
  2, 3                     1,373,653
  31, 73                   9,080,191
  2, 3, 5                  25,326,001
  2, 3, 5, 7               3,215,031,751
  2, 7, 61                 4,759,123,141
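The following is an added example, not code from the course: the IsPrime routine above written in Python with the base array as a parameter, together with the check the test program on the Testing slide performs, done against a sieve instead of a table of primes. Python's built-in pow(a, d, n) stands in for the slide's modpow; the bases and the bound 1373653 = 829*1657 come from the slides.

```python
# Added example, not the course's code: the slide's IsPrime (Miller-Rabin with a
# fixed witness set) in Python, plus the check the test program performs, done
# against a sieve. Bases and the bound 1373653 = 829 * 1657 are from the slides.

def is_prime_mr(n, bases=(2, 3)):
    """Same control flow as the slide's IsPrime; `bases` is its array `as`.
    True only means that no base in `bases` witnesses compositeness."""
    if n <= 1:
        return False
    if n <= 3:
        return True
    if n % 2 == 0:          # added so the witness set need not contain 2
        return False
    s, d = 0, n - 1
    while d % 2 == 0:       # n - 1 = 2^s * d with d odd
        s += 1
        d //= 2
    for a in bases:
        x = pow(a, d, n)    # a^d mod n; cannot overflow, unlike (x * x) % n on longs
        if x in (1, n - 1):
            continue
        for _ in range(1, s):
            x = (x * x) % n
            if x == 1:      # non-trivial square root of 1: n is composite
                return False
            if x == n - 1:
                break
        else:
            return False    # a is a witness: n is composite
    return True

def sieve(limit):
    """flags[n] == 1 iff n is prime, for 0 <= n < limit (Eratosthenes)."""
    flags = bytearray([1]) * limit
    flags[0:2] = b"\x00\x00"
    for p in range(2, int(limit ** 0.5) + 1):
        if flags[p]:
            flags[p * p:limit:p] = bytes(len(range(p * p, limit, p)))
    return flags

def first_false_positive(bases, limit):
    """Smallest composite n < limit that is_prime_mr(n, bases) accepts, else None."""
    flags = sieve(limit)
    for n in range(4, limit):
        if not flags[n] and is_prime_mr(n, bases):
            return n
    return None
```

Calling first_false_positive((2, 3), 1373654) reproduces the slide's finding (it takes a few seconds in Python); with bases (2, 3, 5) the same number is rejected, matching the table's next row.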

Further Problems?

Are you satisfied with this information and the proof provided in the literature? Yes?!? But what if the programmer made a mistake in implementing the Miller-Rabin test? The Miller-Rabin test might be correct for the set of numbers given, but the implementation could be wrong!!!!!

Formal Methods

An alternative approach is based on so-called formal methods in software engineering. These methods try either to mathematically prove programs correct or to construct programs correctly step by step. Both approaches require some formal system/calculus, i.e., a system that is based on a fixed set of simple rules.

In this course we will focus on program verification. The idea/procedure of program verification can be summarized by:
• Provide a specification of the behaviour of the program in a formal system/logic. Common tools are:
  – Propositional Logic (hardware verification)
  – First-order Logic (properties of imperative programs)
  – Higher-order Logic (properties of functional programs)
  – Algebraic Specifications (specification of data types)

Formal Software Verification

• Provide a formal semantics of the programming language used. Common approaches are:
  – Operational Semantics (abstract machine)
  – Denotational Semantics (input/output behaviour as a function)
  – Axiomatic Semantics (program logic)
• Use a specialized logic to verify the implementation with respect to the specification. Common logics are:
  – Specific Modal Logics such as Dynamic Logic
  – Hoare Logic
  – Extended Calculus of Constructions

Formal Software Verification

Important considerations when dealing with a formal system:
• Soundness/Correctness. This property states that every statement that can be derived in the formal system/calculus is semantically true, i.e., true in the intended semantics.
  – Slogan: “What you can prove is also true.”
• Completeness. This property is the converse implication of soundness. It states that for every true sentence there is also a proof in the formal system/calculus.
  – Slogan: “What is true can also be proven.”
• Expressive power.
  – Slogan: “Can I formulate all my properties in the language?”
• Decidability. If a formal system is decidable, then all proofs can be found automatically by a program.
  – Slogan: “Can a computer do my work?”

Formal Verification of IsPrime

One formal approach to the correctness of IsPrime uses the so-called Hoare logic. In this logic, formulas are triples { pre-condition } p { post-condition } consisting of a pre-condition, a program p, and a post-condition. Informally, such a Hoare triple is true if, whenever the pre-condition is true before the execution of the program p and the program terminates, then the post-condition is true after the execution of the program.

  { n < 1373654 } b = IsPrime(n) { b = true if and only if n is prime }