Semantic embedding of Albert-CORE within PVS

Transcription

1 Semantic embedding of Albert-CORE within PVS François Chabot Computer Science Department, University of Namur Rue Grandgagnage, 21, B-5000 Namur (Belgium) Professor Eric Dubois Computer Science Department, University of Namur Rue Grandgagnage, 21, B-5000 Namur Abstract Requirements engineering specifications can greatly benefit from formal methods when concerned with justifying the correctness of specifications and proofs. Albert II is a formal specification language for capturing functional requirements inherent to real-time, distributed systems. Targeted to requirements engineering activities, Albert II exhibits a high expressiveness through a large range of constructs. Their interactions being however very intricate, these constructs may hamper the reasoning capabilities. Formal reasoning is nevertheless still possible because the language is grounded on a real-time core logic. We motivate our approach to the construction of a formal verification system for this core logic. 1 Statement of the problem 1.1 Requirements specifications verification Formal Methods are the use of mathematical techniques in Computer Science; in particular, formal methods allow properties of a computer system to be predicted from a mathematical model of the system by a process akin to calculation[11]. Requirements engineering specifications can greatly benefit from formal methods when the correctness of specifications and proofs needs to be justified. Several formal specification languages were devised with this vision in mind; Albert II[4] is one of them. Albert II is based on an ontology of concepts useful when capturing functional requirements inherent to realtime, distributed and composite (agent-oriented) systems. Specially tailored to support requirements engineering activities, Albert II harbors a high degree of expressiveness, and consequently exhibits a large range of constructions. The language is semantically defined in terms of a core logic, Albert-CORE[3] whose notation is as close as possible, for traceability concerns, to the Albert II one. Albert-CORE is an object-oriented variant of real-time temporal logic where the concept of actions has been introduced, a.o. to solve the frame problem[2]. In the context of our research, justifying the correctness of specifications and proofs should be done at the core semantic level, that is, at the Albert-CORE level. To be productive and efficient such a task should be computeraided, we are presently constructing such an aid on the basis of a general-purpose theorem prover, namely the Prototype Verification System[9]. Beside the computer-aided verification system that should result, the extra-advantage and challenge of this logic embedding are that we will also be able to mechanically check the soundness and consistency of Albert-CORE.

2 1.2 An overview of Albert-CORE Albert-CORE is a logic based on a strongly-typed, objectoriented variant of a dense and linear real-time temporal logic. It has been augmented with the concept of actions, which may have a non-null duration, and it thus distinguishes observation from action symbols. Albert-CORE has also inherited from TRIO[8] a series of temporal connectives that ease real-time modeling and reasoning. The underlying time structure being dense, a formula can be evaluated at any point in time, giving this way a continuous perspective of a behavior. However, because observations can only change through action occurrences, we can also have a discrete perspective of a behavior observations keeping the same value between two action occurrences. Behaviors are infinite alternate sequences of states and actions. States denote a set of observation symbols and have a duration corresponding to the elapsed time between the two action occurrences delimiting it. 1.3 An overview of Albert II Because a logic is a too low level formalism, writing requirements engineering specifications at the Albert-CORE level would not be practical: real-world modeling needs concepts closer to it. These concepts are offered by Albert II, which provides an abstraction layer above Albert- CORE in such a way that every Albert II construct can be unambiguously mapped to Albert-CORE. In other words, Albert II offers a practical user language whose semantics is formally defined in terms of Albert-CORE. In practice, this user language offers several structuring mechanisms. Basically, observations and actions proper to one object are grouped together into agents. On their turn, agents can also be grouped into societies; together, agent and society aggregates allow to hierarchically organize specifications. The agent aggregate also allows to structure one agent s constraints into templates. A template is a typical sort of constraints we usually express on an agent s behavior. For instance, we can specify how actions can be decomposed into smaller ones under the Action Composition template. Or we can specify how agents can influence each other s behavior under the related Perception and Information templates. It should be clear that these structuring mechanisms are intended to help the requirements engineer in his specification task, but they are not intended to ease formal reasoning. Responsible of their individual behaviors, agents are moreover interacting, by nature, with each other. They are thus strongly dependent on their environment, and cannot therefore be considered individually. For instance, one agent s actions may depend on the fulfillment of some other s actions, which are not under its responsibility. It cannot therefore be demanded to the engineer to master the whole complexity of his specification. That is why computer-aided verification systems can help. But, still because of its strongly environmental dependence making Albert II non-compositional (mechanized) formal reasoning may be flawed. If we postulate that Albert II is inadequate for performing formal reasoning, there exists a way out: Albert-CORE. This unavoidable reasoning flaw may eventually question the relevance and utility of Albert II. Jackson and Zave[6] advocate that requirements engineering specifications are concerned with the description of an environmental artifact. The central point of any Albert II specification is precisely the interaction between agents and their environment. Albert II and Albert-CORE should deliver a framework offering a very expressive specification language coupled with a verification system that draws on the soundness of logic. Thanks to its constructs, Albert II offers to the requirements engineer an expressive specification language particularly relevant to real-time distributed systems modeling. Whereas the verification system will help the engineer to formally verify and justify the correctness of some critical properties. 2 Importance of the problem Non-constructive, high-level specification languages lend themselves better to the capture of real-time systems requirements. The intrinsically non-constructive nature of these languages, however, make them less amenable to mechanical verification and validation, unless they are grounded on formal foundations. That is where formal methods come into play: Formal methods provide for the construction of specifications whose interpretation is less reliant on human intuition by using techniques based,

3 mainly, on the axiomatic method of mathematics, and by requiring that all assumptions and all reasoning steps be made explicit, and furthermore that each reasoning step be an instance of a very small number of allowed rules of inference[11]. Specifications particularly requirements specifications need to be validated against informal expectations, which is generally done by human review and inspection. (If we were programming, we might run a couple of test cases; some people advocate something similar, often called animation, for specifications.) But with formal specifications, it is possible to do more, because the distinctive feature of formal specifications is indeed that they support formal deduction; thus reviews and inspections can be supplemented by formal analyses, which moreover, can be mechanically checked. When therefore faced with verification and validation problems of formal specifications, supporting the requirements engineering language with a tool, that should render the formal checks more productive and efficient, can prove very convenient and practical. Much more, the overall methodology that often comes with a requirement engineering language will probably benefit from the tool, and any technology transfer attempt will surely get more chances to be successful... 3 The proposed solution The challenge in developing languages and support tools for formal methods is to create systems that draw on the soundness and other properties and techniques of logic, while recasting them in a manner that allows them to be used productively in a practical setting[11]. 3.1 Semantic logical embedding According to Skakkebæk[13], there are several ways to mechanize special-purpose logics such as Albert-CORE. The most obvious, but so naive, approach would be to build a dedicated tool, tailored to this particular logic. The effort involved in the development would be considerable... A more clever way would be to rely on an existing tool, and to somehow embed the logic within it so that the development effort keeps the best of both the logic and the tool. There are basically two ways of embedding a source logic, which in this case is Albert-CORE, within the base logic used by the tool: we have the choice between either a syntactic or a semantic embedding. In the former case, the base logic is used as a meta-logic in which the source logic is defined by introducing its syntax and proof rules as entities in the base logic. Whereas in the latter case, the semantics of the source logic is described using the base logic and the desired proof rules are derived by means of lemmas in the base logic. According also to Skakkebæk[13], semantic logical frameworks, such as PVS, are to be preferred to syntactic logical ones, such as Isabelle[10], because they can potentially deliver faster results, in the sense that development time is usually shorter. To what concerns a direct syntactic support of the source logic, syntactic logical frameworks are obviously more powerful than semantic logical ones, which often demand quite a bit of work to provide the syntactic convenience available in syntactical frameworks. Consequently, semantical frameworks often require the user to understand the details of the encoding, having him to directly work in the base logic with the encoded form of the source logic. To what concerns, however, correctness of the embedding, semantic logical frameworks are superior, for ensuring correctness of the encoding is done once for all by demonstrating that it is faithful to the semantics stated on paper. Furthermore, all axioms and proof rules are simply derived from the semantic description. Similarly, for incomplete logics and logics of unknown completeness such as Albert-CORE if new proof rules are needed, they can simply be derived from the semantic encoding and separate proofs of soundness are not needed, nor do they need to be extended or checked. Whereas in syntactic logical frameworks, ensuring correctness of the embedding has to be completed through the proofs of soundness, which may need to be extended and checked in case new axioms are to be added when the logic is incomplete, or not known to be complete. A further advantage of the semantical frameworks is that the encoded logic can benefit from the capabilities of the underlying logic and proof checking system, for in syntactical frameworks, the base logic is usually quite

4 weak to make the tools widely applicable, and offers little help in achieving the degree of mechanization that is given, for instance, by decision procedures. What might, however, still be an obstacle to the use of semantic logical frameworks is that they are only convenient when the semantics of the source logic can simply be defined within the base logic. But, as many typical logics have semantics that can be defined within a sufficiently expressive classical logic and so is Albert-CORE this is no more, at least in our case, a significant obstacle. 3.2 PVS as a semantic framework PVS is an interactive verification system for writing formal specifications and checking formal proofs. PVS is targeted at early-lifecycle application of formal methods: it has sharply focused design goals that emphasize early error detection as much as full verification, and it is moreover a tightly integrated and coherent system. Technically, PVS supports classical higher order logic, and has a type system based on Church s simple theory of types augmented with convenient extensions for predicate subtypes and dependent types, and with parameterized theories and a mechanism for defining abstract data-types. This combination of features in the type-system achieves a high-level of convenience for constructing formal specifications, in the form of definitional or axiomatic theories. Furthermore, the deductive capabilities of PVS are based on the Gentzen s sequent semantic, and are supported by arithmetical and logical decision procedures, tightly integrated with the underlying theorem prover; what makes PVS particularly relevant to calculate real-time behaviors. What makes PVS also relevant to our needs, is that various real-time logics and formalisms have been previously embedded within it. Shankar[12] has encoded a real-time program logic in the higher order specification logic of PVS; this encoding has been used to prove Fischer s mutual exclusion problem and the safety properties of a railway crossing[5]. PVS has also been used to provide an embedding for the Duration Calculus[13] and for the timed automata model[1]; both these latter embeddings have also been used to prove the safety properties of a railway crossing. And finally, Jeffords[7] has provided a semantic embedding of the TRIO[8] real-time specification language. 4 Contributions of the research As mentioned, the semantics of various real-time logics and formalisms has been previously embedded within PVS, but none of these approaches dealt with all the combined features of Albert-CORE recall that Albert-CORE is a real-time temporal logic augmented with actions. The Duration Calculus[13] is a dense-time interval temporal logic that can be used to reason about timevarying quantities, but not about point values of signals; it instead requires the signal to have a, maybe very small, duration. This calculus introduces the concept of a duration operator, but the concept of action is absent. TRIO[7] is a first order temporal logic, with the current time implicitly bound to every formula; the concept of action is missing. Its semantic embedding can be characterized as a shallow one, for the proofs are to be carried out at the PVS level. The soundness of the encoding is, on its hand, easily achieved by proving the encoded proof rules in PVS. Notice that when the interpretation domains for the variables and the temporal domain are all finite, then the satisfiability of TRIO formulas is decidable[8]. The Timed Automata model[1] has also been embedded within PVS. This model is a generalization of!- automata, accepting infinite languages, and features the ability to express lower and upper bounds on occurrences of transitions, i.e. events, in the automata using explicit clock variables. Finally, the real-time encoding of Shankar[12] was an approach to the verification of real-time behaviors of concurrent programs; it can handle finite, as well as infinite state systems. The shallow embedding introduced only one basic real-time operator, since, for reasoning about absolute time. A program behavior was defined as a sequence of states, interleaved with atomic actions, or state changes. The concept of actions presents in this real-time logic is quite different from the Albert-CORE one, since only a single atomic and instantaneous action can occur at any point in time. After having demonstrated that several distinctive features of real-time logics have been individually embedded within PVS, we can clearly state that the embedding of Albert-CORE will result in a verification system combining, for the first time, most of these particular features.

5 5 The progress made As this project research is at the intersection of requirements engineering and computer-aided formal verification, we first tried to make out what was the state of the art in requirements engineering practices, formal requirements engineering languages, and computer-aided verification systems for formal languages in general. Much was to be learnt on the verification systems side, and more particularly on the PVS side. Let us also mention that we considered two other alternative approaches to semantic embedding, Abstract Interpretation and Model Checking. We found out that no research at least to our knowledge had ever tackled all of the problems encountered when faced with a fully-fledged, formal specification language dedicated to requirements engineering activities. Because similar research had been conducted with PVS, it seemed to us to be the most attractive way to start with. That is why we decided to spend some time studying both the tool and the different realizations that have been carried out within it. Once this was done, we started recently to encode Albert-CORE in the higher order specification language of PVS. References [1] Myla Archer and Constance Heitmeyer. Mechanical verification of timed automata: A case study. In Second IEEE Real-Time Technology and Applications Symposium (RTAS 96), Boston, MA, June 10 12, [2] A. Borgida, J. Mylopoulos, and R. Reiter.... and nothing else changes : The frame problem in procedure specifications. Technical Report DCS-TR-281, Dept. of Computer Science, Rutgers University, [3] Philippe Du Bois. The Albert II Language: On the Design and the Use of a Formal Specification Language for Requirements Analysis. PhD thesis, Computer Science Department, University of Namur, Namur (Belgique), September Available at [4] Eric Dubois, Philippe Du Bois, Frédéric Dubru, and Michaël Petit. Agent-oriented requirements engineering: A case study using the Albert language. In A. Verbraeck, H.G. Sol, and P.W.G. Bots, editors, Proc. of the Fourth International Working Conference on Dynamic Modelling and Information System DYNMOD-IV, Noordwijkerhoud (The Netherlands), September 28-30, Delft University Press. Available at ftp://ftp.info.fundp.ac.be/publications/rp/rp ps.z. [5] C.L. Heitmeyer, R.D. Jeffords, and B.G. Labaw. A benchmark for comparing different approaches for specifying and verifying real-time systems. In Proc. of the 10th International Workshop on Real-Time Operating Systems and Software, May [6] Michael Jackson and Pamela Zave. Four dark corners of requirements engineering. ACM Transactions on Software Engineering and Methodology, To appear in TOSEM. [7] Ralph D. Jeffords. An approach to encoding the TRIO logic in PVS. Technical report, Naval Research Laboratory, November 22, [8] Angelo Morzenti, Dino Mandrioli, and Carlo Ghezzi. A model parametric real-time logic. ACM Transactions on Programming Languages and Systems, 14(4): , October [9] Sam Owre, John M. Rushby, and Natarajan Shankar. PVS: A prototype verification system. In Deepak Kapur, editor, 11th Intenational Conference on Automated Deduction (CADE 92), volume 607 of Lecture Notes in Artificial Intelligence, pages , Saratoga, NY, June Springer-Verlag. [10] Lawrence C. Paulson. Isabelle: a generic theorem prover, volume 828 of Lecture Notes in Computer Science. Springer-Verlag, New York, NY, USA, [11] John Rushby. Formal methods and the certification of critical systems. Technical Report CSL-93-7, Computer Science Laboratory, SRI International, Menlo Park CA USA, December [12] Natarajan Shankar. Mechanized verification of real-time systems using PVS. Technical Report CSL-92-12, Computer Science Laboratory SRI International, Menlo Park, CA, March 2, [13] Jens Ulrik Skakkebæk. A Verification Assistant for a Real- Time Logic. PhD thesis, Department of Computer Science, Technical University of Denmark, Building 344, DK-2800 Lyngby, Denmark, November 1994.