Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität and Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik

Slide 2 H. Schlingloff, Logical Specification Recap: Propositional Logic Syntax PL ::= Ρ |  | (PL  PL) Semantics  Propositional Model M: (U,I); Interpretation I: Ρ ↦ U  Validation relation M ⊨  - M ⊨ p if I(p)=true - M ⊭  - M ⊨ (  ) if M ⊨  implies M ⊨   Validity ( ⊨  ), Satifiability (SAT(  )) Calculus  axiom schemes: weakening, distribution, excluded middle  rule: modus ponens

Slide 3 H. Schlingloff, Logical Specification Q.: exponential blowup? (r  s) = ((r  s)  (s  r)) (q  (r  s)) = ((q  (r  s))  ((r  s)  q)) = ((q  ((r  s)  (s  r)))  (((r  s)  (s  r))  q)) (p  (q  (r  s))) = (p  (q  (r  s)))  ((q  (r  s))  p) = (p  ((q  ((r  s)  (s  r)))  (((r  s)  (s  r))  q)))  (((q  ((r  s)  (s  r)))  (((r  s)  (s  r))  q))  p) p  (q  r)  ( ¬ q  s) q  (t  u) p  ((t  u)  r)  ( ¬ (t  u)  s) logarithmic reduction by introduction of abbreviations?

Slide 4 H. Schlingloff, Logical Specification Boolean Quantification QPL ::= Ρ |  | (QPL  QPL) |  Ρ QPL intuitively,  p  (p) means p is „hidden“ M ⊨  p  if there is an M‘= (U,I‘) such that I‘(q)=I(q) for all q  p and M‘ ⊨  ⊨  p   (  (p:=  )   (p:=Τ) ) ∀ p  = ¬  p ¬  ; ⊨∀ p   (  (p:=  )   (p:=Τ) )

Slide 5 H. Schlingloff, Logical Specification Conciseness and Complexity Quantified formulae can be logarithmically more concise   = [… ((r  s)  t) … ((r  s)  t) … ((r  s)  t) …]    (  p(p  ((r  s)  t))   [… p … p … p …]) Quantified formulae can be exponentially harder to analyze  SAT(PL) is NP-hard, SAT(QPL) is PSPACE-hard  To check whether  p  holds one has to check both alternatives

Slide 6 H. Schlingloff, Logical Specification Boolean Normal Forms DNF (disjunctive normal form)  each formula is equivalent to a disjunction of conjunction of literals e.g. ((p  ¬ q  r)  ( ¬ p  q  ¬ r)  (p  ¬ q  ¬ r))  obtained by truth table CNF (conjunctive normal form)  de Morgan dual of DNF  used in PLAs (programmable logic arrays) NAND-, NOR-normal form  (p|q)=(p  ¬q); ¬p =(p|p); (p  q)= (p| ¬ q)  used for gate arrays Algebraic normal form  XOR of conjunction of (positive) propositions  used in linear feedback shift registers

Slide 7 H. Schlingloff, Logical Specification next week: tree normal form  (ordering of variables)

Slide 8 H. Schlingloff, Logical Specification Boolean Modelling of Reactive Systems Many modelling formalisms are being used  Transition systems  Parallel and hierarchical transition systems, statecharts  Shared variables programs  UML diagrams  Abstract state machines ...

Slide 9 H. Schlingloff, Logical Specification Transition Systems Transition system TS=( ,S, , S 0 ), where   is a nonempty finite alphabet  S is a nonempty finite set of states   S    S is the transition relation, and  S 0  S is the set of initial states similar to a nondeterministic finite automaton, with many initial states but without finite states transition system generates a (finite or infinite) word w 0 w 1 w 2... iff there are states s 0 s 1 s 2 s 3... such that s 0  S 0 and each (s i,w i,s i+1 )  Δ

Slide 10 H. Schlingloff, Logical Specification Example  ={up, dn} S={off, tape, memory, play}  ={(off,dn,tape), (tape,up,off), (tape,dn,memory), (memory,up,off), (memory,dn,play), (play,dn,tape), (play,up,off)} S 0 ={off} off memorytapeplay dn up

Slide 11 H. Schlingloff, Logical Specification Parallel Transition Systems Parallel transition system T=(T 1,…,T n )  each T i is a transition system  S i  S j =  interleaving semantics  on its private alphabet, each T i can make an independent move  synchronization is via common events example: power switch and camcorder mode

Slide 12 H. Schlingloff, Logical Specification Example T=(switch, camera) {pwr_fail, pwr_res} are private to camera synchronization alphabet {up,dn} how big is the state space? but_hi but_lo dn up off on dn, pwr_res up, pwr_fail memorytape play dn on switch camera dn

Slide 13 H. Schlingloff, Logical Specification The global transition system T associated with a parallel transition system (T 1,…,T n ) is defined as T=( , S, , S 0 ), where   =   i  S= S 1  …  S n  S 0 = S 1,0  …  S n,0, and  ((s 1,…,s n ),a,(s 1 ‘,…,s n ‘))  iff for all T i - if a  i, then ((s i ),a,(s i ‘))  i, and - if a  i, then s i =s i ‘.

Slide 14 H. Schlingloff, Logical Specification Shared Variables A shared variables program is given by a tuple (V,D,T,s 0 ), where  V=(v 1,…,v n ) is a set of program variables  D=(D 1,…,D n ) is a tuple of corresponding finite domains D i ={d i1,…,d im }  T  D  D is a transition relation, and  s 0 = (d 11,…,d n1 ) is the initial state

Slide 15 H. Schlingloff, Logical Specification Example (1) A request granting algorithm  V={request,state}  D=({true, false}, {ready, busy})  T=(((true, ready), (true, busy)), ((false, ready), (false, ready)), ((true, busy), (true, busy)), ((true, busy), (true, ready)), …)

Slide 16 H. Schlingloff, Logical Specification Example (2) Euclidean algorithm gcd(a, b) if a = 0 return b while b ≠ 0 if a > b then a := a − b else b := b − a return a Shared variables program  V=(a,b)  D=(Nat, Nat) (finite?)  T={((0,0),(0,0)), ((7,4),(3,4)), ((3,4),(3,1)), …}  s 0 =D

Slide 17 H. Schlingloff, Logical Specification Transition Systems and Programs For every (parallel) transition system there is an equivalent shared variables program of the same order of size. The translation in the other direction may cause an exponential blowup. Exercise: describe the translations! In which sense are the translations equivalent?

Slide 18 H. Schlingloff, Logical Specification Transition Relation as Boolean Formula State=(d 1,…,d n ) (d i  D i ) Transition relation T can be defined by a propositional formula  T  atomic propositions: let V‘={v 1 ‘,…,v n ‘} P={(x=y) | x,y  (V  V‘   D i )}  Any propositional formula  T in this alphabet defines a transition relation via the following convention If s=(d 1,…,d n ) and s‘=(d 1 ‘,…d n ‘), then (s,s‘)  T iff M ⊨  T, where I(v i )=d i and I(v i ‘)=d i ‘.

Slide 19 H. Schlingloff, Logical Specification Example request granting algorithm  V={request,state}  D=({true, false}, {ready, busy})  T=((request=true)  (state=ready)  (state‘=busy)) „Propositional logic as a programming language“ Used in model checkers such as nuSMV