Combining Formal & Agile Methods
KeY Symposium 2010, 25 May 2010
David Faragó, LFM
Outline: Motivation and Introduction; Discussion
KIT – University of the State of Baden-Wuerttemberg and National Research Center of the Helmholtz Association, www.kit.edu
Intro: AM
Iterative software development: requirements and solutions evolve
• a set of engineering best practices
• rapid delivery of high-quality software
Agile values defined in the Agile Manifesto [Fowler, Martin et al. 2001]:
• individuals and interactions over processes and tools
• working software over comprehensive documentation
• customer collaboration over contract negotiation
• responding to change over following a plan
Key requirements:
• rapid delivery of working software
• flexibility towards changes
David Faragó – FM & AM 2 25.05.2010 www.kit.edu
Motivation
FM & AM: two major means for better quality of software
FM can improve AM and vice versa, see below
Fraction of organizations that have adopted AM: 2/3 [Ambler, Scott 2008]; 1/3 [Forrester 2009], mentioned in [Black, Sue et al. 2008]
Events:
• 2007: Reiner's talk at the KeY Symposium 2007 about FM & AM: "FM align very well with some AM principles"
• 2009: FM+AM workshop founded; Agile Conference: 40% growth
• [Rainsberger, J.B. 2009]: "Contract-based testing should replace integration tests in agile development"
• [OpenDO 2009]: Project AGILE about agile development of safety-critical software; certification for DO-178B and others
Intro: Agile process (Scrum & XP example)
[Figure: Scrum/XP sprint cycle with the points where FM hook in. Recoverable elements of the diagram:]
• backlogs; sprint of 1-4 weeks; tasks of 1-2 man-days
• per task: rough analysis & design, detailed (re-)design, specification, tests, implementation, each with refactoring
• Continuous Integration (CI) via regression testing and FM: simple static analysis, e.g. JMLUnit, FindBugs, VBT, MBT
• debugging via symbolic execution debugger and counterexample generation
• products: potentially shippable, done sprints; incremented product
AM deficits
• too little specification and documentation
• no knowledge of purpose and direction while navigating through code (e.g. in pair programming)
• difficult to distribute and re-use components
• refactoring code often causes defects
• tracing back from low-level artifact to high-level requirements
• deceptive and insufficient test coverage
• test cases are inflexible and require high maintenance
Exemplary FM that address them
• contracts; assertions; LTSs (labelled transition systems)
• refactoring & JML [Kiniry, Joseph 2009]
• RAC (runtime assertion checking)
• JMLUnit
• FindBugs
• SBMC
• MBT (model-based testing)
• VBT (verification-based testing)
• counterexample generation
• symbolic execution debugger
FM deficits, and what AM offers against them
• often do not scale; infeasible
  • high modularization
  • restricted, small increments
  • cleaner code
• many faults found during verification are caused by errors in the specification
  • continuous conformance checks of spec and code
  • pair programming
  • reviews
  • validation via customer feedback
• heavy-weight: inflexible & restricted application areas; big design up front
  • rapid delivery of increments, also applied to the specification
To boldly go agile, KeY must address:
• strong modularization and abstraction (for flexibility and rapid delivery)
• proof re-use (for the ten-minute build)
• VBT, counterexample generation, symbolic execution debugger
• tool integration (e.g. into Eclipse)
• JML (refactoring, TDD, contract-based testing, debugging)
• high degree of automation (for light-weight FM)
• flexible tool chaining and language support (full Java with generics, soon closures; other languages)
Most of them are being addressed already.
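What contract-based testing looks like in practice, for the "contracts; assertions; RAC; JMLUnit" entries of the AM-deficits slide and the "JML (refactoring, TDD, contract-based testing)" item above. This is an added example, not code from the slides or from the KeY project: a small login throttle specified in JML, a plausible refactoring of it that silently breaks a postcondition, and a harness that replays the contract over every reachable state, which is what JMLUnit generates automatically and what RAC checks on every call. The class names, the threshold of 5 and the harness are constructed for illustration. Under plain javac the JML comments are inert and the harness does the checking (run with `java -ea`); under OpenJML's runtime assertion checking mode (`-rac`) the annotations themselves would raise the violation.

```java
import java.util.function.Supplier;

/** Added example: a JML-specified unit, a faulty refactoring, and a contract-based test. */
public class ContractDemo {

    /** The contract is the specification; everything below is checked against it. */
    public interface Throttle {
        int MAX_FAILURES = 5;                              // constructed lockout threshold

        //@ ensures \result == (failures() >= MAX_FAILURES);
        /*@ pure @*/ boolean isLocked();

        //@ ensures 0 <= \result && \result <= MAX_FAILURES;
        /*@ pure @*/ int failures();

        //@ requires !isLocked();
        //@ ensures failures() == \old(failures()) + 1;
        void recordFailure();

        //@ ensures failures() == 0;
        void recordSuccess();
    }

    /** Original implementation: conforms to the contract. */
    public static class LoginThrottle implements Throttle {
        private int failures = 0;
        public boolean isLocked()     { return failures >= MAX_FAILURES; }
        public int failures()         { return failures; }
        public void recordFailure()   { failures++; }
        public void recordSuccess()   { failures = 0; }
    }

    /** A "refactoring" that reads as an improvement (gradual decay instead of a hard reset)
     *  but violates 'ensures failures() == 0'. A single happy-path unit test would pass. */
    public static class DecayingThrottle implements Throttle {
        private int failures = 0;
        public boolean isLocked()     { return failures >= MAX_FAILURES; }
        public int failures()         { return failures; }
        public void recordFailure()   { failures++; }
        public void recordSuccess()   { failures = Math.max(0, failures - 1); }
    }

    /** Contract-based test: drive a fresh instance into every state that satisfies the
     *  precondition of recordFailure, then check each ensures clause and the range invariant.
     *  Returns null when the implementation conforms, otherwise the first violated clause. */
    public static String checkContract(Supplier<Throttle> factory) {
        for (int before = 0; before < Throttle.MAX_FAILURES; before++) {
            Throttle t = factory.get();
            for (int i = 0; i < before; i++) t.recordFailure();          // reach state failures()==before

            if (t.isLocked() != (t.failures() >= Throttle.MAX_FAILURES))
                return "isLocked: ensures \\result == (failures() >= MAX_FAILURES)";

            int old = t.failures();                                      // \old(failures())
            t.recordFailure();                                           // precondition holds: before < MAX
            if (t.failures() != old + 1)
                return "recordFailure: ensures failures() == \\old(failures()) + 1";
            if (t.failures() < 0 || t.failures() > Throttle.MAX_FAILURES)
                return "failures: ensures 0 <= \\result <= MAX_FAILURES";
            if (t.failures() == Throttle.MAX_FAILURES && !t.isLocked())
                return "isLocked: must lock at MAX_FAILURES";

            t.recordSuccess();
            if (t.failures() != 0)
                return "recordSuccess: ensures failures() == 0 (got " + t.failures()
                       + " from " + (old + 1) + ")";
        }
        return null;
    }

    public static void main(String[] args) {
        String a = checkContract(LoginThrottle::new);
        String b = checkContract(DecayingThrottle::new);
        System.out.println("LoginThrottle:    " + (a == null ? "conforms to contract" : a));
        System.out.println("DecayingThrottle: " + (b == null ? "conforms to contract" : b));
    }
}
```

The point of the harness is the one Rainsberger makes: the unit is tested against its own contract in every reachable state, so no integration test through the login flow is needed to find the regression, and the first iteration (one failure, then success) passes for both implementations, which is exactly the case a hand-written example test would cover.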
Thank you for your attention
References
Ambler, Scott (2008). Has agile peaked? Dr. Dobb's, May 07, 2008. http://www.ddj.com/architecture-and-design/207600615
Black, Sue et al. (2008). Formal Versus Agile: Survival of the Fittest. IEEE Computer, vol. 42.9, 37-45, IEEE Computer Society Press.
C3 Team (1998). Chrysler goes to "Extremes". Distributed Computing, October 1998, 24-26.
Forrester (2009). Agile Development Method Growing in Popularity. http://www.internetnews.com/dev-news/print.php/3841571
Fowler, Martin et al. (2001). Agile Manifesto. http://agilemanifesto.org
Jeffries, Ron et al. (2000). Extreme Programming Installed. Addison-Wesley.
Kiniry, Joseph (2009). MSc proposal: Automated Refactoring of Java Contracts. http://secure.ucd.ie/documents/proposals/msc_proposals/Hull09.pdf
OpenDO (2009). Project AGILE. http://www.open-do.org/projects/agile/
Rainsberger, J.B. (2009). Integration Tests are a Scam. Agile 2009 Conference.
Takeuchi, Hirotaka and Nonaka, Ikujiro (1986). The New New Product Development Game. Harvard Business Review.
Example: MBT & AM
• MBT for CI, TDD and communication, using only one kind of spec (e.g. symbolic transition systems)
• MBT must be flexible and without BDUF: underspecification must be comfortable, efficiently handled, flexible
• → AM also for the specifications
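The slide above asks for MBT over a symbolic transition system in which underspecification is cheap to express. As an added example that is not from the slides or from the KeY project, the following shows one way to do that: the model is a transition function over a control location plus a data variable (the failure counter), each step returns the set of outputs the spec allows, and a set with more than one element is the underspecification. Tests are generated on the fly by a seeded random walk over the model and checked against an implementation under test by set membership. The authentication scenario, the lockout threshold of 2, the output names and the injected bug are all constructed for illustration (Java 9+ for Set.of).

```java
import java.util.*;

/** Added example: MBT against a symbolic transition system with underspecified outputs. */
public class MbtDemo {
    enum State { LOGGED_OUT, LOGGED_IN, LOCKED }
    enum Input { LOGIN_OK, LOGIN_BAD, LOGOUT, REQUEST }
    static final int MAX_BAD = 2;                     // constructed lockout threshold

    /** Model state = control location + data variable (the "symbolic" part of the STS). */
    static final class ModelState {
        State loc = State.LOGGED_OUT;
        int bad = 0;
    }

    /** The spec: advance the model on input 'in' and return the outputs the spec allows.
     *  A set with several elements is deliberate underspecification, left open for later sprints. */
    static Set<String> step(ModelState m, Input in) {
        if (m.loc == State.LOCKED) return Set.of("locked");                  // absorbing state
        if (m.loc == State.LOGGED_OUT) {
            switch (in) {
                case LOGIN_OK:  m.loc = State.LOGGED_IN; m.bad = 0; return Set.of("session");
                case LOGIN_BAD: if (++m.bad >= MAX_BAD) { m.loc = State.LOCKED; return Set.of("locked"); }
                                return Set.of("denied");
                case LOGOUT:    return Set.of("noop", "denied");             // not yet decided with the customer
                case REQUEST:   return Set.of("denied", "redirect");         // either behaviour acceptable
            }
        }
        switch (in) {                                                        // LOGGED_IN
            case LOGIN_OK:  return Set.of("session", "already");             // re-login: underspecified
            case LOGIN_BAD: return Set.of("denied");                         // does not count towards lockout
            case LOGOUT:    m.loc = State.LOGGED_OUT; m.bad = 0; return Set.of("bye");
            case REQUEST:   return Set.of("ok");
        }
        throw new IllegalStateException("unreachable");
    }

    interface Sut { String apply(Input in); }

    /** Constructed implementation under test. forgetLockout=true injects a real bug:
     *  the failure counter is incremented but never acted upon, so no account is ever locked. */
    static final class AuthServer implements Sut {
        private final boolean forgetLockout;
        private boolean loggedIn, locked;
        private int bad;
        AuthServer(boolean forgetLockout) { this.forgetLockout = forgetLockout; }

        public String apply(Input in) {
            if (locked) return "locked";
            if (!loggedIn) {
                switch (in) {
                    case LOGIN_OK:  loggedIn = true; bad = 0; return "session";
                    case LOGIN_BAD: bad++;
                                    if (!forgetLockout && bad >= MAX_BAD) { locked = true; return "locked"; }
                                    return "denied";
                    case LOGOUT:    return "noop";
                    case REQUEST:   return "redirect";
                }
            }
            switch (in) {
                case LOGIN_OK:  return "already";
                case LOGIN_BAD: return "denied";
                case LOGOUT:    loggedIn = false; bad = 0; return "bye";
                case REQUEST:   return "ok";
            }
            throw new IllegalStateException("unreachable");
        }
    }

    /** On-the-fly test generation: random walk over the model, SUT output must lie in the allowed set.
     *  Returns null if 'steps' steps conform, else the first violation together with its trace. */
    static String randomWalk(Sut sut, long seed, int steps) {
        Random rnd = new Random(seed);
        ModelState m = new ModelState();
        Input[] alphabet = Input.values();
        List<String> trace = new ArrayList<>();
        for (int i = 0; i < steps; i++) {
            Input in = alphabet[rnd.nextInt(alphabet.length)];
            Set<String> allowed = step(m, in);
            String out = sut.apply(in);
            trace.add(in + "/" + out);
            if (!allowed.contains(out))
                return "step " + i + ": output '" + out + "' not in " + allowed + "; trace " + trace;
        }
        return null;
    }

    public static void main(String[] args) {
        System.out.println("correct server: " + randomWalk(new AuthServer(false), 42L, 200));
        System.out.println("buggy server:   " + randomWalk(new AuthServer(true), 42L, 200));
    }
}
```

Two design choices matter for the agile use the slide has in mind. Underspecification costs one extra literal in a set, so a spec can ship with open points and be tightened in a later sprint without touching the generator or the SUT. And because the model's successor state never depends on which of the allowed outputs the implementation chose, the walk stays sound without output-driven state reconstruction; once a choice is fixed by the customer, the set shrinks and the same random walks become stricter regression tests for CI.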