Download - Formal Methods - An Overview

8/3/2019 Formal Methods - An Overview

1/25

Formal Methods: An Overview1

Formal MethodsAn Overview

Introduction

The task of minimizing human errors in building an artifact increases the trust in it, thus

increasing its usage. This is true especially if failure implies losses of any kind. This can

be seen in the construction of bridges. In the early bridge constructions the load that amaterial could withstand or the effect the elements had upon the structure of the bridge

being constructed were probably not considered. As time progressed, the need to prevent

disasters due to the falling of bridges led to more disciplined bridge constructions. For

example, the study of materials was applied to find the best material that can withstand aparticular load. The best structure that can withstand powerful winds and the most

effective way how to join the materials together are all part of the new form of bridge

construction. This process of human error minimization led to a much a less occurrenceof bridge disaster and a higher trust in these structures.

This argument can be applied to all fields in engineering (including hardware

construction) and the building of software. The more complex the system the larger thediscipline needed in the construction of the systems. The study of how to discipline the

construction of software is software engineering. Software engineering, describes the

different ways how to design, build, test and maintain the software. When this knowledgeis applied correctly, the construction of software cost and time can be reduced

dramatically.

Among the repertoire of techniques and ideas in software engineering that can be used to

build software, there is a family of techniques that specify, design and verify software

(and hardware) with mathematical rigor. This means that the statements describing thespecification and design are written using well-formed formulae in a particular calculus.Thus, one can reason more effectively on these descriptions and deduce new facts by

using the axioms and inference rules of the calculus. Such facts include properties that

are true for a given set of inputs. [1]

Two important properties are safety and liveliness properties. Consider the case of the

design of a scheduler. First, the design is encoded as logic formulae in a particularcalculus. By using the theorems and axioms of the calculus one can arrive at a property of

the scheduler stating that the scheduler is mutually exclusive (no two processes can be in

a critical section at the same time). This is a safety property since its shows that the

scheduler is safe from entering incorrect states (in this case the incorrect state is that ofhaving non-mutual exclusion). If a fact can be proved showing that a process waiting to

be scheduled will eventually be executed, then a liveliness property of the scheduler has

been proved. A liveliness property shows that good states will eventually be reached.From these properties one can go on to talk about partial correctness and termination

properties. A program is said to be partially correct if the program gives the correct

output when it terminates. This follows from safety properties. A program has a


2/25


termination property if it always terminates. This is a liveliness property since

termination is a good state which will eventually happen. [9]

The group of techniques described is called formal methods. When these techniques are

correctly applied, one can build software or hardware that complies perfectly with its

specification, hence behaving as it should. The effort spent in applying formal methodsreduces drastically the number of bugs found in testing and the time taken in bug-fixing

[8].

Due to the complexity of certain systems, formal techniques are applied on the most

important parts of the system. For example, when building a theorem prover theapplication of formal methods will be on the section of the code which performs the

proof.

Whilst these methods help in minimizing human error in building hardware and software,one cannot regard these techniques as panaceas of hardware and software development.

There is no such thing as program that is all correct and one can expect that it is bug-free.[2] argues that the actual behavior of a program depends on the operating system, thehardware and the compiler. One can be surer on the stability of the software built in this

case by studying the behavior of the software with these three entities. Nevertheless, the

application of formal methods has been shown to produce reliable hardware and softwarethat is used in highly critical situations ranging from business applications to spacecraft

[8].

As mentioned previously, there are a number of techniques in formal methods. Not allmethods are equally good for being applied at a particular hardware or software

specification, design or implementation since each method has its own degree of

abstraction and own way how to model the artifact. For example, a method can be usedbetter to model a design at the gate level while another can model better the operation of

a circuit to its change of state in time. Thus the success of application of formal methods

depends on choosing the choice of the method [2]. This write-up is an overview on anumber of techniques used in formal methods.

The overview starts by describing the methods used in giving the semantics of formal

languages which are methods used to describe the meaning in programming languages,followed by temporal Logics: different logics with which one can reason about

statements whose truth value changes with time. An overview of Model Checking and

several methods than can be used in Model Checking such as Binary Decision Diagrams(BDDs) and timed automata are discussed. Runtime Verification, another technique

sitting in between Model Checking and testing and compiler correctness follow the

discussion. A description of the use of the functional paradigm as a meta-language offormal logic is then given.


3/25


1. Semantics of Programming LanguagesLet us take a valid source code from a programming language. The description of the

meaning of the source code can be done at several levels. The meaning can be describedin several ways, for example using another language or describing the execution being

carried out. The different methods to represent the meaning or semantics of programminglanguages in a rigorous way fall in the field of formal semantics of programming

languages. Such methods include Algebraic Semantics, Denotational Semantics,Axiomatic Semantics and Operational Semantics [4].

1.1Algebraic SemanticsWith algebraic semantics, a program is defined as a mathematical expression. A set of

algebraic laws are written for each statement. These laws govern the behaviour of thecommand when executed. For example, the meaning of an arithmetic operator such as

multiplication can be defined in terms of the laws it obeys such as monotonicity and

associativity. The behaviour of the operator is then described algebraically [10]. Thealgebraic semantics of a programming language are divided into two parts: The domain

or values used are defined, followed by the definition of the functions on these values.

Algebraic Laws are built from the functions that define the behavior. The following

example shows the meaning of a stack data structure using algebraic semantics [2].

The domain is composed of:

NNat

Stack

},{ falsetrueBool

The functions on the domain are defined

Stackcreate :

StackStackNatpush :

StackStackpop :

NatStacktop :

BoolStackempty :

The laws describing the behavior of the stack are defined as

SSNpushpop =)),((

NSNpushtop =)),((

falseSNpushempty =)),((

truecreateempty =)(


4/25


Although only the type definition of the functions is given, the laws (or axioms) describe

the behavior. The definition of the function is irrelevant as long as the laws are obeyed.

Algebraic semantics provide the best description of ADTs such as in this case [17].

The use of such laws enables programs to be reduced to a normal form. This enables

comparison of programs. In this way it can be shown that two syntactically differentprograms can be semantically equivalent, that is they perform the same task. Ordering of

programs can also be achieved, showing if a program is more specific than another. The

laws can be used to develop and reason on a specification. This specification can then be

transformed directly from the algebra to the actual syntax of the programming language,

thus generating the source code. Algebraic transformations can be used to optimize a

given program.

Algebraic Semantics, like all methods have the following drawback: the meaning given

by the algebra is not easy to comprehend immediately. Although algebraic semantics can

give several advantages, its application in real situations involves having practical

experience in the application of these laws. More specific theorems need to be discoveredto make the application of the laws more practical.

1.2Axiomatic SemanticsThe meaning of a statement in a programming language is described by the change in the

assertions representing the state of the program. The meaning of a statement c is defined

in the following way:

}{}{ QcP

P is an assertion describing the state of the program before the execution of command c .Q is the post condition describing the state of the program after the execution of

command c . The assertions are written in a chosen logic. The entire formula means that

if c is executed, then P must be satisfied before, while Q must be satisfied after execution

[17].

Consider a program (shown in Figure 1) that computes the summation of numbers in an

arrayA . The axiomatic semantics of the program can be used to verify that the output is

correct.

Lines 1 and 11 are the pre-and post-conditions of the program. The pre-condition states

that the sum of the first 0 elements ofA is 0 and that the number of elements in the arrayn is greater than 0. The post-condition states that the sum of the contents of the array is

equal to S. Line 3 states that the summation S is equal to the summation of the first I

elements inA, whereIis less than or equal to the number of elements inA.

The while loop can be entered ifI is less than n. If this is true, the summation of the first

i+1 elements must be equal to the sum of the i+1th element and the summation of the

firstIelements where i+1 is less than or equal to n. After the assignment on line 7 S must


5/25


be equal to the summation of the first i+1 elements. Line 10 states that the while loop

stops when i is equal to n.

Figure 1 A Summation program given meaning using axiomatic semantics [2]

Showing that the program is correct means showing that the pre and post conditions of

each command are true. To do this, the axioms describing the relation of the pre and post

conditions with the execution of a particular command must be used to show that the

conditions are true.

In the case of the assignment command, the axiom is

}{:]}:[{ PExExP =

This means that ifP is a post condition, then P must also be true before the execution of

the assignment given that x is substituted instead ofE. Lines 1-3 and 6-8 satisfy this

axiom.

The rule of consequence states:

}{}{

}{}{

RcP

RScQP

From this axiom, lines 5-8 can be written as

}1,][{1],1[:,},][{00

nIiAsIIASISnIiAsI

i

I

i+=+++=


6/25


=

===


7/25


1.3Denotational SemanticsIn denotational semantics each statement in a programming language is translated into a

denotation. A denotation is a description of the meaning in another language. To do this

the denotational semantics of a programming language is built from three parts: A

description of the syntax of the language, a semantic algebra and a set of valuationfunctions that map the syntax of the language to the semantic algebra. The functions thus

map from the syntactic domain to the semantic domain. To find the meaning of astatement we apply the valuation functions to the command. The result of the function is

an expression in the semantic algebra which denotes the meaning.

Let us give an example of the denotational semantics for the assignment and conditionalstatements. Initially, the syntax of the language is defined:

OperatorO

ExpressionE

CommandC

>


8/25


falseEec = |2

falseEvct =),(|),( 2

Using these two functions the denotation of the assignment and conditional commands

can be made in the semantic algebra

]:[:: EeVEVc ==

The evaluation of E is done by applyingEand to e. When V is applied to , the valuereturned will be the evaluation ofE.

To evaluate the conditional:

trueEeccelsecthenEifc == |121

If the evaluation of E is true, the denotation of the conditional is the denotation of c1,

otherwise the denotation of c2 is the denotation of the conditional.

Denotational Semantics are useful for the theoretical study of programming languages,especially in compiler construction. The denotations do not necessarily have to be

mathematical objects but any other representation can denote the meaning, such as object

code. In fact systems can be developed that can construct compilers given the

specification in terms of denotational semantics.

1.4Operational SemanticsWith operational semantics the meaning of the program can be understood by viewing

the execution of the program itself. Operational Semantics gives the trace of program

execution. The operational semantics of a programming language is built from two parts:

the first part is similar to that of denotational semantics: a description of the syntax of thelanguage. Then the second part is the definition of an interpreter that describes the

computation. The interpreter can be seen as a function that describes the meaning of a

command c by taking c and the state of the program . is a structure containing thevariables and their corresponding values.. The operational semantics for the programming

language defined in section 1.3 will be defined. The syntactic description is the same as

that for the denotational semantics. The interpreter is defined as follows

As stated, the interpretation function tis defined as Ct: . The function

e evaluates expressions: )(: TNEv . To describe the meaning of the assignment

statement we define the t as:

)],(:[),:( evVEVt ==

The same is done for the conditional statement:

trueEvctcelsecthenEift == ),(|),(),( 121


9/25


The execution trace in operational semantics can be described using a labelled transition

system. [14] defines a labelled transition system is defined as >< TLSS o ,,, where

S is the set of states

SSo is the initial state

L is the set of possible actions or events in the system

SLST is the set of transition relations.

A transition from state s to 's if there is an action or event a which is given by a

transition relation )',,( sas .

A way of showing if two transition systems are equivalent is by using bi-simulation [14].

One can see if two automata are equivalent if we compare the language generated by the

two automata and so in this case, bi-simulation is not that useful. However Bi-simulation

is useful in pi-calculus, a calculus used for modelling concurrent systems, there are final

no states and thus the approach to determine equivalence used in automata cannot be

used.

Bi simulation can be defined as an equivalence relation SSR where

RqpTqlqqTplpTqp )','()',,'.()',,.(),( . Two states p and q are bi-

similar if the actions from p and q go into states p and q that are bi-similar with each

other.

Although operational semantics does not give information on how to implement the

commands, specifying the programming language using operational semantics is very

convenient since by looking at the described execution trace, one can understand better

what the command should do in relation to the program state. A specification inoperational semantics is thus helpful when developing an interpreter or simulator of a

programming language.

2 Temporal LogicsIn the analysis of hardware and software specification and design, reasoning about the

change of objects in time is very important. Unfortunately propositional and predicate

logic cannot be used to represent such reasoning. For example the statement the light

bulb is on can be true at a certain time but false in another. For this reason an extension

is needed to these logics to provide reasoning on change in time. This is done with

temporal logic. In temporal logic one can represent statements such as The bulb isalways switched on, The light bulb will be eventually switched on and The light bulb

will be switched on until someone switches it off [11]. This is achieved using the

following operators:

P, meaning Always P

P, meaning Eventually, P will be true


10/25


Temporal logic is used for reasoning in a timeline. In this way there is no need to write

properties as functions of time and the reasoning and proving of properties can be done in

a more elegant and easier way. There are various temporal logics each having a different

way of looking at time. For example, in linear temporal logic reasoning can be done on

only one time line, being deterministic. On the other hand, branching logics can handle

more than one timeline, introducing non-determinism. One example is ComputationalTree Logic (CTL). In CTL one can write statements saying there is a possibility that the

light bulb will be switched off meaning that there exists at least one timeline where there

is an instance where the light bulb is switched off. These different timelines are

represented as different paths in a graph. This is done by introducing path quantifiers that

state for which paths (or timelines) a predicate is true. For example AP means that

Always P is true for all timelines. EP means that there exists at least one path in

which P is always true [5].

Interval temporal logic (ITL) is another logic with which one can reason effectively about

the periods of time. This is very useful in hardware design and analysis where certain

properties of a system can be true for certain periods of time. One type of ITL is DurationCalculus, which is appropriate for the design of real-time systems.

2.1Duration Calculus [11]In duration calculus time is represented as }0{=

+T . This definition of time enables

stating which the order of occurrence of events. State variables are functions that map

from the time domain to {0,1}. State variables cannot vary infinitely often. Removing

this assumption will introduce problems in the calculus. An interval

}^|{],[^

braTrrba = denotes a time slice. An empty interval has length 0. As

mentioned previously, temporal logic was developed to eliminate the use of statevariables as functions of time and in duration calculus this is done by introducing the idea

of a duration. A duration is an amount of time a state Variable P is true in an interval.

This is written as =a

b

dttPP )( . nbaP = ],[ is true if the duration of P in an interval

],[ ba is equal to n . If P is true for the entire duration, then == 11a

b

dtP . P is true if

= 1P . To show that there is an interval which can be divided into two parts where inthe first one P is true and in the second part Q is true, the chop operator ; is used. The

chop operator is defined as === 1^1.,,;c

b

b

a

dtBdtATcbaBA . This operator

is used to describe which state variables are true in a part of the interval. The duration

calculus contains 4 axioms which are

00 =


11/25


+=+

)()(

0

QPQPQP

P

)();( ==+= sPrPsrP

The and operators are defined in the following way:

P = true ; P ; true

P = P

Note the relation between the always and sometimes operator in temporal logic. With

these axioms and the theorems that can be proved from them, one can prove properties

for real time systems. An induction rule in propositional calculus eases the task of

proving the properties. Given a state P and Xis a predicate in )(XR , the induction rule

is defined as

)()));;()(()(( trueRPXPXXRXRR

The induction rule tells us that if a property R is true on the empty interval and if from

the fact that property is satisfied on part of the interval one can reach the fact that the

property is satisfied by the interval together with another part then the property is trueover the whole interval.

The safety constraints of a gas burner can be defined in duration calculus. For example, a

safety constraint stating that if the gas burner has been on for 60 seconds, leaking timemust be at most 1/20 of the total time. In duration calculus this is written as

120601 Leak (R1)

)(tLeak is true if the gas burner leaks at time t.

The design of the gas burner detects a leak after 1 second from the start of the leak. The

time between two successive leaks is at minimum 30 seconds. These are written as

11 Leak (D1)( ;Leak ;Leak Leak

301 ) (D2)

To show that the gas burner is safe, one must show that the design constraints imply the

security constraints: 12^1 RDD

The induction rule is in fact used to first prove the assertion by first proving on the empty

interval and then showing that if this is true on a part of the interval then it is true for the

interval together with another part. Duration calculus provides a simple notation for


12/25


expressing these statements by abstracting over time. With the theorems and the

induction rule, the proving of properties of the real-time system such as these examplesbecomes less time-consuming and more elegant.

2.2Discrete Duration Calculus [15]In digital circuits time is represented as pulses of unit time, or discrete time. To simplify

the reasoning of a digital circuit with respect to time a refined form of duration calculuswas developed called discrete duration calculus. In discrete duration calculus, intervals

can be described by ],0[ n where n is an integer. Since time is discrete the smallest

change in time greater than 0 cannot take any value but is the defined by the unit time.Thus the change in time must be a multiple of the unit time. The notion of history is also

present in this calculus. This is given by the >> operator. Given a state variable P a time

n, Pn >> will return a function that given the present time will return the value of P n

units before the present time. Thus:

>=>>

otherwisentPtntPn

|)(|0)(

Discrete duration calculus is further extended with relational duration calculus, with

which reasoning on 0 time events can be done.

2.3Relational Duration Calculus [16]Consider the following code snippet from a Hardware Description language Verilog:

i:=1; j := i; i:= 0. If the behavior were to be modeled using discrete duration

calculus a problem is encountered. The reason is that each of the statement is takes 0time, thus it happens in 0 clock cycles and so is not registered so whenj is assigned to

i, i will have a value of 1, but the value before the assignment. The reasoning above

events that take 0-time long must be introduced in duration calculus. The extension to

duration calculus where such reasoning can be done is called relational duration calculus.This calculus is built upon discrete duration calculus. The pre and post values of the

variables are written for each interval. Thus in this case, the value 0=i is written before

an empty interval and 1=i is written after an empty interval. The chop operator is similar

to the one used in duration calculus but handles also sequence of zero time events which

affect certain state variables. Thus ifi:=1 is event A and i:=2 is event B then using the

chop operator we can write BAi 1

;=

. In this wayj will be assigned to i with value 1 rather

than the value ofi before the assignment to 1.

Relational Duration Calculus can thus be used to model the semantics of Verilog. Since

Verilog describes circuits, there are commands which take a number of time units toexecute and others which take 0 time long like the delay and assignment constructs. As

seen above with relational duration calculus the meaning of assignment is defined using

the chop operator. These semantics of these two types of commands can both bedescribed using relational duration calculus as described above.


13/25


3. Model Checking [6]Given a model of the system Mand a logical property P , model checking involves the

process to show that P is true forM. Thus, if the system is in an initial state s, with

Model Checking one tries to show that Ps =| . The choice of the model must be made in

a way that the properties of the system can be easily described. The Model built musthave a level of abstraction enough to hide irrelevant details and keep only those relevantto prove correctness. For example, the model for a real-time system should describe the

variation of state over time. The system can be modeled using a state transition diagram

or a Kripke Structure. Informally, a Kripke structure describes state transitions but inaddition, each state contains a number of logical formulae which are true for this state. To

describe properties of systems changing with time, temporal logic is used to write the

statements that describe the model (the property). The property can be written in atemporal logic and then it is shown if the property is true for the model. The computation

of the system can be described by the model as a sequence of states which is achieved by

transitions from one state to the other.

Systems can have multiple paths of execution. Thus properties of such system can be

written in CTL due to its ability of reasoning about multiple time lines. Given a model of

a traffic light controller, it is important to check if this model does not permit that twolights are green at the same time. This is a safety property. This can be written as, in all

execution paths, it is always true that ))()^(( 21 tgreentgreen where 1t and 2t are traffic

lights. This is written as (AG )))()^(( 21 tgreentgreen where A represents all

execution paths and G states that the assertion is globally true throughout the entire

execution path.

It can be shown that the expressive power of LTL and CTL are different. For example in

LTL one cannot specify truths for certain paths as done in CTL using the E quantifier. Onthe other hand strong fairness cannot be expressed in CTL [5]. CTL* is a temporal logicthat has the expressive power of the two temporal logics combined together. In this logic,

the temporal operators can be applied without any constraints. For example one can writeAP, which states that for all paths, P is true infinitely often. Using CTL*, properties

such as fairness can be proved for systems that have more than one computation paths.

For certain instances, the proofs to show that a property is true for a Model can be fullyautomated using Model Checkers. This is done using Model Checking Algorithms that

given a model of the system such as Kripke Structure S and a property described in a

logic such as a CTL* formula f . The algorithm finds if f is true for S . Thus, system

designers do not need to have a huge expertise in proof techniques. The system designers

need only create a model to give as input and encode the requirements of the system aslogical formulae. If a property is not true for a Model, the Model Checker gives a counter

example which helps in understanding the reason of why the property is not true for the

system. Unfortunately, the system can contain a huge number of different computationpaths, leading to the state explosion problem. Different model checking algorithms

handle this problem with techniques to reduce the search space. However, this does not


14/25


always work and so the model checker must either divide the design and model check

each part on its own or else reduce the number of independent variables.

Model checking is a very important method in formal methods with regards to the

analysis of specification and design of a system. The problems found in the design due to

model checking save effort in redesigning, re-writing the code and testing again. Twoalgorithms that can be used for modeling the system are described in this section: Binary

Decision Diagrams (BDDs) and Timed Automata.

3.1Binary Decision DiagramsBinary Decisions Diagrams (BDDs) are structures that represent Boolean functions. Theidea of BDDs was inspired from the Shannon Expansion [4]. The Shannon Expansion

expresses a Boolean function as the sum of two sub functions. This can be done by

converting the function into if-then-else normal form. To convert a Boolean function

fhaving a variable x in if-then-else normal form the following rule is used

]0[[],1/[ xfxfxf =

The rule says that if x is true then substitute x with 1, otherwise substitute x with 0. Thesub-formulae are then applied the same rule until no sub-formulae contains any more

variables. Thus, each formula is split into two parts, one where the variable is true, and

one where the variable is false. A decision tree can be built from these formulae by

having each formula pointing to each its sub-formulae. For example yxt = in if-then-

else normal form becomes )1,0(),0,1( = yyxt . A more complex example is the

following:

Figure 2 [3]

This function can thus be represented as a Binary Decision Diagram (BDD) as shown in

figure 2. Note that the dashed (solid) edge represents the variable represented in the nodehaving a value 0 (1).

Note that 110t and 000t , 111t and 001t , and 00t and 11t are all equal. Merging these nodes

together we create a binary decision diagram with no duplicate nodes which is

represented in figure 3.


15/25


The BDD is effectively a graph. In this way one can use graph algorithms to analyze the

Boolean function being represented. A BDD is said to be ordered if node x comes before

node y if yx < . A reduced BDD is a BDD where there are no redundant nodes, that is

no nodes where both edges go to the same node. If a graph has no duplicate nodes, no

redundant nodes and is ordered then the BDD is called Reduced Ordered Binary Decision

Diagram (ROBDD). The BDD in the figure is an ROBDD since it has no redundantnodes and is ordered. Note the small size of an ROBDD compared to the BDD from

where it was converted. It can be shown that there is a unique ROBDD for every Boolean

function and that it takes constant time to see if an ROBDD is a tautology. On the otherhand, the construction of an ordered BDD is computationally intensive. For example

choosing the best ordering for a given BDD is NP-Hard.

Figure 3 The representation of )1,0(),0,1( = yyxt [3]

Figure 3 The ROBDD of Figure 2 [3]


16/25


Checking if the Boolean formula represented by a BDD is a tautology and if two BDDs

are equivalent takes constant time. BDDs are applied in formal verification in two fields.BDDs can be used to check satisfiability of a Boolean formula and can be also used to

compare if two combinational circuits are equivalent. The output of combinational

circuits is a function of the input given and does not depend on the inputs given

previously. Each circuit is a representation of Boolean formula which has a uniqueROBDD. Hence by comparing the ROBDD of two circuits one can find if two

combinational circuits are equivalent.

3.2Timed Automata [3]As one can see from the temporal logics such as CTL and duration calculus, real-timesystems can be modeled effectively. However it is useful to describe such systems in

terms of transitions between states with respect to the flow of time. This can be achieved

through a specialized form of automata: timed automata.

Given a set of symbols

, while in an automaton, reading a symbol

a in a state b willmake a transition to a state c given tcab ),,( , in a timed automaton, the reading of

symbol a in a state b will make a transition to a state c if the time in the system is .Time is represented by a non-negative real number where if two events a and b happen

at time 1t and 2t , where 12 tt > then b happens later than a . Thus the flow of time can

be described by a sequence of real numbers. Timed automata accept an infinite set of

timed words described by ),( a where *a and is the time at which a is accepted.

Time is represented using the positive real number. A number of clocks can be defined

for a timed automaton. These clocks are real numbers giving the time. Clocks can bereset in a transition and constraints on the time given by a clock can be made. A transition

can happen if a constraint is satisfied. Figure 4 shows an example of a timed automata.

Figure 4 A timed automata producing strings }2.|),){((122

+


17/25


Formally, we can define a timed automata as a 5 tuple >< ,,,,, tCQQ o where

Q is the set of states

oQ is the initial state

is the alphabet

Cis the set of clocks

)(2 CSStC : the set of transitions.

A transition is described by >< )(,,,', Cass . A transition from s to 's is made by

accepting a , resetting the clocks in to 0 if the constraints on the clocks )(C are true.

Timed automata are used in modeling of real-time finite-state systems. The theory of

automata can then be used to prove properties about the system [18]. An example of such

a system is a gate controller. After describing the design as a timed automaton, certain

properties such as if the gate is never closed longer than an amount of time can be

proved. This is a safety property. Such properties can be proved or disproved by

analyzing the time constraints between the open and closed states. This shows theconvenience of modeling using timed-automata for such systems.

Timed Automata can be used for scheduling problems. The timed automata used here is a

variant of the timed automata described in the timed automata section. This variant can

be described as a 5 tuple >< tfsCQ ,,,, where

Q is the set of states

Cis the set of clocks

s is the initial state

f is the final state

tis a set of transition relations.

The transition functions are of the form >< )(,,', Ccss . The transition from s to s with

the clocks in c reset to 0, happens if the clock constraint )(C is true.

Consider having a set of jobs each made of a number of operations. Each operation needs

to use resource for a fixed time. Only one operation can be put on the machine at a given

time. Finding the start time of each operation and which machine it will use to minimize

the time taken to complete the entire process is known the job-shop scheduling problem.

This problem can be shown to be NP-Complete.

The shop scheduling problem can be posed as a time-automata and the shortest path (in

terms of time) from the initial state to the final state is found. For every job J, one timed

clock is made. For every operationj using a resource m , two states are created. The first

state represents the job waiting to start called m and the second state represents the step

executing m . In the transition between the two states the clock of the job is set to 0. For

example, let us consider two jobs: )}3,(),4,{( 211 mmJ = where )}3,{( 12 mJ = . Each job is

represented as a set of operations. An operation is in turn represented as a tuple


18/25


),( ba where a is the machine to be used and b is the time allocated on the machine a. The

jobs can be represented as a timed automata as shown in Figure 5.

Figure 5 Job represented as a timed automata. Note that the state corresponds to the machine being

used and the time before a transition can be made (the machine stops) is no less than the time

required for the step to use the machine [18].

However both jobs are in the same system so the two automata have to be combined

together. However, when merging states together one must not merge two states that areusing the same resource to conserve mutual exclusion. Instead of having two states s1

and s2 with the same resource, one must consider the case of having s1 using the resource

while s2 waiting or vice versa. Let us consider the merging of the two automata. Initially,

both machines are waiting to be used. Thus the first state is 11 mm . Now there are two

possibilities: either a transition to 11mm or 11 mm since both jobs need to use the same

resource so one job waits until the other finishes. This is applied to all states and the

automata representing the job-shop scheduling in this case is given below. Note how the

automaton grows for only two jobs. The computationally intensive part is the building of

the automata rather than finding the shortest path. The representation automata of the two

jobs merged together is found in figure 6.

Thus, job-scheduling problem is reduced to a timed-automata and then finding the

shortest path from the initial to the final state is achieved. In this way different techniques

to develop heuristics to get good solutions for the scheduling problem can be found and

different insights on the scheduling problems can be developed.


19/25


Figure 6 The two jobs described by a single automata. The shortest path in terms of time will give the

optimal schedule. The graph as more than two paths to preserve mutual exclusion [18].

3.3 Runtime Verification [7]In Model Checking a model of the system is checked to see if it satisfies a given property.

Thus Model Checking increases the trust in the design of the system. However, Model

Checking does not check the actual implementation. To check the implementation testing

techniques are used. However testing is neither formal nor does it give any guarantee thatthe implementation satisfies a property. Formal Verification, on the other hand sits

between Model Checking and testing. With Formal Verification one can see if a property

is satisfied along a trace of execution of the system. While increasing the trust of the

system more than testing, it still does not provide a guarantee like in Model Checking

since to do so, all traces of execution must be checked. However, runtime verification is

applied to the running program continuously and if there is a case where the

implementation does not satisfy a property, the failure is logged. In this way, the reason

why that particular execution failed can be used to find the source of the error and change

it in less time.

Runtime verification is achieved by having an observer that views the execution of theprogram and checks that the property is true along all the execution trace. The observer

can be thought of as a monitor. The observer logs information on the execution trace that

can be used for analysis. The properties in this case are expressed in Linear Temporal

Logic since only the actual execution trace is dealt. Thus, only events in one timeline are

being dealt with and the reasoning can be done using this logic.


20/25


When using runtime verification care must be taken to ensure that the effect of the

observer running with the program does not effect if the property is true for the execution

trace or no. For example suppose that there is a property for a system stating that the time

taken between a request and a response should be less than 200ms. With the system

running without the observer, the property is true for the system. However when the

observer is introduced a slow down can make the property false. One should also takecare of the correctness of the observer of the monitor itself. Incorrect behavior of the

monitor can effect the execution of the program itself, which if run by itself could have

run correctly.

Runtime verification is a method of getting more confident about the correctness of the

implementation of the system. With runtime verification the behavior of the system with

its environment, such as the hardware and operating system is understood better. The

changes of the environment may not be known before execution and these cases cannot

be handled by testing, showing that runtime verification helps in the delivery of a more

reliable system.

4. Compiler Correctness [13]

In the introduction it was mentioned that that the actual behavior of the program built

depends on the compiler and systems software. The behavior of the program can become

more predictable and increases confidence that the program is correct if one can show

that the compiler with the program is being compiled is correct. Compiler Correctness

means that if a statement a in the source language is converted into a statement 'a into the

target language, the meaning of a is the same as the meaning of 'a . Ensuring correctness

implies that when the compiled code is executed it will behave as is defined in the source

code.

Let us suppose that a language that represents expressions involving addition,

subtraction, multiplication and addition is compiled to a target language which is run on a

single address computer with an accumulator and 4 instructions: li (load immediate),

load, store and add. To prove the correctness of the compiler one must start by defining

the semantics of source and target language. As explained in the section on semantics,

semantics provide meaning to each command. By showing that the semantics of the

command in the source language are equal to the semantics in the target language, the

correctness of the compiler is shown. Although the proof of correctness for the compiler

described above is quite straightforward, the task complicates more when other

commands are introduced, such as loops which in the target language can be handled

with jump statements.

Using a compiler that is shown to be correct is of extreme importance in critical systems.

A compiler that has been proved correct implies that behavior of the implementation is

the same as the behavior of the program executed from the object code will behave as

defined in the source code used to produce the object code. Hence the properties true for

the program described in the source will be also true for the program in the object code,

thus increasing further the trust in the system.


21/25


5. Learning Formal Logic using the Functional Paradigm [12]

The difficulties encountered when learning Formal Logic can be due to various reasons.

One could mention the failure to understand how a proof works. The distinction between

theorems and meta-theorems is also important to understand formal logic. The notation

used can introduce difficulty initially to students. Perhaps having a meta-language withwhich students are familiar to represent the concepts of formal logic can help in reducing

these difficulties. For students who have a background in functional programming,

formal logic can be introduced by using a functional language as the meta-language. The

syntax of functional languages is very readable compared to languages in other

paradigms. The language used in this demonstration is Gofer, the predecessor of Haskell.

The formal logic introduced is Hilbert Logic. In this logic system, well-formed-formulae

(wff) are built from variables, negation and implication. There are three axiom schemas:

)(| ABA (1)

))()(())((| CABACBA (2))()(| ABBA (3)

An axiom schema is a wff where the variables represent any wff. When the variables are

substituted with wff the axiom schema becomes an axiom.

The inference rule used is Modus Ponens:

B

BAA |,|

A proof in Hilbert logic is made of a non-empty set of hypothesis T, a number of steps n

from 1s to ns that lead to a conclusion a. This is written as aT | . Each step can be a

hypothesis, an axiom or an application of Modus Ponens using two previous steps. It can

be shown that Hilbert Logic is both sound and complete. Soundness of a logic system

implies that all conclusion proved are true. Completeness of a logic system implies that

all true conclusions can be proved.

In the functional meta-language a well-formed-form is represented as:

data Wff = Var String | Not Wff | Wff :=> Wff

The structure of the proof is then described. Note that K, S and CP represent axiom

schemas 1,2 and 3 respectively. Hyp and MP represent the Hypothesis and Modus

Ponens respectively.

data Prf = K Wff Wff | S Wff Wff Wff | CP Wff Wff

| Hyp Wff | MP Prf Prf

Sequents relate the set of hypothesis with the conclusion of a proof:Data Seq = [Wff] :|- Wff


22/25


Function seq gives the sequent described by a proof. seq :: Prf -> Seq. This provides

a way to get the hypothesis and conclusion from a proof.

seq :: Prf -> Seq

seq (K x y) = [] :|- (x :=> (y :=> x))

seq (S x y z) = [] :|- (x:=>(y:=>z)) :=>

(x:=>y):=>(x:=>z)seq (CP x y) = [] :|- (Not x :=> Not y) :=> (y :=> x)

seq (Hyp x) = [x] :|- x

seq (MP p q) = (ws `union` hs) :|- z = if w == x

where ws |- x = seq p

hs |- w :=> z = seq q

Note that seq is a partial function since it assumes that the proof is given in a correct

form. However, a proof must be first checked that it is in a good form before applying it

to seq. The checking of a proof is done using:

gp :: Prf -> Bool

gp (MP p q) = gp p && gp q && isImp cq&& cp == limp cq

where (cp,cq) = (con p,con q)

gp _ = True

isImp x checks ifcq is an implication. limp p returns the left side of the implication p.

con p returns the conclusion of a proofp. Using seq and gp, proof checking can be

achieved. This is done using the function just, which finds if a sequent has all the

hypothesis of the proof and the conclusion of the sequent is the same as that of the proof.

just :: Prf -> Seq -> Bool

just pr (h :|- c) = gp pr && con pr == c &&

hyps pr `subset` h

This is achieved by checking ifpr is a good proof and then checking if the conclusion of

the proof is the same as the conclusion of the sequent. It is then checked if the hypothesis

of the sequent contains all the hypothesis of the proof.

With the just function we can define ch | , )):|``.Prf:(| chjustppch ( .

Students being introduced to formal logic can understand this definition better.

Consider proving xxwffx |.: . This means writing a proof p such that (p x) just

([]:|-x:=>x) is true.

0. xxK)(| xxx

1. x)(xxK ))((| xxxx

2.xx)(xxS

))())((()))(((| xxxxxxxxx

3. 21MP)())((| xxxxx

4. 30MPxx |


23/25


Using the functional meta-language, the proof can be written as

p x = MP (K x x) (MP (K x (x:=>x)) (S x (x:=>x) x))

Proving even the simplest properties of implication are long, tedious and difficult.

However such proofs can be made easier using the deduction theorem. The deduction

theorem can be written in the following way:

The deduction theorem states that given a set of hypothesis }{hhs , from which c is

concluded, then one can prove that using hs as a hypothesis, one can conclude ch . Forexample, proving ))((| yyxx can be done by first proving yyxx |},{ , then

using the deduction theorem to obtain the actual proof. This can be done by using a

function ded which satisfies:

con p)h :ut` h :|-s p `withojust` (hypded h p `gp p =>

Thus ded, given a proof of form chhs |}{ will create a proof for chhs ! . ded is

an implementation of the construction got from the proof of the deduction theorem. The

deduction theorem is proved by constructing an algorithm that given chhs |}{ ,

creates a proof for chhs ! . Using ded we can prove ))((| yyxx .

1) proofp1 is obtained from yyxx |},{

p1 = MP (Hyp (Var x) (Hyp ((Var x:=>Var y))

2) Secondly, p2 is obtained from yyxx )(|}{

p2 = ded (Var x :=> Var y) p1

Finally, we obtain a proof p3 for ))((| yyxx

p3 = ded (Var x) p2

Using the functional paradigm, a gentler introduction can be given to formal logic.

Concepts which are found difficult in the beginning such as the structure of proofs and

the role of the meta-theorem in Hilbert Logic are explained easily in this manner. A layer

of experimentation with proofs is also obtained where students can practice writing

proofs.

Conclusion

The more complex and critical systems are, the more important it is to reduce to

minimum errors in the system. Correctly applied design and testing techniques achieve

conchs :|- h:conc` [h]) :|-(hs `union =>


24/25


this up to a certain degree. For example, with these techniques alone one cannot show

that a design of vending machine gives back the exact change exactly. To ensure that a

design meets the requirements or that the implementation is faithful to the design formal

methods have to be used. As already mentioned not all methods are equally good to be

used on any system. Experience and expertise are necessary in employing these methods

successfully. For example in the case of using axiomatic semantics finding an invariantfor a while loop is not an easy task and requires skill. Neither is the task of finding the

property which is true for the entire interval in duration calculus. However from the

number of success stories of formal method one can see that the correct use of the

methods described to specify, model and verify systems leads to a software or hardware

product of a much higher quality.

References

[1] What is formal methods? http://shemesh.larc.nasa.gov/fm/fm-what.html. Last

Referenced: 13th April 2007.

[2] Anthony A. Aaby. Semantics of Programming Languages.http://cs.wwc.edu/ aabyan/LN/PL/book/book.html Last Referenced: 13th April

2008, 2004.

[3] Dill Alur. A theory of timed automata. Theoretical Computer Science, 126:183

235, 1994.

[4] Henrik Leif Anderson. An introduction to binary decision diagrams. In Lecture

Notes for 49285 Advanced Algorithms E97. Technical University of Denmark,

1997.

[5] Alessandro Artale. Formal Methods: Computational Tree Logic.

http://www.inf.unibz.it/ artale/FM/slide4.pdf. Last Referenced: 13th April 2007,

2007.

[6] E.M. Clarke.Model Checking, chapter 3. 2000.[7] Marc Geilen. On the construction of monitors for temporal logic properties.

Electronic Notes in Theoretical Computer Science, 2001.

[8] Anthony Hall. Seven myths of formal methods.IEEE Software, 7, 1990.

[9] David Harel.Algorithics - The Spirit of Computing. Addison-Wesley, 1987.

[10] C.A.R. Hoare. Laws of programming. Communications of the ACM, 30:672686,

1988.

[11] C.A.R. Hoare. A calculus of durations. Information Processing Letters, 40:269

276, 1991.

[12] B.A. Sufrin J. Leifer. Deduction for functional programmers. Functional Pearl,

Journal of Functional Programming, 6:365373, 1993.

[13] John McCarthy and James Painter. Correctness of a compiler for arithmeticexpressions. Proceedings Symposium in Applied Mathematics, Vol. 19,

Mathematical Aspects of Computer Science, pages 3341, 1967.

[14] Robin Milner.A Calculus of Communicating Systems. 1980.

[15] Gordon J. Pace. Hardware Design Based on Verilog HDL. PhD thesis, Oxford

University, 1998.

[16] Gordon J. Pace. Hardware Design Based on Verilog HDL. PhD thesis, Oxford

University, 1998.


25/25


[17] Kenneth Slonneger. Syntax and Semantics of Programming Languages. Addison-

Wesley, 1995.

[18] Oded Maler Yasmina Abdeddaim. Jobshop scheduling using timed automata.

Computer Aided Verification, pages 478492, 2001.