
Showing papers presented at "Formal Methods in 1993"


Book ChapterDOI
19 Apr 1993
TL;DR: In this paper, the authors present automatic techniques for partition analysis in state-based specifications, specifically VDM, which can be used to generate test cases, for sequencing the tests, or as an oracle in verifying the tests.
Abstract: Formal specifications contain a great deal of information that can be exploited in the testing of an implementation, either for the generation of test cases, for sequencing the tests, or as an oracle in verifying the tests. This paper presents automatic techniques for partition analysis in state-based specifications, specifically VDM. Test domains for individual operations are calculated by reduction of their mathematical description to a Disjunctive Normal Form. Following this, a partition analysis of the system state can be performed which permits the construction of a Finite State Automaton from the specification. This, in turn, can be used to sequence the required tests in a valid and sensible way. A tool has been developed based on the techniques applied to VDM, which has been used to develop the examples presented in the paper.

463 citations


Book ChapterDOI
01 Jan 1993
TL;DR: This paper studies precise and efficient chaotic iteration strategies for computing fixed points of continuous functions over complete lattices of program properties when lattices are of infinite height and speedup techniques have to be used.
Abstract: Abstract interpretation is a formal method that enables the static and automatic determination of run-time properties of programs. This method uses a characterization of program invariants as least and greatest fixed points of continuous functions over complete lattices of program properties. In this paper, we study precise and efficient chaotic iteration strategies for computing such fixed points when lattices are of infinite height and speedup techniques, known as widening and narrowing, have to be used. These strategies are based on a weak topological ordering of the dependency graph of the system of semantic equations associated with the program and minimize the loss in precision due to the use of widening operators. We discuss complexity and implementation issues and give precise upper bounds on the complexity of the intraprocedural and interprocedural abstract interpretation of higher-order programs based on the structure of their control flow graph.

288 citations
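Chaotic iteration with widening and narrowing, as an added illustration of the technique this abstract discusses (not the paper's algorithm, tool or examples): a system of interval equations for a constructed counting loop is solved in a fixed sweep order that plays the role of the weak topological ordering, with the loop head as the only widening point; the ascending phase shows the precision lost to widening and the descending phase shows narrowing recovering the exact exit value. The loop, the program-point names and the sweep limit are all assumptions of the example.

```python
"""Chaotic iteration with widening and narrowing over intervals.

Added illustration, not the paper's algorithm or tool.  A system of
semantic equations is solved in a fixed iteration order that plays the
role of the weak topological ordering; the loop head is the component head
and therefore the only widening/narrowing point.  The sample program is
the constructed loop  i := 0; while i < 100 do i := i + 1.
"""
import math
from typing import Callable, Dict, Iterable, Optional, Tuple

Interval = Optional[Tuple[float, float]]     # None is bottom (unreachable)
Env = Dict[str, Interval]

def join(a: Interval, b: Interval) -> Interval:
    if a is None or b is None:
        return a if b is None else b
    return (min(a[0], b[0]), max(a[1], b[1]))

def meet(a: Interval, b: Interval) -> Interval:
    if a is None or b is None:
        return None
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None

def add_const(a: Interval, k: int) -> Interval:
    return None if a is None else (a[0] + k, a[1] + k)

def widen(old: Interval, new: Interval) -> Interval:
    """A bound that moved outward jumps straight to infinity."""
    if old is None or new is None:
        return new if old is None else old
    return (old[0] if new[0] >= old[0] else -math.inf,
            old[1] if new[1] <= old[1] else math.inf)

def narrow(old: Interval, new: Interval) -> Interval:
    """Only infinite bounds may be tightened, so narrowing always terminates."""
    if old is None or new is None:
        return None
    return (new[0] if old[0] == -math.inf else old[0],
            new[1] if old[1] == math.inf else old[1])

def solve(eqs: Dict[str, Callable[[Env], Interval]], order: Iterable[str],
          heads: Iterable[str], limit: int = 50) -> Tuple[Env, Env, int]:
    """Ascending phase with widening at heads, then descending phase with
    narrowing.  Returns (post-widening env, final env, total sweeps)."""
    order, heads = list(order), set(heads)
    env: Env = {v: None for v in eqs}
    sweeps = 0

    def sweep(combine) -> bool:
        nonlocal sweeps
        sweeps += 1
        changed = False
        for v in order:                 # chaotic: each equation sees the latest values
            new = eqs[v](env)
            if v in heads:
                new = combine(env[v], new)
            if new != env[v]:
                env[v], changed = new, True
        return changed

    while sweep(widen) and sweeps < limit:
        pass
    ascending = dict(env)
    while sweep(narrow) and sweeps < limit:
        pass
    return ascending, env, sweeps

# Semantic equations of the constructed loop (one per program point):
#   head: i = 0 on entry, joined with the value flowing back from next
#   body: head filtered by the guard i < 100    exit: head filtered by i >= 100
#   next: body + 1
LOOP = {
    "head": lambda e: join((0, 0), e["next"]),
    "body": lambda e: meet(e["head"], (-math.inf, 99)),
    "next": lambda e: add_const(e["body"], 1),
    "exit": lambda e: meet(e["head"], (100, math.inf)),
}
ORDER = ["head", "body", "next", "exit"]       # WTO: head (body next) exit

def analyse_loop():
    return solve(LOOP, ORDER, heads={"head"})

if __name__ == "__main__":
    widened, final, n = analyse_loop()
    print("after widening: ", widened)
    print("after narrowing:", final, "in", n, "sweeps")
```

After the ascending phase the head is [0, +inf) and the exit [100, +inf); one narrowing sweep tightens them to [0, 100] and [100, 100]. Widening only at the component head, rather than at every point, is what keeps the body and increment points exact throughout.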


Book ChapterDOI
29 Mar 1993
TL;DR: It is proved that the invariant measure of a hyperbolic iterated function system with probabilities can be obtained as the unique fixed point of an associated continuous function on PUX.
Abstract: We introduce domain theory in the computation of dynamical systems, iterated function systems (fractals) and measures. For a discrete dynamical system (X, f), given by the action of a continuous map f: X → X on a metric space X, we study the extended dynamical systems (VX, Vf) and (UX, Uf) where V is the Vietoris functor and U is the upper space functor. In fact, from the point of view of computing the attractors of (X, f), it is natural to study the other two systems: A compact attractor of (X, f) is a fixed point of (VX, Vf) and a fixed point of (UX, Uf). We show that if (X, f) is chaotic, then so is (UX, Uf). When X is locally compact UX is a continuous bounded complete dcpo. If X is second countable as well, then UX will be ω-continuous and can be given an effective structure. We show how strange attractors, attractors of iterated function systems (fractals) and Julia sets are obtained effectively as fixed points of deterministic functions on UX or fixed points of non-deterministic functions on CUX where C is the convex (Plotkin) power domain. We also establish an interesting link between measure theory and domain theory. We show that the set, M(X), of Borel measures on X can be embedded in PUX, where P is the probabilistic power domain. This provides an effective way of obtaining measures on X. We then prove that the invariant measure of a hyperbolic iterated function system with probabilities can be obtained as the unique fixed point of an associated continuous function on PUX.

135 citations


Book ChapterDOI
19 Apr 1993
TL;DR: The methods being used are summarized, the styles of industrial usage are characterized, and recommendations for evolutionary enhancements to the technology base of formal methods are provided.
Abstract: Based on a systematic survey and analysis of the use of formal methods in the development of a dozen industrial applications, we summarize the methods being used, characterize the styles of industrial usage, and provide recommendations for evolutionary enhancements to the technology base of formal methods. The industrial applications ranged from reverse engineering to system certification; code scale ranged from 1 KLOC to 10 KLOC. Applications included a software infrastructure for oscilloscopes; a shutdown system for a nuclear generating station; a train protection system; an airline collision avoidance system; an engine monitoring system for shipboard engines; attitude control of satellites; security properties of both a smartcard device and a network; arithmetic units; transaction processing; a real-time database for a medical instrument; and a restructuring program for COBOL.

62 citations


Book ChapterDOI
19 Apr 1993
TL;DR: Safety-critical systems are an application area where formal methods can be usefully applied to the benefit of all; the paper discusses some of the issues concerning the general acceptance of formal methods.
Abstract: Formal methods may be at the crossroads of acceptance by a wider industrial community. In order for the techniques to become widely used, the gap between theorists and practitioners must be bridged effectively. In particular, safety-critical systems offer an application area where formal methods may be engaged usefully to the benefit of all. This paper discusses some of the issues concerned with the general acceptance of formal methods and concludes with a summary of the current position and how the formal methods community could proceed to improve matters in the future.

61 citations


Book ChapterDOI
19 Apr 1993
TL;DR: The rationale for integrating a structured systems analysis method (SSADM version 4) and a formal notation (Z) is investigated and the integrated specification is described.
Abstract: This paper investigates the rationale for integrating a structured systems analysis method (SSADM version 4) and a formal notation (Z). It describes the integrated specification, and discusses the advantages and disadvantages of formal specification and development for information systems.

42 citations


Book ChapterDOI
19 Apr 1993
TL;DR: The paper contains a detailed example of the validation of a communication protocol using ARA, which uses a novel CSP-like but catastrophe-free behavioural equivalence notion called “CFFD-equivalence”.
Abstract: “ARA” is a verification tool which applies several recent verification techniques that improve speed. ARA accepts as input systems described in Basic Lotos. With ARA, a system can be verified by showing that it is behaviourally equivalent with its specification. For comparing behaviours, ARA uses a novel CSP-like but catastrophe-free behavioural equivalence notion called “CFFD-equivalence”. ARA can also reduce the behaviour of the system into a small “normal” form, and show the result graphically. ARA applies two techniques to cope with the state explosion problem: compositional LTS construction and the stubborn set method. The paper contains a detailed example of the validation of a communication protocol using ARA. The paper concentrates on the intuition behind the various novel ideas of ARA; formal details are mostly omitted.

35 citations


Book ChapterDOI
Anthony Boswell
19 Apr 1993
TL;DR: The development of a formal security policy model for the NATO Air Command and Control System (ACCS), a large, distributed, multi-level-secure system, is described.
Abstract: This paper describes the development of a formal security policy model, in Z, for the NATO Air Command and Control System (ACCS): a large, distributed, multi-level-secure system. The model was subject to manual validation, and some of the issues and lessons in both writing and validating the model are discussed.

32 citations


Journal ArticleDOI
01 Dec 1993
TL;DR: In this paper, the authors show how machine-checked verification can support an approach to circuit design based on transformations, which starts with a conceptually simple (but inefficient) initial design and uses a combination of ad hoc and algorithmic transformations to produce a design that is more efficient (but more complex).
Abstract: We show how machine-checked verification can support an approach to circuit design based on transformations. This approach starts with a conceptually simple (but inefficient) initial design and uses a combination of ad hoc and algorithmic transformations to produce a design that is more efficient (but more complex).

30 citations


Journal ArticleDOI
01 Nov 1993
TL;DR: The overall emphasis is on the introductory explanation of the features of real space process algebra, and characteristic examples are given for each of these.
Abstract: The real time process algebra of Baeten and Bergstra [Formal Aspects of Computing, 3, 142–188 (1991)] is extended to real space by requiring the presence of spatial coordinates for each atomic action, in addition to the required temporal attribute. It is found that asynchronous communication cannot easily be avoided. Based on the state operators of Baeten and Bergstra [Information and Computation, 78, 205–245 (1988)] and following Bergstra et al. [Proc. Seminar on Concurrency, LNCS 197, Springer, 1985, pp. 76–95], asynchronous communication mechanisms are introduced as an additional feature of real space process algebra. The overall emphasis is on the introductory explanation of the features of real space process algebra, and characteristic examples are given for each of these.

30 citations


Book ChapterDOI
19 Apr 1993
TL;DR: The current paper discusses the problems of interference and shows how a suitable logic can be used to reason — during design — about those systems where interference plays an essential role.
Abstract: The property of a (formal) development method which gives the development process the potential for productivity is compositionality. Compositional development methods for concurrent systems are elusive because of interference. A companion paper shows how object-based concepts can be used to provide a designer with control over interference and proposes a transformational style of development in which concurrency is introduced only in the final stages of design. That approach relies on restrictions to the object graphs which can arise and works for systems which involve limited interference. The current paper discusses the problems of interference and shows how a suitable logic can be used to reason, during design, about those systems where interference plays an essential role. Here again, concepts are used in the design notation which are taken from object-oriented languages since they offer control of granularity and ways of pinpointing interference. A further paper is in preparation which discusses the semantics of the object-based design notation.

Book ChapterDOI
28 Jun 1993
TL;DR: A new non-relational semantic analysis of program integer variables, interval congruence analysis, is designed in Cousot's abstract interpretation framework; its model generalizes integer intervals and integer cosets by the definition of coset congruences.
Abstract: This paper describes a new non-relational semantic analysis of program integer variables. Interval congruence analysis is designed using Cousot's abstract interpretation framework. Its model generalizes integer intervals and integer cosets by the definition of coset congruences. The use of a widening operator defined on rational approximations of the integer model ensures fast convergence of the iteration process, whereas the diversity of patterns of the modeled integer sets increases the accuracy of the analysis.

Book ChapterDOI
19 Apr 1993
TL;DR: This paper examines the symbolic model checking problem for distributed real-time systems where time is represented by the real numbers and multiple clocks are allowed and proposes MTCTL, an extension of TCTL by the introduction of multiple local clocks, for specifying system behavior to be verified.
Abstract: In this paper, we examine the symbolic model checking problem for distributed real-time systems where time is represented by the real numbers and multiple clocks are allowed. A symbolic model checking algorithm is proposed. This algorithm handles timing constraints that are written in inequalities whose two sides refer to readings of the same local clock. The timing inequalities are used as triggers for transitions in Multiclock Continuously Timed Automaton (MCTA), a variation of the Timed Safety Automaton [11] which we propose as the specification language for distributed real-time systems. We also propose MTCTL, an extension of TCTL by the introduction of multiple local clocks, for specifying system behavior to be verified.

Journal ArticleDOI
01 Aug 1993
TL;DR: In this article, the authors review the main ideas of the Timed Transition Systems theory of Henzinger, Manna and Pnueli, describe how it has been formally embedded in HOL, and embed a graphical notation of timed transition diagrams and a real-time temporal logic for requirements on top of it.
Abstract: The theory of Timed Transition Systems developed by Henzinger, Manna, and Pnueli provides a formal framework for specifying and reasoning about real-time systems. In this paper, we report on some preliminary investigations into the mechanization of this theory using the HOL theorem prover. We review the main ideas of the theory and describe how it has been formally embedded in HOL. A graphical notation of timed transition diagrams and a real-time temporal logic for requirements have also been embedded in HOL using the embedding of timed transition systems. The proof rules proposed by Henzinger et al have been verified formally and we illustrate their use, as well as some problems we have encountered, by reference to a small example. More work is required on interfaces and proof methods to have a generally usable system.

Proceedings Article
01 Jan 1993
TL;DR: In this paper, the authors attempt to provide an understanding of the interesting differences between two well-known specification languages.
Abstract: This paper attempts to provide an understanding of the interesting differences between two well-known specification languages.

Book ChapterDOI
19 Apr 1993
TL;DR: This paper addresses some of the questions involved in attempting to introduce formal methods into industry on a broader basis and the importance of teaching programmers how to use formal methods.
Abstract: This paper addresses some of the questions involved in attempting to introduce formal methods into industry on a broader basis. Marketing aspects and the importance of teaching programmers how to use formal methods are stressed.

Book ChapterDOI
28 Jun 1993
TL;DR: This paper presents a two-phase approach to reverse engineering, the results of which can be used to guide the re-implementation of an object-oriented version of the system.
Abstract: Reverse engineering of program code is the process of constructing a higher level abstraction of an implementation in order to facilitate the understanding of a system that may be in a “legacy” or “geriatric” state. Changing architectures and improvements in programming methods, including formal methods in software development and object-oriented programming, have prompted a need to reverse engineer and re-engineer program code. This paper presents a two-phase approach to reverse engineering, the results of which can be used to guide the re-implementation of an object-oriented version of the system. The first phase abstracts formal specifications from program code, while the second phase constructs candidate objects from the formal specifications obtained from the first phase.

Journal ArticleDOI
01 Aug 1993
TL;DR: By embedding a command notation with predicate transformer semantics in the logic of the HOL system, the authors express and prove rules for data refinement and superposition refinement of initialized loops, so that HOL can provide a complete mechanized environment for proving program refinements.
Abstract: We describe how the HOL theorem prover can be used to check and apply rules of program refinement. The rules are formulated in the refinement calculus, which is a theory of correctness preserving program transformations. We embed a general command notation with a predicate transformer semantics in the logic of the HOL system. Using this embedding, we express and prove rules for data refinement and superposition refinement of initialized loops. Applications of these proof rules to actual program refinements are checked using the HOL system, with the HOL system generating these conditions. We also indicate how the HOL system is used to prove the verification conditions. Thus, the HOL system can provide a complete mechanized environment for proving program refinements.

Book ChapterDOI
19 Apr 1993
TL;DR: This article describes the experience with the use of the formal specification languages VDM and VDM++, in the evolutionary development of a real-time distributed system for the tracing and tracking of load-units in combined road-rail traffic.
Abstract: This article describes our experience with the use of the formal specification languages VDM and VDM++, in the evolutionary development of a real-time distributed system for the tracing and tracking of load-units in combined road-rail traffic.

Book ChapterDOI
28 Jun 1993
TL;DR: An extended abstract algebra of relations is devised for tackling the classic issue of lack of expressiveness of abstract relational algebras first stated by Tarski and later formally treated by Maddux, Nemeti, etc.
Abstract: The work presented here has its focus on the formal construction of programs out of non-constructive specifications involving quantifiers. This is accomplished by means of an extended abstract algebra of relations whose expressive power is shown to encompass that of first-order logic. Our extension was devised for tackling the classic issue of lack of expressiveness of abstract relational algebras first stated by Tarski and later formally treated by Maddux, Nemeti, etc. First we compare our extension with classic approaches to expressiveness and our axiomatization with modern approaches to products. Then, we introduce some non-fundamental operations. One of them, the relational implication, is shown to have heavy heuristic significance both in the statement of Galois connections for expressing relational counterparts for universally quantified sentences and for dealing with them. In the last sections we present two smooth program derivations based on the theoretical framework introduced previously.

Book ChapterDOI
29 Mar 1993
TL;DR: Geometric logic and the mathematical structures associated with it, such as categorical logic and toposes, are presented, and its applications in computer science, including its potential as a logic for specification languages, are described.
Abstract: We present an introduction to geometric logic and the mathematical structures associated with it, such as categorical logic and toposes. We also describe some of its applications in computer science including its potential as a logic for specification languages.

Book ChapterDOI
19 Apr 1993
TL;DR: In this paper, the refinement calculus is extended for real-time system development; heuristic rules for deriving high-level designs from Z specifications are also given, along with a detailed example of real-time refinement.
Abstract: The refinement calculus is extended for real-time system development. Heuristic rules for deriving high-level designs from Z specifications are also given. A detailed example of real-time refinement is presented.

Proceedings Article
28 Jun 1993
TL;DR: The abstract interpretation framework based upon the approximation of a fixpoint collecting semantics using Galois connections and widening/narrowing operators on complete lattices has been considered difficult to apply to Mycroft's strictness analysis.

Book ChapterDOI
19 Apr 1993
TL;DR: VDM and B are two “model-oriented” formal methods that give a notation for the specification of systems as state machines in terms of a set of states with operations defined as relations on that set.
Abstract: VDM and B are two “model-oriented” formal methods. Each gives a notation for the specification of systems as state machines in terms of a set of states with operations defined as relations on that set. Each has a notion of refinement of data and operations based on the principles of reduction of non-determinism and increase in definedness.

Book ChapterDOI
19 Apr 1993
TL;DR: A method for calculating interlock conditions for particular operations from system safety assertions is proposed; it is similar to ordinary Z precondition calculation, but usually results in stronger pre-conditions.
Abstract: This paper presents a formal specification in the Z notation for a safety-critical control system. It describes a particular medical device but is quite generic and should be widely applicable. The specification emphasizes safety interlocking and other discontinuous features that are not considered in classical control theory. A method for calculating interlock conditions for particular operations from system safety assertions is proposed; it is similar to ordinary Z precondition calculation, but usually results in stronger pre-conditions. The specification is presented as a partially complete framework that can be edited and filled in with the specific features of a particular control system. Our system is large but the specification is concise. It is built up from components, subsystems, conditions and modes that are developed separately, but also accounts for behaviors that emerge at the system level. The specification illustrates several useful idioms of the Z notation, and demonstrates that an object-oriented specification style can be expressed in ordinary Z.
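The difference between an ordinary Z precondition and an interlock condition derived from a safety assertion, as an added illustration (this is not the paper's calculation, its notation or its medical device): on a constructed controller whose state space is small enough to enumerate, the ordinary precondition holds wherever some post-state exists, while the interlock holds only where every post-state satisfies the safety assertion. The state components door_closed, beam_on and dose, the operations StartBeam and RaiseDose and the assertion are all hypothetical.

```python
"""Interlock conditions versus ordinary Z preconditions, by enumeration.

Added illustration, not the paper's calculation or device.  The state
space is a constructed (hypothetical) controller small enough to enumerate.
The ordinary precondition of an operation holds in the states from which
SOME post-state exists; the interlock condition derived from a safety
assertion holds only where EVERY post-state satisfies the assertion, so it
is at least as strong and usually stronger.
"""
from dataclasses import dataclass, replace
from itertools import product
from typing import Callable, FrozenSet, Set

MAX_DOSE = 3

@dataclass(frozen=True)
class State:
    door_closed: bool
    beam_on: bool
    dose: int            # 0 .. MAX_DOSE in the reachable state space

ALL_STATES: FrozenSet[State] = frozenset(
    State(d, b, k)
    for d, b, k in product((False, True), (False, True), range(MAX_DOSE + 1)))

# An operation is a relation: the set of possible post-states (empty = undefined).
Operation = Callable[[State], Set[State]]
Assertion = Callable[[State], bool]

def start_beam(s: State) -> Set[State]:
    """Defined whenever the beam is off; says nothing about the door."""
    return {replace(s, beam_on=True)} if not s.beam_on else set()

def raise_dose(s: State) -> Set[State]:
    """Nondeterministic step of 1 or 2 units; defined while a 1-unit step fits."""
    if s.dose + 1 > MAX_DOSE:
        return set()
    return {replace(s, dose=s.dose + k) for k in (1, 2)}

def safe(s: State) -> bool:
    """System safety assertion: beam only behind a closed door, dose in range."""
    return (not s.beam_on or s.door_closed) and s.dose <= MAX_DOSE

def z_precondition(op: Operation) -> FrozenSet[State]:
    """Ordinary Z pre: states from which the operation yields some post-state."""
    return frozenset(s for s in ALL_STATES if op(s))

def interlock(op: Operation, assertion: Assertion) -> FrozenSet[State]:
    """Interlock: states from which every post-state satisfies the assertion."""
    return frozenset(s for s in ALL_STATES
                     if op(s) and all(assertion(t) for t in op(s)))

def strengthening(op: Operation, assertion: Assertion) -> FrozenSet[State]:
    """States the ordinary precondition admits but the interlock must block."""
    return z_precondition(op) - interlock(op, assertion)

if __name__ == "__main__":
    for name, op in (("StartBeam", start_beam), ("RaiseDose", raise_dose)):
        pre, lock = z_precondition(op), interlock(op, safe)
        print(f"{name}: |pre| = {len(pre)}, |interlock| = {len(lock)}")
        for s in sorted(strengthening(op, safe),
                        key=lambda s: (s.door_closed, s.beam_on, s.dose)):
            print("   blocked by interlock:", s)
```

StartBeam is defined in 8 of the 16 states but the interlock admits only the 4 with the door closed; RaiseDose is defined in 12 states but the interlock admits 6, because the nondeterministic 2-unit step must also stay in range and raising the dose must not be allowed while the system is already unsafe. The universal quantification over post-states is what makes the interlock stronger than the existential one behind an ordinary Z precondition.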

Journal ArticleDOI
01 Dec 1993
TL;DR: It is shown that a simple time-unbounded synchronization problem, namely mutual exclusion by means of an arbiter, cannot be solved with perfect reliability using continuous, i.e., Newtonian, physical phenomena.
Abstract: Computing hardware is designed by refining an abstract specification through various lower levels of abstraction to arrive at a transistor layout implemented in a physical medium. Formalizing the refinements, one task of the mathematical semantics of computation, involves proving that the device described at each level of abstraction does indeed behave as prescribed by the description at the next higher level. One obstacle to this goal that has long been recognized is that certain classes of behaviors can be physically realized only approximately. The notorious problem of metastable operation precludes, for example, the realization on classical principles of flipflops that react in bounded time to arbitrary input signals. The literature suggests that the difficulty lies ultimately in the specification's requiring that the realizing device react properly in bounded time. We show, however, that a simple time-unbounded synchronization problem, namely mutual exclusion by means of an arbiter, cannot be solved with perfect reliability using continuous, i.e., Newtonian, physical phenomena. In particular, for any physical device operating on Newtonian principles that satisfies specific assumptions concerning an arbiter's input-output behavior, there always exist competing requests to which it reacts by granting them all.

Book ChapterDOI
29 Mar 1993
TL;DR: The proposed weakly structural π-institutions encompass logics in which consequence does depend on the choice of non-logical symbols by associating locality conditions with signatures or signature morphisms and enable new logics to be defined by reusing existing ones.
Abstract: The structural property of π-institutions which requires consequence to be preserved under changes of language is weakened. The proposed weakly structural π-institutions encompass logics in which consequence does depend on the choice of non-logical symbols by associating locality conditions with signatures or signature morphisms. They also enable new logics to be defined by reusing existing ones, extending and adapting them in order to build formalisms that better fit the applications whose specification they are intended to support.

Journal ArticleDOI
01 Jun 1993
TL;DR: The application of formal semantic analysis and verification to part of a working high-level synthesis system revealed several significant errors in that system, errors that had previously been undetected.
Abstract: Much has been said about the importance of formal verification in hardware synthesis, but little has been done. Where it has been applied at all, it has only been used on simple, idealized examples. This paper describes the application of formal semantic analysis and verification to part of a working high-level synthesis system. The process revealed several significant errors in that system, errors that had previously been undetected. This experience leads to some reflections on the need for a rigorous, formal basis for hardware specification and synthesis, and on the value of formal techniques.