Tools for Formal Software Engineering

We propose a collaboration project to integrate the research effort and results obtained at UNU-IIST on formal techniques in component and object systems with research at TRDDC in modelling and development of tools that support object-oriented and component-based design. The main theme is an integration of verification techniques with engineering methods of modelling and design, and an integration of verification tools and transformation tools. This will result in a method in which a correct program can be developed through transformations that are either proven to be correct or by showing that the transformed model can be proven correct by a verification tool. Transformations include those for model construction and those that invoke verification tools. 1 Formal Software Engineering and the Grand Challenge The goal of the Verifying Compiler Grand Challenge [14] is to build a verifying compiler that “uses mathematical and logical reasoning to check the programs that it compiles.” This implies that “a program should be allowed to run only if it is both syntactically and semantically correct” [28]. To achieve this goal, the whole computing community have to deal with a wide range of issues and to overcome a great deal of difficulties, among which are [13] 1. arriving at automated, or even manual, procedures of abstraction that enables a compiler to work in combination with different program development and testing tools, 2. studying what, where, when and how the correctness properties, i.e. assertions and annotations, are identified and specified, 3. identifying properties that can be verified compositionally, and designing specification notations and models to support more compositional specification, analysis and verification. 4. making tools that are scalable even with specified correctness criteria, In our view, theories and techniques are a long way from being able to solve the first three problems, and solutions to these problems will be useful in dealing with the fourth problem. In this position paper, we propose the development Formal Software Engineering as a method to develop large software systems using engineering methods and tools that are verifiable. We propose formal modelling of requirements and design, and the automatic generation of code to achieve this. We believe that this effort will contribute towards a solution to the problems stated earlier. In particular, we propose a collaborative project on software development technology and tools that helps in correctness by construction [28]. 1.1 The state of the art in software engineering Software engineering is mainly concerned with the systematic development of large and complex systems. To cope with the required scale traditional software engineers divide the problem along three axes development phases, aspects and evolutions. The development phases are Requirements, Design and Implementation. Each development phase is divided into different aspects, such as: – static data model, control flow or processes and operations in the requirements phase; – design strategies for concurrency, efficiency and security in the design phase. These strategies are commonly expressed as design patterns [6]; and – databases, user interface and libraries for security in the implementation phase. The third axis is that of system evolution [15, 16] where each evolutionary step enhances the system by iterating through the requirements implementation cycle. Unfortunately all aspects are specified using informal techniques and therefore this approach does not give the desired assurances and productivity. The main problems are: – Since the requirements description is informal there is no way to check for its completeness, often resulting in gaps. – The gaps in requirements are often filled by ad-hoc decisions taken by programmers who are not qualified for the same. This results in rework during testing and commissioning. – There is no traceability between requirements and the implementation, making it very expensive to accommodate changes and maintain the system. – Most of the available tools are for project management and system testing. Although these are useful, they are not enough to ensure the semantic alignment of the implementation w.r.t a requirements specification and semantic consistency of any changes made in the system. 1.2 The state of the art of formal methods Formal methods, on the other hand, attempt to complement informal engineering methods by techniques for formal modelling, specification, verification and refinement [30, 7]. In principle, a formal system development starts with an abstract specification and transforms it into a program through a number of refinement steps. The method is supported by a sound logical framework but it is only suited for the development of relatively small programs. In practice, only some significant properties of a part of the system are formally specified and verified for an abstract model of the implementation by a model checking tool or a theorem prover or even by hand. It is still a great challenge to scale up formal methods to industry scale because of the problems listed below. – Each development is usually a new development with very little reuse of past development. – There is no clear separation between requirements, design and implementation making it difficult for domain experts, architects and programmers to collaborate towards a single solution. – Because of the theoretical goal of completeness and independence, refinement calculi provide rules only for a small change in each step. Refinement calculi therefore do not scale up in practice. Data refinement requires definition of a semantic relation between the programs (their state space) and is hard to be applied systematically. – Given low level designs or implementations it is not easy for software engineers to build correct and proper models that can be verified by model checking tools. – There is no explicit support for productivity enhancing techniques such as componentbased development or aspect-oriented development. Both formal methods and the methods adopted by software engineers are far from meeting the quality and productivity needs of the industry, which continues to be plagued by high development and maintenance costs. Complete assurance of correctness requires too much to specify and verify and thus a full automation of the verification is in feasible. However, recently there have been encouraging developments in both approaches. The software engineering community has started using precise models for early requirement analysis and design [26, 5]. Theories and methods for object-oriented, componentbased and aspect-oriented modelling and development are gaining the attention of the formal methods community. There are attempts to investigate formal aspects of objectoriented refinement, design patterns, refactoring and coordination [3, 12, 4, 20].