Tools for VDM in Industry
Peter Gorm Larsen
March 2007
Slides: 54

Personal Background
• Theoretical Work
  • VDM-SL Semantics (ISO standard)
  • VDM-SL Proof Rules (Ph.D. work)
• More Practical Work
  • VDM and SA in combination
  • IFAD VDMTools
  • Transfer VDM to Industry
  • Intensive use industrially
• Employed by
  • For 13 years: IFAD
  • For 3.5 years: Systematic
  • For 2 years: Engineering College of Aarhus

Tools for VDM in Industry (agenda)
→ IFAD Clients Experiences (current section)
• ”Bootstrapping” VDMTools
• Overview of VDMTools
• The Overture/Eclipse Initiative
• Vision for the future

References, World-wide, 2001
More than 150 VDMTools clients world-wide, including:
• France: Aerospatiale Espace et Defense, Dassault Aviation, Dassault Electronique, CISI, CEA et Defense, CEA Leti, Cap Gemini, LAAS, Matra Bae Dynamics
• U.K.: British Aerospace Systems & Equipment, British Aerospace Defense, Adelard, ICL Enterprise Engineering, Rolls Royce, Transitive Technologies
• Italy: ENEA, Ansaldo
• The Netherlands: Dutch Dept. of Defence, Origin, Chess
• Portugal: Sidereus
• Denmark: Baan Nordic, Odense Steel Shipyard, DDC International
• North America: Boeing, Rockwell Collins, Lockheed Martin, DDC-I, Inc., Rational Software Corp., Formal Systems Inc., Concordia University
• Japan: RTRI (Japan Railways), JFITS, Felica Networks
• Germany: GAO mbH

ConForm (1994)
• Organisation: British Aerospace (UK)
• Domain: Security (gateway)
• Tools: The CSK VDM-SL Toolbox
• Experience:
  • Prevented propagation of error
  • Successful technology transfer
  • At least 4 more applications without support
• Statements:
  • “Engineers can learn the technique in one week”
  • “VDMTools can be integrated gradually into a traditional existing development process”

DustExpert (1995-7)
• Organisation: Adelard (UK)
• Domain: Safety (dust explosives)
• Tools: The CSK VDM-SL Toolbox
• Experience:
  • Delivered on time at expected cost
  • Large VDM-SL specification
  • Testing support valuable
• Statement:
  • “Using VDMTools we have achieved a productivity and fault density far better than industry norms for safety related systems”

Adelard Metrics
• 31 faults in Prolog and C++ (< 1/kloc)
• Most minor, only 1 safety-related
• 1 (small) design error, rest in coding

CAVA (1998-)
• Organisation: Baan (Denmark)
• Domain: Constraint solver (Sales Configuration)
• Tools: The CSK VDM-SL Toolbox
• Experience:
  • Common understanding
  • Faster route to prototype
  • Earlier testing
• Statement:
  • “VDMTools has been used in order to increase quality and reduce development risks on high complexity products”

Dutch DoD (1997-8)
• Organisation: Origin, The Netherlands
• Domain: Military
• Tools: The CSK VDM-SL Toolbox
• Experience:
  • Higher level of assurance
  • Mastering of complexity
  • Delivered at expected cost and on schedule
  • No errors detected in code after delivery
• Statement:
  • “We chose VDMTools because of high demands on maintainability, adaptability and reliability”

DoD, NL Metrics (1)
• Estimated 12 C++ loc/h with manual coding!

DoD - Comparative Metrics (cost)
                  Analysis & design   Coding   Testing   Total
  Traditional:     900                2000     700       3600 (100%)
  VDMTools®:      1200                 500     600       2300 (64%)

BPS 1000 (1997-)
• Organisation: GAO, Germany
• Domain: Bank note processing
• Tools: The CSK VDM-SL Toolbox
• Experience:
  • Better understanding of sensor data
  • Errors identified in other code
  • Savings on maintenance
• Statement:
  • “VDMTools provides unparalleled support for design abstraction ensuring quality and control throughout the development life cycle.”

Flower Auction (1998)
• Organisation: Chess, The Netherlands
• Domain: Financial transactions
• Tools: The CSK VDM++ Toolbox
• Experience:
  • Successful combination of UML and VDM++
  • Use iterative process to gain client commitment
  • Implementers did not even have a VDM course
• Statement:
  • “The link between VDMTools and Rational Rose is essential for understanding the UML diagrams”

SPOT 4 (1999)
• Organisation: CS-CI, France
• Domain: Space (payload for SPOT 4 satellite)
• Tools: The CSK VDM-SL Toolbox
• Experience:
  • 38% fewer lines of source code
  • 36% less overall effort
  • Use of automatic C++ code generation
• Statement:
  • “The cost of applying Formal methods is significantly lower than without them.”

IFAD VDM Applications
• VDMTools
  • VDM interpreter
  • VDM static semantics
  • VDM to C++ code generator
  • Specification manager
  • UML mapper
  • Java static semantics
  • Java VDM++ translator
• MUSTER: Emergency response training

Japanese Railways (2000-2001)
• Organisation: RTRI (Japan Railways)
• Domain: Railways (database and interlocking)
• Experience:
  • Prototyping important
  • Subsequently also used it for an ATC system
  • Engineer working at IFAD for two years

Stock-options (2000-)
• Organisation: JFITS, Japan
• Domain: Financial
• Tools: The CSK VDM++ Toolbox
• Ongoing and still expanding

Mass produced chips (2005-)
• Organisation: Felica Networks (Sony), Japan
• Domain: Used inside mobile phones
• Tools: The CSK VDM++ Toolbox
• Status:
  • Over 100000 lines (677 pages) of VDM++
  • More than 10 million test cases
  • 110000 lines of C++ in firmware
  • 56 members (did not know FM in advance)
  • Project on schedule (3 years)
  • More than 10 million chips shipped in 2006
  • Not a single bug discovered so far

Further Information
• Applying Formal Specification in Industry. P. G. Larsen, J. Fitzgerald and T. Brookes. IEEE Software, vol. 13, no. 3, May 1996.
• A Lightweight Approach to Formal Methods. S. Agerholm and P. G. Larsen. In Proceedings of the International Workshop on Current Trends in Applied Formal Methods, Boppard, Germany, Springer-Verlag, October 1998.
• Published at the First VDM Workshop: VDM in Practice, held with the FM'99 Symposium, Toulouse, France, September 1999:
  • Applications of VDM in Banknote Processing. P. Smith and P. G. Larsen.
  • Application of VDM-SL to the Development of the SPOT 4 Programming Messages Generator. A. Puccetti and J. Y. Tixadou.
  • Formal Specification of an Auctioning System Using VDM++ and UML. M. Verhoef et al.

Tools for VDM in Industry (agenda)
✓ IFAD Clients Experiences
→ ”Bootstrapping” VDMTools (current section)
• Overview of VDMTools
• The Overture/Eclipse Initiative
• Vision for the future

Development Choices Taken
• Chosen:
  • Executable models → testing and animation
  • Partial “analysis” (validation) → system level testing
  • Code generation → VDM for source code
• Not chosen:
  • Formal refinement and formal verification

Staff Overview
(Chart of staff initials per year, 1991-2000: MV, PGL, ETN, NP, PBL, MA, HC, HV, NK, JNJ, SA, LTO, JWT, OS, JKP, KS, JR, PM, BF, BA, KdB, CA, SN, VS, OO, GW, WS, ML, RM, JSF.)

Development Environment
• GNU C++/Visual C++
• Generic VDM C++ library
• GUI: previously Tcl/Tk, now Qt
• flex and bison
• CVS/Ediff version control
• OSs: Windows, Linux, Unix
• Test environments
• Development procedures

The “Bootstrapping” Process
(Diagram: for each component (DS, SS, CG, SM, PM) a specification written in VDM-SL or VDM++ (VDM++ for DS, VDM-SL for the others) and the corresponding implementation, arranged along an implicit time line.)

Specification Sizes
(Chart.)

Component Categories
• Purely hand-coded
• VDM + hand coding
• VDM + code generation

Purely Hand-coded Components
• Scanner/parser (lex/yacc)
• Pretty-printer (simple C++ component)
• GUI (previously: Tcl/Tk, now: Qt)
• Interface to third party tools
  • Rational Rose
  • Corba for API
  • ML for HOL
• Generic VDM C++ library

VDM + Hand Coding
• Dynamic semantics (SL and ++)
• Static semantics (SL and ++)
• Java/C++ Code generators (SL and ++)
• Test environments for each component
  • Reused at implementation level
• Java/C++ code generators now themselves partially code generated

Maintenance Approach
• Bugs first reproduced at specification level
  • Tested using the VDM debugger
• Check that all tests are satisfactory
• Implement changes of specification
• Rerun all tests at implementation level

VDM + code generation
• Animator for SA/RT
• Specification Manager (SL and ++)
• VDM++ to/from UML translation
• Proof support (SL)
• Parts of GUI now code generated
• VDM model becomes source
  • Trade-off with abstraction

Further Information
• An Executable Subset of Meta-IV with Loose Specification. P. G. Larsen, P. B. Lassen. VDM '91: Formal Software Development Methods, 1991.
• The IFAD VDM-SL Toolbox: A Practical Approach to Formal Specifications. R. Elmstrøm, P. G. Larsen, P. B. Lassen. ACM Sigplan Notices, September 1994.
• Computer-aided Validation of Formal Specifications. P. Mukherjee. Software Engineering Journal, July 1995.
• Ten Years of Historical Development - ”Bootstrapping” VDMTools. P. G. Larsen. Journal of Universal Computer Science, 2001.

Tools for VDM in Industry (agenda)
✓ IFAD Clients Experiences
✓ ”Bootstrapping” VDMTools
→ Overview of VDMTools (current section)
• The Overture/Eclipse Initiative
• Vision for the future

VDMTools® Overview
• Syntax & Type Checker
• Java to VDM++
• Integrity Checker
• The Rose-VDM++ Link
• Interpreter (Debugger)
• Document Generator
• API (Corba), DL Facility
• Code Generators - C++, Java

Japanese Support via Unicode
(Screenshot.)

Validation with VDMTools®
(Diagram: VDM specs + Test cases → Execution → Actual results → Comparison ← Expected results.)
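The loop on this slide (test cases executed against the executable model, actual results compared with expected results, coverage of the checked points recorded), as an added example in Python that is neither VDMTools code nor any client's specification. The gateway model, its ordering of classification levels, the `check` helper and the test cases are constructed for illustration; a failed invariant or pre-condition is treated as an observable result, so negative test cases can state the violation they expect.

```python
from collections import Counter
from dataclasses import dataclass

LEVELS = ("public", "internal", "secret")   # constructed ordering, lowest first
COVERAGE = Counter()   # how often each checked point of the model was exercised

class SpecViolation(Exception):
    """An invariant, pre-condition or post-condition of the model failed."""

def check(point, holds):
    """Record that a checked point was exercised; raise if it does not hold."""
    COVERAGE[point] += 1
    if not holds:
        raise SpecViolation(point)

@dataclass(frozen=True)
class Message:
    body: str
    classification: str

    def __post_init__(self):
        # inv_Message: the classification must be one of the known levels
        check("inv_Message", self.classification in LEVELS)

def forward(msg, dest_clearance):
    """Explicit operation: pass msg to a domain cleared to dest_clearance."""
    # pre_forward: the destination clearance must dominate the classification
    check("pre_forward", dest_clearance in LEVELS
          and LEVELS.index(msg.classification) <= LEVELS.index(dest_clearance))
    result = Message(msg.body, msg.classification)
    # post_forward: the message leaves unchanged (no relabelling on the way out)
    check("post_forward", result == msg)
    return result

def outcome(run):
    """Execute one test case; a spec violation is itself an observable result."""
    try:
        return run()
    except SpecViolation as exc:
        return f"violation:{exc}"

# Constructed test cases: (name, execution, expected result); the last two are
# negative tests whose expected result is the named violation.
TEST_CASES = [
    ("secret to secret", lambda: forward(Message("m1", "secret"), "secret"),
     Message("m1", "secret")),
    ("public to internal", lambda: forward(Message("m2", "public"), "internal"),
     Message("m2", "public")),
    ("secret to public refused", lambda: forward(Message("m3", "secret"), "public"),
     "violation:pre_forward"),
    ("unknown level rejected", lambda: Message("m4", "topsecret"),
     "violation:inv_Message"),
]

def run_tests(cases=TEST_CASES):
    """Compare actual with expected results; report verdicts and coverage."""
    passed = [name for name, run, expected in cases if outcome(run) == expected]
    failed = [name for name, _, _ in cases if name not in passed]
    return {"passed": passed, "failed": failed, "coverage": dict(COVERAGE)}
```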

Documentation in MS Word/RTF
One compound document:
• Documentation
• Specification
• Test coverage statistics

Architecture of the Rose VDM++ Link
(Diagram: the VDM++ Toolbox (with its Class Repository and VDM++ Files) and Rational Rose 2000 (with its Class Repository, UML Diagrams and UML model file) are connected through a Merge Tool.)

Integrity checker
(Screenshot.)

Reference Material
• The VDM++ Language for VICE, CSK, 2005
• The VDM++ User Manual, CSK, 2005
• The VDM++ Installation Guide, CSK, 2005
• Rational Rose Link Plug-in Installation and User Guide, CSK, 2005


Tools for VDM in Industry (agenda)
✓ IFAD Clients Experiences
✓ ”Bootstrapping” VDMTools
✓ Overview of VDMTools
→ The Overture/Eclipse Initiative (current section)
• Vision for the future

Overture versus VDMTools
• VDMTools (http://www.vdmtools.jp/en)
  • Closed source, proprietary (available under NDA)
  • Monolithic architecture (single binary), C++
  • Optimized for performance, industry strength
• Overture Tool project (http://www.overturetool.org)
  • Open source, GPL license
  • Plug-in architecture, Eclipse, Java
  • Optimized for flexibility, targets academic use
  • (partly) developed using VDMTools

Overture – an open-source initiative
• Based on the Eclipse platform
• Extendible open VDM++ tool support
• Initial tool support produced in MSc project in NL
  • MSc project carried out at TUD
  • Jacob Porsborg Nielsen and Jens Kielsgaard Hansen
• MSc project at Aarhus University
  • Thomas Christensen
• New MSc projects at Engineering College of Aarhus
  • Hugo Macedo, Minho University
  • Sander Vermolen, University of Nijmegen

Overture Architecture Overview
(Diagram; each component is colour-coded as not yet available (as of January 2006), currently under development, or planned.)
• Eclipse
• OML editor with syntax highlighting
• Syntax Check
• Type Check
• Interpreter (Debugger) with API capabilities
• AST
• Basic automatic checks and GUI
• Test Generation support
• Visualisation Support
• Support for Execution traces
• Refactoring support
• GUI generators
• UML, SysML, AADL
• Verification support
• Model Checking support
• Interactive Proof support
• Automatic Proof support
• Proof Obligation generation
• Validation support
• Reverse Engineering support
• Connection to standard development environments
• Code Generators - C++, Java
• Pretty Printing with coverage

Automatic AST generation
(Diagram: the OVERTURE AST spec (VDM-SL subset) is fed to ASTGEN, which is specified in VDM++ and code generated, producing Java interfaces; VDMTools generates VDM++ classes, which a sed script turns into modified Java classes that “implement” those interfaces. Other users can use these specs to specify their own OVERTURE extensions (in VDM++).)

Tracefile Viewer (1)
(Screenshot.)

Tracefile Viewer (2)
(Screenshot.)

Tracefile Viewer (3)
(Screenshot.)

Tools for VDM in Industry (agenda)
✓ IFAD Clients Experiences
✓ ”Bootstrapping” VDMTools
✓ Overview of VDMTools
✓ The Overture/Eclipse Initiative
→ Vision for the future (current section)

VDMTools future
• IFAD went bankrupt April 2004
• CSK (mother company for JFITS) from Japan bought the IPR for VDMTools from the bankruptcy
• VDMTools executable and documentation are available again
  • Academic version
  • Non-commercial version
  • Commercial version
  • All freely available!!
• A new book on VDM++ was released January 2005

Extending VDM++ with better support for distributed real-time
• Today embedded real-time systems are increasingly distributed
• Hard to master complexity within tight time schedules
• Current research work extends VDM++ with better support for describing and analyzing this
  • Possibility to use CPUs and BUSes inside system
  • Deployment of objects to CPUs
  • Setting priorities of operations
  • Introduction of asynchronous operations
  • Cycles statement in addition to duration statement

Combining with continuous time
(Diagram.)

An email from an old (very good) student …
At that time I understood that a formal specification would be an advantage for big projects but I had no idea how desperately this is also needed in smaller projects when there are many people involved. Today I do know: At the moment I am working at BMW in the communications department. We work on the integration of the car telephone (including a telematics unit with GPS coordinates) into the overall car. There is a lot of interaction between the telephone and the HMI of the car and there are different versions and types of all the involved devices. There are also five companies (BMW, Motorola, Siemens VDO, Harmann-becker, Alpine) who develop the different units. The system should not be so complex because many of the devices should (!) behave similarly. But the specifications we write are English plain text (hundreds of pages), in our department more than 10 people are involved and we do not know anymore how the devices will behave ourselves... every external company has its own interpretation of the specs and this interpretation changes over time. If you ask the same person twice you get different answers (I frankly admit that I am no exception)... You can imagine how "efficient" everything is and it's a miracle that the system still works (with a number of bugs though)...

Go out and use the principles at least!