15.7.2008

Formal Methods of Systems SpecificationLogical Specification of Hard- and Software

Prof. Dr. Holger SchlingloffInstitut für Informatik der Humboldt Universität

and

Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik

15.7.2008 Slide 2H. Schlingloff, Logical Specification

Temporal logic

•Description of the dynamics of systems Model checking of hardware “Software model checking”: research

•Linear and branching time logic

•Temporal assertions languages SPL, ForSpec, PSL (IEEE Standard)

15.7.2008 Slide 3H. Schlingloff, Logical Specification

Example: Coffee Machine

15.7.2008 Slide 4H. Schlingloff, Logical Specification

SDL Description

15.7.2008 Slide 5H. Schlingloff, Logical Specification

SPL Properties

15.7.2008 Slide 6H. Schlingloff, Logical Specification

Towards Temporal Logic

15.7.2008 Slide 7H. Schlingloff, Logical Specification

Definability

• F+ can define F*

• X and F* can define F+

• F* without X can not define F+

• Similarly, interval properties can not be expressed

15.7.2008 Slide 8H. Schlingloff, Logical Specification

Temporal logic

•“Modal logic with ‘until’”

15.7.2008 Slide 9H. Schlingloff, Logical Specification

Examples

15.7.2008 Slide 10H. Schlingloff, Logical Specification

Other connectives

15.7.2008 Slide 11H. Schlingloff, Logical Specification

Definability

•U+ can define U*

similar as above, U* can not define U+

•Unless- or Weak-until- operator

• In natural models it holds that

15.7.2008 Slide 12H. Schlingloff, Logical Specification

The Glory of the Past

• First order logic can use inverse relations:R-1(x,y) iff R(y,x)

• In temporal logic, use past-operators

15.7.2008 Slide 13H. Schlingloff, Logical Specification

Declarative Past and Imperative Future

•Gabbay argues for the following normal form

(φψ)

where φ is a pure past or present declarative formula, and ψ is a pure future imperative formula

•Executable temporal logic

•Tempura programming language (Mostowsky) TLA Temporal logic of actions (Lamport)

15.7.2008 Slide 14H. Schlingloff, Logical Specification

Temporal Logic and First Order Logic

Standard Translation

15.7.2008 Slide 15H. Schlingloff, Logical Specification

Two- and Three Variable Fragment

• FOL gives for each temporal formula a first order formula with exactly one free variable

• For modal logic, FOL can be refined such that the resulting formula uses only two bound variables (reuse variables inside). For the until-operator, three variables are needed and sufficient.

• Certain first-order theories (e.g. the theory of complete linear orders) are also in the three-variable fragment.

• Translation from first order formulas of these theories into temporal logic?

15.7.2008 Slide 16H. Schlingloff, Logical Specification

Expressive completeness

•TL is called expressively complete for a certain class of models, if for every first order formula there is an equivalent temporal one Natural model: isomorphic to the integers Linear model: all points linearly ordered Complete linear order: limits exist

•Kamp’s theorem: TL is expressively complete for complete linear orders

15.7.2008 Slide 17H. Schlingloff, Logical Specification

Wrap-Up

• What has been achieved logics: propositional logic, first-order logic, Z, B, OCL, Spec# methods: normalization, model checking, theorem proving,

assertional reasoning, test generation tools: COQ, NuSMV, CZT, Octopus, SpecExplorer

• What remains to be done other logics: ZFC (set theory), HOL (higher-order logic), VDM,

OZ (object-Z), LTL/CTL, TLA+, ForSpec, Sugar/PSL other methods: static analysis, handling of pointers, worst

case execution time (WCET) estimation, run-time monitoring, …

more tools: integrated proof assistants (e.g. proof general, ACE assertion checking environment, Frama-C, …)

15.7.2008 Slide 18H. Schlingloff, Logical Specification

Questions?

15.7.2008 Slide 19H. Schlingloff, Logical Specification

Examination

•sample dialog?