Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität and Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik

Slide 2 H. Schlingloff, Logical Specification A first example A new video camcorder (“DCR-PC330”)  owner's manual almost incomprehensible  can be found in the internet  typical for such devices off memorytapeplay dn up

Slide 3 H. Schlingloff, Logical Specification Such models can help in the development of complex systems ("model-driven design") The more concrete the formalism, the closer it is to an implementation  executable code may be generated from state diagrams  We might add additional information such as timing, communication, variables and such. Specification as opposed to modeling describes properties of the targeted system  not aiming at a complete description of the system  not aiming at the generation of executable code

Slide 4 H. Schlingloff, Logical Specification Screen menu The power-switch by itself is not a "complex system“ (Even I didn't need long to understand it). Let's look at the screen menu.

Slide 5 H. Schlingloff, Logical Specification Screen menu (contd.) greyed out invisible

Slide 6 H. Schlingloff, Logical Specification There are menus, items and settings  menus: Camera Set,...  items: Volume, LCD Brightness,...  settings: on/off, 0-100%,... Items may be nested in two levels Setting screen allows to choose the value of a particular variable  only the relevant variables may be accessed

Slide 7 H. Schlingloff, Logical Specification Modelling as a tree Menu-off MemorySet Pict.Appli.StandardSetCameraSet... VolumeLCD/VFSetRemoteCtrlLCDBrightLCD Color... Menu

Slide 8 H. Schlingloff, Logical Specification Modelling as a tree Menu-off MemorySet Pict.Appli.StandardSetCameraSet... VolumeLCD/VFSetRemoteCtrlLCDBrightLCD Color... Menu

Slide 9 H. Schlingloff, Logical Specification Menus are mode-dependent  As a consequence, the up- and down-relations in the graph are mode-dependent  Since the first line is not uniform, also the menu-relation is mode- dependent Formalization shows weakness in the design (usability)  what is hard to formalize is hard to understand and likely to contain or cause errors How to describe such a structure?  homework (consider cases that an item disappears and that it is greyed out) Camera /Tape Camera /Memory Play /Edit Camera Set Memory Set Pict.Appl Edit/Play Standard Set Time/Langu + + +

Slide 10 H. Schlingloff, Logical Specification Propositional Logic A formal specification method consists of three parts  syntax, i.e., what are well-formed specifications  semantics, i.e., what is the meaning of a specification  calculus, i.e., what are transformations or deductions of a specification Propositional logic: probably the first and most widely used specification method  dates back to Aristotle, Chrysippus, Boole, Frege, …  base of most modern logics  fundamental for computer science

Slide 11 H. Schlingloff, Logical Specification Syntax of Propositional Logic Let Ρ be a finite set {p 1,…,p n } of propositions and assume that ,  and (, ) are not in  Syntax PL ::= Ρ |  | (PL  PL)  every p  is a wff   is a wff („falsum“)  if  and  are wffs, then (  ) is a wff  nothing else is a wff

Slide 12 H. Schlingloff, Logical Specification Remarks Ρ may be empty  still a meaningful logic! Minimalistic approach  infix-operator  necessitates parentheses  other connectives can be defined as usual ¬  ≙ (    )(linear blowup!) Τ ≙ ¬  (  ) ≙ (¬  ) (  ) ≙ ¬(¬  ¬  ) ≙ ¬(  ¬  ) (  ) ≙ ((  )  (  )) (exponential blowup!)  operator precedence as usual  literal = a proposition or a negated proposition

Slide 13 H. Schlingloff, Logical Specification Semantics of Propositional Logic Propositional Model  Truth value universe U: {true, false}  Interpretation I: assignment Ρ ↦ U  Model M: (U,I) Validation relation ⊨ between model M and formula   M ⊨ p if I(p)=true  M ⊭   M ⊨ (  ) if M ⊨  implies M ⊨  M validates or satisfies  iff M ⊨    is valid ( ⊨  ) iff every model M validates    is satisfiable (SAT(  )) iff some model M satisfies 

Slide 14 H. Schlingloff, Logical Specification Propositional Calculus Various calculi have been proposed  boolean satisfiability (SAT) algorithms  tableau systems, natural deduction,  enumeration of valid formulæ Hilbert-style axiom system ⊢ (  (  )) (weakening) ⊢ ((  (  ))  ((  )  (  ))) (distribution) ⊢ (¬¬  ) (excluded middle) , (  ) ⊢  (modus ponens) Derivability  All substitution instances of axioms are derivable  If all antecedents of a rule are derivable, so is the consequent

Slide 15 H. Schlingloff, Logical Specification An Example Derivation Show ⊢ (p  p) (1) ⊢ (p  ((p  p)  p))  ((p  (p  p))  (p  p)) (dis) (2) ⊢ (p  ((p  p)  p)) (wea) (3) ⊢ ((p  (p  p))  (p  p)) (1,2,mp) (4) ⊢ (p  (p  p)) (wea) (5) ⊢ (p  p) (3,4,mp)

Slide 16 H. Schlingloff, Logical Specification Correctness and Completeness Correctness: ⊢   ⊨  Only valid formulæ can be derived  Induction on the length of the derivation  Show that all axiom instances are valid, and that the consequent of (mp) is valid if both antecedents are Completeness: ⊨   ⊢  All valid formulæ can be derived  Show that consistent formulæ are satisfiable ~ ⊢ ¬   ~ ⊨ ¬ 

Slide 17 H. Schlingloff, Logical Specification Consistency and Satisfiability A finite set Φ of formulæ is consistent, if ~ ⊢ ¬Λ  Φ  Extension lemma: If Φ is a finite consistent set of formulæ and  is any formula, then Φ  {  } or Φ  {¬  } is consistent  Assume ⊢ ¬(Φ  ) and ⊢ ¬(Φ  ¬  ). Then ⊢ (Φ  ¬  ) and ⊢ (Φ  ¬¬  ). Therefore ⊢ ¬Φ, acontradiction. Let SF(  ) be the set of all subformulæ of  For any consistent , let  # be a maximal consistent extension of  (i.e.,  # and for every  SF(  ), either  # or  #. (Existence guaranteed by extension lemma)

Slide 18 H. Schlingloff, Logical Specification Canonical models For a maximal consistent set  #, the canonical model CM(  # ) is defined by I(p)=true iff p  #. Truth lemma: For any  SF(  ), I(  )=true iff   #  Case  =p: by construction  Case  =  : Φ  {  } cannot be consistent  Case  =(  1   2 ): by induction hypothesis and derivation Therefore, if  is consistent, then for any maximal consistent set  #, CM(  # ) ⊨   any consistent formula is satisfiable  any unsatisfiable formula is inconsistent  any valid formula is derivable

Slide 19 H. Schlingloff, Logical Specification Example: Combinational Circuits Multiplexer  S selects whether I 0 or I 1 is output to Y  Y = if S then I 1 else I 0 end  (Y  ((S  I 1 )  (¬S  I 0 ))) Pictures taken from: I0I0 I1I1 SY

Slide 20 H. Schlingloff, Logical Specification Boolean Specifications Evaluator (output is 1 if input matches a certain binary value) Encoder (output i is set if binary number i is on input lines) Majority function (output is 1 if half or more of the inputs are 1) Comparator (output is 1 if input0 > input1) Half-Adder, Full-Adder, …

Slide 21 H. Schlingloff, Logical Specification Software Example Code generator optimization  if (p and q) then if (r) then x else y else if (q or r) then y else if (p and not r) then x else y Loop optimization

Slide 22 H. Schlingloff, Logical Specification Verification of Boolean Functions Latch-Up: can a certain line go up?  does (  ¬L 0 ) hold?  is (  L 0 ) satisfiable? Given ,  ; does (  ) hold?  usually reduced to SAT: is ((  ¬  )  (¬  )) satisfiable?  efficient SAT-solver exist (annual competition)  partitioning techniques any output depends only on some inputs  find which ones  generate test patterns (BIST: built-in-self-test)

Slide 23 H. Schlingloff, Logical Specification Optimizing Boolean Functions Given  ; find  such that (  ) holds and  is „optimal“  much harder question  optimal wrt. speed / size / power /…  translation to normal form (e.g., OBDD)