Formal Methods Group ETH Zürich  by Biere, Armin et al.
Electronic Notes in Theoretical Computer Science 80 (2003)
URL: http://www.elsevier.nl/locate/entcs/volume80.html 5 pages
Formal Methods Group ETH Zürich
Armin Biere, Cyrille Artho, Malek Haroud, Viktor Schuppan
Computer Systems Institute
ETH Zürich, Department of Computer Science
CH-8092 Zürich, Switzerland
Abstract
In this short note we give an overview of past and ongoing projects of the
Formal Methods Group of the Computer Systems Institute at ETH Zürich in the
context of formal methods for industrial critical systems.
1 Introduction
The Formal Methods Group of the Computer Systems Institute at ETH Zürich
has existed since April 2000, though most of its members joined at least a
year later. We have close connections to other groups in the department,
particularly the Computational Logic group, the Computer Systems Institute,
and the Chair of Software Engineering.
Outside ETH we have strong relations to the group of Edmund Clarke at CMU
in Pittsburgh, to the research laboratory of ST Microelectronics in Geneva,
and to Klaus Havelund at NASA Ames. On a regular basis we also exchange
ideas with many individuals in the electronic design automation (EDA)
industry and in academia who work in this area. In recent years our group
has been actively involved in the program committees and reviewing processes
of various international conferences such as ICCAD, CAV, SAT and others.
To a large extent the topics of the FMICS workshop cover our areas of
interest. In particular, we are working on the verification of real software
and hardware systems. Our focus is on practical methods and tools.
2 Vision
Our vision is that formal method tools will be used in the same manner as
people use compilers for high-level programming languages today. This will
not only increase the quality of the systems, but also increase productivity,
leading to a much more efficient development process. One can even argue
that without formal methods the complexity of future designs can hardly be
managed, a situation that we already find in certain projects today.
©2003 Published by Elsevier Science B. V. Open access under CC BY-NC-ND license.
In the short term it is necessary to address the scalability issues of
established methods and, in particular, to apply them to real designs. The
effort necessary for the latter task cannot be overstated. In particular, it
is necessary to handle, i.e., parse and analyze, industrial languages. Usually
this means that formal method tools will be at least as complex to develop as
compilers for these languages, and sophisticated formal tools will be much
more complex.
In the long term, the development process itself will change, incorporating
formal tools at all levels. There will be a closed formal loop starting at
requirements engineering and running through design, implementation, testing,
and maintenance. At all levels the system will be represented formally, and a
formal mapping between the representation levels will exist. Refinement and
verification will work hand in hand and will be supported by tools.
In the past, research in formal methods has mainly focused on these long-term
issues. We think that it is very important to concentrate on scalability and
practical tools first. No matter how clean or efficient a new design method
presents itself, if the tools do not scale, the method will not be accepted.
3 Model Checking
Probably the most successful approach in formal verification in recent years
is model checking [8]. Originally it used an explicit state representation and
was limited to several million reachable states. With the invention of
symbolic model checking [10], using binary decision diagrams [7], the technique
became able to handle much larger state spaces. It works robustly on
sequential circuits with several hundred state bits.
In the past we developed one of the first efficient BDD-based model checkers
for the µ-calculus, called µcke [4]. The µ-calculus is a very general
specification mechanism. In the form accepted by our model checker, not only
the properties but also the system itself can be specified. We have also been
working on using BDDs for model checking purposes in general [12].
We then explored using SAT techniques instead of BDDs for model checking [6].
This technique, called bounded model checking, became very popular and
generated a stream of new ideas and results, culminating so far in the first
international workshop on bounded model checking, BMC'03.
In this context, one of the most interesting questions is how to make
SAT-based model checking complete without sacrificing capacity. Additionally,
we have been working on various aspects of bounded model checking: front ends,
formula generation, and internal data structures.
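As an added illustration of what the unrolling in bounded model checking amounts to (example code written for this page, not one of the group's tools), the following Python script encodes a constructed two-bit counter that counts modulo 3 as CNF clauses over one copy of the state bits per step, conjoins k copies of the transition relation with the initial condition and a bad-state condition at step k, and hands the result to a small DPLL solver. The solver, the counter and the crude completeness bound of 2^n steps (no reachable state of an n-bit system needs a longer path) are all assumptions of the example, not of the paper.

```python
"""Bounded model checking of a tiny finite-state system with a minimal DPLL SAT
solver.  Solver, system and bound are illustrative constructions for this page."""

STATE_BITS = 2   # constructed system: a 2-bit counter, values 0,1,2,0,1,2,...


class VarAlloc:
    """Hands out fresh positive integers as CNF variable ids."""
    def __init__(self):
        self.count = 0

    def fresh(self):
        self.count += 1
        return self.count


def and_clauses(z, x, y):
    """CNF for z <-> (x and y); arguments are literals, negative means negated."""
    return [[-z, x], [-z, y], [z, -x, -y]]


def transition_clauses(cur, nxt):
    """next = (cur + 1) mod 3 on 2-bit states (b0 = LSB, b1 = MSB):
    b0' <-> (not b0 and not b1),   b1' <-> b0."""
    b0, b1 = cur
    n0, n1 = nxt
    return and_clauses(n0, -b0, -b1) + [[-n1, b0], [n1, -b0]]


def value_clauses(state, value):
    """Unit clauses pinning a 2-bit state to a concrete integer."""
    b0, b1 = state
    return [[b0 if value & 1 else -b0], [b1 if value & 2 else -b1]]


def _assign(clauses, lit, assignment):
    """Make literal lit true: drop satisfied clauses, shorten the rest.
    Returns None when some clause becomes empty (conflict)."""
    assignment[abs(lit)] = lit > 0
    out = []
    for clause in clauses:
        if lit in clause:
            continue
        if -lit in clause:
            clause = [x for x in clause if x != -lit]
            if not clause:
                return None
        out.append(clause)
    return out


def dpll(clauses, assignment=None):
    """Unit propagation plus chronological backtracking.
    Returns a satisfying assignment {var: bool}, or None if unsatisfiable."""
    assignment = {} if assignment is None else assignment
    while True:                                    # propagate units to a fixpoint
        unit = next((c[0] for c in clauses if len(c) == 1), None)
        if unit is None:
            break
        clauses = _assign(clauses, unit, assignment)
        if clauses is None:
            return None
    if not clauses:
        return assignment
    lit = clauses[0][0]                            # branch on the first open literal
    for choice in (lit, -lit):
        trial = dict(assignment)
        reduced = _assign(clauses, choice, trial)
        if reduced is not None:
            result = dpll(reduced, trial)
            if result is not None:
                return result
    return None


def bmc(k, init_value, bad_value):
    """Unroll k steps: init(s0) & T(s0,s1) & ... & T(s_{k-1},s_k) & bad(s_k).
    Returns the counter values along a violating path of length k, else None."""
    alloc = VarAlloc()
    states = [(alloc.fresh(), alloc.fresh()) for _ in range(k + 1)]
    clauses = value_clauses(states[0], init_value)
    for i in range(k):
        clauses += transition_clauses(states[i], states[i + 1])
    clauses += value_clauses(states[k], bad_value)
    model = dpll(clauses)
    if model is None:
        return None
    return [int(model[b0]) + 2 * int(model[b1]) for b0, b1 in states]


def check_safety(init_value, bad_value):
    """Increase the bound.  Any reachable state of an n-bit system is reachable in
    fewer than 2**n steps, so 2**n is a (crude) completeness threshold: no
    counterexample up to that depth means bad_value is unreachable."""
    for k in range(2 ** STATE_BITS + 1):
        trace = bmc(k, init_value, bad_value)
        if trace is not None:
            return ("unsafe", trace)
    return ("safe", None)


if __name__ == "__main__":
    print(check_safety(0, 2))   # counter reaches 2 after two steps
    print(check_safety(0, 3))   # value 3 is unreachable modulo 3
```

The two calls show both faces of the method: a bad state that is reachable is found at the smallest depth at which it occurs, together with the path, while an unreachable one is only proven absent because the loop stops at a completeness threshold. For this toy the threshold of 2^n steps is affordable; for real designs it is astronomically larger than the depth at which bugs are found, which is exactly the completeness question raised above.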
In another project [11], we used BDD-based model checkers to verify partial
specifications for the root contention protocol of the FireWire standard.
Compared to other attempts at verifying this benchmark using finite models,
we were able to verify all possible configurations for a fixed number of
nodes in a single verification run.
More recently [5] we described a technique for translating liveness
properties of finite state systems into safety properties by adding a state
recording device. This insight justifies concentrating on safety properties
first when developing model checking algorithms for finite systems. We are
currently working on better complexity results and want to apply the
technique directly to LTL.
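To make the recording device concrete, the following Python fragment is an added example (written for this page, not the group's implementation, and explicit-state rather than symbolic) that checks the simplest liveness property, "eventually p", on a constructed four-state request/serve system in two ways: directly, by searching for a reachable cycle on which p never holds, and via the safety reduction, by extending the state with a register that nondeterministically records the current state once and flagging as unsafe any later state that equals the recorded one while p has still not held. Both the toy system and the restriction to "eventually p" (the paper handles general liveness) are assumptions of the example.

```python
"""Liveness checking as safety checking, explicit-state version.  Illustrative
construction for this page, not the paper's algorithm or tooling."""
from collections import deque

# Constructed toy system: a state is (requested, served) for a single client.
# Liveness property:  F p  with  p = "served", i.e. every run eventually serves.
INIT = (False, False)


def make_successors(lossy):
    """Transition relation; with lossy=True the server may drop a request."""
    def succ(state):
        req, served = state
        if not req:
            return [(True, False)]                         # client requests
        if not served:
            return [(True, True)] + ([(False, False)] if lossy else [])
        return [(True, True)]                              # stays served
    return succ


def p(state):
    return state[1]


def has_lasso_avoiding_p(init, succ, p):
    """Direct liveness check: does an infinite run exist on which p never holds?
    In a finite system that is a cycle of ~p states reachable through ~p states,
    found by DFS with colour marking on the ~p-restricted graph."""
    if p(init):
        return False
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {}

    def dfs(s):
        colour[s] = GREY
        for t in succ(s):
            if p(t):
                continue
            c = colour.get(t, WHITE)
            if c == GREY or (c == WHITE and dfs(t)):
                return True
        colour[s] = BLACK
        return False
    return dfs(init)


def bad_state_reachable(init, succ, p):
    """Liveness as safety: the augmented state is (s, saved, seen_p).  `saved`
    may be loaded with the current state once, nondeterministically; `seen_p`
    records whether p has held anywhere on the path.  Reaching s == saved with
    seen_p false closes a ~p loop, so that augmented state is the bad state of
    an ordinary reachability (safety) check done here by BFS.
    Returns the witness path of original states, or None."""
    start = (init, None, p(init))
    parent = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        s, saved, seen_p = cur
        if saved is not None and s == saved and not seen_p:
            trace = []
            while cur is not None:             # rebuild the lasso from parents
                trace.append(cur[0])
                cur = parent[cur]
            return trace[::-1]
        for t in succ(s):
            flag = seen_p or p(t)
            options = [(t, saved, flag)]
            if saved is None:
                options.append((t, s, flag))   # record s before moving to t
            for nxt in options:
                if nxt not in parent:
                    parent[nxt] = cur
                    queue.append(nxt)
    return None


def check_liveness(lossy):
    """Run both checks on the toy system; they must agree."""
    succ = make_successors(lossy)
    return has_lasso_avoiding_p(INIT, succ, p), bad_state_reachable(INIT, succ, p)


if __name__ == "__main__":
    print(check_liveness(False))   # correct server: no violation
    print(check_liveness(True))    # lossy server: loop request -> drop -> request
```

The price of the reduction is visible in the augmented state: the recorded copy doubles the number of state bits, which is why the paper's complexity question matters; the benefit is that the safety check needs nothing beyond forward reachability, so any safety-only engine, the bounded model checker above included, can now answer liveness questions.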
We are also currently looking into compositional reasoning, particularly in
the context of verifying threaded and object-oriented software.
4 SAT and QBF
The success of bounded model checking [6] relies on powerful SAT solvers.
In our group we have been working on several state-of-the-art SAT solvers.
In the SAT'02 competition our solver limmat
(http://www.inf.ethz.ch/personal/biere/projects/limmat) won the category of
satisfiable industrial benchmarks.
Our new solver is called funex. It is based on techniques similar to those of
limmat but supports additional advanced decision heuristics. It is our new
platform for further algorithmic experiments. In particular, we are interested
in hybrid approaches that use ideas from automatic test pattern generation
(ATPG) for circuits, or BDDs.
It has been very stimulating to follow the almost unbelievable increase in
reasoning power of SAT solvers in recent years. We believe that this trend
will continue and allow more and more practical applications of SAT. It is
generally hoped that the same progress will be achieved for quantified
Boolean formulas (QBF). QBF extends propositional logic with quantifiers over
Boolean variables. The satisfiability problem for QBF, though PSPACE-complete
and thus presumably harder than SAT, is very closely related to symbolic model
checking. In particular, with efficient QBF solvers it should be possible to
make SAT-based bounded model checking complete in practice.
5 Software Verification
At ETH our focus is on software verification, though we try to use approaches
similar to those of hardware verification, on which we concentrated in the past.
In an early project, we extended jlint, a public-domain static checker for
Java, to detect common synchronization problems in threaded Java applications,
and applied it to a large set of benchmarks [1]. Static checkers are very fast,
but usually produce a lot of warnings and also often miss certain problems.
In joint work with NASA we defined the concept of view consistency [2]. It is
a generalization of the classical notion of a data race, and can be used for
detecting synchronization problems in threaded Java programs. A prototype of
a dynamic checker for view consistency, based on byte code instrumentation,
has been implemented at NASA.
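This note does not spell the definition out, so the following Python check is an added example built on a paraphrase of the notion in [2], to be read as this page's reconstruction rather than the authors' own formulation: a view is the set of shared fields a thread accesses inside one synchronized region, and thread A is view consistent with thread B if, for every maximal view m of B, the non-empty intersections of A's views with m form a chain under set inclusion. The recorded views (a pair of fields x and y, updated together by one thread and read either atomically or piecewise by others) are constructed data; a real checker would collect them by instrumenting the program, as the NASA prototype does.

```python
"""View consistency over per-thread access views.  Added example for this page:
the definition is a paraphrase of the one in [2], the views are constructed."""
from itertools import combinations


def maximal_views(views):
    """Views of one thread that are not strictly contained in another of its views."""
    return [v for v in views if not any(v < w for w in views)]


def is_chain(sets):
    """True if every pair of sets is comparable under inclusion."""
    return all(a <= b or b <= a for a, b in combinations(sets, 2))


def view_consistent(views_a, views_b):
    """Thread A is view consistent with thread B if, for each maximal view m of B,
    the non-empty overlaps of A's views with m form a chain.  Two views of A that
    each cover a different part of m (e.g. {x} and {y} against m = {x, y}) mean A
    can observe m's fields in a torn state although every single access is locked:
    this is the 'high-level' data race that no lock-set check on single fields sees."""
    for m in maximal_views(views_b):
        overlaps = {v & m for v in views_a if v & m}
        if not is_chain(list(overlaps)):
            return False
    return True


def inconsistencies(thread_views):
    """Every ordered pair (a, b) of thread names where a is not consistent with b."""
    return [(a, b) for a in thread_views for b in thread_views
            if a != b and not view_consistent(thread_views[a], thread_views[b])]


# Constructed sample: one frozenset of field names per synchronized region.
# "Updater" writes x and y together; "Reader1" reads the pair in one region
# (plus x alone elsewhere); "Reader2" reads x and y in two separate regions.
SAMPLE = {
    "Updater": [frozenset({"x", "y"})],
    "Reader1": [frozenset({"x", "y"}), frozenset({"x"})],
    "Reader2": [frozenset({"x"}), frozenset({"y"})],
}

if __name__ == "__main__":
    print(inconsistencies(SAMPLE))   # Reader2 is inconsistent with both others
```

Reader1 passes because its smaller view {x} is contained in its larger view {x, y}; Reader2 fails because {x} and {y} are incomparable, so between its two locked reads the Updater may replace the pair, and Reader2 ends up with an x and a y that never coexisted.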
At ETH we are developing a framework called jnuke for checking Java programs.
It includes a byte code reader that produces a flat abstract byte code
representation, in which all method-local subroutines are inlined. Recently
[9] we added the first version of a Java virtual machine with rollback for
exhaustively generating all thread schedules.
We also added a replay mechanism [3] for the diagnosis of counterexample
traces. A set of Java class files is given as input together with a fixed
execution schedule. The replayer then produces instrumented versions of the
class files which force their execution to follow the given schedule on an
arbitrary Java virtual machine.
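The control pattern behind such a replayer, as an added Python example (not the jnuke replayer, which rewrites Java byte code; everything here is constructed for this page): each place where the instrumentation would insert a scheduling point becomes a call that blocks until the recorded schedule names the calling thread, so the interleaving is fixed by the schedule rather than by the JVM's scheduler. The two workers, their check-then-act increment and the schedules are assumptions of the example.

```python
"""Forcing threads to follow a recorded schedule.  Added example for this page,
constructed in Python; the real replayer instruments Java class files instead."""
import threading
from collections import Counter
from contextlib import contextmanager


class Replayer:
    """Serialises the scheduling points of several threads according to a recorded
    schedule: a list of thread names, one entry per scheduling point."""
    def __init__(self, schedule):
        self.schedule = list(schedule)
        self.pos = 0
        self.observed = []
        self.cv = threading.Condition()

    @contextmanager
    def turn(self, name):
        """The body runs only when the schedule's next entry is `name`; the next
        scheduling point opens after the body completes.  Holding the condition's
        lock for the body is what makes the observed interleaving deterministic."""
        with self.cv:
            ok = self.cv.wait_for(lambda: self.pos < len(self.schedule)
                                  and self.schedule[self.pos] == name, timeout=5.0)
            if not ok:                                  # malformed schedule: fail loudly
                raise RuntimeError(f"replay stuck: schedule never names {name}")
            self.observed.append(name)
            try:
                yield
            finally:
                self.pos += 1
                self.cv.notify_all()


def run(schedule):
    """Two constructed workers, A and B, each perform one check-then-act increment
    of a shared counter with a scheduling point before the read and one before
    the write.  Returns (observed order, final counter).  The same schedule always
    yields the same result, so a lost update found once can be replayed at will."""
    names = ("A", "B")
    if Counter(schedule) != Counter({n: 2 for n in names}):
        raise ValueError("schedule must name each worker exactly twice")
    replayer = Replayer(schedule)
    shared = {"counter": 0}

    def worker(name):
        with replayer.turn(name):               # point 1: the read
            value = shared["counter"]
        with replayer.turn(name):               # point 2: the write
            shared["counter"] = value + 1       # lost update if the other wrote between

    threads = [threading.Thread(target=worker, args=(n,)) for n in names]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return replayer.observed, shared["counter"]


if __name__ == "__main__":
    print(run(["A", "B", "A", "B"]))   # interleaved: both read 0, final counter 1
    print(run(["A", "A", "B", "B"]))   # serialised: final counter 2
```

The schedule ["A", "B", "A", "B"] reproduces the race on every run, which is the point: a model checker that reports a bad interleaving gives the developer a schedule, and the replayer turns that schedule into a deterministic failing test on an unmodified virtual machine.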
We are currently extending the range of Java programs that can be executed.
Critical components still missing are blocking I/O and a native method
interface. Data race detection and view consistency checking will also be
added.
Finally, together with ST Microelectronics Geneva, we are trying to verify
SDL models and their C implementations in the context of telecommunication
applications. More concretely, we look into equivalence checking and
translation validation. The goal is to check an abstract SDL specification
against manually or automatically generated C code.
6 Conclusions
In the Formal Methods Group of the Computer Systems Institute at ETH Zürich
we work on formal verification of software and hardware. We concentrate on
practical approaches and have extensive experience in building tools that can
handle real-world applications. Scalability is currently our major concern.
References
[1] Artho, C. and A. Biere, Applying static analysis to large-scale, multi-threaded
Java programs, in: Proc. Australian Software Engineering Conf. (ASWEC’2001)
(2001).
[2] Artho, C., K. Havelund and A. Biere, High-level data races, in: First
Intl. Workshop on Verification and Validation of Enterprise Information
Systems (VVEIS'03), 2003.
[3] Baur, M., Instrumenting Java bytecode to replay execution traces of
multithreaded programs, Diploma thesis, ETH Zürich (2003).
[4] Biere, A., Efficient model checking of the mu-calculus with binary decision
diagrams, PhD thesis, University of Karlsruhe (1997).
[5] Biere, A., C. Artho and V. Schuppan, Liveness checking as safety checking, in:
Proc. FMICS’02, Electronic Notes in Theoretical Computer Science 66 (2002).
[6] Biere, A., A. Cimatti, E. Clarke and Y. Zhu, Symbolic model checking without
BDDs, in: TACAS’99, LNCS 1633 (1999).
[7] Bryant, R., Graph-based algorithms for boolean function manipulation, IEEE
Transactions on Computers 35 (1986).
[8] Clarke, E. and A. Emerson, Design and synthesis of synchronization skeletons
using branching time temporal logic, in: IBM Workshop on Logics of Programs,
1981.
[9] Eugster, P., Java virtual machine with rollback procedure allowing systematic
and exhaustive testing of multi-threaded Java programs, Diploma thesis, ETH
Zürich (2003).
[10] McMillan, K., “Symbolic Model Checking: An Approach to the State Explosion
Problem,” Kluwer Academic Publishers, 1993.
[11] Schuppan, V. and A. Biere, A simple veriﬁcation of the tree identify protocol
with SMV, in: Proc. of the IEEE 1394 (FireWire) Workshop (2001).
[12] Yang, B., R. Bryant, D. O’Hallaron, A. Biere, O. Coudert, G. Janssen,
R. Ranjan and F. Somenzi, A performance study of BDD-based model checking,
in: FMCAD’98, LNCS 1522 (1998).
