1. 15.7.2008 Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität and Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik

2. Slide 2 H. Schlingloff, Logical Specification 15.7.2008 Temporal logic Description of the dynamics of systems  Model checking of hardware  “Software model checking”: research Linear and branching time logic Temporal assertions languages  SPL, ForSpec, PSL (IEEE Standard)

3. Slide 3 H. Schlingloff, Logical Specification 15.7.2008 Example: Coffee Machine

4. Slide 4 H. Schlingloff, Logical Specification 15.7.2008 SDL Description

5. Slide 5 H. Schlingloff, Logical Specification 15.7.2008 SPL Properties

6. Slide 6 H. Schlingloff, Logical Specification 15.7.2008 Towards Temporal Logic

7. Slide 7 H. Schlingloff, Logical Specification 15.7.2008 Definability F+ can define F* X and F* can define F+ F* without X can not define F+ Similarly, interval properties can not be expressed

8. Slide 8 H. Schlingloff, Logical Specification 15.7.2008 Temporal logic “Modal logic with ‘until’”

9. Slide 9 H. Schlingloff, Logical Specification 15.7.2008 Examples

10. Slide 10 H. Schlingloff, Logical Specification 15.7.2008 Other connectives

11. Slide 11 H. Schlingloff, Logical Specification 15.7.2008 Definability U + can define U*  similar as above, U* can not define U + Unless- or Weak-until- operator In natural models it holds that

12. Slide 12 H. Schlingloff, Logical Specification 15.7.2008 The Glory of the Past First order logic can use inverse relations: R -1 (x,y) iff R(y,x) In temporal logic, use past-operators

13. Slide 13 H. Schlingloff, Logical Specification 15.7.2008 Declarative Past and Imperative Future Gabbay argues for the following normal form (φ  ψ) where φ is a pure past or present declarative formula, and ψ is a pure future imperative formula Executable temporal logic Tempura programming language (Mostowsky)  TLA Temporal logic of actions (Lamport)

14. Slide 14 H. Schlingloff, Logical Specification 15.7.2008 Temporal Logic and First Order Logic Standard Translation

15. Slide 15 H. Schlingloff, Logical Specification 15.7.2008 Two- and Three Variable Fragment FOL gives for each temporal formula a first order formula with exactly one free variable For modal logic, FOL can be refined such that the resulting formula uses only two bound variables (reuse variables inside). For the until-operator, three variables are needed and sufficient. Certain first-order theories (e.g. the theory of complete linear orders) are also in the three-variable fragment. Translation from first order formulas of these theories into temporal logic?

16. Slide 16 H. Schlingloff, Logical Specification 15.7.2008 Expressive completeness TL is called expressively complete for a certain class of models, if for every first order formula there is an equivalent temporal one  Natural model: isomorphic to the integers  Linear model: all points linearly ordered  Complete linear order: limits exist Kamp’s theorem: TL is expressively complete for complete linear orders

17. Slide 17 H. Schlingloff, Logical Specification 15.7.2008 Wrap-Up What has been achieved  logics: propositional logic, first-order logic, Z, B, OCL, Spec#  methods: normalization, model checking, theorem proving, assertional reasoning, test generation  tools: COQ, NuSMV, CZT, Octopus, SpecExplorer What remains to be done  other logics: ZFC (set theory), HOL (higher-order logic), VDM, OZ (object-Z), LTL/CTL, TLA+, ForSpec, Sugar/PSL  other methods: static analysis, handling of pointers, worst case execution time (WCET) estimation, run-time monitoring, …  more tools: integrated proof assistants (e.g. proof general, ACE assertion checking environment, Frama-C, …)

18. Slide 18 H. Schlingloff, Logical Specification 15.7.2008 Questions?

19. Slide 19 H. Schlingloff, Logical Specification 15.7.2008 Examination sample dialog?