Maude in a Nutshell - Universidade Federal Fluminense (cbraga/maude-in-a-nutshell/unb.pdf)
Maude in a Nutshell, with Pecan Pie
Christiano Braga
Instituto de Computação, Universidade Federal Fluminense, Niterói, Brazil
Feb. 13-17, 2016
IX Workshop de Verão em Matemática, Departamento de Matemática
Universidade de Brasília
Acknowledgments
• Daniele Nantes Sobrinho, for the invitation.
• Narciso Martí-Oliet, for sharing his notes on Maude and Rewriting Logic and for comments on a previous version of this talk.
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 2 / 163
This course
Essentially:
• specification,
• automated reasoning, and
• metaprogramming in Maude,
always discussing their theoretical foundations.
Outline
1 Overview
2 Equational logics and Rewriting Logic: Many-sorted Equational Logic; Order-sorted specifications; Membership Equational Logic; Rewriting modulo axioms; Rewriting Logic
3 Search, LTL model checking and narrowing: Search; LTL model checking; Narrowing
4 Linear Temporal Logic of Rewriting and Metaprogramming: Linear Temporal Logic of Rewriting; Metaprogramming
Schedule
Part I: Overview; Equational logics and Rewriting Logic
Part II: Search and LTL model checking; Narrowing
Part III: Temporal Logic of Rewriting; Metaprogramming; Some Pie
OVERVIEW
What is Maude?
http://maude.cs.uiuc.edu
A specification language and system whose descriptions denote theories in Rewriting Logic (RWL).
What is RWL?
• A logic to reason about concurrent systems.
• The state of a system is denoted by a term in a suitable rewrite theory.
• Computations are deductions in the given rewrite theory.
RWL rules of deduction, graphically
(Reflexivity) $t \to t$
(Transitivity) from $t_1 \to t_2$ and $t_2 \to t_3$ infer $t_1 \to t_3$
RWL rules of deduction, graphically
(Equality) from $u = u'$, $u \to v$ and $v = v'$ infer $u' \to v'$
Rules of deduction, graphically
(Congruence) from $t_1 \to t'_1$, $t_2 \to t'_2$, $t_3 \to t'_3$ and $t_4 \to t'_4$ infer $f(t_1, t_2, t_3, t_4) \to f(t'_1, t'_2, t'_3, t'_4)$
RWL rules of deduction, graphically
(Replacement) given a rule $t \to t'$ and rewrites of its arguments $t_1 \to t'_1$, $t_2 \to t'_2$, $t_3 \to t'_3$, $t_4 \to t'_4$, infer $t(t_1, t_2, t_3, t_4) \to t'(t'_1, t'_2, t'_3, t'_4)$
What is Maude?
• RWL has some incarnations: Maude, in this course.
• Deductions in RWL correspond to rewrites in Maude.
State-transition systems in Maude
Specification
[Figure: state-transition diagram of the mutual exclusion system; states s0 (n1 n2, start), s1 (t1 n2), s2 (c1 n2), s3 (t1 t2), s4 (c1 t2), s5 (n1 t2), s6 (n1 c2), s7 (t1 c2)]
Verification
$M \models \varphi$?
Maude language: Specification
(fmod SYSTEM is
  sorts StateNum Conf ProcState .
  ops 0 1 2 3 4 5 6 7 8 : -> StateNum .
  ops n1 n2 t1 t2 c1 c2 : -> ProcState .
  op s_<_`,_> : StateNum ProcState ProcState -> Conf .
  op initial : -> Conf .
  eq initial = s 0 < n1 , n2 > .
endfm)
(mod MUTEX-SYSTEM is inc SYSTEM .
  rl [s0->s1] : s 0 < n1 , n2 > => s 1 < t1 , n2 > .
  rl [s0->s5] : s 0 < n1 , n2 > => s 5 < n1 , t2 > .
  rl [s1->s2] : s 1 < t1 , n2 > => s 2 < c1 , n2 > .
  rl [s1->s3] : s 1 < t1 , n2 > => s 3 < t1 , t2 > .
  ...
  rl [s7->s1] : s 7 < t1 , c2 > => s 1 < t1 , n2 > .
endm)
Maude language: Specification
[Figure: the state-transition diagram again, with the start state s0 annotated by the term s 0 < n1, n2 > that denotes it]
Maude language: Specification
[Figure: the state-transition diagram again, with the transition from s0 to s1 annotated by the rule that denotes it]
rl [s0->s1] : s 0 < n1, n2 > => s 1 < t1, n2 >
Simulation with term rewriting
$M \sim R$, $\;s_i \to s_j \sim s_i \Rightarrow s_j$
(rewrite [3] initial .)
rewrite in MUTEX-SYSTEM :
  initial
result Conf :
  s 0 < n1 , n2 >
State-space exploration with search
$M \sim R$, $\;s_i \to s_j \sim s_i \Rightarrow s_j$
search [3] in MUTEX-SYSTEM : initial =>* C:Conf .

Solution 1
C:Conf --> s 0 < n1 , n2 >

Solution 2
C:Conf --> s 1 < t1 , n2 >

Solution 3
C:Conf --> s 5 < n1 , t2 >
Model checking Linear Temporal Logic
M, s0 |= ϕ
Safety: G¬(c1 ∧ c2)
Liveness: G(t1 → Fc1)
LTL model checking in RWL
$\mathcal{M}, s \models \varphi \;\sim\; \mathcal{K}(\mathcal{R}, k)_\Pi, [t] \models \varphi$
Maude language: Verification
Properties in LTL
(mod MUTEX-PROP is inc MODEL-CHECKER . inc SYSTEM .
  subsort Conf < State .
  subsort ProcState < Prop .
  op safety : -> Prop .
  op liveness : -> Prop .
  vars N : StateNum . vars P1 P2 : ProcState .

  eq s N < P1 , P2 > |= P1 = true .
  eq s N < P1 , P2 > |= P2 = true .

  --- Safety: G \neg (c1 \land c2)
  eq safety = [] ~ (c1 /\ c2) .

  --- Liveness: G (t1 -> F c1)
  eq liveness = [] (t1 -> <> c1) .
endm)
Maude language: Verification
Running the model checker
(mod MODEL-CHECK-MUTEX is inc MUTEX-SYSTEM . inc MUTEX-PROP . endm)
reduce in MODEL-CHECK-MUTEX :
  modelCheck(initial, safety)
result Bool :
  true

reduce in MODEL-CHECK-MUTEX :
  modelCheck(initial, liveness)
result ModelCheckResult :
  counterexample(
    s 0 < n1 , n2 > , 's0->s1 , s 1 < t1 , n2 > , 's1->s3
    s 3 < t1 , t2 > , 's3->s7 , s 7 < t1 , c2 > , 's7->s1)
Liveness problem
[Figure: the state-transition diagram of MUTEX-SYSTEM; the counterexample loop s1 → s3 → s7 → s1 from the previous slide keeps process 1 trying (t1) without ever reaching c1]
Fixing the liveness problem
[Figure: the corrected diagram, with a new state s8 (t1 t2) between s5 and s7, so that s3 (t1 t2) now only leads to s4 (c1 t2)]
Maude language: Verification
Fixing the liveness problem in Maude...
(mod MUTEX-SYSTEM-LIVE is inc SYSTEM .
  rl [s0->s1] : s 0 < n1 , n2 > => s 1 < t1 , n2 > .
  rl [s0->s5] :ిs 0 < n1 , n2 > => s 5 < n1 , t2 > .
  rl [s1->s2] : s 1 < t1 , n2 > => s 2 < c1 , n2 > .
  rl [s1->s3] : s 1 < t1 , n2 > => s 3 < t1 , t2 > .
  rl [s2->s0] : s 2 < c1 , n2 > => s 0 < n1 , n2 > .
  rl [s2->s4] : s 2 < c1 , n2 > => s 4 < c1 , t2 > .
  rl [s3->s4] : s 3 < t1 , t2 > => s 4 < c1 , t2 > .
  rl [s4->s5] : s 4 < c1 , t2 > => s 5 < n1 , t2 > .
  rl [s5->s3] : s 5 < n1 , t2 > => s 8 < t1 , t2 > .
  rl [s5->s6] : s 5 < n1 , t2 > => s 6 < n1 , c2 > .
  rl [s6->s0] : s 6 < n1 , c2 > => s 0 < n1 , n2 > .
  rl [s6->s7] : s 6 < n1 , c2 > => s 7 < t1 , c2 > .
  rl [s7->s1] : s 7 < t1 , c2 > => s 1 < t1 , n2 > .
  rl [s9->s7] : s 8 < t1 , t2 > => s 7 < t1 , c2 > .
endm)
Maude language: Verification
...and model checking it
reduce in MODEL-CHECK-MUTEX-LIVE :
  modelCheck(initial, safety)
result Bool :
  true

reduce in MODEL-CHECK-MUTEX-LIVE :
  modelCheck(initial, liveness)
result Bool :
  true
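To make the search and model-checking slides above executable without Maude, here is an added Python example (not from the slides): the MUTEX-SYSTEM rules as a transition system with a breadth-first `search`, the safety property checked as reachability and the liveness property as a search for a lasso. The rules the slide elides with "..." are reconstructed from the diagram and the reported counterexample, which is an assumption.

```python
"""Added example (not from the slides): the MUTEX-SYSTEM of the slides as a
Python transition system, reproducing `search initial =>* C:Conf`, the safety
check G ~(c1 /\ c2) and the liveness check G (t1 -> F c1), on the original
system and on the MUTEX-SYSTEM-LIVE fix."""
from collections import deque
from typing import List, Optional, Set, Tuple

State = Tuple[int, str, str]     # the term  s N < P1 , P2 >
Rule = Tuple[str, State, State]  # (label, lhs, rhs) of a ground rule


def rules_mutex() -> List[Rule]:
    """Rules of MUTEX-SYSTEM. The slide elides most of them with "..."; the
    missing ones are reconstructed from the state diagram and the reported
    counterexample (assumption). s3 -> s7 is the one that breaks liveness."""
    return [
        ("s0->s1", (0, "n1", "n2"), (1, "t1", "n2")),
        ("s0->s5", (0, "n1", "n2"), (5, "n1", "t2")),
        ("s1->s2", (1, "t1", "n2"), (2, "c1", "n2")),
        ("s1->s3", (1, "t1", "n2"), (3, "t1", "t2")),
        ("s2->s0", (2, "c1", "n2"), (0, "n1", "n2")),
        ("s2->s4", (2, "c1", "n2"), (4, "c1", "t2")),
        ("s3->s4", (3, "t1", "t2"), (4, "c1", "t2")),
        ("s3->s7", (3, "t1", "t2"), (7, "t1", "c2")),
        ("s4->s5", (4, "c1", "t2"), (5, "n1", "t2")),
        ("s5->s3", (5, "n1", "t2"), (3, "t1", "t2")),
        ("s5->s6", (5, "n1", "t2"), (6, "n1", "c2")),
        ("s6->s0", (6, "n1", "c2"), (0, "n1", "n2")),
        ("s6->s7", (6, "n1", "c2"), (7, "t1", "c2")),
        ("s7->s1", (7, "t1", "c2"), (1, "t1", "n2")),
    ]


def rules_mutex_live() -> List[Rule]:
    """MUTEX-SYSTEM-LIVE as printed: s3 only leads to s4, and the s5 branch
    goes through the new state s8 (rule labels kept as printed on the slide)."""
    kept = [r for r in rules_mutex() if r[0] not in ("s3->s7", "s5->s3")]
    return kept + [("s5->s3", (5, "n1", "t2"), (8, "t1", "t2")),
                   ("s9->s7", (8, "t1", "t2"), (7, "t1", "c2"))]


def successors(rules: List[Rule], s: State) -> List[Tuple[str, State]]:
    """One-step rewrites of s: every rule whose left-hand side matches s."""
    return [(label, rhs) for label, lhs, rhs in rules if lhs == s]


def search(rules: List[Rule], initial: State, pattern: Tuple) -> List[State]:
    """Breadth-first counterpart of `search initial =>* pattern`; None in the
    (num, p1, p2) pattern plays the role of a variable. Solutions come out in
    the order Maude reports them."""
    seen, solutions, queue = {initial}, [], deque([initial])
    while queue:
        s = queue.popleft()
        if all(p is None or p == v for p, v in zip(pattern, s)):
            solutions.append(s)
        for _, t in successors(rules, s):
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return solutions


def safety_holds(rules: List[Rule], initial: State) -> bool:
    """G ~(c1 /\ c2): no reachable state has both processes critical."""
    return search(rules, initial, (None, "c1", "c2")) == []


def liveness_counterexample(rules: List[Rule], initial: State) -> Optional[List[str]]:
    """G (t1 -> F c1) fails iff from some reachable state where t1 holds there
    is an infinite run on which c1 never holds; in a finite system that is a
    path into a cycle (a lasso) through states with P1 != c1. Returns the rule
    labels of such a lasso, or None when the property holds."""
    for start in search(rules, initial, (None, "t1", None)):
        lasso = _cycle_avoiding_c1(rules, start)
        if lasso is not None:
            return lasso
    return None


def _cycle_avoiding_c1(rules: List[Rule], start: State) -> Optional[List[str]]:
    """Depth-first search from start restricted to states whose first process
    is not in c1; a back edge to a state on the DFS stack closes the lasso."""
    on_stack: Set[State] = {start}
    done: Set[State] = set()
    path: List[str] = []

    def visit(s: State) -> Optional[List[str]]:
        for label, t in successors(rules, s):
            if t[1] == "c1":       # this run reaches c1: not a violation
                continue
            if t in on_stack:      # back edge: the run can loop forever without c1
                return path + [label]
            if t not in done:
                on_stack.add(t)
                path.append(label)
                found = visit(t)
                path.pop()
                on_stack.discard(t)
                if found is not None:
                    return found
        done.add(s)
        return None

    return visit(start)
```

For the original rules the lasso found is the loop s1 → s3 → s7 → s1 reported by Maude's `counterexample`, and for the fixed rules no lasso exists.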
Narrowing
Rewriting: $t(\vec{x}) \to^{*} t'(\vec{x})$
Narrowing: $\exists \vec{x}\; t(\vec{x}) \rightsquigarrow^{*} t'(\vec{x})$
Maude language: Verification
Narrowing search
search [, 6] in MUTEX-SYSTEM-LIVE :
  s N1:StateNum < t1 , P:ProcState > ~>* s 2 < c1 , n2 > .
Solution 1
N1:StateNum --> 1 ;
P:ProcState --> n2
Solution 2
N1:StateNum --> 3 ;
P:ProcState --> t2
Solution 3
N1:StateNum --> 7 ;
P:ProcState --> c2
Solution 4
N1:StateNum --> 8 ;
P:ProcState --> t2
No more solutions.
Maude language: Verification
Narrowing search
[Figure: the corrected diagram again, showing the four states that match s N1 < t1, P > and narrow to s 2 < c1, n2 > within six steps: s1, s3, s7 and s8]
Temporal Logic of Rewriting
• Linear Temporal Logic (LTL): state formulae — interpreted over Kripke structures (transitions are pairs)
• Computation Tree Logic (CTL*): state formulae with path quantification
• Action CTL (ATL*): action formulae — interpreted over labeled transition systems (transitions are triples)
  $(s, a, s')(s', b, s'') \ldots \models X_a \varphi$
• Temporal Logic of Rewriting (TLR*): CTL* with action patterns
Temporal Logic of Rewriting
Example: a fault-tolerant communication protocol
req : [C, S, N, nil] → [C, S, N, nil] S . (C, N)
reply : S . (C, N) [S] → [S] C . (S, f(S, C, N))
rec : C . (S, M) [C, S, N, W] → [C, S, N, M]
dupl : I . CNT → I . CNT I . CNT
loss : I . CNT → null
Properties
• Under fairness assumptions, after sending a message, a client will eventually receive an answer from the queried server.
• However, messages may arrive out-of-order, be duplicated or even get lost.
Rule req
Rule specifying that a client [C, S, N, nil] may send a message S . (C, N) requesting information N from a server S.
One cannot tell, from a sequence ρ of states, which rule was applied:
1 [a] [b, a, 7, f(a, b, 7)] a . (b, 7) [c, a, 17, nil]
2 [a] [b, a, 7, f(a, b, 7)] [c, a, 17, nil]
...
From step 1 to 2 either req(b) was applied and ρ ⊨ φ, or loss was applied and ρ ⊭ φ.
• The model for a TLR* formula is not a sequence of states π but of pairs (π, γ) where π is a sequence of states and γ a sequence of rewrite proofs between them.
• In computations of the form (ρ, γ), (ρ, γ′) ..., γ could be an infinite sequence of req(b) actions, and γ′ could be an infinite sequence of dupl actions.
• Therefore, (ρ, γ) ⊨ req(b) and (ρ, γ) ⊭ dupl, together with (ρ, γ′) ⊨ dupl and (ρ, γ′) ⊭ req(b).
Reflection in Rewriting Logic
$\mathcal{R} \vdash t \to t' \;\Leftrightarrow\; \mathcal{U} \vdash \langle \mathcal{R}, t \rangle \to \langle \mathcal{R}, t' \rangle \;\Leftrightarrow\; \mathcal{U} \vdash \langle \mathcal{U}, \langle \mathcal{R}, t \rangle \rangle \to \langle \mathcal{U}, \langle \mathcal{R}, t' \rangle \rangle \;\ldots$
Reflection in Maude
(mod META-MUTEX-SYSTEM-LIVE is inc FULL-MAUDE . inc MUTEX-SYSTEM-LIVE . endm)

(reduce upModule(MUTEX-SYSTEM-LIVE) .)
result SModule :
  mod 'MUTEX-SYSTEM-LIVE is
    ...
    sorts 'Bool ; 'Conf ; 'ProcState ; 'StateNum .
    op '0 : nil -> 'StateNum [none] .
    ...
    eq 'initial.Conf = 's_<_`,_>['0.StateNum, 'n1.ProcState, 'n2.ProcState] [none] .
    ...
    rl 's_<_`,_>['0.StateNum, 'n1.ProcState, 'n2.ProcState] =>
       's_<_`,_>['1.StateNum, 't1.ProcState, 'n2.ProcState] [label('s0->s1)] .
    ...
  endm
Reflection in Maude
(reduce upTerm(MUTEX-SYSTEM-LIVE, s 0 < n1 , n2 >) .)
result GroundTerm :
  's_<_`,_>['0.StateNum, 'n1.ProcState, 'n2.ProcState]
Reflection in Maude
Meta-level narrowing search
(reduce metaNarrowSearch(axCohComplete(upModule(MUTEX-SYSTEM-LIVE)),
    upTerm(s N1:StateNum < t1 , P:ProcState >),
    upTerm(s 2 < c1 , n2 >),
    none, '*, unbounded, 6, unbounded) .)
result ResultTripleSet :
  's_<_`,_>['2.StateNum, 'c1.ProcState, 'n2.ProcState], 'Conf,
  'N1:StateNum <- '1.StateNum ;
  'P:ProcState <- 'n2.ProcState |
  's_<_`,_>['2.StateNum, 'c1.ProcState, 'n2.ProcState], 'Conf,
  'N1:StateNum <- '3.StateNum ;
  'P:ProcState <- 't2.ProcState |
  's_<_`,_>['2.StateNum, 'c1.ProcState, 'n2.ProcState], 'Conf,
  'N1:StateNum <- '7.StateNum ;
  'P:ProcState <- 'c2.ProcState |
  's_<_`,_>['2.StateNum, 'c1.ProcState, 'n2.ProcState], 'Conf,
  'N1:StateNum <- '8.StateNum ;
  'P:ProcState <- 't2.ProcState
EQUATIONAL LOGICS AND REWRITING LOGIC
Choice of Equational Logic
Rewriting Logic is parameterized by a choice of Equational Logics:
• Many-sorted equational logic
• Order-sorted equational logic
• Membership equational logic
Many-sorted Equational Logic
Many-sorted signatures
• A many-sorted signature is a pair $(S, \Sigma)$ where $S$ is a set of sorts and $\Sigma$ a family of operation symbols $f : s_1 \ldots s_n \to s$.
• The set of terms with (sorted) variables of a given many-sorted signature $(S, \Sigma)$ is denoted
  $T_\Sigma(X) = \{T_{\Sigma,s} \mid s \in S\}$
  where $X = \{X_s \mid s \in S\}$.
Many-sorted equations
• A Σ-equation is a universally quantified expression
  $(\forall x : s)\; l = r$
  where $x : s$ is a finite set of variables and $l, r \in T_{\Sigma,s}(x : s)$ for some sort $s$.
• A conditional Σ-equation is a universally quantified expression
  $(\forall x : s)\; l = r \;\text{ if }\; \bigwedge_{1 \le i \le m} u_i = v_i$
  where $(\forall x : s)\; l = r$ and $u_i = v_i$ are Σ-equations.
Many-sorted specifications
A many-sorted specification is a triple
  $(S, \Sigma, E)$
where $(S, \Sigma)$ is a many-sorted signature and $E$ is a set of Σ-equations.
Matching
Given a many-sorted signature $(S, \Sigma)$ and $X$ a set of $S$-sorted variables,
• Ground substitution: $\sigma : X \to T_\Sigma$
• Term substitution: $\sigma : T_\Sigma(X) \to T_\Sigma$
• $t$ matches $u$ iff $\exists \sigma.\,[\sigma(t) \equiv u]$, where $t, u \in T_\Sigma(X)$
Equational rewriting
• $t \to_E t'$ by the application of $(\forall x : s)\; l = r$ if
  • $l$ matches a subterm $t|_p$ of $t$ with substitution $\sigma$, and
  • $t' = t[\sigma(r)]_p$, that is, $t|_p \equiv \sigma(l)$ is replaced by $\sigma(r)$.
• Only admissible equations: $vars(r) \subseteq vars(l)$.
Equational rewriting - Properties
• Confluence: whenever $t \to_E^{*} t_1$ and $t \to_E^{*} t_2$, there is a $t'$ such that $t_1 \to_E^{*} t'$ and $t_2 \to_E^{*} t'$.
• Termination: no infinite rewritings.
Equational rewriting - Properties
• Confluence + termination ⇒ canonical form: $t\!\downarrow_E$, $t \in T_\Sigma(X)$
• To check $t = t'$ means to check the syntactic equivalence $t\!\downarrow_E \;\equiv\; t'\!\downarrow_E$.
• Equations in conditions are checked this way.
Example
(Thanks to Fabricio Chalub)
Schönfinkel's combinatory logic
fmod CL is
  sort Exp .
  ops S K : -> Exp [ctor] .
  op __ : Exp Exp -> Exp [gather (E e)] .
  vars x y z : Exp .
  eq K x y = x .
  eq S x y z = x z (y z) .
endfm
Example
Curry combinators & natural numbers in S B K I
1 ≡ ((SB)(KI))
2 ≡ ((SB)((SB)(KI)))
3 ≡ ((SB)((SB)((SB)(KI))))
...
fmod CL-EXT is inc CL .
  ops B C I : -> Exp .
  eq B = ((S (K S)) K) .
  eq C = ((S (K ((S S) (K K)))) ((S (K K)) S)) .
  eq I = ((S K) K) .
endfm
fmod CL-NATURALS is including CL-EXT . inc NAT .
  op $ : Nat -> Exp .
  var n : Nat .
  eq $(s(n)) = (S B) $(n) .
  eq $(0) = (K I) .
  op pl : -> Exp . op ti : -> Exp . op ex : -> Exp .

  eq pl = ((C I) (S B)) .
  eq ti = ((B ((C C) (K I))) ((C B) pl)) .
  eq ex = (C ((B (C ((C C) ((S B) (K I))))) ti)) .
endfm
Example
From combinator expressions to Nat: let $e_1, e_2$ be expressions and $\bar{n}$ be the combinatorial expression of number $n$.
$\bar{1}\, e_1\, e_2 = e_1\, e_2$
$\bar{2}\, e_1\, e_2 = e_1\, e_1\, e_2$
$\bar{3}\, e_1\, e_2 = \ldots$
fmod NATURALS-CL is including CL-NATURALS .
  vars x y : Exp .
  ops eqv eqv-aux : Exp -> Nat .
  ops i j : -> Exp .

  eq eqv(x) = eqv-aux(x i j) .
  eq eqv-aux(x y) = eqv-aux(x) + eqv-aux(y) .
  eq eqv-aux(i) = 1 .
  eq eqv-aux(j) = 0 .
endfm
Example
Let's execute CL!
(You may need to resize the stack size before executing it: in Mac OS X the command is ulimit -s hard.)
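As an added example (not from the slides), a small normal-order S/K reducer in Python that evaluates the CL-EXT, CL-NATURALS and NATURALS-CL definitions above, so the numerals and the pl/ti combinators can be checked without Maude. It assumes that eqv-aux only ever meets the constants i and j, which is what its equations cover.

```python
"""Added example (not from the slides): a normal-order reducer for the S/K
combinators of mod CL, with the B, C, I, $(n), pl and ti definitions of
CL-EXT / CL-NATURALS and the eqv decoding of NATURALS-CL.
Terms are nested pairs (f, a) for the application f a; atoms are strings."""
from typing import List, Tuple, Union

Term = Union[str, Tuple["Term", "Term"]]


def app(*ts: Term) -> Term:
    """Left-associated application, like Maude's __ with gather (E e)."""
    t = ts[0]
    for u in ts[1:]:
        t = (t, u)
    return t


def spine(t: Term) -> Tuple[Term, List[Term]]:
    """Decompose t = h a1 ... an into its head atom h and argument list."""
    args: List[Term] = []
    while isinstance(t, tuple):
        t, a = t
        args.insert(0, a)
    return t, args


def nf(t: Term) -> Term:
    """Leftmost-outermost reduction to normal form: fire K x y -> x and
    S x y z -> x z (y z) at the head while possible, then normalise the
    arguments left to right. Atoms other than S and K are free constants."""
    while True:
        head, args = spine(t)
        if head == "K" and len(args) >= 2:
            t = app(args[0], *args[2:])
        elif head == "S" and len(args) >= 3:
            x, y, z = args[:3]
            t = app(app(x, z), app(y, z), *args[3:])
        else:
            return app(head, *[nf(a) for a in args])


S, K = "S", "K"
I = app(app(S, K), K)                              # eq I = ((S K) K)
B = app(app(S, app(K, S)), K)                      # eq B = ((S (K S)) K)
C = app(app(S, app(K, app(app(S, S), app(K, K)))),
        app(app(S, app(K, K)), S))                 # eq C = ((S (K ((S S)(K K)))) ((S (K K)) S))
PL = app(app(C, I), app(S, B))                     # eq pl = ((C I) (S B))
TI = app(app(B, app(app(C, C), app(K, I))),
         app(app(C, B), PL))                       # eq ti = ((B ((C C)(K I))) ((C B) pl))


def numeral(n: int) -> Term:
    """$(0) = (K I), $(s(n)) = (S B) $(n)."""
    t: Term = app(K, I)
    for _ in range(n):
        t = app(app(S, B), t)
    return t


def count_i(t: Term) -> int:
    """eqv-aux on a normal form built from i and j: i counts 1, j counts 0,
    and an application adds up its two sides."""
    if isinstance(t, tuple):
        return count_i(t[0]) + count_i(t[1])
    return 1 if t == "i" else 0


def eqv(x: Term) -> int:
    """eqv(x) = eqv-aux(x i j): apply the numeral to the free constants i and j,
    normalise, and count the i's in i (i (... (i j)))."""
    return count_i(nf(app(x, "i", "j")))
```

`eqv(app(TI, numeral(2), numeral(3)))` evaluates to 6, which is what `red eqv(ti $(2) $(3))` is expected to give in NATURALS-CL.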
Order-sorted specifications
• Allows for the specification of partiality by means of sort inclusion.
• A sort for natural numbers without 0 allows for a total operation specification of division, such as
  op div : Nat NzNat -> Nat .
• Subsorts: defined by means of constructors and interpreted as set inclusion.
• Allows for operation overloading.
• Preregularity: a term must have a least sort.
• Sort-decreasing equations: a canonical term should have the least possible sort among the sorts of all the terms equivalent to it by E, using only operator declarations.
Properties of Maude functional modules
• Preregularity
• Equations are assumed admissible, sort-decreasing, confluent and terminating.
Membership Equational Logic
Membership equational logic specifications
• MEL generalizes order-sorted equational logic by allowing the subsorting relation to be specified by a general property and not only by constructors.
Membership equational logic specifications
• Signature in MEL: $(K, \Sigma, S)$ where $K$ is a set of kinds, $(K, \Sigma)$ is a many-kinded signature and $S = \{S_k \mid k \in K\}$ is a $K$-kinded set of sorts.
• Atomic formulae: Σ-equations or membership assertions $t : s$ where $t$ has kind $k$ and $s \in S_k$.
• General sentences, where $X$ is a set of $K$-kinded variables:
  $(\forall X)\; t = t' \;\text{ if }\; (\bigwedge_i u_i = v_i) \wedge (\bigwedge_j w_j : s_j)$
  $(\forall X)\; t : s \;\text{ if }\; (\bigwedge_i u_i = v_i) \wedge (\bigwedge_j w_j : s_j)$
Membership equational logic specifications
Declaration
  op div : Nat NzNat -> Nat .
can be understood as
  op div : [Nat] [NzNat] -> [Nat] .
  cmb N div M : Nat if N : Nat and M : NzNat .
Rewriting modulo axioms
Given an equational theory $A$,
$t$ matches $u$ modulo $A$ if $\exists \sigma\,(\sigma(t) =_A u)$
Rewriting modulo axioms in Maude
• Binary operators may be declared with attributes denoting structural axioms:
  • associativity,
  • commutativity,
  • idempotency,
  • id: t, where t is the identity element,
  • left or right identity.
• Given a set of attributes A in a signature, Maude synthesizes a matching algorithm for A and equationally rewrites modulo A.
Rewriting modulo axioms in Maude
Structural axioms give rise to rewriting on:
• binary trees (A = ∅)
• nonempty lists (A = associative attribute)
• lists (A = assoc and id)
• multisets (A = assoc + comm)
• sets (A = assoc + comm + idem)
Exercise!
Move back to Section 1 and study how the different equational logics were used in the specifications there.
Rewriting Logic
• A logic of change where (computationally) a rewrite $t \to t'$ is understood as a local concurrent transition.
• The structure of a concurrent system is represented in Rewriting Logic by an equational theory and the behavioral part by rewrite rules.
State ↔ Term
Transition ↔ Rewriting
Distributed structure ↔ Algebraic structure
Rewriting Logic specification
• $\mathcal{R} = (\Omega, E, L, R)$ where the equational specification $(\Omega, E)$ is its signature, $L$ is a set of labels, and $R$ is a set of labeled (conditional) rewrite rules of the general form
  $r : t \to t' \;\text{ if }\; (\bigwedge_i u_i = v_i) \wedge (\bigwedge_j w_j : s_j) \wedge (\bigwedge_k p_k \to q_k)$.
• Sentences are rewrites of the form
  $[t]_E \to [t']_E$
  where $[t]_E, [t']_E \in T_{\Omega,E}(X)$.
Mixing equations and rules
Coherence: whenever $t \to_{R/A} t'$ and $t \to^{!}_{E/A} u$ (the canonical form of $t$), there is a $u'$ with $u \to_{R/A} u'$ such that $t'$ and $u'$ have the same canonical form $w$, that is, $t' \to^{!}_{E/A} w$ and $u' \to^{!}_{E/A} w$.
Maude system modules
• Code Rewriting Logic specifications: mod (Σ, E ∪ A, R) endm, where fmod (Σ, E ∪ A) endfm is a functional module, with A the set of structural axioms, and R is coherent with respect to E.
• Strategy: reduce terms to canonical form before applying rules.
• Effect of rewriting modulo E ∪ A with just an algorithm for A.
Example — Lambda calculus
(Thanks to Narciso Martí Oliet.)
Modeling variables
fth VAR is protecting BOOL .
  sorts Var VarSet .
  subsort Var < VarSet .

  op empty-set : -> VarSet .
  op _U_ : VarSet VarSet -> VarSet [assoc comm id: empty-set] .
  op _in_ : Var VarSet -> Bool .
  op _\_ : VarSet VarSet -> VarSet .
  op new : VarSet -> Var .

  vars E E' : Var . vars S S' : VarSet .

  eq E U E = E .
  eq E in empty-set = false .
  eq E in E' U S = (E == E') or (E in S) .
  eq empty-set \ S = empty-set .
  eq (E U S) \ S' = if E in S' then S \ S' else E U (S \ S') fi .
  eq new(S) in S = false [nonexec] .
endfth
Example — Lambda calculus
Syntax, substitutions and free variables
fmod LAMBDA{X :: VAR} is
  sort Lambda{X} .
  subsort X$Var < Lambda{X} .

  --- Lambda abstractions
  op \_._ : X$Var Lambda{X} -> Lambda{X} [ctor] .

  --- Application
  op __ : Lambda{X} Lambda{X} -> Lambda{X} [ctor] .

  --- Substitution
  op _[_/_] : Lambda{X} Lambda{X} X$Var -> Lambda{X} .

  --- Free variables
  op fv : Lambda{X} -> X$VarSet .
Example — Lambda calculus
Syntax, substitutions and free variables
  vars X Y : X$Var . vars M N P : Lambda{X} .

  --- Free variables equations
  eq fv(X) = X .
  eq fv(\ X . M) = fv(M) \ X .
  eq fv(M N) = fv(M) U fv(N) .
  eq fv(M [N / X]) = (fv(M) \ X) U fv(N) .

  --- Substitution equations
  eq X [N / X] = N .
  ceq Y [N / X] = Y if X =/= Y .
  eq (M N) [P / X] = (M [P / X]) (N [P / X]) .
  eq (\ X . M) [N / X] = \ X . M .
  ceq (\ Y . M) [N / X] = \ Y . (M [N / X])
    if X =/= Y and (not (Y in fv(N)) or not (X in fv(M))) .
  ceq (\ Y . M) [N / X]
    = \ (new(fv(M N))) . ((M [new(fv(M N)) / Y]) [N / X])
    if X =/= Y /\ (Y in fv(N)) /\ (X in fv(M)) .

  --- Alpha conversion
  ceq \ X . M = \ Y . (M [Y / X]) if not (Y in fv(M)) [nonexec] .
endfm
Example — Lambda calculus
β and η reductions
mod BETA-ETA{X :: VAR} is
  including LAMBDA{X} .

  var X : X$Var .
  vars M N : Lambda{X} .

  rl [beta] : (\ X . M) N => M [N / X] .
  crl [eta] : \ X . (M X) => M if not (X in fv(M)) .
endm
Example — Lambda calculus
Variables as natural numbers
view Nat from TRIV to NAT is
  sort Elt to Nat .
endv

fmod NAT-SET-MAX is
  protecting (SET * (op _,_ to _U_)){Nat} .
  op max : Set{Nat} -> Nat .

  var N : Nat . var S : Set{Nat} .

  eq max(empty) = 0 .
  eq max(N U S) = if N > max(S) then N else max(S) fi .
endfm

view VarNat from VAR to NAT-SET-MAX is
  sort Var to Nat .
  sort VarSet to Set{Nat} .

  var S : VarSet .
  op empty-set to empty .
  op new(S) to term max(S) + 1 .
endv
Example — Lambda calculus
Untyped lambda calculus with natural numbers as variables
mod UNTYPED-LAMBDA-CALCULUS is
  protecting BETA-ETA{VarNat} .
endm
Example — Lambda calculus
Let’s execute lambda calculus!
Exercise!
Move back to Section 1 and study how rewrite rules were used to model the behavior of the concurrent system.
SEARCH, LTL MODEL CHECKING AND NARROWING
Search
• Rewriting logic specifications are non-deterministic.
• Maude may animate such specifications with the rewrite t command, where t is a term.
• If one wants to explore all computations, the search t =>? t' command must be used, where t is a ground term, t' is a term with variables (a pattern) and =>? is one of the possible rewrite relations =>*, =>+ or =>!, denoting zero-or-more computations, one-or-more computations, and a search for canonical terms, respectively.
DPLL
• Davis-Putnam-Logemann-Loveland is a procedure for SAT solving.
• It can be formalized by a sequent-based inference system with sequents $\Delta \vdash \Gamma$ where $\Delta$ is a set of literals ($p$ or $\neg p$) and $\Gamma$ a set of clauses. The symbol $\Box$ denotes the empty clause.
• A formula $\varphi$ must be in conjunctive normal form (conjunction of disjunctions of literals).
• $\Gamma$ is satisfiable if $\Delta \vdash \emptyset$ is derivable from $\emptyset \vdash \Gamma$.
DPLL sequent calculus
(subsume) $\dfrac{\Delta \vdash \Gamma, l \vee C}{\Delta \vdash \Gamma}$ if $l \in \Delta$
(resolve) $\dfrac{\Delta \vdash \Gamma, l \vee C}{\Delta \vdash \Gamma, C}$ if $\neg l \in \Delta$
(assert) $\dfrac{\Delta \vdash \Gamma, l}{\Delta, l \vdash \Gamma}$ if $l \notin \Delta,\; \neg l \notin \Delta$
(close) $\dfrac{\Delta \vdash \Gamma, \Box}{\emptyset \vdash \Box}$ if $\Delta \neq \emptyset \vee \Gamma \neq \emptyset$
(split) $\dfrac{\Delta \vdash \Gamma, l \vee C}{\Delta, l \vdash \Gamma \qquad \Delta, \neg l \vdash \Gamma, C}$ if $l \notin \Delta,\; \neg l \notin \Delta,\; C \neq \Box$
DPLL sequent calculus in Maude
mod DPLL is protecting QID .
  sorts Literal Context Clause ClauseSet Sequent .
  subsorts Qid < Literal < Context Clause < ClauseSet .

  op ~_ : Literal -> Literal .
  op null : -> Context .
  op _,_ : Context Context -> Context [assoc comm id: null] .
  op _,_ : ClauseSet ClauseSet -> ClauseSet [assoc comm id: null] .
  op [] : -> Clause .
  op _\/_ : Clause Clause -> Clause [assoc comm id: ([])] .
  op _|-_ : Context ClauseSet -> Sequent .
  op _in_ : Literal Context -> [Bool] .

  var p : Qid .
  var l : Literal .
  var CTX : Context .
  var C : Clause .
  var CS : ClauseSet .
  eq ~(~(l)) = l .
  eq l in l,CTX = true .

  eq [contraction] : C, C = C .

  eq [subsume] : l,CTX |- CS, (l \/ C) = l,CTX |- CS .

  eq [resolve1] : p,CTX |- CS, (~(p) \/ C) = p,CTX |- CS, C .
  eq [resolve2] : ~(p),CTX |- CS, (p \/ C) = ~(p),CTX |- CS, C .

  eq [close1] : CTX |- C, CS, [] = null |- [] .
  eq [close2] : CTX, l |- CS, [] = null |- [] .

  ceq [assert] : CTX |- CS, l = CTX, l |- CS
    if (l in CTX) =/= true and (~(l) in CTX) =/= true .

  crl [split1] : CTX |- CS, (l \/ C) => l,CTX |- CS
    if (l in CTX) =/= true and (~(l) in CTX) =/= true and C =/= [] .
  crl [split2] : CTX |- CS, (l \/ C) => ~(l),CTX |- CS, C
    if (l in CTX) =/= true and (~(l) in CTX) =/= true and C =/= [] .
endm
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 80 / 163
Search, LTL model checking and narrowing Search
DPLL sequent calculus in Maude
Let’s execute DPLL in Maude!
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 81 / 163
Search, LTL model checking and narrowing Search
Exercise!
Move back to Section 1 and study how the search command was used tounderstand the behavior of the concurrent system.
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 82 / 163
Search, LTL model checking and narrowing LTL model checking
Model checking
• Is a decision procedure for temporal logic.
• Combines automata induced by a system specification and propertyspecification.
• Maude allows for model checking of Linear Temporal Logic (LTL)formulae.
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 83 / 163
Search, LTL model checking and narrowing LTL model checking
LTL
ϕ ::= p | ¬ϕ | ϕ ∧ ϕ | Xϕ | ϕUϕ | ϕ | ♦ϕ
• > is a formula that always holds at the current state.
• Xϕ holds at the current state if ϕ holds at the state that follows.
• ϕUψ holds at the current state if ψ is eventually satisfied at a futurestate and, until that moment, ϕ holds at all intermediate states.
• ϕ holds if ϕ holds at every state from now on.
• ♦ϕ holds if ϕ holds at some state in the future.
• Note that: ♦ϕ = >Uϕ and ϕ = ¬♦¬ϕ.
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 84 / 163
Search, LTL model checking and narrowing LTL model checking
Kripke structures
A Kripke structure A = (A,→A, L)
• A is the set of states.
• →A⊆ A× A is the transition relation.
• L : A→ 2AP is the labeling function that specifies which atomicpropositions hold in a given state.
• A path is a function π : N→ A with π(i)→A π(i + 1) for every i .
• The suffix of π starting at π(i) is denoted πi .
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 85 / 163
Search, LTL model checking and narrowing LTL model checking
LTL semantics
Satisfaction relation
A, a |= ϕ⇔ Aπ |= ϕ for all paths π with π(0) = a
A, π |= p ⇔ if p ∈ L(π(0))A, π |= > ⇔ alwaysA, π |= ϕ ∨ ψ ⇔ A, π |= ϕ or A, π |= ψA, π |= ¬ϕ ⇔ A, π 6|= ϕA, π |= Xϕ ⇔ A, π1 |= ϕA, π |= ϕUψ ⇔ there exists n ∈ N such that A, πn |= ψ
and, for all m < n,A, πm |= ϕ.
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 86 / 163
Search, LTL model checking and narrowing LTL model checking
Kripke structures associated with rewrite theories• Given a module M specifying a rewrite theory R = (Σ,E ,R),
• chose a kind k in M as the kind of states,• define state predicates Π and their semantics in a module, say M-PRED,
by means of the operation
op |= : State Prop −> Bool.
declared in the predefined module SATISFACTION.
• The Kripke structure associated with R is
K(R, k)Π = (TΣ/E ,k , (→1R)•, LΠ).
where (→1R)• is the one-step reflexive extension of the rewrite relation
R and LΠ is the labeling function that assigns to a term in TΣ/E ,k theset of atomic propositions in Π which are true.
• Under some assumptions on M and M-PRED, including that the set ofreachable states from [t] is finite, the relation K(R, k)Π, [t] |= ϕbecomes decidable.
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 87 / 163
Search, LTL model checking and narrowing LTL model checking
Exercise!
• Move back to Section 1 and study how the model check commandwas used to verify safety and liveness.
• Run the model checker for strong liveness: If a process waits infinitelyoften, then it is in its critical section infinitely often.
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 88 / 163
Search, LTL model checking and narrowing Narrowing
Narrowing relation
• A term t narrows to a term t ′ using a rule l ⇒ r in R and asubstitution σ if
1 there is a subterm t|p of t in a nonvariable position p of t such that land t|p are unifiable via σ, and
2 t ′ = σ(t[r ]p) is obtained from σ(t) by replacing the subtermσ(t|p) ≡ σ(l) with term σ(r).
• Narrowing can also be defined modulo an equational theory A.
• Currently, there are some restrictions on the allowed rules. Forexample, they can not be conditional.
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 89 / 163
Search, LTL model checking and narrowing Narrowing
Some Pie
• A Rewriting Logic Semantics for the Generalized SubstitutionLanguage
• Joint (ongoing) work with David Deharbe, Anamaria Moreira andNarciso Martı-Oliet
• ETMF 2016
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 90 / 163
Search, LTL model checking and narrowing Narrowing
Motivation
• The B method is a leading technique to develop and reason oncomponent-based software.
• B specifications, described in the Abstract Machine Notation, can betransformed to descriptions in the Generalized SubstitutionLanguage.
• The main technique in the method is to validate invariants aboutrefinements of a B machine into another.
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 91 / 163
Search, LTL model checking and narrowing Narrowing
Proposal
We would like to endow the B method with the different automatedanalysis techniques available in the Maude system: simulation byrewriting, state space exploration with search, symbolic analysis withnarrowing and temporal logic model checking.
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 92 / 163
Search, LTL model checking and narrowing Narrowing
Approach
Let G be the Rewriting Logic semantics for GSL, g a GSL program, and ϕa property one wishes to validate with respect to g .
G, g |= ϕ (1)
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 93 / 163
Search, LTL model checking and narrowing Narrowing
This talk: GSL semantics
We propose a Rewriting Logic semantics for GSL equivalent to aStructural Operational Semantics for GSL.
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 94 / 163
Search, LTL model checking and narrowing Narrowing
GSL Structural Operational Semantics
Sto = (Var 7→fin N)−→⊆ (Subst × Sto)× ((Subst × Sto) ∪ abort)
E, sto −→∗ nv := E, sto −→ skip, update(sto, v, n)
(simple)
P, sto −→∗ trueP | S, sto −→ S, sto
(pre 1)P, sto −→∗ false
P | S, sto −→ abort(pre 2)
(bchoice 1) S1 [] S2, sto −→ S1, sto (bchoice 2) S1 [] S2, sto −→ S2, sto
P, sto −→∗ trueP ==> S, sto −→ S, sto
(guard 1)P, sto −→∗ false
P ==> S, sto −→ skip, sto(guard 2)
(uchoice) @v.S, sto −→ S[n/v], sto if v 6∈ var(sto), for some n.
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 95 / 163
Search, LTL model checking and narrowing Narrowing
GSL Structural Operational Semantics
Sto = (Var 7→fin N)−→⊆ (Subst × Sto)× ((Subst × Sto)∪abort)
E, sto −→∗ nv := E, sto −→ skip, update(sto, v, n)
(simple)
P, sto −→∗ trueP | S, sto −→ S, sto
(pre 1)P, sto −→∗ false
P | S, sto −→ abort(pre 2)
(bchoice 1) S1 [] S2, sto −→ S1, sto (bchoice 2) S1 [] S2, sto −→ S2, sto
P, sto −→∗ trueP ==> S, sto −→ S, sto
(guard 1)P, sto −→∗ false
P ==> S, sto −→ skip, sto(guard 2)
(uchoice) @v.S, sto −→ S[n/v], sto if v 6∈ var(sto), for some n.
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 96 / 163
The transition relation relates pairs of asubstitution (a GSL program) and astore
Search, LTL model checking and narrowing Narrowing
GSL Structural Operational Semantics
Sto = (Var 7→fin N)−→⊆ (Subst × Sto)× ((Subst × Sto) ∪ abort)
E, sto −→∗ nv := E, sto −→ skip, update(sto, v, n)
(simple)
P, sto −→∗ trueP | S, sto −→ S, sto
(pre 1)P, sto −→∗ false
P | S, sto −→ abort(pre 2)
(bchoice 1) S1 [] S2, sto −→ S1, sto (bchoice 2) S1 [] S2, sto −→ S2, sto
P, sto −→∗ trueP ==> S, sto −→ S, sto
(guard 1)P, sto −→∗ false
P ==> S, sto −→ skip, sto(guard 2)
(uchoice) @v.S, sto −→ S[n/v], sto if v 6∈ var(sto), for some n.
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 97 / 163
The transition relation relates pairs of asubstitution (a GSL program) and astore, a finite map of variables tonatural numbers (in this simplifiedspec).
Search, LTL model checking and narrowing Narrowing
GSL Structural Operational Semantics
Sto = (Var 7→fin N)−→⊆ (Subst × Sto)×((Subst × Sto)∪abort)
E, sto −→∗ nv := E, sto −→ skip, update(sto, v, n)
(simple)
P, sto −→∗ trueP | S, sto −→ S, sto
(pre 1)P, sto −→∗ false
P | S, sto −→ abort(pre 2)
(bchoice 1) S1 [] S2, sto −→ S1, sto (bchoice 2) S1 [] S2, sto −→ S2, sto
P, sto −→∗ trueP ==> S, sto −→ S, sto
(guard 1)P, sto −→∗ false
P ==> S, sto −→ skip, sto(guard 2)
(uchoice) @v.S, sto −→ S[n/v], sto if v 6∈ var(sto), for some n.
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 98 / 163
The transition relation also specifiesthat a GSL program may terminateabnormally.
Search, LTL model checking and narrowing Narrowing
GSL Structural Operational Semantics
Sto = (Var 7→fin N)−→⊆ (Subst × Sto)× ((Subst × Sto) ∪ abort)
E, sto −→∗ nv := E, sto −→ skip, update(sto, v, n)
(simple)
P, sto −→∗ trueP | S, sto −→ S, sto
(pre 1)P, sto −→∗ false
P | S, sto −→ abort(pre 2)
(bchoice 1) S1 [] S2, sto −→ S1, sto (bchoice 2) S1 [] S2, sto −→ S2, sto
P, sto −→∗ trueP ==> S, sto −→ S, sto
(guard 1)P, sto −→∗ false
P ==> S, sto −→ skip, sto(guard 2)
(uchoice) @v.S, sto −→ S[n/v], sto if v 6∈ var(sto), for some n.
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 99 / 163
Simple assignment v := E assigns tovariable v in the store the valueresulting from the evaluation ofexpression E.
Search, LTL model checking and narrowing Narrowing
GSL Structural Operational Semantics
Sto = (Var 7→fin N)−→⊆ (Subst × Sto)× ((Subst × Sto) ∪ abort)
E, sto −→∗ nv := E, sto −→ skip, update(sto, v, n)
(simple)
P, sto −→∗ trueP | S, sto −→ S, sto
(pre 1)P, sto −→∗ false
P | S, sto −→ abort(pre 2)
(bchoice 1) S1 [] S2, sto −→ S1, sto (bchoice 2) S1 [] S2, sto −→ S2, sto
P, sto −→∗ trueP ==> S, sto −→ S, sto
(guard 1)P, sto −→∗ false
P ==> S, sto −→ skip, sto(guard 2)
(uchoice) @v.S, sto −→ S[n/v], sto if v 6∈ var(sto), for some n.
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 100 / 163
Pre-condition substitution P | Sbehaves as substitution S whenpredicate P is true or aborts otherwise.
Search, LTL model checking and narrowing Narrowing
GSL Structural Operational Semantics
Sto = (Var 7→fin N)−→⊆ (Subst × Sto)× ((Subst × Sto) ∪ abort)
E, sto −→∗ nv := E, sto −→ skip, update(sto, v, n)
(simple)
P, sto −→∗ trueP | S, sto −→ S, sto
(pre 1)P, sto −→∗ false
P | S, sto −→ abort(pre 2)
(bchoice 1) S1 [] S2, sto −→ S1, sto (bchoice 2) S1 [] S2, sto −→ S2, sto
P, sto −→∗ trueP ==> S, sto −→ S, sto
(guard 1)P, sto −→∗ false
P ==> S, sto −→ skip, sto(guard 2)
(uchoice) @v.S, sto −→ S[n/v], sto if v 6∈ var(sto), for some n.
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 101 / 163
Bounded choice substitution S1 [] S2behaves either as substitution S1 or S2.
Search, LTL model checking and narrowing Narrowing
GSL Structural Operational Semantics
Sto = (Var 7→fin N)−→⊆ (Subst × Sto)× ((Subst × Sto) ∪ abort)
E, sto −→∗ nv := E, sto −→ skip, update(sto, v, n)
(simple)
P, sto −→∗ trueP | S, sto −→ S, sto
(pre 1)P, sto −→∗ false
P | S, sto −→ abort(pre 2)
(bchoice 1) S1 [] S2, sto −→ S1, sto (bchoice 2) S1 [] S2, sto −→ S2, sto
P, sto −→∗ trueP ==> S, sto −→ S, sto
(guard 1)P, sto −→∗ false
P ==> S, sto −→ skip, sto(guard 2)
(uchoice) @v.S, sto −→ S[n/v], sto if v 6∈ var(sto), for some n.
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 102 / 163
Guarded substitution P ==> S behavesas substitution S when P is true orterminates normally, behaving as skip,otherwise.
Search, LTL model checking and narrowing Narrowing
GSL Structural Operational Semantics
Sto = (Var 7→fin N)−→⊆ (Subst × Sto)× ((Subst × Sto) ∪ abort)
E, sto −→∗ nv := E, sto −→ skip, update(sto, v, n)
(simple)
P, sto −→∗ trueP | S, sto −→ S, sto
(pre 1)P, sto −→∗ false
P | S, sto −→ abort(pre 2)
(bchoice 1) S1 [] S2, sto −→ S1, sto (bchoice 2) S1 [] S2, sto −→ S2, sto
P, sto −→∗ trueP ==> S, sto −→ S, sto
(guard 1)P, sto −→∗ false
P ==> S, sto −→ skip, sto(guard 2)
(uchoice) @v.S, sto −→ S[n/v], sto if v 6∈ var(sto), for some n.
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 103 / 163
Unbounded substitution @v.S behaves assubstitution S after replacing alloccurrences of v in S with some value n.We assume that v is free in S.
Search, LTL model checking and narrowing Narrowing
Structural Operational Semantics in Rewriting Logic
Transitions are identified with rewrites.
Structural Operational Semantics rules
Pf (
#»t ) −→ γ
(t)
Rewriting Logic rules
ceq[t] : f (#»t ) = γ if P, if Jf K is functional (deterministic).
crl[t] : f (#»t )⇒ γ if P, if Jf K is relational (non-deterministic).
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 104 / 163
Search, LTL model checking and narrowing Narrowing
Conditional rewriting logic semantics for GSL
Simple assignmentceq [simple] : (v := E, sto) = (skip, sto ′) if
(E, sto) = n ∧ sto ′ := update(sto, v, n)Pre-conditionceq [pre1 ] : (P | S, sto) = (S, sto) if (P, sto) = true
ceq [pre2 ] : (P | S, sto) = abort if (P, sto) = false
Bounded choicerl [bchoice] : (S1 [] S2, sto)⇒ (S1, sto)
Guarded substitutionceq [guard1 ] : (P ==> S, sto) = (S, sto) if (P, sto) = true
ceq [guard2 ] : (P ==> S, sto) = (skip, sto) if (P, sto) = false
Unbounded choicecrl [uchoice] : (@v.S, sto)⇒ (S[n/v], sto) if v 6∈ var(sto)
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 105 / 163
Search, LTL model checking and narrowing Narrowing
Conditional rewriting logic semantics for GSL
Simple assignmentceq [simple] : (v := E, sto) = (skip, sto ′) if
(E, sto) = n ∧ sto ′ := update(sto, v, n)Pre-conditionceq [pre1 ] : (P | S, sto) = (S, sto) if (P, sto) = true
ceq [pre2 ] : (P | S, sto) = abort if (P, sto) = false
Bounded choicerl [bchoice] : (S1 [] S2, sto)⇒ (S1, sto)
Guarded substitutionceq [guard1 ] : (P ==> S, sto) = (S, sto) if (P, sto) = true
ceq [guard2 ] : (P ==> S, sto) = (skip, sto) if (P, sto) = false
Unbounded choicecrl [uchoice] : (@v.S, sto)⇒ (S[n/v], sto) if v 6∈ var(sto)
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 106 / 163
Simple assignment,pre-condition andguarded substitutionhave a functionalsemantics.
Search, LTL model checking and narrowing Narrowing
Conditional rewriting logic semantics for GSL
Simple assignmentceq [simple] : (v := E, sto) = (skip, sto ′) if
(E, sto) = n ∧ sto ′ := update(sto, v, n)Pre-conditionceq [pre1 ] : (P | S, sto) = (S, sto) if (P, sto) = true
ceq [pre2 ] : (P | S, sto) = abort if (P, sto) = false
Bounded choicerl [bchoice] : (S1 [] S2, sto)⇒ (S1, sto)
Guarded substitutionceq [guard1 ] : (P ==> S, sto) = (S, sto) if (P, sto) = true
ceq [guard2 ] : (P ==> S, sto) = (skip, sto) if (P, sto) = false
Unbounded choicecrl [uchoice] : (@v.S, sto)⇒ (S[n/v], sto) if v 6∈ var(sto)
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 107 / 163
Bounded andunboundedsubstitutions have arelational semantics.
Search, LTL model checking and narrowing Narrowing
Conditional rewriting logic semantics for GSL
Simple assignmentceq [simple] : (v := E, sto) = (skip, sto ′) if
(E, sto) = n ∧ sto ′ := update(sto, v, n)Pre-conditionceq [pre1 ] : (P | S, sto) = (S, sto) if (P, sto) = true
ceq [pre2 ] : (P | S, sto) = abort if (P, sto) = false
Bounded choicerl [bchoice] : (S1 [] S2, sto)⇒ (S1, sto)
Guarded substitutionceq [guard1 ] : (P ==> S, sto) = (S, sto) if (P, sto) = true
ceq [guard2 ] : (P ==> S, sto) = (skip, sto) if (P, sto) = false
Unbounded choicecrl [uchoice] : (@v.S, sto)⇒ (S[n/v], sto) if v 6∈ var(sto)
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 108 / 163
Bounded substitutions rewrite modulocommutativity. Only one rule is needed.
Search, LTL model checking and narrowing Narrowing
Conditional rewriting logic semantics for GSL
Simple assignmentceq [simple] : (v := E, sto) = (skip, sto ′) if
(E, sto) = n ∧ sto ′ := update(sto, v, n)Pre-conditionceq [pre1 ] : (P | S, sto) = (S, sto) if (P, sto) = true
ceq [pre2 ] : (P | S, sto) = abort if (P, sto) = false
Bounded choicerl [bchoice] : (S1 [] S2, sto)⇒ (S1, sto)
Guarded substitutionceq [guard1 ] : (P ==> S, sto) = (S, sto) if (P, sto) = true
ceq [guard2 ] : (P ==> S, sto) = (skip, sto) if (P, sto) = false
Unbounded choicecrl [uchoice] : (@v.S, sto)⇒ (S[n/v], sto) if v 6∈ var(sto)
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 109 / 163
Variable n is existentially quantified in the rule for unboundedchoice. Replacement operation [ / ] is equationally defined on thesyntax of substitutions.
Search, LTL model checking and narrowing Narrowing
Executability of unbounded choice rule in Maude
• The representation of transitions as rewrites provides us with a directmapping from the SOS specification of GSL to Rewriting Logic.
• However, the rule for unbounded choice is not executable in theMaude system due to the existentially quantified variable onright-hand side of the rule.
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 110 / 163
Search, LTL model checking and narrowing Narrowing
Unbounded choice and narrowing in Maude
• One way to execute such specifications in Maude is throughnarrowing.
• Narrowing is a generalization of term rewriting that allows for freevariables in terms (as in logic programming) and replaces patternmatching by unification in order to (non-deterministically) reducethese terms.
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 111 / 163
Search, LTL model checking and narrowing Narrowing
Executability requirements for narrowing in Maude
Essentially, a system module mod(Σ,G ∪ E ∪ Ax ,R)endm, for thenarrowing relation, must fulfill the following requirements:
1 only associative and commutative axioms may be used in Ax ;
2 rules in R must be unconditional, topmost and may not be specifiedby a single variable in the left-hand side of the rule;
3 rules in R must be coherent with respect to E ∪ Ax .
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 112 / 163
Search, LTL model checking and narrowing Narrowing
Making GSL semantics unconditional
Let op be a binary operation in the conditional GSL semantics, that is, asimple assignment, a pre-condition or a guarded substitution, T be astatement, that is, either an expression or predicate, S a GSL substitution,and γ a GSL substitution,
crl (op(T ,S), sto) ⇒ (γ(val , S), sto) if T ⇒ val
rl (op(T ,S), sto) ⇒ (T , op(T ,S), sto)rl (val , op(T ,S), sto) ⇒ (γ(val , S), sto).
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 113 / 163
Search, LTL model checking and narrowing Narrowing
Making GSL semantics unconditional: unfoldingstatements
Let op be a binary operation in the conditional GSL semantics, that is, asimple assignment, a pre-condition or a guarded substitution, T be astatement, that is, either an expression or predicate, S a GSL substitution,and γ a GSL substitution,
crl (op(T ,S), sto) ⇒ (γ(val , S), sto) if T ⇒ val
rl (op(T ,S), sto) ⇒ (T , op(T ,S), sto)rl (val , op(T ,S), sto) ⇒ (γ(val , S), sto).
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 114 / 163
The configuration being rewritten becomes a triple during theevaluation of the statement.
Search, LTL model checking and narrowing Narrowing
Making GSL semantics unconditional: folding values
Let op be a binary operation in the conditional GSL semantics, that is, asimple assignment, a pre-condition or a guarded substitution, T be astatement, that is, either an expression or predicate, S a GSL substitution,and γ a GSL substitution,
crl (op(T ,S), sto) ⇒ (γ(val , S), sto) if T ⇒ val
rl (op(T ,S), sto) ⇒ (T , op(T ,S), sto)rl (val , op(T ,S), sto) ⇒ (γ(val , S), sto).
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 115 / 163
After the statement is fully evaluated, the configurationbecomes a pair again.
Search, LTL model checking and narrowing Narrowing
Unconditional GSL rewriting logic semantics
Simple assignmenteq [simple1 ] : (v := E, sto) = (E, v := E, sto)eq [simple2 ] : (n1, v := E, v 7→ n2 sto) = (skip, v 7→ n1 sto)
Pre-conditioneq [pre1 ] : (P | S, sto) = (P, P | S, sto)eq [pre2 ] : (true, P | S, sto) = (S, sto)eq [pre3 ] : (false, P | S, sto) = abort
Bounded choicerl [bchoice] : (S1 [] S2, sto)⇒ (S1, sto)
Guarded substitutioneq [guard1 ] : (P ==> S, sto) = (P, P ==> S, sto)eq [guard2 ] : (true, P ==> S, sto) = (S, sto)eq [guard3 ] : (false, P ==> S, sto) = (skip, sto)
Unbounded choicerl [uchoice] : (@p.S, sto)⇒ (S[n/p], sto), for some n, where p is a place holder.
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 116 / 163
Search, LTL model checking and narrowing Narrowing
Unconditional GSL rewriting logic semantics
Simple assignmenteq [simple1 ] : (v := E, sto) = (E, v := E, sto)eq [simple2 ] : (n1, v := E, v 7→ n2 sto) = (skip, v 7→ n1 sto)
Pre-conditioneq [pre1 ] : (P | S, sto) = (P, P | S, sto)eq [pre2 ] : (true, P | S, sto) = (S, sto)eq [pre3 ] : (false, P | S, sto) = abort
Bounded choicerl [bchoice] : (S1 [] S2, sto)⇒ (S1, sto)
Guarded substitutioneq [guard1 ] : (P ==> S, sto) = (P, P ==> S, sto)eq [guard2 ] : (true, P ==> S, sto) = (S, sto)eq [guard3 ] : (false, P ==> S, sto) = (skip, sto)
Unbounded choicerl [uchoice] : (@p.S, sto)⇒ (S[n/p], sto), for some n, where p is a place holder.
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 117 / 163
Unfolding statements
Search, LTL model checking and narrowing Narrowing
Unconditional GSL rewriting logic semantics
Simple assignmenteq [simple1 ] : (v := E, sto) = (E, v := E, sto)eq [simple2 ] : (n1, v := E, v 7→ n2 sto) = (skip, v 7→ n1 sto)
Pre-conditioneq [pre1 ] : (P | S, sto) = (P, P | S, sto)eq [pre2 ] : (true, P | S, sto) = (S, sto)eq [pre3 ] : (false, P | S, sto) = abort
Bounded choicerl [bchoice] : (S1 [] S2, sto)⇒ (S1, sto)
Guarded substitutioneq [guard1 ] : (P ==> S, sto) = (P, P ==> S, sto)eq [guard2 ] : (true, P ==> S, sto) = (S, sto)eq [guard3 ] : (false, P ==> S, sto) = (skip, sto)
Unbounded choicerl [uchoice] : (@p.S, sto)⇒ (S[n/p], sto), for some n, where p is a place holder.
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 118 / 163
Folding values
Search, LTL model checking and narrowing Narrowing
Unconditional GSL rewriting logic semantics
Simple assignmenteq [simple1 ] : (v := E, sto) = (E, v := E, sto)eq [simple2 ] : (n1, v := E, v 7→ n2 sto) = (skip, v 7→ n1 sto)
Pre-conditioneq [pre1 ] : (P | S, sto) = (P, P | S, sto)eq [pre2 ] : (true, P | S, sto) = (S, sto)eq [pre3 ] : (false, P | S, sto) = abort
Bounded choicerl [bchoice] : (S1 [] S2, sto)⇒ (S1, sto)
Guarded substitutioneq [guard1 ] : (P ==> S, sto) = (P, P ==> S, sto)eq [guard2 ] : (true, P ==> S, sto) = (S, sto)eq [guard3 ] : (false, P ==> S, sto) = (skip, sto)
Unbounded choicerl [uchoice] : (@p.S, sto)⇒ (S[n/p], sto), for some n, where p is a place holder.
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 119 / 163
Since p can not be part of the store, we simply consider it aplaceholer, a sort disjoint of the sort of variables.
Search, LTL model checking and narrowing Narrowing
Equivalence of conditional and unconditional semanticsmodulo unfolding
Proposition
Let C be the conditional rewriting logic semantics for GSL and U theunconditional one.
C ` t → t ′ ⇐⇒ U ` t →/ρ t′
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 120 / 163
Search, LTL model checking and narrowing Narrowing
Fulfilling narrowing executability requirements
Recall from Slide 112:
1 only associative and commutative axioms may be used in Ax ;
2 rules in R must be unconditional, topmost and may not be specifiedby a single variable in the left-hand side of the rule;
3 rules in R must be coherent with respect to E ∪ Ax .
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 121 / 163
Search, LTL model checking and narrowing Narrowing
Fulfilling narrowing executability requirements
Recall from Slide 112:
1 only associative and commutative axioms may be used in Ax ;
Axioms are used only for bounded choice operator which is associativeand commutative.
2 rules in R must be unconditional, topmost and may not be specifiedby a single variable in the left-hand side of the rule;
3 rules in R must be coherent with respect to E ∪ Ax .
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 122 / 163
Search, LTL model checking and narrowing Narrowing
Fulfilling narrowing executability requirements
Recall from Slide 112:
1 only associative and commutative axioms may be used in Ax ;
2 rules in R must be unconditional, topmost and may not be specifiedby a single variable in the left-hand side of the rule;
All rules in the unconditional Rewriting Logic semantics of GSL areunconditional. They only apply to operators at the top and theirleft-hand side pattern is not composed by a single variable.
3 rules in R must be coherent with respect to E ∪ Ax .
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 123 / 163
Search, LTL model checking and narrowing Narrowing
Fulfilling narrowing executability requirements
Recall from Slide 112:
1 only associative and commutative axioms may be used in Ax ;
2 rules in R must be unconditional, topmost and may not be specifiedby a single variable in the left-hand side of the rule;
3 rules in R must be coherent with respect to E ∪ Ax .
The rules do not give rise to critical pairs as their left-hand sidepatterns are disjoint.
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 124 / 163
Search, LTL model checking and narrowing Narrowing
Support for Abstract Machine Notation
We equationally reduce from AMN syntax to GSL syntax.
1 eq BEGIN S END = S .2 eq PRE P THEN S END = P | S .3 eq IF P THEN S ELSE T END = (P ==> S ) [ ] ( neg (P) ==> S ) .4 eq IF P THEN S END = IF P THEN S ELSE s k i p END .5 eq X := b o o l ( P ) = IF P THEN (X := t r u e ) ELSE (X := f a l s e ) END
.6 eq CHOICE SS END = SS .7 eq S OR T = S [ ] T .8 eq S OR (T OR SS ) = S [ ] (T OR SS ) .9 eq ANY X WHERE P THEN S END = (@ X . (P ==> S ) ) .
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 125 / 163
Search, LTL model checking and narrowing Narrowing
A trivial example
Just to illustrate how narrowing command works:
1 ( sea rch [ , 2 ] i n SAMN−EXAMPLE :2 CHOICE3 ANY x WHERE t r u e THEN y := x + s ( 0 ) END4 OR5 ANY x WHERE t r u e THEN y := x END6 END, STO: S t o r e ˜>∗ s k i p , STO ’ : S t o r e . )7
8 So l u t i on 19 STO ’ : S t o r e −−> #13: S t o r e y |−> #7:GNat ;
10 STO: S t o r e −−> #13: S t o r e y |−> #12:GNat11 So l u t i on 212 STO ’ : S t o r e −−> #13: S t o r e y |−> s (#7:GNat ) ;13 STO: S t o r e −−> #13: S t o r e y |−> #12:GNat14 No more s o l u t i o n s .
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 126 / 163
Search, LTL model checking and narrowing Narrowing
Search as an instantiation of our validation approach
Let us recall Equation 1 from Slide 93,
G, g |= ϕ.
The search command of Slide 126 instantiates it as follows,
SAMN-EXAMPLE, CHOICE . . . OR . . . END |=∃STO,STO ′[(g ,STO) (skip, STO ′)]
such that the Maude module SAMN-EXAMPLE includes the Maudemodule that specifies the unconditional Rewriting Logic semantics ofGSL.
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 127 / 163
Linear Temporal Logic of Rewriting and Metaprogramming
LINEAR TEMPORAL LOGIC OF REWRITING ANDMETAPROGRAMMING
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 128 / 163
Linear Temporal Logic of Rewriting and Metaprogramming Linear Temporal Logic of Rewriting
Linear Temporal Logic of Rewriting
• LTLR generalizes LTL with action patterns:
ϕ ::= p | δ | ¬ϕ | ϕ ∧ ϕ | Xϕ | ϕUϕ | ϕ | ♦ϕ
• Spatial action patterns describe properties of one-step rewrites(equivalently, one-step proof terms) in R.
• Examples of ground spatial action patterns to describe one-steprewrites are, where u1, . . . , um are ground terms, and where ifl : t → t ∈ R, then x1, . . . , xn ⊆ vars(t):
• l : one-step proof terms involving a rule in R with label l .• l(x1\u1; . . . ; xm\um) : one-step proof terms with a rule label l whose
matching substitution φ satisfies [φ(xi )]E∪A = [ui ]E∪A.• t[l(x1\u1; . . . ; xm\um)]p : one-step proof terms that are instances of
the pattern l(x1\u1; . . . ; xm\um) where the corresponding rewriteshappen at position p of [t]E∪A.
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 129 / 163
Linear Temporal Logic of Rewriting and Metaprogramming Linear Temporal Logic of Rewriting
Linear Temporal Logic of Rewriting
• The semantics of LTLR formulas ϕ is defined by the satisfactionrelation R, [t]E∪A |= ϕ, on a computable deadlock-free rewrite theoryR.
• By definition, R, [t]E∪A |= ϕ holds if and only if for each infinitecomputation (π, γ) starting at [t]E∪A in R, the path satisfactionrelation R, (π, γ) |= ϕ holds.
• The path satisfaction relation for LTLR is quite similar to that ofLTL. The key difference between the LTLR and the LTL semantics isthe semantics of spatial action patterns. Specifically, the relationR, (π, γ) |= δ holds iff the first proof term γ(0) of the currentcomputation satisfies the spatial action pattern δ.
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 130 / 163
Linear Temporal Logic of Rewriting and Metaprogramming Linear Temporal Logic of Rewriting
Linear Temporal Logic of Rewriting
Path satisfaction relation of LTLR:
R, (π, γ) |= p ⇔ [π(0)| = p]E∪A = [true]E∪AR, (π, γ) |= δ ⇔ [γ(0)| = δ]E∪A = [true]E∪AR, (π, γ) |= ¬φ ⇔ R, (π, γ) 6|= φR, (π, γ) |= φ ∧ φ′ ⇔ R, (π, γ) |= φ and R, (π, γ) |= φ′
R, (π, γ) |= Xφ ⇔ R, (π, γ)1 |= φR, (π, γ) |= φUφ′ ⇔ ∃k ∈ N s.t. R, (π, γ)k |= φ′∧
∀0 ≤ i < k(R, (π, γ)i |= φ)
Recall that ♦ and modalities can be specified using U and ♦,respectively.
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 131 / 163
Linear Temporal Logic of Rewriting and Metaprogramming Linear Temporal Logic of Rewriting
Model checking LTL
(Thanks to Ariel Gurfinkel, SEI/CMU)
• Checking the satisfiability
S , s0 |= ϕ
can be done algorithmically by verifying
L(B(S) ∩ B(¬ϕ)) = ∅
where B(S) is the Buchi automaton (a finite automaton that acceptsinfinite words) for the system S , B(ψ) is the Buchi automaton for anLTL formula ψ, and L(A) is the language accepted by automaton A.
• Counterexamples (words in L(B(S) ∩ B(¬ϕ))) are always of the formuvω, where u and v are finite words.
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 132 / 163
Linear Temporal Logic of Rewriting and Metaprogramming Linear Temporal Logic of Rewriting
Model checking LTL
Buchi automaton:
• A = (Σ,Q,∆,Q0,F ), ∆ ⊆ Q × Σ× Q, Q0 ⊆ Q, F ⊆ Q.
• Recognizes words from Σω.
• A run ρ : N → Q over v ∈ Σω in A is such that ρ(0) ∈ Q0 and
∀i ≥ 0, (ρ(i), v(i), ρ(i + 1)) ∈ ∆.
• Acceptance: runs over infinite words.• Let inf (ρ) be the set of states that appear infinitely often on a run ρ:
inf (ρ) = q | ∀i ∈ N,∃j ≥ i , ρ(j) = q.
• A run ρ is accepting iff inf (ρ) ∩ F 6= ∅.• Buchi-recognizable languages are closed under complement and
intersection.
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 133 / 163
Linear Temporal Logic of Rewriting and Metaprogramming Linear Temporal Logic of Rewriting
Labeled Kripke Structures as a Rewrite Theory
• Given a computable deadlock-free rewrite theory R, and an LTLRformula ϕ with set of atomic propositions P and set of actionpatterns W ,
R, (π, γ) |= ϕ⇔ KP,W (R)π(0), (π, α) |= ϕ,
where for each computation (π, γ) of R, there is a path (π, α) ofKP,W (R)π(0) with α(i) = δ ∈W : [γ(i) |= δ]E = [true]E for eachi ∈ N.
• A path in a Labeled Kripke Structures K is such that
π(i)α(i)π(i + 1) for each i ≥ 0.
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 134 / 163
Linear Temporal Logic of Rewriting and Metaprogramming Linear Temporal Logic of Rewriting
Union traces and Buchi automata for LTLR
• If the set of atomic propositions in a Labeled Kripke Structure and itsset of actions are disjoint,
(L(π), α)⇔ L(π) ∪ α,
where (L(π) ∪ α)(i) = L(π)(i) ∪ α(i) for each i ≥ 0.
• In union traces there is no distinction between event and statepropositions.
• Therefore, we can check whether a union trace L(π) ∪ α is acceptedby a Buchi automaton for a formula ¬ϕ using the same Buchiautomata construction as in the LTL case.
C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 135 / 163
Linear Temporal Logic of Rewriting and Metaprogramming Linear Temporal Logic of Rewriting
Model checking LTLR
Given an LTLR formula ϕ with set of atomic propositions P and set ofspatial action patterns W , a computable deadlock-free rewrite theory R,and an initial state [t]E ,
R, [t]E |= ϕ⇔ L(KP,W (R)[t]E ⊗ B(¬ϕ)) = ∅.
where M ⊗ B(¬ϕ) is a special product which advances to the next stateonly if both state labels and event labels are accepted by the currenttransition of B(¬ϕ).
Model checking LTLR
Let’s take a look at the client-server example code!
Reflection
Reflective tower:
  $\mathcal{R} \vdash t \to t' \ \Leftrightarrow\ \mathcal{U} \vdash \langle \mathcal{R}, t \rangle \to \langle \mathcal{R}, t' \rangle \ \Leftrightarrow\ \mathcal{U} \vdash \langle \mathcal{U}, \langle \mathcal{R}, t \rangle \rangle \to \langle \mathcal{U}, \langle \mathcal{R}, t' \rangle \rangle \ \ldots$
Maude’s metalevel
• Terms and modules have a metarepresentation.
• Comprehensive API to move between representation levels, with up and down functions, and to perform rewrites at the metalevel: metaReduce, metaRewrite, metaApply, metaMatch, their extended versions that take structural axioms into account, metaSearch, metaSearchPath, parsing, and pretty-printing.
Representing terms
  sorts Constant Variable Term .
  subsorts Constant Variable < Qid Term .
  op <Qids> : -> Constant [special (...)] .
  op <Qids> : -> Variable [special (...)] .
  sort TermList .
  subsort Term < TermList .
  op _,_ : TermList TermList -> TermList [ctor assoc gather (e E) prec 120] .
  op _[_] : Qid TermList -> Term [ctor] .
Representing modules
  sorts FModule SModule FTheory STheory Module .
  subsorts FModule < SModule < Module .
  subsorts FTheory < STheory < Module .
  sort Header .
  subsort Qid < Header .
  op _{_} : Qid ParameterDeclList -> Header [ctor] .
  op fmod_is_sorts_.____endfm : Header ImportList SortSet
       SubsortDeclSet OpDeclSet MembAxSet EquationSet -> FModule
       [ctor gather (& & & & & & &)] .
  op mod_is_sorts_._____endm : Header ImportList SortSet
       SubsortDeclSet OpDeclSet MembAxSet EquationSet RuleSet
       -> SModule [ctor gather (& & & & & & & &)] .
  op fth_is_sorts_.____endfth : Qid ImportList SortSet SubsortDeclSet
       OpDeclSet MembAxSet EquationSet -> FTheory
       [ctor gather (& & & & & & &)] .
  op th_is_sorts_._____endth : Qid ImportList SortSet SubsortDeclSet
       OpDeclSet MembAxSet EquationSet RuleSet -> STheory
       [ctor gather (& & & & & & & &)] .
Moving between levels
  op upModule : Qid Bool ~> Module [special (...)] .
  op upSorts : Qid Bool ~> SortSet [special (...)] .
  op upSubsortDecls : Qid Bool ~> SubsortDeclSet [special (...)] .
  op upOpDecls : Qid Bool ~> OpDeclSet [special (...)] .
  op upMbs : Qid Bool ~> MembAxSet [special (...)] .
  op upEqs : Qid Bool ~> EquationSet [special (...)] .
  op upRls : Qid Bool ~> RuleSet [special (...)] .
In all these (partial) operations:
• The first argument is expected to be a module name.
• The second argument is a Boolean, indicating whether we are also interested in the imported modules or not.
Moving between levels
  op upTerm : Universal -> Term .
  op downTerm : Term Universal -> Universal .
• upTerm takes a term t and returns the metarepresentation of its canonical form.
• downTerm takes the metarepresentation of a term t and a term t′, and returns the canonical form of t, if t is a term in the same kind as t′; otherwise, it returns the canonical form of t′.
metaSearch
• metaSearch takes as arguments:
  • the metarepresentation of a module,
  • the metarepresentation of the starting term for search,
  • the metarepresentation of the pattern to search for,
  • the metarepresentation of a condition to be satisfied,
  • the metarepresentation of the type of search to carry on,
  • a Bound value that indicates the maximum depth of the search, and
  • a natural number, to enumerate solutions.
• The searching strategy used by metaSearch coincides with that of the object level search command.
• The possible types of search are:
  • '* for a search involving zero or more rewrites (corresponding to =>* in the search command),
  • '+ for a search consisting in one or more rewrites (=>+),
  • '! for a search that only matches canonical forms (=>!).
Exercise!
• Move back to Section 1 and study how the narrowing search command was used at the metalevel.
• Open Maude’s online manual, study the metalevel documentation, and execute a metaApply command in the mutex system.
Some Pie
• Towards Reasoning in Dynamic Logics with Rewriting Logic: the Petri-PDL Case.
• Joint work with Bruno Lopes.
• SBMF 2015
Petri nets
[Figure: Petri Net for the “Rock-Paper-Scissors” game, with places C, G1, G2, R1, S1, P1, R2, S2, P2, W1, W2 and D]
Reasoning on Petri nets
[Figure: the Petri Net for the “Rock-Paper-Scissors” game, as on the previous slide]
• Will it always have a winner?
• Which would be a suitable logic to reason about Petri nets’ properties?
• How to automate reasoning in such a logic?
Petri-PDL
• There are many logical approaches to reason about Petri nets. (Please see a discussion in the paper.)
• We choose Propositional Dynamic Logic (PDL), a simple and yet expressive modal logic that appears to be suitable to reason about Petri nets.
PDL
• Syntax: Let p be an atomic proposition and α a basic program,
  • $\varphi ::= p \mid \top \mid \neg\varphi \mid \varphi_1 \wedge \varphi_2 \mid \langle \pi \rangle \varphi$ (“modality generator”)
  • $\pi ::= \alpha \mid \pi;\pi \mid \pi \cup \pi \mid \pi^\ast$.
• Model: $\mathcal{M} = \langle W, R_\pi, V \rangle$, where $W$ is a set of states or worlds, $R_\pi \subseteq W \times W$ for each basic program $\pi_b$, and $V : \Phi \to 2^W$ is a valuation function (a Kripke structure).
• Satisfaction: Let $w \in W$,
  • $\mathcal{M}, w \models p$ iff $w \in V(p)$,
  • $\mathcal{M}, w \models \top$ always,
  • $\mathcal{M}, w \models \neg\varphi$ iff $\mathcal{M}, w \not\models \varphi$,
  • $\mathcal{M}, w \models \varphi_1 \wedge \varphi_2$ iff $\mathcal{M}, w \models \varphi_1$ and $\mathcal{M}, w \models \varphi_2$,
  • $\mathcal{M}, w \models \langle \pi \rangle \varphi$ iff there is $w' \in W$ such that $w R_\pi w'$ and $\mathcal{M}, w' \models \varphi$.
• PDL may be extended. Petri-PDL is one such extension.
Petri-PDL
Petri-PDL extends PDL with a new set of programs π which are essentially a combination of 3 basic ones:
[Figure: Basic Petri nets. (a) Type 1: t1, with places X and Y; (b) Type 2: t2, with places X, Y and Z; (c) Type 3: t3, with places X, Y and Z]
Petri-PDL
• Syntax:
  • $\pi_b ::= a\ t1\ b \mid ab\ t2\ c \mid a\ t3\ bc$, where $a$, $b$, and $c$ are place names,
  • $\pi ::= \pi_b \mid \pi\ \pi$,
  • $\pi_m ::= (s, \pi)$, where $s$ is a multiset of names.
• Model: $\mathcal{M} = \langle W, R_\pi, V, M \rangle$, where $\langle W, R_\pi, V \rangle$ is a Kripke structure and $M : W \to S$ is a function assigning places to worlds.
• Satisfaction:
  • $\mathcal{M}, w \models p$ iff $w \in V(p)$,
  • $\mathcal{M}, w \models \top$,
  • $\mathcal{M}, w \models \neg\varphi$ iff $\mathcal{M}, w \not\models \varphi$,
  • $\mathcal{M}, w \models \varphi_1 \wedge \varphi_2$ iff $\mathcal{M}, w \models \varphi_1$ and $\mathcal{M}, w \models \varphi_2$,
  • $\mathcal{M}, w \models \langle s, \eta \rangle \varphi$ iff there exists $v \in W$ with $w R_\eta v$, $s \subseteq M(w)$, and $\mathcal{M}, v \models \varphi$.
• In a nutshell: Petri-PDL is a PDL where programs are marked nets whose models are Kripke structures with an assignment of places to worlds.
Rock-Paper-Scissors in Petri-PDL
[Figure: the Petri Net for the “Rock-Paper-Scissors” game, as on the previous slides]
In Petri-PDL, π is the juxtaposition of the basic programs c t3 g1 g2, g1 t1 r1, g1 t1 s1, g1 t1 p1, g2 t1 r2, g2 t1 s2, g2 t1 p2, r1 s2 t2 w1, r1 p2 t2 w2, r1 r2 t2 d, s1 r2 t2 w2, s1 s2 t2 d, s1 p2 t2 w1, p1 r2 t2 w1, p1 s2 t2 w2, p1 p2 t2 d.
Kripke structures as rewrite theories
Let’s recall from Slide 87 how Kripke structures are represented as Rewriting Logic theories!
PETRI-PDL Maude module

  mod PETRI-PDL is
    sorts Place Places BasicProg Prog Net .
    subsort Place < Places .
    subsort BasicProg < Prog .

    op epsilon : -> Places .   *** empty marking, identity of __ (declaration not visible on the slide)
    op __ : Places Places -> Places [prec 20 assoc comm id: epsilon] .
    op _t1_ : Place Place -> BasicProg [prec 30] .
    op __t2_ : Place Place Place -> BasicProg [prec 30] .
    op _t3__ : Place Place Place -> BasicProg [prec 30] .
    op _+_ : Prog Prog -> Prog [assoc comm prec 40] .
    op _,_ : Places Prog -> Net .

    vars A B C : Place . var W : Places . var P : Prog .

    rl [t1] : A W , A t1 B => B W , A t1 B .
    rl [t2] : A B W , A B t2 C => C W , A B t2 C .
    rl [t3] : A W , A t3 B C => B C W , A t3 B C .

    rl [t1] : A W , A t1 B + P => B W , A t1 B + P .
    rl [t2] : A B W , A B t2 C + P => C W , A B t2 C + P .
    rl [t3] : A W , A t3 B C + P => B C W , A t3 B C + P .
  endm
Specifies the behavior of Petri-PDL basic programs.
Maude reflective API in module META-LEVEL
• Allows for the representation and handling of modules as terms and terms as meta-terms.
• Includes functions:
  • metaSearch: given a meta-module and a meta-term, produces the terms reachable from the given meta-term according to the given meta-module.
  • upModule: produces the meta-representation of a module.
  • upTerm: produces the meta-representation of a term.
  • downTerm: produces the object representation of a meta-term.
Petri-PDL Maude model checker
• Given a Petri-PDL model $\mathcal{M} = \langle \mathcal{W}, R_\pi, V \rangle$, with $\mathcal{W} = (S \times \pi)$, we associate it with a rewrite theory $\mathcal{R} = \langle \Sigma_{\mathit{Net}}, \mathit{Evaluation}, R_{\mathit{Net}} \rangle$, where $\mathit{Net} = \mathcal{W}$ and $\mathit{valuation} : S \to \mathit{FormulaSet}$, such that
  $\mathcal{K}(\mathcal{R}, [\mathit{Net}]) = (T_{\Sigma_{\mathit{Net}}}, (\to^1_{R_{\mathit{Net}}})^\bullet, \mathit{Evaluation}) = \mathcal{M}.$
• Module PETRI-PDL-MODEL-CHECKER includes modules PETRI-PDL and META-LEVEL.
• Sort Places represents the set $S$.
• Relation $R_\pi$ is implemented by meta-function ppdlNStepRew, which encapsulates a call to metaSearch from Maude’s META-LEVEL.
• Meta-function modelCheck is responsible for the implementation of Petri-PDL’s satisfaction predicate (which includes the “modality generator”).
• Module VALUATION, which includes PETRI-PDL-MODEL-CHECKER, provides equations for operation valuation defining which atomic propositions hold on each place.
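The following block is an added example, written for this transcript and not taken from the slides or from the Petri-PDL model checker, that exercises the metalevel API described on the upModule/upTerm/downTerm and metaSearch slides above on the rewrite theory of the PETRI-PDL slide. Module PETRI-PDL restates that slide with its mixfix underscores restored (the extraction dropped them) and declares epsilon as the identity of juxtaposition, which the slide does not show and is assumed here; module RPS encodes the “Rock-Paper-Scissors” net exactly as the program π given above; module RPS-META then asks, at the metalevel, whether a marking containing the draw place d is reachable from one token in c. Function reachable plays the role the model-checker slide assigns to ppdlNStepRew (a metaSearch wrapper), and witness brings the net that was found back down with downTerm. The names RPS, RPS-META, rps, init, drawPat, reachable and witness are ours.

```maude
*** Added example (not from the slides). Object level first, metalevel after.
mod PETRI-PDL is
  sorts Place Places BasicProg Prog Net .
  subsort Place < Places .
  subsort BasicProg < Prog .
  op epsilon : -> Places [ctor] .   *** empty marking, identity of __ (assumed)
  op __ : Places Places -> Places [prec 20 assoc comm id: epsilon] .
  op _t1_  : Place Place -> BasicProg [prec 30] .         *** a t1 b   : a -> b
  op __t2_ : Place Place Place -> BasicProg [prec 30] .   *** a b t2 c : a, b -> c
  op _t3__ : Place Place Place -> BasicProg [prec 30] .   *** a t3 b c : a -> b, c
  op _+_ : Prog Prog -> Prog [assoc comm prec 40] .
  op _,_ : Places Prog -> Net .                           *** marked net (s, pi)
  vars A B C : Place . var W : Places . var P : Prog .
  rl [t1] : A W , A t1 B => B W , A t1 B .
  rl [t2] : A B W , A B t2 C => C W , A B t2 C .
  rl [t3] : A W , A t3 B C => B C W , A t3 B C .
  rl [t1] : A W , A t1 B + P => B W , A t1 B + P .
  rl [t2] : A B W , A B t2 C + P => C W , A B t2 C + P .
  rl [t3] : A W , A t3 B C + P => B C W , A t3 B C + P .
endm

mod RPS is
  including PETRI-PDL .
  *** Places named as on the "Rock-Paper-Scissors" slides.
  ops c g1 g2 s1 s2 r1 r2 p1 p2 w1 w2 d : -> Place [ctor] .
  op rps : -> Prog .      *** the program pi of the Petri-PDL slide
  eq rps = c t3 g1 g2 + g1 t1 r1 + g1 t1 s1 + g1 t1 p1
         + g2 t1 r2 + g2 t1 s2 + g2 t1 p2
         + r1 s2 t2 w1 + r1 p2 t2 w2 + r1 r2 t2 d
         + s1 r2 t2 w2 + s1 s2 t2 d + s1 p2 t2 w1
         + p1 r2 t2 w1 + p1 s2 t2 w2 + p1 p2 t2 d .
  op init : -> Net .      *** one token in c
  eq init = c , rps .
endm

mod RPS-META is
  protecting META-LEVEL .
  protecting RPS .
  var N : Net .  var Pat : Term .  var Bnd : Bound .  var R : ResultTriple .

  *** Metarepresentation of the pattern "d W , P": any marking that holds the
  *** draw place d, whatever the program attached to it.
  op drawPat : -> Term .
  eq drawPat = '_`,_['__['d.Place, 'W:Places], 'P:Prog] .

  *** reachable(N, Pat, Bnd): is a net matching Pat reachable from N in at most
  *** Bnd rewrites?  upModule/upTerm lift the module and the start term one
  *** level; metaSearch with '* is the metalevel form of "search N =>* Pat".
  op reachable : Net Term Bound -> Bool .
  eq reachable(N, Pat, Bnd)
   = metaSearch(upModule('RPS, true), upTerm(N), Pat, nil, '*, Bnd, 0) =/= failure .

  *** witness(N, Pat, Bnd): the first matching net, moved back to the object
  *** level with downTerm; N itself when the search fails (the matching
  *** condition only succeeds when metaSearch returns a ResultTriple).
  op witness : Net Term Bound -> Net .
  ceq witness(N, Pat, Bnd) = downTerm(getTerm(R), N)
   if R := metaSearch(upModule('RPS, true), upTerm(N), Pat, nil, '*, Bnd, 0) .
  eq witness(N, Pat, Bnd) = N [owise] .
endm

*** Can the game end in a draw?  The model-checker slide below reports the
*** path c -> g1 g2 -> g1 s2 -> s1 s2 -> d, so we ask with bound 4 and, for
*** contrast, with bound 3.
reduce in RPS-META : reachable(init, drawPat, 4) .
reduce in RPS-META : reachable(init, drawPat, 3) .
reduce in RPS-META : witness(init, drawPat, 4) .
```

Load the file with `maude` and the three reduce commands run as written. At the object level the same question is the command `search [1] in RPS : init =>* d W:Places , P:Prog .`; the metalevel version is what a model checker written in Maude, such as the one on the next slides, can call from inside an equation, which is what makes metaSearch the natural building block for ppdlNStepRew.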
Petri-PDL Maude model checker code
Let’s take a look at the code!
Model checking “Rock-Paper-Scissors”
  mod VALUATION is
    inc PETRI-PDL-MODEL-CHECKER .
    ops c g1 g2 s1 s2 r1 r2 p1 p2 w1 w2 d : -> Place .
    ops p q : -> Formula .
    eq valuation(w1) = p . eq valuation(w2) = q . eq valuation(d) = ((¬ p) (¬ q)) .
  endm

  reduce in VALUATION : modelCheck(¬ < c , (g1 t1 r1 + g1 t1 p1 + g1 t1 s1 + g2 t1 r2 +
    g2 t1 p2 + g2 t1 s2 + (((((((s1 s2 t2 d + s1 p2 t2 w1) + s1 r2 t2 w2) + p1 s2 t2 w2) + p1 p2
    t2 d) + p1 r2 t2 w1) + r1 s2 t2 w1) + r1 p2 t2 w2) + r1 r2 t2 d) + c t3 g1 g2 > (¬ (p \/ q)), 4, mt-placeslistset) .
  rewrites: 1139 in 24ms cpu (25ms real) (45942 rewrites/second)
  result PPDLModel: ppdlModel(false, c -> g1 g2 -> g1 s2 -> s1 s2 -> d)
Bibliography
• Kyungmin Bae and José Meseguer, A Rewriting-Based Model Checker for the Linear Temporal Logic of Rewriting.
• Kyungmin Bae and José Meseguer, The Maude LTLR Model Checker.
• Steven Eker et al., The Maude LTL Model Checker.
• Santiago Escobar et al., Built-in Variant Generation and Unification, and Their Applications in Maude 2.7.
• Narciso Martí-Oliet and José Meseguer, Rewriting Logic as a Logical and Semantic Framework.
• Narciso Martí-Oliet, Specifying, Programming and Verifying in Maude, lecture notes.
• José Meseguer, Conditional Rewriting Logic as a Unified Model of Concurrency.
• José Meseguer, The Temporal Logic of Rewriting: A Gentle Introduction.
• José Meseguer, Twenty Years of Rewriting Logic.