Introduction to Algebraic Specifications with CafeOBJ
Lecture 2, 21/11/2012
National Technical University of Athens
CafeOBJ Use Cases
• TESLA Protocol
• Sensor Network Encryption Protocol
• MPEG-2 Encoding Algorithm
• Social Networks
• Semantic Web
• DRM systems
• E-Government Systems
• Many more…
CafeOBJ Use Cases
• Take it slow…
• Systems:
  – DATA TYPES
  – ACTIONS ON DATA TYPES
• Before we go into systems we must start simple:
  – Study the specification of simple data types (Natural numbers)
  – Learn how to verify
Review of a Module
(Slide labels pointing into the module: Module Name, Sort, Signature, operations, Variable definition, equations)

  mod! NATplus {
    [Nat]
    op 0 : -> Nat
    op s_ : Nat -> Nat
    op _+_ : Nat Nat -> Nat
    vars M N : Nat
    eq 0 + N = N .
    eq (s M) + N = s(M + N) .
  }
Example Factorial
• Define Factorial
• What data types do we need?
• Which operations on these data types?

NO SORT DECLARED! We only import the module PNAT:
this allows us to use everything defined in PNAT (the sort Nat, the constructors 0 and s, and _*_).

Example Factorial

  mod! FACT {
    pr(PNAT)
    op _! : Nat -> Nat
    var X : Nat
    ceq X ! = s(0) if X = 0 .
    eq s(X) ! = s(X) * (X !) .
  }
Example Factorial
• Reduction:

  open FACT
  red 0 ! .
  red s(s(s(0))) ! .
  close
Proofs – Example Associativity of +
• Data types required?
• Operations on these data types?

Proofs – Example Associativity of +

  mod! PNAT {
    [Nat]
    op 0 : -> Nat
    op s : Nat -> Nat
    op _+_ : Nat Nat -> Nat {prec: 30}
    op _*_ : Nat Nat -> Nat {prec: 29}
    op _=_ : Nat Nat -> Bool {comm}
    vars X Y : Nat
    -- _+_
    eq 0 + Y = Y .
    eq s(X) + Y = s(X + Y) .
    -- _*_
    eq 0 * Y = 0 .
    eq s(X) * Y = Y + (X * Y) .
    -- _=_
    eq (X = X) = true .
    eq (0 = s(Y)) = false .
    eq (s(X) = s(Y)) = (X = Y) .
  }
Proofs – Example Associativity of +
  mod THEOREM-PNAT {
    pr(PNAT)
    -- arbitrary values
    ops x y z : -> Nat
    -- variables are module-local, so they must be declared again here
    vars X Y Z : Nat
    -- Names of Theorems
    op th1 : Nat Nat Nat -> Bool
    eq th1(X,Y,Z) = ((X + Y) + Z = X + (Y + Z)) .
  }
Proofs – Example Associativity of +

  -- I. Base case: reduce with X = 0 (y, z are the arbitrary constants).
  open THEOREM-PNAT
  red th1(0,y,z) .
  close
  --
  -- II. Induction case: if it holds for x then it should hold for s(x).
  open THEOREM-PNAT
  -- check
  red th1(x,y,z) implies th1(s(x),y,z) .
  close
Proofs – Example Commutativity of +
• Previous proof was very easy
  – Minimum human interaction was required
• Are all proofs this easy?
  – 99.9% of the cases no.
  – Example: Commutativity of +
Commutativity of +
• Add to THEOREM-PNAT:
    op th2 : Nat Nat -> Bool
    eq th2(X,Y) = (X + Y = Y + X) .
• Try the base case:
    open THEOREM-PNAT
    red th2(0,y) .
    close
• CafeOBJ returns: (y = (y + 0)):Bool
• Conclude it cannot reduce y + 0 to y (no equation in PNAT has a variable on the right of _+_)
• We must PROVE it
Commutativity of +
• Add to THEOREM-PNAT:
    op th5 : Nat -> Bool
    eq th5(X) = (X + 0 = X) .

  -- I. Base case.
  open THEOREM-PNAT
  -- check
  red th5(0) .
  close
  --
  -- II. Induction case.
  open THEOREM-PNAT
  -- check
  red th5(x) implies th5(s(x)) .
  close
Commutativity of +
• Use the new theorem to prove the base case of th2:

  open THEOREM-PNAT
  -- check
  red th5(y) implies th2(0,y) .
  close
Commutativity of +
• Inductive Step:
  – red th2(x,y) implies th2(s(x),y) .
• CafeOBJ returns:
  – ((((x + y) = (y + x)) and (s((x + y)) = (y + s(x)))) xor (((x + y) = (y + x)) xor true)):Bool
• No obvious Lemma:
  – SPLIT THE CASE
Commutativity of +
• Case Splitting is done by:
  – Selecting a part of the returned term (here the sub-term (x + y = y + x))
  – Adding as assumptions that it is equal to true and false respectively, and reducing the goal under each assumption

  red th2(x,y) implies th2(s(x),y) .
    Case 1:  eq (x + y = y + x) = false .   red th2(x,y) implies th2(s(x),y) .
    Case 2:  eq (x + y = y + x) = true .    red th2(x,y) implies th2(s(x),y) .
Commutativity of +
  open THEOREM-PNAT
  -- assumptions
  eq (x + y = y + x) = false .
  -- check
  red th2(x,y) implies th2(s(x),y) .
  close
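The complete case split for the induction step of th2, as an added example that is not part of the lecture slides. It assumes the PNAT module above, collects th2 and a helper lemma th6 (Y + s(X) = s(Y + X), a name chosen here) into a module THEOREM-COMM (also a name chosen here), proves th6 by induction first, and then closes both branches of the case split; the true branch needs th6 as a rewrite rule, which is why the slide's false branch alone does not finish the proof.

```cafeobj
-- Added example, not from the slides. Assumes PNAT as defined above.
mod THEOREM-COMM {
  pr(PNAT)
  -- arbitrary values
  ops x y : -> Nat
  vars X Y : Nat
  op th2 : Nat Nat -> Bool
  op th6 : Nat Nat -> Bool       -- hypothetical lemma name
  eq th2(X,Y) = (X + Y = Y + X) .
  eq th6(X,Y) = (X + s(Y) = s(X + Y)) .
}

-- Lemma th6, by induction on the first argument.
-- Base case: 0 + s(y) = s(0 + y) reduces to (s(y) = s(y)), then true.
open THEOREM-COMM
red th6(0,y) .
close
-- Induction step: s(x) + s(y) = s(s(x) + y) reduces to th6(x,y) itself,
-- so th6(x,y) implies th6(x,y) reduces to true.
open THEOREM-COMM
red th6(x,y) implies th6(s(x),y) .
close

-- Induction step of th2, case 1: the selected sub-term is false.
-- (false and B) xor (false xor true) reduces to true without any lemma.
open THEOREM-COMM
eq (x + y = y + x) = false .
red th2(x,y) implies th2(s(x),y) .
close

-- Induction step of th2, case 2: the selected sub-term is true.
-- The goal becomes (s(x + y) = y + s(x)); rewriting y + s(x) with the
-- proven instance th6(y,x) gives (s(x + y) = s(y + x)), i.e. the assumption.
open THEOREM-COMM
eq (x + y = y + x) = true .
eq y + s(x) = s(y + x) .       -- instance of th6, proved above
red th2(x,y) implies th2(s(x),y) .
close
```

Every red in this script is expected to return true; if the last one does not, check that the lemma equation was entered as a rewrite rule (LHS y + s(x)) and not as a Bool equation.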
Specification of a STACK
(Diagram: a stack with the operations top, push and pop)
Specification of a STACK
  mod! STACK (X :: ELEMENT) {
    [ EmptyStack NonEmptyStack < Stack ]
    op empty : -> EmptyStack
    op push : Element Stack -> NonEmptyStack
    op pop_ : NonEmptyStack -> Stack     -- only applicable to NonEmptyStack
    op top_ : NonEmptyStack -> Element   -- only applicable to NonEmptyStack
    eq top push(E:Element, S:Stack) = E .
    eq pop push(E:Element, S:Stack) = S .
  }
Verification of a simple property
• Prove that:
  – pop(pop(push(E1, push(E2, S)))) = pop(pop(push(E2, push(E1, S))))
Homework
• Associativity of *
• Commutativity of *