I've been thinking about using formal methods to help clarify the requirements for the tool for both my client and the developers.
Very few developers have formal methods experience. The only time I've seen clients with formal methods training were members of the ZUG when we were porting CADiZ to Windows.
By formal methods I mean some form of modeling, possibly something mathematically-based. Some of the things I've read about and are considering include Z (http://en.wikipedia.org/wiki/Z_notation), state machines, UML 2.0 (possibly with extensions such as OCL), Petri nets, and some coding-level stuff like contracts and pre and post conditions. Is there anything else I should consider?
There's a very large gap between Z, which is a formal method, taking its basis in set theory, and UML, which is a informal notation with some semi-formal notations (state machines) tagged on.
Some technical clients, such as you'd expect to find using a software requirements tool, are quite comfortable with UML.
There may be value creating a Z model of your domain, and there may be value in creating a pi-calculus model of your messaging between client and server (or petri-net, but I find pi is both simpler and more powerful).
What a Z model of your domain would give is an implementation independent set of type constraints, expressed more powerfully than the type system of any common implementation language.
What a formal model of your messaging would give you is the facility to run analyses to ensure you don't lose updates or get conflicts or deadlocks.
What a UML model gives you is a notation for breaking a large system up into function areas (package diagrams), of showing how classes in those areas relate to each other statically (class diagrams), of showing how instances of those classes relate dynamically (sequence, activity and interaction diagrams), and showing how the packages are deployed (component and deployment diagrams). These are useful for communication in the team, and to get ideas fleshed out a bit, but don't have formally defined semantics which allows very sophisticated analysis.
The Z specialists I worked with in the '90s considered the idea of specifying a CASE GUI in Z ridiculous. Creating a UML model for such a GUI is commonplace.
I haven't used formal design-by-contract pre and post conditions, though I do sometimes add them in comments, and frequently in assertions, and I unit test conditions which might violate them.
In general you should use what the team is comfortable with. With new items there is going to be a learning curve, which means there are going to be questions about the process and mistakes made. Part of your development timeline will be used to correct these problems, and if you aren't planning on using them with this team in the future, really you're not going to have a long term gain by introducing something new. Change process takes a long time and a lot of work.
If you have estimated enough time to handle these problems you might be ok.....if your estimation is correct. Considering that you haven't worked with these people (at least that is what your post sounds like), chances are your timeline isn't going to be as accurate as it should which mean you could have not allocated enough time to finish the project let alone introducing a new process.
The other question you have to ask your self is "how comfortable are you with the process you want to implement?" I never try and introduce a new process on a project unless I know that I can pull the team through it if I have to. Trying new things from time to time is good, but you need to have a team you are comfortable with to know how to navigate out of a tight situation.
I've been looking at several approaches to 'lightweight' formal methods, for applications that may be mission-critical, but not life/safety critical. Some ideas:
有一些使用 ACSL(ANSI C 规范语言)的成功示例,它拥有成熟的工具集,其中大多数是开源的,例如 Why 平台、Frama-C。 对于Java来说类似的技术称为JML(Java Modeling Language)。 我认为两者都用于嵌入式应用程序的中小型项目,它们有助于在代码中添加一些保证,但并不是为了验证规范。 Z 绝对不是用户友好的,并且缺乏足够的工具支持恕我直言。
在可用于规范阶段的商业工具中,我会考虑基于 B 方法的 Rodin 平台。
There are some successful examples of using ACSL (ANSI C Specification Language) that has mature set of tools most of which are Open Source such as Why platform, Frama-C. For Java similar technology called JML (Java Modelling Language). I think both are used for small to medium size projects for embedded applications and they help to add some guarantees into your code but are not aimed at validating specifications. Z is absolutely not user-friendly and lack adequate tool support IMHO.
Among commercial tools that can be used on specification stages I would look into Rodin platform that is based on B-method.
在游戏后期,您可能会考虑类似 通过 Savara 进行测试的架构,我们在许多项目中使用它组件之间的通信或交互占主导地位。 这在 Web 前端的任何 SOA 后端中最常见。
它正式以 pi 演算为基础,您无需了解 pi 演算即可使用它。
Late in the game here but you might consider something like testable architecture through Savara which we use for many projects where there is a predominance of communication or interaction between components. This is most often seen in any SOA backend to a web frontend.
It is formally grounded in pi-calculus and you don't need to understand pi-calculus to use it.
I agree totally with Tom and ask the same question,
Will the productivity and outcome outweigh the complexity and learning needed?
In my opinion unless the system/software can be identified as “safety-critical” formal methods are unnecessary.
What safety-critical mean:
When the failure of a computer system can lead to catastrophic consequences, such as the loss of human life, damage to the environment, or damage to the system itself, such a system is known as “safety-critical”.
I agree with both Tom and Abufardeh - Will the productivity and outcome outweigh the complexity and learning needed?
Also, is this methd better for getting ALL the requirements before development (amd ensuring these requirements are both well-defined and testable)? Getting all the requirments first seems like common sense, but a large percentage of programs do things in parallel thinking it's no problem to get some requirements later. Requirements creep is a nightmare! The movie "The Pentagon Wars" is an eye-opener to anybody who disagrees.
发布评论
评论(8)
很少有开发人员拥有正式方法的经验。 我唯一一次看到接受过正式方法培训的客户是 ZUG 成员,当时我们正在移植 CADiZ 到 Windows。
Z 是一种以集合论为基础的形式化方法,而 UML 是一种带有一些半形式化符号(状态机)标记的非正式符号,两者之间存在很大差距。
一些技术客户(例如您期望使用软件需求工具的客户)对 UML 非常满意。
创建域的 Z 模型可能有价值,并且为客户端和服务器之间的消息传递创建 pi 演算模型可能有价值(或 petri-net,但我发现 pi 更简单且更强大)。
您的域的 Z 模型将提供一组独立于实现的类型约束,其表达方式比任何常见实现语言的类型系统都更强大。
正式的消息传递模型将为您提供运行分析的功能,以确保您不会丢失更新或发生冲突或死锁。
UML 模型为您提供的是一种符号,用于将大型系统分解为功能区域(包图),显示这些区域中的类如何静态地相互关联(类图),显示这些类的实例如何动态地关联(序列图、活动图和交互图),并显示包的部署方式(组件图和部署图)。 这些对于团队中的沟通很有用,并且可以使想法更加充实,但没有正式定义的语义,无法进行非常复杂的分析。
90 年代与我共事的 Z 专家认为在 Z 中指定 CASE GUI 的想法很荒谬。 为这样的 GUI 创建 UML 模型是很常见的。
我没有使用正式的按合同设计的前置和后置条件,尽管我有时会在注释中添加它们,并且经常在断言中添加它们,并且我对可能违反它们的条件进行单元测试。
Very few developers have formal methods experience. The only time I've seen clients with formal methods training were members of the ZUG when we were porting CADiZ to Windows.
There's a very large gap between Z, which is a formal method, taking its basis in set theory, and UML, which is a informal notation with some semi-formal notations (state machines) tagged on.
Some technical clients, such as you'd expect to find using a software requirements tool, are quite comfortable with UML.
There may be value creating a Z model of your domain, and there may be value in creating a pi-calculus model of your messaging between client and server (or petri-net, but I find pi is both simpler and more powerful).
What a Z model of your domain would give is an implementation independent set of type constraints, expressed more powerfully than the type system of any common implementation language.
What a formal model of your messaging would give you is the facility to run analyses to ensure you don't lose updates or get conflicts or deadlocks.
What a UML model gives you is a notation for breaking a large system up into function areas (package diagrams), of showing how classes in those areas relate to each other statically (class diagrams), of showing how instances of those classes relate dynamically (sequence, activity and interaction diagrams), and showing how the packages are deployed (component and deployment diagrams). These are useful for communication in the team, and to get ideas fleshed out a bit, but don't have formally defined semantics which allows very sophisticated analysis.
The Z specialists I worked with in the '90s considered the idea of specifying a CASE GUI in Z ridiculous. Creating a UML model for such a GUI is commonplace.
I haven't used formal design-by-contract pre and post conditions, though I do sometimes add them in comments, and frequently in assertions, and I unit test conditions which might violate them.
这里要问的真正问题不是是否使用它们,而是得到什么和失去什么。
生产力和成果会超过复杂性和所需的学习吗?
The true question to ask here is not whether to use them or not, but what is gained and lost.
Will the productivity and outcome outweigh the complexity and learning needed?
一般来说,您应该使用团队熟悉的内容。 对于新项目,将会有一个学习曲线,这意味着会对过程和所犯的错误产生疑问。 您的开发时间表的一部分将用于纠正这些问题,如果您不打算将来在这个团队中使用它们,那么实际上您不会通过引入新的东西来获得长期收益。 改变过程需要很长的时间和大量的工作。
如果您估计有足够的时间来处理这些问题,那么您可能没问题......如果您的估计是正确的。 考虑到您没有与这些人合作过(至少您的帖子听起来是这样),您的时间表可能不会像应有的那么准确,这意味着您可能没有分配足够的时间来完成该项目更不用说引入新流程了。
您必须问自己的另一个问题是“您对要实施的流程感到满意吗?” 我从不尝试在项目中引入新流程,除非我知道如果必要的话我可以带领团队完成它。 时不时地尝试新事物固然很好,但你需要有一个让你感到舒服的团队,知道如何摆脱困境。
In general you should use what the team is comfortable with. With new items there is going to be a learning curve, which means there are going to be questions about the process and mistakes made. Part of your development timeline will be used to correct these problems, and if you aren't planning on using them with this team in the future, really you're not going to have a long term gain by introducing something new. Change process takes a long time and a lot of work.
If you have estimated enough time to handle these problems you might be ok.....if your estimation is correct. Considering that you haven't worked with these people (at least that is what your post sounds like), chances are your timeline isn't going to be as accurate as it should which mean you could have not allocated enough time to finish the project let alone introducing a new process.
The other question you have to ask your self is "how comfortable are you with the process you want to implement?" I never try and introduce a new process on a project unless I know that I can pull the team through it if I have to. Trying new things from time to time is good, but you need to have a team you are comfortable with to know how to navigate out of a tight situation.
我一直在研究几种“轻量级”形式化方法,适用于可能是关键任务但不是生命/安全关键的应用程序。 一些想法:
I've been looking at several approaches to 'lightweight' formal methods, for applications that may be mission-critical, but not life/safety critical. Some ideas:
有一些使用 ACSL(ANSI C 规范语言)的成功示例,它拥有成熟的工具集,其中大多数是开源的,例如 Why 平台、Frama-C。 对于Java来说类似的技术称为JML(Java Modeling Language)。 我认为两者都用于嵌入式应用程序的中小型项目,它们有助于在代码中添加一些保证,但并不是为了验证规范。 Z 绝对不是用户友好的,并且缺乏足够的工具支持恕我直言。
在可用于规范阶段的商业工具中,我会考虑基于 B 方法的 Rodin 平台。
There are some successful examples of using ACSL (ANSI C Specification Language) that has mature set of tools most of which are Open Source such as Why platform, Frama-C. For Java similar technology called JML (Java Modelling Language). I think both are used for small to medium size projects for embedded applications and they help to add some guarantees into your code but are not aimed at validating specifications. Z is absolutely not user-friendly and lack adequate tool support IMHO.
Among commercial tools that can be used on specification stages I would look into Rodin platform that is based on B-method.
在游戏后期,您可能会考虑类似 通过 Savara 进行测试的架构,我们在许多项目中使用它组件之间的通信或交互占主导地位。 这在 Web 前端的任何 SOA 后端中最常见。
它正式以 pi 演算为基础,您无需了解 pi 演算即可使用它。
Late in the game here but you might consider something like testable architecture through Savara which we use for many projects where there is a predominance of communication or interaction between components. This is most often seen in any SOA backend to a web frontend.
It is formally grounded in pi-calculus and you don't need to understand pi-calculus to use it.
我完全同意汤姆的观点,并提出同样的问题,
生产力和结果会超过复杂性和所需的学习吗?
在我看来,除非系统/软件可以被识别为“安全关键”,否则正式方法是不必要的。
安全关键是什么意思:
当计算机系统的故障可能导致灾难性后果,例如人员伤亡、环境破坏或系统本身损坏时,这样的系统被称为“安全关键” 。
I agree totally with Tom and ask the same question,
Will the productivity and outcome outweigh the complexity and learning needed?
In my opinion unless the system/software can be identified as “safety-critical” formal methods are unnecessary.
What safety-critical mean:
When the failure of a computer system can lead to catastrophic consequences, such as the loss of human life, damage to the environment, or damage to the system itself, such a system is known as “safety-critical”.
我同意 Tom 和 Abufardeh 的观点——生产力和结果会超过复杂性和所需的学习吗?
另外,这种方法是否可以更好地在开发之前获取所有需求(amd 确保这些需求都定义良好且可测试)? 首先获取所有需求似乎是常识,但很大一部分程序并行执行操作,认为稍后获取一些需求没有问题。 需求的蔓延是一场噩梦! 电影《五角大楼战争》让任何持不同意见的人大开眼界。
I agree with both Tom and Abufardeh - Will the productivity and outcome outweigh the complexity and learning needed?
Also, is this methd better for getting ALL the requirements before development (amd ensuring these requirements are both well-defined and testable)? Getting all the requirments first seems like common sense, but a large percentage of programs do things in parallel thinking it's no problem to get some requirements later. Requirements creep is a nightmare! The movie "The Pentagon Wars" is an eye-opener to anybody who disagrees.