Formal Methods - An Overview

download Formal Methods - An Overview

of 25

Embed Size (px)

Transcript of Formal Methods - An Overview

  • 8/3/2019 Formal Methods - An Overview


    Formal Methods: An Overview1

    Formal MethodsAn Overview


    The task of minimizing human errors in building an artifact increases the trust in it, thus

    increasing its usage. This is true especially if failure implies losses of any kind. This can

    be seen in the construction of bridges. In the early bridge constructions the load that amaterial could withstand or the effect the elements had upon the structure of the bridge

    being constructed were probably not considered. As time progressed, the need to prevent

    disasters due to the falling of bridges led to more disciplined bridge constructions. For

    example, the study of materials was applied to find the best material that can withstand aparticular load. The best structure that can withstand powerful winds and the most

    effective way how to join the materials together are all part of the new form of bridge

    construction. This process of human error minimization led to a much a less occurrenceof bridge disaster and a higher trust in these structures.

    This argument can be applied to all fields in engineering (including hardware

    construction) and the building of software. The more complex the system the larger thediscipline needed in the construction of the systems. The study of how to discipline the

    construction of software is software engineering. Software engineering, describes the

    different ways how to design, build, test and maintain the software. When this knowledgeis applied correctly, the construction of software cost and time can be reduced


    Among the repertoire of techniques and ideas in software engineering that can be used to

    build software, there is a family of techniques that specify, design and verify software

    (and hardware) with mathematical rigor. This means that the statements describing thespecification and design are written using well-formed formulae in a particular calculus.Thus, one can reason more effectively on these descriptions and deduce new facts by

    using the axioms and inference rules of the calculus. Such facts include properties that

    are true for a given set of inputs. [1]

    Two important properties are safety and liveliness properties. Consider the case of the

    design of a scheduler. First, the design is encoded as logic formulae in a particularcalculus. By using the theorems and axioms of the calculus one can arrive at a property of

    the scheduler stating that the scheduler is mutually exclusive (no two processes can be in

    a critical section at the same time). This is a safety property since its shows that the

    scheduler is safe from entering incorrect states (in this case the incorrect state is that ofhaving non-mutual exclusion). If a fact can be proved showing that a process waiting to

    be scheduled will eventually be executed, then a liveliness property of the scheduler has

    been proved. A liveliness property shows that good states will eventually be reached.From these properties one can go on to talk about partial correctness and termination

    properties. A program is said to be partially correct if the program gives the correct

    output when it terminates. This follows from safety properties. A program has a

  • 8/3/2019 Formal Methods - An Overview


    Formal Methods: An Overview2

    termination property if it always terminates. This is a liveliness property since

    termination is a good state which will eventually happen. [9]

    The group of techniques described is called formal methods. When these techniques are

    correctly applied, one can build software or hardware that complies perfectly with its

    specification, hence behaving as it should. The effort spent in applying formal methodsreduces drastically the number of bugs found in testing and the time taken in bug-fixing


    Due to the complexity of certain systems, formal techniques are applied on the most

    important parts of the system. For example, when building a theorem prover theapplication of formal methods will be on the section of the code which performs the


    Whilst these methods help in minimizing human error in building hardware and software,one cannot regard these techniques as panaceas of hardware and software development.

    There is no such thing as program that is all correct and one can expect that it is bug-free.[2] argues that the actual behavior of a program depends on the operating system, thehardware and the compiler. One can be surer on the stability of the software built in this

    case by studying the behavior of the software with these three entities. Nevertheless, the

    application of formal methods has been shown to produce reliable hardware and softwarethat is used in highly critical situations ranging from business applications to spacecraft


    As mentioned previously, there are a number of techniques in formal methods. Not allmethods are equally good for being applied at a particular hardware or software

    specification, design or implementation since each method has its own degree of

    abstraction and own way how to model the artifact. For example, a method can be usedbetter to model a design at the gate level while another can model better the operation of

    a circuit to its change of state in time. Thus the success of application of formal methods

    depends on choosing the choice of the method [2]. This write-up is an overview on anumber of techniques used in formal methods.

    The overview starts by describing the methods used in giving the semantics of formal

    languages which are methods used to describe the meaning in programming languages,followed by temporal Logics: different logics with which one can reason about

    statements whose truth value changes with time. An overview of Model Checking and

    several methods than can be used in Model Checking such as Binary Decision Diagrams(BDDs) and timed automata are discussed. Runtime Verification, another technique

    sitting in between Model Checking and testing and compiler correctness follow the

    discussion. A description of the use of the functional paradigm as a meta-language offormal logic is then given.

  • 8/3/2019 Formal Methods - An Overview


    Formal Methods: An Overview3

    1. Semantics of Programming LanguagesLet us take a valid source code from a programming language. The description of the

    meaning of the source code can be done at several levels. The meaning can be describedin several ways, for example using another language or describing the execution being

    carried out. The different methods to represent the meaning or semantics of programminglanguages in a rigorous way fall in the field of formal semantics of programming

    languages. Such methods include Algebraic Semantics, Denotational Semantics,Axiomatic Semantics and Operational Semantics [4].

    1.1Algebraic SemanticsWith algebraic semantics, a program is defined as a mathematical expression. A set of

    algebraic laws are written for each statement. These laws govern the behaviour of thecommand when executed. For example, the meaning of an arithmetic operator such as

    multiplication can be defined in terms of the laws it obeys such as monotonicity and

    associativity. The behaviour of the operator is then described algebraically [10]. Thealgebraic semantics of a programming language are divided into two parts: The domain

    or values used are defined, followed by the definition of the functions on these values.

    Algebraic Laws are built from the functions that define the behavior. The following

    example shows the meaning of a stack data structure using algebraic semantics [2].

    The domain is composed of:



    },{ falsetrueBool

    The functions on the domain are defined

    Stackcreate :

    StackStackNatpush :

    StackStackpop :

    NatStacktop :

    BoolStackempty :

    The laws describing the behavior of the stack are defined as

    SSNpushpop =)),((

    NSNpushtop =)),((

    falseSNpushempty =)),((

    truecreateempty =)(

  • 8/3/2019 Formal Methods - An Overview


    Formal Methods: An Overview4

    Although only the type definition of the functions is given, the laws (or axioms) describe

    the behavior. The definition of the function is irrelevant as long as the laws are obeyed.

    Algebraic semantics provide the best description of ADTs such as in this case [17].

    The use of such laws enables programs to be reduced to a normal form. This enables

    comparison of programs. In this way it can be shown that two syntactically differentprograms can be semantically equivalent, that is they perform the same task. Ordering of

    programs can also be achieved, showing if a program is more specific than another. The

    laws can be used to develop and reason on a specification. This specification can then be

    transformed directly from the algebra to the actual syntax of the programming language,

    thus generating the source code. Algebraic transformations can be used to optimize a

    given program.

    Algebraic Semantics, like all methods have the following drawback: the meaning given

    by the algebra is not easy to comprehend immediately. Although algebraic semantics can

    give several advantages, its application in real situations involves having practical

    experience in the application of these laws. More specific theorems need to be discoveredto make the application of the laws more practical.

    1.2Axiomatic SemanticsThe meaning of a statement in a programming language is described by the change in the

    assertions representing the state of the program. The meaning of a statement c is defined

    in the following way:

    }{}{ QcP

    P is an assertion describing the state of the program before the execution of command c .Q is the post condition describing the state of the program after the execution of

    command c . The assertions are written in a chosen logic. The entire formula means that

    if c is executed, then P must be satisfied before, while Q must be satisfied after execution


    Consider a program (shown in Figure 1) that computes the summation of numbers in an

    arrayA . The axiomatic semantics of the program can be used to verify that the output is


    Lines 1 and 11 are the pre-and post-conditions of the program. The pre-condition states

    that the sum of the first 0 elements ofA is 0 and that the number of elements in the arrayn is greater than 0. The post-condition states that the sum of the contents of the array is

    equal to S. Line 3 states that the summation S is equal to the summation of the first I

    elements inA, whereIis less than or equal to the number of elements inA.

    The while loop can be entered ifI is less than n. If this is true, the summation of the first

    i+1 elements must be equal to the sum of the i+1th element and the summation of the

    firstIelements where i+1 is less than or equal to n. After the assignment on line 7 S must

  • 8/3/2019 Formal Methods - An Overview


    Formal Methods: An Overview5

    be equal to the summation of the first i+1 elements. Line 10 states that the while loop

    stops when i is equal to n.

    Figure 1 A Summation program given meaning using axiomatic semantics [2]

    Showing that the program is correct means showing that the pre and post conditions of

    each command are true. To do this, the axioms describing the relation of the pre and post

    conditions with the execution of a particular command must be used to show that the

    conditions are true.

    In the case of the assignment command, the axiom is

    }{:]}:[{ PExExP =

    This means that ifP is a post condition, then P must also be true before the execution of

    the assignment given that x is substituted instead ofE. Lines 1-3 and 6-8 satisfy this


    The rule of consequence states:





    From this axiom, lines 5-8 can be written as






  • 8/3/2019 Formal Methods - An Overview


    Formal Methods: An Overview6



  • 8/3/2019 Formal Methods - An Overview


    Formal Methods: An Overview7

    1.3Denotational SemanticsIn denotational semantics each statement in a programming language is translated into a

    denotation. A denotation is a description of the meaning in another language. To do this

    the denotational semantics of a programming language is built from three parts: A

    description of the syntax of the language, a semantic algebra and a set of valuationfunctions that map the syntax of the language to the semantic algebra. The functions thus

    map from the syntactic domain to the semantic domain. To find the meaning of astatement we apply the valuation functions to the command. The result of the function is

    an expression in the semantic algebra which denotes the meaning.

    Let us give an example of the denotational semantics for the assignment and conditionalstatements. Initially, the syntax of the language is defined:





  • 8/3/2019 Formal Methods - An Overview


    Formal Methods: An Overview8

    falseEec = |2

    falseEvct =),(|),( 2

    Using these two functions the denotation of the assignment and conditional commands

    can be made in the semantic algebra

    ]:[:: EeVEVc ==

    The evaluation of E is done by applyingEand to e. When V is applied to , the valuereturned will be the evaluation ofE.

    To evaluate the conditional:

    trueEeccelsecthenEifc == |121

    If the evaluation of E is true, the denotation of the conditional is the denotation of c1,

    otherwise the denotation of c2 is the denotation of the conditional.

    Denotational Semantics are useful for the theoretical study of programming languages,especially in compiler construction. The denotations do not necessarily have to be

    mathematical objects but any other representation can denote the meaning, such as object

    code. In fact systems can be developed that can construct compilers given the

    specification in terms of denotational semantics.

    1.4Operational SemanticsWith operational semantics the meaning of the program can be understood by viewing

    the execution of the program itself. Operational Semantics gives the trace of program

    execution. The operational semantics of a programming language is built from two parts:

    the first part is similar to that of denotational semantics: a description of the syntax of thelanguage. Then the second part is the definition of an interpreter that describes the

    computation. The interpreter can be seen as a function that describes the meaning of a

    command c by taking c and the state of the program . is a structure containing thevariables and their corresponding values.. The operational semantics for the programming

    language defined in section 1.3 will be defined. The syntactic description is the same as

    that for the denotational semantics. The interpreter is defined as follows

    As stated, the interpretation function tis defined as Ct: . The function

    e evaluates expressions: )(: TNEv . To describe the meaning of the assignment

    statement we define the t as:

    )],(:[),:( evVEVt ==

    The same is done for the conditional statement:

    trueEvctcelsecthenEift == ),(|),(),( 121

  • 8/3/2019 Formal Methods - An Overview


    Formal Methods: An Overview9

    The execution trace in operational semantics can be described using a labelled transition

    system. [14] defines a labelled transition system is defined as >< TLSS o ,,, where

    S is the set of states

    SSo is the initial state

    L is the set of possible actions or events in the system

    SLST is the set of transition relations.

    A transition from state s to 's if there is an action or event a which is given by a

    transition relation )',,( sas .

    A way of showing if two transition systems are equivalent is by using bi-simulation [14].

    One can see if two automata are equivalent if we compare the language generated by the

    two automata and so in this case, bi-simulation is not that useful. However Bi-simulation

    is useful in pi-calculus, a calculus used for modelling concurrent systems, there are final

    no states and thus the approach to determine equivalence used in automata cannot be


    Bi simulation can be defined as an equivalence relation SSR where

    RqpTqlqqTplpTqp )','()',,'.()',,.(),( . Two states p and q are bi-

    similar if the actions from p and q go into states p and q that are bi-similar with each


    Although operational semantics does not give information on how to implement the

    commands, specifying the programming language using operational semantics is very

    convenient since by looking at the described execution trace, one can understand better

    what the command should do in relation to the program state. A specification inoperational semantics is thus helpful when developing an interpreter or simulator of a

    programming language.

    2 Temporal LogicsIn the analysis of hardware and software specification and design, reasoning about the

    change of objects in time is very important. Unfortunately propositional and predicate

    logic cannot be used to represent such reasoning. For example the statement the light

    bulb is on can be true at a certain time but false in another. For this reason an extension

    is needed to these logics to provide reasoning on change in time. This is done with

    temporal logic. In temporal logic one can represent statements such as The bulb isalways switched on, The light bulb will be eventually switched on and The light bulb

    will be switched on until someone switches it off [11]. This is achieved using the

    following operators:

    P, meaning Always P

    P, meaning Eventually, P will be true

  • 8/3/2019 Formal Methods - An Overview


    Formal Methods: An Overview10

    Temporal logic is used for reasoning in a timeline. In this way there is no need to write

    properties as functions of time and the reasoning and proving of properties can be done in

    a more elegant and easier way. There are various temporal logics each having a different

    way of looking at time. For example, in linear temporal logic reasoning can be done on

    only one time line, being deterministic. On the other hand, branching logics can handle

    more than one timeline, introducing non-determinism. One example is ComputationalTree Logic (CTL). In CTL one can write statements saying there is a possibility that the

    light bulb will be switched off meaning that there exists at least one timeline where there

    is an instance where the light bulb is switched off. These different timelines are

    represented as different paths in a graph. This is done by introducing path quantifiers that

    state for which paths (or timelines) a predicate is true. For example AP means that

    Always P is true for all timelines. EP means that there exists at least one path in

    which P is always true [5].

    Interval temporal logic (ITL) is another logic with which one can reason effectively about

    the periods of time. This is very useful in hardware design and analysis where certain

    properties of a system can be true for certain periods of time. One type of ITL is DurationCalculus, which is appropriate for the design of real-time systems.

    2.1Duration Calculus [11]In duration calculus time is represented as }0{=

    +T . This definition of time enables

    stating which the order of occurrence of events. State variables are functions that map

    from the time domain to {0,1}. State variables cannot vary infinitely often. Removing

    this assumption will introduce problems in the calculus. An interval


    braTrrba = denotes a time slice. An empty interval has length 0. As

    mentioned previously, temporal logic was developed to eliminate the use of statevariables as functions of time and in duration calculus this is done by introducing the idea

    of a duration. A duration is an amount of time a state Variable P is true in an interval.

    This is written as =a


    dttPP )( . nbaP = ],[ is true if the duration of P in an interval

    ],[ ba is equal to n . If P is true for the entire duration, then == 11a


    dtP . P is true if

    = 1P . To show that there is an interval which can be divided into two parts where inthe first one P is true and in the second part Q is true, the chop operator ; is used. The

    chop operator is defined as === 1^1.,,;c




    dtBdtATcbaBA . This operator

    is used to describe which state variables are true in a part of the interval. The duration

    calculus contains 4 axioms which are

    00 =

  • 8/3/2019 Formal Methods - An Overview


    Formal Methods: An Overview11






    )();( ==+= sPrPsrP

    The and operators are defined in the following way:

    P = true ; P ; true

    P = P

    Note the relation between the always and sometimes operator in temporal logic. With

    these axioms and the theorems that can be proved from them, one can prove properties

    for real time systems. An induction rule in propositional calculus eases the task of

    proving the properties. Given a state P and Xis a predicate in )(XR , the induction rule

    is defined as

    )()));;()(()(( trueRPXPXXRXRR

    The induction rule tells us that if a property R is true on the empty interval and if from

    the fact that property is satisfied on part of the interval one can reach the fact that the

    property is satisfied by the interval together with another part then the property is trueover the whole interval.

    The safety constraints of a gas burner can be defined in duration calculus. For example, a

    safety constraint stating that if the gas burner has been on for 60 seconds, leaking timemust be at most 1/20 of the total time. In duration calculus this is written as

    120601 Leak (R1)

    )(tLeak is true if the gas burner leaks at time t.

    The design of the gas burner detects a leak after 1 second from the start of the leak. The

    time between two successive leaks is at minimum 30 seconds. These are written as

    11 Leak (D1)( ;Leak ;Leak Leak

    301 ) (D2)

    To show that the gas burner is safe, one must show that the design constraints imply the

    security constraints: 12^1 RDD

    The induction rule is in fact used to first prove the assertion by first proving on the empty

    interval and then showing that if this is true on a part of the interval then it is true for the

    interval together with another part. Duration calculus provides a simple notation for

  • 8/3/2019 Formal Methods - An Overview


    Formal Methods: An Overview12

    expressing these statements by abstracting over time. With the theorems and the

    induction rule, the proving of properties of the real-time system such as these examplesbecomes less time-consuming and more elegant.

    2.2Discrete Duration Calculus [15]In digital circuits time is represented as pulses of unit time, or discrete time. To simplify

    the reasoning of a digital circuit with respect to time a refined form of duration calculuswas developed called discrete duration calculus. In discrete duration calculus, intervals

    can be described by ],0[ n where n is an integer. Since time is discrete the smallest

    change in time greater than 0 cannot take any value but is the defined by the unit time.Thus the change in time must be a multiple of the unit time. The notion of history is also

    present in this calculus. This is given by the >> operator. Given a state variable P a time

    n, Pn >> will return a function that given the present time will return the value of P n

    units before the present time. Thus:




    Discrete duration calculus is further extended with relational duration calculus, with

    which reasoning on 0 time events can be done.

    2.3Relational Duration Calculus [16]Consider the following code snippet from a Hardware Description language Verilog:

    i:=1; j := i; i:= 0. If the behavior were to be modeled using discrete duration

    calculus a problem is encountered. The reason is that each of the statement is takes 0time, thus it happens in 0 clock cycles and so is not registered so whenj is assigned to

    i, i will have a value of 1, but the value before the assignment. The reasoning above

    events that take 0-time long must be introduced in duration calculus. The extension to

    duration calculus where such reasoning can be done is called relational duration calculus.This calculus is built upon discrete duration calculus. The pre and post values of the

    variables are written for each interval. Thus in this case, the value 0=i is written before

    an empty interval and 1=i is written after an empty interval. The chop operator is similar

    to the one used in duration calculus but handles also sequence of zero time events which

    affect certain state variables. Thus ifi:=1 is event A and i:=2 is event B then using the

    chop operator we can write BAi 1


    . In this wayj will be assigned to i with value 1 rather

    than the value ofi before the assignment to 1.

    Relational Duration Calculus can thus be used to model the semantics of Verilog. Since

    Verilog describes circuits, there are commands which take a number of time units toexecute and others which take 0 time long like the delay and assignment constructs. As

    seen above with relational duration calculus the meaning of assignment is defined using

    the chop operator. These semantics of these two types of commands can both bedescribed using relational duration calculus as described above.

  • 8/3/2019 Formal Methods - An Overview


    Formal Methods: An Overview13

    3. Model Checking [6]Given a model of the system Mand a logical property P , model checking involves the

    process to show that P is true forM. Thus, if the system is in an initial state s, with

    Model Checking one tries to show that Ps =| . The choice of the model must be made in

    a way that the properties of the system can be easily described. The Model built musthave a level of abstraction enough to hide irrelevant details and keep only those relevantto prove correctness. For example, the model for a real-time system should describe the

    variation of state over time. The system can be modeled using a state transition diagram

    or a Kripke Structure. Informally, a Kripke structure describes state transitions but inaddition, each state contains a number of logical formulae which are true for this state. To

    describe properties of systems changing with time, temporal logic is used to write the

    statements that describe the model (the property). The property can be written in atemporal logic and then it is shown if the property is true for the model. The computation

    of the system can be described by the model as a sequence of states which is achieved by

    transitions from one state to the other.

    Systems can have multiple paths of execution. Thus properties of such system can be

    written in CTL due to its ability of reasoning about multiple time lines. Given a model of

    a traffic light controller, it is important to check if this model does not permit that twolights are green at the same time. This is a safety property. This can be written as, in all

    execution paths, it is always true that ))()^(( 21 tgreentgreen where 1t and 2t are traffic

    lights. This is written as (AG )))()^(( 21 tgreentgreen where A represents all

    execution paths and G states that the assertion is globally true throughout the entire

    execution path.

    It can be shown that the expressive power of LTL and CTL are different. For example in

    LTL one cannot specify truths for certain paths as done in CTL using the E quantifier. Onthe other hand strong fairness cannot be expressed in CTL [5]. CTL* is a temporal logicthat has the expressive power of the two temporal logics combined together. In this logic,

    the temporal operators can be applied without any constraints. For example one can writeAP, which states that for all paths, P is true infinitely often. Using CTL*, properties

    such as fairness can be proved for systems that have more than one computation paths.

    For certain instances, the proofs to show that a property is true for a Model can be fullyautomated using Model Checkers. This is done using Model Checking Algorithms that

    given a model of the system such as Kripke Structure S and a property described in a

    logic such as a CTL* formula f . The algorithm finds if f is true for S . Thus, system

    designers do not need to have a huge expertise in proof techniques. The system designers

    need only create a model to give as input and encode the requirements of the system aslogical formulae. If a property is not true for a Model, the Model Checker gives a counter

    example which helps in understanding the reason of why the property is not true for the

    system. Unfortunately, the system can contain a huge number of different computationpaths, leading to the state explosion problem. Different model checking algorithms

    handle this problem with techniques to reduce the search space. However, this does not

  • 8/3/2019 Formal Methods - An Overview


    Formal Methods: An Overview14

    always work and so the model checker must either divide the design and model check

    each part on its own or else reduce the number of independent variables.

    Model checking is a very important method in formal methods with regards to the

    analysis of specification and design of a system. The problems found in the design due to

    model checking save effort in redesigning, re-writing the code and testing again. Twoalgorithms that can be used for modeling the system are described in this section: Binary

    Decision Diagrams (BDDs) and Timed Automata.

    3.1Binary Decision DiagramsBinary Decisions Diagrams (BDDs) are structures that represent Boolean functions. Theidea of BDDs was inspired from the Shannon Expansion [4]. The Shannon Expansion

    expresses a Boolean function as the sum of two sub functions. This can be done by

    converting the function into if-then-else normal form. To convert a Boolean function

    fhaving a variable x in if-then-else normal form the following rule is used

    ]0[[],1/[ xfxfxf =

    The rule says that if x is true then substitute x with 1, otherwise substitute x with 0. Thesub-formulae are then applied the same rule until no sub-formulae contains any more

    variables. Thus, each formula is split into two parts, one where the variable is true, and

    one where the variable is false. A decision tree can be built from these formulae by

    having each formula pointing to each its sub-formulae. For example yxt = in if-then-

    else normal form becomes )1,0(),0,1( = yyxt . A more complex example is the


    Figure 2 [3]

    This function can thus be represented as a Binary Decision Diagram (BDD) as shown in

    figure 2. Note that the dashed (solid) edge represents the variable represented in the nodehaving a value 0 (1).

    Note that 110t and 000t , 111t and 001t , and 00t and 11t are all equal. Merging these nodes

    together we create a binary decision diagram with no duplicate nodes which is

    represented in figure 3.

  • 8/3/2019 Formal Methods - An Overview


    Formal Methods: An Overview15

    The BDD is effectively a graph. In this way one can use graph algorithms to analyze the

    Boolean function being represented. A BDD is said to be ordered if node x comes before

    node y if yx < . A reduced BDD is a BDD where there are no redundant nodes, that is

    no nodes where both edges go to the same node. If a graph has no duplicate nodes, no

    redundant nodes and is ordered then the BDD is called Reduced Ordered Binary Decision

    Diagram (ROBDD). The BDD in the figure is an ROBDD since it has no redundantnodes and is ordered. Note the small size of an ROBDD compared to the BDD from

    where it was converted. It can be shown that there is a unique ROBDD for every Boolean

    function and that it takes constant time to see if an ROBDD is a tautology. On the otherhand, the construction of an ordered BDD is computationally intensive. For example

    choosing the best ordering for a given BDD is NP-Hard.

    Figure 3 The representation of )1,0(),0,1( = yyxt [3]

    Figure 3 The ROBDD of Figure 2 [3]

  • 8/3/2019 Formal Methods - An Overview


    Formal Methods: An Overview16

    Checking if the Boolean formula represented by a BDD is a tautology and if two BDDs

    are equivalent takes constant time. BDDs are applied in formal verification in two fields.BDDs can be used to check satisfiability of a Boolean formula and can be also used to

    compare if two combinational circuits are equivalent. The output of combinational

    circuits is a function of the input given and does not depend on the inputs given

    previously. Each circuit is a representation of Boolean formula which has a uniqueROBDD. Hence by comparing the ROBDD of two circuits one can find if two

    combinational circuits are equivalent.

    3.2Timed Automata [3]As one can see from the temporal logics such as CTL and duration calculus, real-timesystems can be modeled effectively. However it is useful to describe such systems in

    terms of transitions between states with respect to the flow of time. This can be achieved

    through a specialized form of automata: timed automata.

    Given a set of symbols

    , while in an automaton, reading a symbol

    a in a state b willmake a transition to a state c given tcab ),,( , in a timed automaton, the reading of

    symbol a in a state b will make a transition to a state c if the time in the system is .Time is represented by a non-negative real number where if two events a and b happen

    at time 1t and 2t , where 12 tt > then b happens later than a . Thus the flow of time can

    be described by a sequence of real numbers. Timed automata accept an infinite set of

    timed words described by ),( a where *a and is the time at which a is accepted.

    Time is represented using the positive real number. A number of clocks can be defined

    for a timed automaton. These clocks are real numbers giving the time. Clocks can bereset in a transition and constraints on the time given by a clock can be made. A transition

    can happen if a constraint is satisfied. Figure 4 shows an example of a timed automata.

    Figure 4 A timed automata producing strings }2.|),){((122


  • 8/3/2019 Formal Methods - An Overview


    Formal Methods: An Overview17

    Formally, we can define a timed automata as a 5 tuple >< ,,,,, tCQQ o where

    Q is the set of states

    oQ is the initial state

    is the alphabet

    Cis the set of clocks

    )(2 CSStC : the set of transitions.

    A transition is described by >< )(,,,', Cass . A transition from s to 's is made by

    accepting a , resetting the clocks in to 0 if the constraints on the clocks )(C are true.

    Timed automata are used in modeling of real-time finite-state systems. The theory of

    automata can then be used to prove properties about the system [18]. An example of such

    a system is a gate controller. After describing the design as a timed automaton, certain

    properties such as if the gate is never closed longer than an amount of time can be

    proved. This is a safety property. Such properties can be proved or disproved by

    analyzing the time constraints between the open and closed states. This shows theconvenience of modeling using timed-automata for such systems.

    Timed Automata can be used for scheduling problems. The timed automata used here is a

    variant of the timed automata described in the timed automata section. This variant can

    be described as a 5 tuple >< tfsCQ ,,,, where

    Q is the set of states

    Cis the set of clocks

    s is the initial state

    f is the final state

    tis a set of transition relations.

    The transition functions are of the form >< )(,,', Ccss . The transition from s to s with

    the clocks in c reset to 0, happens if the clock constraint )(C is true.

    Consider having a set of jobs each made of a number of operations. Each operation needs

    to use resource for a fixed time. Only one operation can be put on the machine at a given

    time. Finding the start time of each operation and which machine it will use to minimize

    the time taken to complete the entire process is known the job-shop scheduling problem.

    This problem can be shown to be NP-Complete.

    The shop scheduling problem can be posed as a time-automata and the shortest path (in

    terms of time) from the initial state to the final state is found. For every job J, one timed

    clock is made. For every operationj using a resource m , two states are created. The first

    state represents the job waiting to start called m and the second state represents the step

    executing m . In the transition between the two states the clock of the job is set to 0. For

    example, let us consider two jobs: )}3,(),4,{( 211 mmJ = where )}3,{( 12 mJ = . Each job is

    represented as a set of operations. An operation is in turn represented as a tuple

  • 8/3/2019 Formal Methods - An Overview


    Formal Methods: An Overview18

    ),( ba where a is the machine to be used and b is the time allocated on the machine a. The

    jobs can be represented as a timed automata as shown in Figure 5.

    Figure 5 Job represented as a timed automata. Note that the state corresponds to the machine being

    used and the time before a transition can be made (the machine stops) is no less than the time

    required for the step to use the machine [18].

    However both jobs are in the same system so the two automata have to be combined

    together. However, when merging states together one must not merge two states that areusing the same resource to conserve mutual exclusion. Instead of having two states s1

    and s2 with the same resource, one must consider the case of having s1 using the resource

    while s2 waiting or vice versa. Let us consider the merging of the two automata. Initially,

    both machines are waiting to be used. Thus the first state is 11 mm . Now there are two

    possibilities: either a transition to 11mm or 11 mm since both jobs need to use the same

    resource so one job waits until the other finishes. This is applied to all states and the

    automata representing the job-shop scheduling in this case is given below. Note how the

    automaton grows for only two jobs. The computationally intensive part is the building of

    the automata rather than finding the shortest path. The representation automata of the two

    jobs merged together is found in figure 6.

    Thus, job-scheduling problem is reduced to a timed-automata and then finding the

    shortest path from the initial to the final state is achieved. In this way different techniques

    to develop heuristics to get good solutions for the scheduling problem can be found and

    different insights on the scheduling problems can be developed.

  • 8/3/2019 Formal Methods - An Overview


    Formal Methods: An Overview19

    Figure 6 The two jobs described by a single automata. The shortest path in terms of time will give the

    optimal schedule. The graph as more than two paths to preserve mutual exclusion [18].

    3.3 Runtime Verification [7]In Model Checking a model of the system is checked to see if it satisfies a given property.

    Thus Model Checking increases the trust in the design of the system. However, Model

    Checking does not check the actual implementation. To check the implementation testing

    techniques are used. However testing is neither formal nor does it give any guarantee thatthe implementation satisfies a property. Formal Verification, on the other hand sits

    between Model Checking and testing. With Formal Verification one can see if a property

    is satisfied along a trace of execution of the system. While increasing the trust of the

    system more than testing, it still does not provide a guarantee like in Model Checking

    since to do so, all traces of execution must be checked. However, runtime verification is

    applied to the running program continuously and if there is a case where the

    implementation does not satisfy a property, the failure is logged. In this way, the reason

    why that particular execution failed can be used to find the source of the error and change

    it in less time.

    Runtime verification is achieved by having an observer that views the execution of theprogram and checks that the property is true along all the execution trace. The observer

    can be thought of as a monitor. The observer logs information on the execution trace that

    can be used for analysis. The properties in this case are expressed in Linear Temporal

    Logic since only the actual execution trace is dealt. Thus, only events in one timeline are

    being dealt with and the reasoning can be done using this logic.

  • 8/3/2019 Formal Methods - An Overview


    Formal Methods: An Overview20

    When using runtime verification care must be taken to ensure that the effect of the

    observer running with the program does not effect if the property is true for the execution

    trace or no. For example suppose that there is a property for a system stating that the time

    taken between a request and a response should be less than 200ms. With the system

    running without the observer, the property is true for the system. However when the

    observer is introduced a slow down can make the property false. One should also takecare of the correctness of the observer of the monitor itself. Incorrect behavior of the

    monitor can effect the execution of the program itself, which if run by itself could have

    run correctly.

    Runtime verification is a method of getting more confident about the correctness of the

    implementation of the system. With runtime verification the behavior of the system with

    its environment, such as the hardware and operating system is understood better. The

    changes of the environment may not be known before execution and these cases cannot

    be handled by testing, showing that runtime verification helps in the delivery of a more

    reliable system.

    4. Compiler Correctness [13]

    In the introduction it was mentioned that that the actual behavior of the program built

    depends on the compiler and systems software. The behavior of the program can become

    more predictable and increases confidence that the program is correct if one can show

    that the compiler with the program is being compiled is correct. Compiler Correctness

    means that if a statement a in the source language is converted into a statement 'a into the

    target language, the meaning of a is the same as the meaning of 'a . Ensuring correctness

    implies that when the compiled code is executed it will behave as is defined in the source


    Let us suppose that a language that represents expressions involving addition,

    subtraction, multiplication and addition is compiled to a target language which is run on a

    single address computer with an accumulator and 4 instructions: li (load immediate),

    load, store and add. To prove the correctness of the compiler one must start by defining

    the semantics of source and target language. As explained in the section on semantics,

    semantics provide meaning to each command. By showing that the semantics of the

    command in the source language are equal to the semantics in the target language, the

    correctness of the compiler is shown. Although the proof of correctness for the compiler

    described above is quite straightforward, the task complicates more when other

    commands are introduced, such as loops which in the target language can be handled

    with jump statements.

    Using a compiler that is shown to be correct is of extreme importance in critical systems.

    A compiler that has been proved correct implies that behavior of the implementation is

    the same as the behavior of the program executed from the object code will behave as

    defined in the source code used to produce the object code. Hence the properties true for

    the program described in the source will be also true for the program in the object code,

    thus increasing further the trust in the system.

  • 8/3/2019 Formal Methods - An Overview


    Formal Methods: An Overview21

    5. Learning Formal Logic using the Functional Paradigm [12]

    The difficulties encountered when learning Formal Logic can be due to various reasons.

    One could mention the failure to understand how a proof works. The distinction between

    theorems and meta-theorems is also important to understand formal logic. The notation

    used can introduce difficulty initially to students. Perhaps having a meta-language withwhich students are familiar to represent the concepts of formal logic can help in reducing

    these difficulties. For students who have a background in functional programming,

    formal logic can be introduced by using a functional language as the meta-language. The

    syntax of functional languages is very readable compared to languages in other

    paradigms. The language used in this demonstration is Gofer, the predecessor of Haskell.

    The formal logic introduced is Hilbert Logic. In this logic system, well-formed-formulae

    (wff) are built from variables, negation and implication. There are three axiom schemas:

    )(| ABA (1)

    ))()(())((| CABACBA (2))()(| ABBA (3)

    An axiom schema is a wff where the variables represent any wff. When the variables are

    substituted with wff the axiom schema becomes an axiom.

    The inference rule used is Modus Ponens:


    BAA |,|

    A proof in Hilbert logic is made of a non-empty set of hypothesis T, a number of steps n

    from 1s to ns that lead to a conclusion a. This is written as aT | . Each step can be a

    hypothesis, an axiom or an application of Modus Ponens using two previous steps. It can

    be shown that Hilbert Logic is both sound and complete. Soundness of a logic system

    implies that all conclusion proved are true. Completeness of a logic system implies that

    all true conclusions can be proved.

    In the functional meta-language a well-formed-form is represented as:

    data Wff = Var String | Not Wff | Wff :=> Wff

    The structure of the proof is then described. Note that K, S and CP represent axiom

    schemas 1,2 and 3 respectively. Hyp and MP represent the Hypothesis and Modus

    Ponens respectively.

    data Prf = K Wff Wff | S Wff Wff Wff | CP Wff Wff

    | Hyp Wff | MP Prf Prf

    Sequents relate the set of hypothesis with the conclusion of a proof:Data Seq = [Wff] :|- Wff

  • 8/3/2019 Formal Methods - An Overview


    Formal Methods: An Overview22

    Function seq gives the sequent described by a proof. seq :: Prf -> Seq. This provides

    a way to get the hypothesis and conclusion from a proof.

    seq :: Prf -> Seq

    seq (K x y) = [] :|- (x :=> (y :=> x))

    seq (S x y z) = [] :|- (x:=>(y:=>z)) :=>

    (x:=>y):=>(x:=>z)seq (CP x y) = [] :|- (Not x :=> Not y) :=> (y :=> x)

    seq (Hyp x) = [x] :|- x

    seq (MP p q) = (ws `union` hs) :|- z = if w == x

    where ws |- x = seq p

    hs |- w :=> z = seq q

    Note that seq is a partial function since it assumes that the proof is given in a correct

    form. However, a proof must be first checked that it is in a good form before applying it

    to seq. The checking of a proof is done using:

    gp :: Prf -> Bool

    gp (MP p q) = gp p && gp q && isImp cq&& cp == limp cq

    where (cp,cq) = (con p,con q)

    gp _ = True

    isImp x checks ifcq is an implication. limp p returns the left side of the implication p.

    con p returns the conclusion of a proofp. Using seq and gp, proof checking can be

    achieved. This is done using the function just, which finds if a sequent has all the

    hypothesis of the proof and the conclusion of the sequent is the same as that of the proof.

    just :: Prf -> Seq -> Bool

    just pr (h :|- c) = gp pr && con pr == c &&

    hyps pr `subset` h

    This is achieved by checking ifpr is a good proof and then checking if the conclusion of

    the proof is the same as the conclusion of the sequent. It is then checked if the hypothesis

    of the sequent contains all the hypothesis of the proof.

    With the just function we can define ch | , )):|``.Prf:(| chjustppch ( .

    Students being introduced to formal logic can understand this definition better.

    Consider proving xxwffx |.: . This means writing a proof p such that (p x) just

    ([]:|-x:=>x) is true.

    0. xxK)(| xxx

    1. x)(xxK ))((| xxxx


    ))())((()))(((| xxxxxxxxx

    3. 21MP)())((| xxxxx

    4. 30MPxx |

  • 8/3/2019 Formal Methods - An Overview


    Formal Methods: An Overview23

    Using the functional meta-language, the proof can be written as

    p x = MP (K x x) (MP (K x (x:=>x)) (S x (x:=>x) x))

    Proving even the simplest properties of implication are long, tedious and difficult.

    However such proofs can be made easier using the deduction theorem. The deduction

    theorem can be written in the following way:

    The deduction theorem states that given a set of hypothesis }{hhs , from which c is

    concluded, then one can prove that using hs as a hypothesis, one can conclude ch . Forexample, proving ))((| yyxx can be done by first proving yyxx |},{ , then

    using the deduction theorem to obtain the actual proof. This can be done by using a

    function ded which satisfies:

    con p)h :ut` h :|-s p `withojust` (hypded h p `gp p =>

    Thus ded, given a proof of form chhs |}{ will create a proof for chhs ! . ded is

    an implementation of the construction got from the proof of the deduction theorem. The

    deduction theorem is proved by constructing an algorithm that given chhs |}{ ,

    creates a proof for chhs ! . Using ded we can prove ))((| yyxx .

    1) proofp1 is obtained from yyxx |},{

    p1 = MP (Hyp (Var x) (Hyp ((Var x:=>Var y))

    2) Secondly, p2 is obtained from yyxx )(|}{

    p2 = ded (Var x :=> Var y) p1

    Finally, we obtain a proof p3 for ))((| yyxx

    p3 = ded (Var x) p2

    Using the functional paradigm, a gentler introduction can be given to formal logic.

    Concepts which are found difficult in the beginning such as the structure of proofs and

    the role of the meta-theorem in Hilbert Logic are explained easily in this manner. A layer

    of experimentation with proofs is also obtained where students can practice writing



    The more complex and critical systems are, the more important it is to reduce to

    minimum errors in the system. Correctly applied design and testing techniques achieve

    conchs :|- h:conc` [h]) :|-(hs `union =>

  • 8/3/2019 Formal Methods - An Overview


    Formal Methods: An Overview24

    this up to a certain degree. For example, with these techniques alone one cannot show

    that a design of vending machine gives back the exact change exactly. To ensure that a

    design meets the requirements or that the implementation is faithful to the design formal

    methods have to be used. As already mentioned not all methods are equally good to be

    used on any system. Experience and expertise are necessary in employing these methods

    successfully. For example in the case of using axiomatic semantics finding an invariantfor a while loop is not an easy task and requires skill. Neither is the task of finding the

    property which is true for the entire interval in duration calculus. However from the

    number of success stories of formal method one can see that the correct use of the

    methods described to specify, model and verify systems leads to a software or hardware

    product of a much higher quality.


    [1] What is formal methods? Last

    Referenced: 13th April 2007.

    [2] Anthony A. Aaby. Semantics of Programming Languages. aabyan/LN/PL/book/book.html Last Referenced: 13th April

    2008, 2004.

    [3] Dill Alur. A theory of timed automata. Theoretical Computer Science, 126:183

    235, 1994.

    [4] Henrik Leif Anderson. An introduction to binary decision diagrams. In Lecture

    Notes for 49285 Advanced Algorithms E97. Technical University of Denmark,


    [5] Alessandro Artale. Formal Methods: Computational Tree Logic. artale/FM/slide4.pdf. Last Referenced: 13th April 2007,


    [6] E.M. Clarke.Model Checking, chapter 3. 2000.[7] Marc Geilen. On the construction of monitors for temporal logic properties.

    Electronic Notes in Theoretical Computer Science, 2001.

    [8] Anthony Hall. Seven myths of formal methods.IEEE Software, 7, 1990.

    [9] David Harel.Algorithics - The Spirit of Computing. Addison-Wesley, 1987.

    [10] C.A.R. Hoare. Laws of programming. Communications of the ACM, 30:672686,


    [11] C.A.R. Hoare. A calculus of durations. Information Processing Letters, 40:269

    276, 1991.

    [12] B.A. Sufrin J. Leifer. Deduction for functional programmers. Functional Pearl,

    Journal of Functional Programming, 6:365373, 1993.

    [13] John McCarthy and James Painter. Correctness of a compiler for arithmeticexpressions. Proceedings Symposium in Applied Mathematics, Vol. 19,

    Mathematical Aspects of Computer Science, pages 3341, 1967.

    [14] Robin Milner.A Calculus of Communicating Systems. 1980.

    [15] Gordon J. Pace. Hardware Design Based on Verilog HDL. PhD thesis, Oxford

    University, 1998.

    [16] Gordon J. Pace. Hardware Design Based on Verilog HDL. PhD thesis, Oxford

    University, 1998.

  • 8/3/2019 Formal Methods - An Overview


    Formal Methods: An Overview25

    [17] Kenneth Slonneger. Syntax and Semantics of Programming Languages. Addison-

    Wesley, 1995.

    [18] Oded Maler Yasmina Abdeddaim. Jobshop scheduling using timed automata.

    Computer Aided Verification, pages 478492, 2001.