Formal Specification and Verification Techniques


(1)

Prof. Dr. K. Madlener

31 January 2012

(2)

Course of Studies "Informatics", "Applied Informatics" and "Master-Inf.", WS 11/12, Prof. Dr. Madlener, TU Kaiserslautern

Lecture: Mo 08.30–10.00, room 34-420; We 08.30–10.00, room 34-420

Exercises: Fr 11.45–13.15, room 32-439; Mo 13.45–15.45, room 32-439

- Information: http://www-madlener.informatik.uni-kl.de/teaching/ws2011-2012/fsvt/fsvt

- Evaluation method: exercises (efficiency statement) + final exam (credits)

- First final exam: written or oral

- Exercises (dates and registration): see the WWW site

(3)

Bibliography

M. O'Donnell. Computing in Systems Described by Equations. LNCS 58, 1977.

M. O'Donnell. Equational Logic as a Programming Language.

J. Avenhaus. Reduktionssysteme (lecture notes). Springer, 1995.

Cohen et al. The Specification of Complex Systems.

Bergstra et al. Algebraic Specification.

Barendregt. Functional Programming and Lambda Calculus. Handbook of Theoretical Computer Science, 321–363, 1990.

Gehani et al. Software Specification Techniques.

Huet. Confluent Reductions: Abstract Properties and Applications to Term Rewriting Systems. JACM 27, 1980.

Nivat, Reynolds. Algebraic Methods in Semantics.

Loeckx, Ehrich, Wolf. Specification of Abstract Data Types. Wiley-Teubner, 1996.

J.W. Klop. Term Rewriting Systems. Handbook of Logic in Computer Science, Vol. 2, Abramsky, Gabbay, Maibaum (eds.).

Ehrig, Mahr. Fundamentals of Algebraic Specification.

Peyton Jones. The Implementation of Functional Programming Languages.

Plasmeijer, van Eekelen. Functional Programming and Parallel Graph Rewriting.

Astesiano, Kreowski, Krieg-Brückner. Algebraic Foundations of Systems Specification (IFIP).

N. Nissanke. Formal Specification Techniques and Applications (Z, VDM, algebraic). Springer, 1999.

Turner, McCluskey. The Construction of Formal Specifications (model-based (VDM) + algebraic (OBJ)).

Goguen, Malcolm. Algebraic Semantics of Imperative Programs.

H. Dörr. Efficient Graph Rewriting and its Implementation.

B. Potter, J. Sinclair, D. Till. An Introduction to Formal Specification and Z. Prentice Hall, 1996.

J. Woodcock, J. Davies. Using Z: Specification, Refinement and Proof. Prentice Hall, 1996.

J.-R. Abrial. The B-Book: Assigning Programs to Meanings. Cambridge University Press, 1996.

E. Börger, R. Stärk. Abstract State Machines: A Method for High-Level System Design and Analysis. Springer, 2003.

F. Baader, T. Nipkow. Term Rewriting and All That. Cambridge University Press, 1999.

H. Habrias, M. Frappier. Software Specification Methods. ISTE, 2006.

(8)

Goals - Contents

General goals: formal foundations of methods for specification, verification and implementation

Summary

- The role of formal specifications

- Abstract State Machines: ASM specification methods

- Algebraic specification, equational systems

- Reduction systems, term rewriting systems

- Equational calculus and equational programming

- Related calculi: λ-calculus, combinator calculus

- Implementation, reduction strategies, graph rewriting

(9)

Lecture's Contents

Role of formal specifications: motivation; properties of specifications; formal specifications; examples

(10)

Abstract State Machines (ASMs)

Abstract State Machines: the ASM specification method, fundamentals; sequential algorithms; basic ASM (main model of ASMs); distributed ASM: concurrency, reactivity, time; fundamentals: orders, CPOs, proof techniques, induction; DASM; reactive and time-dependent systems; refinement

The lecture follows Börger's ASM book

(11)

Algebraic Specification

Algebraic specification - equational calculus, fundamentals: introduction, algebras; algebraic fundamentals: signatures, terms; strictness, positions, subterms; interpretations: Sig-algebras, canonical homomorphisms; equational specifications, substitution; loose semantics; connection between ⊨, =_E and ⊢_E; Birkhoff's theorem

(12)

Algebraic Specification: Initial Semantics

Initial semantics, basic properties; correctness and implementation; structuring mechanisms; signature morphisms, parameter passing, semantics of parameter passing; specification morphisms

(13)

Algebraic Specification: Operationalization

Reduction systems: abstract reduction systems; principle of Noetherian induction; important relations; sufficient conditions for confluence; equivalence relations and reduction relations; transformation with the inference system; construction of the proof ordering

Term rewriting systems: principles; critical pairs, unification; local confluence; confluence without termination; Knuth-Bendix completion

(14)

Computability and Implementation

Equational calculus and computability, implementations: primitive recursive functions; recursive and partial recursive functions; partial recursive functions and register machines; computable algebras

Reduction strategies: generalities; orthogonal systems; strategies and length of derivations; sequential orthogonal TRS: call by need; applications

Formal specification techniques: case study: invoice system; case study: CASL specification; case study: ASM specification

(15)

Role of formal Specifications

- Software and hardware systems must accomplish well-defined tasks (requirements).

- Software engineering has as its goals:

  - definition of criteria for the evaluation of software systems;

  - methods and techniques for the development of software systems that meet such criteria;

  - characterization of software systems;

  - development processes for software systems;

  - measures and supporting tools.

- Simplified view of a software development process: definition of a sequence of actions and descriptions for the software system to be developed (process and product models).

  Goal: the set of documents that includes an executable program.

(16)

Models for SW-Development

- Waterfall model, spiral model, ...

- Phases: activities + product parts (partial descriptions) in each stage of the development process.

- Description: a software specification, that is, a stipulation of what must be achieved, but not always how it is done.

(17)

[Figure: development process diagram. Stages: informal actual needs → formal specification (validation) → temporary specifications (refinement, verification) → program specification (coding) → programs (verification of program correctness, test) → generation → installation → final system (verification, test); maintenance.]

(18)

Comment

- First specification: the global specification, the foundation for the development; the "contract or agreement" between developers and client.

- Intermediate (partial) specifications: the basis of communication between developers.

- Programs: final products.

Development paradigms

- Structured programming

- Design + program

- Transformation methods

- ...

(19)

Properties of Specifications

Consistency, completeness

- Validation of the global specification regarding the requirements.

- Verification of intermediate specifications regarding the previous one.

- Verification of the programs regarding the specification.

- Verification of the integrated final system with respect to the global specification.

- Activities: validation, verification, testing, consistency and completeness checks.

- Tool support needed!

(20)

Requirements

Functional requirements: what, ..., how

Non-functional requirements: time aspects, robustness, stability, security, adaptability, ergonomics, maintainability

Properties

Correctness: does the implemented system fulfill the requirements? Test, validate, verify.

(21)

Validation - Verification

From Wikipedia, the free encyclopedia:

In common usage, validation is the process of checking if something satisfies a certain criterion. Examples would include checking if a statement is true (validity), if an appliance works as intended, if a computer system is secure, or if computer data are compliant with an open standard. Validation implies one is able to document that a solution or process is correct or is suited for its intended use.

In engineering or as part of a quality management system, validation confirms that the needs of an external customer or user of a product, service, or system are met. Verification is usually an internal quality process of determining compliance with a regulation, standard, or specification. An easy way of recalling the difference between validation and verification is that validation is ensuring "you built the right product" and verification is ensuring "you built the product right."

Validation is testing to confirm that it satisfies the user's needs.

(22)

Requirements

- The global specification describes, as exactly as possible, what must be done.

- Abstraction from the how. Advantages:

  - a priori: reference document, compact and legible;

  - a posteriori: possibility to follow and document design decisions: traceability, reusability, maintenance.

- Problem: size and complexity of the systems.

Principles to be supported

- Refinement principle: abstraction levels

- Structuring mechanisms: decomposition and modularization principles

- Object orientation

- Verification and validation concepts

(23)

Requirements Description: Specification Language

- The choice of the specification technique depends on the system. Frequently more than a single specification technique is needed (what vs. how).

- Types of systems: purely function-oriented (I/O), reactive, embedded, real-time systems.

- Problem: a universal specification technique (UST) is difficult to understand: ambiguities, tools, size, ... (e.g. UML).

- Desired: compact, legible and exact specifications.

Here: formal specification techniques

(24)

Formal Specifications

- A specification in a formal specification language defines all the possible behaviors of the specified system.

- Three aspects: syntax, semantics, inference system.

- Syntax: what one is allowed to write: text with structure; properties often described by formulas of a logic.

- Semantics: which models are associated with the specification (the specification's models).

- Inference system: consequences (derivation) of properties of the system; notion of consequence.

(25)

Formal Specifications

- Two main classes:

  Model oriented (constructive), e.g. VDM, Z, ASM: construction of a non-ambiguous model from available data structures and construction rules; concept of correctness.

  Property oriented (declarative): signature (functions, predicates), properties (formulas, axioms), models; algebraic specification, e.g. AFFIRM, OBJ, ASF, ...

- Operational specifications: Petri nets, process algebras, automata-based (SDL).

(26)

Specifications: What for?

- The concept of correctness is not well defined without a formal specification.

- A verification task is not possible without a formal specification.

- Other concepts, like refinement and simulation, become well defined.

Wish list

- Small gap between specification and program: generators, transformers.

- Not too many different formalisms/notations.

- Tool support.

- Rapid prototyping.

- Rules for "constructing" specifications that guarantee certain properties (e.g. consistency + completeness).

(27)

Formal Specifications

- Advantages:

  - The concepts of correctness, equivalence, completeness, consistency, refinement, composition, etc. are treated in a mathematical way (based on the logic).

  - Tool support is possible and often available.

  - The application and interconnection of different tools are possible.

- Disadvantages:

(28)

Refinements

Abstraction mechanisms

- Data abstraction (representation)

- Control abstraction (sequence)

- Procedural abstraction (only I/O description)

Refinement mechanisms

- Choose a data representation (e.g. sets by lists)

- Choose a sequence of computation steps

- Develop an algorithm (e.g. a sorting algorithm)

Concept: correctness of the implementation

- Observable equivalences

- Behavioral equivalences

(29)

Structuring

Problems: structuring mechanisms

- Horizontal: decomposition/aggregation/combination/extension/parameterization/instantiation (components). Goal: reduction of complexity, completeness.

- Vertical: realization of behavior, information hiding/refinement. Goal: efficiency and correctness.

(30)

Tool support

- Syntactic support (grammars, parsers, ...)

- Verification: theorem proving (proof obligations)

- Prototyping (executable specifications)

- Code generation (e.g. generate C code from the specification)

- Testing (generate test cases for the program from the specification)

Desired: to generate the tools from the syntax and semantics of the specification language

(31)

Example: declarative

Example 2.1. Restricted logic, e.g. equational logic:

- Axioms: ∀X. t1 = t2, with t1, t2 terms.

- Rules: equals are replaced by equals (directed).

- Terms ≈ names for objects (identifiers), structuring, construction of the object.

- Abstraction: terms as elements of an algebra, the term algebra.

(32)

Example: declarative

Foundations for the algebraic specification method:

- Axioms induce a congruence on a term algebra.

- Independent subtasks:

  - description of properties with equality axioms;

  - representation of the terms;

  - operationalization: given spec and a term t, output the "value" of t, i.e. a term t' ∈ Value(spec) with spec ⊨ t = t'.

- Functional programming: LISP, CAML, ...: F(t1, ..., tn) → eval(...) → value.

(33)

Example: Model-based constructive: VDM

Unambiguous (unique model), standard (notations), independent of the implementation, formally manipulable, abstract, structured, expressive, consistency by construction.

Example 2.2. Model (state)-based specification technique VDM

- Based on naive set theory, first-order predicate logic, preconditions and postconditions.

- Primitive types: B (Boolean, {true, false}), N (natural, {0, 1, 2, 3, ...}), Z, R.

- Sets: B-set: sets of B's.

- Operations on sets: ∈: Element × Element-set → B; ∪, ∩, \.

- Sequences: Z*: sequences of integers.

- Sequence operations: ⌢: Sequences × Sequences → Sequences ("concatenation"), e.g. [ ] ⌢ [true, false, true] = [true, false, true]; len: Sequences → N; hd: Sequences → Elem (partial); tl: Sequences → Sequences; elems: Sequences → Elem-set.

(34)

Operations in VDM

See e.g. http://www.vdmportal.org/twiki/bin/view (VDM-SL: system state, specification of operations).

Format:

  Operation-Identifier (input parameters) output parameters
  pre  Pre-condition
  post Post-condition

e.g.

  Int_SQR (x: N) z: N
  pre  x ≥ 1
  post (z² ≤ x) ∧ (x < (z+1)²)

(35)

Example VDM: Bounded stack

Example 2.3.

- Operations: Init, Push, Pop, Empty, Full.

  [Figure: a stack holding 45 78 29 56 78; Push(23) puts 23 on top; Pop yields output 23 and restores the stack; Newstack.]

- Contents = N* (sequences of N), Max_Stack_Size = N

- STATE STACK OF
      s: Contents
      n: Max_Stack_Size
  inv mk-STACK(s, n) ≜ len s ≤ n
  END

(36)

Bounded stack

  Init (size: N)                     Full () b: B
  ext wr s: Contents                 ext rd s: Contents
      wr n: Max_Stack_Size               rd n: Max_Stack_Size
  pre  true                          pre  true
  post s = [ ] ∧ n = size            post b ⇔ (len s = n)

  Push (c: N)                        Pop () c: N
  ext wr s: Contents                 ext wr s: Contents
      rd n: Max_Stack_Size
  pre  len s < n                     pre  len s > 0
  post s = [c] ⌢ old(s)              post old(s) = [c] ⌢ s

(old(s) denotes the value of s before the operation, written with a left arrow over s on the slide.)

Proof obligations

(37)

General format for VDM-operations

[Figure: an operation receives input parameters and the input state; the precondition is evaluated. If it is false, the operation cannot be executed for this input value. If it is true, the operation must produce an output parameter value and/or output state that satisfy the postcondition; if none exists, the operation is not satisfiable.]

(38)

General form of VDM-operations

Proof obligations:

For each acceptable input there is (at least) one acceptable output.

  ∀ si, i · (pre-op(i, si) ⇒ ∃ so, o · post-op(i, si, o, so))

When there are state invariants at hand:

  ∀ si, i · (inv(si) ∧ pre-op(i, si) ⇒ ∃ so, o · (inv(so) ∧ post-op(i, si, o, so)))

alternatively

  ∀ si, i, so, o · (inv(si) ∧ pre-op(i, si) ∧ post-op(i, si, o, so) ⇒ inv(so))

See e.g. Turner, McCluskey: The Construction of Formal Specifications, or C.B. Jones: Systematic Software Development using VDM, Prentice Hall.
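The Int_SQR operation, the bounded stack and its proof obligations from the slides above can be exercised directly. The following Python is an added example, not lecture material: it encodes the operations as runtime-checked pre/post contracts (with the invariant len s ≤ n), and checks the satisfiability obligation ∀si,i·(inv(si) ∧ pre ⇒ ∃so,o·(inv(so) ∧ post)) by brute-force enumeration over a small finite universe of states and inputs (elements {0, 1} and capacities 0..3 are my own choice of test universe, not anything the slides fix). It also shows what the obligation catches: drop the precondition len s < n from Push and a full stack has no post-state that satisfies the invariant, which is the specification-level counterpart of an unchecked buffer overflow.

```python
import itertools
from typing import Callable, Iterable, List, Optional, Tuple

# ---- Int_SQR (x: N) z: N   pre x >= 1   post z^2 <= x and x < (z+1)^2 ----
def int_sqr(x: int) -> int:
    assert x >= 1, "pre-condition x >= 1 violated"
    z = 0
    while (z + 1) * (z + 1) <= x:            # integer square root by search
        z += 1
    assert z * z <= x < (z + 1) * (z + 1), "post-condition violated"
    return z

# ---- STATE STACK OF s: Contents, n: Max_Stack_Size   inv len s <= n ----
class BoundedStack:
    def __init__(self, size: int) -> None:   # Init(size: N): post s = [] and n = size
        self.s: List[int] = []
        self.n = size
        self._inv()

    def _inv(self) -> None:
        assert len(self.s) <= self.n, "invariant len s <= n violated"

    def full(self) -> bool:                  # Full() b: B, ext rd s, n: post b <=> len s = n
        return len(self.s) == self.n

    def push(self, c: int) -> None:          # Push(c: N), ext wr s, rd n
        assert len(self.s) < self.n, "pre len s < n violated: stack is full"
        old_s = list(self.s)                 # value of s before the operation
        self.s = [c] + old_s                 # post s = [c] ^ old(s)
        self._inv()

    def pop(self) -> int:                    # Pop() c: N, ext wr s
        assert len(self.s) > 0, "pre len s > 0 violated: stack is empty"
        old_s = list(self.s)
        c, self.s = old_s[0], old_s[1:]      # post old(s) = [c] ^ s
        self._inv()
        return c

# ---- proof obligation, checked by enumeration over a finite universe ----
State = Tuple[Tuple[int, ...], int]          # (s as a tuple, n)
ELEMS = (0, 1)                               # constructed test universe for stack elements
STATES: List[State] = [(s, n) for n in range(4) for k in range(4)
                       for s in itertools.product(ELEMS, repeat=k)]

def inv(st: State) -> bool:
    return len(st[0]) <= st[1]

def satisfiable(states: Iterable[State], inputs: Iterable, outputs: Iterable,
                pre: Callable, post: Callable) -> Tuple[bool, Optional[tuple]]:
    """forall si, i: inv(si) and pre(i, si) => exists so, o: inv(so) and post(i, si, o, so).
    Returns (True, None) or (False, (i, si)) with a counter-example."""
    states, inputs, outputs = list(states), list(inputs), list(outputs)
    for si in states:
        for i in inputs:
            if inv(si) and pre(i, si):
                if not any(inv(so) and post(i, si, o, so) for so in states for o in outputs):
                    return False, (i, si)
    return True, None

# Push: n unchanged (ext rd n), s = [c] ^ old(s); no output parameter
def push_pre(c, si): return len(si[0]) < si[1]
def push_post(c, si, o, so): return so[1] == si[1] and so[0] == (c,) + si[0]
# Pop: n unchanged, old(s) = [c] ^ s, output c
def pop_pre(_, si): return len(si[0]) > 0
def pop_post(_, si, o, so): return so[1] == si[1] and si[0] == (o,) + so[0]

def check_push_obligation(guarded: bool = True):
    pre = push_pre if guarded else (lambda c, si: True)   # unguarded: drop pre len s < n
    return satisfiable(STATES, ELEMS, [None], pre, push_post)

def check_pop_obligation():
    return satisfiable(STATES, [None], ELEMS, pop_pre, pop_post)

if __name__ == "__main__":
    print(int_sqr(10), check_push_obligation(), check_push_obligation(False), check_pop_obligation())
```

The enumeration is only a finite sanity check, not the proof the obligation asks for; its value is that the counter-example it returns for the unguarded Push (the empty stack with capacity 0 and input 0) is exactly the state a theorem prover would also reject.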

(39)

Stack: algebraic specification

Example 2.4. Elements of an algebraic specification: signature (sorts, operation names with their arity), axioms (often only equations).

  SPEC STACK
  USING NATURAL, BOOLEAN            "names of known SPECs"
  SORT stack                        "principal type"
  OPS  init        :           → stack   "constant of type stack, the empty stack"
       push        : stack nat → stack
       pop         : stack     → stack
       top         : stack     → nat
       is_empty?   : stack     → bool
       stack_error :           → stack
       nat_error   :           → nat
  (signature fixed)

(40)

Axioms for Stack

  FORALL s : stack, n : nat
  AXIOMS
    is_empty?(init)       = true
    is_empty?(push(s, n)) = false
    pop(init)             = stack_error
    pop(push(s, n))       = s
    top(init)             = nat_error
    top(push(s, n))       = n

Terms or expressions: top(push(push(init, 2), 3)) "means" 3.

How is the "bounded stack" specified algebraically?

Semantics? Operationalization?
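Operationalization of an equational specification means orienting the axioms into rewrite rules and computing normal forms; that is also how the earlier "give out the value of t" subtask is realised (a term t' with spec ⊨ t = t'). The following Python is an added example, not part of the lecture: a small first-order matcher and innermost rewriter for exactly the six STACK axioms above, with s and n as the only variables. The nested-tuple term encoding and the `is_value` check (normal forms built only from the constructors init and push, nat literals, true/false or the two error constants) are my own conventions, not notation from the slides.

```python
from typing import Any, Dict, List, Optional, Tuple

# A term is a nat literal (int), a constant or variable name (str), or an
# application ('op', arg1, ..., argk). Variables of the axioms:
VARS = {'s', 'n'}
CONSTRUCTORS = {'init', 'push'}                         # value-building operations
ERRORS = {'stack_error', 'nat_error'}

Term = Any
Rule = Tuple[Term, Term]

# The six AXIOMS of SPEC STACK, oriented left -> right.
STACK_RULES: List[Rule] = [
    (('is_empty?', 'init'), 'true'),
    (('is_empty?', ('push', 's', 'n')), 'false'),
    (('pop', 'init'), 'stack_error'),
    (('pop', ('push', 's', 'n')), 's'),
    (('top', 'init'), 'nat_error'),
    (('top', ('push', 's', 'n')), 'n'),
]

def match(pat: Term, term: Term, sub: Dict[str, Term]) -> Optional[Dict[str, Term]]:
    """Syntactic matching of a pattern against a ground term; extends `sub`."""
    if isinstance(pat, str) and pat in VARS:
        if pat in sub:                                    # repeated variable: same binding
            return sub if sub[pat] == term else None
        sub[pat] = term
        return sub
    if isinstance(pat, tuple):
        if not (isinstance(term, tuple) and len(term) == len(pat) and term[0] == pat[0]):
            return None
        for p, t in zip(pat[1:], term[1:]):
            if match(p, t, sub) is None:
                return None
        return sub
    return sub if pat == term else None                   # constant or literal

def substitute(sub: Dict[str, Term], term: Term) -> Term:
    if isinstance(term, str) and term in VARS:
        return sub[term]
    if isinstance(term, tuple):
        return (term[0],) + tuple(substitute(sub, a) for a in term[1:])
    return term

def normalize(term: Term, rules: List[Rule] = STACK_RULES) -> Term:
    """Innermost rewriting: normalise the arguments, then rewrite at the root
    while some rule applies. Terminates because every rule shrinks the term."""
    if isinstance(term, tuple):
        term = (term[0],) + tuple(normalize(a, rules) for a in term[1:])
    for lhs, rhs in rules:
        sub = match(lhs, term, {})
        if sub is not None:
            return normalize(substitute(sub, rhs), rules)
    return term

def is_value(term: Term) -> bool:
    """Normal forms made only of constructors, nat literals, true/false or the
    error constants are the 'values' of the specification."""
    if isinstance(term, int):
        return True
    if isinstance(term, str):
        return term in ERRORS or term in {'true', 'false', 'init'}
    return term[0] in CONSTRUCTORS and all(is_value(a) for a in term[1:])

def value(term: Term) -> Tuple[Term, bool]:
    """Return the normal form of `term` and whether it is a value of the spec."""
    nf = normalize(term)
    return nf, is_value(nf)

def show(term: Term) -> str:
    if isinstance(term, tuple):
        return f"{term[0]}({', '.join(show(a) for a in term[1:])})"
    return str(term)

if __name__ == "__main__":
    t = ('top', ('push', ('push', 'init', 2), 3))
    print(show(t), "->", show(normalize(t)))              # top(push(push(init, 2), 3)) -> 3
```

Because the left-hand sides do not overlap, the six rules have no critical pairs and the rewriter returns the same normal form whatever order the rules are tried in; a term such as top(init) rewrites to nat_error, which is the specification's explicit "error value" rather than an undefined result.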

(41)

Variant: Z and B methods:

Specification - development - programs.

- Covering: technical specification (what), development through refinement, architecture (layered architecture), generation of executable code.

- Proofs: program construction corresponds to proof construction. Abstraction, instantiation, decomposition.

- Abstract machines: encapsulation of information (modules, classes, ADTs).

- Data and operations: the software system is composed of abstract machines. Abstract machines "hold" data and "offer" operations. Data can only be accessed through operations.

(42)

Z and B methods: specification - development - programs.

- Data specification: sets, relations, functions, sequences, trees. Rules (static) with the help of invariants.

- Operation specification: non-executable "pseudocode", without loops: precondition + atomic action; first-order logic, generalized substitution.

- Refinement (→ implementation).

- Refinement (as a specification technique).

- Refinement techniques: elimination of non-executable parts, introduction of control structures (loops); transformation of abstract mathematical structures.

(43)

Z and B methods: specification - development - programs.

- Refinement steps: refinement is done in several steps. Abstract machines are constructed anew; the operations for users remain the same, only the internals change. In-between steps: mixed code.

- Nested architecture. Rule: not too many refinement steps; better to apply decomposition.

- Library: predefined abstract machines, encapsulation of classical data structures.

- Reusability.

- Code generation: the last abstract machine can easily be translated into a program in an imperative language.

(44)

Z and B methods: specification - development - programs.

Important here:

- Notation: set theory + first-order logic, standard set operations, Cartesian product, power sets, set comprehensions {x | x ∈ s ∧ P}, P a predicate.

- Schemata (schemes) in Z: models for declaration and constraint (state descriptions).

- Types.

- Natural language: connection between mathematical objects and objects of the modeled world.

- Literature: see Abrial: The B-Book; Potter, Sinclair, Till: An Introduction to Formal Specification and Z; Woodcock, Davies: Using Z: Specification, Refinement, and Proof.

(45)

Introduction to ASM: Fundamentals

- Adaptable and flexible specification technique

- Modeling at the correct abstraction level

- Natural and easily understandable semantics

Material: see http://www.di.unipi.it/AsmBook/

(46)

Theoretical foundations: ASM theses

Abstract state machines as computation models

Turing machines (RAMs, partial recursive functions, ...) serve as computation models, e.g. for fixing the notion of computable function. In principle it is possible to simulate every algorithmic solution with an appropriate TM.

Problem: the simulation is not easy, because there are different abstraction levels of the manipulated objects and different granularities of the steps.

Question: is it possible to generalize the TM in such a way that every algorithm, independent of its abstraction level, can be naturally and faithfully simulated with such a generalized machine?

What would the states and instructions of such a machine look like?

Easy: If Condition Then Action

(47)

ASM Thesis

ASM Thesis: The concept of abstract state machine provides a universal computation model with the ability to simulate arbitrary algorithms on their natural levels of abstraction. (Yuri Gurevich)

[Figure: classification of ASMs. Basic model: deterministic ASM / sequential ASM; parallel ASM (synchronous computations); real-time ASM; distributed ASM (asynchronous computations).]

(48)

Sequential ASM Thesis

- The model of sequential ASMs is universal for all sequential algorithms.

- Each sequential algorithm, independent of its abstraction level, can be simulated step by step by a sequential ASM.

To confirm this thesis we need definitions for sequential algorithms and for sequential ASMs: postulates for sequentiality.

(49)

Sequentiality Postulates

- Sequential time: computations are linearly arranged.

- Abstract states: each kind of static mathematical reality can be represented by a structure of first-order logic (Tarski).

- Bounded exploration: each computation step depends only on a finite amount of state information, bounded by a bound that depends only on the algorithm.

Y. Gurevich: Sequential Abstract State Machines Capture Sequential Algorithms. ACM Transactions on Computational Logic 1, 2000, 77–111.

(50)

The postulates in detail: Sequential time

Let A be a sequential algorithm. To A belong:

- a set S(A) of states of A;

- a subset I(A) of S(A) whose elements are called the initial states of A;

- a mapping τ_A: S(A) → S(A), the one-step function of A.

A run (or computation) of A is a finite or infinite sequence of states of A

  X0, X1, X2, ...

in which X0 is an initial state and τ_A(Xi) = X_{i+1} holds for each i.

Logical time, not physical time.

(51)

Equivalence of Algorithms

Definition 3.1 (Equivalent algorithms). The sequential algorithms A and B are equivalent if S(A) = S(B), I(A) = I(B) and τ_A = τ_B.

In particular, equivalent algorithms have the "same" runs.

What are the right conditions on sets of states?

(52)

Abstract States

Let A be a sequential algorithm:

- States of A are first-order structures.

- All states of A have the same vocabulary (signature).

- The one-step function does not change the base set (universe) B(X) of a state.

- S(A) and I(A) are closed under isomorphisms, and each isomorphism from state X to state Y is also an isomorphism from τ_A(X) to τ_A(Y).

(53)

Exercises

States: signatures, interpretations, universe, terms, ground terms, value, ...

Signatures (vocabularies): function and relation names with arity (n ≥ 0). Assumption: true, false, undef (constants), Boole (monadic) and = are contained in every signature.

The interpretation of true is different from the ones of false and undef. Relations are considered as functions with values true, false in the interpretations.

Monadic relations are seen as subsets of the base set of the interpretations.

Let Val(t, X) be the value in state X of a ground term t over the vocabulary.

Functions are divided into dynamic and static, according to whether or not they can change when a state transition occurs.

Exercise: model the states of a TM as an abstract state.

Model the states of the standard Euclidean algorithm.

(54)

Bounded exploration

- Unbounded parallelism: consider the following graph-reachability algorithm that iterates the following step (it is assumed that at the beginning only one node satisfies the unary relation R):

    do for all x, y with Edge(x, y) ∧ R(x) ∧ ¬R(y)
        R(y) := true

  In each computation step an unbounded number of local changes is made to a global state.

- Unbounded step information: test for isolated nodes in a graph:

    if ∀x ∃y Edge(x, y) then Output := false else Output := true

  In one step only boundedly many local changes are made, though an unbounded part of the state is examined in one step.

How can these properties be formalized? Atomic actions.

(55)

Update Sets

Consider the structure X (state) as a memory:

If f is a function name of arity j and a is a j-tuple of base elements of X, then the pair (f, a) is called a location and Content_X(f, a) is the value of the interpretation of f for a in X.

If (f, a) is a location of X and b an element of X, then (f, a, b) is called an update of X at location (f, a) with value b. The update is trivial when b = Content_X(f, a).

To make (fire) an update, the actual content of the location is replaced by b.

A set of updates of X is consistent when the set contains no pair of updates with the same location and different values.

A set ∆ of updates is executed by making all updates in the set simultaneously (in case the set is consistent; otherwise nothing is done). The result is denoted by X + ∆.

(56)

Update sets of algorithms, Reachable elements

Lemma 3.2. If X, Y are structures over the same signature and with the same base set, then there is a unique consistent set ∆ of non-trivial updates of X with Y = X + ∆. Let Y − X ≔ ∆.

Definition 3.3. Let X be a state of algorithm A. By definition, X and τ_A(X) have the same signature and base set. Set

  ∆(A, X) ≔ τ_A(X) − X,  i.e. τ_A(X) = X + ∆(A, X).

How can we refer to the elements of the base set in the description of the algorithm at all? Using the ground terms of the signature.

Definition 3.4 (Reachable element). An element a of a structure X is reachable when a = Val(t, X) for a ground term t in the vocabulary of X. A location (f, a) of X is reachable when each element of the tuple a is reachable.

An update (f, a, b) of X is reachable when (f, a) and b are reachable.

(57)

Bounded exploration postulate

Two structures X and Y with the same vocabulary Sig coincide on a set T of Sig-terms when Val(t, X) = Val(t, Y) for all t ∈ T. The vocabulary (signature) of an algorithm is the vocabulary of its states.

Let A be a sequential algorithm.

- There exists a finite set T of ground terms in the vocabulary of A such that

    ∆(A, X) = ∆(A, Y)  for all states X, Y of A that coincide on T.

Intuition: algorithm A examines only the part of a state that is reachable with the set of terms T. If two states coincide on this term set, then the update sets of the algorithm for both states should be the same.

The set T is a bounded-exploration witness for A.

(58)

Example

Example 3.5. Consider algorithm A:

  if P(f) then f := S(f)

States: interpretations with base set N, P a subset of the natural numbers, S the successor function and f a constant.

Evidently A fulfills the postulates of sequential time and abstract states.

One could believe that T0 = {f, P(f), S(f)} is a bounded-exploration witness for A.

(59)

Example: Continued

Let X be the canonical state of A with f = 0 and P(0) holding.

Set a ≔ Val(true, X) and b ≔ Val(false, X), so that Val(P(0), X) = Val(true, X) = a.

Let Y be the state obtained from X by reinterpreting true as b and false as a, i.e. Val(true, Y) = b and Val(false, Y) = a.

The values of f and P(0) are left unchanged: Val(P(0), Y) = a, thus P(0) does not hold in Y.

Consequently X, Y coincide on T0, but ∆(A, X) ≠ ∅ = ∆(A, Y).

The set T = T0 ∪ {true} is a bounded-exploration witness for A.

(60)

Sequential algorithms

Definition 3.6 (Sequential algorithm). A sequential algorithm is an object A which fulfills the three postulates.

In particular, A has a vocabulary and a bounded-exploration witness T. Without loss of generality (w.l.o.g.) T is subterm-closed and contains true, false, undef. The terms of T are called critical and their interpretations in a state X are called critical values in X.

Lemma 3.7. If (f, a1, ..., aj, a0) is an update in ∆(A, X), then all the elements a0, a1, ..., aj are critical values in X.

Proof: exercise (proof by contradiction).

The set of critical terms does not depend on X, thus there is a fixed upper bound for the size of ∆(A, X), and A changes a bounded number of locations in every step. Each of the updates in ∆(A, X) is an atomic action of A, i.e. ∆(A, X) is a bounded set of atomic actions of A.

(61)

Sequential ASM-programs: Rules

Definition 3.8 (Update rule). An update rule over the signature Sig has the form

  f(t1, ..., tj) := t0

in which f is a function name and the ti are (ground) terms over Sig. To fire the rule in the Sig-structure X, compute the values ai = Val(ti, X) and execute the update ((f, a1, ..., aj), a0) on X.

Parallel update rule over Sig: let Ri be update rules over Sig; then

  par
    R1
    R2
    ...
    Rk
  endpar

(a block; when empty: skip) fires by simultaneously firing all Ri.

(62)

Sequential ASM-programs

Definition 3.9 (Semantics of update rules). If R is an update rule f(t1, ..., tj) := t0 and ai = Val(ti, X), then set

  ∆(R, X) ≔ {(f, (a1, ..., aj), a0)}.

If R is a par-update rule with components R1, ..., Rk, then set

  ∆(R, X) ≔ ∆(R1, X) ∪ ··· ∪ ∆(Rk, X).

Consequence 3.10. In particular, for each state X of a sequential algorithm A there exists a rule R_X that uses only critical terms with

  ∆(R_X, X) = ∆(A, X).

Notice: if X, Y coincide on the critical terms, then ∆(R_X, Y) = ∆(A, Y) holds. If X, Y are states and ∆(R_X, Z) = ∆(A, Z) for a state Z that is isomorphic to Y, then ∆(R_X, Y) = ∆(A, Y) also holds.

Consider the equivalence relation E_X(t1, t2) :⇔ Val(t1, X) = Val(t2, X) on T.

X, Y are T-similar when E_X = E_Y. Then ∆(R_X, Y) = ∆(A, Y). Exercise.

(63)

Sequential ASM-programs

Definition 3.11 (Conditional rules). Let ϕ be a boolean term over Sig (i.e. built from ground equations with not, and, or) and R1, R2 rules over Sig; then

  if ϕ then R1 else R2 endif

is a conditional rule.

Semantics: to fire the rule in state X, evaluate ϕ in X. If the result is true, then ∆(R, X) = ∆(R1, X), otherwise ∆(R, X) = ∆(R2, X).

Definition 3.12 (Sequential ASM program). A sequential ASM program Π over the signature Sig is a rule over Sig. Accordingly ∆(Π, X) is well defined for each Sig-structure X. Let τ_Π(X) ≔ X + ∆(Π, X).

(64)

Sequential ASM-machines

Lemma 3.13 (Basic result). For each sequential algorithm A over Sig there is a sequential ASM program Π over Sig with ∆(Π, X) = ∆(A, X) for all states X of A.

Definition 3.14 (Sequential abstract state machine (seq-ASM)). A seq-ASM B over the signature Σ is given by:

- a sequential ASM program Π over Σ;

- a set S(B) of interpretations of Σ that is closed under isomorphisms and under the mapping τ_Π;

- a subset I(B) ⊂ S(B) that is closed under isomorphisms.

Theorem 3.15. For each sequential algorithm A there is an equivalent sequential ASM.

(65)

Example

Example 3.16. Maximal interval sum [Gries 1990]. Let A be a function {0, 1, ..., n−1} → R and i, j, k ∈ {0, 1, ..., n}.

For i ≤ j: S(i, j) ≔ Σ_{i ≤ k < j} A(k). In particular S(i, i) = 0.

Problem: compute S ≔ max_{i ≤ j} S(i, j).

Define y(k) ≔ max_{i ≤ j ≤ k} S(i, j). Then y(0) = 0, y(n) = S and

  y(k+1) = max{ max_{i ≤ j ≤ k} S(i, j), max_{i ≤ k+1} S(i, k+1) } = max{ y(k), x(k+1) }

where x(k) ≔ max_{i ≤ k} S(i, k), thus x(0) = 0 and

  x(k+1) = max{ max_{i ≤ k} S(i, k+1), S(k+1, k+1) }
         = max{ max_{i ≤ k} (S(i, k) + A(k)), 0 }
         = max{ (max_{i ≤ k} S(i, k)) + A(k), 0 }
         = max{ x(k) + A(k), 0 }

(66)

Continuation of the example

Since y(k) ≥ 0, we have

  y(k+1) = max{ y(k), x(k+1) } = max{ y(k), x(k) + A(k) }

Assumption: the 0-ary dynamic functions k, x, y are 0 in the initial state. The required algorithm is then

  if k ≠ n then
    par
      x := max{ x + A(k), 0 }
      y := max{ y, x + A(k) }
      k := k + 1
    endpar
  else
    S := y

Exercise 3.17 (Simulation). Define an ASM that implements Markov's normal algorithms, e.g. for ab → A, ba → B, c → C.
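The update-set definitions (locations, consistency, X + ∆ and Y − X from Lemma 3.2), the rule semantics of Definitions 3.8 to 3.11 and the interval-sum program above fit in one small interpreter. The following Python is an added example, not the lecture's code: terms are nested tuples, a state is a map from locations (f, (a1, ..., aj)) to values with undef modelled as None, and `delta` computes ∆(R, X) for update, par and if rules. `fire` implements X + U and leaves the state unchanged for an inconsistent set, as the slide prescribes, `diff` is Y − X, and `run` iterates τ_Π until every update in the set is trivial. The static functions +, max, = and ≠ are interpreted by Python operators, and the input array A is stored as locations the program never writes (my modelling choice; on the slide A is a static function).

```python
from typing import Any, Callable, Dict, Set, Tuple

UNDEF = None                                   # interpretation of undef
Location = Tuple[str, Tuple[Any, ...]]         # (f, (a1, ..., aj))
State = Dict[Location, Any]                    # dynamic part of a state X
Update = Tuple[Location, Any]                  # ((f, a), b)

# Static functions: the same interpretation in every state.
STATIC: Dict[str, Callable[..., Any]] = {
    '+': lambda a, b: a + b, 'max': lambda a, b: max(a, b),
    '=': lambda a, b: a == b, '!=': lambda a, b: a != b,
    'not': lambda a: not a, 'and': lambda a, b: a and b,
}

def val(t: Any, X: State) -> Any:
    """Val(t, X). Terms: literals (int/bool/None), names of 0-ary dynamic
    functions (str), applications ('f', t1, ..., tn)."""
    if isinstance(t, str):
        return X.get((t, ()), UNDEF)
    if not isinstance(t, tuple):
        return t
    f, *args = t
    a = tuple(val(s, X) for s in args)
    return STATIC[f](*a) if f in STATIC else X.get((f, a), UNDEF)

def delta(R: tuple, X: State) -> Set[Update]:
    """∆(R, X) for rules ('skip',), ('update', lhs, rhs), ('par', R1, ..., Rk)
    and ('if', phi, R1, R2), following Definitions 3.9 and 3.11."""
    kind = R[0]
    if kind == 'skip':
        return set()
    if kind == 'update':                       # f(t1, ..., tj) := t0
        _, lhs, rhs = R
        f, args = (lhs, ()) if isinstance(lhs, str) else (lhs[0], lhs[1:])
        loc = (f, tuple(val(s, X) for s in args))
        return {(loc, val(rhs, X))}
    if kind == 'par':                          # union of the components' update sets
        return set().union(*(delta(Ri, X) for Ri in R[1:]))
    if kind == 'if':                           # evaluate phi in X, pick a branch
        _, phi, R1, R2 = R
        return delta(R1, X) if val(phi, X) is True else delta(R2, X)
    raise ValueError(f"unknown rule {kind}")

def consistent(U: Set[Update]) -> bool:
    """No two updates of the same location with different values."""
    seen: Dict[Location, Any] = {}
    for loc, v in U:
        if loc in seen and seen[loc] != v:
            return False
        seen[loc] = v
    return True

def fire(X: State, U: Set[Update]) -> State:
    """X + U: all updates simultaneously; an inconsistent set changes nothing."""
    Y = dict(X)
    if consistent(U):
        Y.update(dict(U))
    return Y

def diff(X: State, Y: State) -> Set[Update]:
    """Y − X (Lemma 3.2): the non-trivial updates with fire(X, Y − X) == Y."""
    return {(loc, v) for loc, v in Y.items() if X.get(loc, UNDEF) != v}

def run(Pi: tuple, X: State, max_steps: int = 100_000) -> State:
    """Iterate X_{i+1} = X_i + ∆(Π, X_i) until every update is trivial."""
    for _ in range(max_steps):
        U = delta(Pi, X)
        if all(X.get(loc, UNDEF) == v for loc, v in U):
            return X
        X = fire(X, U)
    raise RuntimeError("machine did not stabilise")

def max_interval_sum(A: list) -> Any:
    """The ASM of Example 3.16; returns the final value of S."""
    n = len(A)
    Pi = ('if', ('!=', 'k', n),
          ('par', ('update', 'x', ('max', ('+', 'x', ('A', 'k')), 0)),
                  ('update', 'y', ('max', 'y', ('+', 'x', ('A', 'k')))),
                  ('update', 'k', ('+', 'k', 1))),
          ('update', 'S', 'y'))
    X0: State = {('k', ()): 0, ('x', ()): 0, ('y', ()): 0}     # k, x, y are 0 initially
    X0.update({('A', (i,)): a for i, a in enumerate(A)})       # A(i), never updated
    return run(Pi, X0)[('S', ())]

if __name__ == "__main__":
    print(max_interval_sum([3, -4, 5, -1, 2]))                 # 6
```

Note that the par block reads x before any of its three updates is applied, which is exactly why y := max{y, x + A(k)} may use the old x on the slide; a sequential reading of the same three assignments would compute a different y.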

(67)

Detailed definition of ASMs

Part 1: Abstract states and update sets
Part 2: Mathematical logic
Part 3: Transition rules and runs of ASMs
Part 4: The reserve of ASMs

Copyright © 2002 Robert F. Stärk, Computer Science Department, ETH Zürich, Switzerland.

(68)

Part 1: Abstract states and update sets

(69)

Signatures

Definition. A signature Σ is a finite collection of function names.

Each function name f has an arity, a non-negative integer.

Nullary function names are called constants.

Function names can be static or dynamic.

Every ASM signature contains the static constants undef, true, false.

Signatures are also called vocabularies.

(70)

Classification of functions

[Figure: classification tree. function/relation/location → basic or derived; basic → static or dynamic; dynamic → controlled, in (monitored), shared (interaction), out.]

(71)

States

Definition. A state A for the signature Σ is a non-empty set X, the superuniverse of A, together with an interpretation f_A of each function name f of Σ.

If f is an n-ary function name of Σ, then f_A: X^n → X. If c is a constant of Σ, then c_A ∈ X.

The superuniverse X of the state A is denoted by |A|.

The superuniverse is also called the base set of the state.

The elements of a state are the elements of the superuniverse.

(72)

States (continued)

The interpretations of undef, true, false are pairwise different.

The constant undef represents an undetermined object.

The domain of an n-ary function name f in A is the set of all n-tuples (a_1, …, a_n) ∈ |A|^n such that f^A(a_1, …, a_n) ≠ undef^A.

A relation is a function that has the values true, false or undef. We write a ∈ R as an abbreviation for R(a) = true.

The superuniverse can be divided into subuniverses represented by unary relations.

Locations

Definition. A location of A is a pair (f, (a_1, …, a_n)) where f is an n-ary function name and a_1, …, a_n are elements of A.

The value f^A(a_1, …, a_n) is the content of the location in A. The elements of the location are the elements of the set {a_1, …, a_n}.

We write A(l) for the content of the location l in A.

Notation. If l = (f, (a_1, …, a_n)) is a location of A and α is a function defined on |A|, then α(l) = (f, (α(a_1), …, α(a_n))).

Updates and update sets

Definition. An update for A is a pair (l, v), where l is a location of A and v is an element of A.

The update is trivial, if v = A(l). An update set is a set of updates.

Definition. An update set U is consistent, if it has no clashing updates, i.e., if for any location l and all elements v, w,

if (l, v) ∈ U and (l, w) ∈ U, then v = w.

Firing of updates

Definition. The result of firing a consistent update set U in a state A is a new state A + U with the same superuniverse as A such that for every location l of A:

$$(A + U)(l) = \begin{cases} v, & \text{if } (l, v) \in U; \\ A(l), & \text{if there is no } v \text{ with } (l, v) \in U. \end{cases}$$

The state A + U is called the sequel of A with respect to U.

Homomorphisms and isomorphisms

Let A and B be two states over the same signature.

Definition. A homomorphism from A to B is a function α from |A| into |B| such that α(A(l)) = B(α(l)) for each location l of A.

Definition. An isomorphism from A to B is a homomorphism from A to B which is a one-to-one function from |A| onto |B|.

Lemma (Isomorphism). Let α be an isomorphism from A to B. If U is a consistent update set for A, then α(U) is a consistent update set for B and α is an isomorphism from A + U to B + α(U).

Composition of update sets

U ⊕ V = V ∪ {(l, v) ∈ U | there is no w with (l, w) ∈ V}

The composition is not commutative: on a location written by both, the update from V wins.

Lemma. Let U, V, W be update sets.

(U ⊕ V) ⊕ W = U ⊕ (V ⊕ W)

If U and V are consistent, then U ⊕ V is consistent.

If U and V are consistent, then A + (U ⊕ V) = (A + U) + V.
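As an added example (not part of Stärk's slides or of the lecture notes), the definitions of Part 1 in Python: update sets as sets of (location, value) pairs, the consistency check, firing A + U and the composition U ⊕ V, with the three clauses of the lemma checked on a constructed state A0 and constructed update sets U, V, W. A clashing update set is the ASM counterpart of two parallel writers disagreeing on one location; refusing to fire it is what keeps the sequel well defined. The names `loc`, `fire`, `compose`, `clashes`, `trivial_updates` and the data are assumptions of this example.

```python
# Added example, not from the notes: update sets as sets of (location, value)
# pairs, the consistency check, firing A + U, and the composition U ⊕ V, with
# the lemma checked on constructed states and update sets. A state is a dict
# from locations to contents; a location absent from the dict holds undef.

def loc(f, *args):
    """A location (f, (a1, ..., an)); args are the elements of the location."""
    return (f, tuple(args))


def is_consistent(U):
    """No two updates of the same location with different values."""
    seen = {}
    for l, v in U:
        if l in seen and seen[l] != v:
            return False
        seen[l] = v
    return True


def clashes(U):
    """The locations that carry two different values in U (for diagnostics)."""
    vals = {}
    for l, v in U:
        vals.setdefault(l, set()).add(v)
    return {l for l, vs in vals.items() if len(vs) > 1}


def fire(A, U):
    """The sequel A + U; an inconsistent update set has no sequel."""
    if not is_consistent(U):
        raise ValueError("clashing updates at %r" % (clashes(U),))
    B = dict(A)                      # same superuniverse, copied contents
    for l, v in U:
        B[l] = v
    return B


def compose(U, V):
    """U ⊕ V = V ∪ {(l,v) ∈ U | there is no w with (l,w) ∈ V}."""
    written_by_V = {l for l, _ in V}
    return frozenset(V) | frozenset((l, v) for l, v in U if l not in written_by_V)


def trivial_updates(A, U):
    """Updates (l, v) with v = A(l); firing them changes nothing."""
    return frozenset((l, v) for l, v in U if A.get(l) == v)


# Constructed state: a unary dynamic function `mode` on the elements 0..2 and
# a 0-ary dynamic function `count`.
A0 = {loc("mode", 0): "idle", loc("mode", 1): "idle", loc("mode", 2): "busy",
      loc("count"): 0}

# Constructed update sets.
U = frozenset({(loc("mode", 0), "busy"), (loc("count"), 1)})
V = frozenset({(loc("mode", 0), "idle"), (loc("mode", 1), "busy")})
W = frozenset({(loc("count"), 2), (loc("mode", 2), "idle")})
CLASH = frozenset({(loc("count"), 1), (loc("count"), 2)})   # one location, two values


def check_lemma():
    """(U ⊕ V) ⊕ W = U ⊕ (V ⊕ W), U ⊕ V consistent, A + (U ⊕ V) = (A + U) + V."""
    assoc = compose(compose(U, V), W) == compose(U, compose(V, W))
    cons = is_consistent(compose(U, V))
    seq = fire(A0, compose(U, V)) == fire(fire(A0, U), V)
    return assoc and cons and seq


if __name__ == "__main__":
    print(sorted(compose(U, V)), check_lemma(), clashes(CLASH))
```

In U ⊕ V the update of mode(0) from U disappears, because V writes the same location; that is also why firing U and then V gives the same state as firing U ⊕ V once.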

Part 2

Mathematical Logic


Terms

LetΣbe a signature.

Definition. The terms of Σ are syntactic expressions generated as follows:

Variables x, y, z, … are terms.

Constants c of Σ are terms.

If f is an n-ary function name of Σ, n > 0, and t_1, …, t_n are terms, then f(t_1, …, t_n) is a term.

A term which does not contain variables is called a ground term.

A term is called static, if it contains static function names only.

By t^s_x we denote the result of replacing the variable x in term t everywhere by the term s (substitution of s for x in t).

Variable assignments

Let A be a state.

Definition. A variable assignment for A is a finite function ζ which assigns elements of |A| to a finite number of variables.

We write ζ[x → a] for the variable assignment which coincides with ζ except that it assigns the element a to the variable x:

$$\zeta[x \to a](y) = \begin{cases} a, & \text{if } y = x; \\ \zeta(y), & \text{otherwise.} \end{cases}$$

Variable assignments are also called environments.

Evaluation of terms

Definition. Let A be a state of Σ. Let ζ be a variable assignment for A.

Let t be a term of Σ such that all variables of t are defined in ζ.

The value [[t]]^A_ζ is defined as follows:

$$\begin{aligned}
[[x]]^A_\zeta &= \zeta(x) \\
[[c]]^A_\zeta &= c^A \\
[[f(t_1, \ldots, t_n)]]^A_\zeta &= f^A([[t_1]]^A_\zeta, \ldots, [[t_n]]^A_\zeta)
\end{aligned}$$

Evaluation of terms (continued)

Lemma (Coincidence). If ζ and η are two variable assignments for t such that ζ(x) = η(x) for all variables x of t, then [[t]]^A_ζ = [[t]]^A_η.

Lemma (Homomorphism). If α is a homomorphism from A to B, then α([[t]]^A_ζ) = [[t]]^B_{α∘ζ} for each term t.

Lemma (Substitution). Let a = [[s]]^A_ζ. Then [[t^s_x]]^A_ζ = [[t]]^A_{ζ[x→a]}.

Formulas

LetΣbe a signature.

Definition. The formulas of Σ are generated as follows:

If s and t are terms of Σ, then s = t is a formula.

If ϕ is a formula, then ¬ϕ is a formula.

If ϕ and ψ are formulas, then (ϕ ∧ ψ), (ϕ ∨ ψ) and (ϕ → ψ) are formulas.

If ϕ is a formula and x a variable, then (∀x ϕ) and (∃x ϕ) are formulas.

A formula s = t is called an equation.

The expression s ≠ t is an abbreviation for ¬(s = t).

Formulas (continued)

symbol   name                         meaning
¬        negation                     not
∧        conjunction                  and
∨        disjunction                  or (inclusive)
→        implication                  if-then
∀        universal quantification     for all
∃        existential quantification   there is

Formulas (continued)

ϕ ∧ ψ ∧ χ stands for ((ϕ ∧ ψ) ∧ χ), ϕ ∨ ψ ∨ χ stands for ((ϕ ∨ ψ) ∨ χ), ϕ ∧ ψ → χ stands for ((ϕ ∧ ψ) → χ), etc.

The variable x is bound by the quantifier ∀ (∃) in ∀x ϕ (∃x ϕ).

The scope of x in ∀x ϕ (∃x ϕ) is the formula ϕ.

A variable x occurs free in a formula, if it is not in the scope of a quantifier ∀x or ∃x.

By ϕ^t_x we denote the result of replacing all free occurrences of the variable x in ϕ by the term t. (Bound variables are renamed.)

Semantics of formulas

$$[[s = t]]^A_\zeta = \begin{cases} \text{true}, & \text{if } [[s]]^A_\zeta = [[t]]^A_\zeta; \\ \text{false}, & \text{otherwise.} \end{cases}$$

$$[[\neg\varphi]]^A_\zeta = \begin{cases} \text{true}, & \text{if } [[\varphi]]^A_\zeta = \text{false}; \\ \text{false}, & \text{otherwise.} \end{cases}$$

$$[[\varphi \wedge \psi]]^A_\zeta = \begin{cases} \text{true}, & \text{if } [[\varphi]]^A_\zeta = \text{true and } [[\psi]]^A_\zeta = \text{true}; \\ \text{false}, & \text{otherwise.} \end{cases}$$

$$[[\varphi \vee \psi]]^A_\zeta = \begin{cases} \text{true}, & \text{if } [[\varphi]]^A_\zeta = \text{true or } [[\psi]]^A_\zeta = \text{true}; \\ \text{false}, & \text{otherwise.} \end{cases}$$

$$[[\varphi \to \psi]]^A_\zeta = \begin{cases} \text{true}, & \text{if } [[\varphi]]^A_\zeta = \text{false or } [[\psi]]^A_\zeta = \text{true}; \\ \text{false}, & \text{otherwise.} \end{cases}$$

$$[[\forall x\, \varphi]]^A_\zeta = \begin{cases} \text{true}, & \text{if } [[\varphi]]^A_{\zeta[x \to a]} = \text{true for every } a \in |A|; \\ \text{false}, & \text{otherwise.} \end{cases}$$

$$[[\exists x\, \varphi]]^A_\zeta = \begin{cases} \text{true}, & \text{if there exists an } a \in |A| \text{ with } [[\varphi]]^A_{\zeta[x \to a]} = \text{true}; \\ \text{false}, & \text{otherwise.} \end{cases}$$

Coincidence, Substitution, Isomorphism

Lemma (Coincidence). If ζ and η are two variable assignments for ϕ such that ζ(x) = η(x) for all free variables x of ϕ, then [[ϕ]]^A_ζ = [[ϕ]]^A_η.

Lemma (Substitution). Let t be a term and a = [[t]]^A_ζ. Then [[ϕ^t_x]]^A_ζ = [[ϕ]]^A_{ζ[x→a]}.

Lemma (Isomorphism). Let α be an isomorphism from A to B. Then [[ϕ]]^A_ζ = [[ϕ]]^B_{α∘ζ}.

Models

Definition. A state A is a model of ϕ (written A ⊨ ϕ), if [[ϕ]]^A_ζ = true for all variable assignments ζ for ϕ.
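As an added example (not code from the lecture notes), the term and formula semantics of Part 2 as a Python evaluator over one concrete finite state, together with A ⊨ ϕ (all assignments of the free variables) and a check of the substitution lemma. Terms are variable names or tuples (f, (t_1, …, t_n)), formulas are tagged tuples and ζ is a dict. The state (superuniverse {0, 1, 2, 3, undef} with functions zero, succ, undef) and the formulas are constructed here; Python `None` stands for undef and formulas evaluate to Python booleans rather than to the elements true/false, a simplification of this example.

```python
# Added example, not from the lecture notes: an evaluator for the terms and
# formulas defined above over one constructed finite state, plus A ⊨ ϕ and a
# check of the substitution lemma. Python None stands for undef; formulas
# evaluate to Python booleans (simplification of the elements true/false).
from itertools import product

UNDEF = None


class State:
    def __init__(self, universe, funcs):
        self.universe = list(universe)       # |A|
        self.funcs = funcs                   # f -> f^A as a Python callable

    def content(self, f, args):
        """A(l) for the location l = (f, args)."""
        return self.funcs[f](*args)


def eval_term(t, A, zeta):
    """[[t]]^A_ζ"""
    if isinstance(t, str):                   # a variable
        return zeta[t]
    f, args = t
    return A.content(f, tuple(eval_term(a, A, zeta) for a in args))


def eval_formula(phi, A, zeta):
    """[[ϕ]]^A_ζ; quantifiers range over the whole superuniverse |A|."""
    tag = phi[0]
    if tag == "=":
        return eval_term(phi[1], A, zeta) == eval_term(phi[2], A, zeta)
    if tag == "not":
        return not eval_formula(phi[1], A, zeta)
    if tag == "and":
        return eval_formula(phi[1], A, zeta) and eval_formula(phi[2], A, zeta)
    if tag == "or":
        return eval_formula(phi[1], A, zeta) or eval_formula(phi[2], A, zeta)
    if tag == "imp":
        return (not eval_formula(phi[1], A, zeta)) or eval_formula(phi[2], A, zeta)
    if tag in ("forall", "exists"):
        x, body = phi[1], phi[2]
        results = [eval_formula(body, A, {**zeta, x: a}) for a in A.universe]  # ζ[x → a]
        return all(results) if tag == "forall" else any(results)
    raise ValueError("unknown connective %r" % (tag,))


def term_vars(t):
    return {t} if isinstance(t, str) else set().union(*(term_vars(a) for a in t[1]))


def free_vars(phi):
    tag = phi[0]
    if tag == "=":
        return term_vars(phi[1]) | term_vars(phi[2])
    if tag == "not":
        return free_vars(phi[1])
    if tag in ("and", "or", "imp"):
        return free_vars(phi[1]) | free_vars(phi[2])
    return free_vars(phi[2]) - {phi[1]}      # ∀x / ∃x bind x


def is_model(A, phi):
    """A ⊨ ϕ: [[ϕ]] is true under every assignment of the free variables of ϕ."""
    xs = sorted(free_vars(phi))
    return all(eval_formula(phi, A, dict(zip(xs, vals)))
               for vals in product(A.universe, repeat=len(xs)))


def subst_term(t, x, s):
    """t^s_x: replace the variable x in t everywhere by the term s."""
    if isinstance(t, str):
        return s if t == x else t
    return (t[0], tuple(subst_term(a, x, s) for a in t[1]))


def substitution_lemma_holds(t, x, s, A, zeta):
    """[[t^s_x]]_ζ = [[t]]_ζ[x→a] with a = [[s]]_ζ."""
    a = eval_term(s, A, zeta)
    return eval_term(subst_term(t, x, s), A, zeta) == eval_term(t, A, {**zeta, x: a})


# Constructed state: |A| = {0, 1, 2, 3, undef}; 3 has no successor.
A = State([0, 1, 2, 3, UNDEF], {
    "zero": lambda: 0,
    "undef": lambda: UNDEF,
    "succ": lambda a: a + 1 if a is not None and a < 3 else UNDEF,
})

ZERO, UNDEF_T = ("zero", ()), ("undef", ())
def succ(t): return ("succ", (t,))
def neq(s, t): return ("not", ("=", s, t))            # s ≠ t

# ∀x ∃y (succ(x) = y ∧ y ≠ undef): false, since succ(3) = undef
EVERY_HAS_SUCC = ("forall", "x", ("exists", "y", ("and", ("=", succ("x"), "y"), neq("y", UNDEF_T))))
# ∀x (succ(x) ≠ undef → ∃y (succ(x) = y ∧ y ≠ undef)): true
SUCC_TOTAL_ON_DOMAIN = ("forall", "x", ("imp", neq(succ("x"), UNDEF_T),
                                          ("exists", "y", ("and", ("=", succ("x"), "y"), neq("y", UNDEF_T)))))
# succ(x) = succ(succ(zero)): x is free; it holds only for x = 1, so A ⊭ it
ONE_FREE_VAR = ("=", succ("x"), succ(succ(ZERO)))
```

`is_model` enumerates |A|^n for the n free variables, which is only feasible because the constructed superuniverse is finite; on the page's definition the same quantification is implicit in "for all variable assignments ζ for ϕ".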

Part 3

Transition rules and runs of ASMs


Transition rules

Skip Rule: skip
Meaning: Do nothing.

Update Rule: f(s_1, …, s_n) := t
Meaning: Update the value of f at (s_1, …, s_n) to t.

Block Rule: P par Q
Meaning: P and Q are executed in parallel.

Conditional Rule: if ϕ then P else Q
Meaning: If ϕ is true, then execute P, otherwise execute Q.

Let Rule: let x = t in P
Meaning: Assign the value of t to x and then execute P.

Transition rules (continued)

Forall Rule: forall x with ϕ do P
Meaning: Execute P in parallel for each x satisfying ϕ.

Choose Rule: choose x with ϕ do P
Meaning: Choose an x satisfying ϕ and then execute P.

Sequence Rule: P seq Q
Meaning: P and Q are executed sequentially, first P and then Q.

Call Rule: r(t_1, …, t_n)
Meaning: Call transition rule r with parameters t_1, …, t_n.

Variations of the syntax

The notation on the left is an alternative spelling of the rule on the right.

if ϕ then P else Q endif              if ϕ then P else Q

do in-parallel P_1 … P_n enddo        P_1 par … par P_n

{P_1, …, P_n}                         P_1 par … par P_n

Variations of the syntax (continued)

do forall x : ϕ  P enddo              forall x with ϕ do P

choose x : ϕ  P endchoose             choose x with ϕ do P

step P step Q                         P seq Q

Example

Example 3.18. Sorting of linear data structures in-place, one swap at a time.

Let a : Index → Value.

choose x, y ∈ Index : x < y ∧ a(x) > a(y)
    do in-parallel
        a(x) := a(y)
        a(y) := a(x)

Both assignments are evaluated in the current state, so the block swaps a(x) and a(y) without a temporary variable.

Two kinds of non-determinism:

"Don't-care" non-determinism: random choice
    choose x ∈ {x_1, x_2, …, x_n} with ϕ(x) do R(x)

"Don't-know" indeterminism: externally controlled actions and events (e.g. input actions)
    monitored f : X → Y
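As an added example (not code from the lecture notes), a small Python interpreter for the transition rules listed above (skip, update, par, if, let, forall, choose, seq) that maps a rule and a state to an update set, applied to the sorting machine of Example 3.18. A rule is a function (state, env) → update set; guards, argument tuples and right-hand sides are Python callables of (state, env), so no term language is needed here. The don't-care choice of `choose` is made explicit through a `pick` parameter (smallest or largest inversion), and a par block that assigns two different values to the same location is rejected when fired, as the consistency condition demands. All names and the arrays are assumptions of this example.

```python
# Added example, not from the lecture notes: a small interpreter for the
# transition rules listed above. A rule is a Python function (state, env) ->
# update set; states map locations (f, args) to contents. The array of
# Example 3.18 is constructed below.

def fire(A, U):
    """A + U. A clashing update set (two values for one location) has no sequel."""
    new, seen = dict(A), {}
    for l, v in U:
        if seen.setdefault(l, v) != v:
            raise ValueError("clashing updates at %r" % (l,))
        new[l] = v
    return new

def compose(U, V):
    """U ⊕ V: V wins on the locations it writes."""
    written = {m for m, _ in V}
    return frozenset(V) | frozenset((l, v) for l, v in U if l not in written)

# --- rule constructors -------------------------------------------------------
def skip():
    return lambda A, env: frozenset()

def update(f, args, rhs):                   # f(args) := rhs
    return lambda A, env: frozenset({((f, args(A, env)), rhs(A, env))})

def par(*rules):                            # P par Q: union of the update sets
    return lambda A, env: frozenset().union(*(R(A, env) for R in rules))

def if_(cond, P, Q=skip()):                 # if ϕ then P else Q
    return lambda A, env: P(A, env) if cond(A, env) else Q(A, env)

def let(x, t, P):                           # let x = t in P
    return lambda A, env: P(A, {**env, x: t(A, env)})

def forall(x, candidates, P):               # forall x with ϕ do P
    return lambda A, env: frozenset().union(*(P(A, {**env, x: a}) for a in candidates(A, env)))

def choose(x, candidates, P, pick=min):     # choose x with ϕ do P; pick resolves the don't-care choice
    def rule(A, env):
        cs = list(candidates(A, env))
        return P(A, {**env, x: pick(cs)}) if cs else frozenset()
    return rule

def seq(P, Q):                              # P seq Q: Q is evaluated in A + U_P
    def rule(A, env):
        U = P(A, env)
        return compose(U, Q(fire(A, U), env))
    return rule

# --- Example 3.18: in-place sorting, one swap at a time ----------------------
def initial(values):
    """State with a : Index -> Value, Index = {0, ..., len(values)-1}."""
    return {("a", (i,)): v for i, v in enumerate(values)}

def index_set(A):
    return sorted(i for (f, args) in A if f == "a" for i in args)

def values_of(A):
    return [A[("a", (i,))] for i in index_set(A)]

def a_at(x):                                # the term a(x) for a variable name x
    return lambda A, env: A[("a", (env[x],))]

def inversions(A, env):
    """The pairs (x, y) with x < y ∧ a(x) > a(y) that choose may pick from."""
    idx = index_set(A)
    return [(x, y) for x in idx for y in idx if x < y and A[("a", (x,))] > A[("a", (y,))]]

# both assignments read a(x), a(y) in the old state, so the block swaps them
SWAP = par(update("a", lambda A, env: (env["x"],), a_at("y")),
           update("a", lambda A, env: (env["y"],), a_at("x")))

def sort_step(pick=min):
    return choose("xy", inversions,
                  let("x", lambda A, env: env["xy"][0],
                      let("y", lambda A, env: env["xy"][1], SWAP)), pick=pick)

# forall i with a(i) < 0 do a(i) := 0, written with forall and if
CLAMP = forall("i", lambda A, env: index_set(A),
               if_(lambda A, env: A[("a", (env["i"],))] < 0,
                   update("a", lambda A, env: (env["i"],), lambda A, env: 0)))

def run(values, pick=min):
    """Fire sort_step until it produces no update; returns (values, steps)."""
    step, A, steps = sort_step(pick), initial(values), 0
    while True:
        U = step(A, {})
        if not U:
            return values_of(A), steps
        A, steps = fire(A, U), steps + 1    # each swap removes at least one inversion

def clash_is_rejected():
    """a(0) := 1 par a(0) := 2 is inconsistent: firing it must fail."""
    bad = par(update("a", lambda A, env: (0,), lambda A, env: 1),
              update("a", lambda A, env: (0,), lambda A, env: 2))
    try:
        fire(initial([0]), bad(initial([0]), {}))
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(run([4, 1, 3, 2, 5]), run([4, 1, 3, 2, 5], pick=max), clash_is_rejected())
```

Whatever `pick` chooses, every step swaps an inverted pair and therefore removes at least one inversion, so the run terminates with the array sorted; the two runs differ only in their traces. `seq(CLAMP, sort_step())` shows the sequence rule: the swap is chosen in the clamped state, and the combined update set is U_CLAMP ⊕ U_SWAP.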

Free and bound variables

Definition. An occurrence of a variable x is free in a transition rule, if it is not in the scope of a let x, forall x or choose x.

let x = t in P              scope of x: P (t lies outside the scope)

forall x with ϕ do P        scope of x: ϕ and P

choose x with ϕ do P        scope of x: ϕ and P

Rule declarations

Definition. A rule declaration for a rule name r of arity n is an expression

r(x_1, …, x_n) = P

where P is a transition rule and the free variables of P are contained in the list x_1, …, x_n.

Remark: Recursive rule declarations are allowed.

Abstract State Machines

Definition. An abstract state machine M consists of
    a signature Σ,
    a set of initial states for Σ,
    a set of rule declarations,
    a distinguished rule name of arity zero called the main rule name of the machine.
