Article

Membership algebra as a semantic framework for equational specification


... In addition, the ordering relation among sorts, a feature of both CafeOBJ and Maude, increases the complexity level of many-sorted first-order logic. Fortunately, the development of the results at the appropriate level of abstraction and the modularization principles that guided our study also allowed us to cover the case of order-sorted algebra [15,25] with minimal effort. Compactness. ...
... There are several non-equivalent axiomatizations of OSA in the literature including the ones proposed by Goguen and Meseguer [15] and by Poigné [30]. The version we consider here originates in [25], and it enjoys better mathematical properties than the ones enumerated before. See [26] for a comparison. ...
... Hereafter, we assume that all order-sorted signatures are sensible and locally filtered. According to [25], sensibility ensures the existence of the initial order-sorted algebra of terms T_Σ, which is defined as follows: ...
Article
Full-text available
Lindström’s theorem characterizes first-order logic in terms of its essential model theoretic properties. One cannot gain expressive power extending first-order logic without losing at least one of compactness or downward Löwenheim–Skolem property. We cast this result in an abstract framework of institution theory, which does not assume any internal structure either for sentences or for models, so it is more general than the notion of abstract logic usually used in proofs of Lindström’s theorem; indeed, it can be said that institutional model theory is both syntax and semantics free. Our approach takes advantage of the methods of institutional model theory to provide a structured proof of Lindström’s theorem at a level of abstraction applicable to any logical system that is strong enough to describe its own concept of isomorphism and its own concept of elementary equivalence. We apply our results to some logical systems formalized as institutions and widely used in computer science practice.
... We present some preliminaries on order-sorted equational logic and rewriting logic. The material is adapted from [15,30,31]. ...
... Order-Sorted Equational Logic. We assume the basic notions of order-sorted (abbreviated OS) signature Σ, Σ-term t, Σ-algebra A, and Σ-homomorphism f : A → B [15,30]. Intuitively, Σ defines a partially ordered set of sorts (S, ≤), which are interpreted in a Σ-algebra A with carrier family of sets A = {A_s}_{s∈S} as sort containments. ...
... The OS algebras over signature Σ and their homomorphisms form a category OSAlg_Σ. Furthermore, under mild syntactic conditions on Σ, the term algebra T_Σ is initial [30]; all signatures are assumed to satisfy these conditions. An S-sorted set X = {X_s}_{s∈S} of variables satisfies s ≠ s′ ⇒ X_s ∩ X_s′ = ∅, and the variables in X are always assumed disjoint from all constants in Σ. ...
Preprint
Full-text available
This paper presents a rewriting logic specification of the Illinois Browser Operating System (IBOS) and defines several security properties, including the same-origin policy (SOP) in reachability logic. It shows how these properties can be deductively verified using our constructor-based reachability logic theorem prover. This paper also highlights the reasoning techniques used in the proof and three modularity principles that have been crucial to scale up and complete the verification effort.
... The notation t : s is used to state that the term t has sort s. This notation supports reasoning in membership equational logic [25], which conservatively extends order-sorted logic by unary membership predicates of the form _:s, stating that a term t has sort s. This allows us to reason inductively to prove that a membership t : s holds in the initial algebra of an order-sorted equational theory or, more generally, of a theory in membership equational logic [25,4]. ...
... This notation supports reasoning in membership equational logic [25], which conservatively extends order-sorted logic by unary membership predicates of the form _:s, stating that a term t has sort s. This allows us to reason inductively to prove that a membership t : s holds in the initial algebra of an order-sorted equational theory or, more generally, of a theory in membership equational logic [25,4]. Although in this paper we restrict ourselves to order-sorted logic, we will still use the notation t : s to specify membership predicates and to reason inductively about them. ...
... RAT-ACU1375 for RAT-ACU-01 and RAT-ACU-26 @4:[Rat]+ @1:Int / @2:NzNat = @4:[Rat]+(@3:NzNat * @1:Int)/ @2:NzNat * @3:NzNat . cp RAT-ACU1565 for RAT-ACU-02 and RAT-ACU-25 1 + @2:NzInt =(@1:NzNat + @1:NzNat * @2:NzInt)/ @1:NzNat . cp RAT-ACU1644 for RAT-ACU-02 and RAT-ACU-26 (@2:NzNat + @1:Int)/ @2:NzNat =(@2:NzNat * @3:NzNat + @3:NzNat * @1:Int)/ @2:NzNat * @3:NzNat . ...
Article
Terminating functional programs should be deterministic, i.e., should evaluate to a unique result, regardless of the evaluation order. For equational functional programs such determinism is exactly captured by the ground confluence property. For operationally terminating conditional equations this is equivalent to ground local confluence, which follows from local confluence. Checking local confluence by computing critical pairs is the standard way to check ground confluence [33]. The problem is that some perfectly reasonable equational programs are not locally confluent and it can be very hard or even impossible to make them so by adding more equations. We propose three methods, called Methods 1–3, that can be synergistically combined to prove an order-sorted conditional specification modulo axioms B ground locally confluent. Method 1 applies the strategy proposed in [14] to use non-joinable critical pairs as completion hints to either achieve local confluence or reduce the number of critical pairs. Method 2 uses the inductive joinability inference system proposed in this paper to try to prove the critical pairs remaining after applying Method 1 ground joinable. It can furthermore show ground local confluence of the original specification. Method 3 is hierarchical in nature: it can be used to prove the ground local confluence of a conditional equational specification whose conditions belong to a subspecification that has already been proved ground confluent and operationally terminating, and that is conservatively extended by the overall specification in an appropriate sense. These methods apply to order-sorted and possibly conditional equational programs modulo axioms such as, e.g., Maude functional modules. We show their effectiveness in proving the ground confluence of non-trivial examples that have eluded previous proof attempts.
... I present needed preliminaries on order-sorted algebra, logic, and variants. The material is adapted from [70,73]. The presentation is self-contained: only the notions of many-sorted signature and many-sorted algebra, e.g., [34], are assumed. ...
... A many-sorted signature is the special case where the poset (S, ≤) is discrete, i.e., s ≤ s′ iff s = s′. [70] The category OSAlg has an initial algebra. Furthermore, if is sensible, then the term algebra T with: ...
... conditional -equations of the form i=1...n u i = v i ⇒ t = t ). OSAlg ( ,E) always has an initial algebra T /E , and free algebras T /E (X) [70]. The inference system in [70] is sound and complete for OS equational deduction, i.e., for any OS equational theory ( , E), and -equation ...
Article
A new notion of generalized rewrite theory suitable for symbolic reasoning and generalizing the standard notion in [19] is motivated and defined. Also, new requirements for symbolic executability of generalized rewrite theories that extend those in [33] for standard rewrite theories, including a generalized notion of coherence, are given. Symbolic executability, including coherence, is both ensured and made available for a wide class of such theories by automatable theory transformations. Using these foundations, several symbolic reasoning methods using generalized rewrite theories are studied, including: (i) symbolic description of sets of terms by pattern predicates; (ii) reasoning about universal reachability properties by generalized rewriting; (iii) reasoning about existential reachability properties by constrained narrowing; and (iv) symbolic verification of safety properties such as invariants and stability properties.
... This paper presents several new contributions to conditional term rewriting and to the semantics of declarative, rewriting-based languages. Conditional rewriting is considered within the general and highly expressive framework of order-sorted rewrite theories (OSRTs), that is, theories R = (Σ, B, R), where (Σ, B) is an order-sorted equational theory [17,7] with equational axioms B, and R is a collection of conditional rewrite rules with oriented conditions of the form: → r ⇐ s_1 → t_1, ..., s_n → t_n, which are applied modulo B. All the results are in particular new results for Conditional Term Rewriting Systems (CTRSs); that is, for order-sorted rewrite theories of the special form R = (Σ, ∅, R), with B = ∅ and Σ unsorted, i.e., having a single sort. ...
... Order-Sorted Algebra. We summarize here material from [7,17] on order-sorted algebra. We start with a partially ordered set (S, ≤) of sorts, where s ≤ s′ is interpreted as subsort inclusion. ...
... An order-sorted conditional theory is a pair (Σ, E) with E a set of conditional Σ-equations. The models of (Σ, E) are precisely the order-sorted Σ-algebras that satisfy the conditional equations E [7,17]. Order-sorted conditional equational logic has a sound and complete inference system [17]. ...
Article
Full-text available
We present several new concepts and results on conditional term rewriting within the general framework of order-sorted rewrite theories (OSRTs), which support types, subtypes and rewriting modulo axioms, and contains the more restricted framework of conditional term rewriting systems (CTRSs) as a special case. The concepts shed light on several subtle issues about conditional rewriting and conditional termination. We point out that the notions of irreducible term and of normal form, which coincide for unconditional rewriting, have been conflated for conditional rewriting but are in fact totally different notions. Normal form is a stronger concept. We call any rewrite theory where all irreducible terms are normal forms a normal theory. We argue that normality is essential to have good executability and computability properties. Therefore we call all other theories abnormal, freaks of nature to be avoided. The distinction between irreducible terms and normal forms helps in clarifying various notions of strong and weak termination. We show that abnormal theories can be terminating in various, equally abnormal ways; and argue that any computationally meaningful notion of strong or weak conditional termination should be a property of normal theories. In particular we define the notion of a weakly operationally terminating (or weakly normalizing) OSRT, discuss several evaluation mechanisms to compute normal forms in such theories, and investigate general conditions under which the rewriting-based operational semantics and the initial algebra semantics of a confluent, weakly normalizing OSRT coincide thanks to a notion of canonical term algebra. Finally, we investigate appropriate conditions and proof methods to ensure that a rewrite theory is normal; and characterize the stronger property of a rewrite theory being operationally terminating in terms of a natural generalization of the notion of quasi-decreasing order.
... We follow the classical notation and terminology from [23] for term rewriting and from [16,12] for order-sorted equational logic. ...
... An equational theory (Σ, E) over a kind-completed, pre-regular, and order-sorted signature Σ = (S, F, ≤) is called a kind-completed, pre-regular, and order-sorted equational theory. Given an equational theory (Σ, E), order-sorted equational logic induces a congruence relation =_E on terms t, t′ ∈ T(Σ, V), see [12,16]. ...
Chapter
Full-text available
The dual of most general equational unifiers is that of least general equational anti-unifiers, i.e., most specific anti-instances modulo equations. This work aims to provide a general mechanism for equational anti-unification that leverages the recent advances in variant-based symbolic computation in Maude. Symbolic computation in Maude equational theories is based on folding variant narrowing (FVN), a narrowing strategy that efficiently computes the equational variants of a term (i.e., the irreducible forms of all of its substitution instances). By relying on FVN, we provide an equational anti-unification algorithm that computes the least general anti-unifiers of a term in any equational theory E where the number of least general E-variants is finite for any given term.
... We follow the classical notation and terminology from [20] for term rewriting and from [13,15] for order-sorted equational logic. ...
... An equational theory (Σ, B) over a kind-completed, pre-regular, and order-sorted signature Σ = (S, F, ≤) is called a kind-completed, pre-regular, and order-sorted equational theory. Given an equational theory (Σ, B), order-sorted equational logic induces a congruence relation =_B on terms t, t′ ∈ T_Σ(X), see [13,15]. ...
Article
Full-text available
Generalization, also called anti-unification, is the dual of unification. A generalizer of two terms t and t′ is a term t′′ of which t and t′ are substitution instances. The dual of most general equational unifiers is that of least general equational generalizers, i.e., most specific anti-instances modulo equations. In a previous work, we extended the classical untyped generalization algorithm to: (1) an order-sorted typed setting with sorts, subsorts, and subtype polymorphism; (2) work modulo equational theories, where function symbols can obey any combination of associativity, commutativity, and identity axioms (including the empty set of such axioms); and (3) the combination of both, which results in a modular, order-sorted equational generalization algorithm. However, Cerna and Kutsia showed that our algorithm is generally incomplete for the case of identity axioms and a counterexample was given. Furthermore, they proved that, in theories with two identity elements or more, generalization with identity axioms is generally nullary, yet it is finitary for both the linear and one-unital fragments, i.e., either solutions with repeated variables are disregarded or the considered theories are restricted to having just one function symbol with an identity or unit element. In this work, we show how we can easily extend our original inference system to cope with the non-linear fragment and identify a more general class than one-unit theories where generalization with identity axioms is finitary.
... The insertion of a 'rewriting-based system' R (e.g., Term Rewriting Systems (TRSs), Context-Sensitive TRSs, Conditional TRSs (CTRSs), Membership Equational Programs [32,47,41], and more general rewriting-based formalisms [3,20,42]) into FOL is made in two steps: first a specialized inference system I(R) is obtained from the generic inference system I describing the operational semantics of R as provability (à la natural deduction) of goals with predicate symbols → (one-step reduction), →* (many-step reduction), ↓ (joinability), : s (membership for a given sort s), etc.; then, a set R of sentences is obtained from I(R) by just treating inference rules B_1 ··· B_n / A as universally quantified implications (∀x) B_1 ∧ ··· ∧ B_n ⇒ A (with provability equivalently implemented now as resolution [54] or using Hilbert's style [40, Section 2.3]). ...
... For the base case, if n = n_0 is the least element of A_Nat, then, since A |= (38)_s holds, and (41) holds, there is a constant symbol c of sort s such that x = c_A, as required. If n > n_0, then A |= (39)_s and together with (41) there is m such that n > m such that we have two possibilities: If A |= term_s(x, n)[y → x, n → m], then, by the induction hypothesis the conclusion follows. ...
Article
Full-text available
The semantics of computational systems (e.g., relational and knowledge data bases, query-answering systems, programming languages, etc.) can often be expressed as (the specification of) a logical theory Th. Queries, goals, and claims about the behavior or features of the system can be expressed as formulas φ which should be checked with respect to the intended model of Th, which is often huge or even incomputable. In this paper we show how to prove such semantic properties φ of Th by just finding a model A of Th∪{φ}∪Zφ, where Zφ is an appropriate (possibly empty) theory depending on φ only. Applications to relational and deductive databases, rewriting-based systems, logic programming, and answer set programming are discussed.
... Rewriting logic is always parameterized by an underlying equational logic. This work is focused on membership equational logic [33], an equational logic that generalizes both many-sorted and order-sorted equational theories and that can also handle partial functions [3]. There are several language implementations of rewriting logic, one of them being Maude [9], a language whose underlying logic is membership equational logic. ...
... Equivalence of R/E and R ∪ E, A rewriting was proved by Viry [41] for unsorted rewrite theories. Membership equational logic was defined by Meseguer [33]. Comon studied the completion of rewrite systems with membership constraints [12,13]. ...
Article
Full-text available
This work studies the relationship between verifiable and computable answers for reachability problems in rewrite theories with an underlying membership equational logic. A new definition for R, A-rewriting that allows us to solve a bigger class of reachability problems, and a calculus that solves this class of problems always working with canonical terms and normalized substitutions, have been developed. Given a reachability problem in a rewrite theory, this calculus can compute any normalized answer that can be checked by rewriting, or a more general one that can be instantiated to that answer.
... Readers familiar with such terminology and notation can skip this section and proceed to the next section, where we provide examples of protocol specification. We follow the classical notation and terminology from [36] for term rewriting and from [31,32] for rewriting logic and order-sorted notions. ...
... A Σ-equation is an unoriented pair t = t′, where t ∈ T_Σ(X)_s, t′ ∈ T_Σ(X)_s′, and s and s′ are sorts in the same connected component of the poset (S, ≤). Given a set E of Σ-equations, order-sorted equational logic induces a congruence relation =_E on terms t, t′ ∈ T_Σ(X); see [32]. Throughout this paper we assume that T_Σ,s ≠ ∅ for every sort s. ...
Article
Full-text available
Protocols do not work alone, but together, one protocol relying on another to provide needed services. Many of the problems in cryptographic protocols arise when such composition is done incorrectly or is not well understood. In this paper we discuss an extension to the Maude-NPA syntax and its operational semantics to support dynamic sequential composition of protocols, so that protocols can be specified separately and composed when desired. This allows one to reason about many different compositions with minimal changes to the specification, as well as improving, in terms of both performance and ease of specification, on an earlier composition extension we presented in [18]. We show how compositions can be defined and executed symbolically in Maude-NPA using the compositional syntax and semantics. We also provide an experimental analysis of the performance of Maude-NPA using the compositional syntax and semantics, and compare it to the performance of a syntax and semantics for composition developed in earlier research. Finally, in the conclusion we give some lessons learned about the best ways of extending narrowing-based state reachability tools, as well as comparison with related work and future plans.
... We follow the classical notation and terminology from [41] for term rewriting and from [31,32] for rewriting logic and order-sorted notions. We assume an order-sorted signature Σ with a finite poset of sorts (S, ≤) and a finite number of function symbols. ...
... A Σ-equation is an unoriented pair t = t′. Given a set B of Σ-equations, order-sorted equational logic induces a congruence relation =_B on terms t, t′ ∈ T_Σ(X); see [32]. ...
Conference Paper
Recent advances in the automated analysis of cryptographic protocols have aroused new interest in the practical application of unification modulo theories, especially theories that describe the algebraic properties of cryptosystems. However, this application requires unification algorithms that can be easily implemented and easily extended to combinations of different theories of interest. In practice this has meant that most tools use a version of a technique known as variant unification. This requires, among other things, that the theory be decomposable into a set of axioms B and a set of rewrite rules R such that R has the finite variant property with respect to B. Most theories that arise in cryptographic protocols have decompositions suitable for variant unification, but there is one major exception: the theory that describes encryption that is homomorphic over an Abelian group. In this paper we address this problem by studying various approximations of homomorphic encryption over an Abelian group. We construct a hierarchy of increasingly richer theories, taking advantage of new results that allow us to automatically verify that their decompositions have the finite variant property. This new verification procedure also allows us to construct a rough metric of the complexity of a theory with respect to variant unification, or variant complexity. We specify different versions of protocols using the different theories, and analyze them in the Maude-NPA cryptographic protocol analysis tool to assess their behavior. This gives us greater understanding of how the theories behave in actual application, and suggests possible techniques for improving performance.
... If we remove all marks from any term in this chain and restore the contexts which were removed from the rules of R to obtain the pairs in DP_HC(R), we obtain an infinite rewrite sequence witnessing nontermination of R. H-chain consists of (32) followed by (33). Thus, R is terminating. ...
... However, [36] presented five different notions of CTRS termination, some of them actually wrong, in the sense that any reasonable interpreter will loop evaluating CTRSs declared terminating under the given notion, so considerable uncertainty about the right notion of CTRS termination remained. The notion of operational termination was proposed in [26] for general logics [32] and used in [14] to study and characterize the termination of MEL Rewrite Theories (based on the Membership Equational Logic (MEL) in [33]) and of CTRSs in [26], where the notion of quasi-decreasingness (see [36,Definition 7.2.39]) and of operational termination of a CTRS were proved equivalent. ...
Article
Full-text available
The notion of operational termination provides a logic-based definition of termination of computational systems as the absence of infinite inferences in the computational logic describing the operational semantics of the system. For Conditional Term Rewriting Systems we show that operational termination is characterized as the conjunction of two termination properties. One of them is traditionally called termination and corresponds to the absence of infinite sequences of rewriting steps (a horizontal dimension). The other property, that we call V-termination, concerns the absence of infinitely many attempts to launch the subsidiary processes that are required to perform a single rewriting step (a vertical dimension). We introduce appropriate notions of dependency pairs to characterize termination, V-termination, and operational termination of Conditional Term Rewriting Systems. This can be used to obtain a powerful and more expressive framework for proving termination properties of Conditional Term Rewriting Systems.
... This paper follows notation and terminology from [17] for order-sorted equational logic and from [5] for rewriting logic. An order-sorted signature Σ is a tuple Σ = (S, ≤, F) with finite poset of sorts (S, ≤) and a finite index set of function symbols F = {F_{w,s}}_{(w,s)∈S*×S}. ...
... A Σ-equation is a Horn clause t = u if γ, where t = u is a Σ-equality with t, u ∈ T_Σ(X)_s for some sort s ∈ S, and the condition γ is a finite conjunction of Σ-equalities ⋀_{i∈I} t_i = u_i. An equational theory is a tuple (Σ, E) with order-sorted signature Σ and finite set of Σ-equations E. For ϕ a Σ-equation, (Σ, E) ⊢ ϕ iff ϕ can be proved from (Σ, E) by the deduction rules in [17] iff ϕ is valid in all models of (Σ, E); assuming T_Σ,s ≠ ∅ for each s ∈ S, (Σ, E) induces the congruence relation =_E on T_Σ(X) defined for any t, u ∈ T_Σ(X) by t =_E u iff (Σ, E) ⊢ t = u. For an equational theory (Σ, E) and a term t ∈ T_Σ(X), the expression [t]_E denotes the equivalence class of t modulo E, i.e., ...
Conference Paper
Full-text available
The logic of E. W. Dijkstra and C. S. Scholten has been shown to be useful in program correctness proofs and has attracted a substantial following in research, teaching, and programming. However, there is confusion regarding this logic to the point in which, for some time, it was not considered a logic, as logicians use the word. The main objections arise from the fact that: (i) symbolic manipulations seem to be based on the meaning of the terms involved, and (ii) some notation and the proof style of the logic are different, to some extent, from those found in the traditional use of logic. This paper presents the Dijkstra-Scholten logic as a formal system, and explains its proof-theoretic foundations as a formal system, thus avoiding any confusion regarding term manipulation, notation, and proof style. The formal system is shown to be sound and complete, mainly, by using rewriting and narrowing based decision and semi-decision procedures for, respectively, propositional and first-order logic previously developed by C. Rocha and J. Meseguer.
... The membership declaration, done with the syntax mb, specifies that when the index env is related to an environment E:Env by the operator :, a field is formed. (Membership equational logic [14] is a generalization of order-sorted equational logic.) If this example specification were to be further extended with a store component, a similar declaration would then be necessary, but this time declaring an index, let us say, sto and a membership equation binding sto to a term of sort Store, the data type for memory stores. ...
... The use of [BVal] as the image sort for the function find means that this represents a partial function that might return an error term at the kind level. (A kind [14] is the connected component of sorts related by the subsort relation). For example, when the identifier is not found on the given environment, the function should return an error term, such as no-value. ...
Article
Modularity is a pragmatic property of specifications that is not easy to achieve. For instance, it has been left as an open problem by Plotkin in his 81 Aarhus lecture notes where Structural Operational Semantics (SOS) was defined. This open problem has been solved only recently by Mosses with Modular SOS (MSOS), a framework that extends labelled transitions systems with a label category where the semantic information is encapsulated inside its arrows. This extension gave rise to arrow-labelled transition systems that allow MSOS specifications to be made modular, that is, extended monotonically. The objective of this paper is to present the Maude MSOS Tool, a Maude implementation of MSOS. Maude is a fast implementation of rewriting logic, a reflective logic that has been shown as a generic framework which can represent many logics, specification languages and models of computation. It is precisely the reflective capabilities of rewriting logic implemented in the Maude system that allow us to create an executable environment for MSOS: Maude MSOS Tool.
... An order-sorted signature is defined by a tuple (S, ≤, F). For making construction of symbolic presentations of models (i.e., term algebras, see 2.2.3) possible, the following sensibility condition is the most general sufficient condition for avoiding ambiguity found until now [17]. An order-sorted signature (S, ≤, F) is defined to be sensible iff (w ≡_≤ w′ ⇔ s ≡_≤ s′) for any operator f ∈ F_{ws} ∩ F_{w′s′}, where w ≡_≤ w′ means that (i) w and w′ are of the same length and (ii) any element of w is in the same connected component as the corresponding element of w′. ...
Preprint
Full-text available
Critical flaws continue to exist at the level of domain, requirement, and/or design specification, and specification verification (i.e., to check whether a specification has desirable properties) is still one of the most important challenges in software/system engineering. CafeOBJ is an executable algebraic specification language system and domain/requirement/design engineers can write proof scores for improving quality of specifications by the specification verification. This paper describes advances of the proof scores for the specification verification in CafeOBJ.
... We recall basic notions related to term rewriting [10,11], and many-sorted equational logic [36]. ...
Preprint
We develop a multiset query and update language executable in a term rewriting system. Its most remarkable feature, besides a non-standard approach to quantification and introduction of fresh values, is non-determinism: a query result is not uniquely determined by the database. We argue that this feature is very useful, e.g., in modelling user choices during simulation or reachability analysis of a data-centric business process, the intended application of our work. Query evaluation is implemented by converting the query into a terminating term rewriting system and normalizing the initial term which encapsulates the current database. A normal form encapsulates a query result. We prove that our language can express any relational algebra query. Finally, we present a simple business process specification framework (and an example specification). Both the syntax and the semantics of our query language are implemented in Maude.
... A membership equational logic (Mel) [35] signature is a triple Σ = (K, σ, S) with K a set of kinds, σ = {Σ_{w,k}}_{(w,k)∈K*×K} a many-kinded signature, and S = {S_k}_{k∈K} a K-kinded family of disjoint sets of sorts. The kind of a sort s is denoted by [s]. ...
Article
Full-text available
When a person is concurrently interacting with different systems, the amount of cognitive resources required (cognitive load) could be too high and might prevent some tasks from being completed. When such human multitasking involves safety-critical tasks, such as in an airplane, a spacecraft, or a car, failure to devote sufficient attention to the different tasks could have serious consequences. For example, using a GPS with high cognitive load while driving might take the attention away for too long from the safety-critical task of driving the car. To study this problem, we define an executable formal model of human attention and multitasking in Real-Time Maude. It includes a description of the human working memory and the cognitive processes involved in the interaction with a device. Our framework enables us to analyze human multitasking through simulation, reachability analysis, and LTL and timed CTL model checking, and we show how a number of prototypical multitasking problems can be analyzed in Real-Time Maude. We illustrate our modeling and analysis framework by studying: (i) the interaction with a GPS navigation system while driving, (ii) some typical scenarios involving human errors in air traffic control (ATC), and (iii) a medical operator setting multiple infusion pumps simultaneously. We apply model checking to show that in some cases the cognitive load of the navigation system could cause the driver to keep the focus away from driving for too long, and that working memory overload and distraction may cause an air traffic controller or a medical operator to make critical mistakes.
... Γ ⊢ ∀L, E, F · (@ lifo del)((@ fifo del)(L;E;F)) = (@ fifo del)((@ lifo del)(L;E;F)) by applying (Trans) to 1, 2 and 4 ... symbols defined on top of preordered algebra [25], order-sorted algebra [32], partial algebra [3,55], membership algebra [52] or higher-order algebra [53]. ...
Article
The definition of institution formalizes the intuitive notion of logic in a category-based setting. Similarly, the concept of stratified institution provides an abstract approach to Kripke semantics. This includes hybrid logics, a type of modal logics expressive enough to allow references to the nodes/states/worlds of the models regarded as relational structures, or multi-graphs. Applications of hybrid logics involve many areas of research such as computational linguistics, transition systems, knowledge representation, artificial intelligence, biomedical informatics, semantic networks and ontologies. The present contribution sets a unified foundation for developing formal verification methodologies to reason about Kripke structures by defining proof calculi for a multitude of hybrid logics in the framework of stratified institutions. In order to prove completeness, the paper introduces a forcing technique for stratified institutions with nominal and frame extraction and studies a forcing property based on syntactic consistency. The proof calculus is shown to be complete and the significance of the general results is exhibited on a couple of benchmark examples of hybrid logical systems.
... A $\Sigma$-equation is an unoriented pair $t = t'$, where $t, t' \in T_{\Sigma,s}(X)$ for some sort $s \in S$. Given $\Sigma$ and a set $E$ of $\Sigma$-equations, order-sorted equational logic induces a congruence relation $=_E$ on $T_\Sigma(X)$ (see [54]). An equational theory $(\Sigma, E)$ is a ... Otherwise, the overloading of $f$ is called ad-hoc. ...
Article
Partial evaluation is a powerful and general program optimization technique with many successful applications. Existing PE schemes do not apply to expressive rule-based languages like Maude, CafeOBJ, OBJ, ASF+SDF, and ELAN, which support: 1) rich type structures with sorts, subsorts, and overloading; and 2) equational rewriting modulo various combinations of axioms such as associativity, commutativity, and identity. In this paper, we develop the new foundations needed and illustrate the key concepts by showing how they apply to partial evaluation of expressive programs written in Maude. Our partial evaluation scheme is based on an automatic unfolding algorithm that computes term variants and relies on high-performance order-sorted equational least general generalization and order-sorted equational homeomorphic embedding algorithms for ensuring termination. We show that our partial evaluation technique is sound and complete for convergent rewrite theories that may contain various combinations of associativity, commutativity, and/or identity axioms for different binary operators. We demonstrate the effectiveness of Maude's automatic partial evaluator, Victoria, on several examples where it shows significant speed-ups.
... An equational theory $(\Sigma, E)$ is a pair with $\Sigma$ an order-sorted signature and $E$ a set of $\Sigma$-equations. Given $\Sigma$ and a set $E$ of $\Sigma$-equations, order-sorted equational logic induces a congruence relation $=_E$ on terms $t, t' \in T_\Sigma(X)$ (see [28]). Throughout this paper we assume that $T_{\Sigma,s} \neq \emptyset$ for every sort $s$, because this affords a simpler deduction system. ...
Preprint
Equational unification of two terms consists of finding a substitution that, when applied to both terms, makes them equal modulo some equational properties. Equational unification is of special relevance to automated deduction, theorem proving, protocol analysis, partial evaluation, model checking, etc. Several algorithms have been developed in the literature for specific equational theories, such as associative-commutative symbols, exclusive-or, Diffie-Hellman, or Abelian Groups. Narrowing was proved to be complete for unification and several cases have been studied where narrowing provides a decidable unification algorithm. A new narrowing-based equational unification algorithm relying on the concept of the variants of a term has been developed and it is available in the most recent version of Maude, version 2.7.1, which provides quite sophisticated unification features. A variant of a term $t$ is a pair consisting of a substitution $\sigma$ and the canonical form of $t\sigma$. Variant-based unification is decidable when the equational theory satisfies the finite variant property. However, it may compute many more unifiers than the necessary and, in this paper, we explore how to strengthen the variant-based unification algorithm implemented in Maude to produce a minimal set of most general variant unifiers. Our experiments suggest that this new adaptation of the variant-based unification is more efficient both in execution time and in the number of computed variant unifiers than the original algorithm available in Maude.
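The variant-based unification that the abstract above describes needs an equational theory with the finite variant property, marked so that Maude's variant machinery uses it. The following Maude module is an added example written for this page, not code from the cited paper: it specifies exclusive-or, the theory that the abstract names and that protocol analyses commonly rely on, and the sort and constant names (Msg, a, b, c, k) are chosen here.

```maude
*** Exclusive-or as an equational theory with the finite variant property.
*** Added example for this page; module, sort and constant names are ours.
fmod XOR is
  sort Msg .
  ops a b c k : -> Msg [ctor] .       *** constants standing for messages / keys
  op 0 : -> Msg [ctor] .              *** identity of xor
  op _+_ : Msg Msg -> Msg [ctor assoc comm] .
  vars X Y : Msg .
  *** Only equations tagged [variant] take part in variant generation and
  *** variant unification; the third equation is the extension needed for
  *** the set to be confluent modulo associativity and commutativity.
  eq X + 0 = X [variant] .
  eq X + X = 0 [variant] .
  eq X + X + Y = Y [variant] .
endfm

*** Commands to type at the Maude prompt once the module is loaded:
*** get variants X + Y .              --- the finitely many variants of X + Y
*** variant unify X + a =? b + c .    --- a complete, finite set of unifiers modulo xor
*** variant unify X + k =? Y + k .    --- cancels k on both sides
```

Because every term of this theory has finitely many variants, `variant unify` terminates with a complete set of unifiers; for a theory without the finite variant property (plain associativity, for instance) the same command may not terminate, which is the caveat to check before using variant unification as a decision procedure.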
... Maude implements rewriting based on membership equational logic [18], which extends many-sorted equational logic with membership axioms. The expressiveness of such axioms is illustrated by the specification of ordered lists, which cannot be defined using plain many-sorted equational logic.[1] In the short example below, we use a conditional membership axiom to state that a list with at least two elements is ordered: ... In this case, lists are constructed simply by juxtaposition, and OList < List is the subsort of ordered lists; the first condition indicates that the first two elements of the list must ...
[1] They can be defined using predicates, but not as a subsort of all lists. ...
... A rewrite theory $\mathcal{R}$ formally describes a concurrent system including its static structure and dynamic behavior. It is a tuple $(\Sigma, E \cup A, R)$ consisting of: (1) a membership equational logic (MEL) [25] signature $\Sigma$ that declares the kinds, sorts and operators to be used in the specification; (2) a set $E$ of $\Sigma$-sentences, which are universally quantified Horn clauses with atoms that are either equations ($t = t'$) or memberships ($t : s$) (where $t$ and $t'$ are terms and $s$ is a sort); (3) a set $A$ of equational axioms, such as commutativity, associativity and/or identity axioms; and (4) a set $R$ of rewrite rules $t \longrightarrow t'$ if $C$ specifying the computational behavior of the system. (See [12] for a detailed account of generalized rewrite theories). ...
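The ordered-list membership axiom sketched two snippets above and the four components $(\Sigma, E \cup A, R)$ listed in this one can be seen together in a single Maude specification. What follows is an added example written for this page, not the code of either cited paper: the functional module is the membership equational theory (signature, memberships and equations $E$, structural axioms $A$), and the system module on top of it contributes the rules $R$. Module, operator and rule names are chosen here.

```maude
*** Functional module: the membership equational theory (Sigma, E u A).
*** Added example for this page; names are ours, not from the cited papers.
fmod ORDERED-NAT-LIST is
  protecting NAT .
  sorts OList List .                  *** Sigma: sorts (kinds are implicit)
  subsorts Nat < OList < List .       *** a single number is trivially ordered
  op nil : -> OList [ctor] .
  *** A: juxtaposition is associative with identity nil
  op __ : List List -> List [ctor assoc id: nil] .
  op len : List -> Nat .

  vars N M : Nat .
  var  L   : List .

  *** E, membership: a list with at least two elements is ordered when its
  *** first two elements are in order and the list without its head is ordered
  cmb N M L : OList if N <= M /\ M L : OList .

  *** E, equations: an ordinary recursive definition of length
  eq len(nil) = 0 .
  eq len(N L) = 1 + len(L) .
endfm

*** System module: the rewrite theory (Sigma, E u A, R); R adds transitions.
mod BUBBLE-SORT is
  protecting ORDERED-NAT-LIST .
  vars N M  : Nat .
  vars L L' : List .
  *** R: swap one adjacent out-of-order pair; matching is modulo A, so the
  *** rule applies anywhere inside the list
  crl [swap] : L N M L' => L M N L' if M < N .
endm

*** At the Maude prompt:
*** red 1 2 3 .        --- the reported least sort is OList (membership applies)
*** red 3 1 2 .        --- stays at sort List (no membership applies)
*** rew 3 1 2 .        --- applies swap until no pair is out of order
```

The practical difference between the membership and a Boolean predicate `ordered(L)` is visible in the sort of the result: a term is an OList only when the conditional membership can be proved, so an operator declared on OList can never be applied to an unsorted list, which is the point the cited snippet makes about subsorts versus predicates.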
Conference Paper
Distance-bounding (DB) protocols protect against relay attacks on proximity-based access control systems. In a DB protocol, the verifier computes an upper bound on the distance to the prover by measuring the time-of-flight of exchanged messages. DB protocols are, however, vulnerable to distance fraud, in which a dishonest prover is able to manipulate the distance bound computed by an honest verifier. Despite their conceptual simplicity, devising a formal characterization of DB protocols and distance fraud attacks that is amenable to automated formal analysis is non-trivial, primarily because of their real-time and probabilistic nature. In this work, we introduce a generic, computational model, based on Rewriting Logic, for formally analyzing various forms of distance fraud, including recently identified timing attacks, on the Hancke-Kuhn family of DB protocols through statistical model checking. While providing an insightful formal characterization on its own, the model enables a practical formal analysis method that can help system designers bridge the gap between conceptual descriptions and low-level designs. In addition to accurately confirming known results, we use the model to define new attack strategies and quantitatively evaluate their effectiveness under realistic assumptions that would otherwise be difficult to reason about manually.
... An equational theory is a tuple $(\Sigma, E)$, with $\Sigma$ an order-sorted signature and $E$ a finite collection of (possibly conditional) $\Sigma$-equations. An equational theory $\mathcal{E} = (\Sigma, E)$ induces the congruence relation $=_E$ on $T_\Sigma(X)$ defined for $t, u \in T_\Sigma(X)$ by $t =_E u$ if and only if $E \vdash t = u$, where $E \vdash t = u$ denotes $E$-provability by the deduction rules for order-sorted equational logic in [22]. The expressions $T_{\mathcal{E}}(X)$ and $T_{\mathcal{E}}$ (also written $T_{\Sigma/E}(X)$ and $T_{\Sigma/E}$) denote the quotient algebras induced by $=_E$ on the term algebras $T_\Sigma(X)$ and $T_\Sigma$, respectively. ...
Chapter
The Business Process Model and Notation (BPMN) is the standard notation for modeling business processes. It relies on a workflow-based language that allows for the modeling of the control-flow graph of an entire process. In this paper, the main focus is on an extension of BPMN with data, which is convenient for describing real-world processes involving complex behavior and data descriptions. By considering this level of expressiveness due to the new features, challenging questions arise regarding the choice of the semantic framework for specifying such an extension of BPMN, as well as how to carry out the symbolic simulation, validation, and correctness of the process models. These issues are addressed first by providing a symbolic executable rewriting logic semantics of BPMN using the rewriting modulo SMT framework, where the execution is driven by rewriting modulo axioms and by querying SMT decision procedures for data conditions. Second, reachability properties, such as deadlock freedom and detection of unreachable states with data exhibiting certain values, can be specified and automatically checked with the help of Maude, thanks to its support for rewriting modulo SMT. The approach presented in this paper has been validated on realistic processes and it is illustrated with a running example.
... In this paper we explore some new uses of first-order logic in program analysis. After providing a generic approach where we consider arbitrary first-order theories, we apply our results to rewriting-based systems, including Term Rewriting Systems (TRSs, [2]), Conditional TRSs (CTRSs, [3,11,28]), Membership Equational Programs [26], and more general rewriting-based formalisms [4,15,27]. The insertion of a 'rewriting-based system' $\mathcal{R}$ into First-Order Logic is made as a Horn theory $\mathcal{R}$, i.e., a set of universally quantified implications $A_1 \wedge \cdots \wedge A_n \Rightarrow B$ for some $n \geq 0$, where $A_i$, $1 \leq i \leq n$, and $B$ are atoms with predicate symbols $\to$, $\to^*$, etc. ...
Chapter
Computational systems based on a first-order language that can be given a canonical model which captures provability in the corresponding calculus can often be seen as first-order theories $\mathcal{S}$, and computational properties of such systems can be formulated as first-order sentences $\varphi$ that hold in such a canonical model of $\mathcal{S}$. In this setting, standard results regarding the preservation of satisfiability of different classes of first-order sentences yield a number of interesting applications in program analysis. In particular, properties expressed as existentially quantified boolean combinations of atoms (for instance, a set of unification problems) can then be disproved by just finding an arbitrary model of the considered theory plus the negation of such a sentence. We show that rewriting-based systems fit into this approach. Many computational properties (e.g., infeasibility and non-joinability of critical pairs in (conditional) rewriting, non-loopingness, or the secure access to protected pages of a web site) can be investigated in this way. Interestingly, this semantic approach succeeds when specific techniques developed to deal with the aforementioned problems fail.
... In it, a system is axiomatized by a rewrite theory $(\Sigma, E, R)$, where $(\Sigma, E)$ is an equational theory describing its set of states in terms of an algebraic data type $T_{\Sigma/E}$ associated to an initial algebra $(\Sigma, E)$, and $R$ is a collection of rewrite rules. Maude's underlying equational logic is membership equational logic [21], a Horn logic whose atomic sentences are equalities $t = t'$ and membership assertions of the form $t : S$, stating that a term $t$ has sort $S$. ...
Article
Complex Event Processing (CEP) is a cutting-edge technology for analyzing and correlating streams of information about events that happen in a system, and deriving conclusions from them. CEP permits defining complex events based on the events produced by the incoming sources, to identify complex meaningful circumstances and to respond to them as quickly as possible. Such event types and patterns are defined using Event Processing Languages (EPLs). However, as the complexity of CEP programs grows, they become difficult to understand and to prove correct. This paper proposes a formal framework for the specification of CEP applications, using rewriting logic and Maude, to allow developers to formally analyze and prove properties of their CEP programs. Several case studies are presented to illustrate the approach, as well as a discussion on the benefits of using Maude and its toolkit for modeling and analyzing CEP systems.
... Note right away that, by finding an encoding in supernatural deduction, we therefore obtain, by way of compatible presentations, an expression of pure type systems as a theory of first-order logic. This is not the first representation of pure type systems in first-order logic, since for example Mark-Oliver Stehr and José Meseguer (2004) expressed them in membership equational logic (José Meseguer, 1998), which can be seen as a sublogic of first-order logic. Nevertheless, our translation allows a closer similarity between type derivations and proofs in first-order logic (in supernatural deduction, more precisely), in particular with respect to their normalization. ...
Thesis
This thesis studies how integrating computation into proofs can simplify them. To this end we consider deduction modulo and superdeduction, two closely related formalisms in which computation is incorporated into proofs by means of a rewrite system. To improve mechanized proof search, we consider three simplicity criteria. Cut admissibility restricts the proof search space, but it is not always guaranteed in deduction modulo. We define a procedure that completes the rewrite system so that, in the end, cuts are admissible. Along the way, we show how to transform any theory in order to integrate it into the computational part of proofs. We then show how deduction modulo allows the size of proofs to be reduced arbitrarily, by transferring deduction steps into computation. In particular, we apply this to higher-order arithmetic to show that the size reductions that become possible by increasing the order one works in disappear when one works in deduction modulo. Following this last result, we investigated which higher-order systems can be simulated at first order in deduction modulo. We focused on pure type systems and show how they can be encoded in superdeduction, which opens new perspectives on their normalization and on proof search within them. We also develop a methodology that allows superdeduction to be used to specify deduction systems.
... First-Order Logic is an appropriate language to express the semantics of computational systems and also the (claimed) properties of such computational systems [5]. In this paper we explore the use of first-order logic in the analysis of rewriting-based systems, including Term Rewriting Systems (TRSs, [2]), Conditional TRSs (CTRSs, [3,11,30]), Membership Equational Programs [12,28], and more general rewriting-based formalisms [4,16,29]. The insertion of a 'rewriting-based system' $\mathcal{R}$ into First-Order Logic is made as (the specification of) a Horn theory, i.e., a set of sentences $\mathcal{R}$ which are universally quantified implications $A_1 \wedge \cdots \wedge A_n \Rightarrow B$ for some $n \geq 0$ where $A_i$, $1 \leq i \leq n$, and $B$ are atoms corresponding to predicate symbols $\to$, $\to^*$, etc. ...
Article
Properties expressed as the provability of a first-order sentence can be disproved by just finding a model of the negation of the sentence. This fact, however, is meaningful in restricted cases only, depending on the shape of the sentence and the class of systems at stake. In this paper we show that a number of interesting properties of rewriting-based systems can be investigated in this way, including infeasibility and non-joinability of critical pairs in (conditional) rewriting, non-loopingness of conditional rewrite systems, or the secure access to protected pages of a web site modeled as an order-sorted rewrite theory. Interestingly, this uniform, semantic approach succeeds when specific techniques developed to deal with the aforementioned problems fail.
... A functional module specifies a membership equational theory, and a system module specifies a rewrite theory. A membership equational theory is a pair of the form $(\Sigma, E \cup A)$, whose underlying logic is called membership equational logic [16]. ...
Article
The UML profile for Modeling and Analysis of Real-Time and Embedded systems (MARTE) is used to design and analyze real-time and embedded systems. The Clock Constraint Specification Language (ccsl) is a companion language for MARTE. It introduces logical clocks as first class citizens as a way to formally specify the expected behavior of models, thus allowing formal verification. ccsl describes the expected infinite behaviors of reactive embedded systems. In this paper we introduce and focus on the notion of periodic schedule to allow for a nice finite abstraction of these infinite behaviors. After studying the theoretical properties of those schedules we give a practical way to deal with them based on the executable operational semantics of ccsl in rewriting logic with Maude. We also propose an algorithm to find automatically periodic schedulers with the proposed sufficient condition, and to perform formal analysis of ccsl constraints by means of customized simulation and bounded LTL model checking.
... Maude's functional modules are theories in membership equational logic [9,69], a Horn logic whose atomic sentences are either equalities $t = t'$ or membership assertions of the form $t : s$, stating that a term $t$ has a certain sort $s$. Such a logic extends OBJ3's [48] order-sorted equational logic and supports sorts, subsorts, subsort polymorphic overloading of operators, and definition of partial functions with equationally defined domains. ...
Chapter
This paper is a tribute to José Meseguer, from the rest of us in the Maude team, reviewing the past, the present, and the future of the language and system with which we have been working for around two decades under his leadership. After reviewing the origins and the language’s main features, we present the latest additions to the language and some features currently under development. This paper is not an introduction to Maude, and some familiarity with it and with rewriting logic are indeed assumed.
... Goguen's and Burstall's invention of the concept of institution to formalise the notion of logical system has stimulated a research programme with the general idea that modular structuring of complex specifications can be studied largely independently of the details of the underlying logical system. José Meseguer has made important contributions to institutions and their translations [1-4,7,11-15,19], and to the study of module systems over arbitrary institutions, see especially [7]. His contributions have been inspiring for our work, and some of his papers are among those we cite most frequently. ...
Chapter
The notion of module extraction has been studied extensively in the ontology community. The idea is to extract, from a large ontology, those axioms that are relevant to certain concepts of interest (formalised as a subsignature). The technical concept used for the definition of module extraction is that of inseparability, which is related to indistinguishability known from observational specifications. Module extraction has been studied mainly for description logics and the Web Ontology Language OWL. In this work, we generalise previous definitions and results to an arbitrary inclusive institution. We reveal a small inaccuracy in the formal definition of inseparability, and show that some results hold in an arbitrary inclusive institution, while others require the institution to be weakly union-exact. This work provides the basis for the treatment of module extraction within the institution-independent semantics of the distributed ontology, modeling and specification language (DOL), which is currently under submission to the Object Management Group (OMG).
... An equational theory is a tuple $(\Sigma, E)$, with $\Sigma$ an order-sorted signature and $E$ a finite collection of (possibly conditional) $\Sigma$-equations. An equational theory $\mathcal{E} = (\Sigma, E)$ induces the congruence relation $=_E$ on $T_\Sigma(X)$ defined for $t, u \in T_\Sigma(X)$ by $t =_E u$ if and only if $E \vdash t = u$, where $E \vdash t = u$ denotes $E$-provability by the deduction rules for order-sorted equational logic in [47]. For the purpose of this paper, such inference rules, which are analogous to those of many-sorted equational logic, are even simpler thanks to the assumption that $\Sigma$ has nonempty sorts, which makes unnecessary the explicit treatment of universal quantifiers. ...
Article
This paper proposes rewriting modulo SMT, a new technique that combines the power of SMT solving, rewriting modulo theories, and model checking. Rewriting modulo SMT is ideally suited to model and analyze reachability properties of infinite-state open systems, i.e., systems that interact with a nondeterministic environment. Such systems exhibit both internal nondeterminism, which is proper to the system, and external nondeterminism, which is due to the environment. In a reflective formalism, such as rewriting logic, rewriting modulo SMT can be reduced to standard rewriting. Hence, rewriting modulo SMT naturally extends rewriting-based reachability analysis techniques, which are available for closed systems, to open systems. Furthermore, a single state expression with symbolic constraints can now denote an infinite set of concrete states. The proposed technique is illustrated with the formal analysis of: (i) a real-time system that is beyond the scope of timed-automata methods and (ii) automatic detection of reachability violations in a synchronous language developed to support autonomous spacecraft operations.
... Example 1. The following Maude program is a Membership Equational Logic specification [16], somewhat sugared, as explained in [13]. Sort Node represents the nodes in a graph and sorts Edge and Path are intended to classify paths consisting of a single edge or many of them, respectively ... The execution of PATH is described as deduction of goals $t \to_{[s]} u$ (one-step rewriting for terms $t, u$ with sorts in the kind $[s]$), $t \to^*$ ...
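The PATH specification that the snippet above refers to is not reproduced on this page, and an earlier snippet mentions that membership equational logic supports "partial functions with equationally defined domains". The module below is an added example written for this page in the spirit of that specification, not the cited paper's own code: node and edge constants, and the `_;_` concatenation operator declared at the kind level, are chosen here. It shows how a conditional membership turns a total operator on the kind $[\mathrm{Path}]$ into a partial function whose domain, the well-formed paths, is defined by equations on `source` and `target`.

```maude
*** Graph paths with kind-level concatenation and an equationally defined
*** domain. Added example for this page; constants and names are ours.
fmod PATH is
  sorts Node Edge Path .
  subsort Edge < Path .
  ops n1 n2 n3 : -> Node [ctor] .       *** three nodes
  ops a b c : -> Edge [ctor] .          *** three edges of the sample graph
  ops source target : Path -> Node .

  *** Declared on the kind [Path]: every concatenation is a term, but only
  *** those admitted by the membership below are well-formed paths. Terms
  *** that stay at the kind are error terms, not silently accepted paths.
  op _;_ : [Path] [Path] -> [Path] [ctor assoc] .

  var E : Edge .
  var P : Path .

  *** the sample graph: a : n1 -> n2, b : n2 -> n3, c : n3 -> n1
  eq source(a) = n1 .  eq target(a) = n2 .
  eq source(b) = n2 .  eq target(b) = n3 .
  eq source(c) = n3 .  eq target(c) = n1 .

  *** the domain of _;_ as a Path: consecutive pieces must meet
  cmb E ; P : Path if target(E) = source(P) .
  eq source(E ; P) = source(E) .
  eq target(E ; P) = target(P) .
endfm

*** At the Maude prompt:
*** red a ; b .          --- target(a) = source(b), so the result has sort Path
*** red a ; c .          --- target(a) =/= source(c); the result stays at kind [Path]
*** red target(a ; b ; c) .
```

The check a practitioner wants is the sort reported by `red`: a result at the kind `[Path]` rather than the sort `Path` is Maude's way of flagging an ill-formed input, which is what makes membership-defined domains useful for rejecting malformed data at the specification level instead of in ad hoc predicates.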
Conference Paper
A declarative programming language is based on some logic L and its operational semantics is given by a proof calculus which is often presented in a natural deduction style by means of inference rules. Declarative programs are theories S of L and executing a program is proving goals ϕ in the inference system I(S) associated to S as a particularization of the inference system of the logic. The usual soundness assumption for L implies that every model A of S also satisfies ϕ. In this setting, the operational termination of a declarative program is quite naturally defined as the absence of infinite proof trees in the inference system I(S). Proving operational termination of declarative programs often involves two main ingredients: (i) the generation of logical models A to abstract the program execution (i.e., the provability of specific goals in I(S)), and (ii) the use of well-founded relations to guarantee the absence of infinite branches in proof trees and hence of infinite proof trees, possibly taking into account the information about provability encoded by A. In this paper we show how to deal with (i) and (ii) in a uniform way. The main point is the synthesis of logical models where well-foundedness is a side requirement for some specific predicate symbols.
... To deal with polymorphism in our institution, we introduce the concept of polymorphic sorts. Polymorphic sorts recall type classes of Haskell or kinds such as defined in [19]. ...
Chapter
Large software systems are best specified using a multi-paradigm approach. Depending on which aspects of a system one wants to model, some logic formalisms are better suited than others. The theory of institutions and (co)morphisms between institutions provides a general framework for describing logical systems and their connections. This is the foundation of multi-modelling languages allowing one to deal with heterogeneous specifications in a consistent way. To make Object-Z accessible as part of such a multi-modelling language, we define the institution OZS for Object-Z. We have chosen Object-Z in part because it is a prominent software modelling language and in part because it allows us to study the formalisation of object-oriented concepts, like object identity, object state, dynamic behaviour, polymorphic sorts and inheritance.
... Maude [4] is a high-performance language and system that provides a powerful variety of correctness tools and techniques including prototyping, state space exploration, and model checking of temporal formulas. Maude programs correspond to specifications in rewriting logic (RWL) [5], which is an extension of membership equational logic [6] that, besides supporting equations and allowing the elements of a type or sort to be characterized by means of membership axioms, adds rewrite rules that can be non-deterministic in order to represent transitions in a concurrent system. Thanks to its reflective design and meta-level capabilities, the Maude system provides powerful and highly efficient meta-programming facilities. ...
Article
In this paper we propose a dynamic analysis methodology for improving the diagnosis of erroneous Maude programs. The key idea is to combine runtime checking and dynamic trace slicing for automatically catching errors at runtime while reducing the size and complexity of the erroneous traces to be analyzed (i.e., those leading to states failing to satisfy some of the assertions). First, we formalize a technique that is aimed at automatically detecting deviations of the program behavior (symptoms) with respect to two types of user-defined assertions: functional assertions and system assertions. The proposed dynamic checking is provably sound in the sense that all errors flagged are definitely violations of the specifications. Then, upon eventual assertion violations we generate accurate trace slices that help identify the cause of the error. Our methodology is based on (i) a logical notation for specifying assertions that are imposed on execution runs; (ii) a runtime checking technique that dynamically tests the assertions; and (iii) a mechanism based on (equational) least general generalization that automatically derives accurate criteria for slicing from falsified assertions.
... We will define an institution, that we will denote Maude_pre, which can be, like in the case of Maude's logic, parametric over the underlying equational logic. Following the Maude implementation, we have used membership equational logic [Meseguer, 1998]. The resulting institution Maude_pre is very similar to the one defined in the context of CafeOBJ [Futatsugi and Diaconescu, 1998, Diaconescu, 2008] for preordered algebra (the differences are mainly given by the discussion about operation profiles below, but this is only a matter of representation). ...
Article
The main objective of this work is to bring a number of improvements to the Heterogeneous Tool Set HETS, both from a theoretical and an implementation point of view. In the first part of the thesis we present a number of recent extensions of the tool, among which declarative specifications of logics, generalized theoroidal comorphisms, heterogeneous colimits and integration of the logic of the term rewriting system Maude. In the second part we concentrate on the CASL architectural refinement language, that we equip with a notion of refinement tree and with calculi for checking correctness and consistency of refinements. Soundness and completeness of these calculi is also investigated. Finally, we present the integration of the VSE refinement method in HETS as an institution comorphism. Thus, the proof management component of HETS remains unmodified.
Book
Most of us share the feeling that the teaching of an interdisciplinary field spanning logic, linguistics and computer science should be available in such a way that will facilitate further interdisciplinary research. Nevertheless, we are aware that the needs are different in those fields of study which have already been established. The overall concern is the teaching of logic, but with special regard to addressing innovations and the systematization of educational activity. We believe that the role of logic in the shaping of the epistemology of this XXI century creature should be crucial; information technology is rapidly changing the world we live in, and logic is helping us to produce, distribute and process information, as well as to understand how coded information can modify people's state of knowledge. At the University of Salamanca the First International Congress on Tools for Teaching Logic took place in June 2000. A number of logicians from different countries in Europe, the US and South America gathered there to focus on education on the interfaces between philosophy, linguistics, mathematics, computer science and related disciplines. More information: http://logicae.usal.es/SICTTL/
Article
Full-text available
In the present study, we provide conditions for the existence of pushouts of signature morphisms in constructor-based order-sorted algebra, and then we prove that reducibility and termination of term rewriting systems are closed under pushouts. Under the termination assumption, reducibility is equivalent to sufficient-completeness, which is crucial for proving several important properties in computing for constructor-based logics such as completeness, existence of initial models and interpolation. In logic frameworks that are not based on constructors, sufficient-completeness is essential to establish the soundness of the induction schemes which are based on some methodological constructor operators. We discuss the application of our results to the instantiation of parameterized specifications.
Article
Full-text available
Equational unification of two terms consists of finding a substitution that, when applied to both terms, makes them equal modulo some equational properties. Equational unification is of special relevance to automated deduction, theorem proving, protocol analysis, partial evaluation, model checking, etc. Several algorithms have been developed in the literature for specific equational theories, such as associative-commutative symbols, exclusive-or, Diffie-Hellman, or Abelian Groups. Narrowing was proved to be complete for unification and several cases have been studied where narrowing provides a decidable unification algorithm. A new narrowing-based equational unification algorithm relying on the concept of the variants of a term has been developed and it is available in the most recent version of Maude, version 2.7.1, which provides quite sophisticated unification features. A variant of a term t is a pair consisting of a substitution σ and the canonical form of tσ. Variant-based unification is decidable when the equational theory satisfies the finite variant property. However, it may compute many more unifiers than necessary and, in this paper, we explore how to strengthen the variant-based unification algorithm implemented in Maude to produce a minimal set of most general variant unifiers. Our experiments suggest that this new adaptation of the variant-based unification is more efficient both in execution time and in the number of computed variant unifiers than the original algorithm available in Maude.
Article
Designers of distributed database systems face the choice between stronger consistency guarantees and better performance. A number of applications only require read atomicity (RA) (either all or none of a transaction’s updates are visible to other transactions) and prevention of lost updates (PLU). Existing distributed transaction systems that meet these requirements also provide additional stronger consistency guarantees (such as causal consistency), but this comes at the price of lower performance. In this paper we propose a new distributed transaction protocol, ROLA, that targets application scenarios where only RA and PLU are needed. We formally specify ROLA in Maude. We then perform model checking to analyze both the correctness and the performance of ROLA. For correctness, we use standard model checking to analyze ROLA’s satisfaction of RA and PLU. To analyze performance we: (a) perform statistical model checking to analyze key performance properties; and (b) compare these performance results with those obtained by also modeling and analyzing in Maude the well-known protocols Walter and Jessy that also guarantee RA and PLU. Our statistical model checking results show that ROLA outperforms both Walter and Jessy.
Conference Paper
Full-text available
A theory S in a logic supplied with an inference system is operationally terminating if no goal has an infinite well-formed proof tree. Well-formed proof trees are those which an interpreter would incrementally build when trying to solve a condition at a time from left to right. For this reason, infinite well-formed proof trees have a unique infinite branch which is called the spine. This paper introduces the notion of a directed proof tree for S and a set of formulas ∆, which we call a direction. Intuitively, a direction ∆ is intended to collect formulas that are infinitely often used in the spine of an infinite well-formed proof tree (which is then called ∆-directed) due to the repeated use of some specific inference rules. Then we introduce the notion of ∆-directed operational termination of a theory as the absence of ∆-directed proof trees. This new notion permits the definition of different termination properties which can be useful to distinguish different computational behaviors. It also gives a new characterization of operational termination of a (finite) theory S as the conjunction of the ∆-directed operational termination of S for each direction ∆ in a (finite) set of directions.
Presentation
Full-text available
Invited talk at the Séminaire du Laboratoire d'Informatique et de Mathématiques, Université de La Réunion.
Conference Paper
Full-text available
A declarative programming language is based on some logic L and its operational semantics is given by a proof calculus which is often presented in a natural deduction style by means of inference rules. Declarative programs are theories S of L and executing a program is proving goals φ in the inference system I(S) associated to S as a particularization of the inference system of the logic. The usual soundness assumption for L implies that every model A of S also satisfies φ. In this setting, the operational termination of a declarative program is quite naturally defined as the absence of infinite proof trees in the inference system I(S). Proving operational termination of declarative programs often involves two main ingredients: (i) the generation of logical models A to abstract the program execution (i.e., the provability of specific goals in I(S)), and (ii) the use of well-founded relations to guarantee the absence of infinite branches in proof trees and hence of infinite proof trees, possibly taking into account the information about provability encoded by A. In this tutorial we show how to deal with (i) and (ii) in a uniform way. The main point is the synthesis of logical models where well-foundedness is a side requirement for some specific predicate symbols.
Article
Full-text available
Software models are the core development artifact in model-based engineering (MBE). The MBE paradigm promotes the use of software models to describe structure and behavior of the system under development and proposes the automatic generation of executable code from the models. Thus, defects in the models most likely propagate to executable code. To detect defects already at the modeling level, many approaches propose to use formal verification techniques to ensure the correctness of these models. These approaches are the subject of this survey. We review the state of the art of formal verification techniques for software models and provide a feature-based classification that allows us to categorize and compare the different approaches.
Article
A pattern t, i.e., a term possibly with variables, denotes the set (language) ⟦t⟧ of all its ground instances. In an untyped setting, symbolic operations on finite sets of patterns can represent Boolean operations on languages. But for the more expressive patterns needed in declarative languages supporting rich type disciplines such as subtype polymorphism, untyped pattern operations and algorithms break down. We show how they can be properly defined by means of a signature transformation Σ ↦ Σ# that enriches the types of Σ. We also show that this transformation allows a systematic reduction of the first-order logic properties of an initial order-sorted algebra supporting subtype-polymorphic functions to equivalent properties of an initial many-sorted (i.e., simply typed) algebra. This yields a new, simple proof of the known decidability of the first-order theory of an initial order-sorted algebra.
Conference Paper
Variant satisfiability is a theory-generic algorithm to decide quantifier-free satisfiability in an initial algebra T_{Σ/E} when the theory (Σ, E) has the finite variant property and its constructors satisfy a compactness condition. This paper: (i) gives a precise definition of several meta-level sub-algorithms needed for variant satisfiability; (ii) proves them correct; and (iii) presents a reflective implementation in Maude 2.7 of variant satisfiability using these sub-algorithms.
Article
Research in the formal analysis of cryptographic protocols has produced much good work in the solving of equality constraints, developing new methods for unification, matching, and deducibility. However, considerably less attention has been paid to disequality constraints. These also arise quite naturally in cryptographic protocol analysis, in particular for analysis of indistinguishability properties. Thus methods for deciding whether or not they are satisfiable could potentially be quite useful in reducing the size of the search space by protocol analysis tools. In this paper we develop a framework for reasoning about disequality constraints centered around the paradigm of the most discriminating Dolev-Yao attacker, who is able to detect a disequality if it is satisfied in some implementation of the crypto-algebra satisfying given equality properties. We develop several strategies for handling disequalities, prove their soundness and completeness, and demonstrate the result of experimental analyses using the various strategies. Finally, we discuss how disequality checking algorithms could be incorporated within symbolic reachability protocol analysis methods.