Embed Size (px)
Citation preview
22.4.2008
Formal Methods of Systems SpecificationLogical Specification of Hard- and Software
Prof. Dr. Holger SchlingloffInstitut für Informatik der Humboldt Universität
and
Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik
22.4.2008 Slide 2H. Schlingloff, Logical Specification
A first example
A new video camcorder (“DCR-PC330”) owner's manual almost incomprehensible can be found in the internet typical for such devices
off
memorytape play
dn
dn dn
dn
up up up
22.4.2008 Slide 3H. Schlingloff, Logical Specification
• Such models can help in the development of complex systems ("model-driven design")
• The more concrete the formalism, the closer it is to an implementation executable code may be generated from state
diagrams We might add additional information such as
timing, communication, variables and such.
• Specification as opposed to modeling describes properties of the targeted system not aiming at a complete description of the system not aiming at the generation of executable code
22.4.2008 Slide 4H. Schlingloff, Logical Specification
Screen menu
• The power-switch by itself is not a "complex system“ (Even I didn't need long to understand it).
• Let's look at the screen menu.
22.4.2008 Slide 5H. Schlingloff, Logical Specification
Screen menu (contd.)
greyed out
invisible
22.4.2008 Slide 6H. Schlingloff, Logical Specification
• There are menus, items and settings menus: Camera Set,... items: Volume, LCD
Brightness, ... settings: on/off, 0-100%, ...
• Items may be nested in two levels
• Setting screen allows to choose the value of a particular variable only the relevant variables
may be accessed
22.4.2008 Slide 7H. Schlingloff, Logical Specification
Modelling as a tree
Menu-off
MemorySet Pict.Appli. StandardSet CameraSet...
Volume LCD/VFSet RemoteCtrl
LCDBright LCD Color
... ...
...
Menu
22.4.2008 Slide 8H. Schlingloff, Logical Specification
Modelling as a tree
Menu-off
MemorySet Pict.Appli. StandardSet CameraSet...
Volume LCD/VFSet RemoteCtrl
LCDBright LCD Color
... ...
...
Menu
22.4.2008 Slide 9H. Schlingloff, Logical Specification
• Menus are mode-dependent As a consequence, the up- and
down-relations in the graph aremode-dependent
Since the first line is not uniform,also the menu-relation is mode-dependent
• Formalization shows weaknessin the design (usability) what is hard to formalize is hard to
understand and likely to contain orcause errors
• How to describe such a structure? homework
(consider cases that an item disappears and that it is greyed out)
Camera /Tape
Camera /Memory
Play /Edit
Camera Set + + -Memory Set - + +Pict.Appl. + + +Edit/Play + - +Standard Set + + +Time/Langu + + +
22.4.2008 Slide 10H. Schlingloff, Logical Specification
Propositional Logic
• A formal specification method consists of three parts syntax, i.e., what are well-formed specifications semantics, i.e., what is the meaning of a specification calculus, i.e., what are transformations or deductions
of a specification
• Propositional logic: probably the first and most widely used specification method dates back to Aristotle, Chrysippus, Boole, Frege, … base of most modern logics fundamental for computer science
22.4.2008 Slide 11H. Schlingloff, Logical Specification
Syntax of Propositional Logic
•Let Ρ be a finite set {p1,…,pn} of propositionsand assume that , and (, ) are not in
•SyntaxPL ::= Ρ | | (PL PL)
every p is a wff is a wff („falsum“) if and are wffs, then () is a wff nothing else is a wff
22.4.2008 Slide 12H. Schlingloff, Logical Specification
Remarks
• Ρ may be empty still a meaningful logic!
• Minimalistic approach infix-operator necessitates parentheses other connectives can be defined as usual
¬ ≙ ( ) (linear blowup!)Τ ≙ ¬() ≙ (¬)() ≙ ¬(¬¬) ≙ ¬(¬)() ≙ (()()) (exponential blowup!)
operator precedence as usual literal = a proposition or a negated proposition
22.4.2008 Slide 13H. Schlingloff, Logical Specification
Semantics of Propositional Logic
• Propositional Model Truth value universe U: {true, false} Interpretation I: assignment Ρ ↦ U Model M: (U,I)
• Validation relation ⊨ between model M and formula M ⊨ p if I(p)=true M ⊭ M ⊨ () if M ⊨ implies M ⊨
• M validates or satisfies iff M ⊨ is valid (⊨) iff every model M validates is satisfiable (SAT()) iff some model M satisfies
22.4.2008 Slide 14H. Schlingloff, Logical Specification
Propositional Calculus
• Various calculi have been proposed boolean satisfiability (SAT) algorithms tableau systems, natural deduction, enumeration of valid formulæ
• Hilbert-style axiom system⊢ (()) (weakening)
⊢ ((()) (()())) (distribution)
⊢ (¬¬) (excluded middle)
, () ⊢ (modus ponens)
• Derivability All substitution instances of axioms are derivable If all antecedents of a rule are derivable, so is the
consequent
22.4.2008 Slide 15H. Schlingloff, Logical Specification
An Example Derivation
Show ⊢ (pp)
(1)⊢(p((pp)p))((p(pp))(pp)) (dis)
(2)⊢(p((pp)p)) (wea)
(3)⊢((p(pp))(pp)) (1,2,mp)
(4)⊢(p(pp)) (wea)
(5)⊢(pp) (3,4,mp)
22.4.2008 Slide 16H. Schlingloff, Logical Specification
Correctness and Completeness
•Correctness: ⊢ ⊨Only valid formulæ can be derived Induction on the length of the derivation Show that all axiom instances are valid, and
thatthe consequent of (mp) is valid if both antecedents are
•Completeness: ⊨ ⊢All valid formulæ can be derived Show that consistent formulæ are satisfiable
~⊢¬ ~⊨¬
22.4.2008 Slide 17H. Schlingloff, Logical Specification
Consistency and Satisfiability
• A finite set Φ of formulæ is consistent, if ~⊢¬ΛΦ• Extension lemma: If Φ is a finite consistent set of formulæ
and is any formula, then Φ{} or Φ{¬} is consistent Assume ⊢¬(Φ) and ⊢¬(Φ¬). Then ⊢(Φ¬) and ⊢(Φ¬¬).
Therefore ⊢¬Φ, acontradiction.
• Let SF() be the set of all subformulæ of • For any consistent , let #
be a maximal consistent extension of (i.e., # and for every SF(), either #or #. (Existence guaranteed by extension lemma)
22.4.2008 Slide 18H. Schlingloff, Logical Specification
Canonical models
• For a maximal consistent set #, the canonical model CM(#) is defined by I(p)=true iff p#.
• Truth lemma: For any SF(), I()=true iff #
Case =p: by construction Case =: Φ{} cannot be consistent Case =(12): by induction hypothesis and derivation
• Therefore, if is consistent, then for any maximal consistent set #, CM(#)⊨ any consistent formula is satisfiable any unsatisfiable formula is inconsistent any valid formula is derivable
22.4.2008 Slide 19H. Schlingloff, Logical Specification
Example: Combinational Circuits
•Multiplexer
S selects whether I0 or I1 is output to Y
Y = if S then I1 else I0 end
(Y((SI1)(¬SI0)))
Pictures taken from: http://www.scs.ryerson.ca/~aabhari/cps213Chapter4.ppt
I0 I1 S Y
0 0 0 0
1 0 0 1
0 1 0 0
22.4.2008 Slide 20H. Schlingloff, Logical Specification
Boolean Specifications
•Evaluator (output is 1 if input matches a certain binary value)
•Encoder (output i is set if binary number i is on input lines)
•Majority function (output is 1 if half or more of the inputs are 1)
•Comparator (output is 1 if input0 > input1)
•Half-Adder, Full-Adder, …
22.4.2008 Slide 21H. Schlingloff, Logical Specification
Software Example
•Code generator optimization if (p and q) then if (r) then x else y else if (q
or r) then y else if (p and not r) then x else y
•Loop optimization
22.4.2008 Slide 22H. Schlingloff, Logical Specification
Verification of Boolean Functions
• Latch-Up: can a certain line go up? does (¬L0) hold? is (L0) satisfiable?
• Given , ; does () hold? usually reduced to SAT:
is ((¬)(¬)) satisfiable? efficient SAT-solver exist (annual competition) partitioning techniques
• any output depends only on some inputs find which ones generate test patterns (BIST: built-in-self-test)
22.4.2008 Slide 23H. Schlingloff, Logical Specification
Optimizing Boolean Functions
•Given ; find such that () holds and is „optimal“ much harder question optimal wrt. speed / size / power /… translation to normal form (e.g., OBDD)
