Tools for VDM in Industry
Professor Peter Gorm Larsen
Engineering College of Aarhus
(pgl@iha.dk)
Also adjunct professor at Aarhus University
March 2009
Tools for VDM in Industry
1
Personal Background
• Theoretical Work
• VDM-SL Semantics (ISO standard)
• VDM-SL Proof Rules (PhD work)
• More Practical Work
• VDM and Structured Analysis in combination
• VDMTools architect
• Transfer VDM to Industry
• Intensive use Industrially
• Employed by
• For 13 years: IFAD A/S
• For 3,5 years: Systematic Software Engineering A/S
• For 3,5 years:
• Engineering College of Aarhus
March 2009
Tools for VDM in Industry
2
Tools for VDM in Industry
 Industrial Experience with VDM
• ”Bootstrapping” VDMTools
• Overview of VDMTools
• The Overture/Eclipse Initiative
• Vision for the future
March 2009
Tools for VDM in Industry
3
References, World-wide, 2001
More than 150 VDMTools clients world-wide
France
Aerospatiale Espace et Defense
Dassault Aviation
Dasssault Electronique
CISI CEA et Defense
CEA Leti
Cap Gemini
LAAS
Matra Bae Dynamics
U.K.
British Aerospace Systems &
Equipment
British Aerospace Defense
Adelard
ICL Enterprise Engineering
Rolls Royce
Transitive Technologies
March 2009
Italy
ENEA
Ansaldo
The Netherlands
Dutch Dept. of Defence
Origin
Chess
Portugal
Sidereus
Denmark
Baan Nordic
Odense Steel Shipyard
DDC International
Tools for VDM in Industry
North America
Boeing
Rockwell Collins
Lockheed Martin
DDC-I, Inc.
Rational Software Corp.
Formal Systems Inc.
Concordia University
Japan
RTRI (Japan Railways)
JFITS
Felica Networks
Germany
GAO mbH
4
ConForm (1994)
• Organisation: British Aerospace (UK)
• Domain: Security (gateway)
• Tools: The VDM-SL Toolbox
• Experience:
• Prevented propagation of error
• Successful technology transfer
• At least 4 more applications without support
• Statements:
• “Engineers can learn the technique in one week”

• “VDMTools can be integrated gradually into a
traditional existing development process”
March 2009
Tools for VDM in Industry
5
DustExpert (1995-7)
•
•
•
•
Organisation: Adelard (UK)
Domain: Safety (dust explosives)
Tools: The VDM-SL Toolbox
Experience:
• Delivered on time at expected cost
• Large VDM-SL specification
• Testing support valuable
• Statement:

• “Using VDMTools we have achieved a productivity
and fault density far better than industry norms for
safety related systems”
March 2009
Tools for VDM in Industry
6
Adelard Metrics
Initial requirements 450 pages
VDM specification
16kloc (31 modules)
12kloc (excl comments)
Prolog
implementation
37kloc
16kloc (excl comments)
C++ GUI
implementation
23kloc
18kloc (excl comments)
• 31 faults in Prolog and C++ (< 1/kloc)
• Most minor, only 1 safety-related
• 1 (small) design error, rest in coding
March 2009
Tools for VDM in Industry
7
CAVA (1998-)
• Organisation: Baan (Denmark)
• Domain: Constraint solver (Sales Configuration)
• Tools: The VDM-SL Toolbox
• Experience:
• Common understanding
• Faster route to prototype
• Earlier testing
• Statement:

• “VDMTools has been used in order to increase
quality and reduce development risks on high
complexity products”
March 2009
Tools for VDM in Industry
8
Dutch DoD (1997-8)
• Organisation: Origin, The Netherlands
• Domain: Military
• Tools: The VDM-SL Toolbox
• Experience:
• Higher level of assurance
• Mastering of complexity
• Delivered at expected cost and on schedule
• No errors detected in code after delivery
• Statement:

• “We chose VDMTools because of high demands on
maintainability, adaptability and reliability”
March 2009
Tools for VDM in Industry
9
DoD, NL Metrics (1)
kloc
spec
hours
loc/hour
15
1196
13
4
471
8.5
automatic impl
90
0
NA
test
NA
612
NA
total code
94
2279
41.2
manual impl
totAL
• Estimated 12 C++ loc/h with manual coding!
March 2009
Tools for VDM in Industry
10
DoD - Comparative Metrics
Traditional:
900
2000
ANALYSIS &
DESIGN
CODING
700
TESTING
VDMTools®:
1200
ANALYSIS &
DESIGN
500
CODING
600
TESTING
100%
64%
0%
March 2009
Tools for VDM in Industry
Cost
11
BPS 1000 (1997-)
• Organisation: GAO, Germany
• Domain: Bank note processing
• Tools: The VDM-SL Toolbox
• Experience:
• Better understanding of sensor data
• Errors identified in other code
• Savings on maintenance
• Statement:
• VDMTools provides unparalleled support for design
abstraction ensuring quality and control throughout
the development life cycle.
March 2009
Tools for VDM in Industry
12
Flower Auction (1998)
• Organisation: Chess, The Netherlands
• Domain: Financial transactions
• Tools: The VDM++ Toolbox
• Experience:
• Successful combination of UML and VDM++
• Use iterative process to gain client commitment
• Implementers did not even have a VDM course
• Statement:
• “The link between VDMTools and Rational Rose is
essential for understanding the UML diagrams”
March 2009
Tools for VDM in Industry
13
SPOT 4 (1999)
• Organisation: CS-CI, France
• Domain: Space (payload for SPOT4 satellite)
• Tools: The VDM-SL Toolbox
• Experience:
• 38 % less lines of source code
• 36 % less overall effort
• Use of automatic C++ code generation
• Statement:
The cost of applying Formal methods is significantly
lower than without them.
March 2009
Tools for VDM in Industry
14
IFAD VDM Applications
• VDMTools
•
•
•
•
•
•
•
•
March 2009
VDM interpreter
VDM static semantics
VDM to C++ code generator
Specification manager
UML mapper
Java static semantics
Java VDM++ translator
MUSTER: Emergency response training
Tools for VDM in Industry
15
Japanese Railways (2000-2001)
• Domain: Railways (database and interlocking)
• Experience:
• Prototyping important
• Subsequent also using it for ATC system
• Engineer working at IFAD for two years
March 2009
Tools for VDM in Industry
16
TradeOne, CSK, 2000 - 2001
• Full TradeOne system is 1.3 MLOC system
• Mission-critical backbone system keeping track of financial
transactions conducted
• Used by securities companies and brokerage houses
Options Subsystem
handles the business
process for trading
options. Modelled in
VDM++
Tax exemption subsystem
has particularly complex
regulations to implement.
Modelled in VDM++.
March 2009
Tools for VDM in Industry
17
TradeOne Cost Effectiveness
Subsystem
COCOMO
estimate
Real time
Time saving
Tax exemption
Effort:38.5 PM
Schedule:9M
Effort:14 PM
Effort:74%
Schedule: 3.5 M Schedule:61%
Options
Effort:147.2 PM
Schedule:14.3M
Effort: 60.1 PM
Schedule:7M
Effort: 60%
Schedule: 51%
Overall sizes
Total TradeOne
Tax exemption subsystem
Option subsystem
March 2009
1,342,858
18,431
60,206
Tools for VDM in Industry
18
The FeliCa Mobile Chip Project
• Mobile FeliCa IC chips can be embedded inside
mobile phones
• Used for different on-line services including payment
• Uses Near-Field-Communication technology
• Used for example for metro ticking in Tokyo
• The IC Chips contains an operating system as
firmware for 50 million mobile phones
• This is fully developed using the VDM++ technology
• Between 50 and 60 people in total on the project
23.5 mm
March 2009
Tools for VDM in Industry
19
Specification and
Implementation Growth
kLOC
Specification v.1.0
コミットした累計行数
仕様変更数
形式仕様と実装のコミットした累計行数 / 仕様変更数 / 各種イベント
140
140,000
仕様変更
形式仕様
実装
130,000
100
Implementation
90
120,000
80
March 2009
R R 4.0 パイロット移動機メーカ
R R 7.0 全移動機メーカ
R R 5.0 全移動機メーカ
R R 3.0 パイロット移動機メーカ
O S定義書1.0
R R 1.0
Tools for VDM in Industry
Specification Phase
Implementation Phase
本開発準備フェーズ (3M )
本開発フェーズ (8M )
60
50
40
内部リリース後フェーズ (6M )
外部リリース後フェーズ (6M )
2006/4
2006/3
2005/5
2005/4
2005/3
2005/2
2005/1
2004/12
2004/11
2004/10
2004/7
2004/9
2004/8
2004/7
0
2006/2
2課+椎木さんレビュー
α版評価
2006/1
0
2005/12
10,000
2005/11
20,000
2005/9
30,000
2005/8
40,000
70
The average productivity of
VDM++ code for the formal
specifications was about
1,900 LOC クロスチェ
per ッengineer
per
ク評価 ・カバレッジ評価
設計者・
評価者レビュー
month.
2005/7
50,000
形式仕様書1.0
60,000
Specification
2005/6
70
70,000
設計構想会議
80,000
外部仕様書1.0
90,000
形式仕様書0.9
形式仕様本開発スタート
100,000
2005/10
100
R R 2.0 パイロット移動機メーカ
110,000
30
20
10
0
2006/4
20
Number of Changes
Specification v.1.0
コミットした累計行数
仕様変更数
形式仕様と実装のコミットした累計行数 / 仕様変更数 / 各種イベント
140,000
100
仕様変更
形式仕様
実装
130,000
90
120,000
80
50,000
40,000
R R 4.0 パイロット移動機メーカ
70
R R 7.0 全移動機メーカ
R R 5.0 全移動機メーカ
R R 3.0 パイロット移動機メーカ
O S定義書1.0
R R 1.0
60,000
形式仕様書1.0
70,000
設計構想会議
80,000
外部仕様書1.0
90,000
形式仕様書0.9
形式仕様本開発スタート
100,000
R R 2.0 パイロット移動機メーカ
110,000
60
50
50
40
Number of Changes
30,000
30
20
20,000
10
クロスチェック評価 ・カバレッジ評価
10,000
設計者・
評価者レビュー
2課+椎木さんレビュー
α版評価
0
March 2009
Tools for VDM in Industry
Specification Phase
Implementation Phase
本開発準備フェーズ (3M )
本開発フェーズ (8M )
内部リリース後フェーズ (6M )
外部リリース後フェーズ (6M )
2006/4
2006/3
2006/2
2006/1
2005/12
2005/11
2005/10
2005/9
2005/8
2005/7
2005/6
2005/5
2005/4
2005/3
2005/2
2005/1
2004/12
2004/11
2004/10
2004/7
2004/9
2004/8
2004/7
0
0
2006/4
21
Further Information
• Applying Formal Specification in Industry. P.G. Larsen, J.
Fitzgerald and T. Brookes. Published in "IEEE Software" vol. 13,
no. 3, May 1996
• A Lightweight Approach to Formal Methods S.Agerholm and
P.G. Larsen. In Proceedings of the International Workshop on
Current Trends in Applied Formal Methods, Boppard, Germany,
Springer-Verlag, October 1998.
• Applications of VDM in Banknote Processing P. Smith and P.G.
Larsen. + Application of VDM-SL to the Development of the
SPOT4 Programming Messages Generator, A. Puccetti and J.Y.
Tixadou + Formal Specification of an Auctioning System Using
VDM++ and UML, M.Verhoef et. al.
Published at the First VDM Workshop: VDM in Practice with the
FM'99 Symposium, Toulouse, France, September 1999.
• Application of a Formal Specification Language in the
Development of the ``Mobile FeliCa'' IC Chip Firmware for
Embedding in Mobile Phone, Taro Kurita and Miki Chiba and
Yasumasa Nakatsugawa, Springer-Verlag, FM2008, May 2008.
March 2009
Tools for VDM in Industry
22
Tools for VDM in Industry
 Industrial Experience with VDM
 ”Bootstrapping” VDMTools
• Overview of VDMTools
• The Overture/Eclipse Initiative
• Vision for the future
March 2009
Tools for VDM in Industry
23
Development Choices Taken
 Executable models
Testing and animation
 Partial “analysis” (validation)
System level testing
 Code generation
VDM for source code
 Formal refinement and formal verification
March 2009
Tools for VDM in Industry
24
Staff Overview
91
92
MV
PGL
ETN NP
PBL
MA
HC
HV
NK
JNJ
SA
LTO
JWT
OS
JKP
KS
+JR
PM
March 2009
93
94
95
96
97
BF BA
KdB CA
SN
JKP
VS
98
OO
99
00
GW
JKP
WS
+ML
+RM
Tools for VDM in Industry
JSF
25
Development Environment
•
•
•
•
•
•
•
•
March 2009
GNU C++/Visual C++
Generic VDM C++ library
GUI: Previously:Tcl/Tk, Now: Qt
flex and bison
CVS/Ediff version control
OSs: Windows, Linux, Unix
Test environments
Development procedures
Tools for VDM in Industry
26
The “Bootstrapping” Process
VDM++
VDM++
VDM++
VDM++
VDM-SL
VDM-SL
VDM-SL
VDM-SL
VDM-SL
DS spec
SS spec
CG spec
SM spec
PM spec
VDM++
VDM++
VDM++
VDM++
VDM-SL
VDM-SL
VDM-SL
VDM-SL
VDM-SL
DS impl
SS impl
CG impl
SM impl
PM impl
Implicit time line
March 2009
Tools for VDM in Industry
27
Specification Sizes
Abstract Syntax etc
Static Semantics
Interpreter
Code generators
Specification Manager
Dependency
Rose-VDM++ Link
Proof Obligation Generation
Java Static Semantics
Java 2 VDM++ Translator
In total
March 2009
Tools for VDM in Industry
3196
20289
29738
32891
3822
792
1518
15475
7025
7702
122448
28
Component Categories
• Purely hand-coded
• VDM + hand coding
• VDM + code generation
March 2009
Tools for VDM in Industry
29
Purely Hand-coded Components
•
•
•
•
Scanner/parser (lex/yacc)
pretty-printer (simple C++ component)
GUI (previously: Tcl/Tk, now: Qt)
Interface to third party tools
• Rational Rose and XMI based UML tools
• Corba for API
• ML for HOL
• Generic VDM C++ library
March 2009
Tools for VDM in Industry
30
VDM + Hand Coding
•
•
•
•
•
•
March 2009
Dynamic semantics (SL and ++)
Static semantics (SL and ++)
Java/C++ Code generators (SL and ++)
Test environments for each component
Reused at implementation level
Java/C++ code generators now themselves
partially code generated
Tools for VDM in Industry
31
Maintenance Approach
•
•
•
•
•
March 2009
Bugs first reproduced at specification level
Tested using the VDM debugger
Check that all tests are satisfactory
Implement changes of specification
Rerun all tests at implementation level
Tools for VDM in Industry
32
VDM + code generation
•
•
•
•
•
•
•
Animator for SA/RT
Specification Manager (SL and ++)
VDM++ to/from UML translation
Proof support (SL)
Parts of GUI now code generated
VDM model becomes source
Trade-off with abstraction
March 2009
Tools for VDM in Industry
33
Tools for VDM in Industry
 Industrial Experience with VDM
 ”Bootstrapping” VDMTools
 Overview of VDMTools
• The Overture/Eclipse Initiative
• Vision for the future
March 2009
Tools for VDM in Industry
34
VDMTools Overview
Experimentally
linked to HOL
Syntax & Type
Checker
Java to VDM++
Integrity Checker
Round Trip Rose-VDM++
Engineering
Link
support
Interpreter (Debugger)
Document Generator
API (Corba), DL Facility
Code Generators
- C++, Java
March 2009
Tools for VDM in Industry
35
Japanese Support via Unicode
March 2009
Tools for VDM in Industry
36
Validation with VDMTools®
VDM specs
Actual results
Comparison
Execution
Test cases
March 2009
Expected results
Tools for VDM in Industry
37
Documentation in MS Word/RTF
One compound document:
• Documentation
• Specification
• Test coverage
• Test coverage
statistics
March 2009
Tools for VDM in Industry
38
Architecture of the Rose VDM++ Link
VDM++ Toolbox
Rational Rose 2000
UML
Diagrams
Class
Repository
Merge Tool
Class
Repository
UML model
file
VDM++ Files
March 2009
Tools for VDM in Industry
39
Integrity checker
March 2009
Tools for VDM in Industry
40
Toolbox API
Request
Result
March 2009
Tools for VDM in Industry
41
Dynamic Link Facility
VDM
Specification
Dynamic Link
Module
External
Code
March 2009
Type
Conversion
Module
Tools for VDM in Industry
42
Further Information
• An Executable Subset of Meta-IV with Loose Specification, P.G.
Larsen, P.B. Lassen, VDM '91: Formal Software Development
Methods, 1991
• The IFAD VDM-SL Toolbox: A Practical Approach to Formal
Specifications, R. Elmstrøm, P.G. Larsen, P.B. Lassen, ACM
Sigplan Notices, September 1994
• Computer-aided Validation of Formal Specifications, P.
Mukherjee, Software Engineering Journal, July 1995
• Ten Years of Historical Development - ”Bootstrapping”
VDMTools, P.G. Larsen, Journal of Universal Computer Science,
2001
• VDMTools: advances in support for formal modeling in VDM, J.
S. Fitzgerald and P. G. Larsen and S. Sahara, ACM Sigplan
Notices, February 2008
March 2009
Tools for VDM in Industry
43
Tools for VDM in Industry
 Industrial Experience with VDM
 ”Bootstrapping” VDMTools
 Overview of VDMTools
 The Overture/Eclipse Initiative
• Vision for the future
March 2009
Tools for VDM in Industry
44
Overture versus VDMTools
• VDMTools (http://www.vdmtools.jp/en)
• Closed source, proprietary (available under NDA)
• Monolithic architecture (single binary), C++
• Optimized for performance, industry strength
• Overture Tool project (http://www.overturetool.org)
•
•
•
•
March 2009
Open source, GPL license
Plug-in architecture, Eclipse, Java
Optimized for flexibility, targets academic use
(partly) developed using VDMTools
Tools for VDM in Industry
Overture –
an open-source initiative
•
•
•
•
Based on the Eclipse platform
Extendible open VDM++ tool support
Initial tool support produced in MSc project in NL
MSc project carried out at TUD
• Jacob Porsborg Nielsen and Jens Kielsgaard Hansen
• MSc project at Aarhus University
• Thomas Christensen
• MSc projects at Engineering College of Aarhus
• Hugo Macedo, Minho University
• Sander Vermolen, University of Nijmegen
• Adriana Sucena, Minho University
• Carlos Vilhena, Minho University
• Augusto Ribeiro, Minho University
• Kenneth Lausdahl and Hans Christian Lintrup, IHA
March 2009
Tools for VDM in Industry
46
Overture Architecture Overview
GUI
generators
UML, SysML
AADL
Visualisation
Support
Refactoring
support
Syntax
Check
Type
Check
Interpreter
(Debugger)
With API
capabilities
Basic automatic checks and GUI
Test
Generation
support
Connection
to JML
AST
Eclipse
Visualization
Support for
Execution
traces
Verification support
Model
Checking
support
Not yet available
March 2009
OML editor
With
syntax
highlighting
Validation support
Reverse
Engineering
support
Connection to standard development environments
Code
Generators
- C++, Java
Interactive
Proof
support
Automatic
Proof
support
A version is available
Tools for VDM in Industry
Proof
Obligation
generation
Pretty
Printing
With
coverage
Planned
47
Example Screen dump
March 2009
Tools for VDM in Industry
48
Automatic AST generation
specified in VDM++
● code generated
●
OVERTURE
AST spec
(VDM-SL subset)
ASTGEN
JAVA
interfaces
“implements”
sed script
sed
VDM++
classes
other users can use these
specs to specify their own
OVERTURE extensions
(in VDM++)
March 2009
java
classes
VDMTools
Tools for VDM in Industry
modified java
classes
Tracefile Viewer (1)
March 2009
Tools for VDM in Industry
Tracefile Viewer (2)
March 2009
Tools for VDM in Industry
Tracefile Viewer (3)
March 2009
Tools for VDM in Industry
Tools for VDM in Industry
 Industrial Experience with VDM
 ”Bootstrapping” VDMTools
 Overview of VDMTools
 The Overture/Eclipse Initiative
 Vision for the future
March 2009
Tools for VDM in Industry
53
Extending VDM++ with better support for distributed
real-time
• Today embedded real-time systems are increasingly
distributed
• Hard to master complexity within tight time schedules
• Current research work extend VDM++ with better
support for describing and analyzing this
• Possibility to use CPU’s and BUS’es inside system
• Deployment of objects to CPUs
• Setting priorities of operations
• Introduction of asynchronous operations
• Cycles statement in addition to duration statement
March 2009
Tools for VDM in Industry
54
Combining with continuous time
March 2009
Tools for VDM in Industry
Beyond the Ordinary:
Design of Embedded Real-time Control
•BODERC project @ ESI
•Sept 2002 - Apr 2007
•Multi-disciplinary design
•mechanics
•electronics
•software
•High-tech systems focus
•Early life cycle trade-off analysis
•Industry as a laboratory
•http://www.esi.nl/boderc
March 2009
Tools for VDM in Industry
56
Printer paper path - case study
VDM++
Bond
graphs
VDM++
VDMTools
co-sim
results
20-sim
VDMTools
C++
HOST
COMPILER
Bond
graphs
VDM++
March 2009
VDMTools
C++
TARGET
COMPILER
Tools for VDM in Industry
continuous
validation
DLL
20-sim
SIL sim
results
ctrl app
measurements
57
An email from an old (very good)
student
… At that time I understood that a formal specification would be an advantage
for big projects but I had no idea how desperately this is also needed in
smaller projects when there are many people involved. Today I do know:
At the moment I am working at BMW in the communications department.
We work on the integration of the car telephone (including a telematics unit
with GPS coordinates) into the overall car. There is a lot of interaction
between the telephone and the HMI of the car and there are different
versions and types of all the involved devices. There are also five
companies (BMW, Motorola, Siemens VDO, Harmann-becker, Alpine) who
develop the different units. The system should not be so complex because
many of the devices should (!) behave similarly. But the specifications we
write are English plain text (hundreds of pages), in our department more
than 10 people are involved and we do not know anymore how the devices
will behave ourselves...every external company has an own interpretation of
the specs and this interpretation changes over time. If you ask the same
person twice you get different answers (I frankly admit that I am no
exception)... You can imagine how "efficient" everything is and its a miracle
that the system still works (with a number of bugs though)...
March 2009
Tools for VDM in Industry
58
Go out and use the
principles at least!
March 2009
Tools for VDM in Industry
59