Specification and Documentation Techniques: Formal methods.
Discrete Mathematics and Predicate Logic.
CS/SE 3RA3
Ryszard Janicki
Department of Computing and Software, McMaster University, Hamilton, Ontario, Canada
Ryszard Janicki Formal Methods. Discrete Math. and Predicate Logic. 1/30
Last few lectures: Formal Methods
Discrete Mathematics and Predicate Logic

Clean Form of Communication
Every mathematical notation has a precise semantic definition.
New constructs can be added, defined in terms of old constructs.
Math does not need language skills and can be easily understood in an international context.
Tiny Example Problem: Temperature control
"The software should control the temperature of the room. It can read the current temperature from a thermometer. Should the temperature fall below a lower limit, then the heater should be switched on to raise the temperature. Should it rise above an upper limit, then the cooling system should be switched on to lower the temperature."
[...]
"Safety concern: the heater and the cooler should never be switched on at the same time."
Formal Specification: Temperature control
currentTemperature : INTEGER   ← do you remember the concept of type in discrete math?
lowerLimit : INTEGER
upperLimit : INTEGER
coolingSystem : {on, off}
heatingSystem : {on, off}
(coolingSystem = on) ⟹ (heatingSystem = off)
(heatingSystem = on) ⟹ (coolingSystem = off)
(coolingSystem = off ∧ currentTemperature > upperLimit) ⟹ coolingSystem = on
currentTemperature ≤ upperLimit ⟹ coolingSystem = off
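Added here as a worked example, not part of the slides: a Python encoding of the temperature-control predicates above, evaluated exhaustively over a small finite range of integers. Everything beyond the slide's own predicates is an assumption introduced for the example: the reference controller (cool above upperLimit, heat below lowerLimit), the two heating rules that mirror the stated cooling rules, and the domain assumption lowerLimit ≤ upperLimit. Over a finite domain the question "does every state satisfy the specification?" is decidable by brute force, and the check reports exactly the states in which the safety concern fails when the two limits are not ordered, and none once the ordering is assumed.

```python
from itertools import product

ON, OFF = "on", "off"


def implies(p, q):
    """Material implication p ⟹ q."""
    return (not p) or q


def controller(current_temperature, lower_limit, upper_limit):
    """Reference controller (an assumption made here, not given on the slide):
    cool when above the upper limit, heat when below the lower limit."""
    return {
        "currentTemperature": current_temperature,
        "lowerLimit": lower_limit,
        "upperLimit": upper_limit,
        "coolingSystem": ON if current_temperature > upper_limit else OFF,
        "heatingSystem": ON if current_temperature < lower_limit else OFF,
    }


def specification(s):
    """Evaluate each predicate of the specification on one state snapshot.
    The two heating rules mirror the slide's cooling rules (assumption)."""
    t, lo, hi = s["currentTemperature"], s["lowerLimit"], s["upperLimit"]
    c, h = s["coolingSystem"], s["heatingSystem"]
    return {
        "cool_excludes_heat": implies(c == ON, h == OFF),
        "heat_excludes_cool": implies(h == ON, c == OFF),
        "cooling_on": implies(c == OFF and t > hi, c == ON),
        "cooling_off": implies(t <= hi, c == OFF),
        "heating_on": implies(h == OFF and t < lo, h == ON),   # assumed
        "heating_off": implies(t >= lo, h == OFF),             # assumed
    }


def check(temperatures, domain_assumption=lambda lo, hi: True):
    """Enumerate every (temperature, lowerLimit, upperLimit) triple drawn from
    a finite range and return the triples for which some predicate fails.
    A finite domain makes the question decidable by brute force."""
    violations = []
    for t, lo, hi in product(temperatures, repeat=3):
        if not domain_assumption(lo, hi):
            continue
        results = specification(controller(t, lo, hi))
        failed = [name for name, ok in results.items() if not ok]
        if failed:
            violations.append((t, lo, hi, failed))
    return violations


if __name__ == "__main__":
    temps = range(-3, 4)
    bad = check(temps)
    print(f"{len(bad)} violating triples without a domain assumption, e.g. {bad[0]}")
    print("with lowerLimit <= upperLimit:", check(temps, lambda lo, hi: lo <= hi))
```

Every reported violation has upperLimit < currentTemperature < lowerLimit, where the (assumed) controller switches both systems on; the two mutual-exclusion predicates are the ones that fail. The point for a specification is that the safety concern is only guaranteed together with a domain assumption on the limits, which is what the later proof slide calls the DOM axioms.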
Train movement and door problem: from the textbook
measuredSpeed : Reals (or Integers? what precision?)
doorState : {closed, open, closing, opening, almost closed, ...}
TrainSpeed : Reals (or Integers? what precision?)
DoorClosed : {true, false}
TrainMoving : {true, false}, and much more...
Elevator: Some Functional Requirements
Requirement: Pressing a floor number button on the elevator will set the elevator to move in that direction to the indicated floor after the doors close.
Notes:
The hold direction does not need to be included because it is encompassed by the floorsPressed set being empty.
There are two predicates from this requirement.
1. The first is if a button is pressed, and that floor is above where they currently are, doors close, and the elevator begins to move up.
2. The second is parallel to it, but if the floor is below the current floor, then the elevator goes down.
The requirement doesn't state that the elevator had to be moving in that direction originally (if the elevator is going up, in practice, it should only service floors pressed that are above the current floor), so those conditions were not added. Instead, whatever is pressed, it will go to, regardless of previous direction.
Elevator: Some Functional Requirements
Formal Specification: Domain and Notation.
FLOOR : set of all floors served by elevators
ELEVATOR : set of all elevators in the building
elevatorDirection : ELEVATOR → {up, down, hold}
floorsPressed : set(MAX FLOORS)
isPressed : FLOOR → {true, false}
curFloor : → FLOOR
In Requirements Engineering, Predicate Calculus is more often used for describing requirements than for proving the desired properties.
Proving properties in a formal way is usually done for safety critical systems or safety critical parts of systems.
Elevator movement and door problem: An example of a proof
Requirement: "For safety reasons, in any passenger lift, if the lift is moving, not responding to a request, or out of service, then the doors must be closed."
Looking at all three individual components of the LHS, we will show all imply doorClosed.
It will be derived through the axioms listed in SOFREQ, ASM, and DOM, which, when the premises are presumed to be true, will guarantee validity.
Because the theorem can be proven deductively, it is complete.
The validity of the solution indicates that when the elevator is moving, or the emergency button has been pressed, or the elevator does not have a request, it will have its doors closed.
The completeness of the solution deductively shows that these premises must actually be true (and not assumed to be true).
Problem with Predicate Logic
First Order Predicate Logic is undecidable.
In particular, P ⟹ Q is undecidable.
Hence SOFTREQ, ASM, DOM ⊨ SESREQ is undecidable.
This means that a 'push-button' universal automatic theorem prover will never be built!
Propositional logic (i.e. no ∃, ∀) is decidable.
But the expressive power of propositional logic (i.e. only ∨, ∧, ¬, ⟹, ⟺) is rather weak!
Are there other logics that are decidable, but with stronger expressive power?
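Added here as an example, not from the slides: the claim that propositional logic is decidable, made concrete as a truth-table decision procedure for premises ⊨ conclusion, and applied to the lift requirement from the earlier proof slide. The three per-component implications (moving ⟹ doorClosed, noRequest ⟹ doorClosed, outOfService ⟹ doorClosed) are exactly what that slide says the proof establishes; since the SOFREQ, ASM and DOM axioms themselves are not on the slides, the example takes those three implications as its given premises (an assumption). Because the requirement has no quantifiers, the question is settled by enumerating all 2^n valuations of its n atoms, which is the decidability the slide above refers to.

```python
from itertools import product


# Formulas are nested tuples: ("atom", name), ("not", f), ("and", f, g),
# ("or", f, g), ("implies", f, g).
def atom(name):
    return ("atom", name)


def neg(f):
    return ("not", f)


def conj(f, g):
    return ("and", f, g)


def disj(f, g):
    return ("or", f, g)


def implies(f, g):
    return ("implies", f, g)


def atoms_of(f):
    """Set of atom names occurring in a formula."""
    if f[0] == "atom":
        return {f[1]}
    return set().union(*(atoms_of(sub) for sub in f[1:]))


def evaluate(f, valuation):
    """Truth value of f under a valuation (dict: atom name -> bool)."""
    op = f[0]
    if op == "atom":
        return valuation[f[1]]
    if op == "not":
        return not evaluate(f[1], valuation)
    if op == "and":
        return evaluate(f[1], valuation) and evaluate(f[2], valuation)
    if op == "or":
        return evaluate(f[1], valuation) or evaluate(f[2], valuation)
    if op == "implies":
        return (not evaluate(f[1], valuation)) or evaluate(f[2], valuation)
    raise ValueError(f"unknown connective {op!r}")


def entails(premises, conclusion):
    """Decide premises ⊨ conclusion by enumerating all 2^n valuations of the
    n atoms. Returns (True, None) or (False, countermodel); the countermodel
    is a valuation making every premise true and the conclusion false."""
    names = sorted(set().union(*(atoms_of(f) for f in premises + [conclusion])))
    for values in product([False, True], repeat=len(names)):
        v = dict(zip(names, values))
        if all(evaluate(p, v) for p in premises) and not evaluate(conclusion, v):
            return False, v
    return True, None


# The lift requirement, with each natural-language condition as an atom.
moving, no_request, out_of_service, door_closed = (
    atom(n) for n in ("moving", "noRequest", "outOfService", "doorClosed"))
SESREQ = implies(disj(disj(moving, no_request), out_of_service), door_closed)

# The three per-component implications the proof sketch establishes; taken
# here as given premises (assumption), since the SOFREQ/ASM/DOM axioms
# themselves are not on the slide.
LEMMAS = [implies(moving, door_closed),
          implies(no_request, door_closed),
          implies(out_of_service, door_closed)]


def lift_requirement_holds():
    return entails(LEMMAS, SESREQ)


def lift_requirement_without_lemma(index):
    """Drop one lemma to see the decision procedure produce a countermodel."""
    return entails(LEMMAS[:index] + LEMMAS[index + 1:], SESREQ)


if __name__ == "__main__":
    print("all three lemmas:", lift_requirement_holds())
    print("without the outOfService lemma:", lift_requirement_without_lemma(2))
```

With all three lemmas the procedure finds no countermodel, which is the propositional content of the proof on the earlier slide. Dropping the outOfService lemma yields the countermodel outOfService = true, doorClosed = false (all other atoms false): the premises hold but the requirement fails, so the missing case is reported rather than silently assumed. The procedure is exponential in the number of atoms, and it stops working altogether once ∃ or ∀ over an infinite domain enters the formulas, which is the boundary the slide draws.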
Predicate Calculus: Final Comments
After some training, most users do not have much trouble describing system properties with Predicate Calculus; however, proving is another story.
Undecidability of First Order Predicate Calculus makes automatic theorem proving problematic and difficult.
In Requirements Engineering it is mainly used to describe desired properties of crucial and critical parts of systems, and to prove crucial parts of safety critical systems.