Formal Methods  An Overview

Author
marcobonanno 
Category
Documents

view
236 
download
0
Embed Size (px)
Transcript of Formal Methods  An Overview

8/3/2019 Formal Methods  An Overview
1/25
Formal Methods: An Overview1
Formal MethodsAn Overview
Introduction
The task of minimizing human errors in building an artifact increases the trust in it, thus
increasing its usage. This is true especially if failure implies losses of any kind. This can
be seen in the construction of bridges. In the early bridge constructions the load that amaterial could withstand or the effect the elements had upon the structure of the bridge
being constructed were probably not considered. As time progressed, the need to prevent
disasters due to the falling of bridges led to more disciplined bridge constructions. For
example, the study of materials was applied to find the best material that can withstand aparticular load. The best structure that can withstand powerful winds and the most
effective way how to join the materials together are all part of the new form of bridge
construction. This process of human error minimization led to a much a less occurrenceof bridge disaster and a higher trust in these structures.
This argument can be applied to all fields in engineering (including hardware
construction) and the building of software. The more complex the system the larger thediscipline needed in the construction of the systems. The study of how to discipline the
construction of software is software engineering. Software engineering, describes the
different ways how to design, build, test and maintain the software. When this knowledgeis applied correctly, the construction of software cost and time can be reduced
dramatically.
Among the repertoire of techniques and ideas in software engineering that can be used to
build software, there is a family of techniques that specify, design and verify software
(and hardware) with mathematical rigor. This means that the statements describing thespecification and design are written using wellformed formulae in a particular calculus.Thus, one can reason more effectively on these descriptions and deduce new facts by
using the axioms and inference rules of the calculus. Such facts include properties that
are true for a given set of inputs. [1]
Two important properties are safety and liveliness properties. Consider the case of the
design of a scheduler. First, the design is encoded as logic formulae in a particularcalculus. By using the theorems and axioms of the calculus one can arrive at a property of
the scheduler stating that the scheduler is mutually exclusive (no two processes can be in
a critical section at the same time). This is a safety property since its shows that the
scheduler is safe from entering incorrect states (in this case the incorrect state is that ofhaving nonmutual exclusion). If a fact can be proved showing that a process waiting to
be scheduled will eventually be executed, then a liveliness property of the scheduler has
been proved. A liveliness property shows that good states will eventually be reached.From these properties one can go on to talk about partial correctness and termination
properties. A program is said to be partially correct if the program gives the correct
output when it terminates. This follows from safety properties. A program has a

8/3/2019 Formal Methods  An Overview
2/25
Formal Methods: An Overview2
termination property if it always terminates. This is a liveliness property since
termination is a good state which will eventually happen. [9]
The group of techniques described is called formal methods. When these techniques are
correctly applied, one can build software or hardware that complies perfectly with its
specification, hence behaving as it should. The effort spent in applying formal methodsreduces drastically the number of bugs found in testing and the time taken in bugfixing
[8].
Due to the complexity of certain systems, formal techniques are applied on the most
important parts of the system. For example, when building a theorem prover theapplication of formal methods will be on the section of the code which performs the
proof.
Whilst these methods help in minimizing human error in building hardware and software,one cannot regard these techniques as panaceas of hardware and software development.
There is no such thing as program that is all correct and one can expect that it is bugfree.[2] argues that the actual behavior of a program depends on the operating system, thehardware and the compiler. One can be surer on the stability of the software built in this
case by studying the behavior of the software with these three entities. Nevertheless, the
application of formal methods has been shown to produce reliable hardware and softwarethat is used in highly critical situations ranging from business applications to spacecraft
[8].
As mentioned previously, there are a number of techniques in formal methods. Not allmethods are equally good for being applied at a particular hardware or software
specification, design or implementation since each method has its own degree of
abstraction and own way how to model the artifact. For example, a method can be usedbetter to model a design at the gate level while another can model better the operation of
a circuit to its change of state in time. Thus the success of application of formal methods
depends on choosing the choice of the method [2]. This writeup is an overview on anumber of techniques used in formal methods.
The overview starts by describing the methods used in giving the semantics of formal
languages which are methods used to describe the meaning in programming languages,followed by temporal Logics: different logics with which one can reason about
statements whose truth value changes with time. An overview of Model Checking and
several methods than can be used in Model Checking such as Binary Decision Diagrams(BDDs) and timed automata are discussed. Runtime Verification, another technique
sitting in between Model Checking and testing and compiler correctness follow the
discussion. A description of the use of the functional paradigm as a metalanguage offormal logic is then given.

8/3/2019 Formal Methods  An Overview
3/25
Formal Methods: An Overview3
1. Semantics of Programming LanguagesLet us take a valid source code from a programming language. The description of the
meaning of the source code can be done at several levels. The meaning can be describedin several ways, for example using another language or describing the execution being
carried out. The different methods to represent the meaning or semantics of programminglanguages in a rigorous way fall in the field of formal semantics of programming
languages. Such methods include Algebraic Semantics, Denotational Semantics,Axiomatic Semantics and Operational Semantics [4].
1.1Algebraic SemanticsWith algebraic semantics, a program is defined as a mathematical expression. A set of
algebraic laws are written for each statement. These laws govern the behaviour of thecommand when executed. For example, the meaning of an arithmetic operator such as
multiplication can be defined in terms of the laws it obeys such as monotonicity and
associativity. The behaviour of the operator is then described algebraically [10]. Thealgebraic semantics of a programming language are divided into two parts: The domain
or values used are defined, followed by the definition of the functions on these values.
Algebraic Laws are built from the functions that define the behavior. The following
example shows the meaning of a stack data structure using algebraic semantics [2].
The domain is composed of:
NNat
Stack
},{ falsetrueBool
The functions on the domain are defined
Stackcreate :
StackStackNatpush :
StackStackpop :
NatStacktop :
BoolStackempty :
The laws describing the behavior of the stack are defined as
SSNpushpop =)),((
NSNpushtop =)),((
falseSNpushempty =)),((
truecreateempty =)(

8/3/2019 Formal Methods  An Overview
4/25
Formal Methods: An Overview4
Although only the type definition of the functions is given, the laws (or axioms) describe
the behavior. The definition of the function is irrelevant as long as the laws are obeyed.
Algebraic semantics provide the best description of ADTs such as in this case [17].
The use of such laws enables programs to be reduced to a normal form. This enables
comparison of programs. In this way it can be shown that two syntactically differentprograms can be semantically equivalent, that is they perform the same task. Ordering of
programs can also be achieved, showing if a program is more specific than another. The
laws can be used to develop and reason on a specification. This specification can then be
transformed directly from the algebra to the actual syntax of the programming language,
thus generating the source code. Algebraic transformations can be used to optimize a
given program.
Algebraic Semantics, like all methods have the following drawback: the meaning given
by the algebra is not easy to comprehend immediately. Although algebraic semantics can
give several advantages, its application in real situations involves having practical
experience in the application of these laws. More specific theorems need to be discoveredto make the application of the laws more practical.
1.2Axiomatic SemanticsThe meaning of a statement in a programming language is described by the change in the
assertions representing the state of the program. The meaning of a statement c is defined
in the following way:
}{}{ QcP
P is an assertion describing the state of the program before the execution of command c .Q is the post condition describing the state of the program after the execution of
command c . The assertions are written in a chosen logic. The entire formula means that
if c is executed, then P must be satisfied before, while Q must be satisfied after execution
[17].
Consider a program (shown in Figure 1) that computes the summation of numbers in an
arrayA . The axiomatic semantics of the program can be used to verify that the output is
correct.
Lines 1 and 11 are the preand postconditions of the program. The precondition states
that the sum of the first 0 elements ofA is 0 and that the number of elements in the arrayn is greater than 0. The postcondition states that the sum of the contents of the array is
equal to S. Line 3 states that the summation S is equal to the summation of the first I
elements inA, whereIis less than or equal to the number of elements inA.
The while loop can be entered ifI is less than n. If this is true, the summation of the first
i+1 elements must be equal to the sum of the i+1th element and the summation of the
firstIelements where i+1 is less than or equal to n. After the assignment on line 7 S must

8/3/2019 Formal Methods  An Overview
5/25
Formal Methods: An Overview5
be equal to the summation of the first i+1 elements. Line 10 states that the while loop
stops when i is equal to n.
Figure 1 A Summation program given meaning using axiomatic semantics [2]
Showing that the program is correct means showing that the pre and post conditions of
each command are true. To do this, the axioms describing the relation of the pre and post
conditions with the execution of a particular command must be used to show that the
conditions are true.
In the case of the assignment command, the axiom is
}{:]}:[{ PExExP =
This means that ifP is a post condition, then P must also be true before the execution of
the assignment given that x is substituted instead ofE. Lines 13 and 68 satisfy this
axiom.
The rule of consequence states:
}{}{
}{}{
RcP
RScQP
From this axiom, lines 58 can be written as
}1,][{1],1[:,},][{00
nIiAsIIASISnIiAsI
i
I
i+=+++=

8/3/2019 Formal Methods  An Overview
6/25
Formal Methods: An Overview6
=
===

8/3/2019 Formal Methods  An Overview
7/25
Formal Methods: An Overview7
1.3Denotational SemanticsIn denotational semantics each statement in a programming language is translated into a
denotation. A denotation is a description of the meaning in another language. To do this
the denotational semantics of a programming language is built from three parts: A
description of the syntax of the language, a semantic algebra and a set of valuationfunctions that map the syntax of the language to the semantic algebra. The functions thus
map from the syntactic domain to the semantic domain. To find the meaning of astatement we apply the valuation functions to the command. The result of the function is
an expression in the semantic algebra which denotes the meaning.
Let us give an example of the denotational semantics for the assignment and conditionalstatements. Initially, the syntax of the language is defined:
OperatorO
ExpressionE
CommandC
>

8/3/2019 Formal Methods  An Overview
8/25
Formal Methods: An Overview8
falseEec = 2
falseEvct =),(),( 2
Using these two functions the denotation of the assignment and conditional commands
can be made in the semantic algebra
]:[:: EeVEVc ==
The evaluation of E is done by applyingEand to e. When V is applied to , the valuereturned will be the evaluation ofE.
To evaluate the conditional:
trueEeccelsecthenEifc == 121
If the evaluation of E is true, the denotation of the conditional is the denotation of c1,
otherwise the denotation of c2 is the denotation of the conditional.
Denotational Semantics are useful for the theoretical study of programming languages,especially in compiler construction. The denotations do not necessarily have to be
mathematical objects but any other representation can denote the meaning, such as object
code. In fact systems can be developed that can construct compilers given the
specification in terms of denotational semantics.
1.4Operational SemanticsWith operational semantics the meaning of the program can be understood by viewing
the execution of the program itself. Operational Semantics gives the trace of program
execution. The operational semantics of a programming language is built from two parts:
the first part is similar to that of denotational semantics: a description of the syntax of thelanguage. Then the second part is the definition of an interpreter that describes the
computation. The interpreter can be seen as a function that describes the meaning of a
command c by taking c and the state of the program . is a structure containing thevariables and their corresponding values.. The operational semantics for the programming
language defined in section 1.3 will be defined. The syntactic description is the same as
that for the denotational semantics. The interpreter is defined as follows
As stated, the interpretation function tis defined as Ct: . The function
e evaluates expressions: )(: TNEv . To describe the meaning of the assignment
statement we define the t as:
)],(:[),:( evVEVt ==
The same is done for the conditional statement:
trueEvctcelsecthenEift == ),(),(),( 121

8/3/2019 Formal Methods  An Overview
9/25
Formal Methods: An Overview9
The execution trace in operational semantics can be described using a labelled transition
system. [14] defines a labelled transition system is defined as >< TLSS o ,,, where
S is the set of states
SSo is the initial state
L is the set of possible actions or events in the system
SLST is the set of transition relations.
A transition from state s to 's if there is an action or event a which is given by a
transition relation )',,( sas .
A way of showing if two transition systems are equivalent is by using bisimulation [14].
One can see if two automata are equivalent if we compare the language generated by the
two automata and so in this case, bisimulation is not that useful. However Bisimulation
is useful in picalculus, a calculus used for modelling concurrent systems, there are final
no states and thus the approach to determine equivalence used in automata cannot be
used.
Bi simulation can be defined as an equivalence relation SSR where
RqpTqlqqTplpTqp )','()',,'.()',,.(),( . Two states p and q are bi
similar if the actions from p and q go into states p and q that are bisimilar with each
other.
Although operational semantics does not give information on how to implement the
commands, specifying the programming language using operational semantics is very
convenient since by looking at the described execution trace, one can understand better
what the command should do in relation to the program state. A specification inoperational semantics is thus helpful when developing an interpreter or simulator of a
programming language.
2 Temporal LogicsIn the analysis of hardware and software specification and design, reasoning about the
change of objects in time is very important. Unfortunately propositional and predicate
logic cannot be used to represent such reasoning. For example the statement the light
bulb is on can be true at a certain time but false in another. For this reason an extension
is needed to these logics to provide reasoning on change in time. This is done with
temporal logic. In temporal logic one can represent statements such as The bulb isalways switched on, The light bulb will be eventually switched on and The light bulb
will be switched on until someone switches it off [11]. This is achieved using the
following operators:
P, meaning Always P
P, meaning Eventually, P will be true

8/3/2019 Formal Methods  An Overview
10/25
Formal Methods: An Overview10
Temporal logic is used for reasoning in a timeline. In this way there is no need to write
properties as functions of time and the reasoning and proving of properties can be done in
a more elegant and easier way. There are various temporal logics each having a different
way of looking at time. For example, in linear temporal logic reasoning can be done on
only one time line, being deterministic. On the other hand, branching logics can handle
more than one timeline, introducing nondeterminism. One example is ComputationalTree Logic (CTL). In CTL one can write statements saying there is a possibility that the
light bulb will be switched off meaning that there exists at least one timeline where there
is an instance where the light bulb is switched off. These different timelines are
represented as different paths in a graph. This is done by introducing path quantifiers that
state for which paths (or timelines) a predicate is true. For example AP means that
Always P is true for all timelines. EP means that there exists at least one path in
which P is always true [5].
Interval temporal logic (ITL) is another logic with which one can reason effectively about
the periods of time. This is very useful in hardware design and analysis where certain
properties of a system can be true for certain periods of time. One type of ITL is DurationCalculus, which is appropriate for the design of realtime systems.
2.1Duration Calculus [11]In duration calculus time is represented as }0{=
+T . This definition of time enables
stating which the order of occurrence of events. State variables are functions that map
from the time domain to {0,1}. State variables cannot vary infinitely often. Removing
this assumption will introduce problems in the calculus. An interval
}^{],[^
braTrrba = denotes a time slice. An empty interval has length 0. As
mentioned previously, temporal logic was developed to eliminate the use of statevariables as functions of time and in duration calculus this is done by introducing the idea
of a duration. A duration is an amount of time a state Variable P is true in an interval.
This is written as =a
b
dttPP )( . nbaP = ],[ is true if the duration of P in an interval
],[ ba is equal to n . If P is true for the entire duration, then == 11a
b
dtP . P is true if
= 1P . To show that there is an interval which can be divided into two parts where inthe first one P is true and in the second part Q is true, the chop operator ; is used. The
chop operator is defined as === 1^1.,,;c
b
b
a
dtBdtATcbaBA . This operator
is used to describe which state variables are true in a part of the interval. The duration
calculus contains 4 axioms which are
00 =

8/3/2019 Formal Methods  An Overview
11/25
Formal Methods: An Overview11
+=+
)()(
0
QPQPQP
P
)();( ==+= sPrPsrP
The and operators are defined in the following way:
P = true ; P ; true
P = P
Note the relation between the always and sometimes operator in temporal logic. With
these axioms and the theorems that can be proved from them, one can prove properties
for real time systems. An induction rule in propositional calculus eases the task of
proving the properties. Given a state P and Xis a predicate in )(XR , the induction rule
is defined as
)()));;()(()(( trueRPXPXXRXRR
The induction rule tells us that if a property R is true on the empty interval and if from
the fact that property is satisfied on part of the interval one can reach the fact that the
property is satisfied by the interval together with another part then the property is trueover the whole interval.
The safety constraints of a gas burner can be defined in duration calculus. For example, a
safety constraint stating that if the gas burner has been on for 60 seconds, leaking timemust be at most 1/20 of the total time. In duration calculus this is written as
120601 Leak (R1)
)(tLeak is true if the gas burner leaks at time t.
The design of the gas burner detects a leak after 1 second from the start of the leak. The
time between two successive leaks is at minimum 30 seconds. These are written as
11 Leak (D1)( ;Leak ;Leak Leak
301 ) (D2)
To show that the gas burner is safe, one must show that the design constraints imply the
security constraints: 12^1 RDD
The induction rule is in fact used to first prove the assertion by first proving on the empty
interval and then showing that if this is true on a part of the interval then it is true for the
interval together with another part. Duration calculus provides a simple notation for

8/3/2019 Formal Methods  An Overview
12/25
Formal Methods: An Overview12
expressing these statements by abstracting over time. With the theorems and the
induction rule, the proving of properties of the realtime system such as these examplesbecomes less timeconsuming and more elegant.
2.2Discrete Duration Calculus [15]In digital circuits time is represented as pulses of unit time, or discrete time. To simplify
the reasoning of a digital circuit with respect to time a refined form of duration calculuswas developed called discrete duration calculus. In discrete duration calculus, intervals
can be described by ],0[ n where n is an integer. Since time is discrete the smallest
change in time greater than 0 cannot take any value but is the defined by the unit time.Thus the change in time must be a multiple of the unit time. The notion of history is also
present in this calculus. This is given by the >> operator. Given a state variable P a time
n, Pn >> will return a function that given the present time will return the value of P n
units before the present time. Thus:
>=>>
otherwisentPtntPn
)(0)(
Discrete duration calculus is further extended with relational duration calculus, with
which reasoning on 0 time events can be done.
2.3Relational Duration Calculus [16]Consider the following code snippet from a Hardware Description language Verilog:
i:=1; j := i; i:= 0. If the behavior were to be modeled using discrete duration
calculus a problem is encountered. The reason is that each of the statement is takes 0time, thus it happens in 0 clock cycles and so is not registered so whenj is assigned to
i, i will have a value of 1, but the value before the assignment. The reasoning above
events that take 0time long must be introduced in duration calculus. The extension to
duration calculus where such reasoning can be done is called relational duration calculus.This calculus is built upon discrete duration calculus. The pre and post values of the
variables are written for each interval. Thus in this case, the value 0=i is written before
an empty interval and 1=i is written after an empty interval. The chop operator is similar
to the one used in duration calculus but handles also sequence of zero time events which
affect certain state variables. Thus ifi:=1 is event A and i:=2 is event B then using the
chop operator we can write BAi 1
;=
. In this wayj will be assigned to i with value 1 rather
than the value ofi before the assignment to 1.
Relational Duration Calculus can thus be used to model the semantics of Verilog. Since
Verilog describes circuits, there are commands which take a number of time units toexecute and others which take 0 time long like the delay and assignment constructs. As
seen above with relational duration calculus the meaning of assignment is defined using
the chop operator. These semantics of these two types of commands can both bedescribed using relational duration calculus as described above.

8/3/2019 Formal Methods  An Overview
13/25
Formal Methods: An Overview13
3. Model Checking [6]Given a model of the system Mand a logical property P , model checking involves the
process to show that P is true forM. Thus, if the system is in an initial state s, with
Model Checking one tries to show that Ps = . The choice of the model must be made in
a way that the properties of the system can be easily described. The Model built musthave a level of abstraction enough to hide irrelevant details and keep only those relevantto prove correctness. For example, the model for a realtime system should describe the
variation of state over time. The system can be modeled using a state transition diagram
or a Kripke Structure. Informally, a Kripke structure describes state transitions but inaddition, each state contains a number of logical formulae which are true for this state. To
describe properties of systems changing with time, temporal logic is used to write the
statements that describe the model (the property). The property can be written in atemporal logic and then it is shown if the property is true for the model. The computation
of the system can be described by the model as a sequence of states which is achieved by
transitions from one state to the other.
Systems can have multiple paths of execution. Thus properties of such system can be
written in CTL due to its ability of reasoning about multiple time lines. Given a model of
a traffic light controller, it is important to check if this model does not permit that twolights are green at the same time. This is a safety property. This can be written as, in all
execution paths, it is always true that ))()^(( 21 tgreentgreen where 1t and 2t are traffic
lights. This is written as (AG )))()^(( 21 tgreentgreen where A represents all
execution paths and G states that the assertion is globally true throughout the entire
execution path.
It can be shown that the expressive power of LTL and CTL are different. For example in
LTL one cannot specify truths for certain paths as done in CTL using the E quantifier. Onthe other hand strong fairness cannot be expressed in CTL [5]. CTL* is a temporal logicthat has the expressive power of the two temporal logics combined together. In this logic,
the temporal operators can be applied without any constraints. For example one can writeAP, which states that for all paths, P is true infinitely often. Using CTL*, properties
such as fairness can be proved for systems that have more than one computation paths.
For certain instances, the proofs to show that a property is true for a Model can be fullyautomated using Model Checkers. This is done using Model Checking Algorithms that
given a model of the system such as Kripke Structure S and a property described in a
logic such as a CTL* formula f . The algorithm finds if f is true for S . Thus, system
designers do not need to have a huge expertise in proof techniques. The system designers
need only create a model to give as input and encode the requirements of the system aslogical formulae. If a property is not true for a Model, the Model Checker gives a counter
example which helps in understanding the reason of why the property is not true for the
system. Unfortunately, the system can contain a huge number of different computationpaths, leading to the state explosion problem. Different model checking algorithms
handle this problem with techniques to reduce the search space. However, this does not

8/3/2019 Formal Methods  An Overview
14/25
Formal Methods: An Overview14
always work and so the model checker must either divide the design and model check
each part on its own or else reduce the number of independent variables.
Model checking is a very important method in formal methods with regards to the
analysis of specification and design of a system. The problems found in the design due to
model checking save effort in redesigning, rewriting the code and testing again. Twoalgorithms that can be used for modeling the system are described in this section: Binary
Decision Diagrams (BDDs) and Timed Automata.
3.1Binary Decision DiagramsBinary Decisions Diagrams (BDDs) are structures that represent Boolean functions. Theidea of BDDs was inspired from the Shannon Expansion [4]. The Shannon Expansion
expresses a Boolean function as the sum of two sub functions. This can be done by
converting the function into ifthenelse normal form. To convert a Boolean function
fhaving a variable x in ifthenelse normal form the following rule is used
]0[[],1/[ xfxfxf =
The rule says that if x is true then substitute x with 1, otherwise substitute x with 0. Thesubformulae are then applied the same rule until no subformulae contains any more
variables. Thus, each formula is split into two parts, one where the variable is true, and
one where the variable is false. A decision tree can be built from these formulae by
having each formula pointing to each its subformulae. For example yxt = in ifthen
else normal form becomes )1,0(),0,1( = yyxt . A more complex example is the
following:
Figure 2 [3]
This function can thus be represented as a Binary Decision Diagram (BDD) as shown in
figure 2. Note that the dashed (solid) edge represents the variable represented in the nodehaving a value 0 (1).
Note that 110t and 000t , 111t and 001t , and 00t and 11t are all equal. Merging these nodes
together we create a binary decision diagram with no duplicate nodes which is
represented in figure 3.

8/3/2019 Formal Methods  An Overview
15/25
Formal Methods: An Overview15
The BDD is effectively a graph. In this way one can use graph algorithms to analyze the
Boolean function being represented. A BDD is said to be ordered if node x comes before
node y if yx < . A reduced BDD is a BDD where there are no redundant nodes, that is
no nodes where both edges go to the same node. If a graph has no duplicate nodes, no
redundant nodes and is ordered then the BDD is called Reduced Ordered Binary Decision
Diagram (ROBDD). The BDD in the figure is an ROBDD since it has no redundantnodes and is ordered. Note the small size of an ROBDD compared to the BDD from
where it was converted. It can be shown that there is a unique ROBDD for every Boolean
function and that it takes constant time to see if an ROBDD is a tautology. On the otherhand, the construction of an ordered BDD is computationally intensive. For example
choosing the best ordering for a given BDD is NPHard.
Figure 3 The representation of )1,0(),0,1( = yyxt [3]
Figure 3 The ROBDD of Figure 2 [3]

8/3/2019 Formal Methods  An Overview
16/25
Formal Methods: An Overview16
Checking if the Boolean formula represented by a BDD is a tautology and if two BDDs
are equivalent takes constant time. BDDs are applied in formal verification in two fields.BDDs can be used to check satisfiability of a Boolean formula and can be also used to
compare if two combinational circuits are equivalent. The output of combinational
circuits is a function of the input given and does not depend on the inputs given
previously. Each circuit is a representation of Boolean formula which has a uniqueROBDD. Hence by comparing the ROBDD of two circuits one can find if two
combinational circuits are equivalent.
3.2Timed Automata [3]As one can see from the temporal logics such as CTL and duration calculus, realtimesystems can be modeled effectively. However it is useful to describe such systems in
terms of transitions between states with respect to the flow of time. This can be achieved
through a specialized form of automata: timed automata.
Given a set of symbols
, while in an automaton, reading a symbol
a in a state b willmake a transition to a state c given tcab ),,( , in a timed automaton, the reading of
symbol a in a state b will make a transition to a state c if the time in the system is .Time is represented by a nonnegative real number where if two events a and b happen
at time 1t and 2t , where 12 tt > then b happens later than a . Thus the flow of time can
be described by a sequence of real numbers. Timed automata accept an infinite set of
timed words described by ),( a where *a and is the time at which a is accepted.
Time is represented using the positive real number. A number of clocks can be defined
for a timed automaton. These clocks are real numbers giving the time. Clocks can bereset in a transition and constraints on the time given by a clock can be made. A transition
can happen if a constraint is satisfied. Figure 4 shows an example of a timed automata.
Figure 4 A timed automata producing strings }2.),){((122
+

8/3/2019 Formal Methods  An Overview
17/25
Formal Methods: An Overview17
Formally, we can define a timed automata as a 5 tuple >< ,,,,, tCQQ o where
Q is the set of states
oQ is the initial state
is the alphabet
Cis the set of clocks
)(2 CSStC : the set of transitions.
A transition is described by >< )(,,,', Cass . A transition from s to 's is made by
accepting a , resetting the clocks in to 0 if the constraints on the clocks )(C are true.
Timed automata are used in modeling of realtime finitestate systems. The theory of
automata can then be used to prove properties about the system [18]. An example of such
a system is a gate controller. After describing the design as a timed automaton, certain
properties such as if the gate is never closed longer than an amount of time can be
proved. This is a safety property. Such properties can be proved or disproved by
analyzing the time constraints between the open and closed states. This shows theconvenience of modeling using timedautomata for such systems.
Timed Automata can be used for scheduling problems. The timed automata used here is a
variant of the timed automata described in the timed automata section. This variant can
be described as a 5 tuple >< tfsCQ ,,,, where
Q is the set of states
Cis the set of clocks
s is the initial state
f is the final state
tis a set of transition relations.
The transition functions are of the form >< )(,,', Ccss . The transition from s to s with
the clocks in c reset to 0, happens if the clock constraint )(C is true.
Consider having a set of jobs each made of a number of operations. Each operation needs
to use resource for a fixed time. Only one operation can be put on the machine at a given
time. Finding the start time of each operation and which machine it will use to minimize
the time taken to complete the entire process is known the jobshop scheduling problem.
This problem can be shown to be NPComplete.
The shop scheduling problem can be posed as a timeautomata and the shortest path (in
terms of time) from the initial state to the final state is found. For every job J, one timed
clock is made. For every operationj using a resource m , two states are created. The first
state represents the job waiting to start called m and the second state represents the step
executing m . In the transition between the two states the clock of the job is set to 0. For
example, let us consider two jobs: )}3,(),4,{( 211 mmJ = where )}3,{( 12 mJ = . Each job is
represented as a set of operations. An operation is in turn represented as a tuple

8/3/2019 Formal Methods  An Overview
18/25
Formal Methods: An Overview18
),( ba where a is the machine to be used and b is the time allocated on the machine a. The
jobs can be represented as a timed automata as shown in Figure 5.
Figure 5 Job represented as a timed automata. Note that the state corresponds to the machine being
used and the time before a transition can be made (the machine stops) is no less than the time
required for the step to use the machine [18].
However both jobs are in the same system so the two automata have to be combined
together. However, when merging states together one must not merge two states that areusing the same resource to conserve mutual exclusion. Instead of having two states s1
and s2 with the same resource, one must consider the case of having s1 using the resource
while s2 waiting or vice versa. Let us consider the merging of the two automata. Initially,
both machines are waiting to be used. Thus the first state is 11 mm . Now there are two
possibilities: either a transition to 11mm or 11 mm since both jobs need to use the same
resource so one job waits until the other finishes. This is applied to all states and the
automata representing the jobshop scheduling in this case is given below. Note how the
automaton grows for only two jobs. The computationally intensive part is the building of
the automata rather than finding the shortest path. The representation automata of the two
jobs merged together is found in figure 6.
Thus, jobscheduling problem is reduced to a timedautomata and then finding the
shortest path from the initial to the final state is achieved. In this way different techniques
to develop heuristics to get good solutions for the scheduling problem can be found and
different insights on the scheduling problems can be developed.

8/3/2019 Formal Methods  An Overview
19/25
Formal Methods: An Overview19
Figure 6 The two jobs described by a single automata. The shortest path in terms of time will give the
optimal schedule. The graph as more than two paths to preserve mutual exclusion [18].
3.3 Runtime Verification [7]In Model Checking a model of the system is checked to see if it satisfies a given property.
Thus Model Checking increases the trust in the design of the system. However, Model
Checking does not check the actual implementation. To check the implementation testing
techniques are used. However testing is neither formal nor does it give any guarantee thatthe implementation satisfies a property. Formal Verification, on the other hand sits
between Model Checking and testing. With Formal Verification one can see if a property
is satisfied along a trace of execution of the system. While increasing the trust of the
system more than testing, it still does not provide a guarantee like in Model Checking
since to do so, all traces of execution must be checked. However, runtime verification is
applied to the running program continuously and if there is a case where the
implementation does not satisfy a property, the failure is logged. In this way, the reason
why that particular execution failed can be used to find the source of the error and change
it in less time.
Runtime verification is achieved by having an observer that views the execution of theprogram and checks that the property is true along all the execution trace. The observer
can be thought of as a monitor. The observer logs information on the execution trace that
can be used for analysis. The properties in this case are expressed in Linear Temporal
Logic since only the actual execution trace is dealt. Thus, only events in one timeline are
being dealt with and the reasoning can be done using this logic.

8/3/2019 Formal Methods  An Overview
20/25
Formal Methods: An Overview20
When using runtime verification care must be taken to ensure that the effect of the
observer running with the program does not effect if the property is true for the execution
trace or no. For example suppose that there is a property for a system stating that the time
taken between a request and a response should be less than 200ms. With the system
running without the observer, the property is true for the system. However when the
observer is introduced a slow down can make the property false. One should also takecare of the correctness of the observer of the monitor itself. Incorrect behavior of the
monitor can effect the execution of the program itself, which if run by itself could have
run correctly.
Runtime verification is a method of getting more confident about the correctness of the
implementation of the system. With runtime verification the behavior of the system with
its environment, such as the hardware and operating system is understood better. The
changes of the environment may not be known before execution and these cases cannot
be handled by testing, showing that runtime verification helps in the delivery of a more
reliable system.
4. Compiler Correctness [13]
In the introduction it was mentioned that that the actual behavior of the program built
depends on the compiler and systems software. The behavior of the program can become
more predictable and increases confidence that the program is correct if one can show
that the compiler with the program is being compiled is correct. Compiler Correctness
means that if a statement a in the source language is converted into a statement 'a into the
target language, the meaning of a is the same as the meaning of 'a . Ensuring correctness
implies that when the compiled code is executed it will behave as is defined in the source
code.
Let us suppose that a language that represents expressions involving addition,
subtraction, multiplication and addition is compiled to a target language which is run on a
single address computer with an accumulator and 4 instructions: li (load immediate),
load, store and add. To prove the correctness of the compiler one must start by defining
the semantics of source and target language. As explained in the section on semantics,
semantics provide meaning to each command. By showing that the semantics of the
command in the source language are equal to the semantics in the target language, the
correctness of the compiler is shown. Although the proof of correctness for the compiler
described above is quite straightforward, the task complicates more when other
commands are introduced, such as loops which in the target language can be handled
with jump statements.
Using a compiler that is shown to be correct is of extreme importance in critical systems.
A compiler that has been proved correct implies that behavior of the implementation is
the same as the behavior of the program executed from the object code will behave as
defined in the source code used to produce the object code. Hence the properties true for
the program described in the source will be also true for the program in the object code,
thus increasing further the trust in the system.

8/3/2019 Formal Methods  An Overview
21/25
Formal Methods: An Overview21
5. Learning Formal Logic using the Functional Paradigm [12]
The difficulties encountered when learning Formal Logic can be due to various reasons.
One could mention the failure to understand how a proof works. The distinction between
theorems and metatheorems is also important to understand formal logic. The notation
used can introduce difficulty initially to students. Perhaps having a metalanguage withwhich students are familiar to represent the concepts of formal logic can help in reducing
these difficulties. For students who have a background in functional programming,
formal logic can be introduced by using a functional language as the metalanguage. The
syntax of functional languages is very readable compared to languages in other
paradigms. The language used in this demonstration is Gofer, the predecessor of Haskell.
The formal logic introduced is Hilbert Logic. In this logic system, wellformedformulae
(wff) are built from variables, negation and implication. There are three axiom schemas:
)( ABA (1)
))()(())(( CABACBA (2))()( ABBA (3)
An axiom schema is a wff where the variables represent any wff. When the variables are
substituted with wff the axiom schema becomes an axiom.
The inference rule used is Modus Ponens:
B
BAA ,
A proof in Hilbert logic is made of a nonempty set of hypothesis T, a number of steps n
from 1s to ns that lead to a conclusion a. This is written as aT  . Each step can be a
hypothesis, an axiom or an application of Modus Ponens using two previous steps. It can
be shown that Hilbert Logic is both sound and complete. Soundness of a logic system
implies that all conclusion proved are true. Completeness of a logic system implies that
all true conclusions can be proved.
In the functional metalanguage a wellformedform is represented as:
data Wff = Var String  Not Wff  Wff :=> Wff
The structure of the proof is then described. Note that K, S and CP represent axiom
schemas 1,2 and 3 respectively. Hyp and MP represent the Hypothesis and Modus
Ponens respectively.
data Prf = K Wff Wff  S Wff Wff Wff  CP Wff Wff
 Hyp Wff  MP Prf Prf
Sequents relate the set of hypothesis with the conclusion of a proof:Data Seq = [Wff] : Wff

8/3/2019 Formal Methods  An Overview
22/25
Formal Methods: An Overview22
Function seq gives the sequent described by a proof. seq :: Prf > Seq. This provides
a way to get the hypothesis and conclusion from a proof.
seq :: Prf > Seq
seq (K x y) = [] : (x :=> (y :=> x))
seq (S x y z) = [] : (x:=>(y:=>z)) :=>
(x:=>y):=>(x:=>z)seq (CP x y) = [] : (Not x :=> Not y) :=> (y :=> x)
seq (Hyp x) = [x] : x
seq (MP p q) = (ws `union` hs) : z = if w == x
where ws  x = seq p
hs  w :=> z = seq q
Note that seq is a partial function since it assumes that the proof is given in a correct
form. However, a proof must be first checked that it is in a good form before applying it
to seq. The checking of a proof is done using:
gp :: Prf > Bool
gp (MP p q) = gp p && gp q && isImp cq&& cp == limp cq
where (cp,cq) = (con p,con q)
gp _ = True
isImp x checks ifcq is an implication. limp p returns the left side of the implication p.
con p returns the conclusion of a proofp. Using seq and gp, proof checking can be
achieved. This is done using the function just, which finds if a sequent has all the
hypothesis of the proof and the conclusion of the sequent is the same as that of the proof.
just :: Prf > Seq > Bool
just pr (h : c) = gp pr && con pr == c &&
hyps pr `subset` h
This is achieved by checking ifpr is a good proof and then checking if the conclusion of
the proof is the same as the conclusion of the sequent. It is then checked if the hypothesis
of the sequent contains all the hypothesis of the proof.
With the just function we can define ch  , )):``.Prf:( chjustppch ( .
Students being introduced to formal logic can understand this definition better.
Consider proving xxwffx .: . This means writing a proof p such that (p x) just
([]:x:=>x) is true.
0. xxK)( xxx
1. x)(xxK ))(( xxxx
2.xx)(xxS
))())((()))((( xxxxxxxxx
3. 21MP)())(( xxxxx
4. 30MPxx 

8/3/2019 Formal Methods  An Overview
23/25
Formal Methods: An Overview23
Using the functional metalanguage, the proof can be written as
p x = MP (K x x) (MP (K x (x:=>x)) (S x (x:=>x) x))
Proving even the simplest properties of implication are long, tedious and difficult.
However such proofs can be made easier using the deduction theorem. The deduction
theorem can be written in the following way:
The deduction theorem states that given a set of hypothesis }{hhs , from which c is
concluded, then one can prove that using hs as a hypothesis, one can conclude ch . Forexample, proving ))(( yyxx can be done by first proving yyxx },{ , then
using the deduction theorem to obtain the actual proof. This can be done by using a
function ded which satisfies:
con p)h :ut` h :s p `withojust` (hypded h p `gp p =>
Thus ded, given a proof of form chhs }{ will create a proof for chhs ! . ded is
an implementation of the construction got from the proof of the deduction theorem. The
deduction theorem is proved by constructing an algorithm that given chhs }{ ,
creates a proof for chhs ! . Using ded we can prove ))(( yyxx .
1) proofp1 is obtained from yyxx },{
p1 = MP (Hyp (Var x) (Hyp ((Var x:=>Var y))
2) Secondly, p2 is obtained from yyxx )(}{
p2 = ded (Var x :=> Var y) p1
Finally, we obtain a proof p3 for ))(( yyxx
p3 = ded (Var x) p2
Using the functional paradigm, a gentler introduction can be given to formal logic.
Concepts which are found difficult in the beginning such as the structure of proofs and
the role of the metatheorem in Hilbert Logic are explained easily in this manner. A layer
of experimentation with proofs is also obtained where students can practice writing
proofs.
Conclusion
The more complex and critical systems are, the more important it is to reduce to
minimum errors in the system. Correctly applied design and testing techniques achieve
conchs : h:conc` [h]) :(hs `union =>

8/3/2019 Formal Methods  An Overview
24/25
Formal Methods: An Overview24
this up to a certain degree. For example, with these techniques alone one cannot show
that a design of vending machine gives back the exact change exactly. To ensure that a
design meets the requirements or that the implementation is faithful to the design formal
methods have to be used. As already mentioned not all methods are equally good to be
used on any system. Experience and expertise are necessary in employing these methods
successfully. For example in the case of using axiomatic semantics finding an invariantfor a while loop is not an easy task and requires skill. Neither is the task of finding the
property which is true for the entire interval in duration calculus. However from the
number of success stories of formal method one can see that the correct use of the
methods described to specify, model and verify systems leads to a software or hardware
product of a much higher quality.
References
[1] What is formal methods? http://shemesh.larc.nasa.gov/fm/fmwhat.html. Last
Referenced: 13th April 2007.
[2] Anthony A. Aaby. Semantics of Programming Languages.http://cs.wwc.edu/ aabyan/LN/PL/book/book.html Last Referenced: 13th April
2008, 2004.
[3] Dill Alur. A theory of timed automata. Theoretical Computer Science, 126:183
235, 1994.
[4] Henrik Leif Anderson. An introduction to binary decision diagrams. In Lecture
Notes for 49285 Advanced Algorithms E97. Technical University of Denmark,
1997.
[5] Alessandro Artale. Formal Methods: Computational Tree Logic.
http://www.inf.unibz.it/ artale/FM/slide4.pdf. Last Referenced: 13th April 2007,
2007.
[6] E.M. Clarke.Model Checking, chapter 3. 2000.[7] Marc Geilen. On the construction of monitors for temporal logic properties.
Electronic Notes in Theoretical Computer Science, 2001.
[8] Anthony Hall. Seven myths of formal methods.IEEE Software, 7, 1990.
[9] David Harel.Algorithics  The Spirit of Computing. AddisonWesley, 1987.
[10] C.A.R. Hoare. Laws of programming. Communications of the ACM, 30:672686,
1988.
[11] C.A.R. Hoare. A calculus of durations. Information Processing Letters, 40:269
276, 1991.
[12] B.A. Sufrin J. Leifer. Deduction for functional programmers. Functional Pearl,
Journal of Functional Programming, 6:365373, 1993.
[13] John McCarthy and James Painter. Correctness of a compiler for arithmeticexpressions. Proceedings Symposium in Applied Mathematics, Vol. 19,
Mathematical Aspects of Computer Science, pages 3341, 1967.
[14] Robin Milner.A Calculus of Communicating Systems. 1980.
[15] Gordon J. Pace. Hardware Design Based on Verilog HDL. PhD thesis, Oxford
University, 1998.
[16] Gordon J. Pace. Hardware Design Based on Verilog HDL. PhD thesis, Oxford
University, 1998.

8/3/2019 Formal Methods  An Overview
25/25
Formal Methods: An Overview25
[17] Kenneth Slonneger. Syntax and Semantics of Programming Languages. Addison
Wesley, 1995.
[18] Oded Maler Yasmina Abdeddaim. Jobshop scheduling using timed automata.
Computer Aided Verification, pages 478492, 2001.