Introduction

Formal Methods

Lecture 1



Farn Wang
Dept. of Electrical Engineering
National Taiwan University

Specification & Verification?

- · Complete & sound specifications.
- Reducing bugs in a system.
- Making sure there are very few bugs.

Very difficult!

Competitiveness of high-tech industry!

A way to survive for the students!

A way to survive for Taiwan!

. . . . . . .



# **Tragedy in the South Sci-Park**



 ${m \pm}$   ${m \varLambda}$ 

Tragedy in the South Sci-Park



Tragedy in the South Sci-Park



Tragedy in the South Sci-Park









Specifications, descriptions, & verification

- · specification:
  - The user's requirement
- description (implementation):
  - The user's description of the systems
  - No strict line between description and specification.
- · verification:
  - Does the description satisfy the specification?

. . . . . . .

Formal specification & automated verification

- formal specification:
  - specification with rigorous mathematical notations
- automated verification:
  - verification with support from computer tools.

12

王凡

6

Why formal specifications?

- to make the engineers/users understand the system to design through rigorous mathematical notations.
- to avoid ambiguity/confusion/misunderstanding in communication/discussion/reading.
- · to specify the system precisely.
- to generate mathematical models for automated analysis.

. . . . . . .

#### Why automated verification?

- to somehow be able to verify complexer & larger systems
- to liberate human from the labor-intensive verification tasks
  - to set free the creativity of human
- to avoid the huge cost of fixing early bugs in late cycles.
- to compete with the core verification technology of the future.

. . . . . . . .



# Pentium Bug (1/4)

Floating-point division

- expected precision up to 18 positions
- in practice, only 4 positions
- Pentium 60MHz 90MHz
- Example:

5505001 / 294911

wrong answer: 18.66600093

expected answer: 18.6665197

 $oldsymbol{arEpsilon}\mathcal{I}$ 

•

### Pentium Bug (2/4)

- Only for very few number pairs
- · reproducible!
- affecting large scientific computations, statistics applications, engineering computations, spreadsheet, simulation,

- - -

 may affect applications compiled with the CPU.

1'

•

#### Pentium Bug (3/4)

- discovered by Dr. Thomas R. Nicely at Lynchburg College
  - nicely@acavax.lynchburg.edu
- announced in Compuserve on 10/30/1994
- printed in media on 11/7/1994
- fixed in mid 1994, but Intel insisted
  - new chips scheduled to major customers at the end of the year.
  - no replacement unless bug effects proved individually

王凡

Ç

Pentium Bug (4/4)

- triggered a wave of research in formal verification
- Intel maintained a large team of formal method. Until a few years ago, its size was a secret.
- Now we believe computation theory could be useful.
  - Grants and funds poured in.
  - Timely achievements in theory and tools.

. . . . . . .

THE "BUG" HEARD 'ROUND THE WORLD (1/4)

Discussion of the Software Problem Which Delayed the First Shuttle Orbital Flight

John R. Garman

**Deputy Chief** 

**Spacecraft Software Division** 

NASA, Johnson Space Center

**Houston, Texas** 

Aug 24, 1981

**ACM SIGSOFT** Software Engineering Notes,

Vol. 6, Nr. 5, Oct, 1981

. . . . . . .

 $oldsymbol{arXi} oldsymbol{\mathcal{I}}$ 

THE "BUG" HEARD 'ROUND THE WORLD (2/4)

Discussion of the Software Problem Which Delayed the First Shuttle Orbital Flight

- 4/10/1981, 20 mins before the first launch of space shuttle, the 5th backup computer could not initialize.
- 4 General Purpose Computer (GPC) and 1 backup computer
- FO/FS fault-tolerant
  - one-fault-operate (still can vote)
  - two-fault-safe (still can return safely)

THE "BUG" HEARD 'ROUND THE WORLD (3/4) Discussion of the Software Problem Which

Delayed the First Shuttle Orbital Flight

- Software on the GPCs and the backup were developed by different teams.
- Cyclic processing
- Before the launch, the program on the GPCs had run for 30 hrs without problems.

THE "BUG" HEARD 'ROUND THE WORLD (4/4)

Discussion of the Software Problem Which Delayed the First Shuttle Orbital Flight

- 1 hr later, IBM dumped the memory of the GPCs and found out a software bug in timing synchrony.
- Processes in the GPCs were out-ofphase.
- The backup could not get the out-ofphase signal and claimed the GPCs were faulty.

. . . . . . .



 $oldsymbol{arPsi}$   $oldsymbol{\mathcal{I}}$   $oldsymbol{\mathcal{I}}$ 



Therac-25 Incidents

Medical linear accelerator by AECL

- Computer-controlled (DEC PDP-11)
- Dual modes of X-ray and electron
- Successor to Therac-20 and death and Therac-6 by AECI and WGR from
  available a Cate 1982 uries
  11 Therac-270 Were installed 987
  6/1985

Therac-25 incidents (continued, 2)

- Independently developed by AECL after breaking up with CGR
- A fault-tree safety analysis was performed with the assumption that software was correct.
- Controlled by legacy software from Therac-20 and Therac-6
  - Therac-20 and -6 only used computer for convenience
  - Get rid of hardware interlock since software never went wrong with Therac-20 and Therac-6
    - In fact, most software errors of Therac-20 and Therac-6 had been masked by hardware interlocks.

Therac-25 incidents (continued, 3)

- Error message happened so often that technicians thought they were normal.
- Most of the errors did not hurt.
- The AECL said
  - "Improper scanning was not possible!"
  - "This incident was never reproted to AECL prior to this date ..." (after 10 months of a filed lawsuit)

28

 $ot \in \mathcal{F}_{k}$ 

•

#### Therac-25 incidents (continued, 4)

- On May 2, 1986, FDA declared Therac-25 defective and demanded CAP.
- AECL remedied something and claimed that Therac-25 was 10,000 times safer.
- FDA believed them.
- Software errors have been identified in all these six admitted accidents.
- Finally, the hardware interlocks were put back in on Feb. 2, 1987.

29

•

#### Therac-25 incidents (continued, 5)

- Worst accidents series in 35-year history of medical accelerator
- References:
  - N. Leveson, C.S. Turner, An investigation of theTherac-25 accidents, IEEE Computer, Vol. 26, Nr. 7, July 1993, pp.18-41

30

 $oldsymbol{arPsi}$   $oldsymbol{\mathcal{I}}$   $oldsymbol{\mathcal{I}}$ 

**GOVERNMENT NEWS** GCN July 13, 1998 Software glitches leave Navy **Smart Ship dead in the water** 



Some more bugs (1)

- Mars climate orbiter smashed into the planet instead of reaching a safe orbit (\$165M), 1999
  - Failure to convert English measures to metric values
  - Software shut the engine off 100ft above the surface.
- US Vicennes mistook airbus 320 for a F-14 and shot it down, 1st Gulf War, 1988.
  - 290 people dead
  - Why: Software bug cryptic and misleading output displayed by the tracking software

Some more bugs (2)

Failure of the London Ambulance Service on 26 and 27 November 1992

- Load increased
- Emergencies accumulated
- System made incorrect allocations
  - more than one ambulance being sent to the same incident
  - · the closest vehicle was not chosen for the emergency
- At 23:00 on October 28 the LAS eventually instigated a backup procedure, after the death of at least 20 patients

. . . . . .

33

### Some more bugs (3)

- British destroyer H.M.S. Sheffield; sunk in the Falkland Islands war
  - ship's radar warning system software allowed missile to reach its target
- An Air New Zealand airliner crashed into an Antarctic mountain
- North American Aerospace Defense Command reported that the U.S. was under missile attack;
  - traced to faulty computer software generated incorrect signals
- Manned space capsule Gemini V missed its landing point by 100 miles;
  - software ignored the motion of the earth around the sun

["The development of software for ballistic-missile defense," by H. Lin, Scientific American, vol. 253, no. 6 (Dec. 1985),3\( \beta \). 48]

 $oldsymbol{arEpsilon}$  , which is the state of the sta

Some more bugs (4)

 An error in an aircraft design program contributed to several serious air crashes

> ["Software Engineering: Report on a Conference sponsored by the NATO Science Committee, Brussels NATO Scientific Affairs Division," 1968, p. 121]

 Dallas/Fort Worth air-traffic system began spitting out gibberish in the Fall of 1989 and controllers had to track planes on paper

> ["Ghost in the Machine," Time Magazine, Jan. 29, 1990. p. 58]

> > 35

# Some more bugs (5)

- F-18 fighter plane crashed
  - due to a missing exception condition

[ACM SIGSOFT Software Engineering Notes, vol. 6, no. 2]

- F-14 fighter plane was lost
  - to uncontrollable spin, traced to tactical software

[ACM SIGSOFT Software Engineering Notes, vol. 9, no. 5]

- Chicago cat owners were billed \$5 for unlicensed dachshunds.
  - A database search on "DHC" (for dachshunds) found "domestic house cats" with shots but no license

[ACM SIGSOFT Software Engineering Notes, vol. 12, no. 3]

. . . . . . .

*王. 凡.* 

Some more bugs (6)

- CyberSitter censors "menu \*/ #define"
  - because of the string "nu...de"

[Internet Risks Forum NewsGroup (RISKS), vol. 19, issue 56]

 London's Docklands Light Railway – train stopped in the middle of nowhere due to future station location programmed in software

. . . . . . .

### Some more bugs (7)

#### CNN.com

- Russia: Software bug made Soyuz stray.
  - STAR CITY, Russia(AP) A computer software error likely sent a Russian spacecraft into a rare ballistic descent that subjected the three men on board to check-crushing gravity loads that made it hard to breathe, space experts said Tuesday.
- Korean Air crashed in Guam and killed 228 people.
  - A poorly programmed ground-based altitude warning system
- Faulty software in anti-lock brakes forced the recall of 39,000 trucks and tractors and 6,000 school buses in 2000.
- Mars Polar lander, \$165M, 1999.
  - Software shut the engines off 100 feet above the surface.
- US\$59.5 billions loss in economy, 0.6%GDP, April 27, 2003

 $oldsymbol{arPsi}$   $oldsymbol{\mathcal{I}}$   $oldsymbol{\mathcal{I}}$ 





 $oldsymbol{arXi} \mathcal{A}$ 

•

#### Bugs in complex software

- They take effects only with special event sequences.
  - the number of event sequences is factorial and super astronomical!
- It is impossible to check all traces with test/simulation.

41

•

### **Budget appropriation**



Training in Taiwan College

• • • • • •

 $oldsymbol{arPsi}$   $oldsymbol{\mathcal{I}}$   $oldsymbol{\mathcal{I}}$ 

Automated verification FV+simulation+testing

Competitiveness in Europe/America

- Taiwan's future Intel · Motorola · Ericssor
- Cadence Sypa

raiwan industry

3000 RMB for an engineer in China/India

...../mass production to the cus

· very little automated verification tools for largescale system development.

#### Three techniques in verification



- Testing (real wall for real cars)
  - Expensive
  - Low coverage
  - Late in development cycles
- Simulation(virtual wall for virtual cars
  - Economic
  - Low coverage
  - Don't know what you haven't seen.
- Formal Verification (virtual car checked)
  - Expensive
  - Functional completeness
    - ♦100% coverage
  - Automated!
    - With algorithms and proofs.

王凡

22

# Sum of the 3 angles = 180?



### Promise of Formal Verification (FV)?

# Use mathematics to prove the correctness of system designs!

#### Advantage:

- Functional completeness
  - Mechanical & exhaustive exploration of all cases
- · Automated verification
  - Cut down verification cost
  - Relieve us of mechanical verification tasks

. . . . . . .

 $oldsymbol{arPsi}$   $oldsymbol{\mathcal{I}}$   $oldsymbol{\mathcal{I}}$ 

Integration of the verification techniques

- Formal verification is still infeasible in practice.
- At the moment, we rely on the following.
  - sound descipline in system design
    - software engineering
  - simulation/testing for easy-to-find bugs
  - formal verification (automated or manuel) for early bugs or safety-critical systems.

. . . . . . .

Verification Infrastructure Model **Mathematical System** Checking **Models Descriptions** Equivalence C Checking Proof & SDL Certificate Verification TTCN 3 **Symbolic Engine** Simulation Verilog Testing (TTCN 3)

 $oldsymbol{arPsi}$   $oldsymbol{\mathcal{I}}$ 

•

# Major desciplines (1/2)

- mode-checking
  - AT&T · CMU · UC-Berkeley · Stanford · North Carolina · Cornell · Intel · Cadence-Berkeley
- theorem-proving
  - UT-Austin · SRI · MIT · MITRE · XEROX-PARC

49

•

# Major desciplines (2/2)

- process algebra
  - + Oxford \ Cambridge \ Edinburgh \ Uppsala
- formal methods
  - + Oxford \ IFAD \ IBM UK \ CRI \Formal Systems Ltd \ Praxis \ CWI \ VERILOG

50

 $oldsymbol{arPsi}$   $oldsymbol{\mathcal{I}}$   $oldsymbol{\mathcal{I}}$ 

•

# Major conferences

- CAV (Computer-Aided Verification)
- FME (Formal Method Europe)
- AMAST (Algebraic Methodo. & Sw Tec.)
- TACAS (Tools & Algorithms for CAS)
- ATVA
- SAS (Static Analysis Symposium)
- FORTE(Formal Description Technique)

51

26

•

#### Major conferences

- with related sessions

\* CONCUR \* FORTE \* SAS \* CADE

\* FTRTFT \* RTCSA

\* RICSA 52

 $oldsymbol{arPsi}$   $oldsymbol{\mathcal{I}}$ 

Theory spectrum

#### expressiveness vs verification complexity



•

#### Sources of verification complexity

- Number of system states astronomical
  - the values of all variables
  - the content of program counters
  - the messages in communication channels
- unbounded variable value ranges
- non-regular behaviors
  - inexpressible with finite-state automata.
  - stack, queue, polynomials, arithmetic, induction

 $oldsymbol{arPsi}$   $oldsymbol{\mathcal{I}}$   $oldsymbol{\mathcal{I}}$ 



The state of the art

- balance betweenspecification expressiveness and
  - verification complexity.
- non-regular systems → proof checking
  - sound proof plans by engineers
  - interaction between engineers and tools
- regular systems
  - huge time/space complexity
  - efficient algorithms

\_ . . . . . . . .

 $oldsymbol{arPsi} \mathcal{F} \mathcal{R}$ 

**Deciplines** · temporal logics automaton theory • process algebrae first-order logics Petri-Net formal methods · graphical languages: statechart, modechart formal semantics **Deciplines** temporal logics a branch of modal logics - transitions between possible worlds – two modal operators: □, ♦ directed : assert for all possible worlds graphs : assert for one possible world - the model of modal logics is Kripke structure In temporal logics, : from now on, true for all states 

 $oldsymbol{arPsi} \mathcal{A}$ 

: Deciplines - temporal logics

• linear-time model





. Deciplines

temporal logics

linear-time model &

PLTL (Propositional Linear Temporal Logic)

• eventually p will be true.



★Amir Pnueli, 1996 Turing Award Winner

• • • • • •

 $oldsymbol{arXi}$ 

. Deciplines

temporal logics

linear-time model & PLTL

• p and q will never be true the same time.

$$\square \neg (p \land q)$$
 : safety property



. Deciplines

- temporal logics

linear-time model and PLTL

• p is true until q is true (p until q)



 $oldsymbol{arPsi}$   $oldsymbol{\mathcal{I}}$ 

. Deciplines

- temporal logics
- satisfaction relation
  - a linear-time model satisfies a PLTL formula.
- · a formula defines a set of models.
- a formula is unsatisfiable if its set of models is empty.
- check the satisfiability of P ∧ ¬ S
  - P is the implementation
  - S is the specification
  - The satisfiability problem is PSPACE-complete.

. Deciplines

- temporal logics

branching-time

& CTL (Computation-tree Logic)

• for all computations, p is eventually true.

 $\forall \Diamond p$ 

Inevitibility



正規方法:正規描述與自動驗證

#### . Deciplines - temporal logics

#### branching-time

& CTL (Computation-tree Logic)

for all computations, p is event type.

- there is a path along which p is eventually true.

 $\exists \diamondsuit p$ 

∃¬p**U** p

Reachability

#### . Deciplines

- temporal logics
- satisfaction relation
  - a tree model satisfies a CTL formula.
- · a CTL formula defines a set of models.
- a CTL formula is unsatisfiable if its set of model is empty.
- check the satisfiability of P ∧ ¬ S
  - The satisfiability problem of CTL is deterministic EXPTIME-complete.

. . . . . . .

 $oldsymbol{arPsi}$   $oldsymbol{\mathcal{I}}$ 

. Deciplines

- model-checking

Given a model *M* and a temporal logic formula *P*, does *M* satisfy *P*?

- Usually *M* is a finite-state autoamta.
- When P is a CTL formula, the modelchecking problem is in PTIME.

. . . . . . .

Deciplines

- model-checking

- state-space analysis & exploration
  - state-space represented as a finite Kripke structure
  - nodes: system states, possible worlds,
  - arcs: state transitions
- regular behaviors
- huge state-spaces



. . . . . . .

 $oldsymbol{arXi} oldsymbol{\mathcal{I}}$ 



• • • • • •

#### . Deciplines

- model-checking

Timed automata - regular behaviors update the missile direction every 50ms until the target is hit.



 $\mathcal{Z}\mathcal{N}$ 

#### . Deciplines

#### - model-checking

Timed automata - regular behaviors update the missile direction every 50ms until the target is hit in 500ms.



#### . Deciplines

- model-checking

#### TCTL (Timed CTL)

 $\forall \Box (monitor \rightarrow \forall \diamondsuit_{<500} stop)$ 

 $\forall \Box (monitor \rightarrow x. \forall \diamondsuit (x < 500 \land stop))$ 

 $\forall \Box x. (monitor \rightarrow \forall \diamondsuit (x < 500 \land stop))$ 

. . . . . . . .

 $oldsymbol{arPsi}$   $oldsymbol{\mathcal{I}}$ 

Deciplines
- model-checking

Hybrid automata  $\begin{array}{c} \text{Volume: V} \\ \text{temperature: T} \\ \text{safe} \\ \text{dV/dt=0/s} \\ \text{volume: V} \\ \text{temperature: T} \\ \text{volume: V} \\ \text{volume: V} \\ \text{volume: V} \\ \text{temperature: T} \\ \text{volume: V} \\ \text{volume: V} \\ \text{volume: V} \\ \text{volume: V} \\ \text{temperature: T} \\ \text{volume: V} \\$ 

#### . Deciplines

- process algebrae
- CSP, Communicating Sequential Processes
  - C.A.R. Hoare, Turing Award winner
  - Communicating Sequential Processes, Prentice-Hall, 1985
- CCS, Calculus of Communicating Systems
  - Robin Milner, Turing Award winner
  - Communication and Cuncurrency, Prentice-Hall, 1989
  - strong equivalence, observational equivalence,
     observational congruence

 $\pm$   $extcolor{1}{R}$ 

# process algebrae

#### vending machine

$$VM = (in5p \rightarrow choc \rightarrow VM \mid in2p \rightarrow toffee \rightarrow VM)$$
  
- action set:  $\alpha VM = \{in5p, choc, in2p, toffee\}$ 

- · models: traces
  - in5p choc in5p
  - in5p choc in2p toffee in2p toffee
- · process: the behavior pattern of an object
  - in syntax, a set of rules
  - in semantics, a set of traces

#### . Deciplines

# process algebrae

### operation on traces

- prefix :  $x \rightarrow P$  (x then P)
  - a guarded command
- recursion :  $P = (x \rightarrow P)$

or 
$$P = \mu X$$
.  $(x \rightarrow X)$  (least fixed-point)

• choice :  $P = (P_1 | P_2)$ 

76

 $oldsymbol{arPsi}$   $oldsymbol{\mathcal{I}}$ 

# - process algebrae

# operations on traces

• catenation:

⟨coin,choc⟩ ^ ⟨coin,toffee⟩ = ⟨coin,choc,coin,toffee⟩

restriction:

 $\langle coin, choc, coin, toffee \rangle \uparrow \{coin\} = \langle coin, coin \rangle$ 

head & tail

 $\begin{tabular}{ll} $\langle coin, choc, coin, toffee \end{tabular} $\rangle_0 = coin \\ $\langle coin, choc, coin, toffee \end{tabular} $\rangle_0 = \langle choc, coin, toffee \end{tabular}$ 

ordering

 $s \Leftrightarrow t = (\bar{\exists} u.s \wedge u = t)$ 

• **length:** # (coin,choc,coin,toffee) =4

# **Deciplines**

- process algebra
- $(coin \rightarrow STOP_{\alpha VMS})$



•  $VMCT = (coin \rightarrow (choc \rightarrow VMCT \mid toffee \rightarrow VMCT))$ 



 $oldsymbol{\mathcal{I}}$   $oldsymbol{\mathcal{I}}$ 

# - process algebra

#### Infinite behaviors

 $VMCT = (coin \rightarrow (choc \rightarrow VMCT / toffee \rightarrow VMCT))$ 



19

# **Deciplines**

process algebrae

Operations on processes concurrency: **P**||**Q** 

 InαP∩αQ, all actions must be synchronized.

•  $(c \rightarrow P)//(c \rightarrow Q) = (c \rightarrow (P//Q))$ 

•  $(c \rightarrow P) / (d \rightarrow Q) = STOP$  ; if  $c \neq d$  deadlock

80

 $oldsymbol{arXi}$   $oldsymbol{\mathcal{I}}$   $oldsymbol{\mathcal{I}}$ 

# process algebrae

#### Operations on processes

 nondeternimism: P □ Q (P, Q same priority)

P [] Q (P first)

81

- communications: (c!v→ P) || (c?v→ Q)
- concatenation: P;Q
- · hiding: P/C
  - all actions in P from C are hidden.
  - C: a set of actions . . . . . . . . .

#### . Deciplines

### process algebrae

#### specifications

- tr: a place-holder for any trace
- · specification: a requirement for process

#### Example:

- At any time, the count of coins to the VM is greater than the count of chocolate pieces sold.
  - NOLOSS =  $(\#(tr \uparrow \{choc\}) \circ \#(tr \uparrow \{coin\}))$
- Before a piece of chocolate is out, no coin will be input.

 $FAIR = ((tr \downarrow coin) \circ (tr \downarrow choc) + 1)$  $\downarrow : selection$ 

• • • • •

 $oldsymbol{arEpsilon}\mathcal{A}$ 

# - process algebra satisfaction

- P sat S
  - P, a process; S, a trace specification
- Verification techniques
  - Proof-checking
    - · laws of processes and traces
  - Model-checking
    - · exploration in a finite space

. . . . . . .

#### . Deciplines

- theorem-proving
- atoms, functions, predicates, ∨, ∧, ¬, ∃, ∀
   ∀x (Man(x)→Mortal(x))

Every man will die.

- Satisfiability problem: undecidable!
  - Resolution Principle J.A. Robinson
  - proof-checking : mechanical theorem proving
  - computer support, human guidance

. . . . . . .

 $oldsymbol{arPsi}$   $oldsymbol{\mathcal{I}}$ 

# - theorem-proving

Two decidable subclasses of 1st-order arithmetic

Presburger Arithmetic, N, +, -, ∨, ∧,¬,∃,∀

$$\exists \ z \forall \ y \ (z {<} y \lor \exists x (x {+} z {<} y))$$

- elementary decision procedure
- 1st-order logic with p(x) and ≤

$$\forall y(p(y) \to \exists x (y \le x \land q(x)))$$

- nonelementary decision procedure

monadic predicate

85

#### . Deciplines

### theorem-proving

NqThm, Boyer & Moore

- A Computational Logic Handbook Academic Press, 1988
- · quantifier-free, first-order, similar to pure-Lisp
- a very famous theorem-proving environment

example: (pp. 190-197 of the book)

"a list = the reverse of the reverse of the list"

- wrong: (PROVE-LEMMA REVERSE-REVERSE (REWRITE) (EQUAL (REVERSE (REVERSE X)) X))
- correct: (PROVE-LEMMA REVERSE-REVERSE (REWRITE)
  (IMPLIES (PROPERP X)
  (EQUAL (REVERSE (REVERSE X)) X)))

86

 $oldsymbol{oldsymbol{arEquation}} \mathcal{A}$ 



- Petri-Nets

equivalent to Karp & Miller's vector

addition systems

 cannot detect the non-existence of events

marking (state):
 places → N

(2,1,0)



 $oldsymbol{arEpsilon}\mathcal{A}$ 

. Deciplines - Petri-Nets

computation (state sequence)

marking sequence

 connected with enabled transitions

- interleaving semantics



 $(2,1,0) \xrightarrow{\mathbf{b}} (1,0,1) \xrightarrow{\mathbf{a}} (2,1,0) \xrightarrow{\mathbf{b}} (1,0,1) \xrightarrow{\mathbf{a}} \dots$ 

Deciplines

Petri-Nets

Verification problems

- · infinite markings from an initial marking
- Reachability problem:

  Is there a computation from marking M1 to marking M2?

decidable but non-elementary complexity now.

- · Coverability problem
- Boundedness problem



王凡

# **Deciplines Formal Methods** originated from the industry • first, VDM (Vienna Development Method) Z notation RAISE (Rigorous Approach to Industrial Software Engineering) Estelle, from the ESPRIT SEDOS project - semantics defined with Petri-net ISO OSI for computer network architecture standard. • SDL: Specification & Description Language CCITT Z1.00, for protocol specification **Deciplines** Formal Methods VDM IBM research, Vienna, 1960s C.B.Jones & D.Bj∉rner made rigorous definitions in 1970-1982. widely accepted by the industry - with practical effect. - comparing with other academic work Many software tools - experimental or commercial

 $oldsymbol{arXi} oldsymbol{\mathcal{I}}$ 

stepwise refinement

# - Formal Methods VDM proof

# stepwise refinement, 3 components

- · direct definition
- · implicit specification
  - model-oriented specification
    - set-theoretical notation
       predicates, sets, relations, functions, sequences
- proof obligation
   direct definition→implicit specification

. . . . . .

#### . Deciplines

# - Formal Methods VDM proof

stepwise refinement, 3 components

· direct definition

```
sumn: N \rightarrow N

sumn(n) if n=0 then 0 else n + sumn(n-1)
```

· implicit specification

```
sumn(n:N) r:N
post r=n*(n+1)/2
```

proof obligation

```
n \in N sumn(n) \in N \land post\text{-}sumn(n,sumn(n))
```

. . . . . . .

 $oldsymbol{arPsi}$   $oldsymbol{\mathcal{I}}$   $oldsymbol{\mathcal{I}}$   $oldsymbol{\mathcal{I}}$   $oldsymbol{\mathcal{I}}$   $oldsymbol{\mathcal{I}}$   $oldsymbol{\mathcal{I}}$   $oldsymbol{\mathcal{I}}$   $oldsymbol{\mathcal{I}}$ 

# - Formal Methods VDM proof

stepwise refinement, 3 components

#### two rules

• rule 1 : 
$$sumn(0)=0$$

• rule 2 :  $n \in \mathbb{N}$ ;  $n \neq 0$ ; sumn(n-1)=ksumn(n)=n+k

. . . . . . .

#### . Deciplines

# Formal Methods VDM proof (1/2)

stepwise refinement, 3 components

#### From $n \in N$

| $1. \ sumn(0) = 0$                                                            | Rule 1           |
|-------------------------------------------------------------------------------|------------------|
| $2. sumn(0) \in N$                                                            | 1, <i>N</i>      |
| 3. <i>0</i> =0*(0+1)/2                                                        | N                |
| 4. $sumn(0) = 0*(0+1)/2$                                                      | =- $subs(3,1)$   |
| 5. post-sumn(0, sumn(0))                                                      | post-sumn,4      |
| 6. $sumn(0) \in N \land post\text{-}sumn(0, sumn(0))$                         | $\wedge -I(2,5)$ |
| 7. from $n \in \mathbb{N}$ , sum $n(n) \in \mathbb{N}$ , post-sum $n(n, sum)$ | n(n)             |

. . . . . . .

48

 $\mathcal{Z}$   $\mathcal{R}$ 

# - Formal Methods VDM proof (2/2)

#### stepwise refinement, 3 components

| 7.1 $n+1\neq 0$                                               |                                              | h7, <b>N</b>            |
|---------------------------------------------------------------|----------------------------------------------|-------------------------|
| 7.2 <i>n</i> +1 ∈ .                                           | N                                            | h7, <b>N</b>            |
| 7.3 <i>sumn</i> ( <i>n</i>                                    | n) = n*(n+1)/2                               | post-sumn, ih7          |
| 7.4 <i>sumn</i> ( <i>n</i>                                    | (n+1) = n+1+n*(n+1)/2                        | Rule 2(7.2,7.1,7.3)     |
| 7.5 <i>sumn</i> ( <i>n</i>                                    | $(+1) \in N$                                 | 7.4, N                  |
| 7.6 <i>sumn</i> ( <i>n</i>                                    | (n+1) = (n+1)*(n+2)/2                        | 7.4, <i>N</i>           |
| 7.7 post-su                                                   | mn(n+1)=(n+1)*(n+2)/2                        | post-sumn, 7.6          |
| infer $sumn(n+1) \in N \land post\text{-}sumn(n+1,sumn(n+1))$ |                                              |                         |
|                                                               |                                              | $\wedge$ - $I(7.5,7.7)$ |
| infer sumn(n                                                  | $n \in N \land post\text{-}sumn(n, sumn(n))$ | N-ind(6,7)              |

#### . Deciplines

graphical languages

#### statechart

- David Harel, 1986
  - science of computer programming
- developed from automaton theory
- · concurrent computations,
- · discrete events
- · nested modules

98

 $oldsymbol{arXi}$   $oldsymbol{\mathcal{I}}$   $oldsymbol{\mathcal{I}}$ 

# Deciplines - graphical languages: statechart

Parallel modes for orthogonality





 $oldsymbol{arXi}$   $oldsymbol{\mathcal{I}}$   $oldsymbol{\mathcal{I}}$ 

- graphical languages: modechart
- F. Jahanian, A.K. Mok, 1986
  - IEEE Transactions on SE
- extended from statechart with timing structures
- semantics defined with RTL
  - RTL (real-time logic) is also proposed by Jahanian & Mok (IEEE TC)

. . . . . .

101

Deciplines

- graphical languages: modechart





---

 $oldsymbol{\pm}\mathcal{R}$ 

| Deciplines                                                                                                                     |
|--------------------------------------------------------------------------------------------------------------------------------|
| - language semantics                                                                                                           |
| • operational semantics  – with an abstract machine, like Java machine                                                         |
| <ul> <li>denotational semantics</li> <li>– treat program as functions, types, λ-calculus</li> </ul>                            |
| <ul> <li>axiomatic semantics</li> </ul>                                                                                        |
| <ul> <li>relation between the pre-condition &amp; post-conditions of programs</li> <li>heavily used in verification</li> </ul> |
|                                                                                                                                |
|                                                                                                                                |
|                                                                                                                                |
| ·                                                                                                                              |
| Deciplines                                                                                                                     |
| - language semantics                                                                                                           |
| Axiomatic Semantics                                                                                                            |
| • sequential programs                                                                                                          |
| <ul> <li>E.W.Dijkstra, Turing Award</li> </ul>                                                                                 |
| A Discipline of Programming, Prentice-Hall, 1976                                                                               |
| <ul> <li>distributed programs</li> </ul>                                                                                       |

 $\mathcal{Z}\mathcal{R}$  52

- Chandy、Misra的UNITY

Addison-Wesley, 1988

Parallel Program Design - A Foundation

### language semantics

#### **Axiomatic Semantics**

guarded-command language

$$x,y:=x+y,0 \text{ if } y>0$$

- Fairness assumption, interleaving semantics
- program composition
- **precondition postcondition**  $\{y>0\}$  x,y:=x+y,0 if y>0  $\{y=0\}$

- 許多laws
- safety properties liveness properties

. . . . . . .

105

#### . Deciplines

#### language semantics

#### **Axiomatic Semantics**

**Example :** Given N, M, compute x,y such that

• 
$$x \times N + y = M$$

• 
$$0 \Leftrightarrow y < N$$

Program division

**declare** 
$$x,y,z,k$$
: integer initially  $x,y,z,k=0$ ,  $M$ ,  $N$ , 1 assign  $z,k:=2z$ ,  $z$ ,  $z$  if  $z$  i

end {division}

 $oldsymbol{arPsi}$   $oldsymbol{\mathcal{I}}$   $oldsymbol{\mathcal{I}}$ 

正規方法:正規描述與自動驗證

: Deciplines

- language semantics

#### **Axiomatic Semantics**

Properties: Given a program F

- p unless q iff for all s in  $\mathbb{F}$ ,  $\{p \land \neg q\}s\{p \lor q\}$
- **stable** *p* iff *p* unless false
- **invariant** p iff **stable**  $p \land (initial condition \rightarrow p)$
- p ensures q iff (p unless  $q) \land \exists s$  in  $\mathbf{F}$ ,  $\{p \land \neg q\}s\{q\}$

• • • • • •

: Deciplines

language semantics

#### **Axiomatic Semantics**

**Properties:** Given a program  $\mathbf{F}$ ,  $p \rightarrow q$  iff

$$\begin{array}{ccc} p \ ensures \ q & & p \rightarrow q, & q \rightarrow r \\ \hline p \rightarrow q & & p \rightarrow r \end{array}$$

$$\frac{\forall w \text{ in } W(p(w) \rightarrow q)}{(\exists w \text{ in } W(p(w))) \rightarrow q}$$

. . . . . . .

 $oldsymbol{arXi} oldsymbol{\mathcal{I}}$ 

正規方法:正規描述與自動驗證

#### . Deciplines

language semantics

#### **Axiomatic Semantics**

#### **Some theorems:**

$$\begin{array}{ccc} p \text{ unless } q, \text{ q unless } r & p \text{ unless } q \\ \hline p \lor q \text{ unless } r & p \lor r \text{ unless } q \lor r \end{array}$$

$$\frac{p \to q, r \text{ unless } b}{p \wedge r \quad (q \wedge r) \vee b}$$

. . . . . . .

109

# Practical achievements (1/6)

first-order logic & theorem-proving

- NqThm by Boyer & Moore
- 1985, the verification of a 4-bit CPU, FM 8501, to the bit level
- verification of a high-level language compiler
- A Computational Logic Handbook, Academic Press, 1988

• • • • • •

 $oldsymbol{arPsi}$   $oldsymbol{\mathcal{I}}$   $oldsymbol{\mathcal{I}}$ 

•

# Practical achievements (2/6)

#### **Formal Methods**

- occam
- IMS T800 transputer
- estimated reduction in the development time by 12 months.
- 1990 Queen's award!!!
  - (49 recepients)

11

•

# Practical achievements (3/6)

#### **Formal Methods**

- Z notations for the formal specifications
- IMS CICS
- estimated reduction of development cost by 5 millions
- 1992 Queen's award

112

 $oldsymbol{arXi}_{\mathcal{L}}$ 

•

# Practical achievements (4/6)

#### model-checking

- · Burch, Clarke, McMillan, Dill, Hwang
- · BDD symbolic manipulation
- · CMU SMV, fully automatic
- Intel 32-bit ALU / 8 registers / two-layer pipeline
- state counts up to 10<sup>120</sup>
- 4 hr 20min in SUN 4

113

•

# Practical achievements (5/6)

- Symbolic Trajectory Evaluation
- · Hazelburst, Seger
- 64-bit multiplier
- simple or Wallace tree
- · combinational circuits
- 800 sec. in Sparc 10/51

114

 $oldsymbol{arEpsilon}\mathcal{A}$ 

:

# Practical achievements (6/6)

First-order logic and linear hybrid automata

- Bosscher, Polak, Vaandrager
- proof-checking
- · Phillip audio control network, physical layer
- · voltage variations, clock rate stability
- assuming no collison, signal delay
- proving that 1/17 frequency variation is acceptable.
  - The tolerance of Phillip is 5%.
- automatically checked with Henzinger's HyTech

115

•

# Workout 1: proof of a simple program

Initially x = 0;

· consumer:

for (; 1; ) if (x > 0) x--;

· Producer:

for (; 1; ) if (x< 1) x++;

- · Atomicity assumption
- Please prove that x is always no greater than
   1.

. . . . . . .

 $oldsymbol{arPsi} \mathcal{F} \mathcal{R}$ 

•

# Another workout: Petrification

- 1. please model the two programs in the last page as Petri-nets.
- 2. Please explain the following terms.
  - 1. Safety property
  - 2. Liveness property
  - 3. Fairness assumption
  - 4. Interleaving semantics

117