INF 5130: Selected topics in rewriting logic
Place: Postscript, seminar room OJD 2458
Lecturer: Olaf Owe (8. floor OJD room 8463)
email: olaf at ifi.uio.no
PMA group
INF5130
“Continues” from INF3230/INF4230: Formal modeling and
analysis of communicating systems (The “Maude course”):
I
5000-course: base on “state of the art research” and self
studying
I
recommended background: some knowledge about Maude like
INF3230
I
less weight on “theory” than in INF3230
I
follow the course’s web page
www.uio.no/studier/emner/matnat/ifi/INF5130/h15
INF 5130: Overview
I
Masters’ course:
I
I
I
I
read and understand scientific papers
do presentations
gain more insight on formal modeling and analysis of
distributed systems with a high level of abstraction
New specification and analysis techniques:
I
I
temporal logic for “requirement specifications”
meta-programming
INF 5130: Overview (cont.)
I
New problem domains (not totally fixed):
I
I
I
I
I
I
real time computer systems
bio-chemical processes
mobile processes
probabilistic systems and OS-analysis
...
“Theory”: reflection (meta-programming semantics)
Note: Maude is a tool that we use for illustrations
Course content
I
Two mandatory assignments
I
Student presentations of different topics (30 % of the
overall grade)
I
Final oral exam (70 % of the overall grade)
I
Some lectures and weekly assignments at the beginning
I
A lot of work on the mandatory assignments in the first part
of the course
I
Student presentations and discussions in the second part of
the course
Mandatory assignment 1
Modeling and analysing the Reliable Broadcast Protocol (RBP)
I
from (1995), a communication protocol presented in a large
communication conference (ICC ’96)
I
developed by a giant within communication systems
I
“proved correct” in the article
task: modeling and executing/analysing (parts of) RBP in
Maude
I
I
I
consider the original specification: impreciseness, ambiguities
and implicit assumptions
consider the protocol’s “soundness” and weaknesses
I
work one and one or two and two?
I
available next week!
Mandatory assignment 2
An assignment in meta programming:
I
program an “iterative depth first search” strategy and
apply it on the NSPK protocol.
Student presentations (preliminary – may adjust themes)
Presenting articles about e.g.
I
temporal logic and Maude’s model checker
I
specifying and analysing real time computer systems using
Real-Time Maude
I
mobile systems and Mobile Maude
I
probabilistic systems and PMaude
I
modeling and analysing bio-chemical processes in Maude
I
reachability analysis by narrowing techniques
I
. . . other wishes?
Student presentations (cont.)
I
1 or 2 students lecturing about one or more articles within one
subject (40 min.)
I
making slides for the lecture
Everybody should be present at the presentations
I
I
I
I
I
learning the topics through presentations, discussions, and my
comments
learn presentation techniques
and of solidarity
If you have (clinical) anxiety or similar, other forms of
evaluations can be discussed.
The exam
I
I
Oral exam
The curriculum so far:
I
I
I
assignments
presented topics and articles
lectures and discussions around the lectures
Some repetition of Maude
Information about Maude
I
Manual, papers, etc. about Maude:
http://maude.cs.uiuc.edu
I
Compendium from INF3230
The compendium can be found at the INF3230 course pages
http://www.uio.no/studier/emner/matnat/ifi/INF3230/v15
Repetition
I
I
Starts by executing the command maude, or followed by a file
name
Data types and related functions are defined by equational
specifications
I
I
I
I
Dynamic behaviours are modeled by rewriting rules
I
I
I
sorts, subsorts, function symbols, equations
must be terminating and confluent (this is not checked by
Maude)
included modules for integers, rationale numbers, strings, etc
not necessarily terminating or confluent
different ways of executions: simulations/rewritings, search,
user defined strategies, model checking.
Full Maude supports object oriented specifications and
executions
I
bad error messages
Some useful Maude commands
q .: quit
eof: end-of-file
load/in file .: read in file
ls/cd/pwd
select module .: let the module be the “actual” module
show module .: show module
show all .: show the flat version of the actual modules
Commands can be given as input also in a file!
Comments are either *** or --- (online) or ***( . . . ) or ---(
. . . ) (for regions)
Functional Modules
Data types: elements + operations on these elements
I
Must define explicitly all values/elements of the data type
I
“Values/elements” are terms constructed from user defined
function symbols (operators) and constants
I
Terms/functions have sorts describing the input/output types
Some function symbols/constants are used to construct
elements/values
I
I
I
these are Constructors [ctor]
Other functions are defined functions and are defined by
equations
Example: natural numbers
Equational specifications are defined as functional modules:
I
Define a data type for natural numbers
I
Numbers can be represented by 0, s(0), s(s(0)), . . .
I
A defined function _+_
fmod MY-NAT is
sort Nat .
op 0 : -> Nat [ctor] .
op s : Nat -> Nat [ctor] .
op _+_ : Nat Nat -> Nat .
vars M N : Nat .
eq 0 + M = M .
eq s(M) + N = s(M + N) .
endfm
Example: natural numbers (cont.)
I
Underscore (_) for an argument position
I
Maude’s red(uce) command computes the “value” of a term
by using equations from left to right, until no equations can
be applied:
Maude> red s(0) + s(s(0)) .
Exercise 1: Nat
I
Extend the module MY-NAT with functions
I
I
_*_ for multiplication
_! for factorial function
and use Maude to compute
I
I
I
(s(0) + s(0)) * (s(s(s(0))) * s(s(0)))
(s(s(0)) * s(s(0))) !
Note: An earlier defined module can be imported by using
protecting or including:
fmod EXERCISE-1 is including MY-NAT .
...
endfm
Associativity and commutativity
A binary function symbol can be declared to be associative
([assoc]) and/or commutative ([comm]) and/or have one identity
element
I All computations are modulo these axioms
I
Assoc and comm:
op h : s s -> s [assoc comm] .
I
I
I
h(x1 , x2 ) = h(x2 , x1 )
essentially multiset
Identity: op f : s s -> s [id: t] .
Lists of natural numbers
I
Use subsorts, and assoc/id attributes
I
nil and concatenations (__) are constructors:
fmod LIST is protecting NAT .
sort List .
subsort Nat < List .
op nil : -> List [ctor] .
op __ : List List -> List
[ctor assoc id: nil] .
op length : List -> Nat .
var L : List . var N : Nat .
eq length(nil) = 0 .
eq length(L N) = 1 + length(L) .
endfm
The list “1 2 3” is represented by the term 1 2 3
Exercise 2: List
I
Explain why length is also defined for lists with one element
I
Define a function rev for reversing of lists
I
Define a function
op _occursIn_ : Nat List -> Bool .
that checks whether a number is an element of a list.
(remember that you can use the built-in symbols such as _==_
and _=/=_ to check equality)
I
Test out your functions.
Multiset
Multiset: the multiset union constructor is assoc/comm/id
fmod MSET is protecting NAT .
sort Mset .
subsort Nat < Mset .
op none : -> Mset [ctor] .
op __ : Mset Mset -> Mset
[ctor assoc comm id: none] .
op size : Mset -> Nat .
var MS : Mset . var N : Nat .
eq size(none) = 0 .
eq size(N MS) = 1 + size(MS) .
endfm
Empty syntax: A multiset {5, 8, 6, 8, 5, 5} is represented by the
term 5 8 6 8 5 5 and by all AC-equivalent terms!
Note: one may specify the type of a (sub)term t by the syntax
(t).sortname. For instance to distinguish (5 8 6 8 5 5).Mset
and (5 8 6 8 5 5).List.
Exercise 3: Multiset
I
Define functions
op mult : Mset Nat -> Nat .
op _in_ : Nat Mset -> Bool .
op del : Mset Nat -> Mset .
such that
I
I
I
I
mult(MS, N) gives number the of N in MS
N in MS true if MS contains the element N
del(MS, N) removes one occurrences of N from MS (and does
nothing if N is not in MS)
Test out your functions!
Other assignments
I
Tasks from 3230-compendium: quick-sort, binary trees
I
Given a sort Oid, define a data type OidSet of sets (or
multiset) of Oid-elements
Dynamic systems
Dynamic systems: the systems’ states change
I
airport/nuclear plant controller systems
I
football match:
sort Game .
op _-_ _:_ : String String Nat Nat -> Game
[ctor] .
I
I
one state could be "Malmo FF" - "Flamengo" 0 : 0
after 32 minutes, the state can be
"Malmo FF" - "Flamengo" 6 : 1
Rewriting rules
I
I
Dynamic behaviors are modeled by (labeled) rewriting rules,
syntax
rl [l] : t => t 0 .
crl [l] : t => t 0 if cond .
Static properties are modeled by equations
I
I
I
I
rewritings are (logically) modulo equations
operational: Maude reduces a term to its normal-form before
using the rules
the left-hand side of a rule must be a constructor term
Rules need not to be terminating/confluent
Football
Rewriting theories are system modules:
mod GAME is protecting NAT .
protecting STRING .
sort Game .
op _-_ _:_ : String String Nat Nat -> Game .
vars HOME AWAY : String .
vars M N : Nat .
rl [home-goal] :
HOME - AWAY M : N => HOME - AWAY M + 1 : N .
rl [away-goal] :
HOME - AWAY M : N => HOME - AWAY M : N + 1 .
endm
Rewriting logic
I
Logic about the possible state change:
Is t 0 reachable from t in zero or more steps?
I
Is "Malmo FF" - "Flamengo" 12 : 0 reachable from
"Malmo FF" - "Flamengo" 0 : 0 ?
I
Is "Brazil" - "Italy" 2 : 3 reachable from
"Brazil" - "Italy" 0 : 0 ?
I
Is "South Corea" - "Spain" 0 : 0 reachable from
"South Corea" - "Spain" 0 : 1 ?
Executions/Analysis
A rewriting theory can be non-terminating or non-deterministic
I execution strategies that “rewrite until no rules can be
applied” are not enough
I
I
infinite behaviors are possible (e.g. livelocks)
executes only one of many possible behaviors
(behavior = a sequence of rewrite steps)
Maude analysis
Maude has a number of effective analysis commands:
I rewritings for simulations/prototyping:
I
I
search: analyze all possible behaviors from one initial state by
checking whether one state pattern can be reached
I
I
can possibly not terminate if such state(s) does not exist
temporal logic model checking: verifying whether all possible
behaviors from one initial state satisfy a formula in temporal
logic
I
I
simulate one behavior from one initial state
when the number of reachable states is finite
one can define its own analysis strategies by using Maude’s
meta programming facilities
Rewritings
Simulate maximum n steps of one behavior from the initial state t:
Maude> rew [n] t .
I
can leave out ’[n]’ if the system is terminating or the state
space reachable from t is finite
I
Maude> rew [5] "Italy" - "Brazil" 0 : 0 .
result Game: "Italy" - "Brazil" 3 : 2
I
can trace the rewriting steps
Search
search [n] t =>* t 0 such that cond .
I
search for maximum n states that can be reached from t,
which match t 0 and satisfy cond
I
can leave out ‘[n]’ and/or ‘such that cond’
I
t 0 must be a constructor term and may contain variables
I
cond is a semantic requirement
I
the arrow =>! searches for a terminating state/deadlocks
I
can list out the path
I
Task: Use search to check whether the away team can win the
football match
Examples with search
Maude> search [1]
"Malmo FF" - "Vasco da Gama" 0 : 0 =>*
"Malmo FF" - "Vasco da Gama" 1 : 5 .
Solution 1 (state 22)
empty substitution
Maude> show path 22 .
state 0, Game: "Malmo FF" - "Vasco da Gama" 0 : 0
===[ rl ... home-goal ]===>
state 1, Game: "Malmo FF" - "Vasco da Gama" 1 : 5
...
===[ rl ... away-goal ]===>
state 22, Game: "Malmo FF" - "Vasco da Gama" 1 : 5
Note: 22 is the number of states visited (breadth-first)
Examples with search (cont.)
Maude> search [2]
"Brazil" - "Italy" 0 : 0 =>*
"Brazil" - "Italy" M:Nat : N:Nat
such that M:Nat > N:Nat + 4 .
Solution 1 (state 15)
M --> 5
N --> 0
Solution 2 (state 21)
M --> 6
N --> 0
Useful analysis with search commands
Useful search commands for analysis:
I to check if all reachable states satisfy an invariant:
I
I
I
by looking for a state that violates the invariant and is
reachable from the initial state
search [1] init =>* unwanted state .
if the system is terminating: check all the final states:
I
search init =>! X:S .
where init is the initial state and S is the sort of the state
Full Maude
Full Maude supports object oriented specifications in
object oriented modules (omod ... endom)
I
special syntax for classes, objects
I
all modules and commands are surrounded by parenthesis
I
start Full Maude by loading the file full-maude.maude
in Maude
I
a state in an OO system can be seen as a multiset of objects
and messages between objects
I
Full Maude is not as solid as Maude, but will be better.
Objects
I
An object is represented by the term
< O : C | att1 : val1 , ..., attn : valn >
I
I
I
I
I
O is the object’s identification of sort Oid
C is the class of the object
att1 till attn are the object’s attributes
val1 till valn are the object’s values
Example:
< "Peter" : Person | age : 35,
status : single >
I
the Maude syntax for class declarations
class Person | age : Nat, status : Status .
Objects (cont.)
I
Rule for aging:
var X : String .
var N : Nat .
crl [birthday] :
< X : Person | age : N >
=>
< X : Person | age : N + 1 >
if N < 1000 .
I
The attributes that are not relevant for the application of the
rule can be omitted
Objects (cont.)
A state in an OO system can for example be
< "Peter" : Person | age : 35, status : single >
< "Ronaldo" : Person | age : 27, status : single >
< "Lizzie" : Person | age : 32, status : single >
Communication
Maude has no determined/built-in communication primitives
I
flexible: different types of communications can be modeled
with appropriate abstraction levels, instead of simulating one
type of communication by using a given simulation primitive
I
all communications must be explicitly modeled
I
users must find the appropriate type of communication
I
in INF3230, some suggestions are given for how different kinds
of communications can be modeled
Communications and their models
I
I
synchronous (handshake): several objects on the left hand
side of a rule
asynchronous communication, point-to-point: sending
messages
I
I
I
unordered: the order messages are received differs from the
order they are send (like Internet): simple sending of messages
and reading the messages
ordered: the messages are received in the same order as they
are send: modeling explicit use of some FIFO-links to transport
messages, or use sequence numbers
abstraction and generality are wanted: if something works with
unordered communication, then it will also work when the
communication is ordered!
Communications and their models (cont.)
I
multicast: sending messages to a set of receiver objects
I
I
simple if the communication is unordered
more involved if the communication is ordered (sequence
numbers or “spreaders”)
I
loose/duplicating/corrupted messages?
I
message transmissions take time and if this must be modeled:
the Real-Time Maude article suggests some modeling
techniques
I
other types of communication need other kinds of modeling
techniques: for example wireless sensor networks
Messages
Messages can be defined by terms of sort Msg:
msgs marry? yes no : Oid Oid -> Msg .
Sending a marry? message:
crl [propose] :
< X : Person | age : N, status : single >
=>
< X : Person | status : waitFor(Y) >
marry?(Y, X)
if N > 15 .
Messages (cont.)
Two rules for handling a marry? request:
crl [accept] :
marry?(Y, X)
< Y : Person | age : N, status : single >
=>
< Y : Person | status : engaged(X) >
yes(X, Y)
if N > 15 .
rl [reject] :
marry?(Y, X) < Y : Person | >
=> < Y : Person | > no(X, Y) .
Messages (cont.)
Rules for reading a response:
rl [yes] :
yes(X, Y)
< X : Person | status : waitFor(Y) >
=>
< X : Person | status : engaged(Y) > .
rl [no] :
no(X, Y)
< X : Person | status : waitFor(Y) >
=>
< X : Person | status : single > .
Message transmissions
Messages are transported abstractly since a configuration is a
multiset:
< "Peter" : Person | ..., status : waitFor("Lizzie") >
marry?("Lizzie", "Peter")
< "Ronaldo" : Person | ..., status : single >
< "Lizzie" : Person | ..., status : single >
is exactly the same as
< "Peter" : Person | ..., status : waitFor("Lizzie") >
< "Ronaldo" : Person | ..., status : single >
marry?("Lizzie", "Peter")
< "Lizzie" : Person | ..., status : single >
that can be rewritten to . . .
Message transmissions (cont.)
< "Peter" : Person | ..., status : waitFor("Lizzie") >
< "Ronaldo" : Person | ..., status : single >
< "Lizzie" : Person | ..., status : engaged("Peter") >
yes("Peter", "Lizzie")
which is the same as
yes("Peter", "Lizzie")
< "Peter" : Person | ..., status : waitFor("Lizzie") >
< "Ronaldo" : Person | ..., status : single >
< "Lizzie" : Person | ..., status : engaged("Peter") >
A trivial broadcast protocol
I
Topology: graph — each node knows its neighbors
I
Goal: Broadcast:
All nodes that can be reached from the initiator, should have
seen the message
Protocol:
I
1. the initiator sends messages to its neighbors
2. when a node reads a message for the first time, it will store the
message and multicast the message to its other neighbors
3. a node ignores an already received message
The broadcast protocol: Data types
(omod BROADCAST is protecting STRING .
subsort String < Oid .
msgs m1 m2 m3 m4 m5 : -> Msg .
msg broadcast : Msg Oid -> Msg .
sort OidSet . subsort Oid < OidSet .
op none : -> OidSet [ctor] .
op _;_ : OidSet OidSet -> OidSet
[ctor assoc comm id: none] .
I
m1 till m5 are the possible message contents that will be
broad-casted
I
broadcast starts the protocol
I
OidSet: multiset of object identifications (for a set of
neighbors)
The broadcast protocol: Data types (cont.)
op msg_from_to_ : Msg Oid Oid -> Msg [ctor] .
op multimsg_from_to_ : Msg Oid OidSet -> Msg [ctor] .
var M : Msg . vars SENDER ARECEIVER : Oid .
var OTHER-RECEIVERS : OidSet .
eq multimsg M from SENDER to none = none .
eq multimsg M from SENDER to ARECEIVER ; OTHER-RECEIVERS =
(msg M from SENDER to ARECEIVER)
(multimsg M from SENDER to OTHER-RECEIVERS) .
I
message wrapper msg_from_to_ is used to send a msg from a
sender to a receiver
I
message wrapper multimsg_from_to_ is used to multicast a
msg from a sender to a set of receivers
The node class
class Node | neighbors : OidSet,
msgRead : Configuration .
I
msgRead is either none or contains messages to be
read/stored
I
neighbors is (object identifications of) the neighbors
A broadcast example: Rules
1. The initiator multicasts the message M (will be broadcasted)
to all its neighbors:
rl [startBroadcast] :
broadcast(M, O)
< O : Node | neighbors : OS,
msgRead : none >
=>
< O : Node | msgRead : M >
multimsg M from O to OS .
Task: the rest of the broadcast protocol
I
finish the specification with rules for:
I
I
I
a node to receive a message M for the first time and pass on
this message
a node to read an already received message M and ignore this
message
Let the initial state be
eq initState =
broadcast(m4, "b")
< "a" : Node | neighbors
msgRead :
< "b" : Node | neighbors
msgRead :
< "c" : Node | neighbors
< "d" : Node | neighbors
msgRead :
< "e" : Node | neighbors
msgRead :
I
: "b" ; "e",
none >
: "a" ; "d",
none >
: "d", msgRead : none >
: "b" ; "c" ; "e",
none >
: "a" ; "d",
none > .
Use Full Maude’s search commands to check if every
terminating result is OK
Task: ordered communication
I
I
I
Sending/receiving peers: the sender has a list of messages
that are to be sent
Goal: achieve ordered communication through an unordered
transmission medium
(Trivial) protocol:
1.
2.
3.
4.
I
I
the
the
the
...
sender sends the first message with sequence number 1
receiver stores the message and acks message 1
sender sends message 2
and so on
Specify such a system with suitable initial states
Check that all the receivers have received the messages in the
correct order, in all possible terminating states