A brief overview of NASA Langley's research program in formal methods by unknown
N93-12958
A Brief Overview of NASA Langley's
Research Program in Formal Methods
System Validation Methods Branch
NASA Langley Research Center
Hampton, Virginia
September 21, 1992"
Abstract
This paper presents an overview of NASA Langley's research program in formal methods.
The major goal of this work is to bring formal methods technology to a sufficiently mature
level for use by the United States aerospace industry. Towards this goal, work is under-
way to design and formally verify a fault-tolerant computing platform suitable for advanced
flight control applications. Also several direct technology transfer efforts have been initiated
that apply formal methods to critical subsystems of real aerospace computer systems. The
research team consists of six NASA civil servants and contractors from Boeing Military Air-
craft Company, Computational Logic Inc., Odyssey Research Associates, SRI International,
University of California at Davis, and Vigyan Inc.
Motivation
NASA Langley Research Center has been developing techniques for the design and validation
of flight critical systems for over two decades. Although much progress has been made in
developing methods which can accommodate physical failures, the design flaw remains a
serious problem [2, 3, 4, 5, 6, 7, 8].
A recent report by the National Center For Advanced Technologies i has identified "Prov-
ably Correct System Specification" and "Verification Formalism For Error-Free Specifica-
tion" as key areas of research for future avionics software and ultrareliable electronics systems
[9]. Aerospace engineers attending the NASA-LaRC Flight Critical Digital Systems Tech-
nology Workshop [10] listed techniques for the validation of concurrent and fault-tolerant
computer systems high on the list of research priorities for NASA.
*This is an updated version of the a paper entitled "NASA Langley's Research Program in Formal
Methods" presented at COMPASS 91 [1].
1A technical council funded by the Aerospace Industries Association of America (AIA) that represents the
major U.S. aerospace companies engaged in the research, development and manufacture of aircraft, missiles
and space systems and related propulsion, guidance, control and other equipment.
PRIE(_DING PAGE. BLANK NOT FILMED
9
https://ntrs.nasa.gov/search.jsp?R=19930003770 2020-03-17T10:32:36+00:00Z
A further motivation for the use of formal methods is the practical limitations of life-
testing methods to quantify reliability in the ultrareliable domain. Unfortunately, the quan-
tification of reliability in the presence of design faults has been found to be infeasible whether
applied to hardware or software (standard or fault-tolerant) [11]. Therefore the use of non-
statistical method is necessary.
Formal Methods
Formal methods are the applied mathematics of computer systems engineering. There are
many different types of formal methods with various degrees of rigor. The following is a
useful (first-order) taxonomy of the degrees of rigor in formal methods:
Level-I: Formal specification of all or part of the system.
Level-$: Formal specification at two or more levels of abstraction and paper and
pencil proofs that the detailed specification implies the more abstract spec-
ification. : ......
Level-3: Formal proofs checked by a mechanical theorem prover.
Level I represents the use of mathematical logic or a specification language that has a
formal semantics to specify the system. This can be done at several levels of abstraction.
For example, one level might enumerate the required abstract properties of the system,
while another level describes an implementation which is algorithmic in style: :Leve! 2 formal
methods goes beyond level 1 by developing pencil:and-paper proofs that t=he_mpre concrete
levels logically imply the more abstract-property oriented levels. Level 3 is the most rigorous
application of formal methods. Here one uses a seini-aut0matic theorem pr0ver:to make sur_
that all of the proofs are valid. The Level 3 process of convincing a mechanical prover is
really a process of developing an argument for an ultimate skeptic who must be shown every
detail.
It is also important to realize that formal methods is not an all-or-nothing approach.
The application of formal methods to the most critical portions of a system is a pragmatic
and useful strategy. Although a complete formal verification of a large complex system is
impractical at this time, a great increase in confidence in the system can be obtained by the
use of formal methods at key locations in the system.
z
E
Z
=
Research Team
The Langley formal methods program involves both in-house researchers and industrial/academic
researchers working under contract to NASA Langley. Currently the in-house team consists
of six civil servants and one in-house contractor (Vigyan Inc.). NASA Langley has awarded
three contracts specifically devoted to formal methods (from the competitive NASA RFP
1-22-9130.0238). The selected contractors were SRI International, Computational Logic
Inc., and Odyssey Research Associates. The three contracts are five-year, task assignment
contracts with total spending authority at approximately $2.5M per contract. Another
task-assignment contract with Boeing Military Aircraft Company (BMAC) is being used to
10
explore formal methods as well. Through this contract BMAC is funding research at the
University of California at Davis and California Polytechnic State University to assist them
in the use of formal methods in aerospace applications.
NASA Langley's Research Strategy
The basic strategy of the research effort is to apply existing formal methods to challenging
aerospace designs. This strategy leverages the huge investment of DARPA and National
Security Agency in development of tools and concentrates on the problems specific to the
aerospace problem domain. We have sought to build a strong inhouse research program
as well as use contracts with the leading U.S. formal methods research teams (i.e. SRI,
CLI, ORA) and aerospace industrial teams (BMAC, Draper Labs). In the short term we
are seeking to apply formal methods to critical subsystems. In the medium term we are
designing and verifying a reliable computing platform. Only in the long-term will we seek to
make production-quality verification tools that are easily used by design engineers without
overly specialized, detailed knowledge of formal methods.
The design of a digital flight control system involves two dissimilar activities:
1. design and implementation of control laws
2. design of the fault-tolerant computing platform which executes the control laws
Although these design activities are intimately connected, they require uniquely different
skills. The first activity requires knowledge of feedback control theory and aerodynamics as
well as numerical methods. The second activity requires knowledge of fault-tolerance theory
and computer architecture. Although both activities are essential, we are concentrating at
this time on the second activity. To facilitate the development and demonstration of tools
and techniques to support the second activity, a reliable computing platform (RCP) is being
developed. Also, several tasks are underway to facilitate the transfer of formal methods
technology to aerospace industry.
The Reliable Computing Platform
The Reliable Computing Platform (RCP) dispatches the control-law application tasks and
executes them on redundant processors. The reliable computing platform performs the
necessary fault-tolerant functions and provides an interface to the network of sensors and
actuators.
The RCP consists of both hardwareand software components. A real-time operating sys-
tem provides the applications software developer with a reliable mechanism for dispatching
periodic tasks on a fault-tolerant computing base that appears to him as a single ultra-
reliable processor. Traditionally, an operating system has been implemented as an executive
(or main program) that invokes subroutines implementing the application tasks. Commu-
nication between the tasks has been accomplished by use of shared memory. This strategy
is effective for systems with nominal reliability requirements where a simplex processor can
11
be used. For ultra-reliable systems, the additional responsibility of providing fault tolerance
makes this approach untenable.
For these reasons, the operating system and replicated computer architecture must be
designed together so they mutually support the goals of the RCP. A multi-level hierarchical
specification of the RCP is shown in figure 1.
[ Uniprocessor System Model (US}]
I
IFault-tolerantt eplicatedSynchronousModel(RS)I
I
IFault-tote,'antDistributed Synchronous Model (DS)]
I
l Fault-tolerant Distributed Asynchronous Model (o,4)J
I
I Local Ezecutive Model (LE) I
I
[ Ifardware/Software Implementation]
Figure 1: Hierarchical Specification of the Reliable Computing Platform (RCP)
The top level of the hierarchy describes the operating system as a function that sequent
tinily invokes application tasks. This view of the operating system will be referred to as the
uniprocessor specification (US}, which is formalized as astate transition system and for-rns
tiae'baS|S o_ the-spec|fi_a-tlon for the RCP. Fault tolerance is achieved by voting results com-
puted by the replicated processors operating on the same inputs. Interactive consistency
checks on sensor inputs and voting of actuator outputs require synchronization of the repli-
cated processors. The second level in the hierarchy (RS) describes the operating system as
a synchronous system where each replicated processor executes the same application tasks.
The existence of a global time base, an interactive consistency mechanism and a reliable
v0t|ng mechanism are assumed at thlsqevel. Level 3 of the hierarchy breaks a frame into
four _quential pI/_es__Tlils allows a more explicitmodeling of interprocessor communica-
tion and the time phasing of computation, communication, and voting. At the fourth level,
the assumptions of the synchronous model must be discharged. Rushby and von Henke [12]
report on the formal verification of Lamport and Melliar-Smith's [13] interactive-convergence
clock synchronization algorithm. This algorithm can serve as a foundation for the implemen-
tation of the replicated system by bounding the amount of asynchrony in the system so that
it can duplicate the functionality of the DS model. Dedicated hardware implementations of
the clock synchronization function are a long-term goal. The LE model is currently under
development. This model describes the actions on each local processor delineating how each
processor schedules tasks, votes results and rewrites its own local memory with voted val-
ues. Of primary importance in this specification is the utilization of a memory management
2
Z
r._
i
--Z
12
unit by the local executive in order to prevent the overwriting of incorrect memory loca-
tions while recovering from the effects of a transient fault. There will probably be another
level of specification introduced before the final implementation in hardware and software is
reached. The research activity will culminate in a detailed design and prototype implemen-
tation. Figure 2 depicts the generic hardware architecture assumed for implementing the
replicated system. Single-source sensor inputs are distributed by special purpose hardware
executing a Byzantine agreement algorithm. Replicated actuator outputs are all delivered
in parallel to the actuators, where force-sum voting occurs. Interprocessor communication
links allow replicated processors to exchange and vote on the results of task computations.
As previously suggested, clock synchronization hardware may be added to the architecture
as well.
The hardware architecture is a classic N-modular redundant (NMR) system with a small
number N of processors. Single-source sensor inputs are distributed by special purpose
hardware executing a Byzantine agreement algorithm. Replicated actuator outputs are all
delivered in parallel to the actuators, where force-sum voting occurs. Interprocessor com-
munication links allow replicated processors to exchange and vote on the results of task
computations. This is illustrated in figure 2.
[)rocf_sso r
Replicate
1
Sensors ]
L
! !
Ilnleractive Consistencyl
Distribution Network
hderprocessor
Communication Link
[nterprocc,_;.gor
Communication Link
Processor
Replicate
R
J I
1 1
Figure 2: Generic hardware architecture.
The Division of Labor
The in-house team at NASA has been orchestrating the effort to apply formal methods to
the RCP. The design problem has been decomposed into several separate activities, some of
13
which are being investigated by contractual teams and others by the in-house team.
efforts are roughly divided as follows:
in-house:
SRI:
CLI:
ORA:
BMAC:
system architecture, clock synchronization
Clock synchronization, fault-tolerance
Byzantine Agreement Circuits, clock synchronization
Byzantine Agreement Circuits, applications
Hardware Verification, formal requirements analysis
The
NASA In-house Work
The in-house team has concentrated on the system architecture for the RCP. The top two
levels of the RCP were originally formally specified in standard mathematical notation and
connected via mathematical (i.e. level 2 formal methods) proof[14, 15]. Under the assump-
tion that a majority of processors are working in each frame, the proof establishes that the
replicated system computes the same results as a single processor system not subject to fail-
ures. Sufficient conditions were developed that guarantee that the replicated system recovers
from transient faults within a bounded amount of time. SRI subsequently generalized the
models and constructed a mechanical proof in Ehdm [16]. Next, the NASA inhouse team
developed the third and fourth level models. Tile top two levels and the two new models
were then specified in Ehdm and all of the proofs were done mechanically using the Ehdm
5.2 prover[17,18] _- _ _ .... _ = _ _
Inhouse work is underway to design an d implemen t a fault-tolerant clock synchronization
circuit capable of recovery from transient faults [19, 20]. The circuit is being implemented
using programmable logic devices (PLDs) and FOXI fiber optic communications chips [21].
Contractual Efforts
SRI International
The redundancy management strategies of virtually all fault-tolerant systems depend upon
some form of voting which in turn depends upon synchronization. Although in many systems
the clock synchronization function has not been decoupled from the applications (e.g. the
redundant versions of the applications Synchronize by messages), research and experience
have led us to believe that solving the synchronization problem independently from the ap-
plications design can provide significant simplification of the system [22, 23]. The operating
system is built on top of this clock-synchronization foundation. Of course, the correctness
of this foundation is essential. Thus, the clock synchronization algorithm and its implemen-
tation are prime candidates for formal methods. The verification strategy shown in figure 3
is being explored. The top-level in the hierarchy is an abstract property of the form:
V non-faulty p,q: IC/,p(t) - Cq(t)l < 6
where $ is the maximum clock skew guaranteed by the algorithm as long as a sufficient
number of clocks (and the processors they are attachcd to) are working. The function Cp(t)
14
[Maximum Clock Skew Property I
T
I
I Synchronization Algorithm I
T
I
[Digital Circuit Implementation]
Figure 3: Hierarchical Verification of Clock Synchronization
gives the value of clock p at real time t. The middle level in the hierarchy is a mathematical
definition of the synchronization algorithm. The bottom level is a detailed digital design of
a circuit that implements the algorithm. The bottom level is sufficiently detailed to make
translation into silicon straight forward.
The verification process involves two important steps: (1) verification that the algorithm
satisfies the maximum skew property and (2) verification that the digital circuitry correctly
implements the algorithm. The first step has already been completed by SRI International.
The first such proof was accomplished during the design and verification of SIFT [13]. The
proof was done by hand in the style of most journal proofs. More recently this proof step
has been mechanically verified using the Ehdrn theorem prover [12]. In addition, SRI has
mechanically verified Schneider's clock synchronization paradigm [24] using Ehdm[25]. A
further generalization was found at NASA Langley [20] 2. The design of a digital circuit to
distribute clock values in support of fault-tolerant synchronization has been completed by
SRI International and is currently being formally verified?
SRI is currently writing a chapter for the FAA Digital Systems Validation Handbook
Volume III on formal methods[26]. The handbook provides detailed information about digital
system design and validation and is used by the FAA certifiers.
Computational Logic Inc.
Fault-tolerant systems, although internally redundant, must deal with single-source informa-
tion from the external world. For example, a flight control system is built around the notion
of feedback from physical sensors such as accelerometers, position sensors, pressure sensors,
etc. Although these can be replicated (and they usually are), the replicates do not produce
identical results. In order to use bit-by-bit majority voting all of the computational repli-
cates must operate on identical input data. Thus, the sensor values (the complete redundant
suite) must be distributed to each processor in a manner which guarantees that all working
processors receive exactly the same value even in the presence of some faulty processors.
This is the classic Byzantine Generals problem [27]. CLI is investigating the formal verifica-
2The bounded delay assumption was Shown to follow from the other assumptions of the theory.
3Uniike the NASA inl_0U-seclreuit, the SRI intent is that the convergence algorithm be implemented in
software.
15
tion of such algorithms and their implementation. They have formally verified the original
Marshall, Shostak, and Lamport version of this algorithm using the Boyer Moore theorem
prover [28]. They have also implemented this algorithm down to the register-transfer level
and demonstrated that it implements the mathematical algorithm [29] and then subsequently
verified the design down to a hardware description language (HDL) developed at CLI [30].
CLI has reproduced the SRI verification of the interactive convergence algorithm using the
Boyer-Moore theorem prover [31]. CLI has also developed a formal model of asynchronous
communication and demonstrated its utility by formally verifying a widely used protocol for
asynchronous communication called the bi-pha._e mark protocol, also known as "Bi-_-M,"
"FM" or "single density" [32]. It is one of several protocols implemented by microcontrollers
such as the Intel 82530 and is used in the Intel 82C501AD Ethernet Serial Interface.
Odyssey Research Associates
ORA has also been investigating the formal verification of Byzantine Generals algorithms.
They have focused on the practical implementation of a Byzantlne-resilient communications
mechanism between Mini-Cayuga micro-processors [33, 34, 35]. The Mini-Cayuga is a small
but formally verified microprocessor developed by ORA. It is a research prototype and
has not been fabricated. The communications circuitry would Serve as a foundation for __
fault-tolerant architecture. It was designed assuming that the underlying processors were
synchronized (say by a clock synchronization circuit). The issues involved with connecting-
the Byzantine communications circuit with a clock synchronization circuit and verifying the
combination has not yet been explored.
Another task that has been started with ORA is to apply their Ada verification tools to
aerospace applications. This effort consists of two subtasks. The first subtask is to verify
some utility routines obtained from the NASA Goddard Space Flight Center and theNASA-
Lewis Research Center using their Ada Verification Tool named Penelope [36]. This subtask
was accomplished in two steps: (1) a formal specification of the routines and (2) formal-
verification of the routines. Both steps uncovered errors in the routines [37]. The second
subtask was to formally specify the mode-control panel logic of a Boeing-737 experimental
aircraft system using Larch (the specification language used by Penelope) [38].
A joint project between ORA and Charles Stark Draper Laboratory (CSDL) has been
initiated. The CSDL has been funded by NASA Langley to build fault-tolerant computer
systems for over two decades. They have recently become interested in the use of formal
methods to increase confidence in their designs. ORA has formally specified an important
circuit (called the scoreboard) of the Fault-Tolerant Parallel Processor (FTPP) [39] in Cal-
iban [40]. Work is currently underway to formally verify the circuit.
|
i
i
Boeing Military Aircraft Co.
The Boeing Company has been sponsored by NASA Langley to develop advanced validation
and verification techniques for fly-by-wire systems. As part of the project, Boeing is exploring
the use of formal methods. The goal of this work is two-fold: 1) technology transfer of formal
methods to Boeing, and 2) assessment of formal methods technology maturity.
1(i
NASA Langley has been involved in a cooperative research partnership with Boeing to
facilitate the acceptance and adoption of this high-risk, high-payoff technology by Boeing.
The first step was to demonstrate that formal verification of "real" hardware devices is, in
fact, feasible. The first Boeing tasks concentrated on applying the HOL hardware verification
methodology to a set of hardware devices. With the assistance of a subcontract with U. C.
Davis, Boeing verified a set of hardware devices, including a microprocessor[41], a floating-
point coprocessor similar to the Inte18087 but smaller[42, 43], a direct memory access (DMA)
controller similar to the Intel 8237A but smaller[44], and a set of memory-management
units[45, 46]. U. C. Davis also developed the generic-interpreter theory to aid in the formal
specification and verification of hardware devices[47, 48, 49], and a horizontal-integration
theory for composing verified devices into a system[50, 51, 52, 53].
After demonstrating the feasibility of verifying standard hardware devices, Boeing was
ready to apply the methodology to a set of proprietary hardware devices being developed
inhouse for use in a number of aeronautics and space applications. NASA sponsored a Boeing
engineer to work with the Processor Interface Unit (PIU) design team to formally specify
and verify the device. Although the NASA contract with Boeing will end in FY93, Boeing
has already capitalized on the NASA program and has started their own IR&D effort to
continue applying formal methods to the set of devices.
The cooperative research effort with Boeing has helped NASA Langley to assess the
maturity of formal methods technology with respect to state-of-the-practice digital fiight-
control systems. First, Boeing was tasked to analyze the suitability of the VIPER chip for
application to digital flight controls and to assess the design/verification methodology used
on the VIPER[54] 4. The generic-interpreter and horizontal-integration theories developed at
U. C. Davis provide models to guide the specification and verification of hardware devices.
Application of formal methods to the PIU has demonstrated that formal methods can be
practically applied to the digital hardware devices being developed by Boeing today and has
given NASA insight on how to make the process more cost effective.
Work is also progressing on a methodology for formal requirements analysis for aircraft
systems[58, 59]. This work, being performed under a subcontract to California Polytechnic
State University, includes development of a Wide-Spectrum Requirements Specification Lan-
guage (WSRSL) and prototype tools to support the language. A set of requirements for an
Advanced Subsonic Civil Transport (ASCT) developed by a Boeing engineer under previous
NASA funding is being rewritten in WSRSL to demonstrate the use of the language and
toolset. Since WSRSL is a formal language, the specification can be formally analyzed for
syntactic correctness, completeness, and consistency. NASA Langley is currently evaluat-
ing WSRSL as a candidate requirements specification tool for the fly-by-light/power-by-wire
project. Future plans include possible development of an automatic translator to Ehdm (SRI
International's theorem prover) to facilitate verification of functional correctness as well.
4NASA Langley has just completed a 3 year Memorandum of Understanding (MOU) with the U.K.
Royal Signals and Radar Establishment (RSRE) in formal methods. The MOU focused on the VIPER
microprocessor and the verification methodology used in its development. Computational Logic Inc. and
Langley inhouse researchers also performed assessments of the VIPER project[55, 56, 57].
17
NASA FM Repository
An anonymous FTP account has been set up at Langley to make the research results readily
available. Formal specifications, research papers, and other useful information will be stored
in machine-readable form. To access this repository, one must issue the following command:
"ftp air16.1arc,nasa.gov'. One then supplies "anonymous" as the user name and his FTP
address a_ the password.
==,
Summary
Although the NASA program covers a wide-spectrum 0f theoretical and practical problem
domains, it is strongly focused on the goal of designing a fault-tolerant reliable computing
base which can support real-time control applications. Much progress has already been made
in applying formal methods tO Criiical subsystems such as Clock synchronization, Byzantine
agreement, voting, etc. The challenge ahead is to integrate all of these activities to accom-
plish a complete verification of the total RCP system and to continue the transfer of this
technology to the aerospace industry.
References
[1] Butler, Ricky W.: NASA Langley's Research Program in Formal Methods. In 6th
Annual Conference on Computer Assurance (COMPASS 9I), Gaithersburg, MD, June
1991.
[2] Leveson, Nancy G.: Software Safety: What, Why, and How. Computing Surveys,
vol. 18, no. 2, June 1986.
[3] Neumann, Peter GI: Some Computer-Related Disasters and Other Egregious Horrors.
ACM SIGSOFT Software Engineering Notes, vol. 10, no. 1, Jan. 1985, pp. 6-12.
[4] Hamilton, Margaret: Zero-defect software: the elusive goal. IEEE Spectrum, Mar. 1986_
[5] Saab Blames Gripen Crash on Software. Aviation Week gJ Space Technology, Feb. 1989.
[6] Joyce, Ed: -Software Bugs: A Matter of Life and Liability. Datamation, May 1987.
[7] Garmen, John R.: The Bug Heard 'Round The World. ACM SIGSOFT Software
Engineering Notes, vol. 6, no. 5, Oct. 1981, pp. 3-10.
[8] Rogers, Michael; and Gonzalez, David L.: Can We Trust Our Software? Newsweek,
Jan. 1990.
[9] Key Technologies For the Year _000. National Center for Advanced Technologies, 1250
Eye Street N.W., Washington, D.C. 20005, June 1991.
=
18
[10]
[11]
[]2]
[13]
[14]
[15]
[16]
[17]
[18]
[19]
[20]
[211
Meissner, Charles W., Jr.; Dunham, Janet R.; and (eds.), C. Crim: Proceedings of the
NASA-LaRC Flight-Critical Digital Systems Technology Workshop. NASA Conference
Publication 10028, Apr. 1989.
Butler, Ricky W.; and Finelli, George B.: The Infeasibility of Experimental Quantifi-
cation of Life-Critical Software Reliability. In Proceedings of the ACM SIGSOFT '91
Conference on Software for Critical Systems, New Orleans, Louisiana, Dec. 1991, pp.
66-76.
Rushby, John; and yon Henke, Friedrich: Formal Verification of a Fault-Tolerant Clock
Synchronization Algorithm. NASA Contractor Report 4239, June 1989.
Lamport, Leslie; and MeUiar-Smith, P. M.: Synchronizing Clocks in the Presence of
Faults. Journal of the ACM, vol. 32, no. 1, Jan. 1985, pp. 52-78.
Di Vito, Ben L.; Butler, Ricky W.; and Caldwell, James L., II: Formal Design and
Verification of a Reliable Computing Platform For Real-Time Control (Phase 1 Results).
NASA Technical Memorandum 102716, Oct. 1990.
Di Vito, Ben L.; Butler, Ricky W.; and Caldwell, James L.: High Level Design Proof
of a Reliable Computing Platform. In Dependable Computing for Critical Applications
_o, Dependable Computing and Fault-Tolerant Systems, pp. 279-306. Springer Verlag,
Wien New York, 1992. Also presented at 2nd IFIP Working Conference on Dependable
Computing for Critical Applications, Tucson, AZ, Feb. 18-20, 1991, pp. 124-136.
Rushby, John: Formal Specification and Verification of a Fault-Masking and Transient-
Recovery Model for Digital Flight-Control Systems. NASA Contractor Report 4384, July
1991.
Butler, Ricky W.; and Di Vito, Ben L.: Formal Design and Verification of a Reli-
able Computing Platform For Real-Time Control (Phase P Results). NASA Technical
Memorandum 104196, Jan. 1992.
Di Vito, Ben L.; and Butler, Ricky W.: Formal Techniques for Synchronized Fault-
Tolerant Systems. In 3rd IFIP Working Conference on Dependable Computing for Crit-
ical Applications, Mondello, Sicily, Italy, Sept. 1992.
Miner, Paul S.: A Verified Design of a Fault-Tolerant Clock Synchronization Circuit:
Preliminary Investigations. NASA Technical Memorandum 107568, Mar. 1992.
Miner, Paul S.: An Extension to Schneider's General Paradigm for Fault-Tolerant Clock
Synchronization. NASA Technical Memorandum 107634, Langley Research Center,
Hampton, VA, 1992. To be published.
Miner, Paul S.; Padilla, Peter A.; and Torres, Wilfredo: A Provably Correct Design of
a Fault-Tolerant Clock Synchronization Circuit. To appear in the llth Digital Avionics
Systems Conference, Seattle, WA., Oct. 1992.
19
[22] Lamport, Leslie: Using Time Instead of Timeout for Fault-Tolerant Distributed Sys-
tems. ACM Transactions on Programming Languages and Systems, vol. 6, no. 2, Apr.
1984, pp. 254-280.
[23] Goldberg, Jack; et al.: Development and Analysis of the Software Implemented Fault-
Tolerance (SIFT) Computer. NASA Contractor Report 172146, 1984.
[24] Schneider, Fred B.: Understanding Protocols for Byzantine Clock Synchronization.
Cornell University, Ithaca, NY, Technical Report 87-859, Aug. 1987.
[25] Shankar, Natarajan: Mechanical Verification of a Schematic Byzantine Clock Synchro-
nization Algorithm. NASA Contractor Report 4386, July 1991.
[26] Computer Resource Management, Inc.: In Digital Systems Validation Handbook - vol-
ume III, no. DOT/FAA/CT-88/10. FAA. =
[27] Lamport, Leslie; Shostak, Robert; and Pease, Marshall: The Byzantine Generals Prob-
lem. ACM Transactions on Programming Languages and Systems, vol. 4, no. 3, July
1982, pp. 382-401.
[28] Bevier, William R.; and Young, William D.i Machine Checked Proofs of the Design and
Implementation of a Fault-Tolerant Circuit. NASA Contractor Report 182099, Nov.
1990.
29] Bevier, William R.; and Young, William D.: The Proof of Correctness of a Fault-
Tolerant Circuit Design. In Second IFIP Conference on Dependable Computing For
Critical Applications, Tucson, Arizona, Feb. 1991, pp. 107-114.
[30] Moore, J Strother: Mechanically Verified Hardware Implementing an 8-bit Parallel IO
Byzantine Agreement Processor. NASA Contractor Report 189588, Apr. 1992.
[31] Young, William D.: Verifying the Interactive Convergence Clock Synchronization al-
gorithm Using the Boyer-Moore Theorem Prover. to be published as a NASA CR,
1992.
[32] Moore, J Strother: A Formal Model of Asynchronous Communication and Its Use in
Mechanically Verifying a Biphase Mark Protocol. NASA Contractor Report 4433, June
19_}2 _=
[33] Srivas, Mandayam; and Bickford, Mark: Verification of the FtCayuga Fault-Tolerant
Microprocessor System (Volume 1: A Case Study in Theorem Prover-Based Verifica-
tion). NASA Contractor Report 4381, July 1991.
[34] Bickford, Mark; and Srivas, Mandayam: Verification of the FtCayuga Fault-Tolerant
Microprocessor System (Volume _: Formal Specification and Correctness Theorems).
NASA Contractor Report 187574, July 1991.
i
2O
[35]
[36]
[37]
[38]
[39]
[40]
[41]
[42]
[43]
[44]
[45]
[46]
[47]
[48]
Srivas, Mandayam; and Bickford, Mark: Verification of a Fault-Tolerant Property of a
Multiprocessor System. In Theorem Provers in Circuit Design: Theory, Practice and
Ezperience, Nijmegen, The Netherlands, June 1992. To appear.
Guaspari, David: Penelope, an Ada Verification System. In Proceedings of Tri-Ada '89,
Pittsburgh, PA, Oct. 1989, pp. 216-224.
Eichenlanb, Carl T.; and Harper, C. Douglas: Using Penelope to Assess the Correctness
of NASA Ada Software: A Demonstration of Formal Methods as a Counterpart to
Testing. To be published as a NASA Contractor Report, 1991.
Guaspari, David: Formally Specifying the Logic of an Automatic Guidance Controller.
In Ada-Europe Conference, Athens, Greece, May 1991.
Harper, Richard E.; Lala, Jay H.; and Deyst, John J.: Fault Tolerant Parallel Pro-
cessor Architecture Overview. In Proceedings of the 18th Symposium on Fault Tolerant
Computing, 1988, pp. 252-257.
Srivas, Mandayam; and Bickford, Mark: Moving Formal Methods Into Practice: Veri-
fying the FTPP Scoreboard: Phase I Results. NASA Contractor Report 189607, May
1992.
Windley, Phil J.; Levitt, Karl; and Cohen, Gerald C.: Formal Proof of the AVM-I
Microprocessor Using the Concept of Generic Interpreters. NASA Contractor Report
187491, Mar. 1991.
Pan, Jing; Levitt, Karl; and Cohen, Gerald C.: Toward a Formal Verification of a
Floating-Point Coprocessor and its Composition with a Central Processing Unit. NASA
Contractor Report 187547, Aug. 1991.
Pan, Jing; and Levitt, Karl: Towards a Formal Specification of the IEEE Floating-Point
Standard with Application to the Verification of Floating-Point Coprocessors. In 24th
Asilomar Conference on Signals, Systems (_ Computers, Monterrey, CA., Nov. 1990.
Kalvala, Sara; Levitt, Karl; and Cohen, Gerald C.: Design and Verification of a DMA
Processor. To be published as a NASA Contractor Report, 1992.
Schubert, Thomas; Levitt, Karl; and Cohen, Gerald C.: Formal Verification of a Set of
Memory Management Units. NASA Contractor Report 189566, 1992.
Schubert, Thomas; and Levitt, Karl: Verification of Memory Management Units. In
Second IFIP Conference on Dependable Computing For Critical Applications, Tucson,
Arizona, Feb. 1991, pp. 115-123.
Windley, Phil J.; Levitt, Karl; and Cohen, Gerald C.: The Formal Verification of
Generic Interpreters. NASA Contractor Report 4403, Oct. 1991.
Windley, Phil J.: The Formal Verification of Generic Interpreters.
Automation Conference, San Franciso, CA, June 1991.
,i
- _.•
In 28th Design
21
[49] Windley, Phil J.: Abstract Hardware. In ACM International Workshop on Formal
Methods in VLSI Design, Miami, FL, Jan. 1991.
[50] Schubert, Thomas; Levitt, Karl; and Cohen, Gerald C.: Formal Mechanization of
Device Interactions With a Process Algebra. to be published as a NASA CR, 1992.
[51] Schubert, Thomas; Levitt, Karl; and Cohen, Gerald C.: Towards Composition of Veri-
fied Hardware Devices. NASA Contractor Report 187504, Nov. 1991.
[52] Pan, Jing; Levitt, Karl; and Schubert, E. Thomas: Toward a Formal Verification of
a Floating-Point Coprocessor and its Composition with a Central Processing Unit. In
ACM International Workshop on Formal Methods in VLSI Design, Miami, FL, Jan.
1991.
[53]
[54]
Kalvala, Sara; Archer, Myla; and Levitt, Karl: A Methodology for Integrating Hardware
Design and Verification. In ACM International Workshop on Formal Methods in VLSI
Design, Miami, FL, Jan. 1991.
Levitt, Karl; and et. al.: Formal Verification of a Microcoded VIPER using HOL. to
be published as a NASA CR, 1992.
[55] Brock, Bishop; and Hunt, Jr., Warren A.: Report on the Formal Specification and
Partial Verification of the VIPER Microprocessor. NASA Contractor Report 187540,
July 1991.
[56] Carrefio, Victor A.; and Angellatta, Rob K.: A Case Study for the Real-Time Ex-
perimental Evaluation of the VIPER Microprocessor. NASA Technical Memorandum
104098, Sept. 1991.
[57] Butler, Ricky W.; and Sjogren, Jon A.: tlardware Proofs Using EHDM and the RSRE
Verification Methodology. NASA Technical Memorandum 100669, Dec. 1988.
[58] Fisher, Gene; Frincke, Deborah; Wolber, Dave; and Cohen, Gerald C.: Structured
Representation for Requirements and Specifications. NASA Contractor Report 187522,
July 1991.
[59] Frincke, Deborah; Wolber, Dave; Fisher, Gene; and Cohen, Gerald: Requirements
Specfication Language (RSL) and Supporting Tools. to be published as a NASA CR,
1992.
22
Welcome and Introduction
Charles Meissner, Jr.
Head, System Validation Methods Branch
NASA Langley Research Center
23
WELCOME
AND
INTRODUCTION
FORMAL METHODS WORKSHOP
NASA LANGLEY RESEARCH CENTER
AUGUST 11-13, 1992
Charles W. Meissner, Jr.
NASA Langley Research Center
k
NASA ORGANIZATION
VERTICAL CUT TO SVMB
CODE A INASA ADMINISTRATOR
ii =k
OFFICE OF
AERONAUTICS AND SPACE
TECHNOLOGY._,
LANGLEY I
RESEARCH I
CENTER J
FLIGHT I
SYSTEMS
DIRECTORATE
I SYSTEM Ill
I VALIDATION II
I METHODS g
24
LANGLEY FAULT-TOLERANT DIGITAL SYSTEMS
HISTORICAL PERSPECTIVE
CA. 1972 ARCS
CARSRA
SIFT
FTMP
CARE III
LIC SOFTWARE
IAPSA
SURE/ASSIST
CA. 1992 AIPS
L
F'T SYSTEM DESIGN
RELIABILITY ANALYSIS
F-T COMPUTER
F-T COMPUTER
RELIABILITY
S/W ERROR ANALYSIS
F-T DFCS DESIGN
RELIABILITY ANALYSIS
DISTRIBUTED F-T SYSTEM
ULTRARELIABLE DIGITAL 'AVIONICS
CONTROL SYSTEMS BECOMING THE PRACTICAL EQUIVALENT OF PRIMARY
STRUCTURE
• U.S. FAR 1309-1 Requires P(fail)<10 -9for statistical compliance
• Reliability can't be estimated to this level
• Experienced engineering and operational judgement used for compliance
FAULT-TOLERANT DIGITAL SYSTEMS ARE NECESSARY FOR PRACTICAL
REALIZATION OF ADVANCED CONTROL
• Analog functionality insufficient for advanced control
• Analog too high in size, weight, power
• Digital system components not adequately reliable - use redundancy to
Increase rellablllty
25
FORMAL METHODS FOR
FLIGHT-CRITICAL SYSTEMS
• The only sclentificaliy satisfactory approach to aspects of the
digital validation process is through reasoning
Formal methods may become Important sooner than is
commonly supposed in the aerospace community
T T
=
SVMB has put an emphasis on formal methods
. Industry/FAA focus is essential feature of our formal methods
work- -
t
=
!
!
t
|
26
Why Formal Methods?
Ricky Butler
System Validation Methods Branch
NASA Langley Research Center
27
• • • • * • • • D
28
I "!! I'
'I!!!
29
I.
-@
i..
.2
!
,m
_ "_ o
• _ _
__ ._
• • • •
J
!
i
m..
0
_° i°
i_._- _
_ ggi
3O
_. °_)
_ ._
_o_
31
J32
z,_ __
| |
33
34
El
It
n
85
.|
.i
I=]
's
,[|
LiJ •M
" LS, i _ t
i _"
!ll
_1|}
_i__J
I " i
J
4l
|
m
.|
1
J
|
l
t
.4" .
A
I1
Ju
i7
<:::::::::::::::::: !
_:::::::::::::::::: _.
<_::::::::::::::::::
• ,lJ i
j L
_ 1_¸
°_
[_
<<n_
_.__
F
_-_.v
_V
II
v-3
vI <
• v
tll 111
l
36
EI
\ • 87
hI)
-%.
bdD
<
I.I t4
lj _xl
t..
"_ tl
<
II
m
W
r_
38
"_ II
i ! II _.. ,..
=
5_
_<<
_3
lo
J
*Ii
1!i1_i i
" " " "t_
11- II i _ _
h% II
_" '" _ ° ii
3g
< I
I
0
O
0
|
*1
m|
o • •
I
i
!
..... i
i
,.=
.|
u
i
E
t_ _ _
• _i° i _-
,- _ S S S
'_ _; _
_t ._- ":_1" • " .....
z
z
;>
r_
n
• i
40
_1_.;:;-
". ,_
_3
,tl
a° !i
i_-_ -_
•- _ _ _ i ,L
"" ii
J
!
J
J
_ i_o_ o.
_ _ __
_ _ . •
42
Design Sp
Tutorial
ecification Techniques
Ben DiVito
ViGYAN
43
044
XXXXXx
KXXX
KxXX
N
J
J
X×
45
.|
°I
S
i[
o
I-i
_ b o|- |
.!-_ _.-
1},,, P"
._
. |
[..,
|
• _. _.
:s
. I-I
_ [ L ..
"GI _ ,I!
0
1,
1
i
13
i
|
,,4
all
]
i6
II
•-_ _
;; , t
•,_ "_ >
-
,..1
_..;=
oo
@
II
II
_ _._
o_
'! ]:_ li_,
] !" L]
__. .- .
@ =
_p '%3
T
,_ i1
46
II °. _i
•_ o
i n _' _"
" _S _"
,.., _..,,
' _ ", _ r_ u_
_4
47
.!
2
.I.i "s-
i i :
:' _ _i_ ""j:ii_.
,I _.,_. !I_
Iol
- !
_I __
• _, I _
.[___
i
]
, m SI'I ,,
"_ _ II _ _ II
II _'_
if,--, ff ff
.._
n _
II
I!
t.
II
|<
i
_< _
e _
o_
N N
,i
i
i
- _ " _-'-I_.........
il • it • • •
i
i
==
48
Code
Tutorial
Verification Techniques
C. Michael Holloway
Syst,(_m Validation Methods Branch
NASA L_mgley Research Center
49
Q;
t,-
.1
u
0
r-
t-
O
,1
t_
U
Q;
>
Q;
"0
0
U
c-
O
F-
_J
) _._
a> .__
_ E E _
,0 "_ Q;aJ _
• @ • •
b
e-
_J
>,U
-1-
, .J
u
_h
2
5O
q-
0
0
n
0
0
t-
O
t_
U
,1
>
0
U
t_
E
0
EL
E _ _
n
,, _ '-_
•-_ ' _
u
u _
t-
_--_ _
_ _ .-_ _ _ .__
• _
Q; _ u
0 u
_:_ -_
_ _ _-
_ g
E_ _
_J
Q;
_._
o _,
.-_7 o _
._.- )
_o u.m
<f_
g
I
.._ _
_ •
_ r _
r-
U
@
Ul
c-
O
_'_ o_
e,,, t_
-J
•.& ,,.,
E _
t_ e,"
X ,_
w
@ C
"- I.LI
O
m
.=
@
,. O _
li' "w _ ..
_ ""
_8
_e
i'
O _
e- o
°_
e'-
_ O
_ °_
<1) -_
.-J i_.
o_
E _
X
wE
@ O
O
_2
E
e-
.J
o
AI
o
_J
tt.
N
V
Vl _-
<
--., Vl
II w
__ <
_ w II
_._>_
51
(,t)
°m
>.,
m
,t-
,<
e,,,,,
n
e,,,,
0
,i
X
UJ
i-°
o
g g
Z -= LU <:
1 1 T T T
14.
-,m
,j
VI
v_ "I_ <
,"3 II
< ._ '_
° 0 v 0 _
_._. . ..I..n v_
- 1Z.VI
o+-,'
I[
o
52
: A Vl¢
__ -t- +
0 < _ '-
o _ ? _ -_-_
_: .? n _ n _ .,
.-_ -- _.. V. _ %' V
0 '_" _ _ "_- Vl -- Vl
°m -_
"_ v . = _ ._ v
¢- .,, _ _• v V_ _ v
v < Vl <O Vl ,( _. --(,.) - o - - C
II II > .-_ v_
v
0 < < +
:_ -.-7, ---.--
t_ -- -- Vl
f_) Vl Vl _
0 _.'.> __ ">
13,. -. _' n I_
t'_ Vl e _
e'- ----'. ._ _ v
0 v Vl t_
• m _ Vl
,,_ < vl -
0 II 4, < V_ <M o_ = -
r- n n vi _
v II0
-_ _- <
(,_ vii n w Z
'I I -- "_ "_ Vl
'4,-- < AI VI ..
"_" _ _- - vl
AI -- .
<
_ ^, £
Ill I_ ill
q
u'l
b9
0
n
c-
O1
C
i1
N
I1
e-
_o
, i°i
0
£
t-
O
0
Z
."
.-- _ t""
.__ _ _ _ '_
_.,- _=- = _ L_
X
¢n g Is
u 8_: E
o "_ 8 _,
a_ _ _go _g
°_
_ -
.i "0 0
0
53
gl
t_
E
n,
ol
C
,w
"0
m
c
0
U
>
0
n
E
L_
0
e-
u
t_
U
,m
e-
e-
o_
o
>
o
0
0
u
$
'0
e-
_ ._o
_ .--
I I I
m
o
,w
0
m
r-
E_
@
.-. _.. =
c o ._
o "g
E _ v
°i .o
"_ _
__ _
54
The FAA DFCS Handbook
Formal Methods Chapter
John Rushby
SRI Int(u'mttiona.1
55
o
o
z
ea .O
4_
E u_
LL
n
0_
v-I
D
D
<
G
0
e-
"O
C:
._m
n-
n
<
U_
Z
e'-
U_
n,
c=
e-
<
_o<
u_U
c E v
cu_
c_ :E
E
O
u
u
56
•o _ o_ _ e_. _
® .. c -_ __ _:
RO _
"-- _: 0
•- _ _'_
t: _
O >_ .- _
"o ,-
., i'I
< _'_
• •
_ 0
0
.__ _ __ _°r-
'-- ,_ oll
u _ _- u_ _ _ u_ "0
: '_ - o
• • • •
J::
U
0
e-
E
u.
E
Q;
,_ °--
c_ U
_5 .u
4a I,_
.--
e"
_0 _'_ X
"0
0
U
e- "0
0
E
a.a
i
U
"0
_J
r"
,4
W--
.£3
"0
o
e-
E,-,
_ m
e0 CO
E_
v
e-
._o
U
o_
O_
U
"0
e-
£.
e-
o_
o
£
._u
E
u
o__
0
oJ
o_ E¢0
_, _>
u
v
,6.,
.o
E
o o 0 o o
L_
6
a_
h.
6
C_
E
O"
"0
¢0
E
q_
"0
0 :
0
!i
CO
h-
?
o
_3
o
c-
o
aJ
u
c
0
U
u
r-
t'N
g6
,!i
g_
_'_
e-
0
u
U
E
g.
e-
"0
"_ O"
U e-
0 _
"1_ e'-
E_
o ._ _
o
,q-
0
e-
E
E
e-
0
E
0
r-
E
_5
6
0
Y
u o_
_ _- 0
_ _ ,__
_ o
t- ,--
m _ _ _ u.
e-
_I 0 0 0 0
E
0
tJ
kJ
f_
0 _ U
•-_ _ _
_s
o o
U
57
= _
u ----
_u '" =
- = _ 0 0
_ ie_ g
E _ E o
__ _=_ __ _ _ 0 0 0
o
N
P_
N
e-
0
£
E
t_
E
e-
v
e-
e-
U
_ _.-_ _ _
o _ _
0 0 .-
u a. _J 1
i]0 0 0 0 0
O.
e
_m
_D
tn
0
£
E
E
_- tn
o_
m
,1
E
tO
o _ > _ .__ ._
E,_ _ E
b-Oo _,_
-_ _ _ o
,- _ -- • ._l O.
0
2 ao'= _o >
._ . = _o,_
o, .o
_l Q. U w n U
o E
E _o
o _ _ _ E
_ o _o
o _ _!
fl,_
=
Z
58
CO,
o
0
.w
>
C
.9
U
.m
O.
C
0
0
7-
C
0
U
W
0 0 0 0
"0
v_
O_
.C
v
aJ e-
0 0 6
<
o
J=
E
U.
0
4,,I
U. C
o
C_
u_
Z
o
ol
Ch
f_
o
,-J
r_
.9
tfl
o
O.
N
L_ t_
<
0
e-
E
0
u1
"0
0
£
a)
E
E
0
Z
c_
v
0
e- . ,__
0
t.-
C
E_
E
N
e-
?,
E
"0
E
o
t.-
4-,
o
.u
0
E
0
C
0
.w
0
U
8
o
E
U
t.- .w
o _ _
.- 0
e- i1_
_ E
_ 8
• •
e-
• <
59
W
"0
0
:E
m
0
0
0.
,<
U
E
o
u
.x
C
£
¢.
LLI
U
<
U_
E
U')
Q
,tJ
E
E
0
.,C
E
E
.2,°
t-
O
4_
"0
£
C:
C:
z
o--
,,- E
0
:e'5
._._=
_E
o_8=
<88
£
t-
O
a..
9
"0
t_
P_
g_
0 r'-
_5
_o_
"0 "0
"5
'S
O.
0
_tJ
t_
>
<
o
¢.
.8
,9.0
:E
oI,,I.
o
o
'S
"0
t_
C
0
,m
¢--
8
"0
C:
O_
.g
--I
>,
E
=.5
O.
U")
,z"-
"0
0
U_
,<
6O
I:
0
M
"0
0
e-
E
0
o_
o_
C
#
E
t'-
I-
" "0
"o .->'
C ¢" 0
•-__ _ _
X
£
0
.1=
E
0 _
_ E
> __
m C_ E
e0
"a_ _,X
.£ 8
Survey of State-of-Practice
Formal Methods in Industry
Dan Craigan
ORA Canada
61
Overview of Presentation
Survey of State-of-Practice:
Formal Methods in Industry
I Purpose, sponsors and researchers.
• Method for conducting survey.
Dan Craigen
ORA Canada
dan(_ora.on.ca
NASA Langley, Virginia
11 August 1992
• Cases: An overview.
• Example case: TCAS.
• Example feature: Tools.
• Observations.
Purpose, sponsors and researchers
• To provide an authoritative record on the prac-
tical experience to date.
• To better inform industry and government
bodies developing standards and regulations.
• To provide pointers to future research and
technology transfer needs.
• Value added: Case studies and analysis.
Purpose, sponsors and researchers
• AECB, NIST, NRL.
• Dan Craigen, Susan Gerhart, Ted Ralston.
62
Method for Conducting Survey Process
• Initial questionnaire,
• Literature review.
• Structured interviews (Second questionnaire).
• Raw notes, case report, review.
• Review committee.
Method for Conducting Survey
Questionnaires
• Initial questionnaire and structured interview
• Organizational context.
• Project content and history.
• Application goals.
• Formal metl_ods factors.
• Formal methods and tool usage.
• Results.
Method for Conducting Survey
Analytic framework
• Product features.
• Process features.
• FM R&D summary.
• Key events and timing.
Method for Conducting Survey
Product Features
• Client satisfaction.
• Cost.
• Impact of product.
• Quality.
• Time-to-market.
63
Method for Conducting Survey
Method for Conducting Survey Process Features
Process Features • Design.
• Cost. • Developing reusable components.
• Impact of process.
• Pedagogical.
• Tools.
• Using existing reusable components.
• Maintainability.
• Requirements capture.
• V&V.
10
Method for Conducting Survey
FM R_D Summary
• Methods: specification; design and implemen-
tation; validation and verification. [uses]
Method for Conducting Survey
Key Events and Timing
• Starter.
• Tools: language processors; automated rea-
soning; other tools. [tools]
• Recommendations to FM community. [needs]
• Booster.
• Status.
11
64
12
Case's: AH Ovo0vi_'w
• CASE
- SSADM toolset; commerci,,l; Z.
- 340pgs Z/English; 550 scl_emas;
37KLOC obj. C; 16.5 lines/day
• CICS
- Transaction processing; commercial; Z;
PS/2 tools.
268KLOC new/modified code;
50KLOC traced to Z sl)ec_;
9% improvement in cost;
60% reduction ill APARS.
13
Cases: An uvervlew
• Cle;lllrOOll_
COBOl_ structuring and Attitude control;
conlmercial and government;
functional specs, and testing. [Method]
- 80KLOC; (20KLOC reused; 18KLOC
cllanged; 34KLOC new)
- 34 lines/day; error rate of 3.4/KLOC
(I/20tll industry average).
• Darlington
- Shutdown system; regulatory; A-7 style and
program function tables.
-SDSI 1362LOC Fortran; I185LOC As-
sembler
SDS2: ]3KLOC Pascal (??).
14
Cases: An Overview Cases: An Overview
• LaCoS
- Engine management and a distributed con-
troller; ESPRIT and commercial;
Raise [Method].
• Multinet Gateway
- Network security; NCSC; GVE, etc.
-- 10pgs math; 80pgs Gypsy; 6KLOC OS.
• I-BACS
- Smartcard security application; security; FDM.
-- 300 lines of FDM; 25001ines of C.
• Tektronix (oscilloscope)
- Reusable software architecture; commercial;
Z; Fuzz.
- 200KLOC of code; 15pgs of Z specs (twice).
• SACEM
-Automatic train protection system; safety
critical and RER; B, Hoare triples; B tool.
- 9KLOC verified code; Total of 315,000 per-
son hours.
15
65
• TCAS
- CAS Logic and surveillance; regulatory; state
charts with DNF tables.
-?KLOC of pseudocode; specs about the
same size.
16
Cases: An Overview
• Transputer
-T-800 FPU, VCP; commercial; Z, HOL,
mathematics.
-- FPU: 100pgs Z; 4KLOC Occam; VCP about
106 states.
Example case: TCAS
• Traffic Alert and Collision Avoidance System.
• TCAS I, II, III.
• Congressional fiat (1993).
• HP-A[B
- real-time data-base; commercial; HP-SL.
- 55pgs HP-SL; 1290 lines of spec and design;
4390 lines of code.
• Grand Canyon collision.
• Time span from early 80s.
1990.
Leveson in June
17
TCAS-
• Playersi RTCA Inc. (SC 147), FAA, UC lrvine,
Mitre, Lincoln Labs.
• Interview profile: Leveson, Nivert, Lubkowski,
White.
• CAS Logic and surveiilance system.
• 7 KLOC pseudocode.
• 700 pages English description. [Terminated]
• Loss of intellectual control.
19
66
18
TCAS
• FM for safety analysis.
automated deduction] _
{model checking and
• Statecharts.
• DNF tables for conditions.
• iteration on notation.
• Strong support from SC 14Tand industry.
• Currently at IV&V [15 pys over 8 months].
20
Product real ures
Client satisfacticm t
Cost n/a
Impact of product n/a
Quality n/a
Time to markel II/LI
General process fe_ltures
Cost n/a
Impact of process -t-
Pedagogical +
Tools n/a
Specific process features
Design +
Developing r. comp. n/a
Reusing r. comp. n/a
Maintainability Ilia
Reqts. capture +
Vc_.V n/Li
TCAS (Key Events)
• Slarter: FAA seeking better rqts. for deployed
and troublesome system; Leveson looking for
demo project.
• Booster: SC 147 willing to accept new ap-
proach; Readable notation.
[
• Status: CAS Logic formalism and pseudocode
in IVY. Surveillance logic current.
31
22
TCAS (R&D)
TEAS (R&D)
• Tools: LaTeX.
• Uses: Mod. to Statecharts
- Concurrency as parallel slate machines.
- -l-abular notation.
- Specs. reviewable and IV&V.
- CAS Logic from pseudocode and Englisll.
• Needs:
-- Safety analysis tool.
- Automated deduction and model checking.
-- Well-formedness checker.
-- Foundational issues.
• Conclusions: successful transition and applica-
tion.
23
67
24
Tools (Usage) Tools (Usage)
• CASE (SSADM): Prototype Z parser and type-
checker.
• CICS: PS/2 based toolsuite w/ editor, type-
checker, semantic analyser (Z).
• Cleanroom: Editors, waste paper basket.
• SACEM: B.
• TBACS: FDM, scrolling, pencil and paper X-
ref.
• Tektronix: Fuzz editor, typechecker and pretty
printer.
• Darlington: Microsoft Excel.
• TEAS: LaTeX.
• LaCoS: Raise toolset. • Transputer: Occam transformation system, in-
house refinement checker.
• Multinet: GVE, Extractor.
• HP: HP-SL syntax checker.
25 26
TOOLS (Needs)
• CASE (SSADM)" schema expander, enhanced
editor, browsing and X-ref. TOOLS (Needs)
• CICS: schema expander, semantic analyzer (for
all Z), configuration management.
• Cleanroom: Extracting and tracking verifica-
tion events.
• Darlington: automated deduction, PoG, book-
keeping.
• LaCoS: Experience with automated reasoning
tools.
27
68
• Multinet: Better automated deduction, improve-
ments for industrial scale, soundness, better
notation. _
• SACEM' Better integration with other V&V.
• TBACS: Better interface; large expressiOns and
many proof steps.
28
Tools (Analysis)
TOolS (Needs)
• Tektronix: schema expander, refinement proof
tool, pre-condition calculator.
• TCAS: safety analysis tool, automated deduc-
tion, language checker, sounclness.
Did tile formal methods tools help or
hinder the development of the product?
Were the tools reliable?
CA CI CL DA LA MG SA TB TE TC TR HP
- + 0 n/a 0 0 + + - n/a + 0
• Not a large role (lack of tool support).
• Transputer: refinement cl_ecker forlarge state
spaces.
• HP: Language checker and belier notation (not
ambitious! ).
• Problems due to newness and primitiveness.
• Need for language clleckers, bookkeeping.
• Don't be too ambitious.
29
• Automated deduction in critical applications.
30
Observations
Features:
• Definite positive influence on design, require-
merits, V&V, and pedagogical.
• Positive influence on 'in]pact on process' and
quality.
• Neutral on COSt.
Observations
Formal methods
• Metllods: state machine; 1st-order predicate
calculus; reviewability; complete refinement.
• Tools: Language processors; bookkeeping;
browsing; x-ref.
• Needs: Integration with other V&V; concur-
rency and timing; lower barriers of entry.
31
69
32
Availability of Report
• Availability within 2-3 months.
• Send email to dan(_ora.on.ca, or mail to:
Dan Craigen
ORA Canada
265 Carling Avenue, Suite 506
Ottawa, Ontario K1S 2El
Canada
33
:7-- .... _;_ "_ " _ ...... L_ :
=
70
Formal Modelisation
Susan Gerhart
National Science Foundation
71
Modelisation
Sure you've proved it correct,
but what does the system REALLY do?
Susan L. Gerhart
sgerhart@nsf.gov
Subjects:
The SACEM Case
(continued from Dan Craigen's presentation)--
how FM was embedded in an industrial process
Issues of "modelisation"
Software Engineering for a
"Formal Methodist"
Requirements .................. M_ema[_ _1 of the system U_t alk)ws
property exptoratmn
•,_oecirlca_n .................... "the system" expressed m m3thum.alcal
notalions
Design ................................. Operaf_0n decomposilio_s and dala
refinements
In_IplemenfallO,It ........... Code • Asse_ons • Assumpuons
Validation ........................ Spec, Execution or _ools of prop_rt=es
Vet;rcalLk)n .................... IdenlilicallOdl and discharge Of cur reclnos,s
obligations
Documenta_ ................ Prose and dcagrams thai go wilh the
mathematical nofalioe]
Life Cycle .......................... Gel the spocifi¢,,3tiOn righl and agreed upon
Background Point of View
SACEM:
Train control for the Paris Metro
The Job,"
Shorten the irain intervals to 2 minutes to avoid a new Paris line
nd
_nvince me Pa;=s Transi! Authonly the system was safe
_J_ up an internalional business in safe train conlJ'Of systems
Who."
GEC_'Matra/CSEE + Parts Tran=t Aulho¢-ily
The Process:
I _ ............................ _ had to go with new soltwale and
hardware
Explored fault loierance, discovered woof el correclness led'=niqoes.
did safely studies
1_ ................................I;_ilt prototypes.
verified code one w_y,
found new way 10 sperry and vellly.
worked w_th authorlt;ss to demonstrale safety,
brought on-line
I_ ......................... ¢k_monsltated capability on Othetr systen_l.
commorciaJizing tools used in the p_
The Results:
Vur,ficdl_on was clem_nstrated as an eddilion [o simulation, without
excess cosl ar_ with s_J,'lificant added assurance
Spec¢ficat,Dn dnd mc-defisalio_l malured and an ir_lustrial process
was defined
SACEM System
Salely Cunts
Tram "A" TFa_ _8"
!
ChaJienge$:
• Different kinds ol *roing stock" to deloct,
some protected and some no!
• VariatK)ns in track-beae(_ lechnofogy, tunnels & m/ors.
• Gelling the train "home" when it's system does lail
• Encoded si_e procsssa¢ (rather than complex synchmnzz_,<l
multi-processor) -- as fad.sa/e as possible
72
SACEM lessons for Formal Methods
An industrial process has been put in "place that is evolving
toward
UIKJerslOOdand documsnled
Me:=sumd and luedictable
Regarded as cost _tloctive
Tool sul)portud
Probably comparable Io MoO 0055
Many lechniques can play together,
(although not in concert yet)
SADT I_ gsaphical syslem decomposition and analysis
FSM (Gtaf_.,_) s_ulatoq
Hazard a_alysis
Gperat_nal sc_nartol (SO0 o_ tt_m)
ReaJ tkne dasign sl_tutalio_1
ProlOly_ system
Code venflcalion & specification roii.emenl
Technology Transfer problems could be overcome
A m_nager umJefslood _nd SluCk wdh it
The coslomor was educoled (and did lhtHr own lh_g)
Proving could bu cred_y comprom_sod
MOCJutis;JIiOflW_l It'Jip _;yl_t|leSlzetheir Io_,.;ulIs
SACEM Background
maintained spe¢ outermost guided by dew
vwv refined down vVW
until too detaded
until too sophislcated
maintained code innermost Iollowl_Cjho;_dors, not
Total: 315,000 hours (V&V = 1.5 x Development)
formal prool 32 4%
module lus_'tg 20 I%
funciiona! testing 25 9%
re-specification 2t 6%
Vslldsflon Ellort
/J_lla_3Ja_Nu_ of p_ocoduras proven |(xmaUy: ! ! ! 2 !
Nun_ of procedures oov_ed in so,. global t_ts !20 33
Number ol p_ocodures teslc,_clsomf g/oba_ 79 67
IN=,._,_,p_.d.,ost,.t_ _y ....... tO. t67
Modellsatlon
The process ol gelting all the stakeholders to understand
and agree that the working description conveys the
intended system. Subsumes requirements analysis,
mathematical modeling, etc.
In SACEM,
TrKJuk ItainS. beacordl, encoded mpmc, .
Salely pnnc_es
The description nolalK)n ilseN
The OfOCeSSOI using the doSr_iptlon
Problems encountered with modelisatton in SACEM:
L_c_'_oue code des_,ll_k)n di_Iconnocled tro_n 3h_ Iheo_em"
Co_Jn'ency _ficu_t Io e_l_'eu in to_ tov_ n_d_
Ddf_anl reptesunlabo,ls, dilletent ana/ysas wa,'o used for
assurance (roe _okJ IL_)
MlUly kiNdS ol system vlewl: c_ti_o_r, rmhv W sv_lch41tg.
mlcrowocussor developer,i_mal vurfl|o_
Relmemunts were OK. bul mute was a code gap [now
generated)
Carry-over from Requirements
Analysis
Given a language and tools, how do you express the
requirements and mode/the system 9
Translate English and diagrams to sets, logic, etc
and translate back and forth, but
how do you reed and civ,_..kmuse?
what diagrammatic tech_KlUeS maWn FMs?
CORE, JSD, GIST, SADT etc provide:
sla_;_ard lyslem topresenlal_ons
ways Io get ddle_l v_,uwl:_r;_s
domain modeqng tech#dques
Software process modeling offers:
Guidelines _ use
_S|S lot"do_ ¢olktctlOqal_ UVOIIIu_I rtt_ltlCs
Oppo_unllios Io_ IITIUCfJIUII4JI_I, U 0 with I_L,III_
IBa._Capf>oar0_lca Ot /llLIri;.Igll,.Ibillly
73
Modelisation Process
identification
Enulie$
Constraints among enUlies
Operations arzd their parameters
Representation
Enb_es become values of a type
Types must be defined to co_strucl, modify, and examine their
CODteNIS
Repzesenlat_on issues are conzzdered, e O. orde[i_l, du_Zk_,
ptirmtNe types, alfnOu]es
Acld+tional properties of the data types Item requirements
Operations defined with their parameters
Restnctloes _e expressed as preconditions
I1$ effects &re defme_ in terms of p&ramele," values bef_e
afl_ execul_n
Syslem inv&rianls are formulated from pro_B_de$ _ the $_em
iS requ_ed c_ expecled to have
Im/&r_ants are proved by ir_ectJon;
(And a collection o/definitions is built up)
SACEM Case
"Complete" application of form a|method_
Shows us potential for integration of FM into broader
system engineering
Displays interaction of problem domain and formalization
Modelisation
Process aspecf to add toFMs as languages & tools
Integration of standard computer science with application
domains ...................
Challenge to FM Vendors:
write down your process model
and
show how modefisat_n Fs peit-On'hed
74
The limitations of the model are identified, e.g.
Omitted opmations = data delads
Irnp&_t derm+tion5
Aesump_0n$ about ine op&razmg errv=ronrnent
(system and users)
D_gtee el co,"K:urrency expressed
Reliat3_li_f of comnl+JniCallOn medal
Performance, rerv01,_'¢_, and ,_ requlzsmenls thai musl be
met by the imptementslton
A plan for using the model is developed, e.g+
Id_NJfyin_ the ri_iesl Of leasI UflCk)t_OOd _ lot+ fL_rther
anak/sls or refinen_nl
lintel1 IOward more exlensNe mod_$
Formal l;_of _ propert_s of the
Val_atfon. eg.
Prololyp_ Irom Ihe model
RevteW$, inspections+ and other peer analyses
AnlmaUon of the mode++
_&rlarlos IO sli_ulale response Item cesrorrlors
Formal Methods Technology
Into FTPP
Rick Harper
Charles Stark Draper Labs
Insertion
75
Formal Methods Technology
Insertion
into
The Fault Tolerant Parallel
Processor
presented at the
Second NASA Langley Formal Methods
Workshop
11-13 August 1992
presented by
Rick Harper
Advanced Computer Architectures Group
The Charles Stark Draper Laboratory, Inc.
Cambridge, MA 02139
NASA Folmal Uelhod S Workshop _-13 Augul4 I_J2 NASA rorn'dl Methods Wofksh_O ! 1-13 A_;lusf 11)92
Forma[Methods Technology
Insertion into the FTPP
Objective:
Use formal specification and verification of
critical FTPP hardware and so,ware
compoPi-_nts to reduce the Incidence of
com-mor_-m0de failuresdue 1o specification
and implementation errors
Formal methods do not help avoid many sources
of common-mode failures
environmentally-induced faults: EMI,
radiation, heat, water, corrosives, sand (!)
Formal methods are not the only solution to
common-mode fault avoidance, removal, and
tolerance
Mature components, standards c0mpllance,
design automatio_ooTs, ruthless per-'_ecution
of complexity, conservative design practices,
simulation, testing, various CMF
deiec lion/re covery-mec/lanls-m s
76
Fault Tolerant Parallei Processor
High-throughput high-rellabiiity/availability
computer for hard real-time applications
Uses many Processing Elements (PEs) in
= =
paraltel for high throughput
Uses redundant PEs for high reliability
Tolerates erbi|rary failure manl3eslatioils
(" Byzantine Resilient';)
Designed primarily to tolerate uncorrelated
hardware fauiis
Programmed in Ada
Fault Tolerant Parallel Processor
(,FTPP}
Can trade throughput (parallelism) for
reliability (redundancy) in real-time
Can be dynamically reconflgured to optimize
mission reliability end availability
Supports mixed simplex, triplex, and
quadruplex rodundancy
Allows heterogeneous processing resources
Parallelism _ transparent to programmer
Fault tolerance _ trantparent to programmer
Current FTPP Applications
"The Army Fault Tolerant Architecture (AFTA)
Program"
Funded by: Army Electronics Integration
Direclorate / NASA
Application: Helicopter TF/'rA/NOE/FCS
"Heterogeneous FTPP"
Funded by: Army Strategic Defense
Command
Application: Battle Management
"Fault Tolerant IMU Processor"
Funded by: s commercial aerospace company
Application: IMU processing
"N_"A Forn_ll Methods Workshop 11-13 August lffi)2 [ N-_-C_A"Fomtll Mothodi Workshop I I- 13 Augu'_'_ 9-9:_ 6
Cluster 3 (C3) FTPP
Third-generation FTPP
Processing Elements
Support 3 to 40 PEs per clusler
680x0sf 80960s, MIPS R3000s, i860s, or
DSP32C signal processors
Network Elements
100 Mbit/sec fiber optic interchannel links
facilitate fault conlalnment and physical
dispersion
Standard bus interface to Processing
Elements
Software
XDAdeTM-based operating system with
CSDL extensions
FTPP C3 Architecture
NAIA F0emld Melho(Jl WorilhOp 11-13 Augull 91_ • NASA F_'ra¢ _! Wor s_o# f 1-13 AU_lUOl t992
77
Layered View of FTPP Components of FTPP Suitable for
Formal Methods Insertion
Processing Elemenl
Network Element
FCR Backplane Bus
VG Synchronization Software
Task Scheduling Soffware
Intar-VG Communication Software
FDIR Software
}_]_SA Fo_al_h-_'mp 1!-t3 August 1B92 g Formal Mlthodll Work shop 11-13 Au_t 1_2
Processing Element
Formally specified / verified mlcrop_0cessor can
be used in FTPP
Processors inter_ace to _PP over Standard bus
(e.g., VMEbus) , : : :_: : _._
Not all processors in FTPP need be formally-:
verified
Could use small number of formally verified
processors to form quad or triplex Byzantine
resilient core VG which runs e simple verified
kernel
Core VG responsible for mo_llt,_dng other
VGs (including CMFs) and resetting offenders
Using vo__=_t _apabUfly-or_lE ......
- Throughpul O! core_fG-not_rSsue...c-an get
desired throughput adding higher-throughpui
VGs in a heterogeneous parallel processing
All VGs communicafe-us[n_BRVC: ::
78
Network Element
Executes performanc e-critJca_Byza_tln_ ::: ..... :
resilience algorithms ....... _ _ :
Provides BRVC abstraction :::
Generates vote, FT_C._ltnk. and other syndromes
All components execute specifiable and verifiable
algorilhms
Bus interface
Voter / syndrome accumulafor
FTC
Global Conlroiler
Scoreboard
Substantla i body of related work from formal
methods community Is relevant to these functions
_J_r,_J_ F_rmd I_thod_ WCZfk/lllOp t-1_-1_=_92 12 "
!
=
=
m
Network Element Architecture FCR Backplane Bus
Backplane bus used for PE-NE communication
NE partitioned Into bus-dependent and bus-
Independenl sections
Can relrolit NE to formally specified/verified
backplane bus by modifying bus-dependent
section
Formal model of backplane bus needed
Backplanes are a common component of
many systems
A formally specified and verilied backplane
could find wide use in critical syslems
Powerful building block for ullrareliable systems:
Formally specilled and verified processor
resident on formally specified and vorified
backplane bus card
Byzantine Resilient Virtual Circuit
Inter-V, G Communication Abstraction
a
,ml
_,11.¢ Y[h t
17 ii
_ e
,ld,.(. J
.... kl_,lltl',I II
JJllll_ll lenl by non-faulty members of s source VG Ire
(:orrectly dei|vered ¢o the non.fluffy members or rec|pMnls
Non-faulty fflembers of recipient VGI receive messages In the
(wlhlr eenl b)_ the non-feully members ol the _ource VG
Non-Ilully nlemberl of recipient VGI rSCSlVe messages in
|dlnlicll order
The IblOlull l|mel ol arrival o! corrl.apondlng melelgel el the
members of recipient VOs dllter by a known upper bound
The time between I '.'slid message IrXtnsmlillon request and
ntllllgl delivery pGnllnl a know. upper bound
The BRVC !=blllrection Is supported by the NEe
VG Synchronization
VGe are synchronized upon periodic timer
Interrupts (e.g., at 100 Hz)
Timer Inlerrupl$ occur within a bounded skew on
ell members of VG
Upon timer Interrupt a VG performs a
synchronizing act (I.e., message passing using
BRVC)
Send message to self
Await reception
I P,I(_Mcmt_r
o
I-......,,--'t
I
" %t_,lhll_ " IIm_
79
Rate Group Scheduler
FTPP (:3 ueas tinmr-boead praempllve tale group
ichoduter
Vm'kmt of rate-monotonic scheduling optimized
for Itecltive talk luitsa having harmonic Iteration
rates
Teaks Interact only ¢ frame boundacm
P,." :--H--_ :|,-F;._ ':k-- _,N.J.---I
FTPP 05 echedzdee appropriate ta_s st each
#m boundary
7_moikxmdwy I Comp_tld _ SUlnld RGI
4. :1. 2, I 4. 3, 2, 1
4 4
I-3 4, 3 4+ 3
4, 3, 2 4, 3. 2
4-S 4 4
Inter-VG Communication
FTPP tuks communicate using message passing
q[ueoe,, millage 08 _ places message onto
outgoing queue to NE
FTPP O8 determines desUnatlon VG from task-to-
VG mapping table
OS lranmits message queue to destinatinn VG
using BRVC
Recipient VG's OS reads message from NE and
places Into destination leak inpul message queue
=et.¢LeYe_.lmllsage as csll accesses appropriate
lask input queue and deUvers message Io Ink
All schedulise and inter-VG communication
assertions are indeoendenl oJ YO redundancy
level
FDIR
FOIR partitioned for valldatabtllty
Local FDtR runs off each VG
symm _m ran,,o,id,s_nai'd_a (e.g,,:
fonm_ sedaedvo)
Alg_rilhm:_........... : .........
Loc_Foe
Execulea soil _sfs
Scrubs RAIl (h-_k_p+ndent of
chareclerlst_s of nppllcat_n task suets)
Periodically frammllts self test resuiis is
syslem FDIFI via "presence message"
System FDtR
EseminH con_mts Lqd syndromes o4
preleMcs nlessa_es to diagnose senders
Failure to receive presence meSlage within
bounded _ impt_le common-mode failure
O4eancle(
Many recovery polick.I possible in FTPP
Reduce redundancy level
l_mlegrat, feu_l_edc_ponent
Rep[ece fauJted +omponent with spare
System FD]R_llerm_-_es epproprbter_very _::!
tmnmrnt_ recovery commands to local FO_
.ed.++vm+r..........:
performs gk)bal sysiem-level recovery
Musl M |hal iys|em FDIR determines corre_
recovery action as s function of diagnosed
component
Mull show thai local or system FDIR correctly
ca_rles ou( q)eclfled recovery
80:
Heterogeneous Kernels on FTPP
Not all kernels tn FTPP need be Identical as
long as they can communicate using BRVC
FTPP can host rate group scheduler on
production VGI and small formally varified
kernel on formally verllled VGs
Message aassln_a throu_oh BRVC subsumes
synchronlz!tlon so Ihe formally verified
kernel would not sxD!!cllly Perform
synchronization of redundant sites
The formally verified VG would execute the
system FDIR function
Work in Progress: Scoreboard
Specification and Verification
Currently collaborating with eRA to formally
specify Scoreboard
Scoreboard Is s crlllcal component of FTPP
Comprises approximately 50% of NE circuitry
Enforces BRVC abstraction
Business Model:
FM experts working closely with engineering
staff having little exposure to formal methods
Separate funding (Draper not specifically
funded to collaborate)
Scoreboard described in VHDL and constructed
using aulomated synthesis (Synopsys)
VHDI. used as common language between Draper
and eRA
_TAs--"F'__, _-_----_'_'-';( _-_
_iSA'F"_'_--_II Workshop IS-13 AuguSt Igg2
Conclusions from Scoreboard
Specification and Verification
Formalization of Scoreboard requirements
uncovered several specification omissions and
ambiguities
Collaboration would have been closer and Impact
on design greater if Draper had been specifically
funded to participate
Incremental cost on a $2.4M brassboard
development program Is small
Benefit to cost ratio is very high during the
conceptual study and dalaJled design phases
Work Planned and Critical Needs
Work Planned
Components similar to remainder of HE (i.e., FTC,
voter) have been formally specified/verified
Would like to adapt this work to FTPP
Actively seeking FV processor to design Inlo
FTPP
Planning to develop selected subset of RCP
software for FTPP
Viable processor
Formal subset of VHDL, with nonempty
Intersection of syntheslzeabla and tarsal subsets
Continued formalization of FTPP NE
Formal model for FCR backplane bus
Formalization of critical OS functionality
Business model for formal methods insertion
NASA Fol'm_ Skimods Workthop l_'i_J "_--2_"
81
_ iL .........
=
.... =Z_ = i i L
82 _
Z
Formal Methods at
IBM Federal Systems
David Hamilton
IBM Federal Syst, ems
PREC£DING PAGE BLANK ROT FILMED
83
Formal Methods
Technology Transfer
Some Lessons Learned
David Hamilton
IBM Federal Sector Corporation
Second NASA Langley Formal Methods Workshop
Aug/92
Introduction and Purpose
• To cover
1. Some IBM involvement in Formal Methods (FM)
projects
2. A perspective on difficulties of.technology transfer
(beyond a single project)
Purpose is not to
- sell the "IBM approach"
- argue against feasibility of FM
Purpose is to
- learn from other FM technology transfer projects
- suggest some possible future directions
Contents
Inlroduclio_ _ Purpotlo ............................................ t
Hatlan Millz _ $J[W ............................................... 2
Clomv_m ....................................................... 4
SEDL ........................................................ g
_lepw lie Vet f ¢&( ¢m ...............................................
C1C$ ........................................................
rol_ (Vor f caz on ot ZSz) ........................................... "1:
Other PrOjKII _ AI_Cl4KIh_I ....................................... 1t
Piece on (_l;_/ (mid.Ill ........................................... 12
_um_ae, y ...... t3
Cone tUlliOcql ................................................. 14
Aue_ i
Harlan Mills and SEW
Mills led massive software engineering education
program
- Software Engineering Workshop was cornerstone
II 2 week course
JJ Taught to all programmers
II Required to pass final exam
SEW centered on mathematically-based verification
- Functional instead of axiomatic
II model oHentad instead of property oriented
II designed to scale up (stepwise refinement)
II easier for programmers to understand
- 2 pieces
1. Deriving program functions
II Trace tables (basically manual symbolic
execution)
II Recurson instead of loop invariants
2. Module-oriented
II abstract data types
JJ constraints/closure on state data (abstract
state machine)
Au_ 2
84
Harlan Mills and SEW ... Cleanroom
• SEW designed to be practical
- relatively informal
- scaled up via abstraction/refinement
- lots of examples and exercises
- final test : pass/fail
• Advocated for all programming, not just critical parts
• no support beyond education
• Named after silicon chip manufacturing environment
• Built on SEW foundation, adding
- Continuous inspections (SEW style verification)
- Statisical testing (MTI'F prediction)
• Advertised through case studies, not classes
- no tools
- no consulting
• General reaction was that it was impractical
- too tedious
- seemed only for toy problems
• Did not gain widespread use
Demonstration projects using highly skilled
developers
To demonstrate benefits
To show it can be done, it is practical
• Demonstrations projects were success stories
&ug,_ 3 Au¢,_g 4
Cleanroom ... SEDL
Showcase project was COBOLJSF
- Transforms unstructured COBOL into structured
COBOL
- 52,000 SLOCS developed using Cleanroom
- Results
II 740 SLOCS / labor month
II 3.4 errors / KSLOC (before first execution) (70
ave incl. UT)
II no error ever found during operational use
Advocacy of Cleanroom continues
- Widespread use not yet attained
- But there is a lot of interest in Cleanroom
o Intended to support SEW/Cleanroom verification
concepts
Built as an extension to Ada
SEDL compiler generates Ada
Supports design execution
- though SEDL generated code my be inefficient
Includes
- Abstract data types (set, list, map, etc.)
- User defined data models
II model vs. representation
II constraints
- Supports mathematical notation
II {X in CHARACTER : x/= "Q'}
n exists X in S : P(X) and exists Y in T : P(Y)
II P>l and not (exists Q in 2..P-1 : P rein Q = O)
• Use of SEOL is not widespread
85
=
Other Projects and Approaches Note on Quality Emphasis
Application above the code level
- Development of a "Box Structures" design
language
- Development of a "Box Structures" approach to
requirements
- Results
II SA/SO approach to design most popular new
approach
• Software quality has extreme emphasis
- Great emphasis on process improvement
- Serious attention given to quality goals and
measurement
- Quality motivaUon programs
II Requirements still written in English
Emphasis on SEW concepts
- Concepts generally well accepted
- Loss of rigor reduces mathematical basis
II awards and recognition
II Manned Flight Awareness program
• There is willingness to work hard and invest for quality
The question is not what or how much but how
- FM Is generally perceived as not helping
AWld_ !1 A_I_2 _2
Summary Conclusions
e
AW_4:
Goal was to Increase the use of formal mathematical
approaches to software development (beyond a single
project)
1. First through education
2. Then through demonstration projects
3. Then through tool support
4. Then by making methods more practical
5. Finally through direct support (consulting)
There have been successes
- not nearly as widespread as desired
This story is not unique to FM
- The problem is with technology transfer, not with
technology
Conclusion: Technology Transfer is very hard, even
with
- extensive education
- tools support
- demonstrated successes
Possible future directions
- More consulting ('hand holding') (product
champions)
- Use only a core group (FM may just not be for
everybody)
- Require use of FM (selected groups)
- Success story close to home
II technology transfer diminishes rapidly as a
function of distance
II long term committment is required (success
story requires continued follow-up)
- Different formal method(s)
- Different toots (e.g., theorem prover)
A_ll/_l t4
FiL/vi_D
87
== ==
]
=.
!i
88
Reliable Computing Platform
Ben DiVito
ViG_:_-N
pREOED_NGPAGE BLANK [_OT FILMED
89
0 0 0f. ,._
0
v
A
_U
j
i
0
k
0
0
9O
jj il
..u
_3
91
J• • • 9
J
:|
|
!
3
j I
J
z_
92
i
• n,,q
_d
o
!
lii t ]I
!
i
,l
i Blj
_T1..T
] ]
_r
i
_._. _
_-I_ _ -_
i ':F g
93
w--i
i
O'
!
I
_ r.. tl
_ ._.._
_ _ ..._o
_ _, __
__ _ _
o
C
g4
! i i
• _ "_..
°_ °- •
A
II
\
,.j
B
,|
z
!.i
i
i
i
i
.Z
!.i
a
.|
_v
r,.p
95
o!
l !
1°
j.I
!
._, t_
0
. _ ._ m
.,.'l
-- N
!i
Z
,i
96
¢
IP
tp
"7
"_ _e i
._. _ _
_.._ _
i !i:.
! :li
.... _ =
E
i[
tl
i
c
5
g
I iIi
i!l I! !l
'4='
o
o T
!
|
.(
c.
=
g
>.
J
jJ_:
• t
° :i
'' !
J
i
J
.2
• 97
!
r_
j
j. .i
|
jj
IiJ_J
" ii i
w
!
j_
.|
_j
j _ _ _
_ _ • . _ _ _.:
Ji _ _,,,
_ 4
III
.2
g
0
i i!i
.-
__._" ,,..
0j
4al
g8
_r
Ic
il. <
.I-,
•_ j _,_
•_ _.j
11
T_
" !i
.@ _i
i:
2.
_i
=
I, i
T _'_ _I
• _'_ i _!
__
_" _
_ _ _"
-i
,tl
.l
99
o p_ .o
o
"1' _1_.
_.- _ _ _ _ _
¢I
•= _..£
g _
_.,, -,_ _|_ <7"<
_ _"
100
=
Clock Synchronization
Verification and Implementation
Paul Miner
Systems Validation Methods Branch
NASA Langley Research Center
101
"i l!i
102
Oo
6llI
_I_ :-_
J_
<::...
.- C: -,_t_ _
c .- EbO w'N
P,
E_ , ,, , '_w _ uJ_
J
@;
C
- i_._ _ _
_._=
_.._ = .o.._
N "_
N
_= _= _ .__
v _, _ .__
°o_,'-- "- e
o:" "- g F_'b"
103
0i
.j
•'Io "_ "o
= £ _'._E m ._'_ .=
i
• • • • •
.&-.
13
0,.
;O
u
"o --
4..) "-- "_
._ u E •
® 8
d,
= 8
.E
e-
i
.i '-" °
__,_ ._ _ 8 .; _
-_ "E _ _ E
_ = _ _._. ._ _,_
•-, _= ,.- -_- ,.,
• • • • 9 • • •
0
N
,E
-_-_ _._ '_ _,-o
._ _0_ -_,-_ _
" ,_ o._._
-5 _ - •
0
m-d
!
c
104
.-_ _ _ ,_ "_'_ ._ .. _" •
__ .
T106
C
NASA's Strategy for Technology Transfer
Sally Johnson
Systems Validation Methods Branch
NASA Langley R,('soarch Center
PR£C_DING PAC._ BLANK i_,_OTFILMED
107
NASA'S STRATEGY FOR
TECHNOLOGY TRANSFER
by
Sally C. Johnson
NASA Langley Research Center
GOAL
Technology Transfer to hldustry
One of NASA's major goals is to provide tile U.S. aerospace indus-
try with the tools and techniques they will need to be world-class
competitors ill tile coming decades.
108
Tech lmlogy Tra n.s fi'_r
EXJS'I'JNG
FORMAl. M F.TI I( )1)."; INI)[ JS'l'l,tY
"['O()I.S & TF.I'I INI()IIILg NI'EI).g
,";YSTI':M I:AA
I)1,:.%1(;NI'RS
FORMAl. MI-TIIOI).S
"STArI'I ;. OF TI II- PI! A('I'I('I -"
Wc.'king with ll,_lll._l, ry
• Iloeillg I_111 Imrclwarl; verilic;ll.io,i
• Ih.,illz4 SVM Ilar_lware w.,rilirali,DH
• (:SI)l,/()ll A ._('l)l'(_J)llal'(I Illll'(JWlll'(_ Vi_l'i|J(';lt. ioII
• ()IIA Vl:rilil:alhJlL -I" Alibi _ll)l)lic_ll.i(_ll NIII'|.w;II'I} frlllii NASA (_o_1-
(I;ll'll iillll .IollJl._.l
- I,'o1"111_11nl)(;cilicllLiltn ;111(I vl.rili('lll, ioll o1" (:ahnldar Ill.ilil, ios
- Mo_h,-(,olfl.rol i)llll(:l I.gic of IIo(;itlg 7:17 (}Xl)l;l'illlelll.lll s ysl,(;lll
Sl)et:ilil_d itl I,;IITII
• ('lwrt_lltly IH.'sHillg i'lllHr_, I-'-,i_'_'t,._
109
Working with the FAA
• Digital Systems Validation Ilandbook Chapter
J Tutorial presentation to SWAT (SoftWare Advisory Team)
• Formal speciflcatioli of GCS application
• RTCA committee DO 178B standard
110
Verification of FTPP Scoreboard
and Spectool
Mark Bickford
()dyss('y I1cscarch Associates, Inc.
111
_0 _
t/3
112
t-
O
r_
L-
o
0
c £O_
.o ._ -o
o _ E _ o o
'_ > o o _ '_
o
CL 0 _ 0 _ 0 c
rl 0 O- 0 _ 0
_o rr co < a_ 0
_-:) _ _ (.4) _'_ _ E
0
0
J
(o
rr
Or
0
c
0
o
I;
113
J114
m
J
|
2
=
2
=
00
c
o
8.
o9
J
c/)
(D
115
m0 0 13 n 0 n
O_
B
0
_ ®_
I1 '+
u. _.1 ¢_ 1:!"
i+j++
=
=
i
116 ---
"0
> -
'_ 00 i E
v
b
O_ >
" E
E m
E o_ ,_ ,_ o
• × 1"
8 _ w
C II
0 '_
_. =
o rn
n n n n
W
Z
0 z
0 m ..
-_ >
c
p o. ._o
8 _ o
0 •
0 0 '-"
>, >, _
o o $
W
7
m
0
U_
Z
m
b
0
O
E
,--
),... O
O
O"
E
•_ )--
05
r- W
o
c
O
"o
8
o
O,
O
(O
8
o
t_
C)
117
C:)
0
I.--
0
o.
Q:
LU
118
,w,-
EU}
A (,I) (/I
A I}
CI) IJ,
IJ ", I (/)
o'} I) ,I "-"
{'}, , I ,I U)
II _ _ _: -,I
LT_ •,1 _
I_ _ t_ II i
0
-M _ 01 {/'J _ "'
(/) (D ....
04 I_I II
,--I _ tr_ e)
V 0 rl
:3 1,_ M .,I
_J O, V: :J
0 O, -,I I._
,.a: ,_ r,, _}
(D ,---
I:.
II I ] "
• j (-.]
o,] (n
-g
"0 .* 0
{-: O_
I
u) _ .I II
-,-I O
O '-.-"J I O
• (",1 U)
II to
II .. 4J ,-
,--., o9 (./) _ ._
L-_ _ • v {j} V
I
_) 1 ] I j E} 4 j
;_ :zJ ;J .,_ ::]
0 0 0 --' 0
(0 09 CO it)
• .i _.4
:,<:
-r.,I
m II
II
>¢
rd
v
r_ _-I
r_ rd
-H -H
[,, [_,
119
wE
' 1
120
0
0
121
00
122
I#l
I
(3
-" _(s)
_ _- Is) u)
(f) U) 0'l
4 I _.._, (/}
(D (1) _, ;j (."
II I) - I) 'l ul
u) _.1 (si ._; 111 >
. (]) ,:_ , I u) 'l
. ,, u ,) i .... ,l
() () (I) (ZJ ., m
is} _> :_ .l', n'] - ,j ..a
.... (ri II ( ) ,i, II u_ _t
i], " "_- .... I I
(1) ,t _ tll -__ (1)
.- ii . II :1 -,I [I
,I - ,i I J y. -,I l i b "
',1 l-J, :l -, _ I :1 I (tl II
II o _]) il _.1 +tt lJ n] til
v ,t _i) " " 0 1. _ ,C In "cJI" I) .,I I.i "'" --
il Itl $i _1 ,"> (-) 11
(} ,l" _tl 0 I ,. 0 _
.,I (I) i) .,I ,i', "' -,I (', I
w
II ;_j lq u) II ',' _l II ," 0 I
..... ctl ll'l ,, rll () u)
,_: ._:- .L: :,', ,I
_tl (l} iLl (t) _iJ _]J "
11';' Ii ;<' Ii ;"
,.1) (l) (1)
, I , I • I
[.. ( ) (,,)
II
& d
• ° !.], E
113 _ o
l_ _ " ""--m ._ m
.__ iZ_ f') ":
o em _)
Q) E jr:
_m "0 (..) I _ ca E
? T ? x +"q) _) u] --i
_.J _ 0
-- o_ 0_ I
-- _.m m x E
00 o__ ? 1" ? ? _- o,_ E
E _ _ '," '-" "," o _1_ ®E m ,-
(I) _ r- c- c- c- 0 _, _1 --
> o 0 0 0 0 _ m m
.._ ::3 c700
17 17 n 17
I+
ORIGINAL _ l_
123 OF POORQUkJ_ITY

Q)
(D
r T-
tO
r
E o
"r"
> > <
[3 0 0
"0
0
'--I
o .__ c_
_ ._ _ _ -_ E
m :-- ._.9. mJ3 > O "4"* >
q) el. O)
N = - _ -
o _ "_ E o o_
C_ T =_ < w I
0 0 0 0 0 0
12.5
R
u')
E _
_L .
126
o
_T
Boeing's Work in Formal Methods
Dave Fura
The Boeing Company
PRECE[NNG PAGE BLANK P,1OTFILMED
127
_O
"0
C
a)
W
0
!.,!!j i
iJ
i- 'Ji!!
!=
2
T
=
i
E
m
128
AC
0
Ib
iIij
0
J
iL
129
"10
0
0
E
ID
0
0
2
O.
O.
UI
,tr
ii
0
.J
0
Q.
x
Iiilii I w
li!#!
!II!1 -1
_. I _
Ill
- ! !
N _
i " =+t
i 0 o_
u _ O
130
"10
Or
r-C
E_
OO
u. ,,-,
"i !
•- _°I |i
!/ ! i"ii i
02
02
131
.i. n i
7 7
i.
z
132
DO-178B and Formal Methods
George Finelli
Assistant Head, System Validation Methods Branch
NASA Langley Research Center
PRECEDING PAGE _NK rlOT FILMED
133
a
z
0
ri-
m
I--
n-
!
'r: o-
°_o 8 .-
O_U U. ¢:--
0
-1-
I-
uJ
_1
n-
O
U.
C_
Z
m
cO
|
0
C]
I
m
0
- 'T,
E_® .--
134
uJ
I--
0
Z
..J
0
u.
Mm _
_ C_E
'" _._ o
o _
_ WQO
.,J ,_i "_. _.z_'_
el N
O
F-
ii
Z
_.9.
,.,1
ffl
O "
o_
,tn, ,.
o_
,.: N
I I
E
e4
_ °_
"8.0
® _ " 0
!i_ g _ o_
• • • •
135
: z
i
i-
=
136
Introduction to
the Boyer-Moore Theorem Prover
Warren Hunt
Computational Logic, Inc.
PREOEDING PAGE BI.ANK NOT FILMED
137
mr
i l i Ill
138
139
I!
140
z
|
|
m
141
142
|
!
I
=
i
i
÷
!
I
!
II
_H
143
iiiiiiiii_i......
_t|,l
2
144
145
it --
I
i46'
ri=.
_r'
Z
..o.
147
L=
=
!48
Introduction to PVS
Natarajan Shankar
SRI International
149
Specification and Verification using PVS
N. Shankar
shankar_csl,srl.com
Computer Science Laboratory
SR] International
Outline
This talk is a short tutorial on specification and
verification, using PVS as an illustrative example.
• Background to PVS
• Overview of PVS
• Some Examples
Background: Past Experience
Considerable accumulated experience on
verification at SR!
Systems developed at SR| include: Boyer-Moore
Prover, HDM, OBJ, STP, EHDM, etc.
Other Systems used include: Affirm, RRL,
Gypsy, Muse, etc.
Verifications include: Byzantine fault-tolerant
clock synchronization, Byzantine Agreement,
G6del's first incompleteness theorem, and many
others.
3
Background: EHDM
Designed at SR] around 1984.
A specification environment based on
higher-order logic with parametric modules,
implementation mappings, Hoare logic prover,
etc.
Theorem prover based on skolemization, manual
instantiation, and Shostak's decision procedures.
Example verifications Include: Byzantine
fault-tolerant clock synchronization, Ramsey
theorem, Byzantine Agreement, Fault-masking
and Transient recovery, etc.
C.-
=
z
150
Background: Lessons Learnt
Decision procedures are extremely useful but
only a small part of what is needed.
Highly automatic theorem provers are
Inappropriate: difficult to control, and provide
very little useful feedback.
Low-level proof checkers are inefficient (both in
machine and human terms), and also fail to yield
a satisfactory proof.
Logics with limited expressibility are easily
mechanizable, but place a large burden on the
specifier.
Some highly expressive notations are nice for
pencil-and-paper work, but might be difficult to
adequately mechanize.
PVS
Started In mid-19go.
The goal was to combine clear notation with a
productive proof development environment to
produce machine-checked, yet "humanly
readable" proofs.
PVS was primarily Influenced by EHDM, but also
adapts ideas on language and Inference from
]MPLY, Boyer-Moore prover, LCF, HOL, ML,
Nuprl, Yedtas, OBJ, and many other systems.
PVS consists of a core language definition,
parser, typechecker, and proof checker.
Contributors to PVS Include Sam Owre, John
Rushby, Friedrich von Henke, David Cyrluk, Judy
Crow, Carl Witty, and Steven Phillips.
PVS: Overview
PVS has been used to check proofs of
• the Boyer-Moore majority algorithm
• ordered binary tree insertion
• a version of the Schr0(ler-Bernstein theorem
• Byzantine Agreement
• a pipelined processor (due to Saxe), and
other hardware examples.
These proofs can typically be completed in less
than a day.
Overview: Decision Procedures
PVS proofs make heavy use of arithmetic
decision procedures. Any THEOREMbelow is
automatically proved.. CONJECTURESare either
false or unproved by decision procedures.
ar|thu4tic : TNI_ItT
BI_III
Z,1._: VU _Imber
arith : 11qrOP.EIq
x < 2*y AID 7 ( $*v II(PLII[S $,0= • tS*v
badar Ith : COl3ECTOlU[
x • 2* 7 J]l_ • • 3.1r JNPL]'I_ 3*x _ .17*v
badlrith2 : CONJECTUJ_
s<0 AID y_O II(IPLIES z*7_O
blaise: COil JECTVltK
(x/y) > • lltPI[.IES • • (7ov)
|ooddiv : COBJ ECTORE
yl-O liD (x/7) • • IIIPLTtS • • (Tev)
ll5otkordtv: _8J(
7 /" o An, (•/7) • (vl]F) ZllIPl,tSS ((x-v)/1) _ o
i, J, k: VIA Snt
latarlth : _W
2*1 • S lJ_ i • i IIqPLII_ 5 = 2
badLr|th$: COII31_ruRE
2*• < S lID • ) t 'J[IIPLIES • • 2
tritkuetl¢
151
Type Correctness Conditions
Denominator for division must be non-zero.
Typechecking the previous theory generates type
correctness conditions, baddtv_TCCl is not
provable, hence a type error.
nrithmttc: TllrnlY :.
B[G_I[
a, y, v: VAin number
arltb : THEOREM
x < 2 * y Ago y < S * V IMPLIES S • x < 18 • v
bndar Ink: COMJECTURE
n < 2 • y AND y < 3 • • IN?LIES S * x < 57 * •
badar |Oh2 :COM JECTO_
x < 0 AID y < 0 IMPLIES I * 7 • 0
baddiv: _l Jgc'ruP.E
(z I y) > • IMPLIES x > (y * v)
Subtype TCC |anerlLtod for y
boddiv.TCCl: OgLIOATIOg (FORALL (y: nuuber): y I- 0)
|ooddi• : COIJ_
y I= 0 Ago (x / y) • • IMPLIES n > (y • v)
anotberdtv : TNEOIkEIq
y 1- 0 AND (x I y) • (• / y) IMPLIES ((z - v) I y) • 0
i, J, k: VIM Inn
Intarlth: THEOREM 2 * i < S Ago i ) I IMPLIES I - 2
badtrlth$: COMJECI_ 2 • _ < S AND a • i |MPLIES a - 2
END aritb_tlc
Abstract datatype theory
binary.tree.adair: TYPE] : _llEORT
BF_IR
binary_tree: TYPE
lest?, node?: PgED[binary_trae]
_oaf: (leaf?)
node: [T, binary_trot, binary.tree -> (node?)]
val: [(node?) -> 1]
left: [(node?) -• binary.tree]
right: ((node?) -) binary_tree]
Iost.exteneionallty: AIION
(FOAALL (lest?.war: (leaf?)): lest - leafY.rat)
node.entensionallty: AXIOI'I
(FORALL (node?.var: (node?))!
node(vol(nodeT_var), left(node?_war), rtgbt(node?.vtr))
• noda?_var)
val_nade: AXIOM
(F_tILL (nodal.war: T), (noda2.vnr: binary_tree),
(nodeS.ray: blnary.tree):
rnl(node(nodal.var, node2.var, nodeS.tar))
= node l.var) ......
left.node : AIiOW :_-
(FORALL (nodel_vnr_ T), (node2.var: blnary_tree),
(nodeS.vat: blnary_tzee):
left(node(nodal.vat, node2.var, _odeS.var)) " node2.var)
right.node: AXIOM • _ * _.....
(FOltALL (nodal.vat : Y), (node2.var: binary_tree),
(nodeS_•st: blnnry.trea):==- ...... _-
rtsht(node(nodal_vnr, node2.vs_r, nodeS.tar)) • _ode$.var)
11
152
Example: Binary Trees
Binary trees can be defined as abstract
datatypes.
The following datatype declaration introduces
the constructor leaf with recognizer leaf?, and
constructor node with accessors val, left, and
right_ and recogniz--eT-_o-d_. .............
Typecheck;ng ...................this datatype declaration
generates the theories binary_tree_adt and
binary_tree-rec.mod (shown below).
binary.tree IT : 7YF*F._ : DATATYPE
M_GTJ
1oaf : ]oaf?
node(•a1 : T, left : blnary_tree, risbt : blnary_tree) : _oda?
END binary.tree
10
blnary_tree.disJolnt: AXll_q
(FDMALL (binary.tree.war: blnary.tre*):
SOT (leafY(binary.tree.war) AND noda?(blnary.trea_var)))
binary.troe_Inclnslvet AIION
lanf?(blnary.tree.var) OMnodo_(blnary_trae_var))
binary.tree.induction: _IIOM _ _ ..........
(FOgALL (P: PRED(blnary.tre*]):
p(laaf)
m
(_ORALL (nodal.vat: T), (node2.var: binary.tree),
(nodeS.vat: binary_tree):
p(nnds_.var) AND p(nodo3.var)
IMPLIES p(node(nodel.var, node2_var, nodeS_vaT)))
IMPLIES (FOItALL (binary.iree.Vdr_ binazy_iree)£ =
p(binary.trae.var)))
binnry.trse.nnt_ro¢((leaf? .fu : mat),
(nrdoT_/u: [7, nat, nst -> net]))."
[binary.tree -> nnt] -
LJU_BDA (binary.tree.vat: binary_tree):
CASES blnarF_tree_vsr Of
I,-_ : Isl/Tofsn,
node(nodol.var, node$ovar, nodeS°vex):
node?_fnn(nodel_var,
binoryotree.natorec (leaf?of u,
nrde?.fsn ) (nods2.vnr),
btnnry.t rao.nnt _roe (leaf ?°fun,
nrds?_fu) (node$.nar))
EIIDCASES
binnry.tree_ordinal_roc((leaf?ofU: ordinal),
(nodo?°fu: [T, ordinal, ordinal
*> ordinnl])):
[binary_tree *> ordinal] =
LAKBDA (btnary.trSOoVar: binary_tree):
CASES blntryotrOo.var OF
lesf: lsnf?_fnn,
node(nodal_vat° node$.vn:, nodeS.nor):
node?.fun(nodei.vnr,
blnarT.troe°ordinal.rec(leaf?ofun ,
nodo?.fen)(sode$.vnr),
btnnry_troo.ordtnnl_rec(loof?.fu,
node?./nn)(nodeS.var))
ENDCASES
END binnry_troo.edt
Recurslon combinator
b|nixT.tree_rsc.uod_r: 1RPE, r_ni_*: 1R1PE]: TIIIE_T
lf_OIl
OSIWG binary.tree.adt IT]
binnry_treo.roc((leaf?_fu: ruse) ,
(nods?.fnn: [Y, rule° rs_o -> range])):
[binary.tr** *> ruse] •
LJlQDA (binary.tree_vat: binary_tree):
CASES btnary.trno_var Or
leaf: lee/?.fsn,
sods(nodal.vat, nrde2_var, nodeS.vat):
nods?.fua(nodel.var,
binary.tree.rec(leaf?_fnn, sode?.fun)(node2.vor),
btnnryotree.ye¢(leaf?.fun, node?.fun)(nodeS.vnr))
ENDCASE3
ESD binary.tree_roe_nod
12
Ordered Binary Trees
obt IT : TYPE, <= | (total°order?[T])] : TflrnRT
BEOl|
OSlJlG binnxy.troa.ndt, blnnry.treo.rs¢.n_d
A, R, C: VAR binaryotrnn[T]
r, y, zt VAR T
pp: Vii PiED[T]
checknll((pp : PRES[T]), A): heel -
binary.tree.roe(TRUE,
(LANDDi s, (a, b : beol):
(n An b AND pp(s))))(I)
t, J, k: TAR nat
line(h) : net •
blnary.trne_re¢(O, (LIJ_BDA z, i. J: I • J • l))(i)
ordered?(A) : ItP.C_tSlVE boo1 =
(IV node?(A) TNI_I (chockall((LiHBDA y: y<=vol(i)), loft(A)) AND
¢hocknlX((LANDDA y: vnl(A)<-y), rloht(A)) AID
ordored?(lnft(i)) AI_ ordered?(risht(A)) )
ELSE TRUE _IY)
BY SiRe
insert(n, A): ItEC1_Sl_fl[ btn_7.trea[T ] •
(ClSES A Or
le_tr: node(x, leaf, leaf),
node(y, |, C): (XF n<ey TREE node(y, insert(z, B). C)
IDJE node(y, B, insert(n, C))
ESDIF)
EImCA$1_)
BY (LAHRDA n, A: size(A))
orderodT.inoert.step: FOIt)NLA
pp(x) AND checkall(pp, A) INPLXES
checkull(pp, tneort(x. A))
ordered?sinister F_A
orderod?(A) ZKPLIES orderod?(|nssrt(r, A))
END obt
13
Example Proof
ordnred?.lssert :
i .......
{1} (FOI_tLL (x: T). (An binsr7.trne):
ordorod?(A) ;NPLIES oz_lered?(insert(z, A)))
Rule? (induct "A")
Àeducate I on A,
this yields 2 enbKoals:
erdered?.|nsort.l :
i .......
41} (FO_iLL (n: T): orderrdT(leaf) IMPL|Im orderedT(tnnert(n, leaf)))
Rule? (skolemf)
For the top quLutlfior in 1, ve introduce $kolem conetute: (xf$)
thin ellt_]Ifles to:
orderod?.ineert.l :
i .......
{i} orderod?(lea/) ZNPLIES orderrd?(insert(n!$, /*sf))
Rule? (dslmp)
Applying dieJunctivo stmplifl¢ntion,
this sluplifieo to:
orderedT.tnsert.l :
4-1) orderndT(leaf)
i .......
{1} ordered?(Insert(n_$, leaf))
Xol*? (rewdte "insert")
ILegrittl_ ustn 8 insert,
this simplifies to:
14
153
erdered?.insert.l :
[01] ardersd?(leaf)
J.......
_1} ordored?(noda(z_$, leaf, leaf))
_sle? (rewrite "ordered?" -J-)
Reerttie| elan| ordered?,
this 81upli/ie8 to:
ordersd?.intert.l :
[-1] ordered?(leaf)
j .... ...
_1} (¢heckall((LAKBDl (y: T): y _- sf$), leaf)
JRD ¢hecka11((LLK6D& (y: T): z!3 <= 77, leaf)
AID ordered?{les_) AND ordertd?(lea/))
Rule? (assert)
;nvokis( decision procedures,
this simplifies ton
ordered?.ineert.l :
[-1] ordered?(leat)
| .......
{i) ¢heckell((LIKBgA (7: Y): y <_ Z!$), leaf)
4mD checkell({L_qBDA (y: T): s!3 <-_), leaf)
Rule? (auto-rewrite "blnory_tree-rec[T. booI]')
_nsta111n| aUtOSttiC nitrites:
binary.tree-roe[T, bool],
this simp)ifles to:
ordsred__insert ,t I
[-1] ordersd?(leaf)
| .......
[1] chstkall((LANBDA (y: T): y <= z93), leaf)
AgD checkall((LAHBDA (y: T): s!$ <- y), lee/)
orderod?.IMert ,2 x
Uo . .....
_1} (IroJtALL (nodal.vet: T), _uode__yer: bleary.tree),
(nodeS.van : binary.tree) :
(FO_LL (x: T):
erdsrod?(node2.vtr_ ]NPL]_S orderod?(iusert(n, Bode2.var)))
AgD
(FORILL (z: Y)t
ordered?Cnods3.var)
INPL] _-q erdered?(lssart{z, noda3.sar)))
IMPLIES
(rORILL _n: T)s
ordered?(nodn(uoSel.vtr, node2_ver, node3_var))
INPLIES orderm4?(imeert(s, nods(nodei.var,
node2_var,
nodeS_vet)))))
Rule? (sko|eml)
For the top quL_tif|sr in |, st Introduce Sk01eu constants:
(nodei_var!4 node2.var!S node$_var!e) _
this simplifies to:
ordered?Jnsert.2 :
J .......
_1) (FOItALL (_: T):
ordered?(node2.ver!S) INPL|ES erdered?(lnsert(x, node2.vtr:S)))
AID
(FOP_LL (x: T):
ordered ?{noda3_v_dr _6)
IMPLIES ordsred?(insart(n, node3-vtr!e)))
INPLIES
(FORILL (x: T):
srdered?(node(nodet_var!4, n_isl_var!5, node3_vsr!6))
ZNPLIES erdsred?(issert(z, node(nodet.van_4,
node2_var ! S,
nodeS_ray! e))))
154
Rule? (then (spllt)(rewrlte "checka."))
Splttttn I on, Junctions,
this yields 2 sebt|oele=
ordered?Jnesrt.l.l :
[-I] ordored?(leef)
U.......
_l} checkall((LAmJDA (y: T): y <- z!3), leaf)
Re_rtttn B usi.g ¢hetkall,
This complete| the proof of ordered?.insert.|.l.
ordersd?.tHart.t.2
[-13 ordered?(leef)
| .......
_1) chetkell((LIRRDA (y: T): sis <- y), lee!)
_e_rttJl_ esJn_ c_ecbell,
This completes the _rOOf at ordered?Jnsert.l.2.
This coupletes the proof of ordered_-i_sertoi, "
Rule? (dslmp)
Apply|uS dlsJ_nctivs slmp11ficatlo_,
this simplifies _to:
ordered?.inssrt._ _ " " "
|-i) (ro_.c_ (s, T): . - ......
ordsred?(n_de:_ver!$) .....
_NPL_ES ordered?(ineert(s, node_.var_8)))
4-2) (F_ALL (t: T)_
• rd-er ed ? (u_de $.var !e)
tMPLIE$ ordered?(tesert(x, uode3.ver!6)))
| ....... : .
{1} (YOItALL (z: T)_ ....
orderedY(node(nodelovar!4, node2-ver!S, _ode3_vsr!6) )
_NPL]ES ordered?(inssrt(z, node(nodel.ver_4,
nods2-varV6o
nods$.var!6_)))
Rule? (skolem!) . - _
For the top quutlfler in |, ee introduce Skoles eonstuts: (x!?)
ordered?.ineert.2 :
[-1] (FO_ALL (x: T):
ordered?(nsde2.ver!S)
|NPLIES ordered?(tnssrt(u, node2.var!6))) _
[-_3 (FI_ALL (x: T_." _
ordsrsd?(uode3_var_e) - -
|K?LIES orderedT(inssrt(x, uo_e3.ver!6)))
{1} ordered?(uods(nodei_var!4, node2_rer!_, node3.vax!6))
INPL|ES ordered?(tnsert(x!7, nods(_odsLver!_,
node2.var!5,
node3_varf6)})
=
i
lone? (rewrite "ordered?" -J-)
Re_ritin| nsiq erderedY,
thee li_plttiom to:
ordored?.luirto_ i
[-1_ (_]tALL (s: ?):
arderod?(nedi2.varlS)
INPLIU ordered?(tniert(z, node2.vulS)))
[-23 (FOtALL (xi 1):
orderod?(node$_varte)
iHPLI mt ordered?(lnsart(z, nodeS-vet!el))
| .......
{1) (checkill((LiiDDA 47: T)z y <- nodel.vul4), nodel.vtrIS)
IND chacktll((LllBDl (yl 1): aodai.vlrl4 <= y)0 nodeS.vitrO)
IllD ordared?(nodni-varI5) _ ordared?(nodel_vir!$))
IMPLIES orderod?(tnieit(z!7, nodi(nodal.virtd,
Rile? (dMmp)
lpplyin| disjunctive linplificatton,
this olnplilies to:
orderod?.lniert.2 :
nodal.rifle,
andeS.yarnS)))
I-i] (FORILL (x: T):
ordere_l?(node2_viilS)
INPLTE3 ordarod?(tnnrt(z, nodo2_virtS)))
[-2] (F_ALL (in T):
ordorod?(nodeS_rule)
IMPL|E3 ordsrod?(ineart(n, nodo$.varle)))
|-$) ckeckall((LAmtDA (y: T): • <= nodal.var!4), noda2.vez!5)
_-4) ¢heckall((LINBDA (y: T): nodal_vat!4 <= y), nodeS_vat!El
_-6) ordarad?(node2-vtrt6)
_-6) orderod?(_oda$_virle)
| .......
{1) ordirod?(lnoert(zt?, node(nodal_oar!i,
nodo2.varIS,
nodo$_varle)))
ael.? (rewdte "insert" "l')
Raliitin| asia| insert,
this simplifies to:
irdarod?.tniart .2 :
[-13 (FOtILL (xi ?):
ordorod?(nodei_vtr iS)
|RPLI N oIdared?(innoTi(n, nodoi.varIS)))
[-2] (refILL (z: T):
order ed ?(node $_vir id)
IMPLIES oiderod?(lnoerl(x, nodal.oar!S)))
[-3] (lickiII((LIHBDi (I'. Ill y <- nodil_vnrii), nodal.railS)
I-el chiokill((LllIDl (y." l): nodil.illFt4 l- y), n_ol_rari#)
['el ordered? (nodil.var l 1)
[-6] ordered?(nodo$.vu I$)
J-------
41} orderod?((IP tit <= node!.varl4
node (nodal_vet i4,
insert(x!?, nodal.lit I S),
nodeS_vat i 8)
ELSE
node (n ode i .vat ! 4,
nodo2_vir .iS,
insert(liT, nodeS.vat !el)
_IY))
lille? (lift-If)
Ltitini IF-oenditionn to the top lovolj
thin oiIplifte8 toe
orderod?.lniert .2 :
[-1] (_tILL (n_ iS:
or dar od? (node2-rLv 18)
]NPLI II orderod?(lnsert(z, nodel_larlS)))
[-23 (POItILL (x: T)i
ordered? (nodel.vir 16)
11(PLIEI orderod?(tnsort(r, nodol.larIO)))
[-$3 ckockiII((LIKBDI (yi l)i y <u Iodol.var!l), Iodn2.varl$)
[-4] checkall((LAliDl (7: _): nodal.void <= 7), aode$.varl6)
[-83 il_lered? (nodsi_iu iS)
[-63 ordnrndT(node$_vu 98)
,(1} IF nit <" nodei_virl4
TIE!
ordered? (node (nodeS.vat 14,
insert(ill, node2.vir 16),
nodeS.vii#d))
ELSE
ordered? (node (nodal-vaT t4,
nodal.vailS,
tHeft(hi?, nodel.vir is)))
_mDlp
Role? (propS)
By propositional 8tilplificatien,
this yields 2 slbioalsl
ordarod?.tniort.2.1 i
_-t} II? <- nidei.vlrti
[-2] (FOaALL (x: 1):
@rdared?(nodel.rnrIS)
I_PLiF_ orderod?(insort(r, nodel.virIS)))
[-3] (FOtALL (l: 1):
ordarod?(node$_var!8)
IMPLIES ordered?(innert(x, nodeS_rifle)))
1-43 ¢hicklll((LIHlDI (•: l): y I- I_ll.virl4), nodil_¥lr!_)
l-S] chicknll((LAHDDI (l: 1): nodit.riri4 <- l), nodi$_rlI!l)
[-8] oTdorad?(nodol.variS)
[-7] ordered?(nodo$.varlO)
| .......
{l) orderi_l?(node(aodei.viri4, insert(liT, nodei_var!S), nodeS.rifle))
Rule? (rewrite "ordered?" _-)
Relittin| olin| ordered?,
this itnpllllel tel
ordirodl.tnieri.2.1 :
I-el 117 <t nodil.viri4
[-i] (FORILL (s_ i):
orderod?(node2._ir!S)
INPLIES ordarid?(lnsert(e, nodeS.oar!S)))
(-$) (rOtlLL (z: iS:
ordared?(noda$.vlrtd)
INPLIES arderod?(lnoart(z, nodeS-rifle)))
I-i] chocklll((LilIDt (In l): I <8 nodal.in!l), nodal_vailS)
[-63 chsckilI((LIKBD& (y: T): nndet-vir!4 <= 7), nodeS_vat!S)
[-4] ordarsd?(nodsi.rnrIS)
[-7] ordered?(nodi$.var!8)
_1} (chockall((LItIDl (yi T): 7 <, nodei.var!4),
insert(x!7, aodel.rer!S))
AID cbockill((LIMBDI (7: T): nodeS.vet!4 <= y), nodeS.vat!8)
lID ordered?(tnsort(s!10 sodil.oar!$))
lID oFdered?(nodi_.rlr!#))
155
hle? (quant?)
Found •ubetltntion:
• pt• X_7t
l_stnntlatln| qua_tlfind variables,
thl• •Implifln• to:
ordnred?.ln•ur_.2.i :
[-1] x_7 <= aodnl-var|4
_-2) •rdnrud?(nodn2_v_S) INPLIES ordurnd?(tneert(x!7, noda2_var!6))
[-3] (FORILL (n= T):
ordnred?(nodnl_vLr_8) ....
IHPLIP.S ordered?(tne•rt(u, nodeS_vat!6)))
[-4J ch•cknll((LAPrBDA (y: ?): y <= nodol_var!4), nede_ovar!S)
(-6] ¢h•ckaII((LANBDi (y: T): nodeS.st•|4 <- y), nodel-var!O)
[-63 ord•rod?(nede2-•tr|6)
(-73 ord•rod?{nodn$_var|e)
J.......
[J] (¢becka]I({LJNBDA (p: ?): 7 <, nodal_vat!4).
inJ•rt(e!7, nodn2-•ar!S))
A]ID chockall((LANBDA (7: T): nodal.vet!4 <= y), nod•$_var!6)
AND ordorod?(lnnert(z!7, uodn2_vur_6))
AID ordared?(nodel_vur!e))
Rul•? (propS)
B7 propositions1 •Inpllficntiou,
this siu_pltfie8 to:
hi•? (rewrite "ordered?" _-)
neuritis! u•lu 8 ordnred?,
this •impllfie• tot
ordnred?.ln•nrt,2.2 :
[-i) (PmtiLL (x: 1):
orderod?(nod•2-var_S)
|ffPLl_ ord•red?(in••rt(u, noda2_var!S)))
[-:] (FORALL (•: T):
ord•red?(nodnl_var|e)
IMPLIES srdered?(insert(u, nodeS_vireO)))
[-3] nhnnkal|((LMfBDA (y: T): y (" _od•J_var!4), node__var!G)
(-4] ¢h•ckall((Li_Pi (y: T): nodnl.vo_r!4 <= 7), nodal.vat!el
[-S] ordnrnd?(aoUn2_vtr!6)
(-63 ordnred?(nod•S_vsr_6)
|. .... ..(1) x!7 <_ andes.varY4
(ch•ckIll((LAI(BDi (7: T): 7 _= :edel_vnr!4), nodo2_var!S)
lgD
chocknll((LAICBD4 (7: T): nodnl_vtr!4 <8 7),
in•orS (n!?, nodel.vnr aS))
A_D ord•red ?(uodn_ver _6)
igD ordnredT(inenrt(u!7, nodeS_vat!el))
_ulu? (quant? -2)
Found •ub•titution:
• guts •_7,
Instuntlatin| qnutlfi•d variables,
this simplifies to:
156
orderedT.i=snrt.2.i :
_-t) urderad?(i_sert(u!7, =ode2.var!$))
[-_] X_? <= nedel.vur!4
[-3] (PORALL (•: T)=
ordnredT(nodnl.va_!e)
|ICPL|ES erdnred?(tnrer_(x, nodel_vur!S)))
[-4] ¢heckall((LiMBDA (y: T): y <m nod•l_vtr!4), nod•2_vnr_S)
[-S] checkall((Lilq_Di (7: ?): nodel.vtr!4 <= 7), n_d,3_vtr!e)
[-el ordored?(nodn2_vez!6)
[-13 0rderod?(node$.vut_e)
_I) checktll((LINBDi (y: T): 7 <= nodal_vat!4),
i_•ert(x_7, node2.vnr!$))
hie? (rewrite "ordered? insert_st Up,, )
Reeritin_ usiu( orderod?.insnrt_step, ._-
Thls ¢oupl•tas the proof of ordsred?.Insart.2.i.
orderod?.inlort,2.2 :
(-1] (FESILL (x: 1):
ordernd?(nodt2.vnr!_)
I_PLIES orderedT{inaert{•, nodo2_vnr!S)))
(-2] (F1]IkALL (x: T):
ordered?{nodn$.var!6)
IMPLIES _rdored?(tus•rt(x, nodel.vur'e))) ....
(-3] ¢hnckall((Lll(BDl (y: T): y <= _ode_.vur!4), n_Se__Var!_)
[-4] chnckall((L_NB_4 (y: T): nodel.•ur!4 <= Y), nodnl_vnr!6)
[-6] ord•radT(node2.vari$)
[-6] ord•rad?(nodo$.var!e)
!....... _z_, _ _ _ i_i
ordered?(n0deTno_-ei_vtr!4,-
o_dered?.insert,2.2 :
[-i] (tO,iLL (x: T):
ordered ? (eode2.•ar !S)
II_LIES ord•red?(ine•rt(z, node2_vnr!S)))
_-2} ord•rnd?(nods$.var!6) INPLIES ordnred?(tnsert(z!7, nodn3.vnrte))
[-3] chncknlI((LAESDA (y: T): 7 <` ned•i-vat!4), nede2-vnr!_)
[-4] chnckall((LiMBD4 (y: T): nodal.rut!4 <= 7), nodo3.vnr!e)
[-6_ ordered? (nede2.v_ur !S)
[-6_ oz_iernd?(nede$.vtr!4) : =_ =:,_ _ -
| ..... .. _
[1] u!_ <= nodel.•nr!4
[2] (chnckall((L&NBDA (7: T): y <- nedsl.var!4), node2.vnr!6)
in•err(x!7, nodu3.vtr._) - -- -
AND ordered?(node__vnr ! S)
AND ord•rod?(inu•rt(x!7, nede3_rar!e)))
hle? (propS]
B7 propositional •impllflcatlon,
thls 8implifi•n to:
ordured?.insort.2.2 | .....
t-i} ordered?(insert(x!?, nodel.vnr !8))
(-2] (FOItlLL (x: T):
ordered?(noda2.•_r ! _
IMPLIES ordarod?(in•ert(•, nodg__vur!S)))
[-3] checknl1((L_N_DJ (y: T): 7 <= uedni-var!4), uode2.var!_)
[-4] checkall((LANBDA (y: T): nod•l-vat!4 <,. y),_od_ar!e)
[-$] ordernd? (l_edt2.vir !_)
(-6] oral stud? (nede$.v_r !e ) ...........
{1} chackull((L/JdBDi (y: T): nod•l_vnr:4 <= y),
insert (u!T, node$.var !6))
[2] r!7 <'- nedeJ.•lr!4
Z
q
|
t
!
=
2
hle? (rewrite "ordered?JnsertJtep")
Itelrrittn| uetq orderod?-luert_ltop,
this eimplltioe to:
ordered?_lneert .2.2 :
E-i) 6rdered? (tneert(x_7, node$_vtr 96))
[-23 (F_tJLL (x: ?)=
ordered? (no'el_veer ! 6)
INPLIES ordarod?(lnsert(x, nodal-vatS)))
[-3] checkall((Li_DA (Y: T): y (" sodal_var_4), noael_rarIS)
[-4] cbeckall((LlnDA (7: T)= nodai.v_r_4 <o 7), node$_varle)
[-6] ordered? (node2.vtr _S)
[-6] ordered_ (node$.rtr) 6)
| .......
41) nodel.wr14 <0 x_7
[2] chackslI((LANBDA (y: T): uodel.vsr_4 <- y),
lasert(l_7, aodeLrtr _e))
[3] st? <- so_ei.v_rt4
hle? (typepred "obt.<-')
Addtn| type ¢onstraiste for obt.< e,
this etnpliftes to:
ordered?.lnsert .2.2 :
4-1} total.order? IT) (obt.< =)
[-23 ordered?(tsaort(s _7, modeS_vatS el)
[-33 (FOIt&LL (s: 7):
order od?(nodelovtr tS)
INPLIES ordered?(iseart(x, nodal_verbS)l)
[-4) checkall((LANBDA (Y: T): 7 <" nodoi_vtr_4), nodel.vsr .*8)
E-S) chockall((LARBDA (y: T): nodal_varY4 <= 7), nodeS.varY8)
• [-6] ordered? (nodal-vat .I6)
[-7] ordered? (node$.vu t 8)
| .......
[1] aodel.ver94 <- x17
[2] checkall((LAl(-1®4 (y: T)t nodal.verSa <- y),
lxeert (s aT, nodeS_vat _4))
[$] st7 <- nodal.varY4
taler (rewrite "total-order?")
Itovrit51_ Icing tottl.order?,
thls 8iwpllfle8 to=
ordered?.inssrt.2.2 :
ardered?(lasert(xt ?, s*ode$_vu !el)
[-3] (FlXtILL (s: T)=
0taler od?(nodel.vLr !S)
INPLIF3 ordered?(taeert(x, aode2.rartS)))
[-4] checkalI((LAI(BD4 (y: T): y <- nodal.vatS4), nodal.raftS)
[-el checkallf(LANBDA (y= T): nodal.re.J4 <= 7), nodal_verSe)
[-63 order ed? (nodel.vLr t$)
[-7] ordered? (nodeS.veer t4)
| .......
[1] nodal-varY4 <= x_?
(3] checkall((LAIqJD& (7: Y): nodal.tar!4 <- y),
lasers (x l?, noda3_var _@))
(3] s_7 <= sodel.var_4
hle? (quartS?)
Fo_d sabot it:ties:
y |eta ztT,
S |eta sodel.varP4,
|nstentiattnJ quint/fled vtrtableeo
thl8 eilq)llflee to:
ordorodY.insort .2.2 :
4-1) nodal.v_r14 <- xl7 OR :t7 <= uodei.vtr_4
[-2] orderod?(laeort(z_ 7, node$_var t el)
E-3] (FOItALL (xz T):
arderod?(madel_re_r !3)
]IIPLIES orderod?(lnsart(z, nodal_vatS)))
[-43 ¢hockall((LAMBDA 47: T): y <= nodal_varY4), nodal.yetiS)
[-6] checkall((LANBD_ (7: 1): sodaS_vat!4 <= y), u6del_vxrt_)
[-el orders4? (nodal-vat t S)
[-7] ordered? (nodeS.vet t4)
i .......
[1] sode|.vtrf4 <- z_7
[3] checksII((L_NBDA (7: T): nodal.varY4 <- 7),
insert (x _7, aode_-vtr _4))
[3] st? <= nodol_var!4
hla? (propS)
By proposttiosal elupltf|catiolt,
This completes the preo_ of ardarod?.l:sert.2.2.
This couplatee the proof of orderod?.l_sert.2.
Q.E.D.
Save the nev proo_? (Yes or _o) 7as
gould yes like s brief printout of the l_oof? (Yes or Be) yes
ordered?.tnsert :
m.......
{_) (FOR_LL (x: T), (As blesT.tree):
ordered?(A) II(PLII_ ordared?(lnsert(z, J)))
ludgctSng o_ i,
which yields 2 s_t_oale=
ordared?_tssert.i =
J......
41) (FU_tLL (x: 7): orderod?(laaf) INPLZ_S ardored?(Insert(x, leaf)))
For the top qxtntifler |a l, re istrodsce $koleu congteJ_t8_ (sill
Applying disjunctive elmplltlcatlon,
Ravrltln| uslsg lasers,
Ra_rltln 8 uin 8 ordered?.
lnvokin_ decision procedures,
Installin8 utoumtic ravrites:
bint_y_tree_rec[T, boo1),
Splittin| con_usctions,
rhtcb 7telds 2 s_bsoels:
ordared?.lneert.l.i :
4-t} ordered?(laaf)
| .......
41) checktll((L_J_BD4 (_= T): _ <" sills _eaf)
Rerritin| ulna checkall,
This co,plates the J_roof of ordered?.tnaert.l.l.
ordere_?_|nsert.l.2
4-1} erdared?(|eat)
41) checktll((LJJql"DA (y: 7): z_3 <= y), lolL/)
Re_ritia| :elnJ checkall,
This couplatae the proo£ of ordarad?.tneert.l.2.
157
orderod?olueort .2
| .......
41} (FORILL (nodal.vat: T), (node2ovar: btsezT-tree_, i :
(nodeS.vat: binary_tree) :=
(FOY_LL (x : T) :
ordsrodT(=ods2-vsr) INPLIES urderodT(tusert(n, uods2-vnr)))
AJD
(FOIU, LL (=: T):
ordered?(uode$_ve_r)
IMPLIES orderodT(lneert(so nodeS_ear)))
IHPLIES
(FOIUILL (u: Y)1
ordered?(uode(nodsl_utr, nods2_ver, uode$_ver))
IHPLIE5
urdsrodY(tueert(x ° node(nodal-vat,
uode2_var,
aods3.sar)))))
For the top quantifier lu l, we tutroduce |lkolem coustsmt8:
(nodet.sur_4 node2.var!S node$.vtr+6)
App17tn 8 disjunctive eiu_lificotion,
For the top qusmtifior tu l, we introduce Skoleu coustuts: (x!7)
Xevrttiu| uaiu| ordoredY,
ApplTtu | disjunctive siuplifictttou,
]tevritiu| using insert,
Llfttug IF-coudittous to the Sup level,
B F propositional |inplificntion,
which yields 2 subKoal8:
ordered%inner, f2.2 =
|-i) (t_tltt(x:T):
orderod?(uode2_varfS)
IHPLI_ orderedT(insart(x, nods2_ver!S)))
urdored?(nods$.varle)
IMPLIS_t orderodT(iusert(z, nudeS_Tar!e))) _: _
_-3) checkall((LIBDl (7= T)= 7 <" nodnf-vtr!4), node2_var!S)
_-4} chncknll((LinD4 (7: T)_ nodal.sir!4 <= y_-, node3.enrt_
_-6} ordered? (node2-v&r ! $)
| .......
_2} ordsrod?(node(uodsl-var!4,
node2_var|S,
tnsert(n_7, node$.vur!O)))
ltewrttin| u'ing ordered?,
lnetauttattng quantified variables,
B7 propositional siupliftcatlan,
P_eritiug ustug orderodT_lnsert-step, =_ =_-_ =_ _ : .... ::
Addtu K tJpe constraints for obt.< u,
Rsgritiug ustnJ total.order7,
Instsuttattng quutiftud variables,
By propositiOnai si_piiftcatian,
This completes the proof of ordsrodY_tnJnrt.2.2.
O.E.n.
158
orderodT.innsrt.2.1 |
4-1}
q-s}
{-4)
{-s}
-_}
ut7 <- uodsl.rarf4
(FO_ALL (n: T): ....
urdsred?(nods2.var|S)
|NPLIES ordorodT(iusart(s, uo_e2_var!S)))
(FOAILL (n: T):
ordered?(nodeS.var_e) .............
INPLIES orderod#(tusort(s, nodeS.sariS)))
cbIckalI((LAHBDI (7: T): y <= uodel-varf4), uods_.vnr!5)
cbeckall((LAK_D_ (7: T): uodsl.var!4 <= y), uods$__ar!8)
ordorsdT(uode_.ver_S)
ordorsdT(sodeS.var_6)
I .......
_1} orderod?(nods(nodei-var!4,
insert(u!7, uods2.vur!S),
nodeS_vurY6))
_svrltiug uslnl ordsrod?,
Instautlatlu I quutl/Isd variables,
By propositional slupllflcatlon,
Reuritiu| sits| urdor_lT.tu|ort_stop,
This couplote8 the proof ot ordsred_.iueart.2.1_
Notes on the Language
The core logic ts a simply typed higher-order
logic.
S pecifj+cations are §tru_cturedinto Dara_metric +
theories, .................
=
Types can be parameters.
Assumptions can be used to constrain the
parameters.
Set-like predicate subtypes can be defined. :
These make the domains and ranges of
operations explicit.
Theorem proving is employed to carry out
typechecking. _.... ; _ _ ....
Automatic facilitiy for generating abstract
datatype theories. - .....
15
L
Notes on the Proof checker
Sequent representation for proof goals.
Backwards proof construction by applying
red uctions.
Heavy use of powerful decision procedures for
equality and inequality.
Powerful primitive inference steps.
Roughly twenty such steps.
Strategy mechanism for encapsulating proof
patterns.
Ability to save and rerun proofs and partial
proofs, and display proofs.
Conclusions
PVS exploits the synergy between language and
inference.
The combination of powerful inference steps:
decision procedures, rewriting, propositional
simplification, etc., makes it effective to develop
proofs that are both certified and convincing.
Future goals:
• To enhance the language to further exploit
the inference capabilities
• To generate readable proof outlines
• To make proofs robust and easier to
maintain
16 17
159
ii60
Logical Foundations of Computing
over the Floating Point Reals
Richard Platek
Odyssey Research Associates, Inc.
PI:_EC_D{NS PAGE B!.ANK NOT FILMED
161
Logical FoundationS of
Computations over the Reals
Richard Platek
Odyssey Research Associates
ORA
12August 1992
NASA FM Workshop
O O RA Corp. 1992
SL-0046
i
162
Two ORA Technical Reports
"Verification of Numerical Programs Using Penelope"
"Denotational Semantics of Numerical Programs"
(DORA Corp, 1992 _1_"_/_
SL-0046 2
Basic Problem
What does it mean to say that a given program "computes" a real valued
x
function such as sine x or e when it never"really does?
Classical answer:
The program computes an approximation which is "sufficiently accurate"
But what does that mean?
J
O ORA Corp, 1992
SL-0046
163
Two Fundamental Problem Areas
£3 Scientific Computations
simulations, cacluation of engineering solutions, numerical experiments to
explore theories, "number crunching" as part of experiments
correctness is vital for decision making
£3 Embedded Computations
computers as part of coninuous systems
sense-compute-activate
O ORA Corp, 1992 A_'_"}/'_
SL-0046 4
Botton Up Interpretation
We reason at the level of the CPU and Floating Point processor so that we can
calculate tight error bounds and we use numerical analysis techniques to
estimate the accuracy of the computation.
Perfectly fine, but too concrete
A. Numerical Programs are not written in machine language or assembler.
They are written in higher order languages like Fortran, C, Ada. The
concrete analysis is not portable across CPU's.
B. The concrete analysis is not portable across FPP's. We should reason in
terms of the IEEE floating point standard or the Brown model.
In particular, our specs and proofs should be independent of the word length of
the machine reals except in so far as the word length is knowable at the
programming language level (e.g., Ada's float'small)
J
© ORA Corp, 1992
SL-0046
164
Verifying floating point computations
O Algebraic properties of floating point operations are a mess; and detailed
descriptions are highly implementation dependent.
O Little automated support exists.
O We are incorporating support for both quantitative and qualitative error
analysis into Penelope.
This talk concerns qualitative error analysis.
O O RA Corp, 1992 _ll_'_/,'_
SL-0046 6
Sources of error
o Roundoff error
O (Mathematical) Truncation error
O Implementation strategies (modeled by non-determinism)
J
O ORA Corp, 1992
SL-0046
165
Example of Compiler Implementation Strategies
In both C and Ada the statements
X := y .I, Z;
if x = y * z
may set w to either o or 1 !!!
then w := 0 else
w := 1 end;
© ORA Corp. 1992
SL-0046
Qualitative error analysis
Intuitively: prove programs under the assumption that various sources of error
are present but "negligible"
Not equivalent to assuming that error is non-existent
J
166
© ORA Corp, 1992 _")/_
SL-0046 9
Qualitative analysis of roundoff error: asymptotic
correctness
Mathematical model via limits
If a program is run on increasingly accurate machines, then its answer
approaches the specified result in the limit.
Mathematical model via algebra
Use a model of "approximate reasoning."
The algebraic model is easier to use
i'
@ ORA Corp, 1992
SL-0046 10
Algebra for approximate reasoning
Introduce additional predicates on
numbers"
x is close to y
x is not close to y
x<y or x is close to y
x < y and x is not close to y
Relations to standard operations
the
O ORA Corp, 199_
SL-0046 11
167
Substitution in Approximate Reasoning
If f is continuous, x _ y =:_ f(x) ,_ f(y)
Therefore,
x '_ x 1 and Y _ Yl _ x + y "_ xl + Yl
But comparisons are not continous
x_y and x<z does not imply y<z
© ORA Corp, 1992SL-0046 12
Algebra of approximate reasoning
Mechanical translation of (many) facts of ordinary algebra tO facts of
approximate algebra.
For example"
(x Jr-i)2 > x
translates to
(x + 1)2 _ x
J
© ORA Corp, 1992
SL-0046 13
168
Modeling Ada floating point operations
Introduce specification predicate for each basic operation
t-p/us(=, y, z):
z iS a possible result of evaluating x + y
Sample property:
Fplus(z, tJ, z) =_ z _ x Jr y
fie(x, y, b):
b is a possible result of evaluating x <= y
Sample properties:
fie(x, y, true) _ x < y
fie(=, y,.false) _ z > y
,J
© ORA Corp, 1992
SL-0046 14
Example specification and proof
function mysqrt (a, small : in float) return float;
should compute the square root of a to within sma i 1
O ORA Corp. 1992
St-0046 15
169
Naive specification Ofmysqrt
IN a > 0.0 and small > 0.0
KETUKN z SUCH THAT Iz2 - aI _< small
© eRA Corp. 1992
SL-0046 16
71 _ J I
Amended specification of my s q r t
IN a __>0.0 and small _ 0.0
RETURNz SUCHTHAT12- al< smal_
O eRA Corp, 1992 _-_
170
|
z
=_
=
=
=_
T.
z
O ORA Corp, 1992
SL-0046
Calculation will use Newton's method
For any a> O,
where
v/a -- limiti__ooXi
xo -" a+l
zi+l - 1/2(zi + a/z,)
IB
J
Code for mysqrt
function mysqrt (...) is
x : float;
begin
if (a <= small) then
return 0.0;
end if;
x:=a+l.O;
while (x*x-a >= small)
x := (x+(a/x))/2.0;
end loop;
return x;
end mysqrt;
loop
Loop invariant annotation:
small, x,a,(x 2 -- a) _ 0.0
O ORA Corp, 1992
SL-0046 19
171
Proving termination of the loop
Proving termination of the loop
Loop bound annotation:
loop bound x 2- a
contraction 1/4
lower bound small
© ORA Corp, 1992
SL-0046 2O
function sqrt
is
begin
return mysqrt
Accurate Square Root
(a: = in float) return float
(a, float'small);
end;
© ORA Corp, 1992
SL-0046 21
./ 172
Embedded Systems
Want to be able to reason about computer controlled real world systems.
Want to know what the system does in real space/time.
The total syste can be described by logico-differential equations.
J
© ORA Corp, 1992 _"}/'_
SL-0046 22
Example
State variables
x(t : Real) : Real
y(k : Int) : Int
Transition Relations
= f(x(t), y(_))
y(k+l) = g (x(1), y(k))
,tt = max integer < t
O ORA Corp. 1992
SL-0046 23
173
174
Formal Safety Analysis
Nancy Leveson
University of California at Irvine
PRECEDING PAGe. BLA_K i'qOT F_LM£D
175
,,,,,,,n,
._
•_. $
0
176
J177
1=
178
Zt_q
Q
¢J3
0
0
L,&
0
q_,..
Z;_
.<
.4<
Nr._
_Z
<
179
J
J
_ i _
• • Q • •
180
-.b
0
I
b.,
o
181
_= -_i _ ] - ._ -
=..
=l
._P
%
=l
=l
r_
÷
>_
t_
u
f-i
¢J
i
>
°_
> "_
b_3
1..,
0
U
o_
> ii
-_ ¢1
uo '=
° ==_ i
182
0 '
O.
d
0
i "i
.o o_
•, _ _
J ii_'-
!i o!
183
• i
184
.2
o,,,i
o .# _o88
"_ "_ ,,,,,,_ _i
"_ _ _ __._._
.o _ _ _ o
185
W _.I "
I._1 o . "_ ._ o .....
_ -_ .._,_ "_ :_
._- .:
_P_
186
Ud
187
= "i
,,IZ _
.,=g w
E"=,-, -=-
=o
o=
o_ ,,
Oo _j
N
=o
188
±2
eO
=o
_'
,,, t_
"_ _
_._- _ _
o"
?
,r

.'_° i " n
_. .= S
,_ tu U
s,, "_
!!!it
_._ !!_.! _
_. ,
190
191
:i
i=
192
I
I
I
I
:d
i,,,. w,t I _
:i. i!°°:I_ _°°
193
!
!
!
!
!
194
0
I_1_!: i. i .-
I; r I r!!l; 5
I'_ I ._l._
I! /J_l_
i ._, ! _, .
, ' _ _._
gt
"' ii _ .-
o ii _ z
0
0:_ :_
:__ ' i _-
195
._-= _
• G
_ 0
_ _._
_ _ -_ _ 0
_ _Lo'_
_ _ o g_.-_
• ,, in _'_
._..-, | _ O_
0_' - _ _ o
,,
o w¢_-- >
,,,,,?._,,,_ v
• ,._ _. _ _
__" _
.__ ._.._ ._. ,_,.._,. _ ,_
, ==
196
• <
197
198
The FM9001
Warren Hunt
Computational Logic, Inc.
PRF,GEDING PAG_EB_'_I',,_Ki',rOT F|LP_._'_:D
199
f"t_
i
I
I
f
i ".,., _ I:::
01_
_0.,-
i
200
f++
! ++++_!- ++++,_ ...+.+++-_..+P_ _.-+ .+ ...
r- >,o ._.m_' .o ._,
• +, . ,,<_ •
J
i
f
J
i
;
Im
201
fJ
r
_=_
>
._, "_ ®,_
o "o _ ._o_
_ o _ _
__ . _
_ • • _ •
I.
202
f+i
| ,.+.+_,,, -m _ (...:
• -0 -.+!
,_ o §
+,.+++=°°+._ + ._-+ _.++_=
LL _C I_ LL. C
J
Im
f
,:,+
=,
n
-I:
_i-
o I -
o
-!- -I_t
t+1
-12 "--V'__.___ 9 __. _
-IE] -I_
i!
_!itfill
.+,_+-,+I
++++++'',',+]+ +i+._lj_,+
Ill+lip+.:+++=++ =
++++
+,i+,lJ++l!i,,++,
li|ll|++++m++m;m
-h
J
|
203
ff
2
E
c_
1 TTTT
_J
t
i
204
J
1
f _
0
mini
Q.
,Ira
IJ.
q)
.C
I-
"OOiOIO_O_010|OIC_C_O_O,O_
OtOlO;OiOIOtOiO|O_O|O_OiO_
OlOlOlOlOlOlOl01C_O, OlO=O,
010101 O'OtO|
0|010_
ololo_
olo_oI
OlOlO!
0|0101
OlOlOI
OlOlOzOJOsOlOiOzC_OlOlOfO!
OlOiOmOzO_O_O|OlOZO_OlOiO!
O_O|OlO_O_OlO_OIC_OlOlOiO
_,. 0t01!0_
i_ o.o.o,010_0|0_0_0_
c_c_o_
0 0_0_0_
Z • .J X '_ Z • • W _ 0 II 'I[
- !
: i!,_illi
J
|
n
i
Jl
i|
205
f_ •
,
l !
J
|
J
im
11
J
f
+ !
i
+! + + ,
i _ - °
• • • • nnn c
|
!
im
fz_._° E ®
. .
_ =,__ _.-=_
"_. e- _ _
.-_ _..
o,
J
Im
f
•- . _
-_°
_E _ 0 _ _
J
I
Im
207
ff
_o,
C _
i!_. RI---ill-- ,
J
.gq
J
208
fo
|
J
i
Im
f
J
i
Im
209
210
foo
I--
J
i
II
J
I
Im
211
141
"§_ ®
• _= _--_
08_ ,,u.m
J
|
212
fZI:I!:"iiiiiiiiiOOOOOO0 oo00
||JJJJ| JJt_ |D |m |
' ' '!! !! a
J
i
II
f
-- _ _,
g= g
o_ z
i. _ "o
IIIIIIII
llIlllll
_I_
213
Fo.o =_
_ _ _ _ _.__
°°,-.:_ .__ _
I
Im
214
Derivational Techniques for Hardware
Steve Johnson
Indiana University
215
Design Derivation*
Steven D. Johnson
and
Bhaskar Bose
Computer Science Department
|luliana University
---- |}_slll n derivat|ow
_rmd|_cd metkod*
e_.dudhm, d_ivstlee. *lc
Tl_t DDD aylt@m
Slntu
A=p,'ct* or dedp =lgcbr=
I_xptr|me_(atloa
FMA_= de,iv.ti_
FMgflOI dcwi_llon
Co_rlu.lom¢
Mult;modd fe_*mi_
_,_u. fc_m4d .ytt_nN
_| _ I4SF MIPN.7114_', NOT il
=llllp. ¢=e_ i1_ tm
w,l,_n, A_ i., im
216
i
_iTwiq_ L_
Design derivation
formal sUstem
• a long.age, r.l_ of syntax
• tran._for.mlions, nll_.'s¢,i"r,'a._.fing
formalization
• representing design.q as expre_ions
• representing de,igning _ an inference process
For example, verification
• proof d an implementation, E [= I D S
• derhration of an implementation, S =_ I
[rA(., _,0 _- (.. _) I
rA(.,=, 0 = (., e} I
where 1
] , = (°_ +ab)_+(._+ =_)d
L e=.=+(,;4'__l
(., b,.) _- (',")1
,r_ J
d=e*& J
rAl.,_,d _ (.,_'l ]
_e_ |
(=,_,)=/IA(,,O|
='+_' I
n_(.,_) _ (..d l
=&ere |
. = °i+_m_ I
1 =1, + (.i + itll}=
'11! ! c2 *k
3 |c 2, e1¢.¢ e_
'FJ'2 _3 a_ + sl_
sj .,.j(o.l.O
s .,__ .oj(.,l,0
l (,,,I+_)_
' I _+,'
p I*t-
t_ .,,.X.,_,.)
s/dl :_m.X.,,kc)
s i I aJ
12 I gk
l_ -.x..,.O
t |it, _ ,,,.,i(a.6,c)
eJ,,X,.i.O
s (o&+ ib)c _.,a_{.,k c)
e re.J(., kO
imume
aamw
stew
vl, |1, }.21
AI, I t._t
:)Io 2.2|, 2 _l.3
_ellmr
vl, 21, _14.1
^i, 2A2
DZ, $4.L, 243
excl, mkJdle
^B, 1.8, 1.5. l.I
^!, I.'/
I, 3, 2?
idemue
v£,il
vl_, 4, I
inmme
VI, 45,44 I
Al, 44.2
DI, 44.1,443
lutlm_
Vi, 43, 46,1
AI, 41J_l
_1, 4.11.1, 4.ll3
^E. 41, 4S, 4.?
:_1, 4.1, 4.0
^£. l. 3, 5
Deduction and Derivation...
o haw a lot in common
o reflect common modes of rcamning
o involve "proof engineering"
o should be integrated
S =.% S, (¢0
=% S_ (C_)
•,.% S3 (Ca)
I. E
2. I
3. It
4. 1_
[
k. I,
$
|llllyfl.
|Jlllnl.
tilt. k
Digital Design Derivation system
(Dl)D)
• An interactive transformation system based on
first-order' functional expressions
• Specialized for digital system derivation
DI)D a.q a formal system
• A core of .-ecure algebra
o Extensibility
o Derivation management
Modes of expression
_vlot
P
D
"t_i_ dau"
S
m
217
ml/m t..l_ ii.
Single Pulser
"SP penemtes a unit pulse for every pwlse ne_elved"
ml/m t.,i.d Ul.
(YO
1/o
define ($0 In Out) =
(it (- 0 (? In))
(so (> Zn) (_ 0 Out))
(el (> In) (! 0 Out)))
define (S1 In Out) t
(it(-o (?In))
(so (>Za) (_ t out))
(st (_ Zn) (t o out)))
A
define (SP In) - Out
.where
I - (cons 0 In)
Dut " (ands I (nots In))
In = (0, O, 1, I, 1, O, O, 0,... )
x = (o,o,o,i, 1,1, o,o .... )
Out = {0, O, O, O, O, 1, O, 0,...)
B
ID 1,,_ l.,r,_ ii, i=_
218
Behavior to structure:
define (FAC n) = (F n 1)
vhers
(F u v) m (if (zeroT u)
(F (dcr n) (._py u v)))
define (FACsystem n) - (list V R)
vhere
V - (coat n (Dee,U))
V - (cons t (MPY U V))
a - (ZERO? U)
FM8501 specification [Hunt]
{d*_a goIq {?o|-f|l* _tl-m I-fiq v-{laI l-fill i-fill lit)
(If (llll_p 1aS)
(11l$ zq-ftle _i-_U a-flaG ,-_lq I-flq I-Ylq)
(tort (rq-_ || e-a_ia_- olw4 -t-_ll- lm_t
Tll-ltll r_l-m c-_lq v-na_ I-YlI 8 u-YlsB)
(reel-_-itier-ell-_lto
Tq-ille r_l-_ c-YlaJ ,-flq s-_l_ I°YlI I)
(ip4*ll-v
(i-_aoa*l {_*A_-Ilatr_cffil_ Tq-tlll reel-.J)l
a-flq
(¢ (_-ell-cv*r_llta rq-_lle TNI'WO ¢'tle¢}))
('_*tJ"
(t-_c-a_ (cl_e*l-iMt_¢_la yq-flle y*ll-m))
v-tlq
(_ (t_-*II-CV-T*IIIII T_toflle rml-m I-tl_l))
(_-Ze-lCt (cl_ell-lmeS_¢tla Fq-_ll* •eli-roD
I-tl_
(llrop (t_-Io-lal (_ {t_-all-cv-ru_lU
• q-ill• r_l-_ c-flq))))l'
(,_,t,o,
(t-zz-sal (cmrrn_-lla_r_citm _q-_lle Yaat-_a))
i-ilq
(mq*tl_ {tm-io-ta (iv (tm-lle-zv-yoeal_e
T_o_lle Teal-_a a-_lal|))3)
(car ll_l))l
B
ml/to _._ t_ m
Serialization
dofine (FACsIst*I n) - (list V R)
vhere
U = (con* n (DCRU))
V " (con* 1 (HPY U V))
R - (ZEXO? U)
define (FAC n) - (FOn i)
where
(FO u v) - (it (zero? u)
V
(rlu (spy u v)))
(Fiu v) - (FO (dcr u) v)
FM8501 implementation [Hunt]
(dell Itl-_l_in (at reed mille it•el re•el _-stoTe Iala-ovt
rmi-fll* _iiy-ell c-ll. i ,-fl* l 2-_1•¢ i-_i*g
a r_ b-rq I l In I l_q r el
_-giIeI-I_-MOS_ 7 oraclm}
(if (u|lalp eYl¢li)
Ill., ur _ wit. it.el re.at It-liars Ilia-It lq-lil.
edit-It ¢-fl t .-il I l-fl I i-ill a-Ill t-rl t'I. I
vtalall veil-sea II_-lliCt-#q-ilat_)
(lli-II_Igi {u_r e4r I-rq dll©i lilit l@-liOli)
laid ill I-Yq)
{_vll...r l-Yq ll-ilOYl}
{lllli I¢iY oYlili})
(riiel (lii o_l¢ll))
IlO-ilOYi 1i-II0FI I-il• I .-Sia I S-YI. i l-Yl l
l-iq Ill)
{i.t.-e_l I.li-#ii i-it I i-_, I i-Ylq 1-,, I ,.r)
(,q-tile rq-lil, dlil-gll I-lq., 10-.,0I,
re4e_)
{eldi-_el eld•-Hl •el*ill. l-_a i ir •lilt)
lc-¢l t l-fll I . _e I I_ q t-_q .al)
I.-tlq ,-11_8 I-_ol i'•.l I'flii I'_el lit)
(i-ill I i-ill I i-ll i br N i-lie I l-re I lii)
(l-fls i t-flail l-re I t.-vq ¢-fla I I-r_ ill
(.-lq .-lq ,lml-! •el-ilia I-_. I ..r r.l.ll
tbrql t.r, I ,llaal-,I if-fill I-ill .,y •..*tl
(I-r_l l-r,l viii•l-! earl
m_-lallh_l-illlO _
(drool (c.i eric|e))
(•_It (ill lyacl•))}
{rmal_ yli|Oue_ _eld lYlte s4ldr-out data-all
_ma_+vetc_-il slaty
(dteck (c_ areola))
[iiall [cur oracle)})
[leici-do_ ram m_lte (d_set (car eymel•))
_ia-_l M_r-eut )
[ed'r _lclil
Ill
219
Block diagram of BIGmachine
Superimposed architectures
Architecture derived from SOFT
:_ .
Detail of a local factorization
lartrt¢ _ _1. m
220
Physical organization of FM8501
e
o
Structural manipulation
Expcrimcnts with FM8501/2
i'--I
L_k l_¢h4ma" I
g
0
Procedural abstraction
define (FAC n) - (F n 1)
vhere
(F u v) " (if (zero? u)
v
(F (dcr u) (HPY u v)))
define (HPY n m) = (H n m O)
vhere
(H v x y) - (if (zero? v)
Y
(if (even? v)
(M (/2 v) x C.2 y))
(H (12 v) x (+ (*2 y) x))))
221
80
mtr_ J_ _L
]neorporating procedures
define (FAC n) - (F n i O)
whets
(_ u v v z) - (if (zero? n)
v
(M U V V U))
(H u v v z) - (it (zoro? u)
(F (dcr x) v 0 #)
(if (even? u)
(M (/2 u) v (*2 v) z)
(M (/2 u) v (+ (.2 v) v) x)))
o
Ib_/_ _ tL m
Sequential Decomposition
u,_/l
M
W
(FO u v m dm) =
(it (zero? u)
v
(cons (list ! u v)
(Fiu v (> m) (> dm))))
(rt u v m d m) -
(coal (list 0 u v)
(it (hi? (? dm))
(FO (dcr u) (? m) (> a) (> dlm))
(r! n v (> m) (> da))))
Design derivation
Construction of an implementation by equivalence
preserving transformations.
Eo_Ej_r2_ ..- _G
malntAin!ng the global view
_) making local transformations
(]) mt*r_lane design
0 no "complete" algebra
0 fixes "equi_lcnce"
0 iwltil_its cleverness
mlfm Aq._ it
Interactive verification
222
Results of Workshop Survey
Each participant at the workshop was asked to complete a detailed survey. 1 Fifty-three people returned
the survey; this section presents the results.
For each question asked on the survey, the specific question is reproduced and the answers to the question
are tabulated below. If a person circled multiple answers to a question for which only one answer was
expected, the results were weighted. For example, in response to question 2, one Formal methods developer
circled both b and c. This was tabulated as 0.5 for b and 0.5 for ¢.
Totals or averages are given where appropriate. Not every person answered every question on the survey,
so the totals for different questions may vary.
1. What is the nature of your organization?
a. University b. Formal methods developer
c. Government d. Aerospace industry
Question 1
a b c d e
Industry 0 0 0 22 6
Government 0 0 14 0 0
University 2 0 0 0 0
FM Developers 0 9 0 0 0
Note: Six people did not believe that the four listed choices accurately described the nature of their
organization. The specific answers given were: transportation, railway transportation, non-profit
lt&D org, industry/coamercial, othar, and don't imow. For the purpose of recording the answers, these
6 surveys are grouped with Industry.
2, What is your primary job function?
a. Basic research b. Applied research
d. Hanagenent
c. Product development
e. Other
Question 2
a b c d e
Industry 1 17 5 2 3
Government 1 5 0 4 3
University 1 1 0 0 0
FM Developers 3 1.5 0.5 4 0
Totals 6 24.5 5.5 10 6
Please rate your understanding of formal methods theory and practice:
b. Somewhat fmailiar c. gnowledgable
3.
e. Expert
Question 3
a b c d e
Industry 8 10 6 4 0
Government 6 4 3 0 1
University 0 0 0 1 1
FM Developers 0 0 0 1 8
Totals 14 14 9 6 10
a. Wovico
d. Considerable
1NASA Langley personnel involved in planning and conducting the workshop did not fill out &survey.
223
Note: One of the goals of the workshop was to attract people with widely varying understanding of
formal methods. These numbers suggest that this goal was met.
4. What is the general level of awareness of formal methods within your organization?
a. None b. Xinimal ¢. Sparse
d. Moderate e. Considerable
Question 4
a h c
Industry 7 13 4
Government 4 8 1
University 0 0 0
FM Developers 0 0 I
Totals 11 21 6
d e
I 3
0 1
2 0
0 8
3 12
6. Before attending this workshop, how gould you have rated the state-of-the-art of
formal methods in terms of its potential for iamediate application?
a. Not usable b. Needs more time ¢. Nearly ready
d. Ready now e. Has boon ready
Question 5
a b c d e
Industry 4 16 4 3 1
Government 2 5 4 1 1
University 0 1 1 0 0
FM Developers 0 0 6 1 1
Totals 6 22 15 5 3
Note: Three FMdevelopers, one who answered d and two who answered c augmented their responses
with the comment"for some applications."
6. low that you've attended this workshop, hoe would you rate the state-of-the-art of
formal methods in terms of its potential for immediate application?
a. lot usable
d. Ready now
b, leeds more time
e. Has been ready
c. learly ready
Question 6
a b c d e
Industry 1 16 8 3 0
Government 0 4 6 2 0
University 0 0 2 0 0
FM Developers 0 0 7 1 1
Totals 1 20 23 6 1
Note I: See note for Question 5.
Note _: The results to this question demonstrate that the workshop did alter some people's perceptions
of the state-of-the-art. Particularly interesting is that before the workshop, the perception of the state of
the art by nine people was at one or the other extreme, but after the workshop, the number of people at one
or the other extreme was reduced to two.
224
7, Please rate the extent to
organization:
a. |over
d. Occasionally
uhich fornal nethods is practiced today within your
b. Selden c. Sporadically
e. Often
Question 7
a h c d e
Industry 15 9 2 1 1
Government 9 3 0 2 0
University 0 0 0 1 1
FM Developers 1 0 2 1 5
Totals 25 12 4 5 7
Note: One FM developer answered a, and added the comment Uon our own systems."
8, When do you think that fornal nethods rill be used often in your conpany?
a. 0-2 years b. 2-5 years c. 5-10 years
d. 10-20 years e. Never
Question 8
a b c d e
Industry 5 7 12 3 1
Government 4 3 3 2 0
University 1 0 1 0 0
FM Developers 5 2 1 0 0
Totals 15 12 17 5 1
Note: An individuM from industry answered c with the comment "unless required by customers
earlier."
9. Hog difficult do you feel
a. Extraely
d. Sonowhat
it is to put formal nethods into practice?
b. Very c. Moderately
o. None at all
Question 9
a h c d e
Industry 7 9 12 0 0
Government 2 ? 4 1 0
University 0 1 1 0 0
FM Developers 2 3 4 0 0
Totals 11 20 21 1 0
10. 1re you personally inclined to apply formal methods on a design project in the near
future?
a. Strongly inclined b. Moderately inclined c. Indifferent
d. |or inclined e. Would quit first
225
ll.
Question 10
a b c d e
Industry 13 9 1 5 0
Government 8 6 0 0 0
University 2 0 0 0 0
FM Developers 6 3 0 0 0
Totals 29 18 1 5 0
How veil prepaxedare the professionals in your organization through education and
previous training to absorb the technology of formal methods?
a. Minimally b. Somewhat c. £dequately
d. Receptive e. Well prepared
Question 11
a b c d e
Industry 15 8 3 0 2
Government 7 ? 0 0 0
University 0 1 1 0 0
FM Developers I 0 0 1 7
Totals 23 16 4 1 9
12. In your organization, which of the following obstacles exist that inhibit or
prevent the use of formal methods? (chock all that apply)
___ Management believes it is impractical
.__ Engineering staff believes it is impractical
.__ Lack of sufficient knowledge about formal methods
.__ Lack of required skills
___ Up-front cost too high
.__ Have had negative experiences in the past
___ Do not believe it is useful
___ Be obstacles exist
(Mgmt)
(E g)
(sk tV.
(Co,t)
(Neg)
CNot) ........
.........
Question 12
Mgmt En8 Know Skill Cost New Not None
Industry 10 13 24 20 10 4 6 2
Government 5 4 13 11 6 1 4 0
University 0 0 1 0 0 2 0 0
FM Developers 1 2 1 1 3 0 0 4
Totals 16 19 39 32 19 7 10 6
Note: An industry representative checked He obstacles exist, but added the comment "except
funding."
13. How would you rate the potential benefits of using formal methods?
a. Negligible b. Somewhat useful c. Moderately useful
d. Helpful e. Significant
226
Question 13
a b c d e
Industry 0 5 1 4 18
Government 0 0 1 4 9
University 0 0 0 1 1
FM Developers 0 0 1 3 5
Totals 0 5 3 12 33
Note: A person from industry circled e, but added the caveat, "if it does all that is advertised."
14. Hog gould you rate the costs of formal methods technology relative to the costs of
current practice?
a. Excessively higher
d. Somewhat loser
b. Somewhat higher
e. Much loser
c. Equivalent
Question 14
a b c d e
Industry 4 13 5 4 2
Government 2 8 0 0.5 1.5
University 0 2 0 0 0
FM Developers 0 2 5 0 0
Totals 6 25 10 4.5 3.5
Note J: A government representative circled • and added "over system life cycle."
Note _: An industry person circled a, with the additional comment "don' t see lq_ replacing anything
--- it only adds confidence and cost to date."
15.
Note:
Bow aggressively eould you recommend your management pursue the use of formal
methods technology?
a. Forget it
b. Keep up eith developments
c. lttempt small pilot projects
d. £ttempt larger applications
o. Full speed ahead
Question 15
a b c d e
Industry 0 6 20 2 0
Government 0 0.5 10.5 2 1
University 0 0 2 0 0
FM Developers 0 0.5 2 4.5 1
Totals 0 ? 34.5 8.5 2
One industry representative answered c and added the comment "to completion I"
16. How much empirical evidence on the benefits of formal methods do you feel is
available for managers to make informed decilions regarding its use?
a. Insufficient b. Nearly sufficient c. £dequate
d. More than adequate e. Plentiful
227
Question 16
a b c d e
Industry 22 2 3 0 1
Government 8 2 3 0 0
University 1 0 1 0 0
FM Developers 4 3 0 0 2
Totals 35 7 7 0 3
17. Rate the importance of reusable formal verifications such as verified clock
synchronization circuits and verified softvare modules.
a. |one at all b. Someghat c. Moderately
d. Very e. Extremely
Question 17
a b c d e
Industry 2 2 7 6 10
Government 0 5 4 3 0
University 0 0 0 1 1
FM Developers 0 0 0 4 4
Totals 2 7 11 14 15
18. Rate the importance of generic _ools (such as, semi-automatic theorem provers,
specification language typecheckers) that can be applied to softeare/hardeare
development ...... =, ................
a. gone at all b. Somewhat c. Moderately
d. Very e. Extremely
Question 18
a b c d e
Industry 0 2 5 I1 10
Government 0 1 4 6 3
University 0 0 0 0 2
FM Developers 0 0 2 2 5
Totals 0 3 11 19 20
19. Rate the importance of the capability of formal methods to produce trusteorthy
solutions of difficult problems i_ computer science.
a. Jone at all b. Someehat c. Moderately
d. Very o. _tremeiy
k
Question 19
a b c d e
Industry 1 3 5 12 7
Government 0 1 4 4 5
University 0 1 0 1 0
FM Developers 0 0 1 2 6
Totals 1 5 10 19 18
228
Note: An industryperson wrote: "(a) who cares (practically) about CS? (c) for real problems.
We need trustworthy solutions to real problems:"
20. Where in the life-cycle do you feel formal methods can be applied most cost-
effectively?
a. Requirements
d. Zmplementation
b. High-level design
e. Maintenance
c. Detailed design
Question 20
a b c d e
Industry 15.5 8 3.5 0.5 0.5
Government 9.33 2.83 1.33 0.5 0
University 0.45 0.45 0.45 0.45 0.20
FM Developers 1.67 5.67 0.33 0 0.33
Totals 26.95 16.95 5.61 1.45 1.03
21. Where in the life-cycle do you feel formal methods can yield the most significant
benefits, irrespective of cost?
a. Requirements b. High-level design c. Detailed design
d. Implementation e. Maintenance
Question 21
a b c d e
Industry 20.33 2.83 3.33 0 0.5
Government 9.33 1.83 0.83 0 0
University 1.33 0.33 0.33 0 0
FM Developers 1.5 1.5 3 1 1
Totals 32.5 6.5 4.5 1 1.5
22. How long does it take to
a. Less than 2 weeks
d. 6 months to I year
become proficient in formal methods?
b. 2 weeks to I month c. I to 6 months
e. I to 5 years
Question 22
a h c d e
Industry 0 0 2 16 9
Government 0 0 1 5 6
University 0 0 0 0 2
FM Developers 0 0 1 ? 0
Totals 0 0 4 28 17
Note 1: Two people, one from government and one from industry, said that the answer to this question
was "dependent on background."
Note g: A person from a university circled e, and annotated the answer with "or more."
23. b'hat is your opinion of the following statement: rrProficiency in formal methods
requires a high degree of mathematical sophistication." ?
a. Agree strongly b. 1grew c. Io opinion
d. Disagree e. Disagree strongly
229
24.
Question 23
a b c d e
Industry 9 14 1 2 2
Government 5 6 1 1 0
University 0 1 0 1 0
FM Developers 0 6 0 2 0
Totals 14 27 2 6 2
Note: An industry representative circled a, but added, "but it shouldn't be the case!"
To each of the following areas assign a nulber from 1 to 8 to denote the importance
of the area. Use 1 to denote that the area is extremely important, and 5 to denote
that the area is not important at all, Please assign a 0 to any area about which
you have no opinion.
___ Basic modeling techniques
___ Code verification (especially for ada)
___ Education and training
___ Integrated verification systems
--- Mechanical theorem provers
Reusable deductive theories (libraries of definitions and theories)
--- Reusable, verified 8oftgare libraries
___ Special purpose verification tools (such as Spectool, DDD. k Penelope)
___ Specification languages
___ Worked examples
Question 24: Industry
0 1 2 3 4 5 I Avg.
Model. Tech. 3 ll 8 4 2 0
Code Verif. 4 10 5 6 3 0
Education 2 15 10 0 0 1
Int. Ver. Sys. 4 10 8 5 3 0
Mech. T. Prov. 4 2 11 7 4 0
R. Ded. Theo. 5 5 11 3 4 0
R. Soft. Lib. 2 7 11 3 5 0
Sp. Purp. Tool 5 0 7 14 2 0
Spec. Langs. 1 14 8 3 1 1
Examples 2 11 9 4 2 0
1.9
2.1
1.5
2.0
2.5
2.3
2.2
2.8
1.8
1.9
Question 24: Government
0 I 2 3 4 5 I Avg.
Model. Tech. 2 5 4 0 0 2 2.1
CodeVerif. 2 4 2 5 0 1 2.3
Education 0 6 0 5 0 2 2.4
Int. Ver. Sys. 3 0 2 4 2 1 3.2
Mech. T. Prov. 1 3 2 3 1 2 2.7
R. Ded. Theo. 2 1 2 4 3 1 3.1
R. Soft. Lib. 1 2 2 4 3 1 2.9
Sp. Purp. Tool 4 1 2 4 1 1 2.9
Spec. Langs. 1 4 3 2 1 2 2.5
Examples 1 6 2 2 0 2 2.2
230
\Question 24" University
0 1 2 3 4 5
Model. Tech. ".... 1 i 0 0 0 0
CodeVerif. 0 0 0 0 0 0
Education 0 0 0 0 0 0
Int. Ver. Sys. 0 0 0 0 0 0
Mech. T. Prov. 0 0 0 0 0 0
R. Ded. Theo. 0 0 0 0 0 0
R. Soft. Lib. 0 0 0 0 0 0
Sp. Purl). Tool 0 0 0 0 0 0
Spec. Langs. 0 0 0 0 0 0
Examples 0 0 0 0 0 0
Avg.
1.0
...... --
Question 24: FM Developers
0 1 2 3 4 5 [ Avg.
Model. Tech. 0 6 2 1 0 0 1.4
CodeVerif. 0 3 2 2 1 1 2.4
Education 0 6 2 1 0 0 1.4
Int. Ver. Sys. 0 5 1 2 1 0 1.9
Mech. T. Prov. 0 3 3 2 1 0 2.1
R. Ded. Theo. 0 3 6 0 0 0 1.7
R. Soft.Lib. 0 4 2 4 0 0 2.0
Sp. Purp. Tool 0 3 2 1 3 0 2.4
Spec. Langs. 0 3 6 0 0 0 1.7
Examples 0 5 2 1 1 0 1.8
No_e 1: Answers of 0 were ignored in calculating the averages.
Nofe _: For a few respondents, the answers to this question seemed inconsistent with answers to other
questions. We suspect that some people may have failed to read the question carefully, and as a result reversed
the ordering (that is, used 5 to denote extreme importance and 1 to denote no importance); however, we
recorded their responses as given.
25. To each of the folloeing tools and techniques assign a number from 1 to
5 to denote your perception of the usefulness of the tool/technique. Use
1 to denote that you believe the tool/technique may be extremely useful,
and 5 to denote that you believe the tool/technique is useless. Please
assign a 0 to any tool/technique about which you have no opinion.
___ Boyer-Moore ___ DDD ___ EVES
___ HOL .__ Modelieation ___ |uprl
___ Penelope .__ PVS/Ehdm ___ Safety analysis
___ Spectool
231
JQuestion" 25: Industry _
0 1 2 3 4 5 Avg.
Boyer-Moore 9 1 4 10 3 1 2.9
HOL 8 1 7 6 5 1 2.9
Penelope 12 0 9 4 3 0 2.6
Spectool 16 0 6 4 2 0 2.7
DDD 19 0 2 4 3 0 3.1
Modelisation 14 5 2 3 2 2 2.6
PVS/Ehdm 5 6 10 5 1 1 2.2
EVES 20 0 3 3 1 1 3.0
Nupd 23 0 3 0 1 1 3.0
Safety Analysis 8 14 3 2 1 0 1.5
Question 25: Government
0 1 2 3 4 5 Avg.
Boyer-lVIoore 7 1 3 2 0 0 2.2
HOL 8 2 0 3 0 0 2.2
Penelope 11 1 1 0 0 0 1.5
Spectool 13 0 0 0 0 0 -
DDD 12 0 1 0 0 0 2.0
Modelisation 8 1 2 0 0 0 1.7
PVS/Ehdm 7 3 1 2 0 0 1.8
EVES 12 0 0 1 0 0 3.0
Nuprl 12 0 0 1 0 0 3.0
Safety Analysis 5 5 1 1 0 l 1.9
Question 25: University
0 1 2 3 4 5 [ Avg.
Boyer-Moore 0 1 I 0 0 0 1.7
HOL
Penelope
Spectool
DDD
Modelisation
PVS/Ehdm
EVES
0 0 2 0 0 0 2.0
1 0 1 0 0 0 2.0
1 0 1 0 0 0 2.0
I 0 1 0 0 0 2.0
2 0 0 0 0 0 -
0 2 0 0 0 0 1.0
0 0 1 1 0 0 2.5
2.0
4.0
Nuprl 0 0 2 0 0 0
Safety Analysis 1 0 0 0 1 0
Question 25: FM Developers
0 1 2 3 4 5 I Avg.
Boyer-Moore 0 0 5 1 0 0 2.2
HOL 0 0 3 2 2 0 2.9
Penelope 0 3 0 2 2 0 2.4
Spectool 1 3 0 3 0 0 2.0
DDD 2 0 1 3 0 1 3.2
Modelisation 3 I 1 1 I 0 2.5
PVS/Ehdm 0 I 5 I 0 0 2.0
EVES I 1 3 2 0 0 2.2
Nuprl 0 0 0 I 4 2 4.1
SafetyAnalysis 2 1 2 1 1 0 2.4
232
Note: See the notes for Question 24.
26. How expressive should a formal language be?
a. Very expressive (such as g and VDH) b. To the level of hlgher-order logic
c. To the level of Ist order logic d. To the level of Prolog
e. To the level of propositional calculus
Question 26
a b c d e
Industry 14 6 2 1 0
Government 2 4 0 0 1
University 1 0.5 0.5 0 0
FM Developers 3 4 2 0 0
Totals 20 14.5 4.5 1 1
Note: Four people, one Hem industry and three Hem government, did not answer this question, but
wrote the following commentsinstead: "depends on application," "to understanding of user," "this
needs to be decid#d on the basis of the domain of application requirements," and "depends on
when it is used."
27. How important is it to have a specification language that can mimic the notation
typically employed in the problem domain?
a. None at all b. Somewhat c. Noderately
d. Very e. Extremely
Question 27
a b c d e
Industry 0 3 5 12 6
Government 0 2 3 2 5
University 0 0 0 1 1
FM Developers 0 0 3 4 2
Totals 0 5 11 19 14
Note I: A member of the government answered e, and included thecomment: "to be accepted by
the engineers and program managers."
Note g: Anothergovernmentrepresentative did not circle an answer, but wrote "I¢ must not necessarily
mimic but must be readable by experts in the problem domain."
28. Now important is the availability of powerful decision procedures in a theorem
prover (for example, decision procedures for linear arithmetic and propositional
calculus)?
a. None at all b. Somewhat c. Moderately
d. Very e. Extremely
Question 28
a b c d e
Industry 0 3 8 7 5
Government 0 1 3 3 2
University 0 0 1 1 0
FM Developers 0 0 1 2 6
Totals 0 4 13 13 13
i=j
j
!
|
233
29. To each of the following areas assign a number from 1 to 5 to denote your opinion
as to the importance of NASA sponsoring york in the area. Use 1 to denote that you
believe it is extremely important for NASA to sponsor work in the area, and 8 to
denote that you believe HASA should not sponsor any work in the area.
___ Theoretical research (for example, developing theorem provers)
___ Applied research (for example, pilot projects applying formal methods)
___ Joint projects between traditional engineering groups and formal methods experts
___ Workshop8 such as this one
Qnestlon 29: IndustrYo I 2 3 4 ,5 1]_. .'l'i.'ort_tical Research 0 8 5 7 3 ,5
Applied R,_search 0 19 6 0 0 3
Johlt Projects 0 :2:1 2 2 I 0 |1.3 11.3
Workshops 0 17 7 2 2 0/1.6 [
Q,m_stlon 29: Gl_vernment
............... 0. 4
J'l'heoretical Research 0 3
IApl,lied lteseardl 0 10
[Joint Project.s 0 9
[Workshops 0 II
:t 3 4 5[.Avg
5 I 4 0
1 1 0 1 [ 1.5
"} 0 1 0 [ !.5
1 0 0 1 I 1.4
Que.stion 20- University ]
0 l :2 3 4 5 I Avg; l
Theoretical Research 0 0 1 I 0 0 I' "2"5 I
Applied Research 0 2 0 0 0 0 I ].0 j
Joint Projects 0 1 1 0 0 0 I 1.5 IWorkshops ! .
Theoretical Research 0 4 2 2 l 0
Applied Research 0 5 4 0 0 0
Joint Projects 0 5 4 0 0 0[ 1:4 [
Workshoi>s 0 2 d 2 1 0 ] 2.2 I
Nolei See the notes for Question 24.
..... -: z4- _ ; :
Questions 30-32 were not multiple choice. Only a few representative comments from each organizational
category are included below. 'l'he._ comments are presented exactly as given; no editing has been done. For
these questions, Government and University participants haw' been grouped together.
30. Want formal methods have you used?
Industry: Boyer-Moore, cleanroom, Clio, EIII)M, IIO1,, Spectool, teml_,>ral logic, VDM, Z
Gov £_ Univ: Boyer-Moore, cleanroom, DDD, EIII)M, llOl,, VDM
234
FM Developers: Boyer-Moore, Clio, EHDM, EVES, HOL, PVS, Penelope, SDVS, Spectoo], temporal
logic, Z
31. In chat applications and parts of the life-cycle have you used forual methods?
Industry: requirements modeling, design, and testing, conceptual study, detailed design, verification of
algorithms, implementation
Gov £_ Unlv: software requirements, high level requirements, avionics software, missile systems, electronic
message systems, design, implementation, academic research projects
FM Developers: hardware designs, microcode, detailed design, algorithms, high-level HW design
32. Any additional comments?
Industry:
• ''Workshops of this type where interested industries can attend and participate are
excellent opportunities for technology transfer. I gould encourage IASA to continue
this type of interaction. ' '
• ''I gould very much like to see a survey of (1) methods (2) languages & (3) tools
presenting PROs & C0lis of each. As a novice ganting to enter the field, ghere do
I start?' '
• ''Tools are very important to this effort. Paper and pencil will not spread to industry. ''
• ' 'It would have been nice to actually solve some simple problems using a formal technique
rather than seeing lots of talks about proofs. ''
• ' 'Suitable applications of FMs was not elaborated on. I still cannot say 'where'
one should apply 'what ' FM. ' '
• "Mood to separate Rt/ FM's from St/ FN's.''
• ' 'This is one of the only forums I have attended that has had equal representation
from the software and hardware cozuaunity sharing roughly e_ual concerns and a common
interest in a technology of equal value and benefit to each community. ''
• ' 'You are overcautious about overselling .... ''
Gov £_ Univ:
• ''We must find a way to better find errors in Reqm'ts''
• ''It is important for NASA to take a leadership position in Formal Methods for civilian
aerospace applications. ' '
• ''FM appears to be currently the most feasible means of adding rigor and consistency
to the software development process.' '
• ' 'Keep holding this workshop! ' '
• ''I really wish copies of slides had been available at the conference. It would greatly
simplify notetaklng. ''
FM Developers:
• ''There is no 'royal road' to FH for industry."
• ''FM is powerful for educating designers.''
• ' 'Formal methods are no panacea''
235
236
NASA Formal Methods Workshop Attendees
Jorgen B. Andersen
HoneyweN, Inc.
Box 21111
Phoen_,AZ 85036-1111
Bob Baker
Research Triangle Institute
PO Box 12194
Research Triangle Park, NC
rlb@rti.rti.org
27709-2194
Mark Blckford
Odyssey Research Associates, Inc.
301 Dates Drive
Ithaca, NY 14850
email: mark@oracorp.com
Bhaskar Bose
Indiana University
215 Lindley Hall
Bloomington, IN 47405
Danlele Bozzolo
Union Switch and Signal, Inc.
5800 Corporate Drive
Pittsburgh, PA 15237
Jerome F. Coffel
I loneyweU, Inc.
3660 Technology Drive
MN65-3240
Minneapolis, MN 55418
emall: J coffel@src.honeywell.com
Richard Covington
NASA Jet Propulsion Laboratory
MS 125-233
4800 Oak Grove Drive
Pasadena, CA 91109
Dan Cralgen
ORA Canada
265 Carling Avenue
Suite 506
Ottawa, Ontario KIS 2E 1
CANADA
email: dan@ora.on.ca
Ronald T. Crocker
Motorola, Inc.
1501 West Shure Drive
Arlington Heights, IL 60004
email: crocker@mot.com
Ricky W. Butler
NASA Langley Research Ctr.
Mall Stop 130
Hampton, VA 23681-000 l
emall: rwb@air 16.1arc.nasa.gov
Jim Caldwell
NASA Langley Research Center
Mail Stop 130
Hampton, VA 23681-0001
email: caldwell@cs.comell.edu
Mark Crosland
Boeing
MS 88-12
P.O. Box 3707
Seattle, WA 98124
Jim Dabney
Intermetrics, Inc.
I 100 Hercules
Suite 300
Houston, TX 77058
Victor Carreno Mike DeWalt
NASA Langley Research Center FAA
Mall Stop 130 ANM- 106N
Hampton, VA 23681-0001 1601 Lind Avenue, S.W.
email: vac@air16.1arc.nasa.gov Renton, WA 98055-4056
pI_E.C,EDING PA_ BLANK NOT FILMEI2
237
Ben Di Vito
Vigyan, Inc
NASA Langley Research Center
Mall Stop 130
Hampton, VA 23681-0001
email: bld@air 16.1arc.nasa.gov
Audrey Dorfman
Vitro Corporation
600 Maryland Ave., SW
Suite 300, West Wing
Washington, DC 20024
George Finelli
NASA Langley Research Center
Mail Stop 130
Hampton, VA 23681-0001
email: gbf@air 16.1arc.nasa.gov
Gene Fisher
California Polytechnic State Univ.
Dept. of Computer Science
San Luis Obispo, CA 93405
Scott French
IBM Corporation
3700 Bay Area Blvd.
Houston, TX 77058-1199
David Fura
Boeing Defense and Space Group
P.O. Box 3999
Seattle, WA 98124
Jane Gaby
Martin Marietta Energy Systems
MS 8203, Bldg. 9112
P.O. Box 2009
Oak Ridge, TN 37831-8203
Susan Gerhart
NaUonal Science Foundation
1800 G. Street, N.W.
Room 304
Washington, DC 20550
email: sgerhart@nsf.gov
Holly Gibbons
Intermetrics, Inc.
I 100 Hercules
Suite 300
Houston, TX 77058
email: gibbons@inbox.hous.inmet.com
Allen Goldberg
Kestrel Institute
3260 lllllrich Ave.
Palo Alto, CA 94304
email: goldgerg@kestrel.edu
David Goldschlag
National Security Agency
9800 Savage Road •
M352 (D. Goldschlag)
Ft. Meade, MD 20755-6000
David Hamilton
IBM Corporation
3700 Bay Area Blvd.
Houston, TX 77058-1199
Charles Hardwick
University of Houston-CL
2700 Bay Area Blvd.
Houston, TX 77058
email: hardwick@cl.uh.edu
Rick Harper
C. S. Draper Laboratory
555 Technology Square
Cambridge, MA 02139
email: harper@draper.com
Paul Hayes
NASA Langley Research Center
MS 473
Hampton, VA 23681-0001
Connie Heitmeyer
Naval Research Laboratory
Code 5546
Washington, DC 20375
238
C. Michael Holloway
NASA Langley Research Ctr.
Hampton, VA
email: c.m.holloway@larc, nasa.gov
Michelle McElvany Hugue
Allied-Signal Aerospace Co.
Aerospace Technology Center
9140 Old Annapolis Road
MD 108
Columbia, MD 21045-1998
email: michelle@batc.allied.com
Warren Hunt
Computational Logic, Inc.
1717 West Sixth Street
Suite 290
Austin, TX 78703-4776
email: hunt@cll.com
Larry Hyatt
NASA Goddard Space Flight Center
Code 302
Greenbelt, MD 20771
Charles Hynes
Ames Research Center
Mail Stop 21 I-2
Moffett Field, CA 94035-1000
Ramu lyer
Motorola, Inc.
3701 Algonquin Road
Suite 601
Rolling Meadows, IL 60008
email: ramu@mot.com
Willliam Jackson
Martin Marietta Corporation
P.O. Box 179
MS 7330
Denver, CO 80201
John James
P.O. Box 7372
Fairfax Station, VA 22039-7372
Damlr Jamsek
Odyssey Research Associates, Inc.
301 Dates Drive
Ithaca, NY 14850
Jack Janelle
Honeywell, Inc.
21111 North 19th Ave.
Phoenix, AZ 85027- ! 111
Jim Jenkins
NASA Headquarters
Code RJ
Washington, DC 20546
Sally Johnson
NASA Langley Research Ctr.
Mail Stop 130
Hampton, VA 23681-0001
email: scJ @air 16.1arc.nasa.gov
Steve Johnson
Indiana University
Computer Science Dept.
Bloomington, IN 47405
John Kelly
NASA Jet Propulsion Laboratory
MS 125-233
4800 Oak Grove Drive
Pasadena, CA 91109-8099
Kathryn Kemp
NASA Headquarters
Code QT
Washington, DC 20546
John Knight
University of Virginia
Dept. of Computer Science
Charlottesville, VA 22903-2442
email: knlght@virginia.edu
Robert Kovach
NASA Headquarters
Code DO
Washington, DC 20546
239
Larry Lacy
Rockwell InternaUonal Corp.
Collins Flight Control
400 Collins Road NE
Cedar Rapids, IA 52498
Jay Lala
C. S. Draper Laboratory, Inc.
555 Technology Square
Cambridge, MA 02139
email: lala@draper.com
H. Grady Lee
Vitro Corporation
400 Virginia Ave., SW
Suite 825
Washington, DC 20024
Miriam Leeser
Cornell University
School of Electrical Engineering
Phillips Hall
Ithaca, NY 14853-5401
email: mel@ee.cornell.edu
Nancy Leveson
University of California at Irvlne
ICS Dept.
Orvome. CA 92717
Beth Levy
The Aerospace Corporation
Mail StaUon M 1/099
PO Box 92957
Los Angeles, CA 90009-2957
email: blevy@aero.org
Patrick Lincoln ....
SRI International
333 Ravenswood Ave.
Menlo Park, CA 94025
Charles W. Meissner, Jr.
NASA Langley Research Ctr.
Mail Stop 130 ....
Hampton, VA 23681-0001
email: c.w.meissner@larc.nasa.gov
Sievcn Miller
Rockwell International
Collins Commercial Avionics
400 Collins Road NE
Cedar Rapids, IA 52498
r
Paul Miner
r ASA  search Ct .
Mail Stop 130
Hampton. VA 23681-0001
emall: psm@air 16.1arc.nasa.gov
John Munro
Martin Marietta Energy Systems, inc.
Oak Ridge National Laboratory
P.O. Box 2008
Oak Ridge, TN 37831-6008 _-
Philip Newcomb
Boeing Computer Services
P.O. Box 24346
MS 7L-64
Seattle, WA 98124-0346
email: philu@atc.boeing.com
Stephen Nicoud
Boeing Computer Services
P.O. Box 24346
MS 7L-64
Seattle, WA 98124-0346
email: stephen@boeing.corn
Eric Peterson
Honeywell, Inc.
Air Transport Systems Div.
Box 21111
Phoenix, AZ 85036-1111
Richard Platek
Odyssey Research Associates, Inc'
301A Dates Drive
ithaca, NY 14850
Joseph Profeta
Union Switch and Signal, Inc.
5800 Corporate Drive
Pittsburgh, PA 15237
240
T
=
iPatricla Remacle
NASA Langley Research Center
Mall Stop 125A
Hampton, VA 23681-0001
Alice B. Robinson
NASA Headquarters
Code QR
Washington, DC 20546
John Rushby
SRI International
333 Ravenswood Ave.
Menlo Park, CA 94025
email: rushby@csl.srl.com
David Russinoff
ComputaUonal Logic, Inc.
1717 West Sixth Street
Suite 290
AusUn, TX 78703-4776
email: russ@cli.com
Mark Saaltink
ORA Canada
265 Carling Ave., Suite 506
Ottawa, Ontario KIS 2E l
CANADA
email: mark@ora.on.ca
Peter Saraceni
FAA Technical Center
ACD-230, Bldg. 201
AflanUc City Airport, NJ 08405
Carl Schaefer
MITRE Corporation
Washington Software Engineering Center
7525 Colshire Drive
McLean, VA 22102-3481
email: schaefer@mitre.org
Frank Schneider
Jet Propulsion Laboratory
4800 Oak Grove Drive
Pasadena, CA 91109-8099
Philllp Shaffer
GE Aircraft Engines
One Neumann Way
MD A320
Cincinnati, OH 45215-6301
shaffer@athena.crd.ge.com
K. S. (Doc) Shankar
IBM Corporation
3700 Bay Area Blvd.
Houston, TX 77058-1199
NataraJan Shankar
SRI International
333 Ravenswood Ave.
Menlo Park, CA 94025
email: shankar@csl.sri.com
Subash Shankar
Honeywell, Inc.
MN65-2100
3660 Technology Drive
Minneapolis, MN 55418
Greg Shea
Software Productivity Consortium
2214 Rock Hill Road
Hemdon, VA 22070
email: shea@software.org
Mandayam Srivas
SRI IntemaUonal
333 Ravenswood Ave.
Menlo Park, CA 94025
Richard Taylor
Atomic Energy Control Board
C.P. 1046, succursale B
270, rue Albert
Ottawa, Canada KIP 5S9
Susan Voigt
NASA Langley Research Center
Mail Stop 288
Hampton, VA 23681-0001
email: suev@csab.larc.nasa.gov
241
Chris Walter
Allied Signal Aerospace Company
Aerospace Technology Center
9140 Old Annapolis Road
MD 108
Columbia, MD 21045-1998
email: chris@batc.allled.com
:c
Robert E. Waterman _
NASA Goddard Space Fit. Center
Code 302
Bldg. 6, Rm. 5-229
Greenbelt, MD 20771
Isaiah White
Boeing Defense & Space Group
P.O. Box 3999, MS 8H-09
Seattle, WA 98124-2499
Lloyd Williams
Software Engineering Research
264 Ridgevlew Lane
Boulder, CO 80302
Phll Wlndley
University of Idaho
Computer Science Department
Moscow, ID 83843
email: windley@cs.uldaho.edu
Robert Wyman
Lawrence Llvermore National Lab.
P.O. Box 808
Livermore, CA _94550
h
242

/Oath4pdngand m,aJntmLntngthe data needed,and oon_le¢|ng_ teviewin9 the oo#eotlonel Inlom_t_o_. Sen<loommonte;eoa_d_gtheebu_l_ eotlmml,or mhyother ampeclo_thil
oohoflonot _, k_ euggeetk_ne forrod_ Ih_*burden.1oWa._in_on Iteadqua_ereServk_o.Ir_edo,'_e fork,d_.-rn_ionOpw_iorm aN/P,qpod_, 1215JeffenM)nDm_
H_h,,_y, 8_, t204, _, VA 2:B_-430_, _ Io the O_ o_M,,_geme_l ,_1Budo_. Pa_.wo#. Re_lo_ P_ {0704-0m8), W_hln_aon,IX: 2O5O3.
1. AGENCY USE ONLY (Lea'_,eblank) 3. RF..I;'OR'f DATE 3. REPORTTYPE AND DATES COVEREO
November 1992 Conference Publication
4, TITLE AND 8uoTrrLE .... 6. FUNDING NUMBERS
Second NASA Formal Methods Workshop 1992 WU 505-64° 10-05
e. AUTHOR(S)
Sally C. Johnson, C. Michael Ih)lloway, a.d Ricky W. Budcr, Compilers
7. PERFORMIN_ ORGANIZATION NAME(S) AND ADDRESS(ES)
NASA Langley Research Center
Hampton, VA 23681-0001
9. SPONSORING i MONITORING AG'F_NCY NAME(S) AND ADDI_ESS(ES)
National Aeronautics and Space Administration
Washington, DC 20546-0001
8. PERFORMING ORGANIZATION
REPORT NUMBER
10. SPONSORING/MONITORING
AGENCY REPORT NUMBER
NASA CP-10110
11. SUPPLEMENTARY NOTES
This workshop was chaired by Ricky W. Butler and Sally C. Johnson of NASA Langley Research Center.
13o. DIBTRi'BU_ION / AVAILABILITY 8_rATEMENT
Unclassified - Unlimited
Subject Category 61
13. _4B_I'RACT (MaMmum 200 words)
12b. DISTRIBUTION CODE
This report documents the Second NASA Langley Formal Methods Workshop held at the NASA Langley Research Center,
August 11-13. 1992. The primary goal of the workshop was to bringtogether formal methods researchers and aerospace
industry engineers to investigate new opportunitiesfor applying formal methods to aerospace problems. The first part of the
workshop was tutorial in nature. The second pad of the workshop explored the potential of formal methods to address
current aerospace design and verificationproblems. The third part of the workshop involved on-line demonstrations of
state-of-the-art formal verification tools. Also a detailed survey was filled in by the attendees; the results of the survey are
compiled [n this report.
14. SUBJECT TERMS
Formal methods; Digital flightcontrol; Verification;Specification; Design proof
17. SECURITN' CLAS_FICATION 18. SECURITY CLASSIFICATION
OF REPORT OF THIS PAGE
Unclassified Unclassified
NSN 7540-0t.280-5500
19. SECURITY CLASSIFICATION
OF ABSTRACT
15. NUMBER OF PAGES
16. PRICE CODE
20_ uMrrATION OF ABSTRACT
Standard Form 298 (_ev_2-ag)
Pre_ by ANSIStd.230-10
298- f_
=
%
F
£
i
=
