Formal Methods Going Mainstream: Costs, Benefits, Experiences by Margaria, Tiziana et al.

FACS FACTS Issue 2006-2 September 2006

Formal Methods Going Mainstream – Cost, Benefits and Experiences: Report on the ForTIA Industry Day at FM05
Tiziana Margaria, Bernhard Schätz and Marcel Verhoef
The Formal Techniques Industrial Association (ForTIA), a subgroup of Formal Methods Europe, organized an “Industry Day” as a parallel track to the 13th International Symposium on Formal Methods, held at the University of Newcastle upon Tyne on 20 July 2005. The purpose of the Industry Day is to focus on the pros and cons of formal methods as perceived by end-users, not necessarily on the proposition(s) made by the technology providers. The aim is to understand how formal techniques can be introduced successfully in an industrial setting and how common pitfalls can be prevented, pitfalls that need not have anything to do with the formal technique itself.
The theme for I-Day 2005 was "Formal Methods Going Mainstream - Costs, Benefits and Experiences". Six invited speakers provided us with their insight into this theme; each was given half an hour to reflect on their experiences bringing formal techniques to the forefront of their business. SAP Research kindly sponsored the event. The Industry Day was closed with a panel discussion (pictured above) that also included the conference keynote speaker Mathai Joseph (Tata Research Development and Design Centre), which resulted in a lively debate with an audience of some 75 people. Despite a substantial publicity campaign in the UK set up by the local organizers, attendance from industry (non-conference attendees) was low. Nevertheless, the returned evaluation forms indicated that the talks were of high quality, that Industry Day was a success and that the event should be continued in its present form. FM 2006 at McMaster (Canada) has already kindly agreed to host another I-Day; the theme for that event will be “Security & Trust”.
John Harrison (pictured left) of Intel Corporation (USA) kicked off with an eye-opening account of the role of formal methods in the verification of floating point units. Intel wrote off 475 million USD to cover the damages of the incorrect division in early Pentium processors (the FDIV bug). A similar problem in current chip designs would be far more costly. Chip designs are getting more complex, but the associated testing problem is growing even faster in size and complexity. Traditional testing techniques are not sufficiently powerful, and formal verification techniques can sometimes offer a solution. Several tools are used in the hardware industry today, such as ACL2, Coq and PVS. Since the FDIV bug, formal verification has become almost standard practice: twenty percent of the Pentium 4 design was formally verified, and many high-quality bugs were discovered before “first silicon”. The HOL Light theorem prover was used by John and his team to verify the floating point operations of the Itanium processor. As can be expected, several bugs were found in the design, but the verification, in combination with the high-level specification of the algorithm, also deepened the understanding of the problem, which eventually led to several improvements to the design.
Christian Scheidler (pictured left) of DaimlerChrysler Research and Technology (Germany) presented his experiences using state-of-the-art model checkers in the automotive industry. The aim of the EASIS project in which he is involved is to determine whether model checkers can replace traditional testing in embedded system design. Model checkers are attractive from an industrial perspective because they are to a large extent push-button technology: the state space is explored exhaustively without the need to create test vectors manually, and if an error is found, a counterexample is produced automatically. However, when no error is found, model checking does not deliver a proof that can be checked independently; one has to trust the quality of the model checker itself. Furthermore, it is not known a priori how long the search will take or how much memory is required to construct the state space. These problems seem to hinder industrial acceptance. A few realistic case studies were performed using the EmbeddedValidator tool suite, an integrated platform that couples Matlab/Simulink, dSPACE and two proof engines, VIS and Prover. In total 67 out of 81 requirements could be verified automatically, and residual errors were found in 7 of them. Despite some restrictions in the notation and limitations in the tools, the technology seemed to work quite well in practice, and resource problems were not experienced during the experiments. This is partly due to the use of a collection of standard properties that are commonly expected to hold for the models under development, which relieves developers from formalizing these properties on their own. The amount of time needed to create the formal models was acceptable in an industrial setting, and it was possible to do this without in-depth formal methods knowledge.
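The push-button workflow described above (exhaustive exploration of a finite state space, and a counterexample trace when a property fails) fits in a few dozen lines. The following is an added example, not code from the EASIS project or from the EmbeddedValidator, VIS or Prover tools: a breadth-first explicit-state model checker applied to a constructed toy model of two actuator controllers sharing one power bus, where the "check that the bus is free, then take it" version contains a time-of-check/time-of-use race. The property `never_both_on` and the built-in deadlock-freedom check stand in for the "standard properties" mentioned above; all names are the example's own.

```python
"""Explicit-state model checking in miniature: breadth-first exploration of a
finite transition system, checking a safety invariant and deadlock freedom,
and returning a counterexample trace when a violation is reached.

Added example; not code from the EASIS project or the EmbeddedValidator tool
suite.  The toy model (two actuator controllers sharing one power bus) is
constructed for illustration.
"""
from collections import deque
from typing import Callable, Dict, Hashable, Iterable, List, Optional, Tuple

State = Hashable
Transition = Tuple[str, State]          # (label, successor state)


def check(initial: State,
          successors: Callable[[State], Iterable[Transition]],
          invariant: Callable[[State], bool],
          require_deadlock_free: bool = True,
          ) -> Tuple[int, Optional[List[str]]]:
    """Explore every state reachable from `initial`.

    Returns (states_discovered, counterexample).  The counterexample is the
    shortest sequence of transition labels leading to a state that violates
    `invariant` (or to a deadlocked state), or None if no such state is
    reachable.  Breadth-first order is what makes the trace a shortest one.
    """
    parent: Dict[State, Optional[Tuple[State, str]]] = {initial: None}
    queue = deque([initial])

    def trace(s: State) -> List[str]:
        labels: List[str] = []
        while parent[s] is not None:
            s, label = parent[s]            # walk back to the initial state
            labels.append(label)
        return labels[::-1]

    while queue:
        s = queue.popleft()
        if not invariant(s):
            return len(parent), trace(s)
        succs = list(successors(s))
        if require_deadlock_free and not succs:
            return len(parent), trace(s) + ["<deadlock>"]
        for label, t in succs:
            if t not in parent:             # visited set: each state once
                parent[t] = (s, label)
                queue.append(t)
    return len(parent), None


def interlock_model(atomic: bool):
    """Two actuator controllers A and B competing for one power bus.

    State = (ctrl_A, ctrl_B, bus) with ctrl in {'idle', 'checked', 'on'} and
    bus in {None, 'A', 'B'}.  With atomic=False a controller first checks that
    the bus is free and then, in a separate step, takes it (a time-of-check/
    time-of-use race); with atomic=True check and take are one step.
    Returns (initial_state, successor_function).
    """
    def successors(state):
        ctrls, bus = list(state[:2]), state[2]
        for i, name in enumerate("AB"):
            nxt = ctrls[:]
            if ctrls[i] == "idle" and bus is None:
                if atomic:
                    nxt[i] = "on"
                    yield f"{name}:take_bus", (nxt[0], nxt[1], name)
                else:
                    nxt[i] = "checked"
                    yield f"{name}:check_bus_free", (nxt[0], nxt[1], bus)
            elif ctrls[i] == "checked":
                nxt[i] = "on"               # takes the bus whoever holds it now
                yield f"{name}:take_bus", (nxt[0], nxt[1], name)
            elif ctrls[i] == "on":
                nxt[i] = "idle"
                yield f"{name}:release_bus", (nxt[0], nxt[1], None)
    return ("idle", "idle", None), successors


def never_both_on(state) -> bool:
    """Safety property: the two actuators are never energized at the same time."""
    return not (state[0] == "on" and state[1] == "on")


def verify_interlock(atomic: bool) -> Tuple[int, Optional[List[str]]]:
    initial, succ = interlock_model(atomic)
    return check(initial, succ, never_both_on)


if __name__ == "__main__":
    for atomic in (False, True):
        n, cex = verify_interlock(atomic)
        verdict = "counterexample: " + " -> ".join(cex) if cex else "property holds"
        print(f"atomic={atomic}: {n} states explored, {verdict}")
```

Run as a script, the racy version yields the shortest violating trace in four steps (both controllers observe a free bus, then both energize), while the atomic version is reported to hold after exploring only three states. The caveats from the talk apply directly: a "holds" verdict is only as good as the checker and the model, and the number of states to be explored is not known in advance; for the racy model the search simply stops when the first bad state is dequeued.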
Guy Broadfoot (pictured left) of Verum Consultants (The Netherlands) reported on the use of their patented Analytical Software Design (ASD) method. First, Sequence-based Specification (SBS) is used to create a set of inherently consistent and complete requirements. Notably, these specifications are free from mathematical notation, which makes them easy to communicate to critical project stakeholders. The ASD Model Generator derives CSP models and designs from the sequence-based specification, which in turn can be analyzed using the FDR model checker. The ASD Code Generator can generate significant amounts of program source code automatically from these verified designs. The ASD method was used to design and implement the control software of a magnetic levitation device, a subsystem used for high-accuracy positioning of objects in a production cell, e.g. to move a silicon wafer in a wafer stepper. During the analysis and design phase, 400 defects were found by formal verification and removed before coding started. In total 18000 lines of C++ code were generated automatically, representing 90% of the total code base. 35 man-weeks of effort were spent on the complete project, an overall productivity of 12 lines of code per hour, three times higher than during conventional development in C++. After delivery only 5 defects were detected, mostly related to errors in the handwritten “glue” code, giving a rate of only 0.28 defects per KLOC.
Gerrit Muller (pictured left) of the Embedded Systems Institute (The Netherlands) gave a provocative yet inspiring talk on the relationship between formal methods and the systems engineering of complex computerized systems. He believes that the meaning of the word "formal" has become overloaded and very unclear, particularly in industry, where it is often used to qualify the development process rather than the mathematical rigor that is the topic of the FM conference. He claims that formal methods are well suited to prescribed, homogeneous domains, but that systems engineering, which integrates specialized engineering disciplines, is by nature informal rather than formal. He used the development of a wafer stepper as an example to illustrate this point, zooming in on one concrete property of the system, the required optical resolution, and showing that many potential decisions in many design dimensions can affect this property by orders of magnitude. He believes it is impossible to create a (formal) model that captures all these aspects in such a way that it can usefully be subjected to rigorous mathematical analysis. He conjectures that the added value of formal methods lies primarily in the skills of the people using them: they are analytical, structured, firm in principle and consistent. With these skills, such individuals can play an important role in the informal, multi-disciplinary systems engineering process, but not necessarily by using mathematical models or applying rigorous analysis techniques.
Alexander Pretschner (pictured left) of ETH Zürich (Switzerland) took a critical look at model-based testing (MBT). The proposition of MBT is that the quality of the test process can be increased by creating abstract formal models of the system under test. These models are then used to create test sets (semi-)automatically, which should lead to better coverage and more errors found; since this is a largely automated process, test efficiency should also increase. He has tried to find evidence to support the perceived benefits of this approach and concludes that such evidence in fact does not exist: virtually no quantitative comparative research against traditional testing and inspection approaches has been performed. He executed a few experiments in an industrial setting to fill this gap. The results were surprising: the rate of errors found in both the system requirements and the code did increase compared to traditional testing, but the automation did not improve effectiveness as expected. The abstraction of the test model fundamentally limits the attainable coverage, and automation (the generation of test cases) is limited to the syntactic level. Although the study is too small to draw general conclusions, it is already clear from the experiments that the benefits of MBT should not be taken for granted. While MBT does not in general outperform traditional means of testing, checking the conformance of implementations against an explicit model of the system under test, developing that model, and generating the associated test cases do provide additional quality assurance for the system specification.
Margus Veanes (pictured left) of Microsoft (USA) presented a practical model-based testing tool called Spec Explorer. This tool enables modelling and automatic testing of concurrent object-oriented systems written in Spec#. Spec Explorer is used daily by several Microsoft product groups to test operating system components and Web service infrastructure. As an experiment, they had two teams test some components of the Windows operating system, one using a traditional approach, the other using Spec Explorer. The model-based approach supported by Spec Explorer found roughly ten times more errors than the traditional approach. The total effort spent was roughly identical for both, but model-based testing helped to discover twice as many design issues as bugs in the implementation, so the technique paid off already in the design phase. Only half of the errors found were actual errors in the system under test (SUT); the other half were due to mistakes in the informal requirements, in the model itself, or bugs in the test harness. However, the errors that were found in the system under test were deep system-level bugs for which manual test cases would have been hard to construct. The comparison also demonstrated to the developers and testers that code coverage is a poor measure for the testing of concurrent software: often a single execution thread gives the same coverage. In fact, Margus claims that a good measure for code coverage does not yet exist.
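Both talks above turn on the same mechanics: an abstract model of the system under test, test sequences generated from that model, and an implementation driven in lock-step with the model so that every divergence is reported. The following added example (not Spec Explorer, and not code from either speaker's experiments) does this for a constructed login handler with account lockout: `model_step` is the specification, `generate_tests` derives one sequence per model transition by breadth-first search, and `conformance_failures` runs a given implementation against the model. `LeakyLoginHandler` carries a planted bug (lockout enforced only on the failure path) so that a failing conformance run can be seen; all class and function names are the example's own.

```python
"""Model-based testing in miniature: a finite-state model of a login handler with
account lockout, test sequences generated to cover every model transition, and
conformance checking of implementations against the model.  Added example; not
Spec Explorer and not code from the experiments reported above.  The model, both
implementations and the planted bug are constructed for illustration."""
from collections import deque
from typing import Callable, Dict, List, Optional, Tuple

MAX_FAILS = 3
ACTIONS = ("login_ok", "login_fail", "logout", "unlock")
ModelState = Tuple[str, int]             # (mode, consecutive failed logins)
INITIAL: ModelState = ("idle", 0)


def model_step(state: ModelState, action: str) -> ModelState:
    """The specification: expected state after `action`, defined for every pair."""
    mode, fails = state
    if mode == "idle":
        if action == "login_ok":
            return ("authenticated", 0)
        if action == "login_fail":
            return ("idle", fails + 1) if fails + 1 < MAX_FAILS else ("locked", MAX_FAILS)
        return state                             # logout/unlock: no effect
    if mode == "authenticated":
        return ("idle", 0) if action == "logout" else state
    return ("idle", 0) if action == "unlock" else state   # mode == "locked"


class LoginHandler:
    """Implementation intended to conform to the model."""
    def __init__(self) -> None:
        self.mode, self.failures = "idle", 0

    def login(self, password_ok: bool) -> None:
        if self.mode != "idle":                  # locked or already logged in
            return
        if password_ok:
            self.mode, self.failures = "authenticated", 0
        else:
            self.failures += 1
            if self.failures >= MAX_FAILS:
                self.mode = "locked"

    def logout(self) -> None:
        if self.mode == "authenticated":
            self.mode, self.failures = "idle", 0

    def unlock(self) -> None:
        if self.mode == "locked":
            self.mode, self.failures = "idle", 0


class LeakyLoginHandler(LoginHandler):
    """Planted bug: lockout is enforced only on the failure path, so a correct
    password still logs in while the account is locked."""
    def login(self, password_ok: bool) -> None:
        if password_ok:
            if self.mode != "authenticated":
                self.mode, self.failures = "authenticated", 0
            return
        super().login(False)


def generate_tests() -> List[List[str]]:
    """One test per (model state, action): the shortest path to the state (BFS over
    the model) followed by the action, so every model transition is exercised."""
    path: Dict[ModelState, List[str]] = {INITIAL: []}
    queue = deque([INITIAL])
    while queue:
        s = queue.popleft()
        for a in ACTIONS:
            t = model_step(s, a)
            if t not in path:
                path[t] = path[s] + [a]
                queue.append(t)
    return [path[s] + [a] for s in path for a in ACTIONS]


# Adapter from abstract model actions to concrete calls on the implementation.
DRIVE: Dict[str, Callable[[LoginHandler], None]] = {
    "login_ok": lambda sut: sut.login(True),
    "login_fail": lambda sut: sut.login(False),
    "logout": lambda sut: sut.logout(),
    "unlock": lambda sut: sut.unlock(),
}


def run_test(make_sut: Callable[[], LoginHandler], seq: List[str]) -> Optional[str]:
    """Run one sequence on a fresh SUT in lock-step with the model; report the
    first divergence, or None if the SUT agrees with the model throughout."""
    sut, expected = make_sut(), INITIAL
    for i, action in enumerate(seq):
        expected = model_step(expected, action)
        DRIVE[action](sut)
        observed = (sut.mode, sut.failures)
        if observed != expected:
            return f"after {seq[:i + 1]}: expected {expected}, got {observed}"
    return None


def conformance_failures(make_sut: Callable[[], LoginHandler]) -> List[str]:
    """All divergences between the model and the given implementation."""
    return [f for f in (run_test(make_sut, seq) for seq in generate_tests()) if f]
```

Calling `conformance_failures(LeakyLoginHandler)` over the 20 generated sequences reveals the planted bug as a single divergence, `expected ('locked', 3), got ('authenticated', 0)` after three failed logins followed by one correct password, while `conformance_failures(LoginHandler)` returns an empty list. Two caveats from the talks are visible here. The model abstracts the password to ok/fail, so an implementation that, say, accepts an empty password cannot be caught by any sequence generated from this model: that is the coverage limit imposed by the abstraction. And a divergence only says that model and implementation disagree; as in the Microsoft experiment, the fault may lie in the requirements, the model or the adapter (`DRIVE`) rather than in the system under test.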
The panel discussion led to the conclusion that formal methods are still far from mainstream technology at the moment. Instead, they seem to play an increasingly important role in certain niche areas. Their economic value is certainly demonstrated in those cases, although in general real cost/benefit analyses and comparisons to other approaches are seldom made, or are at best very limited in scope. The formal methods community has a responsibility to make its impact more quantifiable; this requires gathering more quantitative evidence from experiments, but such work is typically rejected as not being “interesting research”. There seems to be a big difference in mental attitude between the hardware and software communities. In the former, the use of formal techniques is well established, possibly because product liability claims are of real economic significance. In the software community, product liability is typically waived and end-users still seem to accept that fact. The open question raised in the discussion was whether the uptake of formal methods in mainstream software engineering is indeed hindered by that fact. The suggestion was made that in particular in the area of embedded software, where the borderline between hardware and software is inherently less obvious, this attitude is in fact changing. The quality demands posed on those types of systems, for example in the automotive domain, are typically identical to those for hardware, and product liability is indeed a real concern there. Some participants claimed that “correct by construction” is now feasible at a cost similar to traditional approaches while providing inherently better quality levels than traditional development. In the long run, the use of formal methods is not a matter of choice but a matter of survival in a rapidly evolving economic marketplace.

More information on ForTIA can be found at http://www.fortia.org. This web-site also contains slides of all the talks mentioned above. Extended abstracts of the talks can be found in the proceedings of FM 2005, volume 3582 of the well-known Lecture Notes in Computer Science series.