Teaching Formal Methods With Perfect Developer
Teaching Formal Methods With Perfect Developer
Teaching Formal Methods With Perfect Developer
David Crocker
Escher Technologies Ltd.
[email protected]
Abstract. In order to teach formal methods successfully, the subject must be presented in a
way that students find relevant, manageable and rewarding. This position paper discusses
some of the difficulties in teaching formal methods and suggests solutions. We present an
outline of the Perfect Developer tool and describe how we teach our own employees to use it
for formally verified software development.
1
The author, being unused to mathematical notation until a few years ago, used to have difficulty remembering whether this symbol denoted
conjunction or disjunction – and it has just taken more than ten minutes to find this character in any font supported by the word processor.
1.3 Motivation
Students and software developers need to be provided with positive feedback at regular intervals to motivate
them to continue working hard. One of the best forms of positive feedback is the satisfaction of seeing a
completed program or subsystem running correctly. The satisfaction provided by completing a specification is
tiny in comparison (although some satisfaction may be gained by successfully animating a specification).
Formal methods fail to provide sufficient feedback on two counts:
• Many formal methods stop with the development of a specification;
• Where a formal method does go right through to code (or a course includes manual implementation of
formal specifications), it is likely that the running program is produced after a very long time, or that it is a
trivially small. In contrast, if software is developed without using formal methods, techniques such as
Extreme Programming can be employed, which provides a running program very quickly (albeit with little
functionality) and regular increments to the functionality thereafter.
The motivational benefits of Extreme Programming can be realised in a formal context by introducing the
paradigm of Extreme Specification2, in which the functionality of a specification is incrementally improved.
Positive feedback may be provided at each stage by way of formal verification, animation, or (preferably)
generation of a program from the specification. The latter requires a tool that provides for automated refinement
of specifications to ready-to-compile code.
2
This name was suggested by Helen Treharne of Royal Holloway University.
As well as allowing manual refinement to be expressed in the language, the tool will attempt to refine
specifications automatically. Either way, the system then refines them further using an internal notation that
extends the visible language with lower-level concepts that parallel programming language features. From this
notation they are translated directly to the target programming language (Java and C++ are currently supported).
Hence we achieve a fast turnaround from specifications to ready-to-compile code, allowing for fast prototyping
and the use of agile software development approaches such as Extreme Specification.
In recent years the Unified Modeling Language (UML) has become the dominant notation for graphically
depicting the structure of object-oriented software systems. We therefore provide a mechanism to generate
skeleton specifications from models exported by most UML tools.
Perfect Developer requires as its host a fast PC running a recent version of either Windows or Linux. More
information is available on the Internet [3].
3
A property declaration is a statement of some expected behaviour of the class, component or system.
4 Experiences and conclusion
So far we have trained seven staff in Perfect Developer. Of these, three were recruited because they had at least
some relevant mathematical background (not because they had to learn Perfect Developer but because they
would be working on the theorem prover). Of the remaining four, two did not get on well with Perfect
Developer (in part because we could not persuade them to move from a programming to a specification
mentality) and left the company; the other two became proficient and productive within a few weeks.
In the academic year 2002-2003, several universities ran student projects with Perfect Developer and one
university used it to assist in teaching a formal methods module. We expect another four to six universities to
teach formal methods with Perfect Developer during the current academic year and we look forward to hearing
of their experiences.
References
1. The B-Book: Assigning Programs to Meanings. J.-R. Abrial, Cambridge University Press, 1996. ISBN 0-
521-49619-5.
2. Perfect Developer Language Reference Manual version 2.10. Available online (October 2003) via
http://www.eschertech.com by following the “Support” and “Perfect Developer self-help” links.
3. Follow the “Products” link from http://www.eschertech.com (October 2003).
4. Introducing Perfect Developer: A Tutorial. Available online (October 2003) at
http://www.eschertech.com/tutorial/contents.htm.