Theoretical Foundations of the UML Lecture 15+16: A Logic for MSCs - - PowerPoint PPT Presentation

SLIDE 1

Theoretical Foundations of the UML

Lecture 15+16: A Logic for MSCs Joost-Pieter Katoen

Lehrstuhl für Informatik 2 Software Modeling and Verification Group moves.rwth-aachen.de/teaching/ss-20/fuml/

June 15, 2020

Joost-Pieter Katoen Theoretical Foundations of the UML 1/41

SLIDE 2

Outline

1

Introduction

2

Local Formulas and Path Expressions Syntax Formal Semantics

3

PDL Formulas

4

Verification problems for PDL Model checking MSCs Model checking CFMs Model checking MSGs Satisfiability

Joost-Pieter Katoen Theoretical Foundations of the UML 2/41

SLIDE 3

Overview

1

Introduction

2

Local Formulas and Path Expressions Syntax Formal Semantics

3

PDL Formulas

4

Verification problems for PDL Model checking MSCs Model checking CFMs Model checking MSGs Satisfiability

Joost-Pieter Katoen Theoretical Foundations of the UML 3/41

SLIDE 4

A logic for MSCs

This lecture will be devoted to a logic that is interpreted over MSCs

Joost-Pieter Katoen Theoretical Foundations of the UML 4/41 "÷

"÷÷

SLIDE 5

A logic for MSCs

This lecture will be devoted to a logic that is interpreted over MSCs The logic is used to umambigously express properties of MSCs

does a given MSC M satisfy the logical formula ϕ?

And to characterise a set of MSCs by means of a logical formula

all MSCs that satisfy the formula ϕ

Based on propositional dynamic logic (PDL) [Fischer & Ladner, 1979]

combines easy-to-grasp concepts such as regular expressions and Boolean operators Joost-Pieter Katoen Theoretical Foundations of the UML 4/41 + modal

logic

a ; &

• V

n ⇒ s > Atx E ] a*

SLIDE 6

A logic for MSCs

This lecture will be devoted to a logic that is interpreted over MSCs The logic is used to umambigously express properties of MSCs

does a given MSC M satisfy the logical formula ϕ?

And to characterise a set of MSCs by means of a logical formula

all MSCs that satisfy the formula ϕ

Based on propositional dynamic logic (PDL) [Fischer & Ladner, 1979]

combines easy-to-grasp concepts such as regular expressions and Boolean operators

Syntax, semantics, examples and various verification problems.

Joost-Pieter Katoen Theoretical Foundations of the UML 4/41

SLIDE 7

Some informal example properties

1 The (unique) maximal event of M is labeled by ?(2, 1, a) Yes.

No.

Joost-Pieter Katoen Theoretical Foundations of the UML 5/41

• co

co @ ⑥ O

• M

left M right Mleff Might

SLIDE 8

Some informal example properties

1 The (unique) maximal event of M is labeled by ?(2, 1, a) Yes.

No.

2 The maximal event on process 2 is labeled by ?(2, 1, a)

Yes. Yes.

Joost-Pieter Katoen Theoretical Foundations of the UML 5/41

• M

left Aright

SLIDE 9

Some informal example properties

1 The (unique) maximal event of M is labeled by ?(2, 1, a) Yes.

No.

2 The maximal event on process 2 is labeled by ?(2, 1, a)

Yes. Yes.

3 No two consecutive events are labeled with ?(2, 3, c)

No. Yes.

Joost-Pieter Katoen Theoretical Foundations of the UML 5/41

• M

left M right

SLIDE 10

Some informal example properties

1 The (unique) maximal event of M is labeled by ?(2, 1, a) Yes.

No.

2 The maximal event on process 2 is labeled by ?(2, 1, a)

Yes. Yes.

3 No two consecutive events are labeled with ?(2, 3, c)

No. Yes.

4 The number of send events at process 3 is odd.

No. No.

Joost-Pieter Katoen Theoretical Foundations of the UML 5/41 @

• ⑥

a M M left right

SLIDE 11

The need for logics

Properties stated in natural language are ambiguous. We prefer to use a formal language for expressing properties. A formal semantics yields an unambiguous interpretation. This provides the basis for verification algorithms and common understanding. As formal language for properties we use logic.

Joost-Pieter Katoen Theoretical Foundations of the UML 6/41

SLIDE 12

Overview

1

Introduction

2

Local Formulas and Path Expressions Syntax Formal Semantics

3

PDL Formulas

4

Verification problems for PDL Model checking MSCs Model checking CFMs Model checking MSGs Satisfiability

Joost-Pieter Katoen Theoretical Foundations of the UML 7/41

SLIDE 13

The logic PDL

Local formulas

Statements interpreted for single events in an MSC Express properties about other events at the same process Express properties about send and matched receive events Joost-Pieter Katoen Theoretical Foundations of the UML 8/41

f

2 2 vertical { e .

be

, . → e " →

• horizontal

SLIDE 14

The logic PDL

Local formulas

Statements interpreted for single events in an MSC Express properties about other events at the same process Express properties about send and matched receive events

Path expressions

Used to navigate through an MSC Use choice, concatenation and repetition Can be embraced in box and diamond modalities Joost-Pieter Katoen Theoretical Foundations of the UML 8/41 a ' " a a

• IT

>

Lp

'

¥

.

!

!

.

t

.

⇒

← . * regular expressions

(

x ; p > true ( a

;ptx

'

;p

' > tone

SLIDE 15

The logic PDL

Local formulas

Statements interpreted for single events in an MSC Express properties about other events at the same process Express properties about send and matched receive events

Path expressions

Used to navigate through an MSC Use choice, concatenation and repetition Can be embraced in box and diamond modalities

PDL-formulas

Express properties about an entire MSC Joost-Pieter Katoen Theoretical Foundations of the UML 8/41

• events

SLIDE 16

Local formulas

Local formulas

These are statements over single events in an MSC. That is, an event either satisfies or refutes such formula.

Example local formulas

!(1, 2, a) The current event is labeled with !(1, 2, a) Joost-Pieter Katoen Theoretical Foundations of the UML 9/41 e

§a

e ' e E ! Caria ) e '

tf

! Caza )

SLIDE 17

Local formulas

Local formulas

These are statements over single events in an MSC. That is, an event either satisfies or refutes such formula.

Example local formulas

!(1, 2, a) The current event is labeled with !(1, 2, a) proctrue There is a next event at the same process Joost-Pieter Katoen Theoretical Foundations of the UML 9/41 I 2 3 e

• e

f C proc > true

I

• e

' tf Cpuc > true e '

SLIDE 18

Local formulas

Local formulas

These are statements over single events in an MSC. That is, an event either satisfies or refutes such formula.

Example local formulas

!(1, 2, a) The current event is labeled with !(1, 2, a) proctrue There is a next event at the same process proc; proctrue There are (at least) two next events at this process Joost-Pieter Katoen Theoretical Foundations of the UML 9/41

• e

a

f

e t ( proc ; proc > tune e ' a

t

e "

SLIDE 19

Local formulas

Local formulas

These are statements over single events in an MSC. That is, an event either satisfies or refutes such formula.

Example local formulas

!(1, 2, a) The current event is labeled with !(1, 2, a) proctrue There is a next event at the same process proc; proctrue There are (at least) two next events at this process [proc]−1false There is no preceding event at this process Joost-Pieter Katoen Theoretical Foundations of the UML 9/41

• T
• f
• et

[ proc ]

• '

false

• e

" look backwards "

• e

, e '

tf

Epoc ]

• 1

false

SLIDE 20

Local formulas

Local formulas

These are statements over single events in an MSC. That is, an event either satisfies or refutes such formula.

Example local formulas

!(1, 2, a) The current event is labeled with !(1, 2, a) proctrue There is a next event at the same process proc; proctrue There are (at least) two next events at this process [proc]−1false There is no preceding event at this process msgtrue This event is a send matching a (next) receive event Joost-Pieter Katoen Theoretical Foundations of the UML 9/41

I

.

]

Ceo-→ e , e f C msg > tune

SLIDE 21

Local formulas

Local formulas

These are statements over single events in an MSC. That is, an event either satisfies or refutes such formula.

Example local formulas

!(1, 2, a) The current event is labeled with !(1, 2, a) proctrue There is a next event at the same process proc; proctrue There are (at least) two next events at this process [proc]−1false There is no preceding event at this process msgtrue This event is a send matching a (next) receive event proc ?(1, 2, b) Event ?(1, 2, b) is a possible next event on this process Joost-Pieter Katoen Theoretical Foundations of the UML 9/41

sit

SLIDE 22

Local formulas

Local formulas

These are statements over single events in an MSC. That is, an event either satisfies or refutes such formula.

Example local formulas

!(1, 2, a) The current event is labeled with !(1, 2, a) proctrue There is a next event at the same process proc; proctrue There are (at least) two next events at this process [proc]−1false There is no preceding event at this process msgtrue This event is a send matching a (next) receive event proc ?(1, 2, b) Event ?(1, 2, b) is a possible next event on this process [{ ¬!(1, 2, a) }]true An event is possible after any event different from !(1, 2, a) Joost-Pieter Katoen Theoretical Foundations of the UML 9/41

←

SLIDE 23

Local formulas

Definition (Syntax of local formulas)

For communication action σ ∈ Act and path expression α, the grammar

• f local formulas is given by:

ϕ ::= true | σ | ¬ϕ | ϕ ∨ ϕ | αϕ | α−1ϕ The syntax of path expressions α will be defined later on.

Joost-Pieter Katoen Theoretical Foundations of the UML 10/41

• I

(

"

, a ,

Kaisa

an " > ? ( 2,3 , by } Awards backwards

SLIDE 24

Local formulas

Definition (Syntax of local formulas)

For communication action σ ∈ Act and path expression α, the grammar

• f local formulas is given by:

ϕ ::= true | σ | ¬ϕ | ϕ ∨ ϕ | αϕ | α−1ϕ The syntax of path expressions α will be defined later on.

Definition (Derived operators)

false := ¬true ϕ1 ∧ ϕ2 := ¬(¬ϕ1 ∨ ¬ϕ2) ϕ1 → ϕ2 := ¬ϕ1 ∨ ϕ2 [α]ϕ := ¬α¬ϕ [α]−1ϕ := ¬α−1 ¬ϕ

Joost-Pieter Katoen Theoretical Foundations of the UML 10/41

• 11

I I

a :*

:÷ :#

i÷÷÷÷÷÷

.

satisfy

if [ )

• i

( )

• i

77

SLIDE 25

Intuitive meaning of local formulas

true Valid statement. Satisfied by every event. σ Current event is labelled with σ ¬ϕ Current event does not satisfy ϕ ϕ1 ∨ ϕ2 Current event satisfies ϕ1 or ϕ2 αϕ Some forward path satisfying α reaches an event satisfying ϕ

Joost-Pieter Katoen Theoretical Foundations of the UML 11/41

O

• s >

e . → 2 = poc ; proc ; msg

t

.

• t .→_•

e- true

SLIDE 26

Intuitive meaning of local formulas

true Valid statement. Satisfied by every event. σ Current event is labelled with σ ¬ϕ Current event does not satisfy ϕ ϕ1 ∨ ϕ2 Current event satisfies ϕ1 or ϕ2 αϕ Some forward path satisfying α reaches an event satisfying ϕ α−1 ϕ Some backward path α reaches an event satisfying ϕ

Joost-Pieter Katoen Theoretical Foundations of the UML 11/41 T

• #

y

a = proc ; msg → → a e

SLIDE 27

Intuitive meaning of local formulas

true Valid statement. Satisfied by every event. σ Current event is labelled with σ ¬ϕ Current event does not satisfy ϕ ϕ1 ∨ ϕ2 Current event satisfies ϕ1 or ϕ2 αϕ Some forward path satisfying α reaches an event satisfying ϕ α−1 ϕ Some backward path α reaches an event satisfying ϕ [α]ϕ All forward paths satisfying α reach an event satisfying ϕ

Joost-Pieter Katoen Theoretical Foundations of the UML 11/41

• (

a > = " existential

quantification

• ver

possible

navigations

through

a MSC " [ a ] = " universal

quantification

• .

. .

• .

, "

SLIDE 28

Intuitive meaning of local formulas

true Valid statement. Satisfied by every event. σ Current event is labelled with σ ¬ϕ Current event does not satisfy ϕ ϕ1 ∨ ϕ2 Current event satisfies ϕ1 or ϕ2 αϕ Some forward path satisfying α reaches an event satisfying ϕ α−1 ϕ Some backward path α reaches an event satisfying ϕ [α]ϕ All forward paths satisfying α reach an event satisfying ϕ [α]−1ϕ All backward paths satisfying α reach an event satisfying ϕ How are path expressions like α defined?

Joost-Pieter Katoen Theoretical Foundations of the UML 11/41

SLIDE 29

Path expressions

Definition (Syntax of local formulas)

For communication action σ ∈ Act and path expression α, the grammar of local formulas is given by: ϕ ::= true | σ | ¬ϕ | ϕ ∨ ϕ | αϕ | α−1ϕ

Definition (Syntax of path expressions)

For local formula ϕ, the grammar of path expressions is given by: α ::= { ϕ } | proc | msg | α; α | α + α | α∗

Joost-Pieter Katoen Theoretical Foundations of the UML 12/41 ^

4

T Eaten .tn/-lkleere

/

keywords alternative

Steffan

SLIDE 30

Intuitive meaning of path expressions

{ ϕ } specifies an event that satisfies ϕ proc requires a (direct) successor relation between events at the same process msg requires a matching between current event and a receive event The composition α; β defines the set of pairs (e, e′) for which there exist event e′′ such that (e, e′′) | = α and (e′′, e′) | = β

Joost-Pieter Katoen Theoretical Foundations of the UML 13/41

• e

. a

{

:

• r

e "

• B

e ,

SLIDE 31

Intuitive meaning of path expressions

{ ϕ } specifies an event that satisfies ϕ proc requires a (direct) successor relation between events at the same process msg requires a matching between current event and a receive event The composition α; β defines the set of pairs (e, e′) for which there exist event e′′ such that (e, e′′) | = α and (e′′, e′) | = β α + β denotes the union of the relations α and β α∗ denotes the reflexive and transitive closure of the relation α

Joost-Pieter Katoen Theoretical Foundations of the UML 13/41 # Zero

• r

more Limes x

SLIDE 32

Intuitive meaning of local formulas

Local formulas are interpreted over MSC events Event e satisfies !(p, q, a)

• σ

iff e is labelled with action !(p, q, a)

• σ

Path expression α defines a binary relation between events:

1 {ϕ} is the set of pairs (e, e′) such that e satisfies ϕ 2 (e, e′) | = proc iff e and e′ reside at the same process (p, say) and e′ is a direct successor of e wrt. <p 3 (e, e′) | = msg iff e′ is the matching event of e, i.e., e′ = m(e) Joost-Pieter Katoen Theoretical Foundations of the UML 14/41

• D

SLIDE 33

Forward and backward local formulas

Event e satisfies αϕ iff there is an event e′ such that (e, e′) satisfies α and e′ satisfies ϕ

Joost-Pieter Katoen Theoretical Foundations of the UML 15/41

↳

e ' can be reached from e when navigating according to x .

SLIDE 34

Forward and backward local formulas

Event e satisfies αϕ iff there is an event e′ such that (e, e′) satisfies α and e′ satisfies ϕ Formula αϕ looks “forward” along the partial order of the MSC starting from the current event The interpretation of α−1ϕ is dual, i.e., e satisfies it iff there is an event e′ such that (e′, e) satisfies α and e′ satisfies ϕ Formula α−1ϕ looks “backward” along the partial order of the MSC starting from the current event

Joost-Pieter Katoen Theoretical Foundations of the UML 15/41

SLIDE 35

Example

1 u |

= !(1, 2, a) u is labelled with the action !(1, 2, a)

2 u |

= [proc]−1 false u is the first event on u’s process

3 u |

= msg?(2, 1, a) event u matches with the event v

Joost-Pieter Katoen Theoretical Foundations of the UML 16/41

• ,

I

v t ? Can , a)

SLIDE 36

Example

1 u |

= !(1, 2, a) u is labelled with the action !(1, 2, a)

2 u |

= [proc]−1 false u is the first event on u’s process

3 u |

= msg?(2, 1, a) event u matches with the event v

4 u |

= (proc + msg)∗!(3, 2, c) event u happens before !(3, 2, c)

Joost-Pieter Katoen Theoretical Foundations of the UML 16/41

• ←

X I →

f

• ←

K ! ( 3,2 , c ) W event w

• u

f S proc ; msg ; proc ) ! ( 3,2 . c )

÷

SLIDE 37

Semantics of local formulas (1)

Definition (Syntax of local formulas)

For communication action σ ∈ Act and path expression α: ϕ ::= true | σ | ¬ϕ | ϕ ∨ ϕ | αϕ | α−1ϕ

Definition (Semantics of base local formulas)

Let M = (P, E, C, l, m, <) ∈ M be an MSC and e ∈ E.

Binary relation | = is defined such that ((M, e), ϕ) ∈ | = iff event e of MSC M satisfies local formula ϕ. We write M, e | = ϕ for ((M, e), ϕ) ∈ | =.

M, e | = true for all e ∈ E M, e | = σ iff l(e) = σ M, e | = ¬ϕ iff not M, e | = ϕ M, e | = ϕ1 ∨ ϕ2 iff M, e | = ϕ1 or M, e | = ϕ2

Joost-Pieter Katoen Theoretical Foundations of the UML 17/41

• ÷

c

)

SLIDE 38

Semantics of local formulas (2)

Definition (Semantics of forward path formulas)

Let M = (P, E, C, l, m, <) ∈ M be an MSC and e ∈ E. e | = {ψ}ϕ iff e | = ψ and e | = ϕ e | = procϕ iff ∃e′ ∈ E. e < ·p e′ and e′ | = ϕ e | = msgϕ iff ∃e′ ∈ E. e′ = m(e) and e′ | = ϕ e | = α1; α2ϕ iff e | = α1α2ϕ e | = α1 + α2ϕ iff e | = α1ϕ or e | = α2ϕ e | = α∗ϕ iff ∃n ∈ N. e | = (α)n ϕ Where e < ·p e′ iff e <p e′ and ¬(∃e′′. e <p e′′ <p e′), i.e., e′ is a direct successor of e under <p.

Joost-Pieter Katoen Theoretical Foundations of the UML 18/41

• a

> e

MX

, e t Ca > p P

• 243
• proc
• msg

4942

: f

am .

• O

at e D) http iff et K > Kaj > y (

& > Jp

iff eff

9

SLIDE 39

Semantics of local formulas (3)

Definition (Semantics of backward path formulas)

Let M = (P, E, C, l, m, <) ∈ M be an MSC and e ∈ E. e | = {ψ}−1ϕ iff e | = ψ and e | = ϕ e | = proc−1ϕ iff ∃e′ ∈ E. e′ < ·p e and e′ | = ϕ e | = msg−1ϕ iff ∃e′ ∈ E. e′ = m−1(e) and e′ | = ϕ e | = α1; α2−1ϕ iff e | = α1−1α2−1ϕ e | = α1 + α2−1ϕ iff e | = α1−1ϕ or e | = α2−1ϕ e | = α∗−1ϕ iff ∃n ∈ N. e | =

• α−1n ϕ

Joost-Pieter Katoen Theoretical Foundations of the UML 19/41

~

soit

I

weak

• defined

,

• s

function

• mis

bijective

• t

SLIDE 40

Examples

• M

, e

t (

proc

> Cmsg >

true

• T

Tff

(

ta semantics

• f

C proc )

if

te )

(

Fe

' . e

ape

' n M ,e '

f

Cms

g)

be

)

C- E f '

iff

(

t semantics

• f

Cmsg )

Y

' te )

(

Fe

' .

esp

e ' n

(

Fe

" EE .

e'

' em

(

e ' ) and e "

f

true ))

C- E

• Tff

(

F e'

EE .

espe

' n

(

Fe

" EE .

e'

' em

le

' ) ) )

• event

e has a

direct

successor at its

process

which is a send event

with

a matching receive "

• e

'

SLIDE 41

Example

2

• u

f

E

proc )

"

false

• 1
• n

Tff

Csa rewrite

Ex ]

interns

• f

a >

te )

• n

U

f

7

C

proc >

7

false iff

(

se

senates

• f
• se )

not

(

u

f

C

proc

)

• ^

true

)

Tff

Ct

semantics

• f

Cpw

→

p

& )

not

(

Fv

"

EE

.

Vt Ep

u and v '

Ftme ) iff

not

(

Fu

'

EE

.

V'

Gp

u ) "

there

is no

preceding

event to

u

at

its

process

"

SLIDE 42

Example

3

if

• u

f C

( pwctmsg

)*

>

! (

size )

iff

( te

semantics

• f

S

a > * & )

Fn

E

IN

. u

f

( ( pwctmsg ) >

"

! (

size )

iff

(f)

Fn

E

IN

.

at

( ( pwctmsg )

;

• ;

( proctmsg ) ) !(sad

p

• n

times

In

• ur

example

MSC

• f

slide

76

,

this holds

as

for

n =3 i le

f

s

proc

;

msg

;

pwc )

! C

33C )

step

• by
• step

this

means u

t s

proc

>

t

(

1,3 , b )

• e

and e

t

C

msg )

? ( 3,7

, b)

• e

' and e '

F

S

pwc

)

!

(

3,2 , c )

• w

SLIDE 43

Overview

1

Introduction

2

Local Formulas and Path Expressions Syntax Formal Semantics

3

PDL Formulas

4

Verification problems for PDL Model checking MSCs Model checking CFMs Model checking MSGs Satisfiability

Joost-Pieter Katoen Theoretical Foundations of the UML 20/41

SLIDE 44

PDL formulas

Definition (Syntax of PDL formulas)

For local formula ϕ, the grammar of PDL formulas is given by: Φ ::= ∃ϕ | ∀ϕ | Φ ∧ Φ | Φ ∨ Φ

Negation

Negation is absent. As existential and universal quantification, as well as conjunction and disjunction are present, PDF-formulas are closed under negation. Joost-Pieter Katoen Theoretical Foundations of the UML 21/41 S

• ver

an

y

Proper he entire MSC

SLIDE 45

Intuitive meaning of PDL formulas

MSC M satisfies ∃ϕ if M has some event e satisfying ϕ

Joost-Pieter Katoen Theoretical Foundations of the UML 22/41

SLIDE 46

Intuitive meaning of PDL formulas

MSC M satisfies ∃ϕ if M has some event e satisfying ϕ MSC M satisfies ∃αϕ if from some event e in M, there exists an α-labelled path from e to an event e′, say, satisfying ϕ

Joost-Pieter Katoen Theoretical Foundations of the UML 22/41

SLIDE 47

Intuitive meaning of PDL formulas

MSC M satisfies ∃ϕ if M has some event e satisfying ϕ MSC M satisfies ∃αϕ if from some event e in M, there exists an α-labelled path from e to an event e′, say, satisfying ϕ MSC M satisfies ∃[α]ϕ if from some event e in M, every event that can be reached via an α-labelled path satisfies ϕ

Joost-Pieter Katoen Theoretical Foundations of the UML 22/41

SLIDE 48

Semantics of PDL formulas

Definition (Semantics of PDL formulas)

Let M = (P, E, C, l, m, <) ∈ M be an MSC. (M, Φ) ∈ | = iff PDL formula Φ holds in MSC M. M | = ∃ϕ iff ∃e ∈ E. M, e | = ϕ M | = ∀ϕ iff ∀e ∈ E. M, e | = ϕ M | = Φ1 ∧ Φ2 iff M | = Φ1 and M | = Φ2 M | = Φ1 ∨ Φ2 iff M | = Φ1 or M | = Φ2

Joost-Pieter Katoen Theoretical Foundations of the UML 23/41

SLIDE 49

Example (1)

The (unique) maximal event of M is labeled by ?(2, 1, a) Yes. No. ∀ ((proc + msg)∗([proc] false ∧ ?(2, 1, a))) Yes. No.

Joost-Pieter Katoen Theoretical Foundations of the UML 24/41

6

at

• maximal

event globally maximally local

SLIDE 50

Example (2)

The maximal event on process 2 is labeled by ?(2, 1, a) Yes. Yes. ∃ ([proc] false ∧ ?(2, 1, a)) Yes. Yes.

Joost-Pieter Katoen Theoretical Foundations of the UML 25/41 it ←

Taxed

Tie

SLIDE 51

Example (3)

No two consecutive events are labeled with ?(2, 3, c) No. Yes. ∀ ([{ ?(2, 3, c) }; proc; { ?(2, 3, c) }] false) No. Yes.

Joost-Pieter Katoen Theoretical Foundations of the UML 26/41

• to
• p

two consecutive events impossible labeled 7.123 , a ) event