formal methods of systems specification logical specification of hard- and software

29.4.2008

Formal Methods of Systems SpecificationLogical Specification of Hard- and Software

Prof. Dr. Holger SchlingloffInstitut für Informatik der Humboldt Universität

and

Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik

http://www.hu-berlin.de/index.html

29.4.2008 Slide 2H. Schlingloff, Logical Specification

Recap: Propositional Logic

• SyntaxPL ::= Ρ | | (PL PL)

• Semantics Propositional Model M: (U,I); Interpretation I: Ρ ↦ U Validation relation M ⊨

- M ⊨ p if I(p)=true- M ⊭ - M ⊨ () if M ⊨ implies M ⊨

Validity (⊨), Satifiability (SAT())

• Calculus axiom schemes: weakening, distribution,

excluded middle rule: modus ponens


Q.: exponential blowup?

(rs) = ((rs) (sr))(q(rs)) = ((q(rs)) ((rs)q))= ((q ((rs) (sr))) (((rs) (sr)) q))(p(q(rs))) = (p(q(rs))) ((q(rs))p)= (p((q((rs) (sr))) (((rs) (sr))q)))

(((q((rs) (sr))) (((rs) (sr))q))p)

p (q r) (¬q s)q (t u)p ((t u) r) (¬ (t u) s)

logarithmic reduction by introduction of abbreviations?


Boolean Quantification

QPL ::= Ρ | | (QPL QPL) | Ρ QPL

• intuitively, p (p) means p is „hidden“

•M ⊨ p if there is an M‘= (U,I‘) such that I‘(q)=I(q) for all qp and M‘ ⊨

•⊨ p ((p:=) (p:=Τ))

•∀p = ¬p ¬; ⊨∀p ((p:=) (p:=Τ))


Conciseness and Complexity

•Quantified formulae can be logarithmically more concise = [… ((rs)t) … ((rs)t) … ((rs)t) …] (p(p ((rs)t)) [… p … p … p …])

•Quantified formulae can be exponentially harder to analyze SAT(PL) is NP-hard, SAT(QPL) is PSPACE-

hard To check whether p holds one has to

check both alternatives


Boolean Normal Forms

• DNF (disjunctive normal form) each formula is equivalent to a disjunction of conjunction of

literals e.g. ((p¬ qr) (¬pq¬r) (p¬q¬r)) obtained by truth table

• CNF (conjunctive normal form) de Morgan dual of DNF used in PLAs (programmable logic arrays)

• NAND-, NOR-normal form (p|q)=(p¬q); ¬p=(p|p); (pq)=(p|¬q) used for gate arrays

• Algebraic normal form XOR of conjunction of (positive) propositions used in linear feedback shift registers


•next week: tree normal form (ordering of variables)


Boolean Modelling of Reactive Systems

•Many modelling formalisms are being used Transition systems Parallel and hierarchical transition systems,

statecharts Shared variables programs UML diagrams Abstract state machines ...


Transition Systems

• Transition system TS=(,S, , S0), where is a nonempty finite alphabet S is a nonempty finite set of states S S is the transition relation, and S0 S is the set of initial states

• similar to a nondeterministic finite automaton, with many initial states but without finite states

• transition system generates a (finite or infinite) word w0w1w2... iff there are states s0s1s2s3... such that s0 S0 and each (si,wi,si+1) Δ


Example

={up, dn}

• S={off, tape, memory, play} ={(off,dn,tape), (tape,up,off), (tape,dn,memory),

(memory,up,off), (memory,dn,play), (play,dn,tape), (play,up,off)}

• S0={off}

off

memorytape play

dn

dn dn

dn

up up up


Parallel Transition Systems

•Parallel transition system T=(T1,…,Tn) each Ti is a transition system

SiSj=

• interleaving semantics on its private alphabet, each Ti can make an

independent move synchronization is via common events

•example: power switch and camcorder mode


Example

•T=(switch, camera)

•{pwr_fail, pwr_res} are private to camera

•synchronization alphabet {up,dn}

•how big is the state space?

but_hi

but_lo

dn up

off

on

dn,pwr_res

up,pwr_fail

memorytape

play

dn

dn dn

onswitch camera

dn


•The global transition system T associated with a parallel transition system (T1,…,Tn) is defined as T=(, S, , S0), where

= i

S= S1 … Sn

S0 = S1,0 … Sn,0, and

((s1,…,sn),a,(s1‘,…,sn‘)) iff for all Ti

- if ai, then ((s i),a,(s i‘))i, and

- if ai, then s i=s i‘.


Shared Variables

•A shared variables program is given by a tuple (V,D,T,s0), where V=(v1,…,vn) is a set of program variables

D=(D1,…,Dn) is a tuple of corresponding finite domains Di={di1,…,dim}

TDD is a transition relation, and s0 = (d11,…,dn1) is the initial state


Example (1)

•A request granting algorithm V={request,state} D=({true, false}, {ready, busy}) T=(((true, ready), (true, busy)),

((false, ready), (false, ready)), ((true, busy), (true, busy)), ((true, busy), (true, ready)), …)


Example (2)

•Euclidean algorithm gcd(a, b) if a = 0 return b while b ≠ 0 if a > b then a := a − b else b := b − a return a

•Shared variables program V=(a,b) D=(Nat, Nat) (finite?) T={((0,0),(0,0)), ((7,4),(3,4)), ((3,4),(3,1)), …} s0=D


Transition Systems and Programs

• For every (parallel) transition system there is an equivalent shared variables program of the same order of size.

• The translation in the other direction may cause an exponential blowup.

• Exercise: describe the translations!In which sense are the translations equivalent?


Transition Relation as Boolean Formula

•State=(d1,…,dn) (diDi)•Transition relation T can be defined by a

propositional formula T

atomic propositions: let V‘={v1‘,…,vn‘}

P={(x=y) | x,y (VV‘Di)} Any propositional formula T in this alphabet

defines a transition relation via the following conventionIf s=(d1,…,dn) and s‘=(d1‘,…dn‘), then (s,s‘) T iff M ⊨ T, where I(vi)=di and I(vi‘)=di‘.


Example

• request granting algorithm V={request,state} D=({true, false}, {ready, busy}) T=((request=true)(state=ready)(state‘=b

usy))

•„Propositional logic as a programming language“

•Used in model checkers such as nuSMV

formal methods of systems specification logical specification of hard- and software

Documents