Specification Formalisms Book: Chapter 5

Properties of formalisms Formal. Unique interpretation. Intuitive. Simple to understand (visual). Succinct. Spec. of reasonable size. Effective. Check that there are no contradictions. Check that the spec. is implementable. Check that the implementation satisfies spec. Expressive. May be used to generate initial code. Specifying the implementation or its properties?

A transition system A (finite) set of variables V. A set of states . A (finite) set of transitions T, each transition e  t has an enabling condition e and a transformation t. An initial condition I. Denote by R(s, s’) the fact that s’ is a successor of s.

The interleaving model An execution is a finite or infinite sequence of states s 0, s 1, s 2, … The initial state satisfies the initial condition, i.e., I(s 0 ). Moving from one state s i to s i+1 is by executing a transition e  t: e(s i ), i.e., s i satisfies e. s i+1 is obtained by applying t to s i.

LTL: Syntax  ::= (  ) | ¬  |  Æ   Ç  U   ¤  }  |O  | p ¤  Always  ( = “Henceforth  ”) }  Eventually  (= “  in the future”) O  “next-time  ”  U  “  until  ”  W  “  Waiting for  ”

Semantics ¤         }  O   U   W  U  Ç ¤ 

Combinations ¤} p “p will happen infinitely often” }¤ p “p will happen from some point forever”. ( ¤} p) --> ( ¤} q) “If p happens infinitely often, then q also happens infinitely often”.

A Spring Example s1s3s2 pull release extended malfunction r0 = s1 s2 s1 s2 s1 s2 s1 … r1 = s1 s2 s3 s3 s3 s3 s3 … r2 = s1 s2 s1 s2 s3 s3 s3 … …

LTL satisfaction by a single sequence malfunction s1s3s2 pull release extended r2 = s1 s2 s1 s2 s3 s3 s3 … r2 ² extended ?? r2 ² O extended ?? r2 ² O O extended ?? r2 ² } extended ?? r2 ² ¤ extended ?? r2 ² } ¤ extended ?? r2 ² } ¤ malfunction ?? r2 ² ¬ } ¤ extended ?? r2 ² (¬extended) U malfunction ?? r2 ² ¤ (¬extended ! O extended) ??

LTL satisfaction by a system malfunction s1s3s2 pull release extended A ² extended ?? A ² O extended ?? A ² O O extended ?? A ² } extended ?? A ² ¤ extended ?? A ² } ¤ extended ?? A ² } ¤ malfunction ?? A ² ¬ } ¤ extended ?? A ² (¬extended) U malfunction ?? A ² ¤ (¬extended->O extended) ?? A:

Automata over finite words A=  Alphabet (finite). S: States (finite).  : S x  x S ) S is the transition relation. I µ S are the Initial states. F µ S are the Final (accepting) states. A A B B S0 S1

Equivalently: A Kripke structure A convenient model for describing reactive systems There exists a 1-1 translation between a Kripke structure and an automaton A= S: States (finite).  µ S x S is the transition relation. I µ S are the Initial states. L: S ) 2 AP (where AP is a set of atomic propositions) S0 S1

The transition relation (S0, A, S0) (S0, B, S1) (S1, A, S0) (S1, B, S1) A A B B S0 S1

A run over a word A word over , e.g., ABAAB. A sequence of states, e.g. S0 S0 S1 S0 S0 S1. Starts with an initial state. Accepting if ends at accepting state. A A B B S0 S1

The language of an automaton The words that are accepted by the automaton. Includes AABBBA, ABBBBA. Does not include ABAB, ABBB. What is the language? A A B B S0 S1

Nondeterministic automaton Transitions: (S0,A,S0), (S0,B,S0), (S0,A,S1),(S1,A,S1). What is the language of this automaton? A,B A A S0 S1

Equivalent deterministic automaton A,B A A S0 S1 B A A S0 S1 B

Automata over infinite words Similar definition. Runs on infinite words over . Accepts when an accepting state occurs infinitely often in a run. A A B B S0 S1

Automata over infinite words Consider the word A B A B A B A B… There is a run S0 S0 S1 S0 S1 S0 S1 … This run is accepting, since S0 appears infinitely many times. A A B B S0 S1

Other runs For the word B B B B B… the run is S0 S1 S1 S1 S1… and is not accepting. For the word A A A B B B B B …, the run is S0 S0 S0 S0 S1 S1 S1 S1 … What is the run for A B A B B A B B B …? A A B B S0 S1

Nondeterministic automaton What is the language of this automaton? What is the LTL specification if B = (pc 0 =cr 0 ), A=¬B? A,B A A S0 S1

Specification using Automata Let each letter correspond to some propositional property. Example: A = P0 enters critical section B = P0 does not enter critical section. ¤ } pc 0 =cr 0 B A A B S0 S1

Mutual Exclusion ð ¬(pc 0 =cr 0 Æ pc 1 =cr 1 ) A: pc 0 =cr 0 Æ pc 1 =cr 1 B: ¬(pc 0 =cr 0 Æ pc 1 =cr 1 ) C: TRUE B A C S0 S1

L 0 :While True do nc 0 :wait (Turn=0); cr 0 :Turn=1 T0:pc 0 =L 0 ! pc 0: =nc 0 T1:pc 0 =nc 0 Æ Turn=0 ! pc 0 :=cr 0 T2:pc 0 =cr 0 ! (pc 0,Turn):=(L 0,1) T3:pc 1 =L 1 ! pc 1 =nc 1 T4:pc 1 =nc 1 Æ Turn=1 ! pc 1 :=cr 1 T5:pc 1 =cr 1 ! (pc 1,Turn):=(L 1,0) Initially: pc 0 =L 0 Æ pc 1 =L 1 L 1 :While True do nc 1 :wait (Turn=1); cr 1 :Turn=0 || Possible transitions:

The state space Turn=0 L 0,L 1 Turn=0 L 0,nc 1 Turn=0 nc 0,L 1 Turn=0 cr 0,nc 1 Turn=0 nc 0,nc 1 Turn=0 cr 0,L 1 Turn=1 L 0,cr 1 Turn=1 nc 0,cr 1 Turn=1 L 0,nc 1 Turn=1 nc 0,nc 1 Turn=1 nc 0,L 1 Turn=1 L 0,L 1

Turn=0 L 0,L 1 Turn=0 L 0,nc 1 Turn=0 nc 0,L 1 Turn=0 cr 0,nc 1 Turn=0 nc 0,nc 1 Turn=0 cr 0,L 1 Turn=1 L 0,cr 1 Turn=1 nc 0,cr 1 Turn=1 L 0,nc 1 Turn=1 nc 0,nc 1 Turn=1 nc 0,L 1 Turn=1 L 0,L 1 ð : (pc 0 =cr 0 Æ pc 1 =cr 1 )

Turn=0 L 0,L 1 Turn=0 L 0,nc 1 Turn=0 nc 0,L 1 Turn=0 cr 0,nc 1 Turn=0 nc 0,nc 1 Turn=0 cr 0,L 1 Turn=1 L 0,cr 1 Turn=1 nc 0,cr 1 Turn=1 L 0,nc 1 Turn=1 nc 0,nc 1 Turn=1 nc 0,L 1 Turn=1 L 0,L 1 ð (Turn=0 ! } Turn=1)

Correctness condition We want to find a correctness condition for a model to satisfy a specification. Language of a model: L(Model) Language of a specification: L(Spec). We need: L(Model)  L(Spec).

Correctness All sequences Sequences satisfying Spec Program executions

Incorrectness All sequences Sequences satisfying Spec Program executions Counter examples