Jeannette M. Wing, Carnegie Mellon University

Applied to computer systems development, formal methods provide mathematically based techniques that describe system properties. As such, they present a framework for systematically specifying, developing, and verifying systems.

Formal methods used in developing computer systems are mathematically based techniques for describing system properties. Such formal methods provide frameworks within which people can specify, develop, and verify systems in a systematic, rather than ad hoc, manner.

A method is formal if it has a sound mathematical basis, typically given by a formal specification language. This basis provides the means of precisely defining notions like consistency and completeness and, more relevantly, specification, implementation, and correctness. It provides the means of proving that a specification is realizable, proving that a system has been implemented correctly, and proving properties of a system without necessarily running it to determine its behavior.

A formal method also addresses a number of pragmatic considerations: who uses it, what it is used for, when it is used, and how it is used. Most commonly, system designers use formal methods to specify a system's desired behavioral and structural properties. However, anyone involved in any stage of system development can make use of formal methods. They can be used in the initial statement of a customer's requirements, through system design, implementation, testing, debugging, verification, and evaluation.

Formal methods are used to reveal ambiguity, incompleteness, and inconsistency in a system. When used early in the system development process, they can reveal design flaws that otherwise might be discovered only during costly testing and debugging phases. When used later, they can help determine the correctness of a system implementation and the equivalence of different implementations.

For a method to be formal, it must have a well-defined mathematical basis.
A Specifier's Introduction to Formal Methods
COMPUTER

It need not address any pragmatic considerations, but lacking such considerations would render it useless. Hence, a formal method should possess a set of guidelines or a style sheet that tells the user the circumstances under which the method can and should be applied, as well as how it can be applied most effectively.

One tangible product of applying a formal method is a formal specification. A specification serves as a contract, a valuable piece of documentation, and a means of communication between a client, a specifier, and an implementer. Because of their mathematical basis, formal specifications are more precise and usually more concise than informal ones.

Since a formal method is a method and not a tool, it may or may not have tool support. If the syntax of a formal method's specification language is made explicit, providing standard syntax analysis tools for formal specifications is trivial. If the language's semantics are sufficiently restricted, varying degrees of semantic analysis can be performed with machine aids as well. Thus, formal specifications have the additional advantage over informal ones of being amenable to machine analysis and manipulation.

For more on the benefits of formal specifications, the distinction between a method and a language, and what specifying a computer system means, see Lamport.

What is a specification language?

A formal specification language provides a formal method's mathematical basis. I borrowed the terms and definitions that follow from Guttag et al. Burstall and Goguen have used the term "language" and more recently the term "institution" for the notion of a formal specification language.

Definition: A formal specification language is a triple <Syn, Sem, Sat>, where Syn is the syntactic domain, Sem is the semantic domain, and Sat is the satisfies relation between them.

Definition: Given a specification language <Syn, Sem, Sat>, the specificand set of a specification spec ∈ Syn is the set of all objects prog ∈ Sem such that Sat(spec, prog).

Less formally, a formal specification language provides a notation (its syntactic domain), a universe of objects (its semantic domain), and a precise rule defining which objects satisfy each specification. A specification is a sentence written in terms of the elements of the syntactic domain. It denotes a specificand set, a subset of the semantic domain.
A specificand is an object satisfying a specification. The satisfies relation provides the meaning, or interpretation, for the syntactic elements.

Backus-Naur form is an example of a simple formal specification language, with a set of grammars as its syntactic domain and a set of strings as its semantic domain. Every string is a specificand of each grammar that generates it. Every specificand set is a formal language.

In principle, a formal method is based on some well-defined formal specification language. In practice, however, this language may not have been explicitly given. The more explicit the specification language's definition, the more well-defined the formal method. Formal methods differ because their specification languages have different syntactic and/or semantic domains. Even if they have identical syntactic and semantic domains, they may have different satisfies relations.

Syntactic domains. We usually define a specification language's syntactic domain in terms of a set of symbols (for example, constants, variables, and logical connectives) and a set of grammatical rules for combining these symbols into well-formed sentences. For example, using standard notation for universal quantification (∀) and logical implication (⇒), let x be a logical variable and P and Q be predicate symbols. Then this sentence, ∀x. P(x) ⇒ Q(x), would be well-formed in predicate logic, but this one, ∀x. ⇒ P(x) ⇒ Q(x), would not be, because ⇒ is a binary logical connective.

A syntactic domain need not be restricted to text: graphical elements such as boxes, circles, lines, arrows, and icons can be given a formal semantics just as precisely as textual ones. A well-formedness condition on such a visual specification might be that all arrows start and stop at boxes.

Semantic domains. Specification languages differ most in their choice of semantic domain. The following are some examples:

• Abstract-data-type specification languages are used to specify algebras, theories, and programs.
Though specifications written in these languages range over different semantic domains, they often look syntactically similar.

• Concurrent and distributed systems specification languages are used to specify state sequences, event sequences, state and transition sequences, streams, synchronization trees, partial orders, and state machines.

• Programming languages are used to specify functions from input to output, computations, predicate transformers, relations, and machine instructions.

Each programming language (with a well-defined formal semantics) is a specification language, but the reverse is not true, because specifications in general do not have to be executable on some machine, whereas programs do. By using a more abstract specification language, we gain the advantage of not being restricted to expressing only computable functions. It is perfectly reasonable in a specification to express notions like "For all x in set A, there exists a y in set B such that property P holds of x and y," where A and B might be infinite.

Programs, however, are formal objects, susceptible to formal manipulation (for example, compilation and execution). Thus, programmers cannot escape from formal methods. The question is whether they work with informal requirements and formal programs, or whether they use additional formalism to assist them during requirements specification.

When a specification language's semantic domain is over programs or systems of programs, the term implements is used for the satisfies relation, and the term implementation is used for a specificand in Sem. An implementation prog is correct with respect to a given specification spec if prog satisfies spec. More formally,

Definition: Given a specification language
<Syn, Sem, Sat>, an implementation prog ∈ Sem is correct with respect to a specification spec ∈ Syn if and only if Sat(spec, prog).

Satisfies relation. We often would like to specify different aspects of a single specificand, perhaps using different specification languages. For example, you might want to specify the functional behavior of a collection of program modules as the composition of the functional behaviors of the individual modules. You might additionally want to specify a structural relationship between the modules, such as what set of modules each module directly invokes.

To accommodate these different views of a specificand, we first associate with each specification language a semantic abstraction function A, which partitions specificands in Sem into equivalence classes. For a given specification language, we choose a semantic abstraction function to induce an abstract satisfies relation between specifications and equivalence classes of specificands. This relation defines a view on specificands.

Definition: Given a specification language <Syn, Sem, Sat> and a semantic abstraction function A defined on Sem, the induced abstract satisfies relation ASat is such that, for all spec ∈ Syn and prog ∈ Sem, Sat(spec, prog) ⇒ ASat(spec, A(prog)).

Different semantic abstraction functions make it possible to describe multiple views of the same equivalence class of systems or, similarly, to impose different kinds of constraints on these systems. Having several specification languages with different semantic abstraction functions for a single semantic domain can be useful. This encourages and supports complementary specifications of different aspects of a system.

For example, in Figure 1, a single semantic domain, Sem, is on the right. One semantic abstraction function partitions specificands in Sem into a set of equivalence classes, three of which are drawn as blobs in solid lines. Another partitions specificands into a different set of equivalence classes, two of which are drawn as blobs in dashed lines.
Via the abstract satisfies relation ASat1, specification A of syntactic domain Syn1 maps to one equivalence class of specificands (denoted by a solid-lined blob), and via ASat2, specification B of syntactic domain Syn2 maps to a different equivalence class of specificands (denoted by a dashed-line blob). Note the overlap between the solid-lined and dashed-line blobs.

To be concrete, suppose Sem is a library of Ada program modules. Imagine that A specifies (perhaps through a predicate in first-order logic) all procedures that sort arrays and B specifies (perhaps through a call graph) all procedures that call functions on a user-defined enumeration type E. Then, a procedure that sorts arrays of E might be in the intersection of ASat1(A) and ASat2(B).

Two broad classes of semantic abstraction functions are those that abstract preserving each system's behavior and those that abstract preserving each system's structure. In the example above, A specifies a behavioral aspect of the Ada program modules, but B describes a structural aspect.

Behavioral specifications. Behavioral specifications describe only constraints on the observable behavior of specificands. The behavioral constraint that most formal methods address is a system's required functionality (that is, its mapping from inputs to outputs). Current research in formal methods addresses other behavioral aspects such as fault tolerance, safety, security, response time, and space efficiency. Often, some of these behavioral aspects, such as security, are included as part of, rather than separate from, a system's functionality. If the overall correctness of a system is defined so that it must satisfy more than one behavioral constraint, a system that satisfies one but not another would be incorrect. For example, if functionality and response time were the constraints of interest, a system producing correct answers past deadlines would be just as unacceptable as a system producing incorrect answers on time.

Structural specifications.
September 1990

Structural specifications describe constraints on the internal composition of specificands. Example structural specification languages are module interconnection languages. Structural specifications capture various kinds of hierarchical and uses relations, such as those represented by procedure-call graphs, data dependency diagrams, and definition-use chains. Systems that satisfy the same structural constraints do not necessarily satisfy the same behavioral constraints. Moreover, the structure of a specification need not bear a direct relationship to the structure of its specificands.

Properties of specifications. Each specification language should be defined so that each well-formed specification is unambiguous.

Definition: Given a specification language <Syn, Sem, Sat>, a specification spec ∈ Syn is unambiguous if and only if spec maps to exactly one specificand set.

Informally, a specification is unambiguous if and only if it has exactly one meaning. This key property of formal specifications means that any specification language based on or incorporating a natural language (like English) is not formal, since natural languages are inherently ambiguous. It also means that a visual specification language that permits multiple interpretations of a box and/or arrow is ill-defined, and hence not formal.

Another desirable property of specifications is consistency.

Definition: Given a specification language <Syn, Sem, Sat>, a specification spec ∈ Syn is consistent (or satisfiable) if and only if spec maps to a nonempty specificand set.

Informally, a specification is consistent if and only if its specificand set is nonempty. In terms of programs, consistency is important because it means there is some implementation that will satisfy the specification. If you view a specification as a set of facts, consistency implies that you cannot derive anything contradictory from the specification. Were you to pose a question based on a consistent specification, you would not get mutually exclusive answers.
Obviously, we want consistent specifications. An inconsistent specification, which negates on one occasion what it asserts on another, means you have no knowledge at all.

Specifications need not be complete in the sense used in mathematical logic, though certain relative-completeness properties might be desirable (for example, sufficient completeness of an algebraic specification). In practice, you must usually deal with incomplete specifications. Why? Specifiers may intentionally leave some things unspecified, giving the implementer some freedom to choose among different data structures and algorithms. Also, specifiers cannot realistically anticipate all possible scenarios in which a system will be run and thus, perhaps unwittingly, have left some things unspecified. Finally, specifiers develop specifications gradually and iteratively, perhaps in response to changing customer requirements, and hence work with unfinished products more often than finished ones.
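The following is an added worked example, not code from the paper: a toy model of the triple <Syn, Sem, Sat>, the specificand set, consistency, and two semantic abstraction functions (one behavioral, one structural) over a constructed module library in the spirit of the Ada sorting example. The module names, the observation points and the three specifications are all made up, and reading the induced ASat as the smallest relation satisfying the definition's implication is an assumption of this example.

```python
# Toy model of a specification language as the triple <Syn, Sem, Sat>.
# Constructed illustration, not code from the paper; the modules, the
# observation points and the three specifications are all made up.
TEST_INPUTS = ([3, 1, 2], [], [2, 2, 1])  # constructed observation points
# Sem: a made-up "library" of modules, each with an observable behaviour
# and a structural property (the names of the functions it invokes).
SEM = {
    "SortA":   {"run": lambda xs: sorted(xs),               "calls": {"compare"}},
    "SortB":   {"run": lambda xs: sorted(list(xs)),         "calls": {"compare", "E_to_int"}},
    "Reverse": {"run": lambda xs: sorted(xs, reverse=True), "calls": {"compare"}},
    "Copy":    {"run": lambda xs: list(xs),                 "calls": {"E_to_int"}},
}
# Syn: specifications, written here as predicates on a module.
SYN = {
    # behavioural: output equals the sorted input at every observation point
    "sorts_arrays": lambda m: all(m["run"](x) == sorted(x) for x in TEST_INPUTS),
    # structural: the module invokes a function on the enumeration type E
    "calls_E_functions": lambda m: "E_to_int" in m["calls"],
    # unsatisfiable: ascending and descending order at the same time
    "sorts_both_ways": lambda m: all(
        m["run"](x) == sorted(x) == sorted(x, reverse=True) for x in TEST_INPUTS),
}

def sat(spec, prog):
    """The satisfies relation Sat(spec, prog)."""
    return SYN[spec](SEM[prog])

def specificand_set(spec):
    """Specificand set of spec: every prog in Sem with Sat(spec, prog)."""
    return frozenset(p for p in SEM if sat(spec, p))

def is_consistent(spec):
    """Consistent (satisfiable) iff the specificand set is non-empty."""
    return bool(specificand_set(spec))

# Two semantic abstraction functions: one preserves behaviour, one structure.
def behaviour(prog):
    return tuple(tuple(SEM[prog]["run"](x)) for x in TEST_INPUTS)

def structure(prog):
    return frozenset(SEM[prog]["calls"])

def partition(abstraction):
    """Equivalence classes of Sem induced by an abstraction function."""
    classes = {}
    for p in SEM:
        classes.setdefault(abstraction(p), set()).add(p)
    return {k: frozenset(v) for k, v in classes.items()}

def asat(spec, cls, abstraction):
    """Induced abstract satisfies relation, read as the smallest relation with
    Sat(spec, prog) => ASat(spec, A(prog)): some member of the class satisfies spec."""
    return any(sat(spec, p) for p in SEM if abstraction(p) == cls)
```

SortA and SortB fall into one behavioural class but different structural classes, which is the overlap of solid and dashed blobs the text describes; sorts_both_ways has an empty specificand set and so is inconsistent.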
