research-article

Formal methods: Practice and experience

Authors:

Peter Gorm Larsen,

Juan Bicarregui,

John FitzgeraldAuthors Info & Claims

ACM Computing Surveys (CSUR), Volume 41, Issue 4

Article No.: 19, Pages 1 - 36

https://doi.org/10.1145/1592434.1592436

Published: 09 October 2009 Publication History

Abstract

Formal methods use mathematical models for analysis and verification at any part of the program life-cycle. We describe the state of the art in the industrial use of formal methods, concentrating on their increasing use at the earlier stages of specification and design. We do this by reporting on a new survey of industrial use, comparing the situation in 2009 with the most significant surveys carried out over the last 20 years. We describe some of the highlights of our survey by presenting a series of industrial projects, and we draw some observations from these surveys and records of experience. Based on this, we discuss the issues surrounding the industrial adoption of formal methods. Finally, we look to the future and describe the development of a Verified Software Repository, part of the worldwide Verified Software Initiative. We introduce the initial projects being used to populate the repository, and describe the challenges they address.

References

[1]

Abrial, J.-R. 1996. The B-book: Assigning Programs to Meanings. Cambridge University Press, Cambridge, MA.

[2]

Abrial, J.-R. 2007. Formal methods: Theory becoming practice. JUCS 13, 5, 619--628.

[3]

Allen, R. 1997. A formal approach to software architecture. Ph.D. dissertation, School of Computer Science, Carnegie Mellon University. Issued as CMU Technical Report CMU-CS-97-144.

Digital Library

[4]

Allen, R. B. and Garlan, D. 1992. A formal approach to software architectures. In Algorithms, Software, Architecture—Information Processing '92, Volume 1, Proceedings of the IFIP 12th World Computer Congress, Madrid, Spain, 7--11 Sep. 1992, J. van Leeuwen, Ed. IFIP Transactions, vol. A-12. North-Holland, Amsterdam, 134--141.

Digital Library

[5]

Arvind, Dave, N., and Katelman, M. 2008. Getting formal verification into design flow. In FM 2008: Formal Methods. Lecture Notes in Computer Science, vol. 5014. Springer-Verlag, Berlin, Heidelberg, Germany, 12--32.

Digital Library

[6]

Austin, S. and Parkin, G. 1993. Formal methods: A survey. Tech. rep., National Physical Laboratory, Teddington, Middlesex, UK. Mar.

[7]

Avigad, J. 2007. Course: Practical decision procedures. www.andrew.cmu.edu/user/avigad/practical/. Cited 9 Mar. 2009.

[8]

Aydal, E. G., Paige, R. F., and Woodcock, J. 2007. Evaluation of OCL for large-scale modelling: A different view of the Mondex purse. In MoDELS Workshops. Lecture Notes in Computer Science, vol. 5002. Springer, Berlin, Heidelberg, Germany, 194--205.

Digital Library

[9]

Back, R.-J. and von Wright, J. 1990. Refinement calculus, Part I: Sequential nondeterministic programs. In Proceedings of the Stepwise Refinement of Distributed Systems, Models, Formalisms, Correctness, REX Workshop. Lecture Notes in Computer Science, vol. 430. Springer-Verlag, Berlin, Heidelberg, Germany, 42--66.

Digital Library

[10]

Badeau, F. and Amelot, A. 2005. Using B as a high level programming language in an industrial project: Roissy VAL. In ZB. Lecture Notes in Computer Science, vol. 3455. Springer-Verlag, Berlin, Heidelberg, Germany, 334--354.

Digital Library

[11]

Ball, T. and Rajamani, S. K. 2002. The SLAM project: Debugging system software via static analysis. In POPL, ACM, New York, 1--3.

Digital Library

[12]

Balser, M., Reif, W., Schellhorn, G., Stenzel, K., and Thums, A. 2000. Formal system development with KIV. In Proceedings of the 3rd International Conference on Fundamental Approaches to Software Engineering, FASE 2000 (Held as Part of the European Joint Conferences on the Theory and Practice of Software, ETAPS 2000). Lecture Notes in Computer Science, vol. 1783. Springer-Verlag, Berlin, Heidelberg, Germany, 363--366.

Digital Library

[13]

Barnes, J. 2003. High Integrity Ada: The SPARK Approach to Safety and Security. Addison-Wesley, Reading, MA.

Digital Library

[14]

Barnes, J., Chapman, R., Johnson, R., Widmaier, J., Cooper, D., and Everett, B. 2006. Engineering the Tokeneer enclave protection system. In Proceedings of the 1st International Symposium on Secure Software Engineering. IEEE Computer Society Press, Los Alamitos, CA.

[15]

Barrett, C., Sebastiani, R., Seshia, S. A., and Tinelli, C. 2008. Satisfiability modulo theories. In Handbook of Satisfiability, IOS Press, Amsterdam, The Netherlands, Chapter 12, 737--797.

[16]

Barrett, G. 1987. Formal methods applied to a floating-point number system. Technical Monograph PRG-58, Oxford University Computing Laboratory, Oxford Univ.

[17]

Barrett, G. 1989. Formal methods applied to a floating-point number system. IEEE Trans. Software Eng. 15, 5, 611--621.

Digital Library

[18]

Barrett, G. 1990. Verifying the Transputer. In Transputer Research and Applications, Proceedings of the 1st Conference of the North American Transputer Users Group, IOS, Amsterdam, The Netherlands, 17--24.

Digital Library

[19]

Behm, P., Benoit, P., Faivre, A., and Meynadier, J.-M. 1999. Météor: A successful application of B in a large project. In World Congress on Formal Methods. Lecture Notes in Computer Science, vol. 1708. Springer-Verlag, Berlin, Heidelberg, Germany, 369--387.

Digital Library

[20]

Berry, G. 2008. Synchronous design and verification of critical embedded systems using SCADE and Esterel. In Proceedings of the Formal Methods for Industrial Critical Systems. Lecture Notes in Computer Science, vol. 4916. Springer-Verlag, Berlin, Heidelberg Germany.

Digital Library

[21]

Bicarregui, J., Hoare, C. A. R., and Woodcock, J. C. P. 2006. The Verified Software Repository: A step towards the verifying compiler. Formal Asp. Comput. 18, 2, 143--151.

[22]

Blanchet, B., Cousot, P., Cousot, R., Feret, J., Mauborgne, L., Miné, A., Monniaux, D., and Rival, X. 2003. A static analyzer for large safety-critical software. In PLDI, ACM, New York, 196--207.

Digital Library

[23]

Bloomfield, R. and Craigen, D. 1999. Formal methods diffusion: Past lessons and future prospects. Tech. Rep. D/167/6101, Adelard, Coborn House, 3 Coborn Road, London, UK. Dec.

[24]

Börger, E. and Stärk, R. 2003. Abstract State Machines: A Method for High-Level System Design and Analysis. Springer-Verlag, Berlin, Heidelberg Germany.

Digital Library

[25]

Bowen, J. and Stavridou, V. 1993. Safety-critical systems, formal methods and standards. Softw. Eng. J. 8, 4, 189--209.

[26]

Bowen, J. P. and Hinchey, M. G. 1995. Ten commandments of formal methods. IEEE Comput. 28, 4 (Apr.), 56--62.

Digital Library

[27]

Bowen, J. P. and Hinchey, M. G. 2006. Ten commandments of formal methods… ten years later. IEEE Comput. 39, 1 (Jan.), 40--48.

Digital Library

[28]

Burdy, L., Cheon, Y., Cok, D. R., Ernst, M. D., Kiniry, J. R., Leavens, G. T., Leino, K. R. M., and Poll, E. 2005. An overview of JML tools and applications. Softw. Tools. tech. Trans. 7, 3, 212--232.

[29]

Bush, W. R., Pincus, J. D., and Sielaff, D. J. 2000. A static analyzer for finding dynamic programming errors. Softw., Pract. Exper. 30, 7, 775--802.

Digital Library

[30]

Butler, M. and Yadav, D. 2008. An incremental development of the Mondex system in Event-B. Formal Asp. Comput. 20, 1, 61--77.

Digital Library

[31]

Butterfield, A. 1997. Introducing formal methods to existing processes. In Proceedings of the IEEE Colloquium on Industrial Use of Formal Methods, IET, 7--10.

[32]

CADE. 2009. The CADE ATP system competition: The world championship for 1st order automated theorem proving. www.cs.miami.edu/~tptp/CASC/. Cited 9 Mar. 2009.

[33]

Cavalcanti, A., Clayton, P., and O'Halloran, C. 2005. Control law diagrams in circus. In FM 2005: Formal Methods, Lecture Notes in Computer Science, vol. 3582. Springer-Verlag, Berlin, Heidelberg, Germany, 253--268.

Digital Library

[34]

CCRA. 2006. Common criteria for information technology security evaluation. Part 1: Introduction and general model. Tech. Rep. CCMB-2006-09-001, Version 3.1, Revision 1, Common Criteria Recognition Agreement. Sept.

[35]

Chalin, P., Kiniry, J. R., Leavens, G. T., and Poll, E. 2006. Beyond assertions: Advanced specification and verification with JML and ESC/Java2. In Proceedings of the 4th International Symposium on Formal Methods for Components and Objects, FMCO 2005. Lecture Notes in Computer Science, vol. 4111. Springer-Verlag, Berlin, Heidelberg, Germany, 342--363.

Digital Library

[36]

Chapman, R. 2008. Tokeneer ID Station Overview and Reader's Guide. Tech. Rep. S.P1229.81.8, Issue 1.0, Praxis High Integrity Systems.

[37]

Clarke, E. M., Gupta, A., Jain, H., and Veith, H. 2008. Model checking: Back and forth between hardware and software. In Verified Software: Theories, Tools, Experiments, First IFIP TC 2/WG 2.3 Conference, VSTTE 2005, Revised Selected Papers and Discussions. Lecture Notes in Computer Science, vol. 4171. Springer-Verlag, Berlin, Heidelberg, Germany, 251--255.

Digital Library

[38]

Clarke, E. M. and Wing, J. M. 1996. Formal methods: State of the art and future directions. ACM Comput. Surv, 28, 4, 626--643.

Digital Library

[39]

Clarke, L. A. and Rosenblum, D. S. 2006. A historical perspective on runtime assertion checking in software development. ACM SIGSOFT Softw. Eng. Notes 31, 3, 25--37.

Digital Library

[40]

Craigen, D., Gerhart, S., and Ralston, T. 1993a. An International Survey of Industrial Applications of Formal Methods. Vol. 1 Purpose, Approach, Analysis and Conclusions. U.S. Department of Commerce, Technology Administration, National Institute of Standards and Technology, Computer Systems Laboratory, Gaithersburg, MD.

[41]

Craigen, D., Gerhart, S., and Ralston, T. 1993b. An International Survey of Industrial Applications of Formal Methods. Vol. 2 Case Studies. U.S. Department of Commerce, Technology Administration, National Institute of Standards and Technology, Computer Systems Laboratory, Gaithersburg, MD.

[42]

Cuadrado, J. 1994. Teach formal methods. Byte 19, 12 (Dec.), 292.

[43]

Das, M., Lerner, S., and Seigle, M. 2002. ESP: Path-sensitive program verification in polynomial time. In Proceedings of the Symposium on Programming Language Design and Implementation (PLDI). ACM, New York, 57--68.

Digital Library

[44]

DBLP. 2009. Computer Science bibliography. www.informatik.uni-trier.de/~ley/db/. Cited 9 Mar. 2009.

[45]

Dennis, L. A., Collins, G., Norrish, M., Boulton, R. J., Slind, K., and Melham, T. F. 2003. The PROSPER toolkit. Int. J. Softw. Tools Techn. Trans. 4, 2 (Feb.), 189--210.

[46]

Deploy. 2009. www.deploy-project.eu. Cited 9 Mar. 2009.

[47]

Dijkstra, E. W. 1975. Guarded commands, nondeterminacy and formal derivation of programs. Commun. ACM 18, 8, 453--457.

Digital Library

[48]

EPSRC. 2009. Engineering and Physical Sciences Research Council. www.epsrc.ac.uk. Cited 9 Mar. 2009.

[49]

Evans, D. and Larochelle, D. 2002. Improving security using extensible lightweight static analysis. IEEE Softw. 19, 42--52.

Digital Library

[50]

Finney, K. and Fenton, N. Evaluating the effectiveness of Z: The claims made about CICS and where we go from here. J. Syst. Softw. 35, 209--216.

Digital Library

[51]

Fitzgerald, J., Larsen, P. G., and Sahara, S. 2008. VDMTools: Advances in support for formal modeling in VDM. SIGPLAN Notices 43, 2 (Feb.), 3--11.

Digital Library

[52]

Floyd, R. 1967. Assigning meanings to programs. In Mathematical Aspects of Computer Science, Proceedings of Symposia in Applied Mathematics, Rhode Island. American Mathematical Society, Providence, RI, 19--32.

[53]

Freitas, L. and Woodcock, J. 2008. Mechanising Mondex with Z/Eves. Formal Asp. Comput. 20, 1, 117--139.

Digital Library

[54]

Gaudel, M.-C. 1995. Testing can be formal, too. In TAPSOFT'95: Proceedings of the 6th International Joint Conference Theory and Practice of Software Development, CAAP/FASE. Lecture Notes in Computer Science, vol. 915. Springer-Verlag, Berlin, Heidelberg, 82--96.

Digital Library

[55]

George, C. and Haxthausen, A. E. 2008. Specification, proof, and model checking of the Mondex electronic purse using RAISE. Formal Asp. Comput. 20, 1, 101--116.

[56]

George, V. and Vaughn, R. 2003. Application of lightweight formal methods in requirement engineering. Crosstalk: The J. Defense Softw. Eng.

[57]

Ghose, A. 2000. Formal methods for requirements engineering. In Proceedings of the 2000 International Symposium on Multimedia Software Engineering (ISMSE 2000). IEEE Computer Society Press, Los Alamitos, CA, 13--16.

Digital Library

[58]

Gibbons, J. 1993. Formal methods: Why should I care&quest; The development of the T800 Transputer floating-point unit. In Proceedings of the 13th New Zealand Computer Society Conference, New Zealand Computer Society, Auckland, NZ, 207--217.

[59]

Gibbs, W. W. 1994. Software's chronic crisis. Sci. Amer. 271, 3 (Sept.), 72--81.

[60]

Glass, R. L. 1996. Formal methods are a surrogate for a more serious software concern. IEEE Comput. 29, 4 (Apr.), 19.

[61]

Goldsmith, M., Cox, A., and Barrett, G. 1987. An algebraic transformation system for Occam programs. In STACS. Lecture Notes in Computer Science, vol. 247. Springer-Verlag, Berlin, Heidelberg, Germany, 481.

Digital Library

[62]

Greve, D. and Wilding, M. 2002. Evaluatable, high-assurance microprocessors. In Proceedings of the NSA High-Confidence Systems and Software Conference (HCSS).

[63]

Guiho, G. D. and Hennebert, C. 1990. SACEM software validation (experience report). In ICSE: Proceedings of the 12th International Conference on Software Engineering. IEEE Computer Society Press, Los Alamitos, CA, 186--191.

Digital Library

[64]

Hall, A. 1990. Seven myths of formal methods. IEEE Softw. 7, 5 (Sept.), 11--19.

Digital Library

[65]

Hall, A. and Chapman, R. 2002. Correctness by construction: Developing a commercial secure system. IEEE Softw. 19, 1, 18--25.

Digital Library

[66]

Haneberg, D., Schellhorn, G., Grandy, H., and Reif, W. 2008. Verification of Mondex electronic purses with KIV: From transactions to a security protocol. Formal Asp. Comput. 20, 1, 41--59.

[67]

Hennebert, C. and Guiho, G. D. 1993. SACEM: A fault tolerant system for train speed control. In Proceedings of the Fault Tolerence Computing Systems (FTCS). IEEE Computer Society Press, Los Alamitos, CA, 624--628.

[68]

Hierons, R. M., Bowen, J. P., and Harman, M., Eds. 2008. Formal Methods and Testing An Outcome of the FORTEST Network. Revised Selected Papers. Lecture Notes in Computer Science, vol. 4949. Springer-Verlag, Berlin, Heidelberg, Germany.

Digital Library

[69]

Hinchey, M. G. and Bowen, J. P. 1995. Applications of Formal Methods. Prentice-Hall, Englewood Cliffs, NJ.

Digital Library

[70]

Hinchey, M. G. and Bowen, J. P. 1996. To formalize or not to formalize&quest; IEEE Comput. 29, 4 (Apr.), 18--19.

Digital Library

[71]

Hoare, C. A. R. 1969. An axiomatic basis for computer programming. Commun. ACM 12, 10 (Oct.), 576--581.

Digital Library

[72]

Hoare, C. A. R. 1972. Proof of correctness of data representations. Acta Inf. 1, 271--281.

Digital Library

[73]

Hoare, C. A. R. 1985. Communicating Sequential Processes. Prentice-Hall, Englewood Cliffs, NJ.

Digital Library

[74]

Hoare, C. A. R. 2002a. Assertions in modern software engineering practice. In Proceedings of the 26th International Computer Software and Applications Conference (COMPSAC 2002), Prolonging Software Life: Development and Redevelopment. IEEE Computer Society Press, Los Alamitos, CA, 459--462.

Digital Library

[75]

Hoare, C. A. R. 2003. The verifying compiler: A Grand Challenge for computing research. J. ACM 50, 1, 63--69.

Digital Library

[76]

Hoare, T. 2002b. Assert early and assert often: Practical hints on effective asserting. Presentation at Microsoft Techfest.

[77]

Hoare, T. 2007. The ideal of program correctness: Third Computer Journal Lecture. Comput. J. 50, 3, 254--260.

[78]

Hoare, T. and Misra, J. 2008. Verified software: Theories, tools, and experiments: Vision of a Grand Challenge project. In Verified Software: Theories, Tools, and Experiments. First IFIP TC2/EG2.3 Conference, Lecture Notes in Computer Science, vol. 4171. Springer-Verlag, Berlin, Heidelberg, Germany, 1--18.

Digital Library

[79]

Holzmann, G. J. 2004. The SPIN Model Checker: Primer and Reference Manual. Addison-Wesley, Reading, MA.

Digital Library

[80]

Hommersom, A., Groot, P., Lucas, P. J. F., Balser, M., and Schmitt, J. 2007. Verification of medical guidelines using background knowledge in task networks. IEEE Trans. Knowl. Data Eng. 19, 6, 832--846.

Digital Library

[81]

Houston, I. and King, S. 1991. Experiences and results from the use of Z in IBM. In VDM '91: Formal Software Development Methods. Lecture Notes in Computer Science, vol. 551. Springer-Verlag, Berlin, Heidelberg, Germany, 588--595.

Digital Library

[82]

IEC. 1997. Functional safety of electrical/electronic/programmable electronic safety-related systems. Tech. Rep. IEC 61508, International Electrotechnical Commission.

[83]

IEEE. 1985. Standard for Binary Floating-Point Arithmetic, Standard 754-1985 ed. ANSI/IEEE, New York.

[84]

Inmos Ltd. 1988a. Occam2 Reference Manual. Prentice Hall, Englewood Cliffs, NJ.

[85]

Inmos Ltd. 1988b. Transputer Reference Manual. Prentice Hall, Englewood Cliffs, NJ.

Digital Library

[86]

ITSEC. 1991. Information technology security evaluation criteria (ITSEC): Preliminary harmonised criteria. Tech. Rep. Document COM(90) 314, Version 1.2, Commission of the European Communities. Jun.

[87]

Jackson, D. and Wing, J. 1996. Lightweight formal methods. IEEE Comput. 29, 4 (Apr.), 22--23.

[88]

Johnson, S. 1978. lint, a C program checker, Unix Programmer, Aos, Manual. Tech. Rep. 65, AT&T Bell Laboratories.

[89]

Jones, C. 1996. A rigorous approach to formal methods. IEEE Comput. 29, 4 (Apr.), 20--21.

[90]

Jones, C. B. 1990. Systematic Software Development Using VDM, 2nd ed. Prentice-Hall International, Englewood Cliffs, NJ.

Digital Library

[91]

Jones, C. B. and Pierce, K. G. 2007. What can the π-calculus tell us about the Mondex purse system&quest; In Proceedings of the 12th International Conference on Engineering of Complex Computer Systems (ICECCS 2007). IEEE Computer Society Press, Los Alamitos, CA, 300--306.

Digital Library

[92]

Jones, G. and Goldsmith, M. 1988. Programming in Occam2. Prentice-Hall, Englewood Cliffs, NJ.

Digital Library

[93]

Josey, A. 2004. The Single Unix Specification Version 3. Open Group, San Francisco, CA. ISBN: 193162447X.

[94]

Joshi, R. and Holzmann, G. J. 2007. A mini challenge: Build a verifiable filesystem. Formal Asp. Comput. 19, 2, 269--272.

[95]

Kars, P. 1997. The application of PROMELA and SPIN in the BOS project. In The SPIN Verification System: The Second Workshop on the SPIN Verification System. Proceedings of a DIMACS Workshop. DIMACS Series in Discrete Mathematics and Theoretical Computer Science, vol. 33. Rutgers University, Piscataway, NJ, 51--63.

[96]

Krishnaswami, N. R., Aldrich, J., Birkedal, L., Svendsen, K., and Buisse, A. 2009. Design patterns in separation logic. In Proceedings of TLDI'08: 2008 ACM SIGPLAN International Workshop on Types in Languages Design and Implementation. ACM, New York, 105--116.

Digital Library

[97]

Kuhlmann, M. and Gogolla, M. 2008. Modeling and validating Mondex scenarios described in UML and OCL with USE. Formal Asp. Comput. 20, 1, 79--100.

Digital Library

[98]

Kurita, T., Chiba, M., and Nakatsugawa, Y. 2008. Application of a formal specification language in the development of the “Mobile FeliCa” IC chip firmware for embedding in mobile phones. In FM 2008: Formal Methods. Lecture Notes in Computer Science. Springer-Verlag, Berlin, Heidelberg, Germany, 425--429.

Digital Library

[99]

Larsen, P. G. and Fitzgerald, J. 2007. Recent industrial applications of VDM in Japan. In FACS 2007 Christmas Workshop: Formal Methods in Industry, BCS, eWIC, London, U.K.

Digital Library

[100]

Larsen, P. G., Fitzgerald, J., and Brookes, T. 1996. Applying formal specification in industry. IEEE Softw. 13, 3 (May), 48--56.

Digital Library

[101]

Larus, J. R., Ball, T., Das, M., DeLine, R., Fähndrich, M., Pincus, J. D., Rajamani, S. K., and Venkatapathy, R. 2004. Righting software. IEEE Softw. 21, 3, 92--100.

Digital Library

[102]

Leino, K. R. M. 2007. Specifying and verifying programs in Spec&num;. In Perspectives of Systems Informatics, 6th International Andrei Ershov Memorial Conference, PSI 2006, Revised Papers. Lecture Notes in Computer Science, vol. 4378. Springer-Verlag, Berlin, Heidelberg, Germany, 20.

Digital Library

[103]

May, D., Barrett, G., and Shepherd, D. 1992. Designing chips that work. Philosoph. Trans. Roy. Soc. A 339, 3--19.

[104]

Meyer, B. 1991. In Advances in Object-Oriented Software Engineering, Prentice-Hall, Englewood Cliffs, NJ, Chapter Design by Contract, 1--50.

[105]

Miller, S. and Srivas, M. 1995. Formal verification of the AAMP5 microprocessor. In Proceedings of the Workshop on Industrial-Strength Formal Specification Techniques (WIFT95). IEEE Computer Society Press, Los Alamitos, CA.

Digital Library

[106]

Miller, S. P. 1998. The industrial use of formal methods: Was Darwin right&quest; In Proceedings of the 2nd IEEE Workshop on Industrial Strength Formal Specification Techniques. IEEE Computer Society Press, Los Alamitos, CA, 74--82.

Digital Library

[107]

Miller, S. P., Greve, D. A., and Srivas, M. K. 1996. Formal verification of the AAMP5 and AAMP-FV microcode. In Proceedings of the 3rd AMAST Workshop on Real-Time Systems.

[108]

Morgan, C. 1988. The specification statement. ACM Trans. Program. Lang. Syst. 10, 3, 403--419.

Digital Library

[109]

Morris, J. M. 1987. A theoretical basis for stepwise refinement and the programming calculus. Sci. Comput. Program. 9, 3, 287--306.

Digital Library

[110]

NASA. 1997. Formal methods, specification and verification guidebook for the verification of software and computer systems. vol II: A practitioner's companion. Tech. Rep. NASA-GB-001-97, Washington, DC. May.

[111]

NASA. 1998. Formal methods, specification and verification guidebook for the verification of software and computer systems. vol I: Planning and technology insertion. Tech. Rep. NASA/TP-98-208193, Washington, DC. Dec.

[112]

Norman, D. A. 1999. The Invisible Computer: Why Good Products Can Fail, the Personal Computer Is So Complex, and Information Appliances Are the Solution. MIT Press, Cambridge, MA.

Digital Library

[113]

O'Hearn, P. W., Reynolds, J. C., and Yang, H. 2001. Local reasoning about programs that alter data structures. In Computer Science Logic, 15th International Workshop, CSL 2001. 10th Annual Conference of the EACSL. Lecture Notes in Computer Science, vol. 2142. Springer-Verlag, Berlin, Heidelberg, Germany, 1--19.

Digital Library

[114]

Overture-Core-Team. 2007. Overture web site. www.overturetool.org. Cited 9 Mar. 2009.

[115]

Owre, S., Rushby, J. M., and Shankar, N. 1992. PVS: A prototype verification system. In CADE-11, Proceedings of the 11th International Conference on Automated Deduction. Lecture Notes in Computer Science, vol. 607. Springer-Verlag, Berlin, Heidelberg, Germany, 748--752.

Digital Library

[116]

RAISE Language Group. 1992. The RAISE Specification Language. The BCS Practitioners Series. Prentice-Hall, Englewood Cliffs, NJ.

[117]

RAISE Method Group. 1995. The RAISE Development Method. The BCS Practitioners Series. Prentice-Hall International, Engleward Cliffs, NJ.

[118]

Ramananandro, T. 2008. Mondex, an electronic purse: Specification and refinement checks with the Alloy model-finding method. Formal Asp. Comput. 20, 1, 21--39.

[119]

Riazanov, A. and Voronkov, A. 2002. The design and implementation of VAMPIRE. AI Commun. 15, 2--3, 91--110.

Digital Library

[120]

RODIN-Project-Members. 2007. RODIN web site. rodin.cs.ncl.ac.uk/. Cited 9 Mar. 2009.

[121]

Romanovsky, A. 2008. DEPLOY: Industrial deployment of advanced system engineering methods for high productivity and dependability. ERCIM News 74, 54--55.

[122]

Roscoe, A. W. and Hoare, C. A. R. 1988. The laws of Occam programming. Theoret. Comput. Sci. 60, 177--229.

Digital Library

[123]

Rushby, J. 1993. Formal methods and the certification of critical systems. Tech. Rep. CSL-93-7, Computer Science Laboratory, Menlo Park, CA. Dec.

[124]

Rushby, J. 2000. Disappearing formal methods. In High Assurance Systems Engineering, 2000, Fifth IEEE International Symposium on HASE 2000. IEEE Computer Society Press, Los Alamitos, CA.

[125]

Saiedian, H. 1996. An invitation to formal methods. IEEE Comput. 29, 4 (Apr.), 16--30.

Digital Library

[126]

Shankar, N. and Woodcock, J., Eds. 2008. Verified Software: Theories, Tools, Experiments, Second International Conference, VSTTE 2008. Lecture Notes in Computer Science, vol. 5295. Springer-Verlag, Berlin, Heidelberg, Germany.

Digital Library

[127]

Shepherd, D. 1988. The role of Occam in the design of the IMS T800. In Communicating Process Architectures. Prentice-Hall, Englewood Cliffs, NJ.

[128]

Shepherd, D. and Wilson, G. 1989. Making chips that work. New Scientist 1664, 39--42.

[129]

Snook, C. and Butler, M. 2006. UML-B: Formal modeling and design aided by UML. ACM Trans. Softw. Eng. Methodol. 15, 1, 92--122.

Digital Library

[130]

Snook, C. and Harrison, R. 2001. Practitioners' views on the use of formal methods: An industrial survey by structured interview. Inf. Softw. Tech. 43, 275--283.

[131]

Spinellis, D. 2008. A look at zero-defect code. www.spinellis.gr/blog/20081018/. Cited 9 Mar. 2009.

[132]

Spivey, J. M. 1989. The Z Notation: a Reference Manual. International Series in Computer Science. Prentice-Hall, Englewood Cliffs, NJ.

Digital Library

[133]

Srivas, M. and Miller, S. 1995. Applying formal verification to a commercial microprocessor. In Proceedings of the IFIP Conference on Hardware Description Languages and their Applications (CHDL'95).

[134]

Stepney, S., Cooper, D., and Woodcock, J. 2000. An electronic purse: Specification, refinement, and proof. Technical Monograph PRG-126, Oxford University Computing Laboratory. Jul.

[135]

Thomas, M. 1992. The industrial use of formal methods. Microproc. Microsyst. 17, 1 (Jan.), 31--36.

Digital Library

[136]

Tiwari, A., Shankar, N., and Rushby, J. 2003. Invisible formal methods for embedded control systems. Proc. IEEE 91, 1 (Jan), 29--39.

[137]

Tokeneer. 2009. www.adacore.com/tokeneer. Cited 9 Mar. 2009.

[138]

TPTP. 2009a. Entrants' system descriptions. www.cs.miami.edu/~tptp/CASC/J2/SystemDescriptions.html. Cited 9 Mar. 2009.

[139]

TPTP. 2009b. The TPTP problem library for automated theorem proving. www.cs.miami.edu/~tptp/. Cited 9 Mar. 2009.

[140]

Tretmans, J., Wijbrans, K., and Chaudron, M. 2001. Software engineering with formal methods: The development of a storm surge barrier control system revisiting seven myths of formal methods. Form. Methods Syst. Des. 19, 2, 195--215.

Digital Library

[141]

Vafeiadis, V. and Parkinson, M. J. 2007. A marriage of rely/guarantee and separation logic. In Proceedings of the 18th International Conference on Concurrency Theory, CONCUR 2007. Lecture Notes in Computer Science, vol. 4703. Springer-Verlag, Berlin, Heidelberg, Germany, 256--271.

Digital Library

[142]

van Lamsweerde, A. 2003. From system goals to software architecture. In SFM. 25--43.

[143]

VSR. 2009. Verified Software Repository. vsr.sourceforge.net/fmsurvey.htm. Cited 9 Mar. 2009.

[144]

Ward, M. P. and Bennett, K. H. 1995. Formal methods to aid the evolution of software. Int. J. Softw. Eng. Knowl. Eng. 5, 25--47.

[145]

Wijbrans, K., Buve, F., Rijkers, R., and Geurts, W. 2008. Software engineering with formal methods: Experiences with the development of a storm surge barrier control system. In FM2008: Formal Methods, Vol. 5014. Springer-Verlag, Berlin, Heidelberg, Germany, 419--424.

Digital Library

[146]

Wilding, M., Greve, D., and Hardin, D. 2001. Efficient simulation of formal processor models. Form. Meth. Syst. Des. 18, 3 (May), 233--248.

Digital Library

[147]

Wing, J. M. 1990. A specifier's introduction to formal methods. IEEE Comput. 23, 9, 8--24.

Digital Library

[148]

Woodcock, J. and Davies, J. 1996. Using Z: Specification, Refinement, and Proof. International Series in Computer Science. Prentice-Hall, Englewood Cliffs, NJ.

Digital Library

[149]

Woodcock, J., Stepney, S., Cooper, D., Clark, J. A., and Jacob, J. 2008. The certification of the Mondex electronic purse to ITSEC Level E6. Formal Asp. Comput. 20, 1, 5--19.

Digital Library

[150]

Younger, E. J., Luo, Z., Bennett, K. H., and Bull, T. M. 1996. Reverse engineering concurrent programs using formal modelling and analysis. In Proceedings of the 1996 International Conference on Software Maintenance (ICSM '96). IEEE Computer Society Press, Los Alamitos, CA, 255--264.

Digital Library

Cited By

Lathouwers SLiu YZaytsev V(2025)Extract, model, refine: improved modelling of program verification tools through data enrichmentSoftware and Systems Modeling10.1007/s10270-024-01232-7Online publication date: 8-Jan-2025
https://doi.org/10.1007/s10270-024-01232-7
ter Beek MBroy MDongol B(2024)The Role of Formal Methods in Computer Science EducationACM Inroads10.1145/370223115:4(58-66)Online publication date: 11-Nov-2024
https://dl.acm.org/doi/10.1145/3702231
Faqrizal ISalaün GFalcone Y(2024)Adaptive Industrial Control Systems via IEC 61499 and Runtime EnforcementACM Transactions on Autonomous and Adaptive Systems10.1145/369134519:4(1-31)Online publication date: 31-Aug-2024
https://dl.acm.org/doi/10.1145/3691345
Show More Cited By

Index Terms

Formal methods: Practice and experience

Recommendations

Mechanising Mondex with Z/Eves
Abstract
We describe our experiences in mechanising the specification, refinement, and proof of the Mondex Electronic Purse using the Z/Eves theorem prover. We took a conservative approach and mechanised the original LaT_EX sources without changing their ...
The certification of the Mondex electronic purse to ITSEC Level E6
Abstract.
Ten years ago the Mondex electronic purse was certified to ITSEC Level E6, the highest level of assurance for secure systems. This involved building formal models in the Z notation, linking them with refinement, and proving that they correctly ...
A Formal Specification of Mondex Using SAM
SOSE '08: Proceedings of the 2008 IEEE International Symposium on Service-Oriented System Engineering

This paper presents a formal specification of Mondex, an electronic purse, using SAM. Mondex is the first pilot project for the 6th Grand Challenge to develop an integrated, automated toolset that developers can use to establish the correctness of ...

Comments

Information & Contributors

Information

Published In

cover image ACM Computing Surveys

ACM Computing Surveys Volume 41, Issue 4

October 2009

157 pages

ISSN:0360-0300

EISSN:1557-7341

DOI:10.1145/1592434

Issue’s Table of Contents

Copyright © 2009 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 09 October 2009

Accepted: 01 May 2009

Revised: 01 April 2009

Received: 01 December 2008

Published in CSUR Volume 41, Issue 4

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

451
Total Citations
View Citations
8,648
Total Downloads

Downloads (Last 12 months)463
Downloads (Last 6 weeks)53

Reflects downloads up to 29 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Lathouwers SLiu YZaytsev V(2025)Extract, model, refine: improved modelling of program verification tools through data enrichmentSoftware and Systems Modeling10.1007/s10270-024-01232-7Online publication date: 8-Jan-2025
https://doi.org/10.1007/s10270-024-01232-7
ter Beek MBroy MDongol B(2024)The Role of Formal Methods in Computer Science EducationACM Inroads10.1145/370223115:4(58-66)Online publication date: 11-Nov-2024
https://dl.acm.org/doi/10.1145/3702231
Faqrizal ISalaün GFalcone Y(2024)Adaptive Industrial Control Systems via IEC 61499 and Runtime EnforcementACM Transactions on Autonomous and Adaptive Systems10.1145/369134519:4(1-31)Online publication date: 31-Aug-2024
https://dl.acm.org/doi/10.1145/3691345
ter Beek MChapman RCleaveland RGaravel HGu Rter Horst IKeiren JLecomte TLeuschel MRozier KSampaio ASeceleanu CThomas MWillemse TZhang L(2024)Formal Methods in IndustryFormal Aspects of Computing10.1145/368937437:1(1-38)Online publication date: 21-Aug-2024
https://dl.acm.org/doi/10.1145/3689374
Shah KGrant E(2024)Verification and Validation of Software System Class ModelsProceedings of the 2024 8th International Conference on Information System and Data Mining10.1145/3686397.3686415(107-116)Online publication date: 24-Jun-2024
https://dl.acm.org/doi/10.1145/3686397.3686415
Broy MBrucker AFantechi AGleirscher MHavelund KKuppe MMendes APlatzer ARingert JSullivan A(2024)Does Every Computer Scientist Need to Know Formal Methods?Formal Aspects of Computing10.1145/367079537:1(1-17)Online publication date: 10-Jun-2024
https://dl.acm.org/doi/10.1145/3670795
Gu SHuang DWen MChen GKnoll A(2024)Safe Multiagent Learning With Soft Constrained Policy Optimization in Real Robot ControlIEEE Transactions on Industrial Informatics10.1109/TII.2024.339193420:9(10706-10716)Online publication date: Sep-2024
https://doi.org/10.1109/TII.2024.3391934
Couder JGomez DOchoa O(2024)Requirements Verification Through the Analysis of Source Code by Large Language ModelsSoutheastCon 202410.1109/SoutheastCon52093.2024.10500073(75-80)Online publication date: 15-Mar-2024
https://doi.org/10.1109/SoutheastCon52093.2024.10500073
Ung GAmilon JGurov DLidström CNyberg MPalmskog K(2024)Post-Hoc Formal Verification of Automotive Software with Informal Requirements: An Experience Report2024 IEEE 32nd International Requirements Engineering Conference (RE)10.1109/RE59067.2024.00035(287-298)Online publication date: 24-Jun-2024
https://doi.org/10.1109/RE59067.2024.00035
Chatterjee SAllen NPatel NRoop P(2024)Exploring Compositional Neural Networks for Real-Time Systems2024 22nd ACM-IEEE International Symposium on Formal Methods and Models for System Design (MEMOCODE)10.1109/MEMOCODE63347.2024.00010(46-57)Online publication date: 3-Oct-2024
https://doi.org/10.1109/MEMOCODE63347.2024.00010
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Issue’s Table of Contents