1. 6.5.2008 Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität and Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik

2. Slide 2 H. Schlingloff, Logical Specification 6.5.2008 First-Order Predicate Logic In contrast to propositional logic, first-order logic adds  structure to basic propositions  quantification on (infinite) domains New syntactic elements  Let R be a set of relation symbols, where each p  R has an arity n  N 0  Let V be a denumerable set of (first-order or individual) variables  An atomic formula is p(x 1,…,x n ), where p  R is n- ary and (x 1,…,x n )  V n.

3. Slide 3 H. Schlingloff, Logical Specification 6.5.2008 FOL: Syntax Syntax of first-order logic FOL ::= R ( V n ) |  | (FOL  FOL) |  V FOL Of course,  x  = ¬  x ¬  Examples   x  x  y ¬ p(x)   x  y (p(x,y)  p(y,x))  (  x  y p(x,y)   y  x p(x,y))

4. Slide 4 H. Schlingloff, Logical Specification 6.5.2008 Typed FOL Often, types/sorts are used to differentiate domains Signature  =( D, F, R ), where  D is a (finite) set of domains  F is a set of function symbols, where each f  F has an arity n  N 0 and a type D  D n+1 - 0-ary functions are called constants  R is a set of relation symbols, where each p  R has an arity n  N 0 and a type D  D n - unary relations are called predicates - propositions can be seen as 0-ary relations Remark: domains and types are for ease of use only (can be simulated in an untyped setting by additional predicates)

5. Slide 5 H. Schlingloff, Logical Specification 6.5.2008 Terms and Formulas Let again V be a (denumerable) set of (first-order) variables, where each variable has a type D  D (written as x:D) (for any type, there is an unlimited supply of variables of that type) The notions Term and Atomic Formula AtF are defined recursively:  each variable of type D is a term of type D  if f is an n-ary function symbol of type (D 1,…D n,D n+1 ) and t 1, …, t n are terms of type D 1, …, D n, then f(t 1,…,t n ) is a term of type D n+1  if p is an n-ary relation symbol of type (D 1,…D n ) and t 1, …, t n are terms of type D 1, …, D n, then p(t 1,…,t n ) is an atomic formula Revised syntax of first-order logic FOL ::= AtF |  | (FOL  FOL) |  V : D FOL

6. Slide 6 H. Schlingloff, Logical Specification 6.5.2008 Examples  x:Boy  y:Girl loves(x,y)  x:Human  y:Human (needs(x,y)  loves(y,x))  x,y:Int equals(plus(x,y), plus(y,x))  x:Int ¬ equals(zero(), succ(x)) …

7. Slide 7 H. Schlingloff, Logical Specification 6.5.2008 FOL: Models (We give the typed semantics only) First-Order Model  Let universe U be some nonempty set, and let  D U  U for every D  D  Interpretation I: assignment F ↦ U n+1 R ↦ U n  Valuation V: assignment V ↦ U interpretations and valuations must respect typing  Model M: (U,I,V)

8. Slide 8 H. Schlingloff, Logical Specification 6.5.2008 FOL: Semantics Given a model M: (U,I,V), the value t M of term t (of type D) can be defined inductively  if t=x  V, then t M =V(x)  if t=f(t 1,…,t n ), then t M =I(f)(t 1 M,…,t n M ) Likewise, the validation relation ⊨ between model M and formula   M ⊨ p(t 1,…,t n ) if (t 1 M,…,t n M )  I(p)  M ⊭  ; M ⊨ (  ) if M ⊨  implies M ⊨   M ⊨  x  if M‘ ⊨  for some M‘ which differs at most in V(x) from M Validity and satisfiability defined as in the propositional case

9. Slide 9 H. Schlingloff, Logical Specification 6.5.2008 FOL: Calculus A sound and complete axiom system for FOL:  all substitution instances of axioms of PL  modus ponens: , (  ) ⊢   ⊢ (  (x:=t)  x  ) instantiation  (  ) ⊢ (  x  ) if x doesnt occur in  particularization Relaxation: particularization may be applied if there is no free occurrence of x in  ; i.e., x may occur in  inside the scope of a quantification

10. Slide 10 H. Schlingloff, Logical Specification 6.5.2008 FOL = Equality is not definable in FOL First order logic with equality contains an additional (binary) relation = which is always interpreted as equality of domain elements Written in infix notation, i.e. (x=y) for =(x,y) Axioms  (x=x) reflexivity  (x=y  (y=z  x=z)) transitivity  (x=y  y=x) symmetry  (x=y  (    (y:=x))) substitution

11. Slide 11 H. Schlingloff, Logical Specification 6.5.2008 20.5.2008 Slide H. Schlingloff, Logical Specification Z A specification language based on FOL = and set theory  allows formal reasoning Specification structured into schemas  allows comprehensible description  allows iterative refinement Strong typing  type-checking tools

12. Slide 12 H. Schlingloff, Logical Specification 6.5.2008 20.5.2008 Slide H. Schlingloff, Logical Specification Z: logic properties described in FOL  Q x : a | p q - [quanitifer][variable]:[type]|[constraint] [predicate]  p is optional constraint  (  x : a | p q) ⇔ (  x : a p ∧ q)  (  x : a | p q) ⇔ (  x : a p ⇒ q)

13. Slide 13 H. Schlingloff, Logical Specification 6.5.2008 20.5.2008 Slide H. Schlingloff, Logical Specification Z: sets specifications are operations upon sets  set by extension: s == {1, 2, 7}, t == {a, b}  set by comprehension: {x: s | x is even}  power set: ℙ t = { , {a}, {b}, {a,b}}  cartesian product: s × t = {(1,a), (1,b), (2,a),...} types are maximal sets  each value in specification has exactly one type  built-in type - ℤ

14. Slide 14 H. Schlingloff, Logical Specification 6.5.2008 20.5.2008 Slide H. Schlingloff, Logical Specification Z: definitions by declaration by axiomatic definition

15. Slide 15 H. Schlingloff, Logical Specification 6.5.2008 20.5.2008 Slide H. Schlingloff, Logical Specification Z: relations relationships between objects composition of compatible relations  functions  lambda notation: ( λ declaration|constraintresult)

16. Slide 16 H. Schlingloff, Logical Specification 6.5.2008 20.5.2008 Slide H. Schlingloff, Logical Specification Z: schemas - states description of variables with restricted values another way of type definition

17. Slide 17 H. Schlingloff, Logical Specification 6.5.2008 20.5.2008 Slide H. Schlingloff, Logical Specification Z: schemas - state changes description of operations delta abbreviation

18. Slide 18 H. Schlingloff, Logical Specification 6.5.2008 20.5.2008 Slide H. Schlingloff, Logical Specification Z: example Specification of phonebook  basic types  list of numbers

19. Slide 19 H. Schlingloff, Logical Specification 6.5.2008 20.5.2008 Slide H. Schlingloff, Logical Specification Z: example change of state is it sufficient?

20. Slide 20 H. Schlingloff, Logical Specification 6.5.2008 20.5.2008 Slide H. Schlingloff, Logical Specification Z: example what if record is already present?

21. Slide 21 H. Schlingloff, Logical Specification 6.5.2008 20.5.2008 Slide H. Schlingloff, Logical Specification Z: example alternative state change schema composition

22. Slide 22 H. Schlingloff, Logical Specification 6.5.2008 20.5.2008 Slide H. Schlingloff, Logical Specification Z: tools Community Z tools (CZT)  editing and type-checking Z specifications  czt.sourceforge.net czt.sourceforge.net  Java (1.6) plugin for jEdit and Eclipse (please check installation instructions) “Homework”  write down Phonebook example in CZT  send.tex or.pdf file to calta@informatik.hu- berlin.de with subject [LS ex.3] until 27.5.2008calta@informatik.hu- berlin.de

23. Slide 23 H. Schlingloff, Logical Specification 6.5.2008 20.5.2008 Slide H. Schlingloff, Logical Specification Z: references Z notation  J. Mike Spivey (1992). The Z Notation: a reference manualThe Z Notation: a reference manual  Jim Davies and Jim Woodcock (1996). Using Z: Specification, Refinement and ProofUsing Z: Specification, Refinement and Proof Z tools  czt.sourceforge.net/jedit/index.html czt.sourceforge.net/jedit/index.html  www.jedit.org/index.php?page=download www.jedit.org/index.php?page=download  www.cs.waikato.ac.nz/~marku/czt/eclipse.html www.cs.waikato.ac.nz/~marku/czt/eclipse.html

24. Slide 24 H. Schlingloff, Logical Specification 6.5.2008 20.5.2008 Slide H. Schlingloff, Logical Specification Block Course Algebraic Specifications by Dr. Markus Roggenbach 23.5. - 25.5., Fraunhofer FIRST, Room D006  First lecture 23.5., 15.00 - 16.30 Exercises  groups of 3-4 students, laptops recommended  work with Hets tool  www.informatik.uni- bremen.de/agbkb/forschung/formal_methods/CoF I/hets/index_e.htm www.informatik.uni- bremen.de/agbkb/forschung/formal_methods/CoF I/hets/index_e.htm