Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität and Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik

Slide 2 H. Schlingloff, Logical Specification Temporal logic Description of the dynamics of systems  Model checking of hardware  “Software model checking”: research Linear and branching time logic Temporal assertions languages  SPL, ForSpec, PSL (IEEE Standard)

Slide 3 H. Schlingloff, Logical Specification Example: Coffee Machine

Slide 4 H. Schlingloff, Logical Specification SDL Description

Slide 5 H. Schlingloff, Logical Specification SPL Properties

Slide 6 H. Schlingloff, Logical Specification Towards Temporal Logic

Slide 7 H. Schlingloff, Logical Specification Definability F+ can define F* X and F* can define F+ F* without X can not define F+ Similarly, interval properties can not be expressed

Slide 8 H. Schlingloff, Logical Specification Temporal logic “Modal logic with ‘until’”

Slide 9 H. Schlingloff, Logical Specification Examples

Slide 10 H. Schlingloff, Logical Specification Other connectives

Slide 11 H. Schlingloff, Logical Specification Definability U + can define U*  similar as above, U* can not define U + Unless- or Weak-until- operator In natural models it holds that

Slide 12 H. Schlingloff, Logical Specification The Glory of the Past First order logic can use inverse relations: R -1 (x,y) iff R(y,x) In temporal logic, use past-operators

Slide 13 H. Schlingloff, Logical Specification Declarative Past and Imperative Future Gabbay argues for the following normal form (φ  ψ) where φ is a pure past or present declarative formula, and ψ is a pure future imperative formula Executable temporal logic Tempura programming language (Mostowsky)  TLA Temporal logic of actions (Lamport)

Slide 14 H. Schlingloff, Logical Specification Temporal Logic and First Order Logic Standard Translation

Slide 15 H. Schlingloff, Logical Specification Two- and Three Variable Fragment FOL gives for each temporal formula a first order formula with exactly one free variable For modal logic, FOL can be refined such that the resulting formula uses only two bound variables (reuse variables inside). For the until-operator, three variables are needed and sufficient. Certain first-order theories (e.g. the theory of complete linear orders) are also in the three-variable fragment. Translation from first order formulas of these theories into temporal logic?

Slide 16 H. Schlingloff, Logical Specification Expressive completeness TL is called expressively complete for a certain class of models, if for every first order formula there is an equivalent temporal one  Natural model: isomorphic to the integers  Linear model: all points linearly ordered  Complete linear order: limits exist Kamp’s theorem: TL is expressively complete for complete linear orders

Slide 17 H. Schlingloff, Logical Specification Wrap-Up What has been achieved  logics: propositional logic, first-order logic, Z, B, OCL, Spec#  methods: normalization, model checking, theorem proving, assertional reasoning, test generation  tools: COQ, NuSMV, CZT, Octopus, SpecExplorer What remains to be done  other logics: ZFC (set theory), HOL (higher-order logic), VDM, OZ (object-Z), LTL/CTL, TLA+, ForSpec, Sugar/PSL  other methods: static analysis, handling of pointers, worst case execution time (WCET) estimation, run-time monitoring, …  more tools: integrated proof assistants (e.g. proof general, ACE assertion checking environment, Frama-C, …)

Slide 18 H. Schlingloff, Logical Specification Questions?

Slide 19 H. Schlingloff, Logical Specification Examination sample dialog?