maude in a nutshell - universidade federal fluminensecbraga/maude-in-a-nutshell/unb.pdfthis course...

Maude in a Nutshellwith Pecan Pie

Christiano Braga

Instituto de Computacao,Universidade Federal Fluminense, Niteroi, Brazil

Feb. 13-17, 2016

IX Workshop de Verao em MatematicaDepartamento de Matematica

Universidade de Brasılia

Acknowledgments

• Daniele Nantes Sobrinho, for the invitation.

• Narciso Martı-Oliet, for sharing his notes on Maude and RewritingLogic and for comments on a previous version of this talk.

C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 2 / 163

This course

Essentially:

• specification,

• automated reasoning, and

• metaprogramming in Maude,

always discussing their theoretical foundations.


Outline

1 Overview

2 Equational logics and Rewriting LogicMany-sorted Equational LogicOrder-sorted specificationsMembership Equational LogicRewriting modulo axiomsRewriting Logic

3 Search, LTL model checking and narrowingSearchLTL model checkingNarrowing

4 Linear Temporal Logic of Rewriting and MetaprogrammingLinear Temporal Logic of RewritingMetaprogramming


Schedule

Part I Part II Part IIIOverview Search and Temporal Logic

LTL model checking of Rewriting

Equational logics and Narrowing MetaprogrammingRewriting Logic Some Pie


Overview

OVERVIEW


Overview

What is Maude?

http://maude.cs.uiuc.edu

A specification language and system whose descriptions denote theories inRewriting Logic (RWL).


http://maude.cs.uiuc.edu

Overview

What is RWL?

• A logic to reason about concurrent systems.

• The state of a system is denoted by a term in a suitable rewrite theory.

• Computations are deductions in the given rewrite theory.


Overview

RWL rules of deduction, graphically

(Reflexivity)

t t

(Transitivity)

t1

t2

t3


Overview

RWL rules of deduction, graphically

(Equality)

u

=

u′

v

=

v ′


Overview

Rules of deduction, graphically

(Congruence)

f

t2t1 t3 t4

f

t ′2t ′1 t ′3 t ′4


Overview

RWL rules of deduction, graphically(Replacement)

t

t2t1 t3 t4

t ′

t ′2t ′1 t ′3 t ′4


Overview

What is Maude?

• RWL has some incarnations: Maude, in this course.

• Deductions in RWL correspond to rewrites in Maude.


Overview

State-transition systems in MaudeSpecification

n1n2start

s0

t1n2s1 n1t2 s5

c1n2s2 t1t2

s3

n1c2 s6

c1t2s4 t1c2 s7

Verification

M |= ϕ?C. Braga (IC/UFF) Maude in a Nutshell Feb. 13-17, 2016 14 / 163

Overview

Maude language: Specification

1 ( fmod SYSTEM i s2 s o r t s StateNum Conf P r o c S t a t e .3 ops 0 1 2 3 4 5 6 7 8 : −> StateNum .4 ops n1 n2 t1 t2 c1 c2 : −> P r o c S t a t e .5 op s < ‘ , > : StateNum P r o c S t a t e P r o c S t a t e −> Conf .6 op i n i t i a l : −> Conf .7 eq i n i t i a l = s 0 < n1 , n2 > .8 endfm )9 (mod MUTEX−SYSTEM i s i n c SYSTEM .

10 r l [ s0−>s1 ] : s 0 < n1 , n2 > => s 1 < t1 , n2 > .11 r l [ s0−>s5 ] : s 0 < n1 , n2 > => s 5 < n1 , t2 > .12 r l [ s1−>s2 ] : s 1 < t1 , n2 > => s 2 < c1 , n2 > .13 r l [ s1−>s3 ] : s 1 < t1 , n2 > => s 3 < t1 , t2 > .

. . .

1 r l [ s7−>s1 ] : s 7 < t1 , c2 > => s 1 < t1 , n2 > .2 endm)


Overview


n1n2start

s0 s 0 < n1, n2 >

t1n2s1 n1t2 s5

c1n2s2 t1t2

s3

n1c2 s6

c1t2s4 t1c2 s7


Overview


n1n2start

s0

t1n2s1 n1t2 s5

c1n2s2 t1t2

s3

n1c2 s6

c1t2s4 t1c2 s7

rl [s0→s1] : s 0 < n1, n2 > => s 1 < t1, n2 >


Overview

Simulation with term rewriting

M ∼ Rsi → sj ∼ si ⇒ sj

1 ( r ew r i t e [ 3 ] i n i t i a l . )

1 r ew r i t e i n MUTEX−SYSTEM :2 i n i t i a l3 r e s u l t Conf :4 s 0 < n1 , n2 >


Overview

State-space exploration with search

M ∼ Rsi → sj ∼ si ⇒ sj

1 sea rch [ 3 ] i n MUTEX−SYSTEM : i n i t i a l =>∗ C : Conf .2

3 So l u t i on 14 C : Conf −−> s 0 < n1 , n2 >5

6 So l u t i on 27 C : Conf −−> s 1 < t1 , n2 >8

9 So l u t i on 310 C : Conf −−> s 5 < n1 , t2 >


Overview

Model checking Linear Temporal Logic

M, s0 |= ϕ

Safety: G¬(c1 ∧ c2)

Liveness: G(t1 → Fc1)


Overview

LTL model checking in RWL

M, s |= ϕ ∼ K(R, k)Π, [t] |= ϕ


Overview

Maude language: VerificationProperties in LTL

1 (mod MUTEX−PROP i s i n c MODEL−CHECKER . i n c SYSTEM .2 sub so r t Conf < S t a t e .3 sub so r t P r o c S t a t e < Prop .4 op s a f e t y : −> Prop .5 op l i v e n e s s : −> Prop .6 va r s N : StateNum . va r s P1 P2 : P r o c S t a t e .7

8 eq s N < P1 , P2 > |= P1 = t r u e .9 eq s N < P1 , P2 > |= P2 = t r u e .

10

11 −−− S a f e t y : G \neg ( c1 \ l a n d c2 )12

13 eq s a f e t y = [ ] ˜ ( c1 /\ c2 ) .14

15 −−− L i v e n e s s : G ( t1 −> F c1 )16

17 eq l i v e n e s s = [ ] ( t1 −> <> c1 ) .18 endm)


Overview

Maude language: VerificationRunning the model checker

1 (mod MODEL−CHECK−MUTEX i s i n c MUTEX−SYSTEM . i n c MUTEX−PROP . endm)

1 reduce i n MODEL−CHECK−MUTEX :2 modelCheck ( i n i t i a l , s a f e t y )3 r e s u l t Bool :4 t r u e5

6 reduce i n MODEL−CHECK−MUTEX :7 modelCheck ( i n i t i a l , l i v e n e s s )8 r e s u l t ModelCheckResu l t :9 c o u n t e r e x a m p l e (

10 s 0 < n1 , n2 > , ’s0→ s1 , s 1 < t1 , n2 > , ’s1→ s311 s 3 < t1 , t2 > , ’s3→ s7 s 7 < t1 , c2 > , ’s7→ s1)


Overview

Liveness problem

n1n2start

s0

t1n2s1 n1t2 s5

c1n2s2 t1t2

s3

n1c2 s6

c1t2s4 t1c2 s7


Overview

Fixing the liveness problem

n1n2start

s0

t1n2s1 n1t2 s5

c1n2s2 t1t2s3 n1c2 s6

c1t2s4

t1t2 s8

t1c2 s7


Overview

Maude language: VerificationFixing the liveness problem in Maude. . .

1 (mod MUTEX−SYSTEM−LIVE i s i n c SYSTEM .2 r l [ s0−>s1 ] : s 0 < n1 , n2 > => s 1 < t1 , n2 > .3 r l [ s0−>s5 ] : s 0 < n1 , n2 > => s 5 < n1 , t2 > .4 r l [ s1−>s2 ] : s 1 < t1 , n2 > => s 2 < c1 , n2 > .5 r l [ s1−>s3 ] : s 1 < t1 , n2 > => s 3 < t1 , t2 > .6 r l [ s2−>s0 ] : s 2 < c1 , n2 > => s 0 < n1 , n2 > .7 r l [ s2−>s4 ] : s 2 < c1 , n2 > => s 4 < c1 , t2 > .8 r l [ s3−>s4 ] : s 3 < t1 , t2 > => s 4 < c1 , t2 > .9 r l [ s4−>s5 ] : s 4 < c1 , t2 > => s 5 < n1 , t2 > .

10 r l [ s5−>s3 ] : s 5 < n1 , t2 > => s 8 < t1 , t2 > .11 r l [ s5−>s6 ] : s 5 < n1 , t2 > => s 6 < n1 , c2 > .12 r l [ s6−>s0 ] : s 6 < n1 , c2 > => s 0 < n1 , n2 > .13 r l [ s6−>s7 ] : s 6 < n1 , c2 > => s 7 < t1 , c2 > .14 r l [ s7−>s1 ] : s 7 < t1 , c2 > => s 1 < t1 , n2 > .15 r l [ s9−>s7 ] : s 8 < t1 , t2 > => s 7 < t1 , c2 > .16 endm)


Overview

Maude language: Verification. . .and model checking it

1 reduce i n MODEL−CHECK−MUTEX−LIVE :2 modelCheck ( i n i t i a l , s a f e t y )3 r e s u l t Bool :4 t r u e5

6 reduce i n MODEL−CHECK−MUTEX−LIVE :7 modelCheck ( i n i t i a l , l i v e n e s s )8 r e s u l t Bool :9 t r u e


Overview

Narrowing

Rewriting : t( #»x )→∗ t ′( #»x )Narrowing : ∃ #»x t( #»x ) ∗ t ′( #»x )


Overview

Maude language: VerificationNarrowing search

1 sea rch [ , 6 ] i n MUTEX−SYSTEM−LIVE :2 s N1 : StateNum < t1 , P : P r o c S t a t e > ˜>∗ s 2 < c1 , n2 > .3 So l u t i on 14 N1:StateNum −−> 1 ;5 P : P r o c S t a t e −−> n26 So l u t i on 27 N1 : StateNum −−> 3 ;8 P : P r o c S t a t e −−> t29 So l u t i on 3

10 N1 : StateNum −−> 7 ;11 P : P r o c S t a t e −−> c212 So l u t i on 413 N1 : StateNum −−> 8 ;14 P : P r o c S t a t e −−> t215 No more s o l u t i o n s .


Overview

Maude language: VerificationNarrowing search

n1n2start

s0

t1n2s1 n1t2 s5

c1n2s2 t1t2s3 n1c2 s6

c1t2s4

t1t2 s8

t1c2 s7


Overview

Temporal Logic of Rewriting

• Linear Temporal Logic (LTL): state formulae — interpreted overKripke structures (transitions are pairs)

• Computation Tree Logic (CTL*): state formulae with pathquantification

• Action CTL (ATL*): action formulae — interpreted over labeledtransition systems (transitions are triples)

(s, a, s ′)(s ′, b, s ′′) . . . |= Xaϕ

• Temporal Logic of Rewriting (TLR*): CTL* with action patterns


Overview


Example: a fault-tolerant communication protocol

req : [C ,S ,N, nil ]→ [C ,S ,N, nil ] S . (C ,N)reply : S . (C ,N)[S ]→ [S ] C . (S , f (S ,C ,N))rec : C . (S ,M) [C , S ,N,W ]→ [C , S ,N,M]dupl : I . CNT → I . CNT I . CNTloss : I . CNT → null


Overview




Properties

• Under fairness assumptions, after sending a message, a client willeventually receive an answer from the queried server.

• However, messages may arrive out-of-order, be duplicated or even getlost.


Overview




Rule req

Rule specifying that a client [C ,S ,N, nil ] may send a message S . (C ,N)requesting an information N to a server S .


Overview




One can not tell, from a sequence ρ of states, which rule was applied:

1 [a][b, a, 7, f (a, b, 7)]a . (b, 7)[c , a, 17, nil ]2 [a][b, a, 7, f (a, b, 7)][c , a, 17, nil ]

. . .

From step 1 to 2 either req(b) was applied and ρ |= φ or loss was appliedand ρ 6|= φ.


Overview


• The model for a TLR* formula is not a sequence of states π but ofpairs (π, γ) where π is a sequence of states and γ a sequence ofrewrite proofs between them.

• In computations of the form (ρ, γ), (ρ, γ′) . . ., γ could be an infinitesequence of req(b) actions; and γ′ could be an infinite sequence ofdupl actions.

• Therefore, (ρ, γ) |= req(b) and (ρ, γ) 6|= dupl , together with(ρ, γ′) |= dupl and (ρ, γ′) 6|= req(b).


Overview

Reflection in Rewriting Logic

R ` t → t ′ ⇔ U ` 〈R, t〉 → 〈R, t ′〉 ⇔ U ` 〈U , 〈R, t〉〉 → 〈U , 〈R, t ′〉〉 . . .


Overview

Reflection in Maude

1 (mod META−MUTEX−SYSTEM−LIVE i s i n c FULL−MAUDE . i n c MUTEX−SYSTEM−LIVE . endm)

2

3 ( reduce upModule (MUTEX−SYSTEM−LIVE ) . )

1 r e s u l t SModule :2 mod ’MUTEX−SYSTEM−LIVE i s3 . . .4 s o r t s ’ Bool ; ’ Conf ; ’ P r o c S t a t e ; ’ StateNum .5 op ’0 : n i l −> ’ StateNum [ none ] .6 . . .7 eq ’ i n i t i a l . Conf = ’ s < ‘ , > [ ’ 0 . StateNum , ’ n1 . ProcState , ’ n2 .

P r o c S t a t e ] [ none ] .8 . . .9 r l ’ s < ‘ , > [ ’ 0 . StateNum , ’ n1 . ProcState , ’ n2 . P r o c S t a t e ] =>

10 ’ s < ‘ , > [ ’ 1 . StateNum , ’ t1 . ProcState , ’ n2 . P r o c S t a t e ]11 [ l a b e l ( ’ s0−>s1 ) ] .12 . . .13 endm


Overview

Reflection in Maude

1 ( reduce upTerm (MUTEX−SYSTEM−LIVE , s 0 < n1 , n2 >) . )

1 r e s u l t GroundTerm :2 ’ s < ‘ , > [ ’ 0 . StateNum , ’ n1 . ProcState , ’ n2 . P r o c S t a t e ]


Overview

Reflection in MaudeMeta-Level narrowing search

1 ( reduce metaNarrowSearch ( axCohComplete (2 upModule (MUTEX−SYSTEM−LIVE ) ) ,3 upTerm ( s N1 : StateNum < t1 , P : P r o c S t a t e >) ,4 upTerm ( s 2 < c1 , n2 >) ,5 none , ’∗ , unbounded , 6 , unbounded ) . )

1 r e s u l t R e s u l t T r i p l e S e t :2 ’ s < ‘ , > [ ’ 2 . StateNum , ’ c1 . ProcState , ’ n2 . P r o c S t a t e ] , ’ Conf ,3 ’N1:StateNum <− ’1.StateNum ;4 ’P : P r o c S t a t e <− ’ n2 . P r o c S t a t e |5 ’ s < ‘ , > [ ’ 2 . StateNum , ’ c1 . ProcState , ’ n2 . P r o c S t a t e ] , ’ Conf ,6 ’N1 : StateNum <− ’3.StateNum ;7 ’P : P r o c S t a t e <− ’ t2 . P r o c S t a t e |8 ’ s < ‘ , > [ ’ 2 . StateNum , ’ c1 . ProcState , ’ n2 . P r o c S t a t e ] , ’ Conf ,9 ’N1 : StateNum <− ’7.StateNum ;

10 ’P : P r o c S t a t e <− ’ c2 . P r o c S t a t e |11 ’ s < ‘ , > [ ’ 2 . StateNum , ’ c1 . ProcState , ’ n2 . P r o c S t a t e ] , ’ Conf ,12 ’N1 : StateNum <− ’8.StateNum ;13 ’P : P r o c S t a t e <− ’ t2 . P r o c S t a t e


Equational logics and Rewriting Logic

EQUATIONAL LOGICS AND REWRITING LOGIC


Equational logics and Rewriting Logic

Choice of Equational Logic

Rewriting Logic is parameterized by a choice of Equational Logics:

• Many-sorted equational logic

• Order-sorted equational logic

• Membership equational logic


Equational logics and Rewriting Logic Many-sorted Equational Logic

Many-sorted signatures

• A many-sorted signature is a pair (S ,Σ) where S is a set of sorts andΣ a family of operation symbols f : s1 . . . sn → s.

• The set of terms with (sorted) variables of a given many-sortedsignature (S ,Σ) is denoted

TΣ(X ) = TΣ,s | s ∈ S

where X = Xs | s ∈ S.



Many-sorted equations

• A Σ-equation is a universally quantified expression

(x : s)l = r

where x : s is a finite set of variables and l and r ∈ TΣ,s(x : s) forsome sort s.

• A conditional Σ-equation is a universally quantified expression

(x : s)l = r if∧

1≤i≤mui = vi

where (x : s)l = r and ui = vi are Σ-equations.



Many-sorted specifications

A many-sorted specification is a triple

(S ,Σ,E )

where (S ,Σ) is a many-sorted signature and E is a set of Σ-equations.



Matching

Given a many-sorted signature (S ,Σ) and X a set of S-sorted variables,

• Ground substitution: σ : X → TΣ

• Term substitution: σ : TΣ(X )→ TΣ

• t matches u iff ∃σ.[σ(t) ≡ u], where t, u ∈ TΣ(X )



Equational rewriting

• t →E t ′ by the application of (x : s)l = r if• l matches a subterm t|p of t with substitution σ and• t ′ = t[σ(r)]p, that is, t|p ≡ σ(l) is replaced by σ(r).

• Only admissible equations: vars(r) ⊆ vars(l).



Equational rewriting - Properties

• Confluencet

E

∗

∗E

t1

E∗

t2

∗E

t ′

• Termination: no infinite rewritings



Equational rewriting - Properties

• Confluence + termination ⇒ canonical form: t ↓E , t ∈ TΣ(X )

• To check t = t ′ means to check the syntactic equivalencet ↓E≡ t ′ ↓E .

• Equations in conditions are checked this way.



Example

(Thanks to Fabricio Chalub)

Schonfinkel’s combinatory logic

1 fmod CL i s2 s o r t Exp .3 ops S K : −> Exp [ c t o r ] .4 op : Exp Exp −> Exp [ g a t h e r (E e ) ] .5 va r s x y z : Exp .6 eq K x y = x .7 eq S x y z = x z ( y z ) .8 endfm



ExampleCurry combinators & Natural numbers in S B K I

1 ≡ ((SB)(KI ))2 ≡ ((SB)((SB)(KI )))3 ≡ ((SB)((SB)((SB)(KI ))))

. . .

1 fmod CL−EXT i s i n c CL .2 ops B C I : −> Exp .3 eq B = ( ( S (K S ) )K) .4 eq C = ( ( S (K( ( S S ) (K K) ) ) ) ( ( S (K K) ) S ) ) .5 eq I = ( ( S K)K) .6 endfm7 fmod CL−NATURALS i s i n c l u d i n g CL−EXT . i n c NAT .8 op $ : Nat −> Exp .9 var n : Nat .

10 eq $ ( s ( n ) ) = ( S B) $ ( n ) .11 eq $ ( 0 ) = (K I ) .12 op p l : −> Exp . op t i : −> Exp . op ex : −> Exp .13

14 eq p l = ( ( C I ) ( S B) ) .15 eq t i = ( (B( ( C C) (K I ) ) ) ( ( C B) p l ) ) .16 eq ex = (C ( (B(C ( ( C C) ( ( S B) (K I ) ) ) ) ) t i ) ) .17 endfm



ExampleFrom combinator expressions to Nat: let e1, e2 be expressions and n be thecombinatorial expression of number n.

1e1e2 = e1e22e1e2 = e1e1e23e1e2 = . . .

1 fmod NATURALS−CL i s i n c l u d i n g CL−NATURALS .2 va r s x y : Exp .3 ops eqv eqv−aux : Exp −> Nat .4 ops i j : −> Exp .5

6 eq eqv ( x ) = eqv−aux ( x i j ) .7 eq eqv−aux ( x y ) = eqv−aux ( x ) + eqv−aux ( y ) .8 eq eqv−aux ( i ) = 1 .9 eq eqv−aux ( j ) = 0 .

10 endfm



Example

Let’s execute CL!(You may need to resize the stack size before executing it: in MacOsX the

command is ulimit -s hard.)


Equational logics and Rewriting Logic Order-sorted specifications

Order-sorted specifications

• Allows for the specification of partiality by means of sort inclusion.• A sort for natural numbers without 0 allows for a total operation

specification of division, such as

op div : Nat NzNat→ Nat .

• Subsorts: defined by means of constructors and interpreted as setinclusion.

• Allows for operation overloading.

• Preregularity: a term must have a least sort.

• Sort-decreasing equations: a conical term should have the leastpossible sort among the sorts of all the terms equivalent to it by E ,using only operator declarations.


Equational logics and Rewriting Logic Order-sorted specifications

Properties of Maude functional modules

• Preregularity

• Equations are assumed admissible, sort-decreasing, confluent andterminating.


Equational logics and Rewriting Logic Membership Equational Logic

Membership equational logic specifications

• MEL generalizes order-sorted equational logic by allowing thesubsorting relation to be specified by a general property and not onlyby constructors.




• Signature in MEL: (K ,Σ, S) where K is a set of kinds, (K ,Σ) is amany-kinded signature and S = SK |k ∈ K is a K -kinded set ofsorts.

• Atomic formuae: Σ-equations or membership assertions t : s where thas kind k and s ∈ SK .

• General sentences, where X is a set of K -kinded variables:

(∀X ) t = t ′ if (∧

i ui = vi ) ∧ (∧

j wj : sj)

(∀X ) t : s if (∧

i ui = vi ) ∧ (∧

j wj : sj)




Declarationop div : Nat NzNat→ Nat .

can be understood as

op div : [Nat] [NzNat]→ [Nat] .

cmb N div M : Nat if N : Nat and M : NzNat .


Equational logics and Rewriting Logic Rewriting modulo axioms

Rewriting modulo axioms

Given an equational theory A,

t matches u modulo A if ∃σ(σ(t) =A u)



Rewriting modulo axioms in Maude

• Binary operators may be declared with attributes denoting structuralaxioms:

• associativity,• commutativity,• idempotency,• id: t where t is the identity element.• left or right identity

• Given a set of attributes A in a signature, Maude synthesizes amatching algorithm for A and equationally rewrites modulo A.



Rewriting modulo axioms in Maude

Structural axioms give rise to rewriting on:

• binary trees (A = ∅)• nonempty lists (A = associative attribute)

• lists (A = assoc and id)

• multiset (A = assoc + comm)

• set (A = assoc + comm + idem)



Exercise!

Move back to Section 1 and study how the different equational logics wereused in the specifications there.


Equational logics and Rewriting Logic Rewriting Logic

Rewriting Logic

• A logic of change where (computationally) a rewrite t → t ′ isunderstood as local concurrent transition.

• The structure of a concurrent system is represented in RewritingLogic by an equational theory and the behavioral part by rewrite rules.

State ↔ TermTransition ↔ Rewriting

Distributed structure ↔ Algebraic structure



Rewriting Logic specification

• R = (Ω,E , L,R) where the equational specification (Ω,E ) is itssignature, L is a set of labels, and R is a set of labeled (conditional)rewrite rules of the general form

r : t → t ′ if (∧i

ui = vi ) ∧ (∧

wj : sj) ∧ (∧k

pk → qk).

• Sentences are rewrites of the form

[t]E → [t ′]E

where [t]E , [t′]E ∈ TΩ,E (X ).



Mixing equations and rules

Coherence

t

!E/A

1

R/A// t ′

!

E/A w

u1

R/A// u′

!

E/A

>>



Maude system modules

• Code Rewriting Logic specifications: mod (Σ, E ∪ A, R) endm, wherefmod (Σ, E ∪ A) enfm is a functional module, with A the set ofstructural axioms, and R is coherent with respect to E .

• Strategy: to reduce terms to canonical form before applying rules.

• Effect of rewriting modulo E ∪ A with just an algorithm for A.



Example — Lambda calculus(Thanks to Narciso Martı Oliet.)Modeling variables

1 f t h VAR i s p r o t e c t i n g BOOL .2 s o r t s Var VarSet .3 sub so r t Var < VarSet .4

5 op empty−s e t : −> VarSet .6 op U : VarSet VarSet −> VarSet [ a s s o c comm i d : empty−s e t ] .7 op i n : Var VarSet −> Bool .8 op \ : VarSet VarSet −> VarSet .9 op new : VarSet −> Var .

10

11 va r s E E ’ : Var . va r s S S ’ : VarSet .12

13 eq E U E = E .14 eq E i n empty−s e t = f a l s e .15 eq E i n E ’ U S = (E == E ’ ) o r (E i n S ) .16 eq empty−s e t \ S = empty−s e t .17 eq (E U S ) \ S ’ = i f E i n S ’ then S \ S ’ e l s e E U ( S \ S ’ ) f i .18 eq new ( S ) i n S = f a l s e [ nonexec ] .19 e n d f t h



Example — Lambda calculus

Syntax, substitutions and free variables

1 fmod LAMBDAX : : VAR i s2 s o r t LambdaX .3 sub so r t X$Var < LambdaX .4

5 −−− Lambda a b s t r a c t i o n s6 op \ . : X$Var LambdaX −> LambdaX [ c t o r ] .7

8 −−− A p p l i c a t i o n9 op : LambdaX LambdaX −> LambdaX [ c t o r ] .

10

11 −−− S u b s t i t u t i o n12 op [ / ] : LambdaX LambdaX X$Var −> LambdaX .13

14 −−− F r e e v a r i a b l e s15 op f v : LambdaX −> X$VarSet .



Example — Lambda calculusSyntax, substitutions and free variables

1 va r s X Y : X$Var . va r s M N P : LambdaX .2

3 −−− F r e e v a r i a b l e s e q u a t i o n s4 eq f v (X) = X .5 eq f v (\ X . M) = f v (M) \ X .6 eq f v (M N) = f v (M) U f v (N) .7 eq f v (M [N / X ] ) = ( f v (M) \ X) U f v (N) .8

9 −−− S u b s t i t u t i o n e q u a t i o n s10 eq X [N / X ] = N .11 ceq Y [N / X ] = Y i f X =/= Y .12 eq (M N) [ P / X ] = (M [ P / X ] ) (N [ P / X ] ) .13 eq (\ X . M) [N / X ] = \ X . M .14 ceq (\ Y . M) [N / X ] = \ Y . (M [N / X ] )15 i f X =/= Y and ( not (Y i n f v (N) ) o r not (X i n f v (M) ) ) .16 ceq (\ Y . M) [N / X ]17 = \ ( new ( f v (M N) ) ) . ( (M [ new ( f v (M N) ) / Y ] ) [N / X ] )18 i f X =/= Y /\ (Y i n f v (N) ) /\ (X i n f v (M) ) .19

20 −−− Alpha c o n v e r s i o n21 ceq \ X . M = \ Y . (M [ Y / X ] ) i f not (Y i n f v (M) ) [ nonexec ] .22 endfm




β and η reductions

1 mod BETA−ETAX : : VAR i s2 i n c l u d i n g LAMBDAX .3

4 var X : X$Var .5 va r s M N : LambdaX .6

7 r l [ b e t a ] : (\ X . M) N => M [N / X ] .8 c r l [ e t a ] : \ X . (M X) => M i f not (X i n f v (M) ) .9 endm



Example — Lambda calculusVariables as natural numbers

1 view Nat from TRIV to NAT i s2 s o r t E l t to Nat .3 endv4

5 fmod NAT−SET−MAX i s6 p r o t e c t i n g (SET ∗ ( op , to U ) ) Nat .7 op max : Set Nat −> Nat .8

9 var N : Nat . var S : Set Nat .10

11 eq max ( empty ) = 0 .12 eq max (N U S ) = i f N > max ( S ) then N e l s e max ( S ) f i .13 endfm14

15 view VarNat from VAR to NAT−SET−MAX i s16 s o r t Var to Nat .17 s o r t VarSet to Set Nat .18

19 var S : VarSet .20 op empty−s e t to empty .21 op new ( S ) to term max ( S ) + 1 .22 endv




Untyped lambda calculus with natural numbers as variables

1 mod UNTYPED−LAMBDA−CALCULUS i s2 p r o t e c t i n g BETA−ETAVarNat .3 endm




Let’s execute lambda calculus!



Exercise!

Move back to Section 1 and study how rewrite rules were used to modelthe behavior of the concurrent system.


Search, LTL model checking and narrowing

SEARCH, LTL MODEL CHECKING AND NARROWING


Search, LTL model checking and narrowing Search

Search

• Rewriting logic specifications are non-deterministic.

• Maude may animate such specifications with the rewrite t

command, where t is a term.

• If one wants to explore all computations the search t =>? t’

command must be used where t is a ground term, t’ is term withvariables (a pattern) and =>? is one of possible rewrite relations =>*,=>+ or =>!, denoting zero-or-more computations, one-or-morecomputations, and a search for canonical terms, respectively.



DPLL

• Davis-Putnam-Logemann-Loveland is a procedure for SAT solving.

• It can be formalized by a sequent-based inference system withsequents ∆ ` Γ where ∆ is a set of literals (p or ¬p) and Γ a set ofclauses. The symbol denotes the empty clause.

• A formula ϕ must be in conjunctive normal form (conjunction ofdisjunction of literals)

• Γ is satisfiable if ∆ ` ∅ is derivable from ∅ ` Γ.



DPLL sequent calculus

∆ ` Γ, l ∨ C(subsume) if l ∈ ∆

∆ ` Γ

∆ ` Γ, l ∨ C(resolve) if ¬l ∈ ∆

∆ ` Γ,C

∆ ` Γ, l(assert) if l 6∈ ∆,¬l 6∈ ∆

∆, l ` Γ

∆ ` Γ,(close) if ∆ 6= ∅ ∨ Γ 6= ∅∅ `

∆ ` Γ, l ∨ C(split) if l 6∈ ∆,¬l 6∈ ∆, C 6=

∆, l ` Γ ∆,¬l ` Γ,C



DPLL sequent calculus in Maude

1 mod DPLL i s p r o t e c t i n g QID .2 s o r t s L i t e r a l Context C l a u s e C l a u s e S e t Sequent .3 s u b s o r t s Qid < L i t e r a l < Context C l a u s e < C l a u s e S e t .4

5 op ˜ : L i t e r a l −> L i t e r a l .6 op n u l l : −> Context .7 op , : Context Context −> Context [ a s s o c comm i d : n u l l ] .8 op , : C l a u s e S e t C l a u s e S e t −> C l a u s e S e t [ a s s o c comm i d : n u l l ]

.9 op [ ] : −> C l a u s e .

10 op \/ : C l a u s e C l a u s e −> C l a u s e [ a s s o c comm i d : ( [ ] ) ] .11 op |− : Context C l a u s e S e t −> Sequent .12 op i n : L i t e r a l Context −> [ Bool ] .13

14 var p : Qid .15 var l : L i t e r a l .16 var CTX : Context .17 var C : C l a u s e .18 var CS : C l a u s e S e t .



DPLL sequent calculus in Maude1 eq ˜ ( ˜ ( l ) ) = l .2 eq l i n l ,CTX = t r u e .3

4 eq [ c o n t r a c t i o n ] : C , C = C .5

6 eq [ subsume ] : l ,CTX |− CS , ( l \/ C) = l ,CTX |− CS .7

8 eq [ r e s o l v e 1 ] : p ,CTX |− CS , ( ˜( p ) \/ C) = p ,CTX |− CS , C .9 eq [ r e s o l v e 2 ] : ˜( p ) ,CTX |− CS , ( p \/ C) = ˜( p ) ,CTX |− CS , C .

10

11 eq [ c l o s e 1 ] : CTX |− C , CS , [ ] = n u l l |− [ ] .12 eq [ c l o s e 2 ] : CTX, l |− CS , [ ] = n u l l |− [ ] .13

14 ceq [ a s s e r t ] : CTX |− CS , l = CTX, l |− CS15 i f ( l i n CTX) =/= t r u e and ( ˜( l ) i n CTX) =/= t r u e .16

17

18 c r l [ s p l i t 1 ] : CTX |− CS , ( l \/ C) => l ,CTX |− CS19 i f ( l i n CTX) =/= t r u e and ( ˜( l ) i n CTX) =/= t r u e and C =/=

[ ] .20 c r l [ s p l i t 2 ] : CTX |− CS , ( l \/ C) => ˜( l ) ,CTX |− CS , C21 i f ( l i n CTX) =/= t r u e and ( ˜( l ) i n CTX) =/= t r u e and C =/=

[ ] .22 endm



DPLL sequent calculus in Maude

Let’s execute DPLL in Maude!



Exercise!

Move back to Section 1 and study how the search command was used tounderstand the behavior of the concurrent system.


Search, LTL model checking and narrowing LTL model checking

Model checking

• Is a decision procedure for temporal logic.

• Combines automata induced by a system specification and propertyspecification.

• Maude allows for model checking of Linear Temporal Logic (LTL)formulae.



LTL

ϕ ::= p | ¬ϕ | ϕ ∧ ϕ | Xϕ | ϕUϕ | ϕ | ♦ϕ

• > is a formula that always holds at the current state.

• Xϕ holds at the current state if ϕ holds at the state that follows.

• ϕUψ holds at the current state if ψ is eventually satisfied at a futurestate and, until that moment, ϕ holds at all intermediate states.

• ϕ holds if ϕ holds at every state from now on.

• ♦ϕ holds if ϕ holds at some state in the future.

• Note that: ♦ϕ = >Uϕ and ϕ = ¬♦¬ϕ.



Kripke structures

A Kripke structure A = (A,→A, L)

• A is the set of states.

• →A⊆ A× A is the transition relation.

• L : A→ 2AP is the labeling function that specifies which atomicpropositions hold in a given state.

• A path is a function π : N→ A with π(i)→A π(i + 1) for every i .

• The suffix of π starting at π(i) is denoted πi .



Kripke structures associated with rewrite theories• Given a module M specifying a rewrite theory R = (Σ,E ,R),

• chose a kind k in M as the kind of states,• define state predicates Π and their semantics in a module, say M-PRED,

by means of the operation

op |= : State Prop −> Bool.

declared in the predefined module SATISFACTION.

• The Kripke structure associated with R is

K(R, k)Π = (TΣ/E ,k , (→1R)•, LΠ).

where (→1R)• is the one-step reflexive extension of the rewrite relation

R and LΠ is the labeling function that assigns to a term in TΣ/E ,k theset of atomic propositions in Π which are true.

• Under some assumptions on M and M-PRED, including that the set ofreachable states from [t] is finite, the relation K(R, k)Π, [t] |= ϕbecomes decidable.



Exercise!

• Move back to Section 1 and study how the model check commandwas used to verify safety and liveness.

• Run the model checker for strong liveness: If a process waits infinitelyoften, then it is in its critical section infinitely often.


Search, LTL model checking and narrowing Narrowing

Narrowing relation

• A term t narrows to a term t ′ using a rule l ⇒ r in R and asubstitution σ if

1 there is a subterm t|p of t in a nonvariable position p of t such that land t|p are unifiable via σ, and

2 t ′ = σ(t[r ]p) is obtained from σ(t) by replacing the subtermσ(t|p) ≡ σ(l) with term σ(r).

• Narrowing can also be defined modulo an equational theory A.

• Currently, there are some restrictions on the allowed rules. Forexample, they can not be conditional.



Some Pie

• A Rewriting Logic Semantics for the Generalized SubstitutionLanguage

• Joint (ongoing) work with David Deharbe, Anamaria Moreira andNarciso Martı-Oliet

• ETMF 2016



Motivation

• The B method is a leading technique to develop and reason oncomponent-based software.

• B specifications, described in the Abstract Machine Notation, can betransformed to descriptions in the Generalized SubstitutionLanguage.

• The main technique in the method is to validate invariants aboutrefinements of a B machine into another.



Proposal

We would like to endow the B method with the different automatedanalysis techniques available in the Maude system: simulation byrewriting, state space exploration with search, symbolic analysis withnarrowing and temporal logic model checking.



Approach

Let G be the Rewriting Logic semantics for GSL, g a GSL program, and ϕa property one wishes to validate with respect to g .

G, g |= ϕ (1)



This talk: GSL semantics

We propose a Rewriting Logic semantics for GSL equivalent to aStructural Operational Semantics for GSL.



GSL Structural Operational Semantics

Sto = (Var 7→fin N)−→⊆ (Subst × Sto)× ((Subst × Sto) ∪ abort)

E, sto −→∗ nv := E, sto −→ skip, update(sto, v, n)

(simple)

P, sto −→∗ trueP | S, sto −→ S, sto

(pre 1)P, sto −→∗ false

P | S, sto −→ abort(pre 2)

(bchoice 1) S1 [] S2, sto −→ S1, sto (bchoice 2) S1 [] S2, sto −→ S2, sto

P, sto −→∗ trueP ==> S, sto −→ S, sto

(guard 1)P, sto −→∗ false

P ==> S, sto −→ skip, sto(guard 2)

(uchoice) @v.S, sto −→ S[n/v], sto if v 6∈ var(sto), for some n.




Sto = (Var 7→fin N)−→⊆ (Subst × Sto)× ((Subst × Sto)∪abort)


(simple)










The transition relation relates pairs of asubstitution (a GSL program) and astore





(simple)










The transition relation relates pairs of asubstitution (a GSL program) and astore, a finite map of variables tonatural numbers (in this simplifiedspec).



Sto = (Var 7→fin N)−→⊆ (Subst × Sto)×((Subst × Sto)∪abort)


(simple)










The transition relation also specifiesthat a GSL program may terminateabnormally.





(simple)










Simple assignment v := E assigns tovariable v in the store the valueresulting from the evaluation ofexpression E.





(simple)










Pre-condition substitution P | Sbehaves as substitution S whenpredicate P is true or aborts otherwise.





(simple)










Bounded choice substitution S1 [] S2behaves either as substitution S1 or S2.





(simple)










Guarded substitution P ==> S behavesas substitution S when P is true orterminates normally, behaving as skip,otherwise.





(simple)










Unbounded substitution @v.S behaves assubstitution S after replacing alloccurrences of v in S with some value n.We assume that v is free in S.


Structural Operational Semantics in Rewriting Logic

Transitions are identified with rewrites.

Structural Operational Semantics rules

Pf (

#»t ) −→ γ

(t)

Rewriting Logic rules

ceq[t] : f (#»t ) = γ if P, if Jf K is functional (deterministic).

crl[t] : f (#»t )⇒ γ if P, if Jf K is relational (non-deterministic).



Conditional rewriting logic semantics for GSL

Simple assignmentceq [simple] : (v := E, sto) = (skip, sto ′) if

(E, sto) = n ∧ sto ′ := update(sto, v, n)Pre-conditionceq [pre1 ] : (P | S, sto) = (S, sto) if (P, sto) = true

ceq [pre2 ] : (P | S, sto) = abort if (P, sto) = false

Bounded choicerl [bchoice] : (S1 [] S2, sto)⇒ (S1, sto)

Guarded substitutionceq [guard1 ] : (P ==> S, sto) = (S, sto) if (P, sto) = true

ceq [guard2 ] : (P ==> S, sto) = (skip, sto) if (P, sto) = false

Unbounded choicecrl [uchoice] : (@v.S, sto)⇒ (S[n/v], sto) if v 6∈ var(sto)












Simple assignment,pre-condition andguarded substitutionhave a functionalsemantics.











Bounded andunboundedsubstitutions have arelational semantics.











Bounded substitutions rewrite modulocommutativity. Only one rule is needed.











Variable n is existentially quantified in the rule for unboundedchoice. Replacement operation [ / ] is equationally defined on thesyntax of substitutions.


Executability of unbounded choice rule in Maude

• The representation of transitions as rewrites provides us with a directmapping from the SOS specification of GSL to Rewriting Logic.

• However, the rule for unbounded choice is not executable in theMaude system due to the existentially quantified variable onright-hand side of the rule.



Unbounded choice and narrowing in Maude

• One way to execute such specifications in Maude is throughnarrowing.

• Narrowing is a generalization of term rewriting that allows for freevariables in terms (as in logic programming) and replaces patternmatching by unification in order to (non-deterministically) reducethese terms.



Executability requirements for narrowing in Maude

Essentially, a system module mod(Σ,G ∪ E ∪ Ax ,R)endm, for thenarrowing relation, must fulfill the following requirements:

1 only associative and commutative axioms may be used in Ax ;

2 rules in R must be unconditional, topmost and may not be specifiedby a single variable in the left-hand side of the rule;

3 rules in R must be coherent with respect to E ∪ Ax .



Making GSL semantics unconditional

Let op be a binary operation in the conditional GSL semantics, that is, asimple assignment, a pre-condition or a guarded substitution, T be astatement, that is, either an expression or predicate, S a GSL substitution,and γ a GSL substitution,

crl (op(T ,S), sto) ⇒ (γ(val , S), sto) if T ⇒ val

rl (op(T ,S), sto) ⇒ (T , op(T ,S), sto)rl (val , op(T ,S), sto) ⇒ (γ(val , S), sto).



Making GSL semantics unconditional: unfoldingstatements





The configuration being rewritten becomes a triple during theevaluation of the statement.


Making GSL semantics unconditional: folding values





After the statement is fully evaluated, the configurationbecomes a pair again.


Unconditional GSL rewriting logic semantics

Simple assignmenteq [simple1 ] : (v := E, sto) = (E, v := E, sto)eq [simple2 ] : (n1, v := E, v 7→ n2 sto) = (skip, v 7→ n1 sto)

Pre-conditioneq [pre1 ] : (P | S, sto) = (P, P | S, sto)eq [pre2 ] : (true, P | S, sto) = (S, sto)eq [pre3 ] : (false, P | S, sto) = abort


Guarded substitutioneq [guard1 ] : (P ==> S, sto) = (P, P ==> S, sto)eq [guard2 ] : (true, P ==> S, sto) = (S, sto)eq [guard3 ] : (false, P ==> S, sto) = (skip, sto)

Unbounded choicerl [uchoice] : (@p.S, sto)⇒ (S[n/p], sto), for some n, where p is a place holder.










Unfolding statements









Folding values









Since p can not be part of the store, we simply consider it aplaceholer, a sort disjoint of the sort of variables.


Equivalence of conditional and unconditional semanticsmodulo unfolding

Proposition

Let C be the conditional rewriting logic semantics for GSL and U theunconditional one.

C ` t → t ′ ⇐⇒ U ` t →/ρ t′



Fulfilling narrowing executability requirements

Recall from Slide 112:









Axioms are used only for bounded choice operator which is associativeand commutative.









All rules in the unconditional Rewriting Logic semantics of GSL areunconditional. They only apply to operators at the top and theirleft-hand side pattern is not composed by a single variable.









The rules do not give rise to critical pairs as their left-hand sidepatterns are disjoint.



Support for Abstract Machine Notation

We equationally reduce from AMN syntax to GSL syntax.

1 eq BEGIN S END = S .2 eq PRE P THEN S END = P | S .3 eq IF P THEN S ELSE T END = (P ==> S ) [ ] ( neg (P) ==> S ) .4 eq IF P THEN S END = IF P THEN S ELSE s k i p END .5 eq X := b o o l ( P ) = IF P THEN (X := t r u e ) ELSE (X := f a l s e ) END

.6 eq CHOICE SS END = SS .7 eq S OR T = S [ ] T .8 eq S OR (T OR SS ) = S [ ] (T OR SS ) .9 eq ANY X WHERE P THEN S END = (@ X . (P ==> S ) ) .



A trivial example

Just to illustrate how narrowing command works:

1 ( sea rch [ , 2 ] i n SAMN−EXAMPLE :2 CHOICE3 ANY x WHERE t r u e THEN y := x + s ( 0 ) END4 OR5 ANY x WHERE t r u e THEN y := x END6 END, STO: S t o r e ˜>∗ s k i p , STO ’ : S t o r e . )7

8 So l u t i on 19 STO ’ : S t o r e −−> #13: S t o r e y |−> #7:GNat ;

10 STO: S t o r e −−> #13: S t o r e y |−> #12:GNat11 So l u t i on 212 STO ’ : S t o r e −−> #13: S t o r e y |−> s (#7:GNat ) ;13 STO: S t o r e −−> #13: S t o r e y |−> #12:GNat14 No more s o l u t i o n s .



Search as an instantiation of our validation approach

Let us recall Equation 1 from Slide 93,

G, g |= ϕ.

The search command of Slide 126 instantiates it as follows,

SAMN-EXAMPLE, CHOICE . . . OR . . . END |=∃STO,STO ′[(g ,STO) (skip, STO ′)]

such that the Maude module SAMN-EXAMPLE includes the Maudemodule that specifies the unconditional Rewriting Logic semantics ofGSL.


Linear Temporal Logic of Rewriting and Metaprogramming

LINEAR TEMPORAL LOGIC OF REWRITING ANDMETAPROGRAMMING


Linear Temporal Logic of Rewriting and Metaprogramming Linear Temporal Logic of Rewriting

Linear Temporal Logic of Rewriting

• LTLR generalizes LTL with action patterns:

ϕ ::= p | δ | ¬ϕ | ϕ ∧ ϕ | Xϕ | ϕUϕ | ϕ | ♦ϕ

• Spatial action patterns describe properties of one-step rewrites(equivalently, one-step proof terms) in R.

• Examples of ground spatial action patterns to describe one-steprewrites are, where u1, . . . , um are ground terms, and where ifl : t → t ∈ R, then x1, . . . , xn ⊆ vars(t):

• l : one-step proof terms involving a rule in R with label l .• l(x1\u1; . . . ; xm\um) : one-step proof terms with a rule label l whose

matching substitution φ satisfies [φ(xi )]E∪A = [ui ]E∪A.• t[l(x1\u1; . . . ; xm\um)]p : one-step proof terms that are instances of

the pattern l(x1\u1; . . . ; xm\um) where the corresponding rewriteshappen at position p of [t]E∪A.




• The semantics of LTLR formulas ϕ is defined by the satisfactionrelation R, [t]E∪A |= ϕ, on a computable deadlock-free rewrite theoryR.

• By definition, R, [t]E∪A |= ϕ holds if and only if for each infinitecomputation (π, γ) starting at [t]E∪A in R, the path satisfactionrelation R, (π, γ) |= ϕ holds.

• The path satisfaction relation for LTLR is quite similar to that ofLTL. The key difference between the LTLR and the LTL semantics isthe semantics of spatial action patterns. Specifically, the relationR, (π, γ) |= δ holds iff the first proof term γ(0) of the currentcomputation satisfies the spatial action pattern δ.



Model checking LTL

(Thanks to Ariel Gurfinkel, SEI/CMU)

• Checking the satisfiability

S , s0 |= ϕ

can be done algorithmically by verifying

L(B(S) ∩ B(¬ϕ)) = ∅

where B(S) is the Buchi automaton (a finite automaton that acceptsinfinite words) for the system S , B(ψ) is the Buchi automaton for anLTL formula ψ, and L(A) is the language accepted by automaton A.

• Counterexamples (words in L(B(S) ∩ B(¬ϕ))) are always of the formuvω, where u and v are finite words.



Model checking LTL

Buchi automaton:

• A = (Σ,Q,∆,Q0,F ), ∆ ⊆ Q × Σ× Q, Q0 ⊆ Q, F ⊆ Q.

• Recognizes words from Σω.

• A run ρ : N → Q over v ∈ Σω in A is such that ρ(0) ∈ Q0 and

∀i ≥ 0, (ρ(i), v(i), ρ(i + 1)) ∈ ∆.

• Acceptance: runs over infinite words.• Let inf (ρ) be the set of states that appear infinitely often on a run ρ:

inf (ρ) = q | ∀i ∈ N,∃j ≥ i , ρ(j) = q.

• A run ρ is accepting iff inf (ρ) ∩ F 6= ∅.• Buchi-recognizable languages are closed under complement and

intersection.



Labeled Kripke Structures as a Rewrite Theory

• Given a computable deadlock-free rewrite theory R, and an LTLRformula ϕ with set of atomic propositions P and set of actionpatterns W ,

R, (π, γ) |= ϕ⇔ KP,W (R)π(0), (π, α) |= ϕ,

where for each computation (π, γ) of R, there is a path (π, α) ofKP,W (R)π(0) with α(i) = δ ∈W : [γ(i) |= δ]E = [true]E for eachi ∈ N.

• A path in a Labeled Kripke Structures K is such that

π(i)α(i)π(i + 1) for each i ≥ 0.



Union traces and Buchi automata for LTLR

• If the set of atomic propositions in a Labeled Kripke Structure and itsset of actions are disjoint,

(L(π), α)⇔ L(π) ∪ α,

where (L(π) ∪ α)(i) = L(π)(i) ∪ α(i) for each i ≥ 0.

• In union traces there is no distinction between event and statepropositions.

• Therefore, we can check whether a union trace L(π) ∪ α is acceptedby a Buchi automaton for a formula ¬ϕ using the same Buchiautomata construction as in the LTL case.



Model checking LTLR

Given an LTLR formula ϕ with set of atomic propositions P and set ofspatial action patterns W , a computable deadlock-free rewrite theory R,and an initial state [t]E ,

R, [t]E |= ϕ⇔ L(KP,W (R)[t]E ⊗ B(¬ϕ)) = ∅.

where M ⊗ B(¬ϕ) is a special product which advances to the next stateonly if both state labels and event labels are accepted by the currenttransition of B(¬ϕ).



Model checking LTLR

Let’s take a look at the client-server example code!


Linear Temporal Logic of Rewriting and Metaprogramming Metaprogramming

Reflection

Reflective tower:

R ` t → t ′ ⇔ U ` 〈R, t〉 → 〈R, t ′〉 ⇔ U ` 〈U , 〈R, t〉〉 → 〈U , 〈R, t ′〉〉 . . .



Maude’s metalevel



Maude’s metalevel

• Terms and modules have a metarepresentation.

• Comprehensive API to move between representation levels, with upand down functions, and perform rewrites at the metalevel:metaReduce, metaRewrite, metaApply, metaMatch, their extendedversions to consider structural axioms, metaSearch, metaSearchPath,parsing, and pretty-printing.



Representing terms

1 s o r t s Constant V a r i a b l e Term .2 s u b s o r t s Constant V a r i a b l e < Qid Term .3 op <Qids> : −> Constant [ s p e c i a l ( . . . ) ] .4 op <Qids> : −> V a r i a b l e [ s p e c i a l ( . . . ) ] .5 s o r t TermList .6 sub so r t Term < TermList .7 op , : TermList TermList −> TermList8 [ c t o r a s s o c g a t h e r ( e E) p r e c 1 2 0 ] .9 op [ ] : Qid TermList −> Term [ c t o r ] .



Representing modules

1 s o r t s FModule SModule FTheory STheory Module .2 s u b s o r t s FModule < SModule < Module .3 s u b s o r t s FTheory < STheory < Module .4 s o r t Header .5 sub so r t Qid < Header .6 op : Qid P a r a m e t e r D e c l L i s t −> Header [ c t o r ] .7 op f m o d i s s o r t s . e n d f m : Header I m p o r t L i s t S o r t S e t8 S u b s o r t D e c l S e t OpDeclSet MembAxSet E q u a t i o n S e t −>

FModule9 [ c t o r g a t h e r (& & & & & & &) ] .

10 op m o d i s s o r t s . e n d m : Header I m p o r t L i s t S o r t S e t11 S u b s o r t D e c l S e t OpDeclSet MembAxSet E q u a t i o n S e t R u l e S e t12 −> SModule [ c t o r g a t h e r (& & & & & & & &) ] .13 op f t h i s s o r t s . e n d f t h : Qid I m p o r t L i s t S o r t S e t

S u b s o r t D e c l S e t14 OpDeclSet MembAxSet E q u a t i o n S e t −> FTheory15 [ c t o r g a t h e r (& & & & & & &) ] .16 op t h i s s o r t s . e n d t h : Qid I m p o r t L i s t S o r t S e t

S u b s o r t D e c l S e t17 OpDeclSet MembAxSet E q u a t i o n S e t R u l e S e t −> STheory18 [ c t o r g a t h e r (& & & & & & & &) ] .



Moving between levels

1 op upModule : Qid Bool ˜> Module [ s p e c i a l ( . . . ) ] .2 op u p S o r t s : Qid Bool ˜> S o r t S e t [ s p e c i a l ( . . . ) ] .3 op u p S u b s o r t D e c l s : Qid Bool ˜> S u b s o r t D e c l S e t [ s p e c i a l ( . . . ) ] .4 op upOpDecls : Qid Bool ˜> OpDeclSet [ s p e c i a l ( . . . ) ] .5 op upMbs : Qid Bool ˜> MembAxSet [ s p e c i a l ( . . . ) ] .6 op upEqs : Qid Bool ˜> E q u a t i o n S e t [ s p e c i a l ( . . . ) ] .7 op upRls : Qid Bool ˜> R u l e S e t [ s p e c i a l ( . . . ) ] .

In all these (partial) operations:

• The first argument is expected to be a module name.

• The second argument is a Boolean, indicating whether we areinterested also in the imported modules or not.



Moving between levels

1 op upTerm : U n i v e r s a l −> Term .2 op downTerm : Term U n i v e r s a l −> U n i v e r s a l .

• upTerm takes a term t and returns the metarepresentation of itscanonical form.

• downTerm takes the metarepresentation of a term t and a term t ′,and returns the canonical form of t, if t is a term in the same kind ast ′; otherwise, it returns the canonical form of t ′.



metaSearch

• metaSearch takes as arguments:• the metarepresentation of a module,• the metarepresentation of the starting term for search,• the metarepresentation of the pattern to search for,• the metarepresentation of a condition to be satisfied,• the metarepresentation of the type of search to carry on,• a Bound value that indicates the maximum depth of the search, and• a natural number, to enumerate solutions.

• The searching strategy used by metaSearch coincides with that ofthe object level search command.

• The possible types of search are:• ’* for a search involving zero or more rewrites (corresponding =>* in

the search command),• ’+ for a search consisting in one or more rewrites (=>+),• ’ ! for a search that only matches canonical forms (=>!).



Exercise!

• Move back to Section 1 and study how the narrowing searchcommand was used at the metalevel.

• Open Maude’s online manual, study the metalevel documentation,and execute a metaApply command in the mutex system.



Some Pie

• Towards Reasoning in Dynamic Logics with Rewriting Logic: thePetri-PDL Case.

• Joint work with Bruno Lopes.

• SBMF 2015



Petri nets

R1 S2 P1 R2 S1 P2

W1W2

D

G1 G2

C

Petri Net for “Rock-Paper-Scissors” game



Reasoning on Petri nets

R1 S2 P1 R2 S1 P2

W1W2

D

G1 G2

C

Petri Net for “Rock-Paper-Scissors”game

• Will it always have a winner?

• Which would be a suitable logicto reason about Petri nets’properties?

• How to automate reasoning insuch a logic?



Petri-PDL

• There are many logical approaches to reason about Petri nets.(Please see a discussion in the paper.)

• We choose Propositional Dynamic Logic (PDL), a simple and yetexpressive modal logic that appears to be suitable to reason aboutPetri nets.



PDL

• Syntax: Let p be an atomic proposition and α a basic program,

• ϕ ::= p | > | ¬ϕ | ϕ1 ∧ ϕ2 | 〈π〉ϕ• π ::= α | π;π | π ∪ π | π?.



PDL


• ϕ ::= p | > | ¬ϕ | ϕ1 ∧ ϕ2 | 〈π〉ϕ “modality generator”

• π ::= α | π;π | π ∪ π | π?.

• Model: M = 〈W,Rπ,V〉, W is a set of states or worlds,Rπ ⊆ W ×W, for each basic program πb, V : Φ→ 2W is a valuationfunction. Kripke structure

• Satisfaction: Let w ∈ W,• M,w p iff w ∈ V(p),• M,w > always,• M,w ¬ϕ iff M,w 6 ϕ,• M,w ϕ1 ∧ ϕ2 iff M,w ϕ1 and M,w ϕ2,• M,w 〈π〉ϕ iff there is w ′ ∈ W such that wRπw

′ and M,w ′ ϕ.

• PDL may be extended. Petri-PDL is one such extension.



PDL



• π ::= α | π;π | π ∪ π | π?.• Model: M = 〈W,Rπ,V〉, W is a set of states or worlds,Rπ ⊆ W ×W, for each basic program πb, V : Φ→ 2W is a valuationfunction.

Kripke structure


′ and M,w ′ ϕ.




PDL



• π ::= α | π;π | π ∪ π | π?.• Model: M = 〈W,Rπ,V〉, W is a set of states or worlds,Rπ ⊆ W ×W, for each basic program πb, V : Φ→ 2W is a valuationfunction. Kripke structure


′ and M,w ′ ϕ.




Petri-PDL

Petri-PDL extends PDL with a new set of programs π which are essentiallya combination of 3 basic ones:

X Y

(a) Type 1 : t1

X

Y

Z

(b) Type 2 : t2

X

Y

Z

(c) Type 3 : t3

Basic Petri nets



Petri-PDL

• Syntax:• πb ::= a t1 b | ab t2 c | a t3 bc, where a, b, and c are place names,• π ::= πb | π π,• πm ::= (s, π), where s is a multiset of names.

• Model: M = 〈W,Rπ,V,M〉 where 〈W,Rπ,V〉 is a Kripke structureand M : W → S is a function assigning places to worlds.

• Satisfaction:• M,w p iff w ∈ V(p),• M,w >,• M,w ¬ϕ iff M,w 6 ϕ,• M,w ϕ1 ∧ ϕ2 iff M,w ϕ1 and M,w ϕ2,• M,w 〈s, η〉ϕ iff there exists

v ∈ W,wRηv , s ⊆ M(w), and M,v ϕ.

• In a nutshell: Petri-PDL is a PDL where programs are marked netswhose models are Kripke structures with an assignment of places toworlds.



Rock-Paper-Scissors in Petri-PDL

R1 S2 P1 R2 S1 P2

W1W2

D

G1 G2

C

Petri Net for “Rock-Paper-Sicissors”game

In Petri-PDL:π = ct3g1g2 g1t1r1 g1t1s1 g1t1p1 g2t1r2 g2t1s2 g2t1p2 r1s2t2w1 r1p2t2w2 r1r2t2d s1r2t2w2 s1s2t2d s1p2t2w1 p1r2t2w1 p1s2t2w2 p1p2t2d .



Kripke structures as rewrite theories

Let’s recall from Slide 87 how Kripke structures are represented asRewriting Logic theories!



PETRI-PDL Maude module1 mod PETRI−PDL i s2 s o r t P l a c e P l a c e s B a s i c P r o g Prog Net .3 sub so r t P l a c e < P l a c e s .4 sub so r t B a s i c P r o g < Prog .5

6 op : P l a c e s P l a c e s −> P l a c e s [ p r e c 20 a s s o c comm i d : e p s i l o n ].

7 op t 1 : P l a c e P l a c e −> B a s i c P r o g [ p r e c 3 0 ] .8 op t 2 : P l a c e P l a c e P l a c e −> B a s i c P r o g [ p r e c 3 0 ] .9 op t 3 : P l a c e P l a c e P l a c e −> B a s i c P r o g [ p r e c 3 0 ] .

10 op + : Prog Prog −> Prog [ a s s o c comm p r e c 4 0 ] .11 op , : P l a c e s Prog −> Net .12

13 va r s A B C : P l a c e . var W : P l a c e s . var P : Prog .14

15 r l [ t1 ] : A W , A t1 B => B W , A t1 B .16 r l [ t2 ] : A B W , A B t2 C => C W , A B t2 C .17 r l [ t3 ] : A W , A t3 B C => B C W , A t3 B C .18

19 r l [ t1 ] : A W , A t1 B + P => B W , A t1 B + P .20 r l [ t2 ] : A B W , A B t2 C + P => C W , A B t2 C + P .21 r l [ t3 ] : A W , A t3 B C + P => B C W , A t3 B C + P .22 endm



PETRI-PDL Maude module

1 mod PETRI−PDL i s2 s o r t P l a c e P l a c e s B a s i c P r o g Prog Net .3 sub so r t P l a c e < P l a c e s .4 sub so r t B a s i c P r o g < Prog .5

6 op : P l a c e s P l a c e s −> P l a c e s [ p r e c 20 a s s o ccomm i d : e p s i l o n ] .

7 op t 1 : P l a c e P l a c e −> B a s i c P r o g [ p r e c 3 0 ] .8 op t 2 : P l a c e P l a c e P l a c e −> B a s i c P r o g [ p r e c

3 0 ] .9 op t 3 : P l a c e P l a c e P l a c e −> B a s i c P r o g [ p r e c

3 0 ] .10 op + : Prog Prog −> Prog [ a s s o c comm p r e c 4 0 ]

.11 op , : P l a c e s Prog −> Net .12

13 va r s A B C : P l a c e . var W : P l a c e s . var P :Prog .

14

15 r l [ t1 ] : A W , A t1 B => B W , A t1 B .16 r l [ t2 ] : A B W , A B t2 C => C W , A B t2 C .17 r l [ t3 ] : A W , A t3 B C => B C W , A t3 B C .18

19 r l [ t1 ] : A W , A t1 B + P => B W , A t1 B + P .20 r l [ t2 ] : A B W , A B t2 C + P => C W , A B t2

C + P .21 r l [ t3 ] : A W , A t3 B C + P => B C W , A t3 B C

+ P .22 endm

Specifies thebehavior ofPetri-PDL basicprograms.



Maude reflective API in module META-LEVEL

• Allows for the representation and handling of modules as terms andterms as meta-terms.

• Includes functions:• metaSearch: given a meta-module and a meta-term produces the terms

reachable from the given meta-term according to the givenmeta-module.

• upModule: produces the meta-representation of a module.• upTerm: produces the meta-representation of a term.• downTerm: produces the object representation of a meta-term.



Petri-PDL Maude model checker

• Given a Petri-PDL model•M= 〈

•W,Rπ,V〉, with

•W= (S × π), we

associate it with a rewrite theory R = 〈ΣNet ,Evaluation,RNet〉 where

Net =•W and valuation : S → FormulaSet such that

K(R, [Net]) = (TΣNet, (→1

RNet)•,Evaluation) =

•M.

• Module PETRI-PDL-MODEL-CHECKER includes modulesPETRI-PDL and META-LEVEL.

• Sort Places represents set S .• Relation Rπ is implemented by meta-function ppdlNStepRew, which

encapsulates a call to metaSeach from Maude META-LEVEL..• Meta-function modelCheck is responsible for the implementation of

Petri-PDL’ satisfaction predicate (which includes the “modalitygenerator”).

• Module VALUATION, that includes PETRI-PDL-MODEL-CHECKER,provides equations for operation valuation defining which atomicpropositions hold on each place.



Petri-PDL Maude model checker code

Let’s take a look at the code!



Model checking “Rock-Paper-Scissors”

1 mod VALUATION i s2 i n c PETRI−PDL−MODEL−CHECKER .3 ops c g1 g2 s1 s2 r 1 r 2 p1 p2 w1 w2 d : −> P l a c e .4 ops p q : −> Formula .5 eq v a l u a t i o n (w1) = p . eq v a l u a t i o n (w2) = q . eq v a l u a t i o n ( d ) =

( (¬ p ) (¬ q ) ) .6 endm

1 reduce i n VALUATION : modelCheck (¬ < c , ( g1 t1 r 1 + g1 t1 p1 + g1 t1s1 + g2 t1 r 2 +

2 g2 t1 p2 + g2 t1 s2 + ( ( ( ( ( ( (3 s1 s2 t2 d + s1 p2 t2 w1) + s1 r 2 t2 w2) + p1 s2 t2 w2) + p1 p2

t2 d ) + p1 r2 t2 w1) + r 1 s2 t2 w1) + r 1 p24 t2 w2) + r 1 r 2 t2 d ) + c t3 g1 g2 > (¬ ( p \/ q ) ) , 4 , mt−

p l a c e s l i s t s e t ) .5 r e w r i t e s : 1139 i n 24ms cpu (25ms r e a l ) (45942 r e w r i t e s / second )6 r e s u l t PPDLModel : ppdlModel ( f a l s e , c −> g1 g2 −> g1 s2 −> s1 s2 −>

d )



Bibliography

• Kyungmin Bae and Jose Meseguer, A Rewriting-Based Model Checker forthe Linear Temporal Logic of Rewriting.

• Kyungmin Bae and Jose Meseguer, The Maude LTLR Model checker.

• Steven Eker et al, The Maude LTL model checker.

• Santiago Escobar et al., Built-in Variant Generation and Unification, andTheir Applications in Maude 2.7

• Narciso Martı-Oliet and Jose Meseguer, Rewriting Logic as a logical andsemantic framework.

• Narciso Martı-Oliet, Specifying, Programming and Verifying in Maude,Lecture notes.

• Jose Meseguer, Conditional rewriting logic as a unified model of concurrency.

• Jose Meseguer, The Temporal Logic of Rewriting: A Gentle Introduction.

• Jose Meseguer, Twenty years of Rewriting Logic.


maude in a nutshell - universidade federal fluminensecbraga/maude-in-a-nutshell/unb.pdfthis course...

Documents