PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor •...
Transcript of PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor •...
![Page 1: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/1.jpg)
PETRI NETSPRESENTED BYJUSTIN ROTH
Friday, March 11, 2011
![Page 2: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/2.jpg)
OUTLINE• INTRODUCTION
• SIMPLE EXAMPLE
• LANGUAGE OF PETRI NETS
• PROPERTIES OF PETRI NETS
•MORE ADVANCED EXAMPLE
• ADVANTAGES OF PETRI NETS
•QUESTIONS
• PN TOOLS
• VARIATIONS ON PNFriday, March 11, 2011
![Page 3: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/3.jpg)
INTRODUCTION
•Discovery by Carl Adam Petri at the age of 13 for the purpose of describing chemical reactions.
• Later formalized in his PHD
• Petri Nets have huge application scope
• Feel free to ask questions
Friday, March 11, 2011
![Page 4: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/4.jpg)
SIMPLE EXAMPLE
• http://www.informatik.uni-hamburg.de/TGI/PetriNets/introductions/aalst/trafficlight1.swf [2]
Friday, March 11, 2011
![Page 5: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/5.jpg)
LANGUAGE• Symbols
squarecirclearrowdot
Friday, March 11, 2011
![Page 6: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/6.jpg)
LANGUAGE
• Symbols
• Places P={P1,P2,,...Pn)
• Transitions T = {T1,T2,...Tn}
• Arcs A={(Px,Ty),(Ty,Px)} Forall 0<x<#places 0<y<#transitions
• Token u = {u1(P),u2(P),...un(P)}
Friday, March 11, 2011
![Page 7: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/7.jpg)
LANGUAGE
Places to Transitions Transition to Places
•Arcs can be between places and transitions or transitions and place•Never between places and places or transitions and transitions
t1
Friday, March 11, 2011
![Page 8: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/8.jpg)
LANGUAGE• Functions
Fire(transition, input_p1...m, output_p 1...n, )HasToken(place) AddToken (place) RemoveToken (place)
arity = m+n+1arity = 1arity = 1arity = 1
Friday, March 11, 2011
![Page 9: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/9.jpg)
LANGUAGE• Functions
Fire(transition, input_place 1...n, output_place 1...m)
if HasToken(input_place 1...n)AddToken(output_place 1...m)
HasToken(place)
AddToken (place)
RemoveToken (place)
Friday, March 11, 2011
![Page 10: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/10.jpg)
LANGUAGE• Relators
input_transitions(place)
output_ transitions(place)
input_places(transition)
out_places(transition)
Friday, March 11, 2011
![Page 11: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/11.jpg)
LANGUAGE•Other representation
• Vector (input + output)
[6]
Friday, March 11, 2011
![Page 12: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/12.jpg)
PROPERTIES OF PETRI NETS• Sequential
• Synchronization
•Merging
Friday, March 11, 2011
![Page 13: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/13.jpg)
PROPERTIES OF PETRI NETS• Concurrency
• Conflict
Friday, March 11, 2011
![Page 14: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/14.jpg)
MORE ADVANCED EXAMPLE
• Concurrency http://cs.adelaide.edu.au/~esser/forkjoin.html [3]
• Assembly Line http://www.informatik.uni-hamburg.de/TGI/PetriNets/introductions/aalst/assembly.swf [4]
• Invariant http://www.informatik.uni-hamburg.de/TGI/PetriNets/introductions/aalst/trafficlight2_PI.swf [5]
Friday, March 11, 2011
![Page 15: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/15.jpg)
ADVANTAGES OF PETRI NETS
• Elegance of design
•Not implementation based
• Power tools
• Formal method
•Many proofs and theorems
• Visual learning\thinking
• Simplicity allows for huge application scope
Friday, March 11, 2011
![Page 16: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/16.jpg)
PETRI NET TOOLS
• Graphical editor
• Interchange file format
• Simplification
• Fast simulation
• Automated transition and invariant calculations
• Support for extensions to Petri nets
Friday, March 11, 2011
![Page 17: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/17.jpg)
VARIATIONS ON PETRI NETS
• Coloured petri nets (places have unique colour)
• Fuzzi petri nets (if A & if B then C)
• Timed nets (tmax & tmin for firing)
•Object oriented Petri Nets (modularity, reusability, maintainability)
• Stochastic Petri Nets (probability of firing)
Friday, March 11, 2011
![Page 18: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/18.jpg)
QUESTIONS ?
Friday, March 11, 2011
![Page 19: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/19.jpg)
REFERENCES• [1] http://www.scholarpedia.org/article/Petri_net
• [2] http://www.informatik.uni-hamburg.de/TGI/PetriNets/introductions/aalst/trafficlight1.swf
• [3] http://cs.adelaide.edu.au/~esser/forkjoin.html
• [4] http://www.informatik.uni-hamburg.de/TGI/PetriNets/introductions/aalst/assembly.swf
• [5] http://www.informatik.uni-hamburg.de/TGI/PetriNets/f
• [6]http://en.wikipedia.org/wiki/Petri_netFriday, March 11, 2011
![Page 20: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/20.jpg)
The TLA+ Specification LanguageTemporal Logic of Actions
Mohammed Alabbad and Lucas Beyak
McMaster University
March 29th, 2011
Mohammed and Lucas (McMaster) The TLA+ Specification Language March 29th, 2011 1 / 33
![Page 21: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/21.jpg)
Outline
1 Introduction
2 Mathematical Foundations
3 Specifying in TLA+
4 Model Checking Tool - TLC
5 Language Assessment
6 Extensions
7 Conclusion
Mohammed and Lucas (McMaster) The TLA+ Specification Language March 29th, 2011 2 / 33
![Page 22: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/22.jpg)
Introduction
TLA+ was designed by Leslie Lamport (currently working forMicrosoft Research)
Lamport’s research has laid the foundation for the theory ofdistributed systems
Lamport designed TLA+ in order to formally describe and reasonabout distributed algorithms
Mohammed and Lucas (McMaster) The TLA+ Specification Language March 29th, 2011 3 / 33
![Page 23: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/23.jpg)
Introductory Example
Example (General Specification)SomeSpec , Init ∧�[Next]v ∧ L
Mohammed and Lucas (McMaster) The TLA+ Specification Language March 29th, 2011 4 / 33
![Page 24: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/24.jpg)
TLA - Temporal Logic of Actions
The logic of time has its origins in philosophy and linguistics.
Temporal logic offered a framework for describing safety and livenessproperties of reactive systems.
Linear-time temporal logic includes the theory TLA
Mohammed and Lucas (McMaster) The TLA+ Specification Language March 29th, 2011 5 / 33
![Page 25: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/25.jpg)
Transition Formulas - Syntax
Transition formulas describe states and state transitions.
They are ordinary formula of untyped first-order logic, plus moreconventions and notations.
The signature is: (LF ,LP ,V)LF Function symbolsLP Predicate symbolsV set of variables; VF flexible variables and VR rigid variables.VF ′ the set of primed flexible variablesVE the union V ∪ VF ′
Mohammed and Lucas (McMaster) The TLA+ Specification Language March 29th, 2011 6 / 33
![Page 26: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/26.jpg)
Transition Formulas - Syntax - Continued
Example (Action (transition predicate))x ′ = x + 1
Example (State predicate)y = x + 1
Constant Formulas: are transition formulas whose free variables arerigid variables.
Transition formula E’ obtained from state formula E by replacing v byv’.
Mohammed and Lucas (McMaster) The TLA+ Specification Language March 29th, 2011 7 / 33
![Page 27: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/27.jpg)
Transition Formulas - Semantics
Interpretation I defines a universe |I|
State; s : VF → |I|, t : VF ′ → |I|
Valuation; ξ : VR → |I|
Combined valuation; αs,t,ξ for the variables in VE
Semantics of a transition formula E written [[E ]]I,ξs,t
Transition predicate A; valid vs. satisfiable.
Mohammed and Lucas (McMaster) The TLA+ Specification Language March 29th, 2011 8 / 33
![Page 28: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/28.jpg)
Transition Formulas - Semantics - Continued
Example (Action)[[x ′ = x + 1]]ξs,t , [[x ′]]t = [[x ]]s + 1
Example (State Formula)[[y = x + 1]]ξs , [[y ]]s = [[x ]]s + 1
Mohammed and Lucas (McMaster) The TLA+ Specification Language March 29th, 2011 9 / 33
![Page 29: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/29.jpg)
Transition Formulas - Semantics - Continued
Definition (ENABLED)[[ENABLED A]]s , ∃t : [[A]]s,t
Definition (Stuttering)[A]t , A ∨ (t ′ = t)
Definition (Necessity)〈A〉t , A ∧ ¬(t ′ = t)
Mohammed and Lucas (McMaster) The TLA+ Specification Language March 29th, 2011 10 / 33
![Page 30: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/30.jpg)
Temporal Formulas - Syntax
Temporal formulas to describe behaviours (sequences of states)
Definition (Temporal Formulas)F , P
| ¬F |F ∧ F |F ∨ F | . . .| �F| �[A]t where A is an action and t is a state function| ∃(x | x ∈ VR : F )| ∃(v | v ∈ VF : F )
Mohammed and Lucas (McMaster) The TLA+ Specification Language March 29th, 2011 11 / 33
![Page 31: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/31.jpg)
Temporal Formulas - Semantics
Temporal formulas are evaluated with respect toσ = s0s1 . . . of states si : VF → |I| and valuation ξ : VR → |I|
Definition[[P]]I,ξσ = [[P]]I,ξσ0
The semantic of the Boolean operators
[[�F ]]I,ξσ = t iff [[F ]]I,ξσ|i= t for all i ∈ N
[[�[A]t ]]I,ξσ = t iff for all i ∈ N, either [[t]]I,ξσi= [[t]]I,ξσi+1
or [[A]]I,ξσi ,σi+1= t
[[∃ x : F ]]I,ξσ = t iff [[F ]]I,ησ = t for some valuation η : VR → |I| such thatη(y) = ξ(y) for all y ∈ VR\{x}
Mohammed and Lucas (McMaster) The TLA+ Specification Language March 29th, 2011 12 / 33
![Page 32: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/32.jpg)
Temporal Formulas - Derived temporal formulas
Definition
�F always F♦F eventually F ¬�¬F♦〈A〉t eventually angle A sub t ¬�[¬A]tF G F leads to G �(F ⇒ ♦G)�♦F infinitely often♦�F always from some time onward
Mohammed and Lucas (McMaster) The TLA+ Specification Language March 29th, 2011 13 / 33
![Page 33: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/33.jpg)
Temporal Formulas - Fairness
Fairness conditions assert that an action should eventually happen ifit is often enabled.
Definition (Weak fairness)WFt(A) , �(�ENABLED〈A〉t =⇒ ♦〈A〉t)
Definition (Strong fairness)SFt(A) , �(�♦ENABLED〈A〉t =⇒ ♦〈A〉t)
Mohammed and Lucas (McMaster) The TLA+ Specification Language March 29th, 2011 14 / 33
![Page 34: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/34.jpg)
Building TLA+ from TLA
TLA is defined using predicate logic and an arbitrary interpretation
TLA+ “instantiates” the generic definition of TLA with the ZFC(Zermelo-Fraenkel set theory with choice) interpretation of first-orderlogic
Using a standard interpretation ensures unambiguous specifications
Every TLA+ value is a set
TLA+ introduces a module hierarchy, allowing declaration ofparameters and operators
Mohammed and Lucas (McMaster) The TLA+ Specification Language March 29th, 2011 15 / 33
![Page 35: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/35.jpg)
TLA+ - Operators
Boolean operatorsChoose operatorConditionalsLet/In constructSet theory operatorsFunctionsRecordsTuplesStringsNumbers
Mohammed and Lucas (McMaster) The TLA+ Specification Language March 29th, 2011 16 / 33
![Page 36: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/36.jpg)
TLA+ - Operators - Choose operator
Definition (Interpretation of a term CHOOSE x : P)[[CHOOSE x : P]]ξs,t , ε({d | [[P]]αs,t,ξ[d/x ] = t})
x ∈ VE is a variable and P is an action
Occurrences of x in CHOOSE x : P are bound
The TLA+ CHOOSE operator is analogous to mathematician’sHilbert’s choice operator
Example (Real number division)a/b , CHOOSE c ∈ Real : a = b ∗ c
Mohammed and Lucas (McMaster) The TLA+ Specification Language March 29th, 2011 17 / 33
![Page 37: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/37.jpg)
TLA+ - Operators - Set theory operators
Definition (Enumerable sets){e1, ..., en} , CHOOSE S : ∀(x | : x ∈ S ≡ ∃(i | (1 ≤ i)∧ (i ≤ n) : x = ei))
Definition (Basic set-theoretic operators)UNION S , CHOOSE M : ∀(x | : x ∈ M ≡ ∃(T | T ∈ S : x ∈ T ))S ∪ T , UNION{S,T}S ⊆ T , ∀(x | : x ∈ S ⇒ x ∈ T )SUBSET S , CHOOSE M : ∀(x | : x ∈ M ≡ x ⊆ S)
Mohammed and Lucas (McMaster) The TLA+ Specification Language March 29th, 2011 18 / 33
![Page 38: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/38.jpg)
TLA+ - Operators - Functions
The application of a function f to an expression e is written as f [e]
[x ∈ S 7→ e] denotes a function with a domain S that maps anyx ∈ S to e
The above is the TLA+ syntax for a lambda expression λx ∈ S : e
Example (Anonymous function)[n ∈ Nat 7→ 1/(n + 1)]
Example (Named function - factorial)factorial [n ∈ Nat] , IF n = 0 THEN 1 ELSE n ∗ factorial [n − 1]
Mohammed and Lucas (McMaster) The TLA+ Specification Language March 29th, 2011 19 / 33
![Page 39: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/39.jpg)
TLA+ - Operators - Functions and Tuples
Definition (Function Update)[f EXCEPT! [t] = u] , [x ∈ DOMAIN f 7→ IF x = t THEN u ELSE f [x ]]
Tuples are represented as functions
Definition (Tuple)〈t1, ..., tn〉 , [i ∈ {j ∈ Nat : (1 ≤ j) ∧ (j ≤ n)} 7→ ei ]
i does not occur in any of the expressions ej
The update operation can be applied to tuples
Mohammed and Lucas (McMaster) The TLA+ Specification Language March 29th, 2011 20 / 33
![Page 40: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/40.jpg)
Properties and Specifications
In TLA+ there is no formal distinction between properties and systemspecifications, both are represented using temporal formulas
Example (General Specification)SomeSpec , Init ∧�[Next]v ∧ L
Init is a state predicate to represent the initial condition
Next is an action that represents a next-state relation
L is a conjunction of formulas WFv (A) or SFv (A) that assert fairnessassumptions
Mohammed and Lucas (McMaster) The TLA+ Specification Language March 29th, 2011 21 / 33
![Page 41: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/41.jpg)
Refinement
First a system is specified using a high level of abstraction
A series of intermediate models introduce details
Refinements must preserve system properties
Correctness properties can be proven early, and do not need to bereproved in a later refinement
Mohammed and Lucas (McMaster) The TLA+ Specification Language March 29th, 2011 22 / 33
![Page 42: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/42.jpg)
Refinement - Continued
Definition (Refinement)A TLA formula C , refines an abstract specification A⇔∀(F |F is a formula : (A⇒ F )⇒ (C ⇒ F ))⇔C ⇒ A
Implementation is implication
C will typically contain transitions that are transparent to A(transitions that act on state variables not present in A)
Concept of stuttering steps is essential here
Mohammed and Lucas (McMaster) The TLA+ Specification Language March 29th, 2011 23 / 33
![Page 43: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/43.jpg)
Composition of Specifications
A system that is composed of specifications A and B must satisfyboth A and B
Composition is conjunction
State transition of A will be the stuttering step of B and vice versa
If some synchronization is required, both A and B will have anon-stuttering state transition
Mohammed and Lucas (McMaster) The TLA+ Specification Language March 29th, 2011 24 / 33
![Page 44: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/44.jpg)
Invariants
Invariants characterize the set of states that the system reaches.They are the basic form of safety properties.
Definition (INV1)I ∧ [N]t ⇒ I ′
I ∧�[N]t ⇒ �I
Definition (INV)Init ⇒ I I ∧ [Next]t ⇒ I ′ I ⇒ J
Init ∧�[Next]t ⇒ �J
Mohammed and Lucas (McMaster) The TLA+ Specification Language March 29th, 2011 25 / 33
![Page 45: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/45.jpg)
Step Simulation
To prove the refinement between two TLA specifications.
Definition (TLA21)I ∧ I ′ ∧ [M]t ⇒ [N]u�I ∧�[M]t ⇒ �[N]u
Mohammed and Lucas (McMaster) The TLA+ Specification Language March 29th, 2011 26 / 33
![Page 46: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/46.jpg)
Liveness Properties
Liveness properties assert that something good eventually happens
The following inference rule proves a “leads-to” formula for a weakfairness assumption
Definition (WF1)I ∧ I ′ ∧ P ∧ [N]t ⇒ P ′ ∨ Q′
I ∧ I ′ ∧ P ∧ 〈N ∧ A〉t ⇒ Q′
I ∧ P ⇒ ENABLED〈A〉t�I ∧�[N]t ∧WFt(A)⇒ (P Q)
Mohammed and Lucas (McMaster) The TLA+ Specification Language March 29th, 2011 27 / 33
![Page 47: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/47.jpg)
Illustrative Example
Mohammed and Lucas (McMaster) The TLA+ Specification Language March 29th, 2011 28 / 33
![Page 48: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/48.jpg)
Model Checking Tool - TLC
To find errors in a specification, properties that should hold must beverified
By default, TLC check’s a specification for deadlock
The goal in using TLC is NOT to verify a specification is correct, it isto find errors
TLC generates behaviors that satisfy a specification
The next-state relation can be computed when given values to thespecification’s constant parameters
Mohammed and Lucas (McMaster) The TLA+ Specification Language March 29th, 2011 29 / 33
![Page 49: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/49.jpg)
TLC - Example
Mohammed and Lucas (McMaster) The TLA+ Specification Language March 29th, 2011 30 / 33
![Page 50: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/50.jpg)
Usefullness and Limitations
UsefullnessAllows one to start abstractly and add details while retaining thetruthfullness of properties (refinement)
Provides the means to simply design concurrent, usually distributed,systems (composition)
LimitationsExpressing some algorithmic details might be difficult
May be impossible to discover a violation of a liveness property with afinite model
Mohammed and Lucas (McMaster) The TLA+ Specification Language March 29th, 2011 31 / 33
![Page 51: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/51.jpg)
Extension - PlusCal (formerly +CAL)
Lamport designed an algorithm language PlusCal
PlusCal introduces standard programming constructsassignmentsequencingloopsconditionalsnon-deterministic choiceprocedures
PlusCal algorithms are translated to TLA+ specifications, and can bechecked with TLC
Mohammed and Lucas (McMaster) The TLA+ Specification Language March 29th, 2011 32 / 33
![Page 52: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/52.jpg)
Conclusion
“A distributed system is one in which the failure of a computer youdidn’t even know existed can render your own computer unusable”- Leslie Lamport
Designing (correct) distributed systems is hard
The formalisms offered by TLA+ assists us in the difficult task ofanalyzing formal models
Expressiveness of TLA+ is helpful when new classes of systems areintroduced (real-time systems, for example)
Mohammed and Lucas (McMaster) The TLA+ Specification Language March 29th, 2011 33 / 33
![Page 53: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/53.jpg)
Z Language, Z Logic and Its Applications
Ehsan Mohammad Kazemi
Department of Computing and SoftwareMcMaster University
April 8th, 2011
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 1 / 40
![Page 54: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/54.jpg)
Outline
1 Introduction to Z Language
2 Z Specification
3 Review of An Example in Z
4 Z Specification Language from A Logical Perspective
5 The Specification of Logic ZC
6 Conservative Extensions
7 More Advanced Materials
8 Language Assessment
9 Conclusion
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 2 / 40
![Page 55: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/55.jpg)
Introduction
Z language is a model-based specification language making it easierto write mathematical description
Inspired by Jean-Raymond Abrial’s seminal work(1970’s), developedthrough the 1980’s in collaborative projects between Oxford andindustrial partners(IBM)
Is a set of conventions for presenting mathematical text, chosen tomake it more convenient
Based on Zermelo-Fraenkel set theory and first order predicate logic
Not a programming language and is intended to faciliate formalverification
Decompose specification into small pieces (Schemas)
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 3 / 40
![Page 56: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/56.jpg)
Z Language
The main steps for the specification:
Create a model of the system using discrete mathematical structures(primarily sets), together with predicate logic
Using logic showing that how the model will be changed for eachoperation that the system can perform
The process is repeated to gradually refine the specification
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 4 / 40
![Page 57: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/57.jpg)
Basic elements
There are three basic elements in Z:
SetsCollection of elements in which no sense of ordering of elements isinvolvedIn Z, there are some pre-defined set types such as Z and NUser may specify own set typesConvention is to use upper case italic letters for set types [AIRCRAFT]
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 5 / 40
![Page 58: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/58.jpg)
Basic elements(continue)
Set of operationsSet membership operator ∈Cardinality(Prefix the set name with the # symbol)Equality =Subset ⊂ or ⊆Powerset PUnion ∪Intersection ∩Difference \Definition =̂Cross ×Function →Domain domRange ran
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 6 / 40
![Page 59: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/59.jpg)
Basic elements(continue)
Logic: The operations and relations in a system are usually expressedusing the standard operators of
Not ¬And ∧Or ∨Implies ⇒Equivalence (if and only if) ⇔For all (universal quantifier) ∀There exists (existential quantifier) ∃There exists exactly one ∃1Precondition preSuch that |
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 7 / 40
![Page 60: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/60.jpg)
Z specification
A Z description consists of a collection of structures called schemas.
A schema describes the static (states, invariant relationships) anddynamic (operations, relationships between input and output, statechanges that can happen) features of a system
The schema consists of:
Schema nameGroup of variable declarations(Declaration part)List of predicates that constrain values of variables(Predicate part)
NameDeclarations
Predicates
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 8 / 40
![Page 61: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/61.jpg)
Schema Declaration part
Contains local declarations (types and variables)
Can import other types by listing their names
Status indicates if state space is changed or not
NameDeclaration{status}State space nameVariable DeclarationFunction Declaration
PredicatesOptional pre − conditionOptional post − condition
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 9 / 40
![Page 62: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/62.jpg)
Schema Predicate part
Includes statements about the entities defined in the declaration partof the schema
These statements are assumed to be implicitly connected by a logicaland
Other logical connectives can be used explicitly in compoundstatements
NameDeclaration{status}State space nameVariable DeclarationFunction Declaration
PredicatesOptional pre − conditionOptional post − condition
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 10 / 40
![Page 63: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/63.jpg)
Z specification(continue)
Creating New Schemas from Existing SchemasThe prefix ∆ (Delta) is used to create a new schema from an existingone
Is obtained by combining the before and after specifications of a state.Describes state space changes after operation
The prefix Ξ (Xi) is also used to create a new schema from anexisting one.
Is also obtained by combining the before and after specifications of astate.However, this schema is used to define specifications of operations thatdo not change the state space of a structure.
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 11 / 40
![Page 64: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/64.jpg)
Z specification sections
Z specification consists of four sections:
A Z Specification begins with a list of given sets, data types, andconstants
State definition (shown as Z schema)
Operations (shown as Z schema)
Initial state: when the system is first turned on
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 12 / 40
![Page 65: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/65.jpg)
Z specification example
Example (A class manager’s assistant)A specification that provides support for a class manaegr to admitstudents to a class, and to record who has done the midweek exercises.
The given sets for the specification:The notion of a student is represented by a given set Student [Student]The user of the system needs to specify a maximum class size| Size: NThe type definition for the responses to the operations is asResponse ::= success | notenrolled | nocert | cert | alreadyenrolled |alreadytested | noroom
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 13 / 40
![Page 66: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/66.jpg)
Z specification example
State definition and related operations for the specification:
Classenrolled , tested : P Student
#enrolled ≤ sizetested ⊆ enrolled
The operations required are enrolling, testing, leaving and finallyenquiring a student respectively shown in Enrolok, Testok, Leaveokand Enquire schemas.
Initial states for the specification:ClassInit =̂ [ Class’ | enrolled’ = ∅ ]
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 14 / 40
![Page 67: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/67.jpg)
Z specification example(continue)
Enrolling a student:
Enrolok∆Classs? : Studentr ! : Response
s? /∈ enrolled#enrolled ≤ sizeenrolled ′ = enrolled ∪ {s?}tested ′ = testedr ! = success
Note: The input names end with a question(?) mark and output namesend with an exclamation(!) mark
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 15 / 40
![Page 68: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/68.jpg)
Z specification example(continue)
Testing a student:
Testok∆Classs? : Studentr ! : Response
s? ∈ enrolleds? /∈ testedtested ′ = tested ∪ {s?}enrolled ′ = enrolledr ! = success
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 16 / 40
![Page 69: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/69.jpg)
Z specification example(continue)
Discharging a student:
Leaveok∆Classs? : Studentr ! : Response
s? ∈ enrolledenrolled ′ = enrolled \ {s?}((s? ∈ tested ∧ tested ′ = tested \ {s?} ∧ r ! = cert)∨ (s? /∈ tested ∧ tested ′ = tested ∧ r ! = nocert))
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 17 / 40
![Page 70: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/70.jpg)
Z specification example(continue)Enquiring a student:
EnquireΞClasss? : Studentr ! : Response
((s? /∈ enrolled ∧ r ! = notenrolled)∨ (s? ∈ (enroled \ tested) ∧ r ! = alreadyenrolled)∨ (s? ∈ tetsed ∧ r ! = alreadytested))
NoRoomΞClassr ! : Response
#enrolled = sizer ! = noroom
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 18 / 40
![Page 71: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/71.jpg)
Z In A Logical Perspective
The work is structured into three parts:
The least formal and most accessible one which explores initialconsiderations concerning the formalization of Vernacular Zconcerning Schema types and Bindings
A more formally presented account of Z logic that discuss how thatlogic may be extended by means of a series of conservative extensions
Contains the most advanced material by looking beyond Z as aspecification langauge and ZC as a logic for reasoning aboutspecification
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 19 / 40
![Page 72: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/72.jpg)
Z Schemas and Bindings
At the heart of Z is the schema. Schemas are usuallay used in two ways:Describing the state space of a system
Describing operations which the system may be perform
Example (A jug of water)The informal state space is a jug of water of capacity 250ml having acurrent volume and a current temperature which can be written as:
JugVolume : Ntemp : N
Volume ≤ 250temp ≤ 100
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 20 / 40
![Page 73: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/73.jpg)
Z Schemas and BindingsBindings:
The states which comprise a schema are called bindings
Each binding belonging to a schema is a legitimate state of the system
The schema describes a state space, that is, a set of legitimatesystem states
A schema does not describe a particular stateBindings are written like:
(| volume V n, temp V m |)
where n,m ∈ NPossiblity to extract the values assoiciated with observations from bindingsis called binding selection, like
(| volume V n, temp V m |).volume = n
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 21 / 40
![Page 74: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/74.jpg)
Schema and Schema Type
Here is an unordered sequence of typed(indicated by superscripts)observations(the Zi )
[... zTii ...]
Then schemas are either schema sets:
[... zi : CP Tii ...]
or atomic schemas
[S | P]
where the Ci are sets, S is a schema and P is a predicate.
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 22 / 40
![Page 75: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/75.jpg)
Schema and Schema Type
Since schemas are sets of bindings, so the logic of schema can be obtainedfrom the logic of sets and bindings. Hence, in ZC , for sets, we have
P[z/t][ {}+ ]
t ∈ {z | P}
t ∈ {z | P}[ {}− ]
P[z/t]
Note that ZC is strongly typed, and these typed set comprehensionsrepresent no technical difficulties.
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 23 / 40
![Page 76: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/76.jpg)
Schema and Schema Type
And for bindings, ZC has
[V=0 ]
(| ...zi V ti ... |).zi = ti
[V=1 ]
(| ...zi V t.zi ... |) = t [...zTii ...]
The logical rules for schemas flow the following ZC definitions:
[... zi : Ci ...] =df {x | ... ∧ x .zi ∈ Ci ∧ ...}
and
[S | P] =df {z ∈ S | z .P}
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 24 / 40
![Page 77: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/77.jpg)
Rules for Schema Derived in ZC
Rules for schema sets in ZC are:
... ti ∈ Ci ...
(| ...zi V ti ... |) ∈ [...zi : Ci ...]([]+)
t ∈ [...zi : Ci ...]
t.zi ∈ Ci([]−)
Rules for atomic schemas in ZC are:
t ∈ S t.Pt ∈ [S | P]
(S+)t ∈ [S | P]
t ∈ S (S−0 )t ∈ [S | P]
t.P (S−1 )
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 25 / 40
![Page 78: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/78.jpg)
Schema Algebra and Filtered Bindings
Time to consider an operation from the schema calculus: SchemaConjunction (∧).
Filtering: the type restriction of a binding. We write as z � T
Roughly, the bindings we expect in the schema S0 ∧ S1 are thosecommon to S0 and S1.
But the story is more complicated: the types of S0 and S1 (say T0and T1) need not necessarily be the same.
In order for S0 ∧ S1 to be well-defined, these types must agree ontheir overlap.
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 26 / 40
![Page 79: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/79.jpg)
Schema Algebra and Filtered Bindings
We write T0 g T1 (in the meta-theory) for the compatible type union(it is not defined if they are incompatible) of T0 and T1.
Note that when the types are disjoint, this is effectively a unionoperation.
Hence, the schema conjunction definition in ZC will be
SPT00 ∧ SPT1
1 =df {zT0gT1 | z � T0 ∈ S0 ∧ z � T1 ∈ S1}
t ∈ S0 t ∈ S1t ∈ S0 ∧ S1
(S+∧ )
t ∈ S0 ∧ S1t ∈ S0
(S−∧0)t ∈ S0 ∧ S1
t ∈ S1(S−∧1)
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 27 / 40
![Page 80: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/80.jpg)
The Types of ZC Logic
ZC is an extension of higher order logic with the addition of the schematypes.We begin with the language of types
T ::= Υ | PT | T × T | [...zT ...]
whereTypes of the form Υ are the names of free types
Types of the form [...zT ...] are called schema types
No observation {...zi ...} may occur more than once in such a type
The symbols �,f,gand− denote the relation and operations.
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 28 / 40
![Page 81: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/81.jpg)
The Types of ZC Logic(continue)
Since these relations and operations are defined only for schematypes, so any use of them is well defined only when the types inquestion are schema types.
Schema type union imposes an additional constraint, since it is onlydefined when its schema type arguments are compatible
Types are indicated by superscripting and can be omitted wheneverpossible
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 29 / 40
![Page 82: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/82.jpg)
The Terms of ZC LogicFirst we have variables, bindings, pairs and their projections
tT ::= xT | t [...zT ...].z | tT×T1 .1 | tT0×T .2tT0×T1 ::= (tT0 , tT1)
t [...zT ...] ::= (| ...z V tT ... |)
Second, we have the filtered (restricted) bindings
tT0 ::= tT1 � T0 where T0 � T1
Third, the values of free type are
tΥ ::= ... tΥij ...
Finally, We have sets
tPT ::= {zT | P}
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 30 / 40
![Page 83: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/83.jpg)
The Formulae of ZC Logic
The formulae of ZC delineate a typed bounded predicate logic:
P ::= false | tT = tT | tT ∈ CPT | ¬P | P ∨ P | ∃ zT ∈ CPT • P
The judgements of ZC have the form Γ ` P, where Γ is a set offormulae
The logic of ZC is classical, so the remaining logical operations areavailable by definition
A crucial observation is the unicity of types: every term of ZC has aunique type
A term of type T always belong to the carrier set of T: tT ∈ T
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 31 / 40
![Page 84: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/84.jpg)
The Formulae of ZC Logic(example)
Example (Specialisation for N)As an example of the rules for free types, we can give the followingspecialisation for N,
zero ∈ Nn ∈ N
succ n ∈ Nn ∈ N
zero 6= succ n
succ n = succ mn = m
P[n/zero] m ∈ N, P[n/m] ` P[n/succ/m]
n ∈ N ` P
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 32 / 40
![Page 85: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/85.jpg)
Conservative ExtensionsThe base logic ZC contains only rudimentary features of Z. We havealready indicated in overview how ZC can host more advanced features bymeans of conservative extensions
Schema Sets and Atomic Schemas:
SPT ::= [...zi : CPTii ...] | [SPT | P]
Schema Disjunction:
SPT00 ∨ SPT1
1 =df {zT0gT1 | z ∈ S0 ∨ z ∈ S1}
Schema Conjunction:
SPT00 ∧ SPT1
1 =df {zT0gT1 | z ∈ S0 ∧ z ∈ S1}
Schema Negation:
¬SPT =df {zT | z /∈ S}
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 33 / 40
![Page 86: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/86.jpg)
Conservative Extensions(continue)
Schema Inclusion: Interpreting the separation of declarations in aschema as schema conjunction, like
[z : T ; S | P] is just [z : T ∧ S | P]
Schema Composition: considering operation schemas.Those schemas whose type is PT where T has the form T in g T out′
T in contains declarations of all before observations and T out′ containsdeclarations of all after observations
Note that the types T in and T out′ are always disjoint.
UP(T in0 gT out′
0 )0
o9 UP(T in
1 gT out′1 )
1 =df {(z0 ∗ z ′1)T in0 gT out′
1 |∃ yT out′
0 • z0 ∗ y ′ ∈ U0 ∧ y ∗ z ′1 ∈ U1}
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 34 / 40
![Page 87: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/87.jpg)
Conservative Extensions(continue)
Schema Preconditions: The precondition of an operation schema isessentially the domain of the partial relation that the schema denotes.Let T in � V , then
pre U xV =df ∃ z ∈ U • x =T in z
In vernacular Z, the precondition is a schema(a set of bindings)
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 35 / 40
![Page 88: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/88.jpg)
Equational Logic
It is interesting to note that the fundamental relation of Z is, in fact,equality.
In the absence of a logic, the informal explanation of schemaoperators has often been given in terms of certain equalities, like
[T0 | P0] ∧ [T1 | P1] = [T0 g T1 | P0 ∧ P1]
and
¬[T | P] = [T | ¬P]
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 36 / 40
![Page 89: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/89.jpg)
Operation Refinment
One of the refinements that can be formalized in the core theory ZC isS-Refinement. There are two basic observations regarding the propertiesone expect in a refinement:
Postconditions do not weaken
Preconditions do not strengthenwritten as U0 ws U1 and is given by the definition which leads directly tothe following rules,
pre U1 z ` pre U0 z pre U1 z0, z0 ∗ z ′1 ∈ U0 ` z0 ∗ z ′1 ∈ U1U0 ws U1
(w+s )
U0 ws U1 pre U1tpre U0 t (w−s0)
U0 ws U1 pre U1 t0 t0 ∗ t ′1 ∈ U0t0 ∗ t ′1 ∈ U1
(w−s1)
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 37 / 40
![Page 90: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/90.jpg)
Assesment
Makes use of a graphical construction known as a schema which canbe understood fairly easily
Easy to find faults in Z specification and Can prove correctness
Capability to express modular specifications using schema operators incomparison with B
Only high-school math needed to read Z
Decreases development time
In Model based Specification, system state is not hidden like it is inalgebraic specification
State changes are straight forward to define
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 38 / 40
![Page 91: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/91.jpg)
Conclusion
Z is a general purpose specification language
VDM and Z are the most widely used model-based specificationlanguages
Z may be used to produce readable specifications and has beendesigned to be read by humans rather than computers.
Large specifications are manageable in Z
Z can be used to specify a more special purpose language whichmaybe designed to handle concurrency.
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 39 / 40
![Page 92: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/92.jpg)
References
Dines Bjorner, Martin Henson, Logics of Specification Languages
J. B. Wordsworth, Software Development with Z
Ehsan M.Kazemi (McMaster) Z Language, Z Logic and Its Applications April 8th, 2011 40 / 40
![Page 93: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/93.jpg)
Abstract State Machine
Morteza Yousef Sanati
McMaster University
March 8, 2011
Morteza Yousef Sanati (2011) Abstract State Machine March 8, 2011 1 / 27
![Page 94: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/94.jpg)
1 ASM Basic Idea and the Definition
2 Some Concepts
3 Example: Set Extension
4 Sequential Small-Step ASM Programs
5 Extensions
6 ASM Verification and Validation
7 ASM Advantages
8 ASM vs Others
9 Applications
10 Tools
11 Conclusion
Morteza Yousef Sanati (2011) Abstract State Machine March 8, 2011 2 / 27
![Page 95: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/95.jpg)
ASM Basic Idea and the Definition
ASM is a technique for describing algorithms or, in general, discretesystems. In the basic form ASM is a set of conditional statements.
ASM can be considered as a formal basis for pseudocode.
Conventional computation concentrates on the transformation ofsymbols, not dwelling too deeply on what they stand for.
Morteza Yousef Sanati (2011) Abstract State Machine March 8, 2011 3 / 27
![Page 96: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/96.jpg)
Some Important Concepts
Σ-SignitureΣ = (f1, ..., fl , a1, ..., al)
Type ≡ set of arities of functions(n1, ..., nn)
Ground Term ≡ Closed Formula
Σ-StructureS = (U, φ1, ..., φn)
Homomorphism and Isomorphismh : R → S
h(ψi (u1, ..., uni )) = φi (h(u1), ..., h(uni ))
A Point
Basic version of ASM have no variables.
Morteza Yousef Sanati (2011) Abstract State Machine March 8, 2011 4 / 27
![Page 97: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/97.jpg)
Example: Set Extension
Formal Definition of Problem
Augment is a binary function to extend a set by an item:Augment(M,m) =def M ∪ {m}
P: beginX = +(X , x)X = +(X , y)
end.P has finite set Σ = < {X , x , y ,+}, {(X , 0), (x , 0), (y , 0), (+, 2)} >S =< dom(S),X S = M, xS = m, yS = n,+S = Augment >
S′
=< dom(S′),X S
′= M ∪ {m, n}, xS
′= m, yS
′= n,+S
′=
Augment >
Morteza Yousef Sanati (2011) Abstract State Machine March 8, 2011 5 / 27
![Page 98: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/98.jpg)
Sequential Small-Step ASM Programs
Simple Assignment Statements
Sf :=t−−−→ S
′
fS ′ = tS
Example
Σ = (c , f , 0, 1)S = (N, 0, suc)
Sc:=f (c)−−−−−→ S
′
cS = 0, fS = suc → cS ′ = 1, fS ′ = suc
Morteza Yousef Sanati (2011) Abstract State Machine March 8, 2011 6 / 27
![Page 99: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/99.jpg)
Sequential Small-Step ASM Programs
Updates of Functions
Sf (t1,...,tn):=t−−−−−−−−→ S
′
fS ′ (t1, ..., tn) = tSfS ′ (u1, ..., un) = fS(u1, ..., un)
(u1, ..., un) 6= (t1, ..., tn)⇒ ∀(g ∈ Σ|g 6= f : gS ′ = gS)
Example
Sf (c):=c−−−−−→ S
′
cS = 0⇒ fS ′ (0) = fS ′ (cS) = 0 ∧ fS = 0 + 1 = 1∀i ≥ 1, fS ′ (i) = fS(i) = suc(i) = i + 1
Morteza Yousef Sanati (2011) Abstract State Machine March 8, 2011 7 / 27
![Page 100: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/100.jpg)
Sequential Small-Step ASM Programs
Assignment Consistencyf (t1, ..., fn) := t and f (u1, ..., un) := u are consistent at a state S:(u1S , ..., unS) 6= (t1S , ..., tnS)⇒ tS = uS
Generally, a set Z of assignment statements is consistent at a state Sif the elements of Z are pairwise consistent at S.
Morteza Yousef Sanati (2011) Abstract State Machine March 8, 2011 8 / 27
![Page 101: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/101.jpg)
Sequential Small-Step ASM Programs
Formal Definition of AssignmentZ is set of Assignments i.e. have f (t1, ..., tn) := tu = (t1S , ..., tnS)v = tS
Assignment
fS ′ (u) =
{v if Z at S updates fS(u) by v
fS(u) Otherwise
Morteza Yousef Sanati (2011) Abstract State Machine March 8, 2011 9 / 27
![Page 102: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/102.jpg)
Sequential Small-Step ASM Programs
Guards and Conditional Assignment Statements
if α then r∀t, u ∈ Σ, t = u is a guard over Σ andif α and β are guards over Σ, so are α ∧ β and ¬αTrue and False have been definedαS ∈ {True,False}r is f (t1, ..., tn) := t and f ∈ Σ and t1, .., tn, t ∈ TΣ
Morteza Yousef Sanati (2011) Abstract State Machine March 8, 2011 10 / 27
![Page 103: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/103.jpg)
Sequential Small-Step ASM Programs and Sematics
A sequential small-step ASM program P over a signature Σ is a set ofconditional assignment statements over Σ
Formal Definition
For each Σ− structure S , the program P defines a successor structure S′,
usually written P(S), by a step
SP−→ S
′
To Define S′, let Z =def { r | ”if α then r” and αS = True}
Morteza Yousef Sanati (2011) Abstract State Machine March 8, 2011 11 / 27
![Page 104: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/104.jpg)
Sequential Small-Step ASM Programs
Some Definitions
Static Constants and Functions
Never updated.As program Input
Constant Symbols as ”Program Variables ”
Non-static constantsUpdated at Initial State
Output Variables
Never on right hand side of assignment.
Morteza Yousef Sanati (2011) Abstract State Machine March 8, 2011 12 / 27
![Page 105: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/105.jpg)
Sequential Large-Step ASM Algorithms
An Example: Node Reachability in a Graph
∀(x , y |(x , y) ∈ E ∧ R(x) ∧ ¬R(y) : extend R by y)
The amount of work executed in one step is unbounded.
Small-Step does not have quantifier
Morteza Yousef Sanati (2011) Abstract State Machine March 8, 2011 13 / 27
![Page 106: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/106.jpg)
Sequential Large-Step ASM Algorithms
Quantified Varibales
Node Reachability in a Graph with Large-Step
∀(x , y |(x , y) ∈ E ∧ R(x) ∧ ¬R(y) : R(y) := True)
Large-Step ASM
An algorithm is large-step not only if the amount of change fails to bebounded. A step is also large if the number of items involved isbounded.
Morteza Yousef Sanati (2011) Abstract State Machine March 8, 2011 14 / 27
![Page 107: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/107.jpg)
Non-deterministic Semantics
In a state where more than one assignment statement’s guard isevaluated as true, one may select one or a subset of them forexecution.
The Operator ”choose ”.
Example: Choose Operator
choose i,j in I with i< j and a[i]>a[j]do in-parallel
a[i]:=a[j]a[j]:=a[i]
Morteza Yousef Sanati (2011) Abstract State Machine March 8, 2011 15 / 27
![Page 108: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/108.jpg)
Distributed ASM Programs
A distributed ASM is just a non-empty, finite set of ASM programs,all over the same signature Σ.
The programs are called components of the distributed ASM, andevery Σ− structure forms a state of the distributed ASM.
The components may be executed concurrently if they involve storeswith separate locations.
Morteza Yousef Sanati (2011) Abstract State Machine March 8, 2011 16 / 27
![Page 109: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/109.jpg)
Some Other Extensions
Turbo ASMAtomicity of steps
Reactive ASMEnvironment updates constant or function
Hybrid ASM
Table ASM
Dynamic Systems
Large Typed ASM
Message-Passing Interacting ASM
Morteza Yousef Sanati (2011) Abstract State Machine March 8, 2011 17 / 27
![Page 110: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/110.jpg)
ASM Verification and Validation
Code reviews
Using domain’s terms to describe system.Domain experts don’t have to be expert programmersMinimum the notational overhead in order to make easier analysis
Various forms of testing
Variety of tools available for such purposes (e.g. AsmL, XASM)Ability to test at almost any point in the development process
Formal proof
By hand in some situationsBy Theorem prover or Model checker
Morteza Yousef Sanati (2011) Abstract State Machine March 8, 2011 18 / 27
![Page 111: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/111.jpg)
ASM Advantages
Precision
Use classical mathematical structures
Scalability (layers of abstraction)
Proving properties about systems also can be made easier
Generality
Wide variety of domains: sequential, parallel, and distributed systems
Faithfulness
Domain’s terms and conceptsMinimum of notational coding
Morteza Yousef Sanati (2011) Abstract State Machine March 8, 2011 19 / 27
![Page 112: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/112.jpg)
ASM Advantages Cont.
Understandability
ASM programs use an extremely simple syntaxReadable even by novices as a form of pseudocode
Executability
Execute the specification directlyAllows one to test for errors in the specification
Morteza Yousef Sanati (2011) Abstract State Machine March 8, 2011 20 / 27
![Page 113: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/113.jpg)
ASM Vs. VDM, Z
Executability
Methods such as VDM, Z, or process algebras are not directlyexecutable.
Faithfulness
Use of the terms and concepts of the problem domain immediately,with a minimum of notational coding.
Morteza Yousef Sanati (2011) Abstract State Machine March 8, 2011 21 / 27
![Page 114: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/114.jpg)
What are ASMs good for?
Any situation where you need a precise, non-ambiguous way tospecify a computer system, either software or hardware.
Program managers, developers, and testers can all use an ASMtool(e.g. AsmL) specification to achieve a single, unifiedunderstanding.
Can execute it!
You wish you could have played with your design before coding.
By exploring your design, you can answer the following questions:Does it do everything you intended it to? How do the featuresinteract? Are there any unintended behaviors?
Morteza Yousef Sanati (2011) Abstract State Machine March 8, 2011 22 / 27
![Page 115: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/115.jpg)
Applications
UML> Statechart and Activity Diagrams
Java> Bytecode Verification
Compiler Correctness> Test Suite Generation
Security> Abstract Encryption
Real-Time Systems> Group Membership Protocol
Software Engineering> Runtime Verification of .NET
Distributed Systems> Grid Computing
...
Morteza Yousef Sanati (2011) Abstract State Machine March 8, 2011 23 / 27
![Page 116: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/116.jpg)
Tools
AsmL: The Abstract State Machine LanguageAsmL is an advanced ASM-based language taking advantage of the .NET
runtime. It is an executable specification language based on the theory of
Abstract State Machines, developed originally by Yuri Gurevich. AsmL
supports classes and interfaces in the same way as C# or Java do. In fact all
.NET structuring mechanisms are supported: enumerations, delegates,
methods, events, properties and exceptions. As AsmL is primarily a
specification language, it naturally support structures and features, like sets,
sequences, maps, pattern matching, bounded quantification, and set
comprehension.
CoreASMThe CoreASM project focuses on the design of a lean executable ASM
(Abstract State Machines) language, in combination with a supporting tool
environment for high-level design, experimental validation and formal
verification of abstract system models. This tool can be installed as a plugin
for Eclipse IDE.
Morteza Yousef Sanati (2011) Abstract State Machine March 8, 2011 24 / 27
![Page 117: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/117.jpg)
Tools
XASM: The Open Source ASM LanguageXasm is an implementation of sequential ASMs focusing on the generation
of efficient executable programs simulating the run of the specified ASM.
Time ASM ToolsetThe Timed Abstract State Machine (TASM) toolset is a graphical
integrated development environment for real-time system engineering. The
toolset implements the features of the TASM language. The non-functional
properties that can be specified in TASM are time and resource
consumption. The toolset provides facilities to write, edit, simulate, and
analyze TASM specification. The simulation of specifications can be
achieved in a step-by-step fashion, with graphical depictions of time and
resource consumption.
Morteza Yousef Sanati (2011) Abstract State Machine March 8, 2011 25 / 27
![Page 118: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/118.jpg)
Tools
ASM WorkbenckThe ASM Workbench provides a framework for the systematic development
of ASM tools. It is based on a specification language called ASM-SL (ASM
based Specification Language), which includes a typed version of the
language of Abstract State Machines.
Michigan Interpreter
ASM Gofer
AsmM: Abstract State Machine Meta model
ATGT: ASM Tests Generation Tool
Morteza Yousef Sanati (2011) Abstract State Machine March 8, 2011 26 / 27
![Page 119: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/119.jpg)
Conclusion
The ASM method offers no fool-proof button-pushing, completelymechanical design and verification procedure, but it directly supportsthe concepts like ”building models for change”, stepwise detailingthem to compilable code and maintaining models and code in acost-effective and reliable way.
Morteza Yousef Sanati (2011) Abstract State Machine March 8, 2011 27 / 27
![Page 120: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/120.jpg)
CafeOBJ Logic
Jamil Ahmed Khan
![Page 121: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/121.jpg)
Outline
IntroductionBasic Specifcation Module declaration Signatures AxiomsReductionTransitionsBehavioural SpecifcationConclusion
![Page 122: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/122.jpg)
Introduction
-CafeOBJ is developed under the direction of Prof. Kokichi Futatsugi
- Developed in Japan in Japan Advanced Inst of Science and Technology (JAIST)
-CafeOBJ is mainly for system specification, formal verification of specifications, rapid prototyping, and even programming
-CafeOBJ is a modern successor of OBJ.
![Page 123: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/123.jpg)
Equational Specification - Equational specification and programming is inherited from OBJ
- It constitutes the basis of the language
- CafeOBJ is executable (by term rewriting).
Introduction
![Page 124: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/124.jpg)
Behavioural Specification
-Provides a generalization of ordinary algebraic specification.
-It characterizes how objects (and systems) behave, not how they are implemented
- Achieved by using specification with hidden sorts and a behavioural concept of satisfaction.
-Is reflected at the execution level by the concept of behavioural rewriting
Introduction
![Page 125: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/125.jpg)
Behavioural Specification
CafeOBJ directly supports behavioural specification and its proof theory through special language constructs, such as
-hidden sorts (for states of systems),
-behavioural operations (for direct “actions” and “observations” on states of systems),
-behavioural coherence declarations for non-behavioural operations
-behavioural axioms (stating behavioural satisfaction).
The main behavioural proof method is based on coinduction principle.
Introduction
![Page 126: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/126.jpg)
Preorder Algebra
-The logic of CafeOBJ transition is called Preorder algebra.
-Provides proof support for reasoning about the existence of transitions between states
-A preordered algebra is a set P together with a preorder “⊑” on P and a collection of operations on P (e.g. o) which are compatible with the preorder
-For all p, q ∈P, if p ⊑q, then o(p) ⊑o(q) (preorder-preserving)orFor all p, q ∈P, if p ⊑q, then o(q) ⊑o(p) (preorder-reversing)
Introduction
![Page 127: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/127.jpg)
Hidden Algebra
-Hidden Algebra is designed to handle changeable "abstract machines"
-The hidden algebra approach takes as basic the notion of behavioural abstraction.
-Hidden algebra uses sorts in two distinct ways:
• visible sorts are used for data values• hidden sorts are used for states.
Introduction
![Page 128: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/128.jpg)
Order-sorted Algebra
-Allows subtypes
-The main concept is all items of one sort are necessarily also items of some other sort
Example: Every natural number is an integer and every integer is a rational: Natural ≤ Integer ≤ Rational
Introduction
![Page 129: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/129.jpg)
CafeOBJ Cube
Introduction
![Page 130: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/130.jpg)
Basic Specification
mod!SIMPLE-NAT { [ Nat ]
op 0 : -> Natop s_ : Nat -> Natop _+_ : Nat Nat -> Natvars M N : Nateq N + (s M) = s(N + M) .eq N + 0 = N .
}
Signature
Axiom
Module Declaration
Basic Specification
![Page 131: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/131.jpg)
Module Declaration
mod <module_name> {<module_element> * }-A module name is an arbitrary character string.
-A module element is either
(1) import declaration
(2) sort declaration (with ordering)
(3) operator declaration
(4) record declaration
(5) variable declaration
(6) equation declaration
(7) transition declaration
Basic Specification
![Page 132: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/132.jpg)
Signatures
-The operation name
-Position of the argument defined by '_'
-The arity of the operation, which is a string of (declared) sorts. an empty string (as in the case of 0); such operations
are called constants only one sort (such as “Nat” in the case of s ), several sorts (such as “Nat Nat” in the case of + );
*Sorts may also be different.
-The sort of the operation, which is a declared sort.
Basic Specification
![Page 133: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/133.jpg)
Operator Declaration
op <operator_symbol> : <list_of_sort_names>-> <sort_name>
op _+_ : Nat Nat -> Nat
ops (_+_) (_*_) : Nat Nat -> Nat
which means the same as
op _+_ : Nat Nat -> Nat
op _*_ : Nat Nat -> Nat
Operator overloading
op _+_ : Nat Nat -> Nat
op _+_ : NzNat Nat -> NzNat
Basic Specification
![Page 134: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/134.jpg)
Behavioural Operator Declaration
bop <operator_symbol> : <list_of_sort_names>-> <sort_name>*[ Account ]*
bop deposit : Account Nat -> Account bop withdraw : Account Nat -> Account bop balance : Account -> Nat
The arity of behavioural operator contain at least one hidden sort.
Predicate Declaration
pred <operator_symbol> : <list_of_sort_names>pred _<_ : Nat Nat
has the same meaning as op _<_ : Nat Nat -> Bool
Basic Specification
![Page 135: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/135.jpg)
Variable Declaration
var<variable_name> : <sort_name> vars<list_of_variable_names> : <sort_name>
-var N : Nat-vars A B C : Nat
Basic Specification
![Page 136: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/136.jpg)
Equation Declaration
Unconditional:
eq[ <label> ] <term> = <term> .
Var X : Nateq X + 0 = X .
Conditional:
ceq[ <label> ] <term> = <term> if <boolean_term> .
op max : Nat Nat -> Natceq max(M:Nat, N:Nat) = M if (M > N) or (M == N).
Basic Specification
![Page 137: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/137.jpg)
Behavioural Equation Declaration
beq [label ] term “=” term “.”bceq [label ] term “=” term if boolean term “.”
Transition Declarationtrans [ <label>] <term> => <term> . ctrans [<label> ] <term> => <term> if <boolean_term> .
module CHOICE {[ State ] ops a b : -> State op _|_ : State State -> State vars X Y : State
trans X | Y => X . trans X | Y => Y . }
Basic Specification
![Page 138: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/138.jpg)
Equational Inference and Reduction
mod* GROUP {[ G ]op 0 : -> Gop + : G G -> G {assoc}op - : G -> GVar X : Geq 0 + X = X .eq (-X) + X = 0 .
}
In CafeOBJ reduction is done by rewriting of equations.
Reduction
![Page 139: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/139.jpg)
Equational Inference and Reduction
GROUP> reduce (--a) + (-a) + a + (-a) .
gives the result 0 : G after three rewriting.
This reduction process can be visualized as follows:
(−−a) + (−a) + a + (−a)├ (−−a) + 0 + (−a) First rewrite, 2nd Axiom(−−a) + 0 + (−a)├ (−−a) + (−a) Second rewrite, 1st Axiom(−−a) + (−a)├ 0 Third rewrite, 2nd Axiom
A term can be at most rewritten to its normal form.
Reduction
mod* GROUP { [ G ] op 0 : -> G op + : G G -> G {assoc} op - : G -> G
var X : G eq 0 + X = X . eq (-X) + X = 0 .}
![Page 140: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/140.jpg)
Transitions
Algorithm Specification
Rewriting rules can be used to specify algorithms by showing transitions between various states of the algorithm.
A crude version of bubble sort algorithm specification.
mod! SORTING-NAT {protecting(STRG-NAT)vars N N' : Natctrans (N . N') => (N' . N) if N' < N .
}
Transition
![Page 141: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/141.jpg)
Transitions
Algorithm Verification
All reasoning about algorithm properties is done as the usual datatypereasoning.
s ==> s’ if and only if there exists at least one transition betweenthe state s and the state s’
SORTING-NAT> red (2 . 3 . 1) ==> (1 . 2 . 3) .gives true, while,SORTING-NAT> red (2 . 2 . 1) ==> (1 . 2 . 3) .gives false.
Transition
![Page 142: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/142.jpg)
Behavioural Specification
Sorts (types):• hidden , for the states of abstract machines (or objects), and• visible , for (ordinary) data types.
-Equality relation between “visible” (data type) elements is strict equality
-Equality between “hidden” elements is the (loose) behavioural (observational) equality.
-“Observations” are made via successive applications of behavioural operations ending with a visible sort.
Behavioural Specificaton
![Page 143: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/143.jpg)
Specification of Bank Account
mod* ACCOUNT {protecting(INT)*[ Account ]*op init : -> Accountbop balance : Account -> Natbop deposit : Account Nat -> Accountbop withdraw : Account Nat -> Accountvar N : Natvar A : Accounteq balance(init) = 0 .eq balance(A deposit N) = balance(A) + N .cq balance(A withdraw N) = balance(A) -N if N <= balance(A) .cq balance(A withdraw N) = balance(A) if balance(A) < N .
}-Behavioural operations are required to have at least one hidden sort in
their arity. -Behavioural modules usually have loose denotations.
Hidden Sort
Behavioural Specificaton
![Page 144: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/144.jpg)
ACCOUNT : Model 1
eq init = 0
Here function minus is specified asop minus : Nat Nat -> Natcq minus(M:Nat,N:Nat) = M - N if N <= M .cq minus(M:Nat,N:Nat) = M if M < N .
Behavioural Specificaton
![Page 145: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/145.jpg)
ACCOUNT : Model 2
Here, p1 is the projection on the first component,eq init = < 0, 0 >
and the specification of d and w are as follows:op d : NatxNat Nat -> NatxNat .
op w : NatxNat Nat -> NatxNat .eq d(< N1:Nat, N2:Nat >, M:Nat) = < M + N1, N2 + 1 > .cq w(< N1:Nat, N2:Nat >, M:Nat) = < N1 - M, N2 + 1 > if M <= N1 .cq w(< N1:Nat, N2:Nat >, M:Nat) = < N1, N2 + 1 > if N1 < M .
Behavioural Specificaton
![Page 146: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/146.jpg)
Behavioural Equivalence
In the case of the states of an abstract machine, the meaningful equality is behavioural equality , denoted ∼ .
-Two states s and s'� (of the same hidden sort) are behaviourally equal (equivalent ) if and only if c (s ) = c (s' ) for all visible sorted behavioural contexts c .
-(a deposit 10 withdraw 5) ∼(a deposit 5)
Behavioural proof (Coinduction Principle)
-Define an equivalence relation R for each hidden sort.
-Prove that R is a hidden congruence.
-Prove that sRs' for the states s and s' which have to be proved behaviourally equivalent.
Behavioural Specificaton
![Page 147: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/147.jpg)
1. Definition of an equivalence relation _ R _
open ACCOUNT .pred _R_ : Account Account .
eq (A1:Account R A2:Account) = (balance(A1) == balance(A2)) .
2. Proof that _R_ is a hidden congruenceops a a’ : -> Account .ops n n’ : -> Nat .
Our hypothesis eq balance(a) = balance(a’) .
The preservation of _R_ by deposit,red (a deposit n) R (a’ deposit n) . gives true.
The preservation of _R_ by withdraw Case-1:case n <= balance(a):eq n <= balance(a) = true .eq n <= balance(a’) = true .red (a withdraw n) R (a’ withdraw n) . gives true.Case-2:.case balance(a) < n’:eq balance(a) < n’ = true .eq balance(a’) < n’ = true .red (a withdraw n’) R (a’ withdraw n’) . also gives true.
3. Proof of s R s'red (a deposit 10 withdraw 5) R (a deposit 5) .which gives true.
Prove: (a deposit 10 withdraw 5) ∼(a deposit 5)
Behavioural Specificaton
![Page 148: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/148.jpg)
Behavioural Coherence
-a ∼ a'� if and only if balance( a) = balance( a�)For all states a and a' of the object.
(a deposit n) ∼ (a'� deposit n) if a ∼ a'�and
(a withdraw n) ∼ (a'� withdraw n) if a ∼ a'�
Define deposit and withdraw as ordinary operation.
The signature of account object can be: *[ Account ]*op init : -> Accountbop balance : Account -> Natop _deposit_ : Account Nat -> Account { coherent }op _withdraw_ : Account Nat -> Account { coherent }
Behavioural Specificaton
![Page 149: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/149.jpg)
mod* BLIST { [ Elt ]
op err : -> ?Elt*[ List ]*op nil : -> Listbop cons : Elt List -> Listbop car : List -> ?Eltbop cdr : List -> Listvar E : Eltvar L : Listeq car(nil) = err .eq car(cons(E, L)) = E .beq cdr(nil) = nil .beq cdr(cons(E, L)) = L .
}
mod* BSET (X :: TRIV) { *[ Set ]*
op empty : -> Setop : Elt Set -> Set { coherent }
op U : Set Set -> Set { coherent } op & : Set Set -> Set { coherent } op - : Set Set -> Set { coherent } bop in : Elt Set -> Bool
vars E E’ : Eltvars S S1 S2 : Seteq E in empty = false .eq E in (E’ S) = (E == E’) or (E in S) .eq E in (S1 U S2) = (E in S1) or (E in S2) .eq E in (S1 & S2) = (E in S1) and (E in S2) eq E in (S1 - S2) = (E in S1) and not (E in
S2) .}
Behavioural Refinement
Behavioural Specificaton
![Page 150: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/150.jpg)
In our example, the behavioural sets are the “abstract” object and the behavioural lists are the “refined” object.
- extend BLIST with refinements of all operations of BSET
Refinement of behavioural sets to behavioural lists:• Hidden sort Set to the hidden sort List• Hidden constructor _ _ to the hidden constructor cons• The membership observation (E in L) to the derived observation (E ==car(L)) or-else (car(L) =/= err) and-also (E in cdr(L)) .
Behavioural Specificaton
![Page 151: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/151.jpg)
Proof of Refinement
To prove that BLIST’ refines BASIC-BSET, we have only to show that the equations
eq E in empty = false .eq E in (E’ S) = (E == E’) or (E in S) . are actually consequences of BLIST’:
open LIST’ .ops e e1 e2 : -> Elt .op l : -> List .
-For the first equation, we have the following proof score:red (e in nil) == false .which gives true. -For the second equation, the basic cases are as follows:eq e1 in l = true .eq e2 in l = false .
The proof score by case analysis is as follows:red e1 in cons(e,l) == true .red e2 in cons(e,l) == false .red e in cons(e,l) == true .All these proof scores evaluate to true.close
![Page 152: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/152.jpg)
Thank You
![Page 153: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/153.jpg)
Formal Specification Techniques
CASL
Common Algebraic Specification Language
Presented by : Prem Ramanujam
![Page 154: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/154.jpg)
• CASL has been designed as a general-purpose algebraic specification language,
subsuming many existing languages.
• CASL is at the center of a family of languages.
![Page 155: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/155.jpg)
• 1. Basic specifications provide the means to write specifications in a particular
institution, and provide a proof calculus for reasoning within such unstructured
specifications.
• 2. Structured specifications express how more complex specifications are built
from simpler ones . The semantics and proof calculus are given in a way that is
parameterized over the particular institution and proof calculus for basic
specifications.
![Page 156: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/156.jpg)
• basic specifications: declarations, definitions, axioms
• structured specifications: translations, reductions, unions, extensions, freeness,
named specifications, generic specifications, views
• architectural specifications: implementation units, composition
• specification libraries: local, distributed
![Page 157: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/157.jpg)
Basic Specification
• The semantics of a basic specification is a signature and a
class of models.
• CASL specifications may declare
Sorts
Subsorts
operations
predicates
![Page 158: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/158.jpg)
Sorts
• A sort is a symbol which is interpreted as a set, called a carrier set
• The Elements of carrier sets are abstract representations of data: numbers, characters,
lists, trees, etc.
• A sort is approx. a type in a programming language
• CASL allows compound sort symbols, i.e. List[Int]
![Page 159: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/159.jpg)
Subsorts
• Subsort declarations are interpreted as embeddings
• Set inclusion would be sufficient for, e.g. Nat < Int
• Embedding is necessary for, e.g. Char < String (Char and String are disjoint)
• An embedding is a 1-1 function
![Page 160: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/160.jpg)
Operations
• Operations may be declared as total or partial
• An operation symbol consists of its name together with its profile
• Profile: number and sort of arguments, and result sort
• An operations is interpreted as a total or a partial function from the Cartesian product
of the carrier sets of the arguments to the carrier set of the result sort
• The result of applying an operation is undefined if any of the arguments is undefined
• Constant: operation with no arguments, interpreted as an element of the carrier set of
the result sort
![Page 161: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/161.jpg)
Predicates
• A predicate symbol consists of a name and its profile
• Profile: number and sorts of the arguments, but no result sort
• Predicates are different from Boolean valued operations!!!
• Predicates are used to form atomic formulas, rather than terms
• A predicate symbol is interpreted as a relation on (i.e., a subset of) the Cartesian
product of the carrier sets of the argument sorts
• Predicates are never undefined, they just do not hold if any of the arguments is
undefined (two valued logic)
• For Boolean valued operations: three valued logic (true, false, undefined)
![Page 162: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/162.jpg)
Atomic Formulas
• predicate applications
• equations (strong or existential)
• existential: both sides are defined and equal
• Strong: hold as well, if both sides are undefined
• defines assertions
• Subsort membership assertions
![Page 163: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/163.jpg)
Axioms
• Axioms are formulas of first-order logic
• Logical connectors have usual interpretation
• Quantification: universal, existential, unique existential
• Interpretation of quantification: completely standard!
• Variables in formulas range over the carrier sets of specified sorts
• An axiom either holds or does not hold in a particular model: there is no “maybe” or
undefined about holding (regardless of whether the values of terms occurring in the
axioms are defined)
![Page 164: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/164.jpg)
Semantic Concepts
The essential semantic concepts for basic specifications are well-known: signatures
(of declared symbols), models (interpreting the declared symbols), and sentences
(asserting properties of the interpretation), with a satisfaction relation between models
and sets of sentences. Defining these (together with some categorical structure, and
such that translation of symbols preserves satisfaction) provides a so-called institution.
A well-formed basic specification in Casl determines a signature and a set of sentences,
and hence the class of all models over that signature which satisfy all the sentences.
![Page 165: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/165.jpg)
Institution
• A specification formalism is usually based on some notion of signature, model,
sentence and satisfaction.
• The theory of institutions assumes nothing about signatures except that they form a
class and that there are signature morphisms, which can be composed in some way.
• This amounts to stating that signatures form a category.
![Page 166: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/166.jpg)
The CASL logic (institution)
• Signatures: a signature provides the vocabulary
• Signature morphisms: for extending and renaming
signatures
• Models: interpret the vocabulary of a signature with
mathematical objects (sets, functions, relations)
• Sentences (formulae): for axiomatizing models denote true
or false in a given model.
• Terms: parts of sentences, denote data values
• Satisfaction of sentences in models
![Page 167: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/167.jpg)
![Page 168: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/168.jpg)
![Page 169: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/169.jpg)
CASL many-sorted signatures
![Page 170: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/170.jpg)
CASL many-sorted models
![Page 171: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/171.jpg)
CASL formulae
![Page 172: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/172.jpg)
Satisfaction of atomic formulae
![Page 173: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/173.jpg)
Satisfaction of compound formulae
![Page 174: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/174.jpg)
Satisfaction of closed formulae
![Page 175: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/175.jpg)
![Page 176: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/176.jpg)
Language Construct
![Page 177: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/177.jpg)
CASL syntax for declarations and axioms involves familiar
notation, and is mostly self-explanatory.
![Page 178: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/178.jpg)
Specifications can easily be extended by new declarations and
axioms.
![Page 179: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/179.jpg)
In simple cases, an operation (or a predicate) symbol may be declared and its
intended interpretation defined at the same time.
![Page 180: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/180.jpg)
![Page 181: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/181.jpg)
Symbols may be conveniently displayed as usual mathematical symbols by
means of %display annotations.
![Page 182: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/182.jpg)
The %implies annotation is used to indicate that some axioms are supposedly
redundant, being consequences of others.
![Page 183: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/183.jpg)
Attributes may be used to abbreviate axioms for associativity, commutativity,
idempotence, and unit properties.
![Page 184: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/184.jpg)
Genericity of specifications can be made explicit using parameters.
![Page 185: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/185.jpg)
Datatype declarations may be used to abbreviate declarations of sorts and
constructors.
![Page 186: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/186.jpg)
Loose datatype declarations are appropriate when further constructors may be
added in extensions.
![Page 187: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/187.jpg)
Sorts may be specified as generated by their constructors.
![Page 188: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/188.jpg)
Generated specifications are in general loose.
![Page 189: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/189.jpg)
Free datatype declarations are particularly convenient for defining enumerated
datatypes.
![Page 190: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/190.jpg)
Partial functions are declared differently from total functions.
• Terms containing partial functions may be undefined, i.e., they may fail to denote any value.
• Functions, even total ones, propagate undefinedness.
• Predicates do not hold on undefined arguments.
• Equations hold when both terms are undefined.
• Special care is needed in specifications involving partial functions.
![Page 191: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/191.jpg)
Domains of definition can be specified more or less explicitly.
![Page 192: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/192.jpg)
Loosely specified domains of definition may be useful.
![Page 193: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/193.jpg)
Subsorted Basic Specifications
![Page 194: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/194.jpg)
Subsorted Signature
![Page 195: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/195.jpg)
Models
![Page 196: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/196.jpg)
Sentences
![Page 197: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/197.jpg)
Satisfaction
![Page 198: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/198.jpg)
Translation from subsorted to many-sorted signatures
![Page 199: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/199.jpg)
Subsort declarations directly express relationships between carrier sets.
![Page 200: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/200.jpg)
Operations declared on a sort are automatically inherited by its subsorts.
![Page 201: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/201.jpg)
Subsort membership can be checked or asserted.
![Page 202: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/202.jpg)
Datatype declarations can involve subsort declarations.
![Page 203: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/203.jpg)
CASL Structured Specifications
![Page 204: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/204.jpg)
![Page 205: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/205.jpg)
![Page 206: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/206.jpg)
![Page 207: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/207.jpg)
Named and Parameterized Specifications and Views
Structured specifications may be named, so that a reuse of a specification may be
replaced by a reference to it through its name. A named specification may declare some
parameters, the union of which is extended by a body; it is then called generic. This is
written as spec SpName[ParSp] = BodySp, where BodySp is an extension of ParSp.
A reference to a generic specification should instantiate it by providing, for each
parameter, an argument specification together with a fitting morphisms from the
parameter to the argument specification.
![Page 208: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/208.jpg)
Union and extension can be used to structure specifications.
![Page 209: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/209.jpg)
Renaming may be used to avoid unintended name clashes, or to adjust names of sorts and change
notations for operations and predicates
![Page 210: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/210.jpg)
Auxiliary symbols used in structured specifications can be hidden.
![Page 211: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/211.jpg)
Parameters and Instantiation
• There must be no shared symbols between the argument specification and the body
of the instantiated generic
spec spec This_Is_Wrong = Generic_Monoid [Monoid] end
• The intended fitting of the parameter symbols to the argument symbols may have to
be specified explicitely.
spec Nat_Word_2 = Generic_Monoid [Natural_Subsorts fit Elem |-> Nat]
end
![Page 212: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/212.jpg)
Architectural Specifications
![Page 213: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/213.jpg)
• Architectural specifications in Casl provide a means for stating how implementation
units are used as building blocks for larger components.
• Units are represented as names with which a specification is associated.
• Units may be parameterized, whereby specifications are associated with both the
parameters and the result.
• The result specification is required to extend the parameter specifications.
• A parameterized unit is to be understood as a function which, given models of the
parameter specifications, outputs a model of the result specification; this function is
required to be persistent in the sense that reducing the result to the parameter
signatures reproduces the parameters.
• Units can be assembled via unit expressions, which may contain operations such as
renaming or hiding of symbols, amalgamation of units, and application of a
parameterized unit.
• for example, by renaming them to the same symbol or by amalgamating units that
have symbols in common, are also interpreted in the same way in all “collective”
models of the units defined so far.
• An architectural specification consists of declarations and/or definitions of a number
of units, together with a way of assembling them to yield a result unit.
![Page 214: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/214.jpg)
![Page 215: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/215.jpg)
The semantics of architectural specifications introduced above is split into static and model
semantics, in very much the same way as was done for structured specifications.
Unit terms are statically elaborated in a static context Cst = (Pst ,Bst ),where Pst maps
parameterized unit names to signature morphisms and Bst maps non-parametrized unit names
to their signatures.
We require the domains of Pst and Bst to be disjoint. The empty static context that consists of
two empty maps will be written as C∅ st .
Given an initial static context, the static semantics for unit declarations produces a static
context by adding the signature for a newly introduced unit, and the static semantics for unit
terms determines the signature for the resulting unit.
In terms of the model semantics, a (non-parametrized) unit M over a signature Σ is just a
model M ∈ Mod(Σ). A parameterized unit F over a parametrized unit signature τ : Σ1 → Σ2 is
a persistent partial function F : Mod(Σ1) Mod(Σ2) (i.e. F(M) τ = M for each M ∈ Dom(F)).
![Page 216: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/216.jpg)
Architectural Models: An architectural
specification denotes a class of architectural
models which consist of:
a collection of named units, together with
the unit resulting from a particular composition
of those units.
As mentioned above, units are either Casl
models, or functions from Casl models to Casl
models. The unit functions are always persistent,
so that the results extend the unmodified
arguments When unit functions have more than
one argument, the arguments must be compatible,
in particular implementing any common symbols
in exactly the same way this follows immediately
from the requirement that a function should
extend each argument separately.
![Page 217: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/217.jpg)
Verification
• The basic idea behind verification for architectural specifications is that we want to extend the static information about
units to capture their properties by an additional specification.
• However, we must also take into account sharing between various unit components, resulting from inheritance of some
parts of units via, for instance, parameterized unit applications.
• To capture this, we accumulate information about non-parameterized units into a single global signature ΣG, and
represent non-parameterized unit signatures as morphisms into this global signature, assigning them to unit names by a
map Bv .
• The additional information resulting from the unit specifications is then accumulated into a single global specification
SPG over this signature (i.e. we always have
• Finally, of course, we store the entire specification for each parameterized unit, assigning these specifications to
parameterized unit names by a map Pv . This results in the concept of a verification context Cv = (Pv ,Bv , SPG).
![Page 218: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/218.jpg)
![Page 219: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/219.jpg)
![Page 220: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/220.jpg)
![Page 221: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/221.jpg)
Refinement The standard development paradigm of algebraic specification postulates that formal software
development begins with a formal requirement specification (extracted from a software project’s
informal requirements) that fixes only some expected properties but, ideally, says nothing about
implementation issues; this is to be followed by a number of refinement steps that fix more and
more details of the design, so that one finally arrives at what is often termed the design
specification. The last refinement step then results in an actual implementation in a programming
language.
which expresses that the model class of Sp3 is included in that of Sp2, which is in turn included in the
model class of Sp1. On the other hand, it is possible to refine structured specifications into
architectural specifications, introducing a branching into the development:
![Page 222: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/222.jpg)
Conclusions
• CASL is a complex specification language that provides both a complete formal semantics and a proof
calculus for all of its constructs.
• A central property of the design of CASL is the orthogonally between basic specifications and structured
and architectural specifications.
• Basic Specifications provide means to write theories in a specific logic, whereas Structured and
architectural specifications have a logic independent semantics.
• Logic for basic specifications can easily be changed while keeping the rest of CASL unchanged.
• CASL is the central language in a whole family of languages.
• CASL concentrates on specifications of abstract data types and functional requirements.
• Some extensions of CASL also consider the specification of higher order functions and of reactive and
object-oriented behaviour.
• Programming Languages are being integrated into CASL leading to a framework and environment for
formal software development.
![Page 223: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/223.jpg)
•The Heterogeneous Tool Set (HETS) is the main analysis tool for CASL.
• CASL specifications can also be checked for well-formedness using a form-based webpage.
• HETS can be used for parsing and checking static well-formedness of specifications.
• HETS also displays and manages proof obligations, using development graphs.
• Nodes in a development graph correspond to CASL specifications.
Arrows show how specifications are related by the structuring constructs.
• Internal nodes in a development graph correspond to unnamed parts of a structured
specification.
•Currently, Hets integrates the following provers:
* Interactive higher-order provers
o Isabelle
* Automated first-order provers
o SPASS
o Vampire
o MathServe
Other tools
* CASL consistency checker (a prototype)
* CASL to PVS (a prototype)
* CATS, the CASL tool set (now out-dated and superseded by Hets)
* HOL-CASL (now out-dated and superseded by Hets)
Tools
![Page 224: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/224.jpg)
IntroductionThe RSL Logic
Reasoning in RAISECASE Study
Conclusion and Bibliography
The Logic of RAISE Specification LanguageChris George and Anne E. Haxthausen
Hamid Mohammad-GholizadehSupervised by: Dr. Khedri
Department of Computing and softwareMcMaster University
April 2011
1 / 32 Hamid Mohammad-Gholizadeh The Logic of RAISE Specification Language
![Page 225: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/225.jpg)
IntroductionThe RSL Logic
Reasoning in RAISECASE Study
Conclusion and Bibliography
Outline1 Introduction
What is RAISE?The RAISE Specification Language(RSL)Refinment in RAISE
2 The RSL LogicEquivalence and EqualityDefinednesslogical ConectivesAxioms
3 Reasoning in RAISEReasoning Styleproof theoryThe Justification Editor
4 CASE StudyIntroductionStructure of SpecificationProof ObligationsOther techniques to proof properties
5 Conclusion and Bibliography
2 / 32 Hamid Mohammad-Gholizadeh The Logic of RAISE Specification Language
![Page 226: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/226.jpg)
IntroductionThe RSL Logic
Reasoning in RAISECASE Study
Conclusion and Bibliography
What is RAISE?The RAISE Specification Language(RSL)Refinment in RAISE
What is RAISE?Rigorous Approach to Industrial Software Engineering
Rigorous Approach to Industrial Software Engineering
A method for software development
A formal specification language: RSL
A set of supporting tools
3 / 32 Hamid Mohammad-Gholizadeh The Logic of RAISE Specification Language
![Page 227: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/227.jpg)
IntroductionThe RSL Logic
Reasoning in RAISECASE Study
Conclusion and Bibliography
What is RAISE?The RAISE Specification Language(RSL)Refinment in RAISE
RAISE HistoryWhen, Why and How Invented
Esprit I project: 1985-1990 �→ Formal specificationlanguage RSL and its tool set
Esprit II project: 1989-1992�→ RAISE successor project,concentrated on applying the RAISE method
ESPRIT (European Strategic Program on Research inInformation Technology)
4 / 32 Hamid Mohammad-Gholizadeh The Logic of RAISE Specification Language
![Page 228: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/228.jpg)
IntroductionThe RSL Logic
Reasoning in RAISECASE Study
Conclusion and Bibliography
What is RAISE?The RAISE Specification Language(RSL)Refinment in RAISE
The RAISE Specification Language(RSL)
RSL is a formal, wide-spectrum specification language
It is inspired by and unifies features of severalspecifications languages
Z, VDM → model based specification language.CLEAR, OBJ → algebraic specification language.CSP, CCS → laguage for describing cuncurreny.
Typical applications could be: system software,embedded system or safety critical software.
5 / 32 Hamid Mohammad-Gholizadeh The Logic of RAISE Specification Language
![Page 229: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/229.jpg)
IntroductionThe RSL Logic
Reasoning in RAISECASE Study
Conclusion and Bibliography
What is RAISE?The RAISE Specification Language(RSL)Refinment in RAISE
Refinment in RAISE
6 / 32 Hamid Mohammad-Gholizadeh The Logic of RAISE Specification Language
![Page 230: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/230.jpg)
IntroductionThe RSL Logic
Reasoning in RAISECASE Study
Conclusion and Bibliography
What is RAISE?The RAISE Specification Language(RSL)Refinment in RAISE
Refinment in RAISE
typeAccount, Transaction
valueadd : Transaction × Account ∼→ Account
. . .⇓type
Account = {� trl: Transaction* ● is_ordered(trl) �}Transaction ::
date : Date,amount : Amountinfo : Info
valueadd : Transaction × Account ∼→ Accountadd(tr, ac) ≡ �tr �̂ acpre can_add(tr,ac),
. . .
7 / 32 Hamid Mohammad-Gholizadeh The Logic of RAISE Specification Language
![Page 231: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/231.jpg)
IntroductionThe RSL Logic
Reasoning in RAISECASE Study
Conclusion and Bibliography
What is RAISE?The RAISE Specification Language(RSL)Refinment in RAISE
Refinement in RSL
class expression B′ refines class expression B provided
The signature of B′ includes that of B→ ensures that substituting B′ for B in some context will notgenerate type errors.
All the properties of B hold in B′→ anything that can be proved about a class can be provedabout a class that refines it.
8 / 32 Hamid Mohammad-Gholizadeh The Logic of RAISE Specification Language
![Page 232: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/232.jpg)
IntroductionThe RSL Logic
Reasoning in RAISECASE Study
Conclusion and Bibliography
What is RAISE?The RAISE Specification Language(RSL)Refinment in RAISE
Refinment in RAISEExample
problematic refinementtype T = Int-set Refinement ⇒ type T = Int∗ � Type error
solutiontype Tvalue setof: T → Int-set
Refined To:type T=Int∗value
setof: T → Int-setsetof(t) ≡ elems t
9 / 32 Hamid Mohammad-Gholizadeh The Logic of RAISE Specification Language
![Page 233: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/233.jpg)
IntroductionThe RSL Logic
Reasoning in RAISECASE Study
Conclusion and Bibliography
Equivalence and EqualityDefinednesslogical ConectivesAxioms
Equivalence≡(equivalence) VS =(equality)
A ≡ B
A and B has same effect and same result.
is reflexive, transitive and commutative and allow substitution
always defined i.e always returns true or false
A = B → just like any other infix operator, such as +
Evaluate A. If it is undefined so is the whole expression.
Otherwise, evaluate B. If it is undefined, so is the wholeexpression.
Otherwise, compare the results of evaluating A and B and return"true" if they are the same value, "false" otherwise.
10 / 32 Hamid Mohammad-Gholizadeh The Logic of RAISE Specification Language
![Page 234: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/234.jpg)
IntroductionThe RSL Logic
Reasoning in RAISECASE Study
Conclusion and Bibliography
Equivalence and EqualityDefinednesslogical ConectivesAxioms
Equivalence . . .
ExampleVariable
v : Intvalue
increment : Unit → write v Intincrement ≡ v ∶= v + 1; v
Now consider the two expressionsincrement() ≡ increment() ≡ trueincrement() = increment() ≡ false
11 / 32 Hamid Mohammad-Gholizadeh The Logic of RAISE Specification Language
![Page 235: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/235.jpg)
IntroductionThe RSL Logic
Reasoning in RAISECASE Study
Conclusion and Bibliography
Equivalence and EqualityDefinednesslogical ConectivesAxioms
Definedness
problematic expressions likewhile true do skip end
Possible approaches:All expressions denote(like Z and B languages)RSL, like VDM, allows in its logic for expressions that mightnot denote values in their types �→ you should provedefineness.
There are three basic undefined expressions in RSL:chaos �→ while true do skip end,stop, swap �→ specify a kind of deadlock in concurrency
12 / 32 Hamid Mohammad-Gholizadeh The Logic of RAISE Specification Language
![Page 236: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/236.jpg)
IntroductionThe RSL Logic
Reasoning in RAISECASE Study
Conclusion and Bibliography
Equivalence and EqualityDefinednesslogical ConectivesAxioms
logical Conectives
How to define ∧,∨,∼,⇒A ∧ B ≡ if A then B else false endA ∨ B ≡ if A then true else B endA⇒ B ≡ if A then B else true end∼ A ≡ if A then false else true end
All the laws of classical logic hold when expressions areconvergent → defined and having a unique value
13 / 32 Hamid Mohammad-Gholizadeh The Logic of RAISE Specification Language
![Page 237: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/237.jpg)
IntroductionThe RSL Logic
Reasoning in RAISECASE Study
Conclusion and Bibliography
Equivalence and EqualityDefinednesslogical ConectivesAxioms
logical Conectives . . .
Not commutative in some cases!
chaos ∧ false ≡ chaosbutfalse ∧ chaos ≡ false
� true false chaostrue true false chaosfalse false false falsechaos chaos chaos chaos
14 / 32 Hamid Mohammad-Gholizadeh The Logic of RAISE Specification Language
![Page 238: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/238.jpg)
IntroductionThe RSL Logic
Reasoning in RAISECASE Study
Conclusion and Bibliography
Equivalence and EqualityDefinednesslogical ConectivesAxioms
The RSL LogicAxioms
valuefactorial : Nat →̃ Natfactorial(n) ≡
if n = 1 then 1 else n ∗ factorial(n-1) endpre n ≥ 1
Above Spec. is a short form for:
valuefactorial : Nat →̃ Nat
axiom∀n ∶ Nat ●factorial(n) ≡
if n = 1 then 1 else n ∗ factorial(n-1) endpre n ≥ 1
15 / 32 Hamid Mohammad-Gholizadeh The Logic of RAISE Specification Language
![Page 239: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/239.jpg)
IntroductionThe RSL Logic
Reasoning in RAISECASE Study
Conclusion and Bibliography
Reasoning Styleproof theoryThe Justification Editor
Reasoning Style
Some methods use reasoning based on:Hoare logic or weakest preconditions (wp) for sequentialimperative descriptionsTemporal logic for concurrent descriptions
RSL use an axiomatic "equational" style.
16 / 32 Hamid Mohammad-Gholizadeh The Logic of RAISE Specification Language
![Page 240: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/240.jpg)
IntroductionThe RSL Logic
Reasoning in RAISECASE Study
Conclusion and Bibliography
Reasoning Styleproof theoryThe Justification Editor
proof theory
Purpose of the proof theoryprovide formation rules for determining whether aspecification is well-formed (type correct etc.)proof rules for reasoning about specifications, forexample:
deciding whether two RSL terms are equivalentdeciding whether an RSL specification is a refinement ofanother RSL specification.
The Form of the Definition of the Axiomatic Semantics
premise1...premisenconclusion
17 / 32 Hamid Mohammad-Gholizadeh The Logic of RAISE Specification Language
![Page 241: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/241.jpg)
IntroductionThe RSL Logic
Reasoning in RAISECASE Study
Conclusion and Bibliography
Reasoning Styleproof theoryThe Justification Editor
proof theory . . .
Formation Rulesprovide a decidable test for whether terms are well-formed.
context�true ∶�Bool
Context-independent Equivalence Ruleslike commutativity of the concurrency operator or Shorthandterms
�expr1∥exp2≅expr2∥exp1
�value_expr1∧value_expr2≅if value_expr1 then value_expr2 else false end
18 / 32 Hamid Mohammad-Gholizadeh The Logic of RAISE Specification Language
![Page 242: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/242.jpg)
IntroductionThe RSL Logic
Reasoning in RAISECASE Study
Conclusion and Bibliography
Reasoning Styleproof theoryThe Justification Editor
The Justification Editor
Type-checking, Simplifying rule language.Allow proof rules to be applied to the sub-expressions of agoal.
select a sub-expressionshow the applicable proof rulesselect and apply a rule
Not all steps to be proved formally: Accept informalassertion that is true or replace an expression by anotherasserted as equivalent.
19 / 32 Hamid Mohammad-Gholizadeh The Logic of RAISE Specification Language
![Page 243: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/243.jpg)
IntroductionThe RSL Logic
Reasoning in RAISECASE Study
Conclusion and Bibliography
Reasoning Styleproof theoryThe Justification Editor
The Justification EditorProof Rule Language
term1 � term2 when term3
[if_annihilation1]if eb then eb else true end � true
when convergent(eb) ∧ readonly(eb)
[let_int_choice]let b=e � e’ in e1 end �
let b=e in e1 end � let b=e’ in e1 end
20 / 32 Hamid Mohammad-Gholizadeh The Logic of RAISE Specification Language
![Page 244: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/244.jpg)
IntroductionThe RSL Logic
Reasoning in RAISECASE Study
Conclusion and Bibliography
IntroductionStructure of SpecificationProof ObligationsOther techniques to proof properties
CASE StudyHarbour System
21 / 32 Hamid Mohammad-Gholizadeh The Logic of RAISE Specification Language
![Page 245: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/245.jpg)
IntroductionThe RSL Logic
Reasoning in RAISECASE Study
Conclusion and Bibliography
IntroductionStructure of SpecificationProof ObligationsOther techniques to proof properties
Structure of Specification
Identify Objects:Ships, Berths, Pool
Identify Operations on Objects:arrive: to register the arrival of a ship;dock: to register a ship docking in a berth;leave: to register a ship leaving a berth.
22 / 32 Hamid Mohammad-Gholizadeh The Logic of RAISE Specification Language
![Page 246: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/246.jpg)
IntroductionThe RSL Logic
Reasoning in RAISECASE Study
Conclusion and Bibliography
IntroductionStructure of SpecificationProof ObligationsOther techniques to proof properties
Structure of Specification . . .
scheme TYPES = class ... end→ defining types and static properties for the basic objects.
object T : TYPES→ instantiation of TYPES.
scheme HARBOUR = class ... end→ the state of the harbour and the required top-level functions.
23 / 32 Hamid Mohammad-Gholizadeh The Logic of RAISE Specification Language
![Page 247: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/247.jpg)
IntroductionThe RSL Logic
Reasoning in RAISECASE Study
Conclusion and Bibliography
IntroductionStructure of SpecificationProof ObligationsOther techniques to proof properties
Schema TYPES
typeShip, Berth (leave it open whether ships and berths should have additional attributes.)
Index = {�i ∶ Int ● i ≥min ∧max ≥ i �}value
fits : Ship × Berth → Bool. (a ship may or may not fit a berth)
indx : Berth → Index (a function that observes the index of a berth)
min, max: Intaxiom
[berths indexable]∀b1,b2 ∶ Berth ● indx(b1) = indx(b2)⇒ b1 = b2[index not empty]max ≥min
24 / 32 Hamid Mohammad-Gholizadeh The Logic of RAISE Specification Language
![Page 248: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/248.jpg)
IntroductionThe RSL Logic
Reasoning in RAISECASE Study
Conclusion and Bibliography
IntroductionStructure of SpecificationProof ObligationsOther techniques to proof properties
Schema HARBOUR
typeHarbour ::
pool:T.Ship-setberths: T.Index m→ T.Ship
value/* observer (query) functions */
waiting:T.Ship × Harbour → Boolwaiting(s, h) ≡ s ∈ pool(h)is_docked : T.Ship × Harbour → Boolis_docked(s, h) ≡ s ∈ rng berths(h)...
25 / 32 Hamid Mohammad-Gholizadeh The Logic of RAISE Specification Language
![Page 249: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/249.jpg)
IntroductionThe RSL Logic
Reasoning in RAISECASE Study
Conclusion and Bibliography
IntroductionStructure of SpecificationProof ObligationsOther techniques to proof properties
Schema HARBOUR . . .
value /*generator functions */
empty : Harbour = mk_Harbour({}, [ ])
arrive: T.Ship × Harbour ∼→ Harbourarrive(s, h) ≡ mk_Harbour(pool(h) ∪ {s}, berths(h))pre can_arrive(s,h). . . /*guards*/
can_arrive : T.Ship × Harbour → Boolcan_arrive(s, h) ≡ ∼ waiting(s, h) ∧ ∼ is_docked(s,h)...
26 / 32 Hamid Mohammad-Gholizadeh The Logic of RAISE Specification Language
![Page 250: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/250.jpg)
IntroductionThe RSL Logic
Reasoning in RAISECASE Study
Conclusion and Bibliography
IntroductionStructure of SpecificationProof ObligationsOther techniques to proof properties
Invariants in HARBOUR Specification
at most one ship can be in any one berth.
a ship cannot be in two places at once.
a ship can only be in a berth that it fits.
consistent: Harbour → Boolconsistent(h) ≡
( ∀s ∶ T .Ship●∼ (waiting(s,h) ∧ is_docked(s,h)) ∧( ∀b1,b2 ∶ T .Berth●
is_occupied_by(b1,s,h) ∧is_occupied_by(b2,s,h)⇒ b1 = b2) ∧
( ∀b ∶ T .Berth●is_occupied_by(b,s,h)⇒ T.fits(s,b)) )
27 / 32 Hamid Mohammad-Gholizadeh The Logic of RAISE Specification Language
![Page 251: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/251.jpg)
IntroductionThe RSL Logic
Reasoning in RAISECASE Study
Conclusion and Bibliography
IntroductionStructure of SpecificationProof ObligationsOther techniques to proof properties
CASE studyProof Obligations
consistent(empty)
OR
∀h ∶ Harbour, s: T.Ship ●consistent(h) ∧ can_arrive(s,h)⇒ consistent(arrive(s,h))
28 / 32 Hamid Mohammad-Gholizadeh The Logic of RAISE Specification Language
![Page 252: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/252.jpg)
IntroductionThe RSL Logic
Reasoning in RAISECASE Study
Conclusion and Bibliography
IntroductionStructure of SpecificationProof ObligationsOther techniques to proof properties
Prove Using eden
we may use the definitions of that specification in the proof.�∀h : Harbour, s :T.Ship ●consistent(h) ∧ can_arrive(s,h)⇒ consistent(arrive(s,h)) �
all_assumption_inf, imply_deduction_inf1 :[gen_131] consitent(h) ∧ can_arrive(s, h) �� consistent(arrives(s,h)) �. . .[ imply deduction inf1 ]
[id]ro_eb�ro_eb′ro_eb⇒ro_eb′
when convergent(ro_eb) ∧ pure(ro_eb)
29 / 32 Hamid Mohammad-Gholizadeh The Logic of RAISE Specification Language
![Page 253: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/253.jpg)
IntroductionThe RSL Logic
Reasoning in RAISECASE Study
Conclusion and Bibliography
IntroductionStructure of SpecificationProof ObligationsOther techniques to proof properties
Proof via Translation
This new tool provides support for proof via translation toPVS.can provide only a limited proof system because PVS isapplicative.PVS also has a different logic from RSL → excludesundefinedness and nondeterminism.prove done in half the number of proof steps requiredwith edenRSL maps are like partial functions: we model a map asa total function that returns nil when applied to values notin the domain.An alternative for translating proof obligations into PVS isto translate them into Isabelle/HOL
30 / 32 Hamid Mohammad-Gholizadeh The Logic of RAISE Specification Language
![Page 254: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/254.jpg)
IntroductionThe RSL Logic
Reasoning in RAISECASE Study
Conclusion and Bibliography
IntroductionStructure of SpecificationProof ObligationsOther techniques to proof properties
Model Checking and Testing
Proof is ideal method but Expensive.model checking
a property such as maintenance of consistency being Truein every possible state of the system.translator from RSL to the language of the symbolic modelchecker SALFor harbour → 1015 nodes and 24 Boolean variableshave to reduce the problem to a finite model before we canuse model checking
Testingerrors such as incorrect implementation or wrongassumptions about the environment.The RAISE tools have translators to SML and to C++test_case [t1] empty(); arrive(s3); pool=s3 ∧ berths = [ ],. . .
31 / 32 Hamid Mohammad-Gholizadeh The Logic of RAISE Specification Language
![Page 255: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/255.jpg)
IntroductionThe RSL Logic
Reasoning in RAISECASE Study
Conclusion and Bibliography
Bibliography
C. Henson and Dines Bjorner (editors), "Logics of Specification Languages,"EATCS Monographs in Theoretical Computer Science, Springer, 2008.
H. Dang Van, C. George, T. Janowski, and R. Moore (Eds), Specification CaseStudies in RAISE, UNU-IIST, 2002.
C. George, "Lecture notes in Formal Software Development Using RAISE."
Soren Prehn,"From VDM to RAISE," Lecture Notes in Computer Science, 1987,Volume 252/1987, 141-150
Chris George. "A RAISE Tutorial," Technical Report, UNU-IIST, December 1998.
32 / 32 Hamid Mohammad-Gholizadeh The Logic of RAISE Specification Language
![Page 256: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/256.jpg)
Duration Calculus
Vitalii Fedorenko McMaster University
![Page 257: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/257.jpg)
Table of Contents
Buridan's LogicInterval LogicDuration CalculusExtensions
![Page 258: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/258.jpg)
Buridan's Logic
![Page 259: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/259.jpg)
T(I, p) : p is true wrt. the interval I given(I, p) : The truth of p is given for the interval I included(I', I) : The interval I' is included in I
Formalization
![Page 260: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/260.jpg)
T(I, p) : p is true wrt. the interval I given(I, p) : The truth of p is given for the interval I included(I', I) : The interval I' is included in I
Formalization
![Page 261: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/261.jpg)
T(I, p) : p is true wrt. the interval I given(I, p) : The truth of p is given for the interval I included(I', I) : The interval I' is included in I
Formalization
![Page 262: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/262.jpg)
Truth
The truth of a proposition p wrt. an interval I:
T(I, p) = ∃I'.(included(I', I) ∧ given(I', p))
![Page 263: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/263.jpg)
Given
given(I, p) ⇒ ∀I'.(included(I', I) ⇒ given(I', p))
![Page 264: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/264.jpg)
Socrates is Alive
The present (now)
![Page 265: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/265.jpg)
Contradiction?
T(I, p) ∧ T(I, ¬p) = ?
![Page 266: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/266.jpg)
Interval Logic
![Page 267: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/267.jpg)
Interval Logic
Predicates describes the set of times when the formula is true
![Page 268: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/268.jpg)
Interval
An interval �ntv is the set of time intervals:
�ntv ≙ { [b,e] | b,e ∈ �ime ⋀ b ≤ e }
![Page 269: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/269.jpg)
Syntax
� ::= x � ℓ � ƒn (�1,...,�n)
ϕ ::= X � Gn (�1,...,�n) �¬ϕ � ϕ ⋁ ψ � ϕ ◠ ψ � (∃x)ϕ
![Page 270: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/270.jpg)
Semantics
Val ≙ GVar → ℝ
� �θ� : (Val x �ntv) → ℝ � �ϕ� : (Val x �ntv) → {tt,ff }
![Page 271: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/271.jpg)
Semantics
Val ≙ GVar → ℝ
� �θ� : (Val x �ntv) → ℝ � �ϕ� : (Val x �ntv) → {tt,ff }
![Page 272: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/272.jpg)
Semantics
Val ≙ GVar → ℝ
� �θ� : (Val x �ntv) → ℝ � �ϕ� : (Val x �ntv) → {tt,ff }
![Page 273: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/273.jpg)
Example
(ℓ < x) ⋁ (ℓ > 5)
![Page 274: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/274.jpg)
Chop
φ ◠ ψ (read as “φ chop ψ”) holds on [b, e] iff there exists an m, where b ≤ m ≤ e, φ holds on [b,m] and ψ holds on [m, e]
ϕ ψ
b m e
![Page 275: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/275.jpg)
Possible-World Semantics
R ⊆ W x W x W
([t1, t'1],[t2, t'
2],[b, e]) ∈ R iff b = t1 ⋀ t'1 = t2 ⋀ t'
2 = e
![Page 276: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/276.jpg)
Possible-World Semantics
R ⊆ W x W x W
([t1, t'1],[t2, t'
2],[b, e]) ∈ R iff b = t1 ⋀ t'1 = t2 ⋀ t'
2 = e
(W,R), �, V,w |= ϕ ◠ ψ
iff, for some w1, w2 ∈ W, where (w1, w2,w) ∈ R:
|(W, R), � , V, w1 |= ϕ and (W,R), �, V, w2 |= ψ
![Page 277: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/277.jpg)
Dual-chop
ϕ ◡ ψ - dual-chop, for all m φ holds on [b,m] or ψ holds on [m,e]
ϕ ◡ ϕ ≙ ¬((¬ϕ) ◠ (¬ψ))
![Page 278: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/278.jpg)
Derived Propositional Connectives
ϕ ⋀ ψ = ¬((¬ϕ) ⋁ (¬ψ))
ϕ ⇒ ψ = ((¬ϕ) ⋁ ψ) ϕ ⇔ ψ = (ϕ ⇒ ψ) ⋀ (ψ ⇒ ϕ) (∀x)ϕ = ¬((∃x)¬ϕ)
![Page 279: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/279.jpg)
Interval Logic Axioms
ℓ ≥ 0
((ϕ ◠ ψ) ⋀ (¬ϕ ◡ φ)) ⇒ (ϕ ◠ (ψ ⋀ φ))
((ϕ ◠ ψ) ⋀ (φ ◡ ¬ψ)) ⇒ ((ϕ ⋀ φ) ◠ ψ)
((ϕ ◠ ψ) ◠ φ) ⇔ (ϕ ◠ (ψ ◠ φ))
![Page 280: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/280.jpg)
Interval Logic Axioms
ℓ ≥ 0
((ϕ ◠ ψ) ⋀ (¬ϕ ◡ φ)) ⇒ (ϕ ◠ (ψ ⋀ φ))
((ϕ ◠ ψ) ⋀ (φ ◡ ¬ψ)) ⇒ ((ϕ ⋀ φ) ◠ ψ)
((ϕ ◠ ψ) ◠ φ) ⇔ (ϕ ◠ (ψ ◠ φ))
![Page 281: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/281.jpg)
Interval Logic Axioms
ℓ ≥ 0
((ϕ ◠ ψ) ⋀ (¬ϕ ◡ φ)) ⇒ (ϕ ◠ (ψ ⋀ φ))
((ϕ ◠ ψ) ⋀ (φ ◡ ¬ψ)) ⇒ ((ϕ ⋀ φ) ◠ ψ)
((ϕ ◠ ψ) ◠ φ) ⇔ (ϕ ◠ (ψ ◠ φ))
![Page 282: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/282.jpg)
Interval Logic Axioms
ℓ ≥ 0
((ϕ ◠ ψ) ⋀ (¬ϕ ◡ φ)) ⇒ (ϕ ◠ (ψ ⋀ φ))
((ϕ ◠ ψ) ⋀ (φ ◡ ¬ψ)) ⇒ ((ϕ ⋀ φ) ◠ ψ)
((ϕ ◠ ψ) ◠ φ) ⇔ (ϕ ◠ (ψ ◠ φ))
![Page 283: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/283.jpg)
Example
∃x, y > 0. (ϕ ◠ (ℓ = y ⋀ ψ) ◠ (ℓ = x + y ⋀ ϕ))
![Page 284: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/284.jpg)
Inference Rules
if ϕ and ϕ ⇒ ψ then ψ if ϕ then (∀x)ϕ if ϕ then ϕ ◡ false if ϕ then false ◡ ϕ if ϕ ⇒ ψ then (ϕ◠φ) ⇒ (ψ◠φ) if ϕ ⇒ ψ then (φ◠ϕ) ⇒ (φ◠ψ)
(Modus ponens) (Generalization) (Necessity) (Monotonicity)
![Page 285: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/285.jpg)
Inference Rules
if ϕ and ϕ ⇒ ψ then ψ if ϕ then (∀x)ϕ if ϕ then ϕ ◡ false if ϕ then false ◡ ϕ if ϕ ⇒ ψ then (ϕ◠φ) ⇒ (ψ◠φ) if ϕ ⇒ ψ then (φ◠ϕ) ⇒ (φ◠ψ)
(Modus ponens) (Generalization) (Necessity) (Monotonicity)
![Page 286: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/286.jpg)
Inference Rules
if ϕ and ϕ ⇒ ψ then ψ if ϕ then (∀x)ϕ if ϕ then ϕ ◡ false if ϕ then false ◡ ϕ if ϕ ⇒ ψ then (ϕ◠φ) ⇒ (ψ◠φ) if ϕ ⇒ ψ then (φ◠ϕ) ⇒ (φ◠ψ)
(Modus ponens) (Generalization) (Necessity) (Monotonicity)
![Page 287: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/287.jpg)
Inference Rules
if ϕ and ϕ ⇒ ψ then ψ if ϕ then (∀x)ϕ if ϕ then ϕ ◡ false if ϕ then false ◡ ϕ if ϕ ⇒ ψ then (ϕ◠φ) ⇒ (ψ◠φ) if ϕ ⇒ ψ then (φ◠ϕ) ⇒ (φ◠ψ)
(Modus ponens) (Generalization) (Necessity) (Monotonicity)
![Page 288: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/288.jpg)
Rigid Expressions
Terms and formulas which do not depend on time intervals are called rigid
![Page 289: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/289.jpg)
Predicate Logic Axiom
if θ is free for x in φ(x), and either θ is rigid or φ(x) is chop-free:
∀x.φ(x) ⇒ φ(θ)φ(θ) ⇒ ∃x.φ(x)
∀x.(((ℓ = x) ◠ (ℓ = x)) ⇒ ℓ = 2x)
((ℓ = ℓ) ◠ (ℓ = ℓ)) ⇒ ℓ = 2ℓ)
![Page 290: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/290.jpg)
Predicate Logic Axiom
if θ is free for x in φ(x), and either θ is rigid or φ(x) is chop-free:
∀x.φ(x) ⇒ φ(θ)φ(θ) ⇒ ∃x.φ(x)
∀x.(((ℓ = x) ◠ (ℓ = x)) ⇒ ℓ = 2x)
((ℓ = ℓ) ◠ (ℓ = ℓ)) ⇒ ℓ = 2ℓ)
![Page 291: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/291.jpg)
Deduction and Proof
ϕ ⇒ ψ ⊢ (ϕ ◡ φ) ⇒ (ψ ◡ φ) ϕ ⇒ ψ ⊢ (φ ◡ ϕ) ⇒ (φ ◡ ψ)
![Page 292: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/292.jpg)
Deduction and Proof
ϕ ⇒ ψ ⊢ (ϕ ◡ φ) ⇒ (ψ ◡ φ) ϕ ⇒ ψ ⊢ (φ ◡ ϕ) ⇒ (φ ◡ ψ)
![Page 293: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/293.jpg)
Other Modalities
◇ϕ ≙ true ◠ (ϕ ◠ true) - for some subinterval
![Page 294: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/294.jpg)
Other Modalities
◇ϕ ≙ true ◠ (ϕ ◠ true) - for some subinterval
▢ϕ ≙ ¬◇(¬ϕ) - for all subintervals
![Page 295: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/295.jpg)
Example
◇A = ¬▢¬ A
![Page 296: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/296.jpg)
Theorems
▢(ϕ ⇒ ψ) ⇒ (▢ϕ ⇒ ▢ψ)
ϕ ⊢ ▢ϕ
▢ϕ⇒ ϕ
▢ϕ⇒ ▢▢ϕ
![Page 297: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/297.jpg)
Theorems
▢(ϕ ⇒ ψ) ⇒ (▢ϕ ⇒ ▢ψ)
ϕ ⊢ ▢ϕ
▢ϕ⇒ ϕ
▢ϕ⇒ ▢▢ϕ
![Page 298: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/298.jpg)
Theorems
▢(ϕ ⇒ ψ) ⇒ (▢ϕ ⇒ ▢ψ)
ϕ ⊢ ▢ϕ
▢ϕ⇒ ϕ
▢ϕ⇒ ▢▢ϕ
![Page 299: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/299.jpg)
Theorems
▢(ϕ ⇒ ψ) ⇒ (▢ϕ ⇒ ▢ψ)
ϕ ⊢ ▢ϕ
▢ϕ⇒ ϕ
▢ϕ⇒ ▢▢ϕ
![Page 300: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/300.jpg)
Duration Calculus
![Page 301: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/301.jpg)
Boolean-value Function
true ↝ 1
false ↝ 0
![Page 302: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/302.jpg)
Real Time System
A real-time system is a computing system with real-time constraints.
�ime → {0,1}
�ime ≙ ℝ
![Page 303: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/303.jpg)
Example
Rdyi : �ime → {0,1}
Runi : �ime → {0,1}
Runi (t) ⇒ Rdyi (t)
Runi (t) ⇒ Λj≠i¬Runj (t)
![Page 304: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/304.jpg)
Syntax
S ::= 0 �1� P �¬S1� S1 ⋁ S2
� ::= x � ℓ � ∫S � ƒn (�1,...,�n)
ϕ ::= X � Gn (�1,...,�n) �¬ϕ � ϕ ⋁ ψ � ϕ ◠ ψ � (∃x)
ϕ
![Page 305: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/305.jpg)
Semantics
![Page 306: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/306.jpg)
Duration
Duration of the state Runi in the interval [a, b]:
![Page 307: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/307.jpg)
Requirements
∫(Rdyi Λ Runi) > 0
![Page 308: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/308.jpg)
Requirements
k1 + k2 +... + kn ≤ 1
∫(Rdyi Λ Runi) > 0
![Page 309: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/309.jpg)
Process Scheduler
![Page 310: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/310.jpg)
Boolean State Model
Given(I,S): S - state expression ℓ - length of the current interval
|�S�| = ∫S = ℓ Λ ℓ > 0
![Page 311: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/311.jpg)
Boolean State Model
Given(I,S): S - state expression ℓ - length of the current interval
|�S�| = ∫S = ℓ Λ ℓ > 0
▢(ℓ ≥ 1 ⇒ ◇(∫Runi = ki Λ |�Rdyi�|))
![Page 312: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/312.jpg)
Socrates Again
◇ |�A�| Λ ◇ |�¬A�|
![Page 313: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/313.jpg)
DC Axioms
∫0 = 0 ∫1 = ℓ ∫S ≥ 0 ∫S1 + ∫S2 = ∫(S1 ⋁ S2) + ∫(S1 Λ S2)
((∫S = x) ◠ (∫S = y)) ⇒ (∫S = x +y)
![Page 314: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/314.jpg)
DC Axioms
∫0 = 0 ∫1 = ℓ ∫S ≥ 0 ∫S1 + ∫S2 = ∫(S1 ⋁ S2) + ∫(S1 Λ S2)
((∫S = x) ◠ (∫S = y)) ⇒ (∫S = x +y)
![Page 315: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/315.jpg)
DC Axioms
∫0 = 0 ∫1 = ℓ ∫S ≥ 0 ∫S1 + ∫S2 = ∫(S1 ⋁ S2) + ∫(S1 Λ S2)
((∫S = x) ◠ (∫S = y)) ⇒ (∫S = x +y)
![Page 316: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/316.jpg)
Theorems
∫S ≤ ℓ ∫S +∫¬S = ℓ
∫S1 ≥ ∫S2, if S2⇒ S1
![Page 317: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/317.jpg)
Theorems
∫S ≤ ℓ ∫S +∫¬S = ℓ
∫S1 ≥ ∫S2, if S2⇒ S1
![Page 318: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/318.jpg)
Theorems
∫S ≤ ℓ ∫S +∫¬S = ℓ
∫S1 ≥ ∫S2, if S2⇒ S1
![Page 319: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/319.jpg)
Gas Burner
Requirement: GbReq ≙ ℓ ≥ 60 ⇒ 20 ∫Leak ≤ ℓ Design decisions: Des1 ≙ ▢(|�Leak�| ⇒ ℓ ≤ 1)
Des2 ≙ ▢((|�Leak�| ◠ |�¬Leak�| ◠ |�Leak�|) ⇒ ℓ
≥ 30)
![Page 320: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/320.jpg)
Extensions
![Page 321: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/321.jpg)
Allen's Interval Algebra
∀i1, i2, i3.(MEETS(i1, i2) ∧ DURING(i2, i3)
⇒ (OVERLAPS(i1, i3) ∨ DURING(i1, i3) ∨ MEETS(i1, i3)))
![Page 322: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/322.jpg)
Neighbourhood Logic
![Page 323: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/323.jpg)
Neighbourhood Logic
◇cl ϕ ≙ ◇r◇l ϕ read "for some left neighborhood of the
end point: ϕ" ◇c
r ψ ≙ ◇l◇r ψ read "for some right neighborhood of the
start point: ψ"
![Page 324: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/324.jpg)
Liveness
inf(S) ≙ ▢r◇r ◇r |�S�|
inf(S) Λ inf(¬S)
![Page 325: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/325.jpg)
Liveness
inf(S) ≙ ▢r◇r ◇r |�S�|
inf(S) Λ inf(¬S)
![Page 326: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/326.jpg)
Fairness
inf(¬|�Leak�|) ⇒ inf(|�Leak�|)
![Page 327: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/327.jpg)
Justice
stabilize(S) ≙ ◇r ▢r|�S�|*
|�S�|* ≙ |��| v |�S�|
stabilize (S1) ⇒ inf(S2)
![Page 328: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/328.jpg)
Justice
stabilize(S) ≙ ◇r ▢r|�S�|*
|�S�|* ≙ |��| v |�S�|
stabilize (S1) ⇒ inf(S2)
![Page 329: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/329.jpg)
Justice
stabilize(S) ≙ ◇r ▢r|�S�|*
|�S�|* ≙ |��| v |�S�| stabilize (S1) ⇒ inf(S2)
![Page 330: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/330.jpg)
Equal Distribution
∀e > 0. ∃T. ▢r(ℓ > T ⇒ |∫S1 - ∫S2| < e)
![Page 331: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/331.jpg)
Signed Interval
![Page 332: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/332.jpg)
Refined Models for Reactive Real-time Systems
e1 e2 ... en ∈ Event*
![Page 333: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/333.jpg)
Refined Models for Reactive Real-time Systems
For a given interval [b, e], the trace variable gives the trace which is observed at the right end point e of the interval
e1 e2 ... en ∈ Event*
Tr : �ntv → Event*
![Page 334: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/334.jpg)
Bibliography
1. Interval Temporal Logichttp://www.cse.dmu.ac.uk/STRL/ITL/
2. Logics of Specification LanguagesBjorner, Dines; Henson, Martin C., 2008
3. Neighborhood logic and Interval Algebra, the United Nations University, 1997
4. MIT OpenCourseWare | Electrical Engineering and Computer Science | 6.033 Computer System Engineering, Spring 2009
![Page 335: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/335.jpg)
1
![Page 336: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/336.jpg)
Outline
• Introduc/on – Defini/on of the event-‐B Modeling Method
• The event-‐B model Components • Rela/onships in event-‐B • Guards and Events • Invariants • Proofs • Example
2
![Page 337: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/337.jpg)
Introduc/on
• The classical B-‐Method is a mathema/cal method for formal system specifica/on, design and implementa/on of soGware based on refinement.
• Event-‐B is derived from classical B. It keeps the concepts of classical B-‐ Method but adds the concept of event. It is used model of discrete transi+on systems.
3
![Page 338: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/338.jpg)
Classical B vs. event-‐B structures
4
CLASSICAL B MCHINE SETS sASSERTIONS A(x) CONSTANTS c PROPERTIES P(s,c) VARIABLES x INVARIANTS I(x) INITIALIZATION <sub.> OPERATIONS <list of op.>
EVENT B MCHINE SETS sCONSTANTS c PROPERTIES P(s,c) VARIABLES x INVARIANTS I(x) INITIALIZATION <sub.> EVENTS <list of events>Variant V(x)
Operation: has input/output parameters, only operation can change state variables. Precondition check for every operation. !
![Page 339: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/339.jpg)
The event-‐B Model Components
• Model has two kinds of components: Machine and Context.
5
Machine: name • SEES context_name • variables v • INITIALISATION T • invariants I(c,v) • theorems • events E(c,v) event_name = name_predicates (guards) then subsitu/on (S) E = WHEN G(c,v) THEN S(v) END!
• variants V(c,w)!
Context: name • Extends: context • carries sets s • constants c • axioms A(c)!• theorems
Dynamic part
Sta/c Part
![Page 340: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/340.jpg)
The event-‐B Model Components
• Carrier SETS (s) define sets and are represented by their name e.g. COLORS
• CONSTANTS (c) are defined by a number of AXIOMS A(s,c) • THEOREMS are required asser/ons for proving. • VARIABLES define machine variables, which are used to
maintain state informa/on while performing events. • INVARIANTS are used to define a property over the states
and context of the system that must be sa/sfied by all events.
• INITIALISATION is used to specify the ini/al values of variables.
• EVENTS define the units of behaviour that include possible state changes.
6
![Page 341: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/341.jpg)
Machines and Contexts Rela/ons
• Machines see contexts
• Contexts can be extended • Machines can be refined
• A machine implicitly sees all contexts extended by a seen context.
• A machine only sees a context either
explicitly or implicitly. • No cycle in the "refines" or "extends" rela/onships. • Machine and Context can be abstract or concert
7
M
M C
C sees
0-m!
sees
0-m!
0-1!refines
refines 0-1!
0-m! extends
extends 0-m!
![Page 342: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/342.jpg)
Machines and Contexts Rela/ons
8
M0
M1
C01
C1
C02 sees
sees
sees
sees extends
refines
M0 sees C01 and C01 explicitly M1 sees C01 and C1 explicitly M1 sees C02 implicitly
![Page 343: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/343.jpg)
Generalized Subs/tu/ons
• GSL provides a way to express transforma/ons of the state variables of a
given model.
9
Name GSL S [S]P
Assignment x:=E P(E/x)
Skip Skip P
Parallel composi/on x:= E||y:=F [x,y:=E]P
Non-‐determinis/c choice x:∈S ∀v.(v∈ S ⇒ P(v/x))
Precondi/on pre G then T end G ⋀ [T]P
Sequen/al composi/on S;T [S][T]P
![Page 344: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/344.jpg)
Guards and Event
• Guards iden/fy lists of condi/ons for the event to occur. E = when G(v) then S(v) end!
• Three types of Events: – A Simple structure declares an event that does not have a guard but ac/ons S(s, c, v)!
– A Guarded structure is used to iden/fy an event with guards G(s, c, v) and ac/ons S(s, c, v)
– A Non determinis/c structure is the general form of an event and used when the event has local variables l with guards G(l, s, c, v) and ac/ons S(l, s, c, v).
• The guard of the skip event is true. 10
![Page 345: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/345.jpg)
Guards and Event
• Simple – x:= E(v), e.g. x’=x+1
• Determinis/c – E=When G(v) then S(v) end, e.g. when x<10 then x=x+1 end
• Non-‐determinis/c – any t where P(t,v) then x := F(t,v) e.g. n’∈ {n+1,n+2}
• Skip no change – n’=n
11
![Page 346: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/346.jpg)
Guard and Events
12
Event: E Guard: grd(E)
begin S end TRUE
When G(x) then T end G(x)
any t where G(t,x) then T end ∃t.G(t,x)
![Page 347: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/347.jpg)
Before AGer Predicates
• It describes the rela/on between the values of the variable(s) just before and just aGer the event occurrence. e.g. v’ = v +1
13
SubsOtuOon Before AQer Predicates
Determinis/c G(x) ⋀ P(x,x’)
skip P(x,x’)
Non-‐determinis/c ∃t . ( G(t,x) ⋀ P(x,x’,t) )
Event:E Before AQer Predicates
Begin x : P(x,x’) end P(x,x’)
When G(x) then x: P(x,x’) end G(x) ⋀ P(x,x’)
Any t where G(t,x) then T end ∃t . ( G(t,x) ⋀ P(x,x’,t) )
![Page 348: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/348.jpg)
The Gluing invariant
• A gluing invariant links the state of the concrete model to the states of its abstract model.
• J(s,c,v,w) w is the variable of concert model, while v is in the abstract model.
14
![Page 349: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/349.jpg)
Consistency Proofs
• Event-‐B model has to perform consistency proofs to ensure the correctness of the model.
15
P (s, c) ∧ I(s, c, v) ∧ G(s, c, v) ∧ R(s, c, v, v’ ) ⇒ I(s, c, v’ ) invariant preservaOon statement (INV)
P (s, c) ∧ I(s, c, v) ∧ G(s, c, v) ⇒ ∃v’·∙ R(s, c, v, v’ ) feasibility statement (FIS)
P(s,c): proper/es of constants I(s,c,v): Invariant G(s,c,v): guard R(s,c,v,v’): before-‐aGer predicate
Other proofs: INC increments, DEC decrements
Different INV and FIS in the ini/aliza/on event. Don’t have to check invariants and guards
Event:E Feasibility: fis(E)
x: Init(x) ∃x .Init(x)
Begin x:P(x,x’) end I(x) =>∃x’.P(x,x’)
![Page 350: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/350.jpg)
Refinement
• The concept of refinement in Event-‐B allows more detail, and the expression of some design decisions, to be added, in a stepwise manner, into the model. – Feature augmentaOon: a feature augmenta/on is a refinement in which exis/ng model features are maintained and addi/onal features are added, such as variables, invariant, events, addi/onal guards and ac/ons.
– Structural refinement: this refinement is adding detailed design to the implementa/on. Examples of structural refinements are refining the algorithm of an event’s operators, event decomposi/on, and replacing an exis/ng event’s variable with new variables. Must use gluing invariant.
16
![Page 351: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/351.jpg)
Deadlock free
• A model is deadlook free if can run forever. • The disjunc/on of the event guards always hold under the proper/es of constants.
17
P (s, c) ∧ I(s, c, v) ⇒ G1 (s, c, v) ∨ . . . ∨ Gn (s, c, v) DLF
![Page 352: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/352.jpg)
Rela/ve Deadlock Freedom
• There a no new deadlocks in the concrete model, that is, all dead-‐ locks of the concrete model are already present in the abstract model.
18
P (s, c) ∧ I(s, c, v) ∧ J(s, c, v, w) ∧ Gi (s, c, v) ⇒ H1 (s, c, w) ∨ . . . ∨ Hm (s, c, w) ∨ N1 (s, c, w) ∨ . . . ∨ Nn (s, c, w)
DLF
![Page 353: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/353.jpg)
New Event
• New Event may be introduced in refinement: – new event refines an implicit skip
– Should not run forever, variant is used. Each new event decreases the variant which is well founded structured e.g. (N,≤) .
19
P (s, c) ⇒∃ v’ ·∙ RI(s, c, v’ ) INI_FIS
P (s, c) ∧ RI(s,c,v’) ⇒ I(s, c, v’) INI_INV
RI(s,c,v’): the aGer predicate of the generalized subs/tu/on with ini/aliza/on INI_FIS: feasibility statement for ini/aliza/on INI_INV: invariant preserva/on statement for ini/aliza/on.
![Page 354: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/354.jpg)
An/cipa/ng New Events
• Skip and variant are used. • Try to select a variant that check range of events. e.g. n = 2*(a+b)
20
![Page 355: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/355.jpg)
Complexity of Systems
• techniques can be used to master this complexity – Refinement allows us to build model gradually – Decomposi/on: Refinement does not solve alone the problem of complexity, A large model can be decomposed into smaller ones.
– generic instan/a/on: Models can be parameterized with carrier sets and constants, Constants are specified by means of proper/es, Analogy with algebraic theories.
21
![Page 356: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/356.jpg)
Example
The system is controlling cars on a bridge between the mainland and an island
FUN-‐1
The system has two traffic lights with two colors: green and red EQP-‐1
The traffic lights control the entrance to the bridge at both ends of it EQP-‐2
Cars are not supposed to pass on a red traffic light, only on a green one EQP-‐3
The system is equipped with four car sensors each with two states: on or off EQP-‐4
The sensors are used to detect the presence of cars entering or leaving the bridge
EQP-‐5
The number of cars on the bridge and the island is limited FUN-‐2
The bridge is one way or the other, not both at the same /me FUN-‐3
22
![Page 357: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/357.jpg)
Example: Refinement Strategy
• Ini/al model: Limi/ng the number of cars (FUN-‐2)
• First refinement: Introducing the one way bridge (FUN-‐3)
• Second refinement: Introducing the traffic lights (EQP-‐1,2,3)
• Third refinement: Introducing the sensors (EQP-‐4,5)
23
![Page 358: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/358.jpg)
Example: Ini/al Model
24
Bridge and island
Mainland
ML-‐out
ML-‐in
ML-‐out: leave mainland ML-‐in: enter mainland
![Page 359: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/359.jpg)
Example: Constants and Axioms
• Context: constant d with axiom axm01 – d is the maximum number of cars allowed on the Island-‐Bridge.
– axm01 states that d ∈ N is a natural number
• Machine: variable v with invariants inv01 and inv02. – n is the effec/ve number of cars on the Island-‐Bridge.
– n is a natural number (inv0 1). – n is always smaller than or equal to d (inv0 2).
25
![Page 360: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/360.jpg)
Example: Events
• Event ML out increments the number of cars – ML_out n := n + 1
• Event ML in decrements the number of cars. – ML_in n := n − 1
• two invariants: – inv01: n∈N
– inv02: n≤d • Thus, we need to prove four proof obliga/ons
26
![Page 361: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/361.jpg)
PO for ML out and inv01 and inv02
• ML_out n := n + 1 , (n′ = n + 1) – d∈N ∧ n∈N ∧ n ≤ d ⊢ n+1∈ N inv01
• ML_out n := n + 1, (n′ = n + 1) – d∈N ∧ n∈N ∧ n≤d ⊢ n+1 ≤ d inv02
• Proof fails: n ≤ d ⊢ n+1 ≤ d we cannot conclude with rule INC (n < d needed)
27
![Page 362: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/362.jpg)
Reasons for Proof Failure
• We needed hypothesis n<d to prove MLout /inv02/INV
• We needed hypothesis 0<n to prove MLin /inv01/INV
• We are going to add n < d as a guard to event ML_out
• We are going to add 0 < n as a guard to event ML_in
28
![Page 363: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/363.jpg)
Introducing Guards
• ML out when n<d then n := n + 1 end • ML in when 0<n then n := n − 1 end
29
![Page 364: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/364.jpg)
RODIN
• Run example in RODIN
30
![Page 365: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/365.jpg)
References
1 Logic of Specification Languages, Dines Bjorner and Martin C. Henson, Springer 2008
2 Modeling in Event-BSystem and Software Engineering, Jean-Raymond Abrial, Cambridge University Press, 2010
3 Event-‐B Language, C. Métayer (ClearSy) J.-‐R. Abrial, L. Voisin (ETH Zürich), 2005
4 The event-B website. http://www.event-b.org/
31
![Page 366: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/366.jpg)
McMaster University Department of Computing and Software
CAS707: Formal Specification Techniques The Typed Logic of Partial Functions
and VDM
Samir Al-Janabi April 5th, 2011
![Page 367: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/367.jpg)
2
Outline
Introduction Big Picture of VDM Method VDM-SL: Biased Queue Example-Introductory Example VDM-SL Motivation for Formal Proof Formal Proof in VDM A Proof Framework for VDM-Mural Big Picture of Typed Logic of Partial Functions The Typed Logic of Partial Functions Theories Supporting VDM-SL VDMTools VDMTools of VDM-SL Conclusion
![Page 368: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/368.jpg)
3
Introduction
VDM (Vienna Development Method) is a collection of techniques for the modeling, specification, and design of computer-based systems.
It is one of the longest-established Formal Methods. Originating in work done at IBM's Vienna Laboratory in the 1970s.
VDM’s roots lie in work on programming language definition, notably the attempt to give a formal definition of the semantics of the PL/I language using a notation that came to be known as the Vienna Definition Language (VDL).
![Page 369: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/369.jpg)
4
Introduction (Continued)
It has grown to include a group of techniques and tools based on a formal specification language - the VDM Specification Language (VDM-SL).
VDM-SL is a model-oriented language. It has an extended form, VDM++, which supports the
modeling of object-oriented and concurrent system.
![Page 370: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/370.jpg)
5
Big Picture of VDM Method
![Page 371: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/371.jpg)
6
VDM-SL: Biased Queue Example- Introductory Example
![Page 372: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/372.jpg)
7
VDM-SL
A model in VDM-SL consists of: Data types States Functions:
Implicit, i.e. specified in terms of pre- and post-conditions.
Explicit: i.e. functions are expressions of input as in functional programming.
Operations: change states of the model
![Page 373: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/373.jpg)
8
VDM-SL: Basic Types
bool Boolean datatype nat natural numbers (including zero) nat1 natural numbers (excluding zero) int integers rat Rational numbers real Real numbers char characters token structureless tokens <A> the quote type containing the value <A>
![Page 374: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/374.jpg)
9
VDM-SL: Type Constructors
T1 | T2 | ... | Tn Union of types T1,...,Tn
T1*T2*...*Tn Cartesian product of types T1,...,Tn
T :: f1:T1 ... fn:Tn Composite (Record) type
Example: The previous example. QUEUEB is a composite type
![Page 375: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/375.jpg)
10
VDM-SL: Collections
Sets The set type constructor (written set of T
where T is a predefined type) constructs the type composed of all finite sets of values drawn from the type T.
Example: UGroup = set of UserId
![Page 376: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/376.jpg)
11
VDM-SL: Collections (Continued)
Sequences The finite sequence type constructor
(written seq of T where T is a predefined type) constructs the type composed of all finite lists of values drawn from the type T.
Example: String = seq of char
![Page 377: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/377.jpg)
12
VDM-SL: Collections (Continued)
Mapping The mapping type constructor in VDM-SL
(written map T1 to T2) whereT1 and T2 are predefined types) constructs the type composed of all finite mappings from sets of T1 values to sets of T2 values.
Example: Birthdays = map String to Date
![Page 378: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/378.jpg)
13
VDM-SL: Functions
Implicit Functions Instead of a formula computing a result, the
precondition and postcondition together form a contract that to be satisfied by any program claiming to implement the function.
Example: SQRT(x:nat) r : real post r*r = n
![Page 379: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/379.jpg)
14
VDM-SL: Functions
Explicit Functions The result is defined by means of an
expression over the inputs.
Example: SqList: seq of nat -> seq of nat SqList(s) == if s = [ ] then [ ] else [(hd s)**2] ^ SqList(tl s)
![Page 380: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/380.jpg)
15
VDM-SL: Operations
Functions do not change the state of a persistent global variable.
Operations are used to change state variables.
Example: ENQUEUE(e:Qel) ext wr s : seq of Qel post s = s~ ^ [e];
![Page 381: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/381.jpg)
16
Motivation for Formal Proof
The aspect of model consistency that cannot be checked give rise to proof obligations.
Example: There is a satisfiability obligation on implicit operations
specifications.
We also want to prove properties about our model, e.g. safety, liveness, etc.
Formal proofs provide greater confidence because proofs are verified by machine.
![Page 382: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/382.jpg)
17
Formal Proof in VDM
In formal proof of Statisfiability, the inference is done, for example, at line 5 by appealing to a specific lemma.
....
![Page 383: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/383.jpg)
18
A Proof Framework for VDM-Mural
The mural system consists of two parts, a VDM support tool and a proof assistant.
The mural interface is based around a series of tools. Each tool occupies a separate window and provides a means of creating, inspecting and interacting with the different types of object within the system.
![Page 384: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/384.jpg)
19
A Proof Framework for VDM-Mural (continued)
Symbols Three kinds of symbols
1. Variables 2. Constants: represent value and type
constructors. Examples: singleton sequence [ _ ], empty set { }
3. Binders Examples: ∀, ∃
![Page 385: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/385.jpg)
20
A Proof Framework for VDM-Mural (continued)
Expressions 1. Variable symbol 2. Constant symbol with the correct number
of argument instantiated 3. Binder binding a variable in another
expression
![Page 386: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/386.jpg)
21
A Proof Framework for VDM-Mural (continued)
Rules of Inference An inference rule consists of a set of
hypotheses, shown above a horizontal line, and a conclusion shown below the line. A name for the rule may be given in a box to the left of the line.
Example:
![Page 387: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/387.jpg)
22
A Proof Framework for VDM-Mural (continued)
Proofs Proofs are represented as arguments from
hypotheses to the conclusion. Each proof is organized into blocks bounded
by from and infer lines. Each justification is an appeal to an
inference rule or a folding/unfolding of a syntactic definition.
![Page 388: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/388.jpg)
23
A Proof Framework for VDM-Mural (continued)
The proof might have the following form:
Example: Consider the following Conjecture:
![Page 389: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/389.jpg)
24
A Proof Framework for VDM-Mural (continued)
Theories A theory is a collection of constant and binder
definitions, axioms and derived results and their proofs.
![Page 390: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/390.jpg)
Big Picture of Typed Logic of Partial Functions
25
![Page 391: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/391.jpg)
26
The Typed Logic of Partial Functions
The Logic of Partial Functions (LPF) is a first-order predicate logic which admits undefined terms resulting from the application of partial functions.
Partial functions are commonplace in computing.
Example: Partial Function. pop( ): e:elem If pop( ) on empty stack? then the result is undefined.
![Page 392: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/392.jpg)
27
The Typed Logic of Partial Functions: Propositional LPF
Aside from the logical values true and false, LPF admits undefined terms, denoted by . Example: The expression A \/ B evaluates to true if either
disjunct evaluates to true, even if the other disjunct is undefined.
![Page 393: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/393.jpg)
28
The Typed Logic of Partial Functions: Propositional LPF (Continued)
True, \/ and ¬ are built-in logical constants. False, /\, etc. are defined by syntactic definitions
![Page 394: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/394.jpg)
29
The Typed Logic of Partial Functions: Propositional LPF (Continued)
The axioms are similar to those of classical propositional logic except for the absence of the law of the excluded middle:
In order to recover the full power of classical logic for propositions and predicates that are well defined, a definedness judgment is added.
![Page 395: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/395.jpg)
30
The Typed Logic of Partial Functions: Propositional LPF (Continued)
This allow the derivation of the qualified version of the Deduction Theorem that holds in LPF:
In general, theorems of classical logic can be formed into theorems of LPF by adding the necessary δ hypotheses.
![Page 396: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/396.jpg)
The Typed Logic of Partial Functions: Predicate LPF with Equality
The logical framework treats quantifiers as binders, with a type restricting the bound variable.
31
Universal Quantification is defined by syntactic definition.
![Page 397: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/397.jpg)
32
The Typed Logic of Partial Functions: Predicate LPF with Equality (Continued)
LPF equality is weak in that it is only defined over denoting terms.
![Page 398: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/398.jpg)
33
Theories Supporting VDM-SL
Theories are necessary to reason about constructs in VDM-SL. For example, when we want to reason about naturals and sets in a VDM-SL model, we need a theories of nat and sets respectively.
Two types: Generic: General theories are provided for type
constructors which are used to build collection types including finite sets, sequences and mappings.
Model-specific: Certain other constructors, such as records, are better handled on a per-model basis, translated into definitions and axiom sets in terms of the constructs in the VDM theories.
![Page 399: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/399.jpg)
34
Theories Supporting VDM-SL: Generic Theories
Example: Theory of finite sets.
The axiomatisation is given in terms of constructors introduced as constants. In the case of sets these are the empty set ({ }) and an add operator.
![Page 400: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/400.jpg)
35
Theories Supporting VDM-SL: Model-Specific Theories
Example: VDM type definition from Queueb example:
The formation axiom for the selector .s is:
![Page 401: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/401.jpg)
36
VDMTools
VDMTools is a set of tools that provide supports for: Syntax checker Type checker Integrity Examiner Interpreter and debugger Test coverage statistics tool Rose - VDM++ link Pretty Printer VDM++ to C++ code generator (Optional) VDM++ to Java code generator (Optional) Java to VDM++ generator (Optional) CORBA Compliant API (Optional)
The models are expressed either in the VDM-SL standard language or in the object-oriented formal specification language VDM++.
![Page 402: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/402.jpg)
37
VDMTools of VDM-SL: An Overview of the Functionality
![Page 403: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/403.jpg)
38
VDMTools of VDM-SL : Example - Syntax Checking of VDM Specifications
![Page 404: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/404.jpg)
39
Conclusion
VDM has a VDM-SL specification language, supports formal proof based on Typed Logic of Partial Functions, and tools support, e.g VDMTools.
VDM-SL is a Model-oriented Specification Language. Typed Logic of Partial Functions is used to support
reasoning about models in VDM-SL. The VDMTools supports software development based
on the specification which is written by formal specification language, VDM-SL or VDM++.
![Page 405: PETRI NETS - McMaster University · 2017. 3. 8. · PETRI NET TOOLS • Graphical editor • Interchange file format • Simplification • Fast simulation • Automated transition](https://reader035.fdocuments.in/reader035/viewer/2022071410/6103ce4249a8ed101d65fbc6/html5/thumbnails/405.jpg)
40
References
Bjorner, D, Henson, M, Logics of Specification Languages, 2008 Springer-Verlag Berlin Heidelberg
Muller, A, VDM - The Vienna Development Method, April 20, 2009, http://www.risc.jku.at/publications/download/risc_3820/main.pdf
Wikipedia, http://en.wikipedia.org/wiki/VDM_specification_language
VDMTools User Manual, (VDM-SL) http://www.vdmtools.jp/uploads/manuals/usermansl_a4E.pdf