Semantic embedding of Albert-CORE within PVS
François Chabot, Computer Science Department, University of Namur, Rue Grandgagnage 21, B-5000 Namur (Belgium)
Professor Eric Dubois, Computer Science Department, University of Namur, Rue Grandgagnage 21, B-5000 Namur

Abstract

Requirements engineering specifications can greatly benefit from formal methods when the correctness of specifications and proofs has to be justified. Albert II is a formal specification language for capturing the functional requirements of real-time, distributed systems. Targeted at requirements engineering activities, Albert II achieves a high expressiveness through a large range of constructs. Because the interactions between these constructs are very intricate, they may hamper formal reasoning. Reasoning nevertheless remains possible because the language is grounded on a real-time core logic. We motivate our approach to the construction of a formal verification system for this core logic.

1 Statement of the problem

1.1 Verification of requirements specifications

Formal methods are the use of mathematical techniques in computer science; in particular, they allow properties of a computer system to be predicted from a mathematical model of the system by a process akin to calculation[11]. Requirements engineering specifications can greatly benefit from formal methods when the correctness of specifications and proofs needs to be justified. Several formal specification languages were devised with this vision in mind; Albert II[4] is one of them. Albert II is based on an ontology of concepts useful for capturing the functional requirements of real-time, distributed and composite (agent-oriented) systems. Specially tailored to support requirements engineering activities, Albert II offers a high degree of expressiveness and consequently a large range of constructs.

The language is semantically defined in terms of a core logic, Albert-CORE[3], whose notation is kept as close as possible to that of Albert II for traceability. Albert-CORE is an object-oriented variant of real-time temporal logic in which the concept of action has been introduced, among other reasons to solve the frame problem[2]. In the context of our research, justifying the correctness of specifications and proofs should be done at the core semantic level, that is, at the Albert-CORE level. To be productive and efficient such a task should be computer-aided, and we are presently constructing such an aid on top of a general-purpose theorem prover, the Prototype Verification System (PVS)[9]. Beyond the computer-aided verification system that should result, the extra advantage and challenge of this logic embedding is that we will also be able to mechanically check the soundness and consistency of Albert-CORE.
1.2 An overview of Albert-CORE

Albert-CORE is a strongly-typed, object-oriented variant of a dense, linear real-time temporal logic. It has been augmented with the concept of actions, which may have a non-null duration, and it therefore distinguishes observation symbols from action symbols. Albert-CORE has also inherited from TRIO[8] a series of temporal connectives that ease real-time modeling and reasoning. Because the underlying time structure is dense, a formula can be evaluated at any point in time, which gives a continuous perspective on a behavior. However, because observations can only change through action occurrences, a behavior can also be viewed from a discrete perspective: observations keep the same value between two action occurrences. Behaviors are infinite alternating sequences of states and actions. A state denotes a set of observation symbols (with their values) and has a duration equal to the time elapsed between the two action occurrences that delimit it.

1.3 An overview of Albert II

Because a logic is too low-level a formalism, writing requirements engineering specifications directly at the Albert-CORE level would not be practical: modeling the real world needs concepts closer to it. Those concepts are offered by Albert II, which provides an abstraction layer above Albert-CORE such that every Albert II construct can be unambiguously mapped to Albert-CORE. In other words, Albert II is a practical user language whose semantics is formally defined in terms of Albert-CORE. In practice, this user language offers several structuring mechanisms. Basically, the observations and actions proper to one object are grouped together into an agent. Agents can in turn be grouped into societies; together, agent and society aggregates allow specifications to be organized hierarchically. The agent aggregate also allows an agent's constraints to be structured into templates. A template is a typical kind of constraint usually expressed on an agent's behavior.

For instance, the Action Composition template specifies how actions can be decomposed into smaller ones, and the related Perception and Information templates specify how agents can influence each other's behavior. It should be clear that these structuring mechanisms are intended to help the requirements engineer in the specification task; they are not intended to ease formal reasoning. Although each agent is responsible for its own behavior, agents by nature interact with each other. They are thus strongly dependent on their environment and cannot be considered in isolation. For instance, one agent's actions may depend on the fulfillment of another agent's actions, which are not under its responsibility. The engineer therefore cannot be expected to master the whole complexity of the specification, which is why computer-aided verification systems can help. But that same strong dependence on the environment makes Albert II non-compositional, so (mechanized) formal reasoning carried out directly on Albert II may be flawed. If we postulate that Albert II is inadequate for formal reasoning, there is a way out: Albert-CORE. This unavoidable reasoning flaw might, however, call the relevance and utility of Albert II into question. Jackson and Zave[6] argue that requirements engineering specifications are concerned with describing an environmental artifact, and the central point of any Albert II specification is precisely the interaction between agents and their environment. Albert II and Albert-CORE should therefore deliver a framework that couples a very expressive specification language with a verification system drawing on the soundness of logic. Thanks to its constructs, Albert II gives the requirements engineer an expressive specification language particularly suited to modeling real-time distributed systems, while the verification system helps the engineer formally verify and justify the correctness of critical properties.
2 Importance of the problem

Non-constructive, high-level specification languages lend themselves better to capturing the requirements of real-time systems. Their intrinsically non-constructive nature, however, makes them less amenable to mechanical verification and validation unless they are grounded on formal foundations. That is where formal methods come into play: formal methods provide for the construction of specifications whose interpretation is less reliant on human intuition, by using techniques based mainly on the axiomatic method of mathematics, by requiring that all assumptions and all reasoning steps be made explicit, and furthermore by requiring that each reasoning step be an instance of a very small number of allowed rules of inference[11]. Specifications, particularly requirements specifications, need to be validated against informal expectations, which is generally done by human review and inspection. (If we were programming, we might run a couple of test cases; some people advocate something similar, often called animation, for specifications.) With formal specifications it is possible to do more, because their distinctive feature is precisely that they support formal deduction; reviews and inspections can thus be supplemented by formal analyses, which moreover can be mechanically checked. When faced with the verification and validation of formal specifications, supporting the requirements engineering language with a tool that makes the formal checks more productive and efficient is therefore very convenient and practical. Moreover, the overall methodology that usually comes with a requirements engineering language will probably benefit from the tool, and any technology transfer attempt will have better chances of success.

3 The proposed solution

The challenge in developing languages and support tools for formal methods is to create systems that draw on the soundness and other properties and techniques of logic, while recasting them in a manner that allows them to be used productively in a practical setting[11].

3.1 Semantic logical embedding

According to Skakkebæk[13], there are several ways to mechanize a special-purpose logic such as Albert-CORE. The most obvious, but naive, approach would be to build a dedicated tool tailored to this particular logic; the development effort involved would be considerable.
A more sensible way is to rely on an existing tool and to embed the logic within it, so that the development effort keeps the best of both the logic and the tool. There are basically two ways of embedding a source logic, here Albert-CORE, within the base logic of the tool: a syntactic embedding or a semantic embedding. In the former, the base logic is used as a meta-logic in which the source logic is defined by introducing its syntax and proof rules as entities of the base logic. In the latter, the semantics of the source logic is described using the base logic, and the desired proof rules are derived as lemmas in the base logic. Also according to Skakkebæk[13], semantic logical frameworks such as PVS are preferable to syntactic ones such as Isabelle[10] because they can potentially deliver faster results, in the sense that development time is usually shorter. As far as direct syntactic support of the source logic is concerned, syntactic frameworks are obviously more powerful: semantic frameworks often demand quite a bit of work to provide the syntactic convenience that syntactic frameworks offer. Consequently, semantic frameworks often require the user to understand the details of the encoding and to work directly in the base logic on the encoded form of the source logic. As far as correctness of the embedding is concerned, however, semantic frameworks are superior, for the correctness of the encoding is ensured once and for all by demonstrating that it is faithful to the semantics stated on paper. Furthermore, all axioms and proof rules are simply derived from the semantic description. Similarly, for incomplete logics and logics of unknown completeness, such as Albert-CORE, new proof rules, if needed, can simply be derived from the semantic encoding; separate soundness proofs are not needed, nor do they have to be extended or re-checked. In a syntactic framework, by contrast, the correctness of the embedding has to be established through soundness proofs, which may need to be extended and re-checked whenever new axioms are added to a logic that is incomplete or not known to be complete. A further advantage of semantic frameworks is that the encoded logic benefits from the capabilities of the underlying logic and proof-checking system, whereas in syntactic frameworks the base logic is usually kept quite weak to make the tools widely applicable, and it offers little help in achieving the degree of mechanization provided, for instance, by decision procedures. What might still be an obstacle to the use of semantic frameworks is that they are only convenient when the semantics of the source logic can be defined simply within the base logic. But since many typical logics have a semantics definable within a sufficiently expressive classical logic, and Albert-CORE is one of them, this is not, at least in our case, a significant obstacle.

3.2 PVS as a semantic framework

PVS is an interactive verification system for writing formal specifications and checking formal proofs. PVS is targeted at early-lifecycle application of formal methods: it has sharply focused design goals that emphasize early error detection as much as full verification, and it is a tightly integrated and coherent system. Technically, PVS supports classical higher-order logic, with a type system based on Church's simple theory of types augmented with convenient extensions for predicate subtypes and dependent types, with parameterized theories, and with a mechanism for defining abstract data types. This combination of features in the type system makes it very convenient to construct formal specifications in the form of definitional or axiomatic theories. Furthermore, the deductive capabilities of PVS are based on Gentzen's sequent calculus and are supported by arithmetic and logical decision procedures tightly integrated with the underlying theorem prover, which makes PVS particularly relevant for calculating real-time behaviors. PVS is also relevant to our needs because various real-time logics and formalisms have previously been embedded within it.
Shankar[12] has encoded a real-time program logic in the higher-order specification logic of PVS; this encoding has been used to prove Fischer's mutual exclusion protocol and the safety properties of a railway crossing[5]. PVS has also been used to provide embeddings of the Duration Calculus[13] and of the timed automata model[1]; both of these embeddings have also been used to prove the safety properties of a railway crossing. Finally, Jeffords[7] has provided a semantic embedding of the TRIO[8] real-time specification language.

4 Contributions of the research

As mentioned, the semantics of various real-time logics and formalisms has previously been embedded within PVS, but none of these approaches dealt with all the combined features of Albert-CORE (recall that Albert-CORE is a real-time temporal logic augmented with actions). The Duration Calculus[13] is a dense-time interval temporal logic that can be used to reason about time-varying quantities, but not about point values of signals; it instead requires a signal to have a, possibly very small, duration. This calculus introduces the concept of a duration operator, but the concept of action is absent. TRIO[8] is a first-order temporal logic with the current time implicitly bound to every formula; the concept of action is missing. Its semantic embedding[7] can be characterized as a shallow one, since proofs are carried out at the PVS level; soundness of the encoding, on the other hand, is easily achieved by proving the encoded proof rules in PVS. Notice that when the interpretation domains of the variables and the temporal domain are all finite, satisfiability of TRIO formulas is decidable[8]. The timed automata model[1] has also been embedded within PVS. This model is a generalization of ω-automata accepting infinite languages, and it can express lower and upper bounds on the occurrence of transitions, i.e. events, in the automata using explicit clock variables.

Finally, the real-time encoding of Shankar[12] was an approach to verifying the real-time behavior of concurrent programs; it can handle finite-state as well as infinite-state systems. This shallow embedding introduced only one basic real-time operator, since, for reasoning about absolute time. A program behavior was defined as a sequence of states interleaved with atomic actions, i.e. state changes. The concept of action present in this real-time logic is quite different from the Albert-CORE one, since only a single atomic and instantaneous action can occur at any point in time. Having shown that several distinctive features of real-time logics have each been embedded individually within PVS, we can state that the embedding of Albert-CORE will result in a verification system combining, for the first time, most of these features.
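The dense-time semantics sketched in section 1.2 (behaviors as alternating sequences of states and actions, observations constant between action occurrences, TRIO-style connectives), the semantic-embedding idea of section 3.1 (describe the semantics in a host language and derive candidate proof rules from it rather than postulating them) and the contrast drawn above with Shankar's instantaneous actions can be made concrete with an executable model. The Python program below is an added example written for this page; it is not the authors' PVS encoding of Albert-CORE and it is not a theorem prover: it evaluates formulas over a finite, constructed behavior and uses that evaluation to check candidate rules. The operator names (obs, occurs, futr, past, alw_in), the decision to let an action's effect on observations take place at the action's end, and the sample `level`/`fill`/`drain` behavior are all assumptions made for the example.

```python
# Added example (not the paper's PVS encoding): an executable model of
# Albert-CORE-style dense-time semantics, used to check candidate proof rules.
from dataclasses import dataclass
from fractions import Fraction
from typing import Callable, Dict, List, Optional, Set

Time = Fraction  # dense, linear time; Fractions keep the arithmetic exact

@dataclass(frozen=True)
class Action:
    name: str
    start: Time
    end: Time  # end >= start: an action may have a non-null duration

@dataclass
class Behavior:
    """Finite prefix of an alternating state/action sequence. `initial` holds from
    time 0; when an action ends it updates the observation with `after[action]`
    (assumption: effects take place at the action's end). Observations are constant
    between action occurrences and the last one persists beyond `horizon`."""
    initial: Dict[str, object]
    actions: List[Action]
    after: Dict[Action, Dict[str, object]]
    horizon: Time

    def observation(self, t: Time) -> Dict[str, object]:
        obs = dict(self.initial)
        for a in sorted(self.actions, key=lambda a: a.end):
            if a.end <= t:
                obs.update(self.after[a])
        return obs

    def breakpoints(self) -> Set[Time]:
        return {Time(0), self.horizon} | {p for a in self.actions for p in (a.start, a.end)}

@dataclass(frozen=True)
class Formula:
    holds: Callable[[Behavior, Time], bool]  # the semantics: truth at instant t
    bp: Callable[[Behavior], Set[Time]]      # instants where the truth value may change

def obs(name: str, pred: Callable[[object], bool]) -> Formula:
    """Observation symbol `name` satisfies `pred` at the current instant."""
    return Formula(lambda b, t: pred(b.observation(t)[name]), lambda b: {a.end for a in b.actions})

def occurs(name: Optional[str] = None) -> Formula:
    """An action (named `name`, or any action if None) is occurring at the current instant."""
    return Formula(lambda b, t: any((name is None or a.name == name) and a.start <= t <= a.end
                                    for a in b.actions),
                   lambda b: {p for a in b.actions for p in (a.start, a.end)})

def neg(p: Formula) -> Formula:
    return Formula(lambda b, t: not p.holds(b, t), p.bp)

def conj(p: Formula, q: Formula) -> Formula:
    return Formula(lambda b, t: p.holds(b, t) and q.holds(b, t), lambda b: p.bp(b) | q.bp(b))

def impl(p: Formula, q: Formula) -> Formula:
    return Formula(lambda b, t: (not p.holds(b, t)) or q.holds(b, t), lambda b: p.bp(b) | q.bp(b))

def iff(p: Formula, q: Formula) -> Formula:
    return conj(impl(p, q), impl(q, p))

def futr(p: Formula, d: Time) -> Formula:
    """TRIO Futr: p holds d time units from now."""
    return Formula(lambda b, t: p.holds(b, t + d), lambda b: {x - d for x in p.bp(b)})

def past(p: Formula, d: Time) -> Formula:
    """TRIO Past: p held d time units ago (false before the time origin)."""
    return Formula(lambda b, t: t >= d and p.holds(b, t - d), lambda b: {x + d for x in p.bp(b)})

def _sample(points: Set[Time], lo: Time, hi: Time) -> List[Time]:
    """Finite set of instants deciding a piecewise-constant formula on [lo, hi]:
    the breakpoints inside the interval, its ends, and one point per open gap."""
    pts = sorted({lo, hi} | {x for x in points if lo < x < hi})
    return pts + [(x + y) / 2 for x, y in zip(pts, pts[1:])]

def alw_in(p: Formula, d: Time) -> Formula:
    """Bounded always: p holds at every instant of [now, now + d]."""
    return Formula(lambda b, t: all(p.holds(b, s) for s in _sample(p.bp(b), t, t + d)),
                   lambda b: p.bp(b) | {x - d for x in p.bp(b)})

def valid_on(p: Formula, b: Behavior) -> bool:
    """p holds at every instant of [0, horizon] of behavior b (exact, see _sample)."""
    return all(p.holds(b, s) for s in _sample(p.bp(b) | b.breakpoints(), Time(0), b.horizon))

def sample_behavior() -> Behavior:
    """Constructed behavior: a durative `fill` (from 1 to 3) and an instantaneous `drain` (at 5)."""
    fill, drain = Action("fill", Time(1), Time(3)), Action("drain", Time(5), Time(5))
    return Behavior({"level": 0}, [fill, drain],
                    {fill: {"level": 10}, drain: {"level": 4}}, Time(8))

def check_rules() -> Dict[str, bool]:
    """Candidate proof rules checked against the semantics on the sample behavior."""
    b, one, two = sample_behavior(), Time(1), Time(2)
    full, low = obs("level", lambda v: v == 10), obs("level", lambda v: v == 4)
    return {
        # Futr composes: follows from the semantics for any formula and any delays
        "futr_compose": valid_on(iff(futr(futr(full, one), two), futr(full, one + two)), b),
        # frame rule: an observation keeps its value while no action occurs
        "frame": valid_on(impl(conj(low, alw_in(neg(occurs()), two)), futr(low, two)), b),
        # Shankar-style instantaneous actions: NOT a rule here, since `fill` lasts 2 units
        "instantaneous": valid_on(impl(occurs("fill"), neg(futr(occurs("fill"), one))), b),
    }

if __name__ == "__main__":
    print(check_rules())
```

The rule check is exact rather than sampled: with piecewise-constant observations, the truth value of each formula only changes at the finitely many breakpoints it reports, so testing those instants plus one instant in each open gap between them decides the formula on the whole prefix. A rule the check rejects, such as the instantaneous-action rule, is one a semantic embedding would refuse to derive as a lemma; a rule it accepts on every behavior tried remains only a candidate, since the actual proof obligation is the lemma in PVS.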
5 The progress made

Since this research project lies at the intersection of requirements engineering and computer-aided formal verification, we first tried to establish the state of the art in requirements engineering practices, formal requirements engineering languages, and computer-aided verification systems for formal languages in general. Much was to be learnt on the verification systems side, and more particularly about PVS. Let us also mention that we considered two other approaches as alternatives to semantic embedding, abstract interpretation and model checking. We found out that no research, at least to our knowledge, had ever tackled all of the problems raised by a fully-fledged formal specification language dedicated to requirements engineering activities. Because similar research had been conducted with PVS, it seemed to us the most attractive starting point. That is why we decided to spend some time studying both the tool and the various embeddings that have been carried out within it. Once this was done, we recently started to encode Albert-CORE in the higher-order specification language of PVS.

References

[1] Myla Archer and Constance Heitmeyer. Mechanical verification of timed automata: A case study. In Second IEEE Real-Time Technology and Applications Symposium (RTAS 96), Boston, MA, June 10-12, 1996.
[2] A. Borgida, J. Mylopoulos, and R. Reiter. "... and nothing else changes": The frame problem in procedure specifications. Technical Report DCS-TR-281, Dept. of Computer Science, Rutgers University.
[3] Philippe Du Bois. The Albert II Language: On the Design and the Use of a Formal Specification Language for Requirements Analysis. PhD thesis, Computer Science Department, University of Namur, Namur (Belgium), September.
[4] Eric Dubois, Philippe Du Bois, Frédéric Dubru, and Michaël Petit. Agent-oriented requirements engineering: A case study using the Albert language. In A. Verbraeck, H.G. Sol, and P.W.G. Bots, editors, Proc. of the Fourth International Working Conference on Dynamic Modelling and Information Systems (DYNMOD-IV), Noordwijkerhout (The Netherlands), September 28-30. Delft University Press. Available at ftp://ftp.info.fundp.ac.be/publications/rp/rp ps.z.
[5] C.L. Heitmeyer, R.D. Jeffords, and B.G. Labaw. A benchmark for comparing different approaches for specifying and verifying real-time systems. In Proc. of the 10th International Workshop on Real-Time Operating Systems and Software, May.
[6] Michael Jackson and Pamela Zave. Four dark corners of requirements engineering. ACM Transactions on Software Engineering and Methodology. To appear.
[7] Ralph D. Jeffords. An approach to encoding the TRIO logic in PVS. Technical report, Naval Research Laboratory, November 22.
[8] Angelo Morzenti, Dino Mandrioli, and Carlo Ghezzi. A model parametric real-time logic. ACM Transactions on Programming Languages and Systems, 14(4), October.
[9] Sam Owre, John M. Rushby, and Natarajan Shankar. PVS: A prototype verification system. In Deepak Kapur, editor, 11th International Conference on Automated Deduction (CADE 92), volume 607 of Lecture Notes in Artificial Intelligence, Saratoga, NY, June 1992. Springer-Verlag.
[10] Lawrence C. Paulson. Isabelle: A Generic Theorem Prover, volume 828 of Lecture Notes in Computer Science. Springer-Verlag, New York, NY, USA.
[11] John Rushby. Formal methods and the certification of critical systems. Technical Report CSL-93-7, Computer Science Laboratory, SRI International, Menlo Park, CA, USA, December.
[12] Natarajan Shankar. Mechanized verification of real-time systems using PVS. Technical Report CSL-92-12, Computer Science Laboratory, SRI International, Menlo Park, CA, March 2.
[13] Jens Ulrik Skakkebæk. A Verification Assistant for a Real-Time Logic. PhD thesis, Department of Computer Science, Technical University of Denmark, Building 344, DK-2800 Lyngby, Denmark, November 1994.
Test and Evaluation of Autonomous Systems in a Model Based Engineering Context Raytheon Michael Nolan USAF AFRL Aaron Fifarek Jonathan Hoffman 3 March 2016 Copyright 2016. Unpublished Work. Raytheon Company.
More informationFormal Structural Requirements. Functional Requirements: Why Formal? Revisiting SADT. A Formalization of RML/Telos. A Survey of Formal Methods
Functional Requirements: Formal Structural Requirements Why Formal? Revisiting SADT RML/Telos Essentials A Formalization of RML/Telos A Survey of Formal Methods 1 2 RML/Telos Essentials [S. Greenspan,
More informationAn Approach to the Generation of High-Assurance Java Card Applets
An Approach to the Generation of High-Assurance Java Card Applets Alessandro Coglio Kestrel Institute 3260 Hillview Avenue, Palo Alto, CA 94304, USA Ph. +1-650-493-6871 Fax +1-650-424-1807 http://www.kestrel.edu/
More informationCompositional Schedulability Analysis of Hierarchical Real-Time Systems
Compositional Schedulability Analysis of Hierarchical Real-Time Systems Arvind Easwaran, Insup Lee, Insik Shin, and Oleg Sokolsky Department of Computer and Information Science University of Pennsylvania,
More informationQ Body of techniques supported by. R precise mathematics. R powerful analysis tools. Q Rigorous, effective mechanisms for system.
Introduction to Formal Methods 1 Introduction to Formal Methods 2 Formal Specification Requirements specification R notational statement of system services Software specification R formal abstract depiction
More informationA Brief Introduction to TRIO
A Brief Introduction to TRIO Abstract This document introduces the main characteristics of the TRIO specification language. First, the basic logic features of the language are described; then, its object-oriented
More informationCOS 320. Compiling Techniques
Topic 5: Types COS 320 Compiling Techniques Princeton University Spring 2016 Lennart Beringer 1 Types: potential benefits (I) 2 For programmers: help to eliminate common programming mistakes, particularly
More informationInterpretations and Models. Chapter Axiomatic Systems and Incidence Geometry
Interpretations and Models Chapter 2.1-2.4 - Axiomatic Systems and Incidence Geometry Axiomatic Systems in Mathematics The gold standard for rigor in an area of mathematics Not fully achieved in most areas
More informationSpecification Centered Testing
Specification Centered Testing Mats P. E. Heimdahl University of Minnesota 4-192 EE/CS Building Minneapolis, Minnesota 55455 heimdahl@cs.umn.edu Sanjai Rayadurgam University of Minnesota 4-192 EE/CS Building
More informationReading 1 : Introduction
CS/Math 240: Introduction to Discrete Mathematics Fall 2015 Instructors: Beck Hasti and Gautam Prakriya Reading 1 : Introduction Welcome to CS 240, an introduction to discrete mathematics. This reading
More informationType raising, continuations, and classical logic
Type raising, continuations, and classical logic Philippe de Groote Inria-Lorraine Abstract. There is a striking analogy between type raising, as introduced by Montague (973), and the notion of continuation
More informationJoint Entity Resolution
Joint Entity Resolution Steven Euijong Whang, Hector Garcia-Molina Computer Science Department, Stanford University 353 Serra Mall, Stanford, CA 94305, USA {swhang, hector}@cs.stanford.edu No Institute
More informationSpecification of Behavioural Requirements within Compositional Multi-Agent System Design
Specification of Behavioural Requirements within Compositional Multi-Agent System Design Daniela E. Herlea 1, Catholijn M. Jonker 2, Jan Treur 2, Niek J.E. Wijngaards 1,2 1 University of Calgary, Software
More informationWhat if current foundations of mathematics are inconsistent? Vladimir Voevodsky September 25, 2010
What if current foundations of mathematics are inconsistent? Vladimir Voevodsky September 25, 2010 1 Goedel s second incompleteness theorem Theorem (Goedel) It is impossible to prove the consistency of
More information! Use of formal notations. ! in software system descriptions. ! for a broad range of effects. ! and varying levels of use. !
What Are Formal Methods? David S. Rosenblum ICS 221 Winter 2001! Use of formal notations! first-order logic, state machines, etc.! in software system descriptions! system models, constraints, specifications,
More informationRewriting Needs Constraints and Constraints Need Rewriting
Rewriting Needs Constraints and Constraints Need Rewriting José Meseguer Department of Computer Science, UIUC ints 14 November 2008 Motivation Symbolic Computation, Rewriting, and Constraints Rewriting
More informationFinding Deadlocks of Event-B Models by Constraint Solving
B 2011 June 21st, 2011, Limerick, Ireland Finding Deadlocks of Event-B Models by Constraint Solving Stefan Hallerstede, Michael Leuschel Institut für Informatik, Universität Düsseldorf Universitätsstr.
More information6.001 Notes: Section 8.1
6.001 Notes: Section 8.1 Slide 8.1.1 In this lecture we are going to introduce a new data type, specifically to deal with symbols. This may sound a bit odd, but if you step back, you may realize that everything
More information1 Introduction. 3 Syntax
CS 6110 S18 Lecture 19 Typed λ-calculus 1 Introduction Type checking is a lightweight technique for proving simple properties of programs. Unlike theorem-proving techniques based on axiomatic semantics,
More informationThis is already grossly inconvenient in present formalisms. Why do we want to make this convenient? GENERAL GOALS
1 THE FORMALIZATION OF MATHEMATICS by Harvey M. Friedman Ohio State University Department of Mathematics friedman@math.ohio-state.edu www.math.ohio-state.edu/~friedman/ May 21, 1997 Can mathematics be
More informationTheorem proving. PVS theorem prover. Hoare style verification PVS. More on embeddings. What if. Abhik Roychoudhury CS 6214
Theorem proving PVS theorem prover Abhik Roychoudhury National University of Singapore Both specification and implementation can be formalized in a suitable logic. Proof rules for proving statements in
More informationSTABILITY AND PARADOX IN ALGORITHMIC LOGIC
STABILITY AND PARADOX IN ALGORITHMIC LOGIC WAYNE AITKEN, JEFFREY A. BARRETT Abstract. Algorithmic logic is the logic of basic statements concerning algorithms and the algorithmic rules of deduction between
More informationModule 3. Requirements Analysis and Specification. Version 2 CSE IIT, Kharagpur
Module 3 Requirements Analysis and Specification Lesson 6 Formal Requirements Specification Specific Instructional Objectives At the end of this lesson the student will be able to: Explain what a formal
More informationCS 6110 S14 Lecture 1 Introduction 24 January 2014
CS 6110 S14 Lecture 1 Introduction 24 January 2014 1 Introduction What is a program? Is it just something that tells the computer what to do? Yes, but there is much more to it than that. The basic expressions
More informationFlight Systems are Cyber-Physical Systems
Flight Systems are Cyber-Physical Systems Dr. Christopher Landauer Software Systems Analysis Department The Aerospace Corporation Computer Science Division / Software Engineering Subdivision 08 November
More informationProgramming Languages Third Edition
Programming Languages Third Edition Chapter 12 Formal Semantics Objectives Become familiar with a sample small language for the purpose of semantic specification Understand operational semantics Understand
More informationBatch Proving and Proof Scripting in PVS
Batch Proving and Proof Scripting in PVS César A. Muñoz National Institute of Aerospace 144 Research Drive, Hampton VA 23666, USA munoz@nianet.org Abstract. The batch execution modes of PVS are powerful,
More informationA Formal V&V Framework for UML Models Based on Model Transformation Techniques
A Formal V&V Framework for UML Models Based on Model Transformation Techniques Soon-Kyeong Kim and David Carrington Information Technology and Electrical Engineering The University of Queensland, St. Lucia,
More informationLecture 2 - Graph Theory Fundamentals - Reachability and Exploration 1
CME 305: Discrete Mathematics and Algorithms Instructor: Professor Aaron Sidford (sidford@stanford.edu) January 11, 2018 Lecture 2 - Graph Theory Fundamentals - Reachability and Exploration 1 In this lecture
More informationOn the Definition of Sequential Consistency
On the Definition of Sequential Consistency Ali Sezgin Ganesh Gopalakrishnan Abstract The definition of sequential consistency is compared with an intuitive notion of correctness. A relation between what
More informationChapter 1. Introduction
1 Chapter 1 Introduction An exciting development of the 21st century is that the 20th-century vision of mechanized program verification is finally becoming practical, thanks to 30 years of advances in
More informationA General Method for the Analysis and the Logical Generation of Discrete Mathematical Systems in Programmable Logical Controller
A General Method for the Analysis and the Logical Generation of Discrete Mathematical Systems in Programmable Logical Controller Daniel M. Dubois * Department of Applied Informatics and Artificial Intelligence,
More informationNote that in this definition, n + m denotes the syntactic expression with three symbols n, +, and m, not to the number that is the sum of n and m.
CS 6110 S18 Lecture 8 Structural Operational Semantics and IMP Today we introduce a very simple imperative language, IMP, along with two systems of rules for evaluation called small-step and big-step semantics.
More informationA Typed Calculus Supporting Shallow Embeddings of Abstract Machines
A Typed Calculus Supporting Shallow Embeddings of Abstract Machines Aaron Bohannon Zena M. Ariola Amr Sabry April 23, 2005 1 Overview The goal of this work is to draw a formal connection between steps
More informationINDEPENDENT POSTULATES FOR THE "INFORMAL" PART OF PRINCIPIA MATHEMATICA*
9- "INFORMAL" PART OF PRINCIPIA 7 INDEPENDENT POSTULATES FOR THE "INFORMAL" PART OF PRINCIPIA MATHEMATICA* BY E. V. HUNTINGTON. Introduction. It has long been recognized that Section A of Whitehead and
More informationFormal Systems and their Applications
Formal Systems and their Applications Dave Clarke (Dave.Clarke@cs.kuleuven.be) Acknowledgment: these slides are based in part on slides from Benjamin Pierce and Frank Piessens 1 Course Overview Introduction
More informationPetri-net-based Workflow Management Software
Petri-net-based Workflow Management Software W.M.P. van der Aalst Department of Mathematics and Computing Science, Eindhoven University of Technology, P.O. Box 513, NL-5600 MB, Eindhoven, The Netherlands,
More informationHow to Conduct a Heuristic Evaluation
Page 1 of 9 useit.com Papers and Essays Heuristic Evaluation How to conduct a heuristic evaluation How to Conduct a Heuristic Evaluation by Jakob Nielsen Heuristic evaluation (Nielsen and Molich, 1990;
More informationAXIOMS OF AN IMPERATIVE LANGUAGE PARTIAL CORRECTNESS WEAK AND STRONG CONDITIONS. THE AXIOM FOR nop
AXIOMS OF AN IMPERATIVE LANGUAGE We will use the same language, with the same abstract syntax that we used for operational semantics. However, we will only be concerned with the commands, since the language
More informationSimulink/Stateflow. June 2008
Simulink/Stateflow Paul Caspi http://www-verimag.imag.fr/ Pieter Mosterman http://www.mathworks.com/ June 2008 1 Introduction Probably, the early designers of Simulink in the late eighties would have been
More informationA Boolean Expression. Reachability Analysis or Bisimulation. Equation Solver. Boolean. equations.
A Framework for Embedded Real-time System Design? Jin-Young Choi 1, Hee-Hwan Kwak 2, and Insup Lee 2 1 Department of Computer Science and Engineering, Korea Univerity choi@formal.korea.ac.kr 2 Department
More informationDeveloping Safety-Critical Systems: The Role of Formal Methods and Tools
Developing Safety-Critical Systems: The Role of Formal Methods and Tools Constance Heitmeyer Center for High Assurance Computer Systems Naval Research Laboratory Washington, DC 20375 Email: heitmeyer@itd.nrl.navy.mil
More informationHoare Logic. COMP2600 Formal Methods for Software Engineering. Rajeev Goré
Hoare Logic COMP2600 Formal Methods for Software Engineering Rajeev Goré Australian National University Semester 2, 2016 (Slides courtesy of Ranald Clouston) COMP 2600 Hoare Logic 1 Australian Capital
More information14.1 Encoding for different models of computation
Lecture 14 Decidable languages In the previous lecture we discussed some examples of encoding schemes, through which various objects can be represented by strings over a given alphabet. We will begin this
More informationIntroduction to Axiomatic Semantics
Introduction to Axiomatic Semantics Meeting 10, CSCI 5535, Spring 2009 Announcements Homework 3 due tonight Homework 2 is graded 13 (mean), 14 (median), out of 21 total, but Graduate class: final project
More informationProgram Design in PVS. Eindhoven University of Technology. Abstract. Hoare triples (precondition, program, postcondition) have
Program Design in PVS Jozef Hooman Dept. of Computing Science Eindhoven University of Technology P.O. Box 513, 5600 MB Eindhoven, The Netherlands e-mail: wsinjh@win.tue.nl Abstract. Hoare triples (precondition,
More informationFormal Methods in Software Engineering. Lecture 07
Formal Methods in Software Engineering Lecture 07 What is Temporal Logic? Objective: We describe temporal aspects of formal methods to model and specify concurrent systems and verify their correctness
More informationLiveness and Fairness Properties in Multi-Agent Systems
Liveness and Fairness Properties in Multi-Agent Systems Hans-Dieter Burkhard FB Informatik Humboldt-University Berlin PF 1297, 1086 Berlin, Germany e-mail: hdb@informatik.hu-berlin.de Abstract Problems
More informationSemantical Aspects of an Architecture for Distributed Embedded Systems
Semantical Aspects of an Architecture for Distributed Embedded Systems Roel Bloo Eindhoven University of Technology Eindhoven, The Netherlands bloo@win.tue.nl Jozef Hooman University of Nijmegen Nijmegen,
More informationDefinition and Instantiation of a Reference Model for Problem Specifications
Definition and Instantiation of a Reference Model for Problem Specifications Martin Kronenburg Christian Peper University of Kaiserslautern, Erwin Schrödinger Straße, D-67663 Kaiserslautern, Germany E-mail:
More informationFormal Methods in Describing Architectures
Presented at the 1995 Monterey Workshop on Formal Methods and Architecture Introduction Formal Methods in Describing Architectures Dr. Paul C. Clements Software Engineering Institute 1 Carnegie Mellon
More informationChapter 3. Semantics. Topics. Introduction. Introduction. Introduction. Introduction
Topics Chapter 3 Semantics Introduction Static Semantics Attribute Grammars Dynamic Semantics Operational Semantics Axiomatic Semantics Denotational Semantics 2 Introduction Introduction Language implementors
More information