SEN4013

Software Verification and

Validation

Lecture 6
Finite Models (Part II)
Learning Objectives
• Understand goals and implications of finite state
abstraction
• Learn how to model program control flow with
graphs
• Learn how to model the software system structure
with call graphs
• Learn how to model finite state behavior with
finite state machines

2
Finite State Machines
• Most of the models discussed (control flow graphs,
call graphs) can be extracted from programs.
• Though, models are constructed prior to or
independent of source code, and serve as a kind of
specification of allowed behavior.

3
Finite State Machines
• A finite state machine (FSM) is a finite set of states
and a set of transitions among states, that is, a
directed graph in which nodes represent program
states and edges represent operations that
transform one program state into another.
• Since there may be infinitely many program states,
the finite set of state nodes must be an abstraction
of the concrete program states.
• Finite state machines of various kinds are
particularly widely used.

4
Finite State Machines
• A Finite State Machine is a model of computation,
i.e., a conceptual tool to design systems.
• It processes a sequence of inputs that changes the
state of the system.
• When all the input is processed, we observe the
system's final state to determine whether the input
sequence was accepted or not.

5
Finite State Machines
• A state diagram represents a finite state machine
(FSM) and contains
• Circles: represent the machine states
• Labelled with a binary encoded number or reflecting state.
• Directed arcs: represent the transitions between states
• Labelled with input/output for that state transition.

6
Finite State Machine Components
• Set of Known States:
• As the name implies, there must be a finite amount of
states our system can be in.
• Only one state can be active at a time.
• States are usually drawn with circles:

7
Finite State Machine Components
• Initial State:
• The starting point of our system.
• Initial states are usually drawn with an arrow being
pointed to them:

8
Finite State Machine Components
• Set of Accepting States:
• A subset of known states that indicates whether the
processed input is valid or not.
• Accepting states are usually drawn as a double circle:

9
Finite State Machine Components
• Alphabet:
• It is the set of all valid inputs.
• Also referred to as Language.

10
Finite State Machine Components
• Transitions:
• Rules dictating how the machine moves from one state
to another.
• These are usually drawn as two states connected by a
line:

11
Finite State Machine - Example
• Traffic lights
• A simple traffic light system can be modeled with a
Finite State Machine. Let's look at each core component
and identify what it would be for traffics lights:
• States: a traffic light generally has three states: Red,
Green and Yellow.
• Initial State: Green
• Accepting States: in the real-world traffic lights run
indefinitely, so there would be no accepting states for
this model.
• Alphabet: positive integers representing seconds.

12
Finite State Machine - Example
• Traffic lights
• Transitions:
• If we're in state Green and wait for 360 seconds (6 minutes), then we
can go to state Yellow.
• If we're in state Yellow and wait 10 seconds, then we can go to state
Red.
• If we're in state Red and wait 120 seconds, then we can go to state
Green.
• This Finite State Machine can be drawn as follows:

13
Example
• Deterministic finite state machine is described
by a five-element tuple: (Q,Σ,δ,q0 ,F).
• Q = a finite set of states
• Σ = a finite, nonempty input alphabet
• δ = a series of transition functions
• q0 = the starting state
• F = the set of accepting states
• There must be exactly one transition function
for every input symbol in Σ from each state.
• DFSMs can be represented by diagrams of this
form:

14
Example
• Write a description of the DFSM shown. Describe in words what it does.
• Q = {s1​, s2​}
• Σ = {0, 1}
• q0​ = s1
• F = s1
• The following table describes δ:
• This DFA recognizes all strings that have
an even number of 0’s (and any number
of 1’s).
• This means that if you run any input
string that has an even number of 0’s,
the string will finish in the accepting
state.
• If you run a string with an odd number
of 0’s, the string will finish in s2​, which is
not an accepting state. 15
Duals
• In a control flow graph, nodes
are associated with program
regions, that is, with blocks of
program code that perform
computation.
• In a finite state machine
representation, computations
are associated with edges
rather than nodes.

16
Duals
• This difference is
unimportant, because one
can always exchange nodes
with edges without any loss
of information, as
illustrated by the following
CFG and FSM
representations:
• The graph on the right is
called the dual of the graph
on the left.

17
Duals
• Taking the dual of the graph on the
right, one obtains again the graph
on the left.
• The choice between associating
nodes or edges with computations
performed by a program is only a
matter of convention and
convenience, and is not an
important difference between CFG
and FSM models.
• The control flow graph is a
particular kind of finite state
machine model in which the
abstract states preserve some
information about control flow
(program regions and their
execution order) and elide all other
information about program state.

18
 Mealy and Moore Machines
• Mealy machine
• Sequential system
where output depends
on current input and
state.

• Moore machine
• Sequential system
where output depends
only on current state.

19
Moore Machine
• Moore machines are finite state machines with
output value and its output depends only on the
present state.
• It can be defined as a 6-tuple (Q, q0, ∑, O, δ, λ)
where:
• Q is a finite set of states.
• Q0 is the initial state.
• ∑ is the input alphabet.
• O is the output alphabet.
• Δ is the transition function that maps Q×∑ → Q.
• λ is the output function that maps Q → O.

20
Moore Machine
• In the Moore machine shown in the figure, the output is represented
with each input state separated by /.
• The length of output for a Moore machine is greater than input by 1.
• Input: 11
• Transition: δ (q0,11)=> δ(q2,1)=>q2
• Output: 000 (0 for q0, 0 for q2 and again 0 for q2)

21
Mealy Machine
• Mealy machines are also finite state machines with
output value and its output depends on the present
state and current input symbol.
• It can be defined as a 6-tuple (Q, q0, ∑, O, δ, λ’)
where:
• Q is a finite set of states.
• Q0 is the initial state.
• ∑ is the input alphabet.
• O is the output alphabet.
• Δ is the transition function that maps Q×∑ → Q.
• λ’ is the output function that maps Q×∑→ O.

22
Mealy Machine
• In the Mealy machine shown in the figure, the output is
represented with each input symbol for each state separated by /.
• The length of output for a mealy machine is equal to the length of
the input.
• Input: 11
• Transition: δ (q0,11)=> δ(q2,1)=>q2
• Output: 00 (q0 to q2 transition
has output 0 and q2 to q2 transition
also has output 0)

23
Mealy Machine
• Transition table of the Mealy machine is shown in the below
figure.

Input = 0 Input = 1

Present
Next State Output Next State Output
State

q0 q1 0 q2 0

q1 q1 0 q2 1

q2 q1 1 q2 0

24
Conversion from Mealy to Moore Machine
• Step 1: Find out those states which have
more than 1 output associated with
them.
• q1 and q2 are the states which have Input = 0 Input = 1
both output 0 and 1 associated with
Present Next Next
them. State State State
Output

• Step 2: Create two states for these q0

states.
q10
• For q1, two states will be q10 (state
with output 0) and q11 (state with q11
output 1). Similarly, for q2, two states
q20
will be q20 and q21.
q21
• Step 3: Create an empty Moore
machine with newly generated states.
• For the Moore machine, outputs will be
associated with each state irrespective
of inputs. 25
 26

Conversion from Mealy to Moore Machine

• Step 4: Fill in the entries of the next • For q1 (both q10 and q11) on input 0,
state using the Mealy machine the next state is q10. Similarly, on
transition table shown in the table. input 1, the next state is q21.

• For q0 on input 0, next state is q10 • For q10, output will be 0 and for q11,
(q1 with output 0). Similarly, for q0 output will be 1.
on input 1, the next state is q20 (q2 • Similarly, other entries can be filled.
with output 0).

Input = 0 Input = 1 Input = 0 Input = 1

Present Next Next Present Next Next

Output Output Output
State State State State State State

q0 q1 0 q2 0 q0 q10 q20 0

q1 q1 0 q2 1 q10 q10 q21 0

q2 q1 1 q2 0 q11 q10 q21 1

Mealy Machine Transition Table q20 q11 q20 0

q21 q11 q20 1

Moore Machine Transition Table
 27

Conversion from Mealy to Moore Machine

• Step 4: Fill in the entries of the next • For q1 (both q10 and q11) on input 0,
state using the Mealy machine the next state is q10. Similarly, on
transition table shown in the table. input 1, the next state is q21.

• For q0 on input 0, next state is q10 • For q10, output will be 0 and for q11,
(q1 with output 0). Similarly, for q0 output will be 1.
on input 1, the next state is q20 (q2 • Similarly, other entries can be filled.
with output 0).

Input = 0 Input = 1 Input = 0 Input = 1

Present Next Next Present Next Next

Output Output Output
State State State State State State

q0 q1 0 q2 0 q0 q10 q20 0

q1 q1 0 q2 1 q10 q10 q21 0

q2 q1 1 q2 0 q11 q10 q21 1

Mealy Machine Transition Table q20 q11 q20 0

q21 q11 q20 1

Moore Machine Transition Table
 28

Conversion from Mealy to Moore Machine

• Step 4: Fill in the entries of the next • For q1 (both q10 and q11) on input 0,
state using the Mealy machine the next state is q10. Similarly, on
transition table shown in the table. input 1, the next state is q21.

• For q0 on input 0, next state is q10 • For q10, output will be 0 and for q11,
(q1 with output 0). Similarly, for q0 output will be 1.
on input 1, the next state is q20 (q2 • Similarly, other entries can be filled.
with output 0).

Input = 0 Input = 1 Input = 0 Input = 1

Present Next Next Present Next Next

Output Output Output
State State State State State State

q0 q1 0 q2 0 q0 q10 q20 0

q1 q1 0 q2 1 q10 q10 q21 0

q2 q1 1 q2 0 q11 q10 q21 1

Mealy Machine Transition Table q20 q11 q20 0

q21 q11 q20 1

Moore Machine Transition Table
Conversion from Moore to Mealy Machine

• Let’s convert the following Moore machine to an

equivalent Mealy machine.
Input = 0 Input = 1

Present Next Next

Output
State State State
q0 q10 q20 0

q10 q10 q21 0

q11 q10 q21 1

q20 q11 q20 0

q21 q11 q20 1

Moore Machine Transition Table

29
Conversion from Moore to Mealy Machine

• Step 1. Construct an empty Mealy machine using all states

of the Moore machine.

Input = 0 Input = 1

Present
Next State Output Next State Output
State

q0

q10

q11

q20

q21

Empty Mealy Machine Transition Table

30
 Conversion from Moore to Mealy Machine

• Step 2. The “next state” for each state can be directly

extracted from the Moore machine transition table.

Input = 0 Input = 1 Input = 0 Input = 1

Present Next Next Present Next Next

Output Output Output
State State State State State State

q0 q10 q20 0 q0 q10 q20

q10 q10 q21 0 q10 q10 q21

q11 q10 q21 1 q11 q10 q21

q20 q11 q20 0 q20 q11 q20

q21 q11 q20 1 q21 q11 q20

Moore Machine Transition Table Mealy Machine Transition Table (partial)

31
 Conversion from Moore to Mealy Machine

• Step 2. The “next state” for each state can be directly

extracted from the Moore machine transition table.

Input = 0 Input = 1 Input = 0 Input = 1

Present Next Next Present Next Next

Output Output Output
State State State State State State

q0 q10 q20 0 q0 q10 q20

q10 q10 q21 0 q10 q10 q21

q11 q10 q21 1 q11 q10 q21

q20 q11 q20 0 q20 q11 q20

q21 q11 q20 1 q21 q11 q20

Moore Machine Transition Table Mealy Machine Transition Table (partial)

32
 Conversion from Moore to Mealy Machine

• Step 3. We can see the output corresponding to each input

in the Moore machine transition table. Use this to fill output
entries. Example: Output corresponding to q10, q11, q20,
and q21 are 0, 1, 0, and 1 respectively.
Input = 0 Input = 1 Input = 0 Input = 1

Present Next Next Present Next Next

Output Output Output
State State State State State State

q0 q10 q20 0 q0 q10 0 q20 0

q10 q10 q21 0 q10 q10 0 q21 1

q11 q10 q21 1 q11 q10 0 q21 1

q20 q11 q20 0 q20 q11 1 q20 0

q21 q11 q20 1 q21 q11 1 q20 0

Moore Machine Transition Table Mealy Machine Transition Table (with duplicates) 33
 Conversion from Moore to Mealy Machine

• Step 4. In the generated transition table, q10 and q11 are

like each other (same value of “next state” and “output” for
different “input” values). Similarly, q20 and q21 are also
similar. So, q11 and q21 can be eliminated.
Input = 0 Input = 1 Input = 0 Input = 1

Present Next Next Present Next Next

Output Output Output
State State State State State State

q0 q10 q20 0 q0 q10 0 q20 0

q10 q10 q21 0 q10 q10 0 q21 1

q11 q10 q21 1 q11 q10 0 q21 1

q20 q11 q20 0 q20 q11 1 q20 0

q21 q11 q20 1 q21 q11 1 q20 0

Moore Machine Transition Table Mealy Machine Transition Table (with duplicates) 34
Conversion from Moore to Mealy Machine

• Step 4. In the generated transition table, q10 and q11 are

like each other (same value of “next state” and “output” for
different “input” values). Similarly, q20 and q21 are also
similar. So, q11 and q21 can be eliminated.
Input = 0 Input = 1

Present State Next State Output Next State Output

q0 q10 0 q20 0

q10 q10 0 q21 1

q20 q11 1 q20 0

Mealy Machine Transition Table (without duplicates)

• Note: The number of states in a Mealy machine can’t be greater than

the number of states in a Moore machine.

35
Mealy Machine in Software Testing
• A transition from one state node “a” to another state node
“b” denotes the possibility that a concrete program state
corresponding to “a” can be followed immediately by a
concrete program state corresponding to “b”.
• Usually, we label the edge to indicate a program operation,
condition, or event associated with the transition.
• We may label transitions with both an external event or a
condition (what must happen or be true for the program to
make a corresponding state change) and with a program
operation that can be thought of as a “response” to the
event.
• Such a finite state machine with event / response labels on
transitions is called a Mealy machine.

36
Using Models to Reason about
System Properties

37
Model
Correctness

• Three kinds of correctness relations that we may reason

about with respect to finite state machine models:
• The first is internal properties, such as completeness and
determinism.
• Second, the possible executions of a model, described by paths
through the FSM, may satisfy (or not) some desired property.
• Third, the finite state machine model should accurately
represent possible behaviors of the program. Equivalently, the
program should be a correct implementation of the finite state
machine model.
38
Finite State Machines - Example
• Figure illustrates a specification
for a converter among DOS, Unix,
and Macintosh line end
conventions in the form of a
Mealy machine.
• An “event” for this specification
is reading a character or
encountering end-of-file.
• The possible input characters are
divided into four categories:
carriage return, line feed, end-of-
file, and everything else.
• The states represent both
program control points and some
information that may be stored
in program variables. Graph representation (Mealy machine)

39
Finite State Machines - Example
• Finite state machine (Mealy
• Finite set of states (nodes)
machine) description of line-
• Set of transitions among states (edges) end conversion procedure,
depicted as a state transition
diagram and as a state
transition table.
• An omission is obvious in the
tabular representation, but
easy to overlook in the state
transition diagram.

Graph representation (Mealy machine) Tabular representation

40
 Example
• We require a finite state machine
specification to be complete in the
sense that it prescribes the allowed
behavior(s) for any possible sequence
of inputs or events.
• For the line-end conversion
specification, the state transition
diagram does not include a transition Graph representation (Mealy machine)
from state l on carriage return; that
is, it does not specify what the
program should do if it encounters a
carriage return immediately after a
line feed.

Tabular representation
41
 Example
• An alternative representation of finite
state machines, including Mealy
machines, is the state transition table.
• There is one row in the transition table for
each state node and one column for each
event or input.
• If the FSM is complete and deterministic,
there should be exactly one transition in
each table entry. Graph representation (Mealy machine)
• Since this table is for a Mealy machine,
the transition in each table entry indicates
both the next state and the response
(e.g., d / emit means “emit and then
proceed to state d”).
• The omission of a transition from state l
on a carriage return is glaringly obvious
when the state transition diagram is
written in tabular form. Tabular representation
42
 Example
• The desired property of this program and
of its FSM models is that, for every
possible execution, the output file is
identical to the input file except that each
line ending is replaced by the line-end
convention of the target format.
• Note, however, that the emit action is
responsible for emitting a line ending
along with whatever text has been
accumulated in a buffer.
• While emit is usually triggered by a line Graph representation (Mealy machine)
ending in the input, it is also used to
reproduce any text in the buffer when
end-of-file is reached.
• Thus, if the last line of an input file is not
terminated with a line ending, a line
ending will nonetheless be added.
• This discrepancy between specification
and implementation is somewhat easier
to detect by examining the FSM model Tabular representation
than by inspecting the program text.
43
Model Correctness
• To consider the third kind of correctness property, consistency between
the model and the implementation, we must define what it means for
them to be consistent.
• The most general way to define consistency is by considering behaviors.
• Given a way to compare a sequence of program actions to a path
through the finite state machine (which in general will involve
interpreting some program events and discarding others), a program is
consistent with a finite state machine model if every possible program
execution corresponds to a path through the model.
• As with other abstraction functions used in reasoning about programs, the
mapping is from concrete representation to abstract representation, and not
from abstract to concrete.
• This is because the mapping from concrete to abstract is many-to-one, and its
inverse is therefore not a mathematical function (which by definition maps each
object in the domain set into a single object in the range).

44
Model Correctness
• Matching sequences of program actions to paths
through a finite state machine model is a useful
notion of consistency if we are testing the program,
but it is not a practical way to reason about all
possible program behaviors.
• For that kind of reasoning, it is more helpful to also
require a relation between states in the finite state
machine model and concrete program execution
states.

45
Abstraction Function
• It should be possible to describe the association of concrete
program states with abstract FSM states by an abstraction
function.
• The abstraction function maps each concrete program state
to exactly one FSM state.
• Moreover, if some possible step op in program execution
takes the concrete program state from some state before to
some state after, then one of two conditions must apply:
• If the FSM model does not include transitions corresponding to op,
then program state before and program state after must be
associated with the same abstract state in the model.
• If the FSM does include transitions corresponding to op, then there
must be a corresponding transition in the FSM model that connects
program state before to program state after.

46
 Abstraction Function

Completed finite state machine (Mealy machine) description

of line-end conversion procedure, depicted as a state-
transition table. The omitted transition in the earlier FSM
figure has been added.

Procedure to convert among DOS, Unix,

and Macintosh line ends. 47
Abstraction Function
• Note that, in contrast to the control flow graph
models considered earlier, most of the interesting
“state” is in the variables pos and atCR.
• We posit that the abstraction function might be
described by the following table:

48
Abstraction Function

49
Abstraction Function
• With this state abstraction function, we can check conformance
between the source code and each transition in the FSM.
• For example, the transition from state e to state l is interpreted
to mean that, if execution is at the head of the loop with pos
equal to 0 and atCR also 0 (corresponding to state e), and the
next character encountered is a carriage return, then the
program should perform operations corresponding to the emit
action and then enter a state in which pos is 0 and atCR is 1
(corresponding to state l).
• It is easy to verify that this transition is implemented correctly.
• However, if we examine the transition from state l to state w, we
will discover that the code does not correspond because the
variable atCR is not reset to 0, as it should be.
• If the program encounters a carriage return, then some text, and
then a line feed, the line feed will be discarded— a program fault.

50
Abstraction Function
• The fault in the conversion program was actually
detected by the authors through testing, and not
through manual verification of correspondence
between each transition and program source code.
• Making the abstraction function explicit was
nonetheless important for understanding the
nature of the error and how to repair it.

51
Summary - Finite State Machines
• Some restrictions that are placed on the state
diagrams:
• FSM can only be in one state at a time!
• Therefore, only in one state, or one circle, at a time.
• State transitions are followed only on clock cycles.
(synchronous!)
• Mealy machines and Moore machines can be labelled
differently.
• Mealy machine: Since output depends on state and inputs:
• Label directed arcs with input/output for that state transition.
• Moore machine: Since output depends only on state:
• Label directed arcs with input for that state transition.
• Label state circles with Sk / output.

52
Summary
• Models must be much simpler than the artifact
they describe to be understandable and analyzable
• Must also be sufficiently detailed to be useful
• CFG are built from software
• FSM can be built before software to document
intended behavior

53