Speci cation and Documentation Techniques: Formal methods ...se3ra3/2016/LN18-2016.pdf · Last few...

Last few lecturesFormal Methods

Specification and Documentation Techniques:Formal methods. Discrete Mathematics and

Predicate Logic.CS/SE 3RA3

Ryszard Janicki

Department of Computing and Software, McMaster University, Hamilton,Ontario, Canada

Ryszard Janicki Formal Methods. Discrete Math. and Predicate Logic. 1/30


Most important graphical notations

Conceptual structures: entity-relationship diagrams

Information flows: context diagrams and dataflowdiagrams

System behaviors: state machine diagrams

System operations: use case diagrams

Modeling scenarios and workflows : activity diagrams

You will have to use all of them in Assignment 2, some ofthem for the midterm and all of them for the exam.



Discrete Mathematics and Predicate Logic

What are Formal Methods?

Formal = Mathematical

Methods = Structured Approaches, Strategies

Using mathematics in a structured way to analyze anddescribe a problem.




What kind of Formal Methods?

Standard Discrete Mathematics and Predicate Logic

Temporal Logic

Tabular Expressions




Useful Mathematics

Set theory

Functions and Relations

First-order predicate logic

Before-After predicates, this is the only thing you might notknow!




Sets




Functions and Relations




Predicate Logic


Before-After Predicates

“People can enter the building if they have their ID with them.When entering, they have to leave their ID card at the registrationdesk.”

hasAuthorization : PEOPLE → {true, false}carriesPassport : PEOPLE → {true, false}passportOf : PEOPLE → PASSPORTSinBuilding : PEOPLE → {true, false}peopleInBuilding : P(PEOPLE ) (or set(PEOPLE ))passportsAtDesk : P(PASSPORTS) (or set(PASSPORTS))

hasAuthorization(p) ∧ carriesPassport(p) ∧ ¬inBuilding(p) =⇒peopleInBuilding ′ = peopleInBuilding ∪ {p} ∧passportsAtDesk ′ = passportsAtDesk ∪ {passportOf (p)} ∧inBuilding(p) ∧ ¬carriesPassport(p)

¬(hasAuthorization(p)∧ carriesPassport(p)∧¬inBuilding(p)) =⇒peopleInBuilding ′ = peopleInBuilding ∧passportsAtDesk ′ = passportsAtDesk



The advantages of using math for any analytical problem

Short notation

Forces you to be precise

Identifies ambiguity

Clean form of communication

Makes you ask the right questions




Short Notation

Compare:

“For every ticket that is issued, there has to be a single person thatis allowed to enter. This person is called the owner of the ticket.”

with

TicketOwner : IssuedTickets → Person




Forced Precision

“On red traffic lights, people normally stop their cars.”

What does “normally” mean? How should we build a system basedon this statement? What are the consequences? What happens inthe exceptional case?

Formalization Fails! We cannot formalize until the abovequestions are answered!




Identified Ambiguity

“When the temperature is too high, the ventilation has to beswitched on or the maintenance staff has to be informed.”

May we do both? (standard logical “or”)

TemperatureIsHigh =⇒ (NotifyStaff ∨ VentilationOn)

or (exclusive “or”, i.e. “xor”, often denoted as ⊕ or Y)

TemperatureIsHigh =⇒(NotifyStaff ∨ VentilationOn) ∧ ¬(NotifyStaff ∧ VentilationOn)or equivalentlyTemperatureIsHigh =⇒ (NotifyStaff Y VentilationOn)




Asking the Right Questions

“Every customer has is either trusted or untrusted.”

∀c ∈ CUSTOMER : trusted(c) Y untrusted(c)

“Upon internet purchase, a person is automatically registered as anew customer.”

InternetPurchase : CUSTOMER × CMS→ CMS, whereCMS = P(CUSTOMER) and P denotes the powerset.

InternetPurchase(c) : customers ′ = customers ∪ {c}

Is the new customer trusted or untrusted ?!




Clean Form of Communication

Every mathematical notation has a precise semantic definition.

New constructs can be added defined in terms of oldconstructs.

Math does not need language skills and can be easilyunderstood in an international context.




Tiny Example Problem: Temperature control

“The software should control the temperature of the room. It canread the current temperature from a thermometer. Should thetemperature fall below a lower limit, then the heater should beswitched on to raise the temperature. Should it rise above anupper limit, then the cooling system should be switched on tolower the temperature.”[...]“Safety concern: the heater and the cooler should never beswitched on at the same time.”




Formal Specification: Temperature control

currentTemparature : INTEGER ←do you remember theconcept of type in discrete math?

lowerLimit : INTEGERupperLimit : INTEGERcoolingSystem : {on, off }heatingSystem : {on, off }

(coolingSystem = on) =⇒ (heatingSystem = off )(heatingSystem = on) =⇒ (coolingSystem = off )

(coolingSystem = off ∧ currentTemperature > upperLimit) =⇒coolingSystem = oncurrentTemperature ≤ upperLimit =⇒ coolingSystem = off


Train movement and door problem: from the textbook

measuredSpeed : Reals (or Integers? what precision?)doorState : {closed , open, closing , opening , almost closed , . . .}TrainSpeed : Reals (or Integers? what precision)DoorClosed : {true, false}TrainMoving : {true, false}, and much more...

measuredSpeed 6= 0 =⇒ doorState = closedmeasuredSpeed = 0 =⇒ doorState ∈ {open, closing , opening}, ...measuredSpeed 6= 0 ⇐⇒ trainSpeed 6= 0,|measuredSpeed − trainSpeed | < 2km/hDoorClosed ⇐⇒ doorState = ‘closed’TrainMoving ⇐⇒ trainSpeed 6= 0, and much more...

From the above we can derive that for exampleTrainMoving =⇒ DoorClosed

and many more...



Elevator: Some Functional Requirements

Requirement:The doors must not open when the elevator is moving.

Formal Specification:Domain and Notation.

ELEVATOR : set of all elevators in the buildingelevatorMoving : {true, false}doorState : ELEVATOR → {closed , open}

e ∈ ELEVATOR

Statement.

elevatorMoving(e) = true ⇒ doorState(e) = closeddoorState(e) = open⇒ elevatorMoving(e) = false



Requirement:Pressing a floor number button on the elevator will setthe elevator to move in that direction to the indicatedfloor after the doors close.Notes:

The hold direction does not need to be included because it isencompassed by the floorsPressed set being empty.There are two predicates from this requirement.

1 The first is if a button is pressed, and that floor is abovewhere they currently are, doors close, and the elevator beginsto move up.

2 The second is parallel to it, but if the floor is below thecurrent floor, then the elevator goes down.

The requirement doesn’t state that the elevator had to bemoving in that direction originally (if the elevator is going up,in practice, it should only service floors pressed that are abovethe current floor), so those conditions were not added.Instead, whatever is pressed, it will go to, regardless ofprevious direction.


Formal Specification:Domain and Notation.

FLOOR : set of all floors served by elevatorsELEVATOR : set of all elevators in the buildingelevatorDirection : ELEVATOR → {up, down, hold}floorsPressed : set(MAX FLOORS)isPressed : FLOOR → {true, false}curFloor : → FLOOR

f ∈ FLOOR;e ∈ ELEVATOR

Statement.

(isPressed(f ) ∧ (f > curFloor))⇒(floorsPressed ′ = floorsPressed ∪ {f } ∧ doorState(e) =closed ∧ elevatorMoving = true ∧ elevatorDirection = up)

(isPressed(f ) ∧ (f < curFloor))⇒(floorsPressed ′ = floorsPressed ∪ {f } ∧ doorState(e) =closed ∧ elevatorMoving = true ∧ elevatorDirection = down)



Predicate Calculus in Requirements Engineering

In Requirements Engineering, Predicate Calculus is moreoften used for describing requirements than to prove thedesired properties.

Proving properties in formal way is usually done forsafety critical systems or safety critical parts of systems.




Elevator movement and door problem: An example of aproof

Requirement: ”For safety reasons, in any passenger lift, ifthe lift is moving, not responding to a request, or out ofservice, then the doors must be closed.”

Mathematical Domains:

measuredSpeed : R (Real numbers)doorState : {closed, open}elevatorSpeed : R (Real numbers)doorClosed : {true, false}elevatorMoving : {true, false}elevatorDirection : {up, down, holding}elevatorState : {active, outService}emergButton : {pressed, notPressed}hasRequest : {true, false}


Elevator movement and door problem: SFOREQ, ASM,DOM, SYSREQ

SOFREQ:measuredSpeed 6= 0⇒ doorState = closed ∨elevatorDirection = holding ⇒ doorState = closed ∨elevatorState = outService ⇒ doorState = closedASM:measuredSpeed 6= 0⇔ elevatorSpeed 6= 0 ∨doorClosed ⇔ doorState = closed∨emergButton = pressed ⇒ elevatorState = outService ∨hasRequest = false ⇔ elevatorDirection = holdingDOM:elevatorMoving = true ⇔ elevatorSpeed 6= 0 ∨measuredSpeed 6= 0⇔ elevatorDirection ∈ {up, down} ∨elevatorDirection = holding ⇒ elevatorMoving = false ∨SYSREQ:(elevatorMoving ∨ emergButton = pressed ∨ hasRequest = false)⇒doorClosed

Proof of (SOFREQ, ASM, DOM |= SYSREQ)

Looking at all three individual components of the LHS, we willshow all imply doorClosed.

It will be derived through the axioms listed in SOFREQ, ASM,and DOM, which, when the premises are presumed to be true,will guarantee validity.

Because the theorem can be proven deductively, it is complete.

The validity of the solution indicates that when the elevator ismoving, or the emergency button has been pressed, or theelevator does not have a request, it will have it’s doors closed.

The completeness of the solution deductively shows that thesepremises must actually be true (and not assumed to be true).




(a) elevatorMoving ⇒ doorClosed

elevatorMoving⇔ 〈DOM : elevatorMoving = true ⇔ elevatorSpeed 6= 0〉elevatorSpeed 6= 0⇔ 〈ASM : measuredSpeed 6= 0⇔ elevatorSpeed 6= 0〉measuredSpeed 6= 0⇒ 〈SOFREQ : measuredSpeed 6= 0⇒ doorState = closed〉doorState = closed⇔ 〈ASM : doorClosed ⇔ doorState = closed〉doorClosed





(b) emergButton = pressed ⇒ doorClosed

emergButton = pressed⇒ 〈ASM : emergyButton = pressed ⇒ elevatorState =outService〉elevatorState = outService⇒ 〈SOFREQ : elevatorState = outService ⇒ doorState =closed〉doorState = closed⇔ 〈ASM : doorClosed ⇔ doorState = closed〉doorClosed





(c) hasRequest = false ⇒ doorClosed

hasRequest = false⇔ 〈ASM : hasRequest = false ⇔ elevatorDirection =holding〉elevatorDirection = holding⇒ 〈SOFREQ : elevatorDirection = holding ⇒ doorState =closed〉doorState = closed⇔ 〈ASM : doorClosed ⇔ doorState = closed〉doorClosed




Problem with Predicate Logic

First Order Predicate Logic is undecidable

In particular P =⇒ Q is undecidable

Hence SOFTREQ,ASM,DOM |= SESREQ is undecidable

This means that a ’push button’ universal automatic theoremprover will never be built!

Propositional logic (i.e. no ∃, ∀) is decidable

But expressive power of propositional logic (i.e. only∨,∧,¬, =⇒ , ⇐⇒ ) is rather weak!

Are there other logics that are decidable, but with strongerexpressive power?




Predicate Calculus: Final Comments

After some training, most users do not have much problemswith describing system properties with Predicate Calculus,however proving is another story.

Undecidability of First Order Predicate Calculus makesautomatic theorem proving problematic and difficult.

In Requirements Engineering it is mainly used to describedesired properties of crucial and critical parts of systems, andto prove crucial parts of safety critical systemes.


Speci cation and Documentation Techniques: Formal methods ...se3ra3/2016/LN18-2016.pdf · Last few...

Documents

Transcript of Speci cation and Documentation Techniques: Formal methods ...se3ra3/2016/LN18-2016.pdf · Last few...