TDDC 05: Embedded Systems Simulation and Verification
Lecture 5: Proof systems, Sequent Calculus and Stålmarck's method

Simin Nadjm-Tehrani
Real-time Systems Laboratory
Department of Computer and Information Science

Embedded systems simulation and verification
Linköping university
Spring term 2006

Train example revisited
• Let formula M represent the closed system's design model, and R represent the requirements specification.
• Does M ⊨ R hold then?
• Can one prove this without checking all possible interpretations?
Mechanical deduction
• Proof systems and proof methods (sv. bevissystem resp. bevismetod) make this possible.
• Examples of deduction mechanisms:
  – Sequent calculus
  – Resolution
  – Natural deduction
Sequent Calculus
• Let Γ and Δ be sequences of formulas F1, …, Fn resp. G1, …, Gm, with n, m ≥ 0.
• A sequent is a triple Γ ⊢ Δ, read as: "formulas in Γ are true and formulas in Δ are false".
Proof procedure
In order to prove Γ ⊢ Δ we must prove Γ' ⊢ Δ', and so on:
  Γ ⊢ Δ
  Γ' ⊢ Δ'
  .
  .
  .
  Γ'', F ⊢ Δ'', F
But this is where we stop.

Proof rules (1)

(andL)
  Γ, F, G ⊢ Δ
  ----------------
  Γ, F ∧ G ⊢ Δ

(andR)
  Γ ⊢ Δ, F     Γ ⊢ Δ, G
  ------------------------
  Γ ⊢ Δ, F ∧ G
Proof rules (2)

(orL)
  Γ, F ⊢ Δ     Γ, G ⊢ Δ
  ------------------------
  Γ, F ∨ G ⊢ Δ

(orR)
  Γ ⊢ Δ, F, G
  ----------------
  Γ ⊢ Δ, F ∨ G

Proof rules (3)

(implL)
  Γ ⊢ F, Δ     Γ, G ⊢ Δ
  ------------------------
  Γ, F → G ⊢ Δ

(implR)
  Γ, F ⊢ Δ, G
  ----------------
  Γ ⊢ Δ, F → G

Proof rules (4)

(negL)
  Γ ⊢ F, Δ
  --------------
  Γ, ¬F ⊢ Δ

(negR)
  Γ, F ⊢ Δ
  --------------
  Γ ⊢ ¬F, Δ

Provable
• Γ ⊢ Δ is provable if there exists a proof tree with the root Γ ⊢ Δ in which all leaves have the form Γ1, F ⊢ Δ1, F.
• Γ ⊢ Δ is not provable if there exists a tree with the root Γ ⊢ Δ in which some leaf has the form Γ1 ⊢ Δ1 and Γ1 ∩ Δ1 = ∅.
Soundness and completeness
• Theorem [soundness]: If Γ ⊢ Δ is provable then Γ ⊨ Δ.
• Theorem [completeness]: If Γ ⊨ Δ then Γ ⊢ Δ is provable.

Corollaries
• Γ is unsatisfiable iff Γ ⊢ ⊥ is provable.
• Γ is satisfiable iff Γ ⊢ ⊥ is not provable.
Exercise
• Use sequent calculus to show that the train crossing system satisfies its safety requirements.
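As an added worked example (this is not code from the lecture), the following Python program turns the eight proof rules and the provability criterion into a backward proof search: it expands the first compound formula it finds, closes a branch on an axiom leaf Γ1, F ⊢ Δ1, F, and otherwise returns the interpretation read off an open leaf with Γ1 ∩ Δ1 = ∅. The tuple encoding of formulas, the function names, and the convention that an empty right-hand side stands in for ⊥ in the corollaries are this example's own assumptions; the slides give no requirement R for the train system, so the sample sequents here are small propositional ones.

```python
# Added example: backward proof search for propositional sequents Γ ⊢ Δ
# using exactly the rules (andL) ... (negR) and the "Provable" criterion.
# Formulas are tuples: ('var', 'p'), ('not', F), ('and', F, G),
# ('or', F, G), ('imp', F, G).  Γ and Δ are Python lists of formulas.

def var(p):      return ('var', p)
def neg(f):      return ('not', f)
def conj(f, g):  return ('and', f, g)
def disj(f, g):  return ('or', f, g)
def imp(f, g):   return ('imp', f, g)


def falsifying_leaf(gamma, delta):
    """Search a proof tree for gamma ⊢ delta.  Returns None when every branch
    closes with an axiom leaf Γ1, F ⊢ Δ1, F (the sequent is provable).
    Otherwise returns the interpretation read off an open leaf Γ1 ⊢ Δ1 with
    Γ1 ∩ Δ1 = ∅ (atoms of Γ1 true, atoms of Δ1 false), which makes Γ true
    and Δ false, so the sequent is not provable.  Every rule shrinks the
    sequent, so the search terminates."""
    if any(f in delta for f in gamma):                       # axiom leaf
        return None
    for i, f in enumerate(gamma):                            # left rules
        rest = gamma[:i] + gamma[i + 1:]
        if f[0] == 'and':                                    # (andL)
            return falsifying_leaf(rest + [f[1], f[2]], delta)
        if f[0] == 'or':                                     # (orL): two premises
            left = falsifying_leaf(rest + [f[1]], delta)
            return left if left is not None else falsifying_leaf(rest + [f[2]], delta)
        if f[0] == 'imp':                                    # (implL): two premises
            left = falsifying_leaf(rest, [f[1]] + delta)
            return left if left is not None else falsifying_leaf(rest + [f[2]], delta)
        if f[0] == 'not':                                    # (negL)
            return falsifying_leaf(rest, [f[1]] + delta)
    for i, f in enumerate(delta):                            # right rules
        rest = delta[:i] + delta[i + 1:]
        if f[0] == 'and':                                    # (andR): two premises
            left = falsifying_leaf(gamma, rest + [f[1]])
            return left if left is not None else falsifying_leaf(gamma, rest + [f[2]])
        if f[0] == 'or':                                     # (orR)
            return falsifying_leaf(gamma, rest + [f[1], f[2]])
        if f[0] == 'imp':                                    # (implR)
            return falsifying_leaf(gamma + [f[1]], rest + [f[2]])
        if f[0] == 'not':                                    # (negR)
            return falsifying_leaf(gamma + [f[1]], rest)
    # Only atoms remain and none occurs on both sides: open leaf, Γ1 ∩ Δ1 = ∅.
    return {**{f[1]: False for f in delta}, **{f[1]: True for f in gamma}}


def provable(gamma, delta):
    return falsifying_leaf(list(gamma), list(delta)) is None


def unsatisfiable(gamma):
    """Corollary: Γ is unsatisfiable iff Γ ⊢ ⊥ is provable.  This example has
    no ⊥ constant; since ⊥ is false in every interpretation, Γ ⊢ ⊥ and
    Γ ⊢ (empty Δ) mean the same thing, so the empty succedent is used."""
    return provable(gamma, [])


if __name__ == '__main__':
    p, q = var('p'), var('q')
    print(provable([], [imp(p, imp(q, p))]))       # True: p → (q → p) is valid
    print(falsifying_leaf([p], [q]))                # {'p': True, 'q': False}
    print(unsatisfiable([p, neg(p)]))               # True
```

The open-leaf dictionary is the practical payoff of the "not provable" clause on the Provable slide: it is exactly the interpretation a model checker would report as a counterexample, found without enumerating all interpretations.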
The Stålmarck method
Builds on a proof system in which:
• Formulas only use → and ⊥
• The rules consist of 7 simple rules and one branching rule (the so-called Dilemma rule)
Formulas as triplets
Let the implication A be represented by B1, B2, …, Bk where
• Bi are subformulas in A, and have the form Ci → Di
• Bk is the same as A
• We denote the subformulas Bi with new symbols bi, i.e. bi = rep(Bi)

Triplets
• Formulas are represented by a set of triplets:
  { (b1, rep(C1), rep(D1)),
    (b2, rep(C2), rep(D2)),
    ...
    (bk, rep(Ck), rep(Dk)) }
• ⊥ is represented by 0
• ⊥ → ⊥ is represented by 1

Example
• (p → (q → p)) is represented by {(b1, q, p), (b2, p, b1)}
Terminals
Triplets that can not be transformed any more (contradictions):
• (1, 1, 0)
• (0, x, 1)
• (0, 0, x)

The train system
• ((A ∨ I) → D) ∧ ((F ∨ L) → U) must first be rewritten as:
  ((((A → D) → ⊥) → ⊥) → ((I → D) → ⊥)) → ⊥) → … etc
Stålmarck's simple rules
A triplet (x, y, z) stands for x = rep(y → z); "y/1" means: substitute 1 for y.
• (r1)  (0, y, z)  ⟹  y/1, z/0
• (r2)  (x, y, 1)  ⟹  x/1
• (r3)  (x, 0, z)  ⟹  x/1
• (r4)  (x, 1, z)  ⟹  x/z
• (r5)  (x, y, 0)  ⟹  x/¬y
• (r6)  (x, x, z)  ⟹  z/1
• (r7)  (x, y, y)  ⟹  x/1

Dilemma rule
            T
     T[x/0]     T[x/1]
       D1         D2
     U[S1]      V[S2]
  ----------------------
       T[S1 ∩ S2]
From the triplet set T, assume x/0 and derive (D1) U[S1]; assume x/1 and derive (D2) V[S2]; what both branches agree on, S1 ∩ S2, holds for T.

Theorem
• Stålmarck's proof system is sound and complete: Γ ⊢ Δ iff Γ ⊨ Δ.
• And it is computationally efficient!

Proof example
• Show that (p → (q → p)).
• (b1, q, p), (b2, p, b1)
• Assume b2 = 0; via (r1): p/1, b1/0
• (0, q, 1), (0, 1, 0)
• Since (0, q, 1) is a terminal (we arrive at a contradiction) the assumption does not hold. Thus, b2 = 1.
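As an added worked example (not code from the lecture), the Python program below implements the triplet representation rep(), the seven simple rules, the three terminals and the Dilemma rule, and uses them the way the proof example does: assume the formula's own symbol is 0 and look for a terminal. Two things are this example's own devices rather than the slides': a literal carries a sign so that rule (r5)'s x/¬y can be recorded as a substitution, and `is_tautology` applies the Dilemma rule only one level deep (so `False` means "not proved at this depth", not "refuted"). The exclusive-or style formula in the usage section is constructed here to show a case where the simple rules alone do not close the proof but the Dilemma rule does.

```python
# Added example: Stålmarck's method on triplets (x, y, z), x = rep(y → z).
# Literals: 0 (⊥), 1 (⊥ → ⊥), or (name, sign) with sign +1 for a symbol and
# -1 for its negation; the signed form is this example's device for r5.

class Contradiction(Exception):
    """A terminal (1,1,0), (0,x,1), (0,0,x) or a clash between substitutions."""

def imp(c, d): return ('imp', c, d)
def lit(v):    return (v, 1)
def neg(l):    return 1 - l if isinstance(l, int) else (l[0], -l[1])

def to_triplets(formula):
    """rep(): formula over → and ⊥ ('p', 0, ('imp', C, D)) -> (root literal,
    [(b_i, rep(C_i), rep(D_i)), ...]), one fresh b_i per distinct C_i → D_i;
    the last triplet is the formula itself (b_k)."""
    triplets, memo = [], {}
    def rep(f):
        if f == 0 or isinstance(f, str):
            return 0 if f == 0 else lit(f)
        if f not in memo:
            rc, rd = rep(f[1]), rep(f[2])
            if rc == 0 and rd == 0:                  # ⊥ → ⊥ is represented by 1
                memo[f] = 1
            else:
                memo[f] = lit('b%d' % (len(triplets) + 1))
                triplets.append((memo[f], rc, rd))
        return memo[f]
    return rep(formula), triplets

def resolve(l, S):
    """Apply the substitution set S to a literal until it is fixed."""
    while not isinstance(l, int) and l[0] in S:
        l = S[l[0]] if l[1] == 1 else neg(S[l[0]])
    return l

def unify(a, b, S):
    """Record the substitution a/b in S. True if S grew; Contradiction on a clash."""
    a, b = resolve(a, S), resolve(b, S)
    if a == b:
        return False
    if isinstance(a, int) and isinstance(b, int):
        raise Contradiction((a, b))                  # e.g. 1/0
    if isinstance(a, int):
        a, b = b, a                                  # bind the symbol side
    if not isinstance(b, int) and a[0] == b[0]:
        raise Contradiction(a)                       # p/¬p
    S[a[0]] = b if a[1] == 1 else neg(b)
    return True

def simple_rules(triplets, S):
    """Apply r1-r7 to all triplets until nothing new is derived (0-saturation)."""
    changed = True
    while changed:
        changed = False
        for t in triplets:
            x, y, z = (resolve(l, S) for l in t)
            if (x, y, z) == (1, 1, 0) or (x == 0 and (y == 0 or z == 1)):
                raise Contradiction((x, y, z))       # terminal reached
            if x == 0: changed |= unify(y, 1, S) | unify(z, 0, S)   # r1
            if z == 1: changed |= unify(x, 1, S)                    # r2
            if y == 0: changed |= unify(x, 1, S)                    # r3
            if y == 1: changed |= unify(x, z, S)                    # r4
            if z == 0: changed |= unify(x, neg(y), S)               # r5
            if x == y: changed |= unify(z, 1, S)                    # r6
            if y == z: changed |= unify(x, 1, S)                    # r7
    return S

def dilemma(triplets, S, x):
    """Dilemma rule: try x/0 and x/1, saturate each branch to U[S1] and V[S2],
    keep T[S1 ∩ S2]. A branch ending in a terminal is dropped, so the
    surviving branch's substitutions are kept whole."""
    results = []
    for value in (0, 1):
        branch = dict(S)
        try:
            unify(x, value, branch)
            results.append(simple_rules(triplets, branch))
        except Contradiction:
            pass
    if not results:
        raise Contradiction(x)                       # both branches closed
    if len(results) == 1:
        return results[0]
    S1, S2 = results
    common = dict(S)
    for v in set(S1) & set(S2):                      # substitutions both agree on
        if resolve(lit(v), S1) == resolve(lit(v), S2):
            common[v] = resolve(lit(v), S1)
    return common

def is_tautology(formula, use_dilemma=True):
    """Refutation proof as on the slide: assume rep(A) = 0 and look for a
    terminal, first by 0-saturation, then with one level of the Dilemma rule
    on each remaining symbol. True: proved. False: not proved at this depth."""
    root, triplets = to_triplets(formula)
    S = {}
    try:
        unify(root, 0, S)
        simple_rules(triplets, S)
        if use_dilemma:
            symbols = {resolve(l, S)[0] for t in triplets for l in t
                       if not isinstance(resolve(l, S), int)}
            for v in sorted(symbols):
                S = simple_rules(triplets, dilemma(triplets, S, lit(v)))
        return False
    except Contradiction:
        return True
```

Running `to_triplets(imp('p', imp('q', 'p')))` reproduces the slide's set {(b1, q, p), (b2, p, b1)}, and `is_tautology` on it follows the proof example (b2/0 gives p/1, b1/0 by r1, then (0, q, 1) is a terminal). The constructed formula (¬p → q) → ((¬p → ¬q) → ((p → q) → ((p → ¬q) → ⊥))) is where the Dilemma rule earns its keep: after 0-saturation the four clauses remain as (1, ¬p, q), (1, ¬p, ¬q), (1, p, q), (1, p, ¬q), no simple rule applies, and only splitting on p closes both branches.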
Epilog
I deeply disagree
with Shakespeare's bright suggestion:
To be or not to be, that is the question.
The truth has dawned on me,
his faithful lancer:
To be and not to be, that is the answer.