Formal Methods in software development a.y.2016/2017 Prof. Anna Labella 12/5/2018

Semantics syntactical data F functional symbols- constants P predicate symbols An interpretation M a non empty set (domain) A F  a set of functions fM on A (An) P  a set of relations PM on A (An) 12/5/2018

Semantics A subset is the interpretation of a 1-ary predicate A n-ary relation is the interpretation of a n-ary predicate 12/5/2018

An example: arithmetics syntactical data F: f1(-,-), f2(-,-), f0(-), c P: - = -, P1(-,-) An interpretation M Natural numbers (domain) Functions : - + -, - . -, s(-), 0 Predicates: - = -, - ≤ - 12/5/2018

Semantics environments Assigning values l: var  elements of A 12/5/2018

Semantics Summing up, we are given with 12/5/2018

An example: arithmetics 2 f1(c,x)=x always true in the interpretation f2(c,x)=x sometimes true sometimes false in the interpretation depending on the assignment x(f1(c,x)=x) true in the interpretation x(f2(c,x)=x) true in the interpretation x(f2(c,x)=x) false in the interpretation x(f1(c,x)=f1(c,x)) valid 12/5/2018

Semantics An interpretation M is a model of  M |=l  : 12/5/2018

Semantics: satisfiability 12/5/2018

Exercises 12/5/2018

Semantics: validity is valid if for every intepretation and for every environment M |=  12/5/2018

Properties Soundness  |-   M |=  Completeness M |=    |-  Indecidability Compactness Expressivity 12/5/2018

Second order logic Existential second order logic Universal second order logic Peano’s arithmetics 12/5/2018

Specification, verification and logics [H-R ch.3] Logic provides: A framework for modelling systems A specification language for describing properties to be verified A verification method to ascertain whether the description of the system satisfies the properties 12/5/2018

Possibilities of approaching model verification Proof-based Γ |-- φ Γ is the description while φ is the property to be satisfied Degree of automation: Fully automatic Full behaviour Sequential Reactive …. A priori Model based M |= φ M is a finite model (only one) Manual One property Concurrent Terminating ….. A posteriori 12/5/2018

We are possibly dealing with Γ |-- φ Γ |= φ M |= φ 12/5/2018

We are possibly dealing with Γ |-- φ Γ |= φ M |= φ 12/5/2018

We are possibly dealing with Γ |-- φ Γ |= φ M |= φ 12/5/2018

Model Checking Concurrent systems Reactive systems Temporal aspects Automatic Based on a builded model Verifying satisfiability of properties A posteriori Provides a counterexample Concurrent systems Reactive systems Temporal aspects 12/5/2018

A formula can change its truth value A model M is a transition system We model our system using the description language of the model checker We code the property to be verified in the same language and the model checker should say whether M,s |= φ or not for a given state s In this last case it is often possible to have a counterexample 12/5/2018

Models and states A model M is a transition system A model M is an abstraction: it can describe very different things We have states and and transitions between them. An assignment statement can make the model move from one state to another one We can think of a transition system as a set S of states together with a binary relation    S ✕ S and a labeling function L: S  P(atoms) 12/5/2018

A transition system 1 12/5/2018

A transition system 2 unwinding 12/5/2018