From specification to realization, testing and proof : formal approaches

Software engineering and formal verification share two essential prerequisites: firstly, the quality of the initial specifications, which must be precise, non-contradictory and complete, but without excessive precision; secondly, the quality of the programming languages, whose semantics must be precise yet intuitive. Many industrial projects still fail because they do not respect these constraints.

Conventional software engineering writes specifications in the usual language and provides traceability tools to link specifications and implementation. To validate the result, it relies on code reviews and, above all, tests, which poses two major problems: it is difficult to measure what the tests actually test, and testing provides no information on what is not tested. But we'll see that systems for generating random tests can achieve surprising results.

Formal methods, on the other hand, write specifications in mathematical language - the only rigorous language we really have - and take this language a step further. Modern program typing systems enable errors to be detected as early as the first compilation passes. The best of these are a direct result of research into programming semantics, which in turn is directly linked to formal verification. To take things a step further, we're looking to replace or supplement dynamic validation tests with static proofs, again mathematical proofs, aided by more or less automated formal verification systems. In contrast to tests, formal verification says everything about the properties to be validated: proven true, they are true in all circumstances; detected as false, the tools often enable us to build tests invalidating them and thus discover the source of the error. But proofing is technically more difficult than testing, and requires special training. And it's not necessarily a panacea, since certain properties, such as the stopping of a program, are not generally provable (although things are improving in practice).

After detailing the above issues, we'll briefly introduce the styles of formal methods that will be detailed in the remainder of the lecture, along with their practical applications: assertions, proofs by formal semantic rewrites, abstract interpretation, logical verifications by proof assistants, and automatic model checking. An important point of discussion will be the link with classical programming. We'll see that three quite different points of view naturally coexist, which is one of the reasons for the multiplicity of the aforementioned techniques:

• Program as usual and use formal verification tools to complement tests and check a certain number of critical program properties (absence of errors blocking execution, verification of predicates on states or outputs, etc.). This solution is often used in electronic circuit design or embedded software.
  
• At the other end of the spectrum, abandon conventional methods by integrating the entire path from formal specifications to executable code into a single logical formalism, while continuously producing automatic or manually-guided proofs of the correctness of the realization in relation to the specifications. This highly ambitious approach, generally based on formal logic proof assistants, is used to varying degrees for applications in transport, compilation, operating systems, distributed algorithms, IT security and more.
  
• In between are intermediate methods such as abstract interpretation and model checking, in which the object being verified is a more or less abstract model of the application. The focus is then on dealing with difficult or dangerous points in the specification, by abstracting its insignificant details. This approach considerably reduces the size of the verification process, but does not always uncover the devil that may be lurking in the details of the implementation. It is often preferred for parallel, distributed or real-time applications, as well as for IT security.