Formal Methods in software development a.y.2017/2018 Prof. Anna Labella 1/14/2019

The predicate calculus [H-R ch.2] The need for a richer language Terms and formulas quantifiers 1/14/2019

Syntax Inductive term definition BNF t::= x | c | f(t1,t2,…,tn) 1/14/2019

Syntax Inductive definition of wff BNF ::= p(t1,t2,…,tn) | t1=t2 | () | () | () | () | x | x 1/14/2019

Semantics syntactical data F functional symbols- constants P predicate symbols An interpretation M a non empty set (domain) A F  a set of functions fM on A (An) P  a set of relations PM on A (An) 1/14/2019

Semantics A subset is the interpretation of a 1-ary predicate A n-ary relation is the interpretation of a n-ary predicate 1/14/2019

An example: arithmetics syntactical data F: f1(-,-), f2(-,-), f0(-), c P: - = -, P1(-,-) An interpretation M Natural numbers (domain) Functions : - + -, - . -, s(-), 0 Predicates: - = -, - ≤ - 1/14/2019

Semantics environments Assigning values l: var  elements of A 1/14/2019

Semantics Summing up, we are given with 1/14/2019

An example: arithmetics 2 f1(c,x)=x always true in the interpretation f2(c,x)=x sometimes true sometimes false in the interpretation depending on the assignment x(f1(c,x)=x) true in the interpretation x(f2(c,x)=x) true in the interpretation x(f2(c,x)=x) false in the interpretation x(f1(c,x)=f1(c,x)) valid 1/14/2019

Semantics An interpretation M is a model of  M |=l  : 1/14/2019

Semantics: satisfiability 1/14/2019

Exercises 1/14/2019

Semantics: validity is valid if for every intepretation and for every environment M |=  1/14/2019

Properties Soundness  |-   M |=  Completeness M |=    |-  Indecidability Compactness Expressivity 1/14/2019

Second order logic Existential second order logic Universal second order logic Peano’s arithmetics 1/14/2019

Specification, verification and logics [H-R ch.3] Logic provides: A framework for modelling systems A specification language for describing properties to be verified A verification method to ascertain whether the description of the system satisfies the properties 1/14/2019

Possibilities of approaching model verification Proof-based Γ |-- φ Γ is the description while φ is the property to be satisfied Degree of automation: Fully automatic Full behaviour Sequential Reactive …. A priori Model based M |= φ M is a finite model (only one) Manual One property Concurrent Terminating ….. A posteriori 1/14/2019

We are possibly dealing with Γ |-- φ proof theory Γ |= φ semantic entailment M |= φ satifiability 1/14/2019

We are possibly dealing with Γ |-- φ Γ |= φ M |= φ 1/14/2019

We are possibly dealing with Γ |-- φ Γ |= φ M |= φ 1/14/2019

Model Checking Concurrent systems Reactive systems Temporal aspects Automatic Based on a builded model Verifying satisfiability of properties A posteriori Provides a counterexample Concurrent systems Reactive systems Temporal aspects 1/14/2019

A formula can change its truth value We build a model M We model our system using the description language of the model checker We code the property to be verified in the same language and the model checker should say whether M |= φ or not Time could change the truth value of a formula M,s |= φ or not for a given state s In this last case it is often possible using the model checker to have a counterexample 1/14/2019

Models and states A model M is an abstraction: it can describe very different things and omits lot of particulars A model M is a transition system We have states and and transitions between them. An assignment statement can make the model move from one state to another one We can think of a transition system as a set S of states together with a binary relation    S ✕ S and a labeling function L: S  P(atoms) 1/14/2019

A transition system 1 1/14/2019

A transition system 2 unwinding 1/14/2019

Linear and branching time 1/14/2019

Exercises 1/14/2019