9/8/2015Rewriting Logic and Maude 1 Rewriting Logic and Maude Language Samira Tasharofi University...

04/19/23 Rewriting Logic and Maude 1

Rewriting Logic and Maude Language

Samira Tasharofi

University of Tehran

May 2007


Rewriting Logic

Rewriting logic Was studied since the 80s A logical framework in which other logics can be

represented Semantic framework for the specification of

languages and systems Based on simple deduction rules


Rewriting Logic (Cont.) Basic axioms are rewrite rules

t ->t’ with t and t expressions in a given language

The logic of concurrent action and change


Rewriting Logic (Cont.) There are two complementary readings of

a rewrite rule t->t’ Computational

Local transition in a concurrent system t and t’ describe patterns for fragments of the

distributed state of a system The rule explains how a local concurrent transition

can take place Logical

The rewrite rule t->t’ is interpreted as an inference rule so that we can infer formulas of t’ form t


Computational, Rewriting, Logical Elements

The computational and logical viewpoints are not exclusive they complement each other

StructurenalPropositioStructureAlgebraicStructuredDistibrute

DeductionRewritingTransition

nPropositioTermState


Rewriting Logic A signature in rewriting logic is an equational theory (, E) where

is an equational signature and E is a set of -equations

Rewriting will operate on equivalence classes of terms modulo E Free rewriting from the syntactic constraints of a term representation and

gain a much greater flexibility

Given a signature (, E), sentences of rewriting logic are sequents of the Form

where t and t’ are -terms possibly involving some variables and [t]E denotes the equivalence class of the term t modulo the equations E

Terms Variables, Constants, Operators

EE tt ]'[][


Rewrite Theory 4-tuple: (, E, L, R)

(, E) : the equational theory modulo which we rewrite

: equational signature E: a set of -equations

L: a set of labels R: a set of labeled rules (may be conditional)


Rewrite Theory: Rules of Deduction


Example I: Transition Systems


Example II: Context-free Grammars


Rewriting Logic Applications Semantic Framework Applications

Models of computations: Petri-net, Labeled transition systems Semantics of programming languages: CCS the pi-calculus Distributed Architectures and Components: CORBA, SOAP Specification and Analysis of Communication Protocols

Logical Framework Applications Representing Mapping and Reasoning about Logics : equational

logic, Hoare Logic, …. Specifying and Building Formal Tools: Full Maude tool, …

Language Implementations Maude


The Maude Rewriting Language Developed at SRI in Menlo Park California

Maximizes Simplicity

Only equations and rules Performance

Extensive use of advanced semi-compilation techniques

Expressiveness Equational pattern matching, User-definable syntax

and data


Maude Maude 2.0 is a powerful language based on Rewriting Logic

(RwL) and Equational Logic See: http://maude.cs.uiuc.edu

Maude is available for Unix-based operating systems: Linux, Mac OSX

Features Executability High performance engine Modularity and parameterization Builtins -- booleans, number hierarchy, strings Reflection -- using descent and ascent functions Search and model-checking


Maude (Cont.) Modules: the basic units of programming and

specification Functional modules: equational logic System modules: specify general rewrite theories Object-oriented modules: provide syntactic sugar for

object-oriented rewrite theories


Maude(Cont.) Maude is available in two versions:

Core Maude Provides all the basic functionalities

the interpreter : written in C++. the basic libraries the libraries implementing the model checking tool

Full Maude more precisely, it is an extension of Maude:

Is written in Maude itself (exploiting Maude as a meta-language) Contains Core Maude as a sublanguage Provides support for object-oriented programming (by means of

a specific notation) Some additional features for reflection


Running Maude Core Maude: maude-linux/bin$ maude-linux Full Maude: > maude.linux full-maude.maud Maude> load myList.maude


Core Maude


Core Maude: Foundations A Maude specification has two parts

An equational part describing structure and properties of system states (and ADT)

Functional module fmod NAME is … endfm

A rules part specifying how the system might change over time

System module mod NAME is … endm

Abstract Data Type (ADT) ADTs are specified in Maude using functional

modules

Data type: elements + operations on these elements

fmod <modname> is<imports> *** reuse, modularity<sorts> *** data types and subtyping<opdecls> *** names/and arities of operations<eqns> *** how to compute functions

endfm

Sort Kinds

sort Animal . subsort Dog < Animal .

sorts Terrier Hound Toy Sporting . subsorts Terrier Hound Toy Sporting < Dog .

There can be more than one topmost sort

Example: Natural Numbersfmod <NAME> PEANO-NAT-EXTRA is

<imports> *** reuse, modularity

<sorts> *** data types and subtypingsort Nat .

<opdecls> *** names/and arities of operations

<eqns> *** how to compute functions

endfm

Operator Declaration An operation can be thought of as a pathway between sorts

op <opname> : <argSorts> -> <resultSort> [<attributes>] .

attributes assoc, comm, id: <term>, ctor


Operator Declaration (Cont.) Operator name

Prefix op + : Nat Nat -> Nat . => +(x, y) ops + * : Nat Nat -> Nat . => +*(x, y)

Mixfix op _+_ : Nat Nat -> Nat . => x+y ops _+_ _*_ : Nat Nat -> Nat . op _OccursIn_ : Nat List -> Bool .

2 OccursIn list1 .


Operator Declaration(Cont.) Constructors and Operator Attributes

To designate a function as a constructor, one adds “[ctor]”

Can play the role of constants (ground terms) Maude variables do not carry or store values

op _ _ : Set Set -> Set [ctor assoc comm id: none] .

op _ _ : List List -> List [ctor assoc id: nil] .

Example: Natural Numbers

fmod PEANO-NAT-EXTRA is sort Nat .

<opdecls> *** names/and arities of operationsop 0 : -> Nat [ctor] .op s : Nat -> Nat [ctor] .op _+_ : Nat Nat -> Nat .

<eqns> *** how to compute functionsendfm

The numbers can represented as 0, s(0), s(s(0)), . . . can write 0, s(0), and s(0) + s(s(0))


Equations Provide the Maude interpreter with certain

rules to simplify an expression

Syntax uses the key word eq, followed by two expressions separated by the key symbol =, and then a period

Examples eq s(M) + N = s(M + N) .


Equations

The equations should be Terminating: no infinite computation

possible

Confluent: same result no matter how/which equations are applied

Example I: Natural Numbers

fmod PEANO-NAT-EXTRA issort Nat .op 0 : -> Nat [ctor] .op s : Nat -> Nat [ctor] .op _+_ : Nat Nat -> Nat .

<eqns> *** how to compute functions

vars M N : Nat .eq 0 + M = M .eq s(M) + N = s(M + N) .

endfm


The Maude Environment: Reduce Command

Maude’s red(uce) command computes the “value” of a term by using the equations from left to right until no equational can be applied Maude> load PEANO-NAT-EXTRA .maude Maude> red s(0) + s(s(0)) . result Nat: s(s(s(0)))


The Maude Environment: Reduce Command

To change the current module Maude> red in PEANO-NAT-EXTRA : s(0) +

s(s(0)) .

Seeing step by step reduction by Maude interpreter Maude> set trace on .


Built-in Modules Maude has a library (albeit small) of common modules to

import if needed

Common Supplied Modules: NAT, INT, FLOAT, and RAT QID: Quoted IDentifier STRING:

handles strings of characters and provides useful functions for searching and determining length.

BOOL with sort Bool Sort “Bool”

Constants: true , false Operators: ==, =/=, and, or, not (automatically imported)

Built-in modules in file prelude.maude


Import Modules A module M can import other modules

(submodules) in three different modes: protecting

Only using without altering extending

Only extending constructors including

Altering behaviors of ADT and deduction rules


Example: Natural Numbersfmod PEANO-NAT-MULT is

protecting PEANO-NAT-EXTRA . op _*_ : Nat Nat -> Nat . vars M N : Nat . eq N * 0 = 0 . eq N * s(M) = N + (N * M) .

endfm

Maude> red s(0) * s(s(0)) . Result Nat: s(s(0))

Maude> red s(s(0)) * s(s(s(0))) . result Nat: s(s(s(s(s(s(0)))))) .

Example II: List of Natural Numbersfmod LIST is protecting NAT .

sort List . subsort Nat < List .op nil : -> List [ctor] .op _++_ : List List -> List [ctor assoc id: nil] .op length : List -> Nat .var L : List . var N : Nat .eq length(nil) = 0 .eq length(L ++ N) = 1 + length(L) .

endfm Constructors: nil and _++_ (append)


Exercise Extend the module LIST with a function

op rev : List -> List .

which reverses a list

Test your function


Conditional Equations Conditional equation will execute a reduction

only if its condition reduces to true

Examples ceq N – M = 0 if M > N . eq max( M , N ) = if N > M then N else M fi .


Exercises In module LIST define a function

op _occursIn_ : Nat List -> Bool .which checks whether a number occurs in a list

Quick-sort:1. choose any element from a list as the pivot element2. recursively quicksort all elements smaller than pivot3. recursively sort all elements larger than pivot4. the sorted list is the result of (2), concatenated with all

elements equal to pivot, concatenated with result of (3)


Overloaded operators op _+_ : Integer Integer -> Integer . op _+_ : Nat Nat -> Nat . op _+_ : Wrong Wrong -> Right .


Summary Maude has many more features Maude assumes that equations terminating

and confluent Maude does not check it Termination and confluence are undecidable Undecidable whether t reduces to t’

Core Maude: System Modules System dynamics are specified in system modules using rewrite

rules

mod <modname> is*** functional part<imports> *** reuse, modularity<sorts> *** data types and subtyping<opdecls> *** names/and arities of operations<eqns> *** how to compute functions***

<rules>endfm

A system module defines a set of computations over the ADT specified by the functional part


Core Maude: System Modules A rewrite law declares the relationship

between the states and the transitions between them.

The most important characteristic of rewrite laws is their irreversibility. It’s a one-way street

Rule Declaration The <rules> part of a system module consists of rule

declarations having one of the forms rl[<id>]: <lhs> => <rhs> . crl[<id>]: <lhs> => <rhs> if <cond> . <lhs>, <rhs>, <cond> are terms, possibly containing variables

A rule applies to a term T if there is a substitution S (mapping variables to terms) such that S<lhs> is a subterm of T (<lhs> matches a subterm of T) and S <cond> rewrites to true.

In this case T can be rewritten by replacing the matched subterm by the matching instance of <rhs> (S <rhs>).


Petri-net Example: Vending Machine

An apple: 3 quarters A cake: 1 $


Petri-net Example: Vending Machine

mod VENDING-MACHINE issort Marking .

ops null $ c a q: -> Marking [ctor] .

op __ : Marking Marking -> Marking

[assoc comm id: null] .

rl[buy-c]: $ => c .

rl[buy-a]: $ => a q .

rl[change]: q q q q => $ .

endm


Rewriting Command Can simulate max n steps of one possible

behavior from initial state t: Maude> rew [n] t . Can omit ’[n]’ if terminating system


Search Command search [n] t =>* t’ such that cond . Search for up to n states reachable from t which

match t’ and satisfy cond Can omit ‘[n]’ and/or ‘such that cond’ cond is a semantic condition The arrow =>! searches for terminated

states/deadlocks Can show the path to a state

Show path …


Vending Machine: Maude Commands What is one way to use 3 $s?

Maude> rew $ $ $ . result Marking: q a c c

How can I get 2 apples with 3 $s?Maude> search $ $ $ =>! a a M:Marking .Solution 1 (state 8)M:Marking --> q q c

Solution 2 (state 9)M:Marking --> q q q a

No more solutions.states: 10 rewrites: 12


Vending Machine: Maude Commands

Show path command


Example: Gamemod GAME is protecting NAT .

protecting STRING .sort Game .op _-_ _:_ : String String Nat Nat -> Game .vars HOME AWAY : String .vars M N : Nat .rl [home-goal] :HOME - AWAY M : N => HOME - AWAY M + 1 : N .rl [away-goal] :HOME - AWAY M : N => HOME - AWAY M : N + 1 .

endm


Example: GameMaude> rew [5] "Italy" - "Brazil" 0 : 0 .result Game: "Italy" - "Brazil" 3 : 2

Maude> search [1]"Malmo FF" - "Fluminense" 0 : 0 =>* "Malmo FF" - "Fluminense" 5 : 1 .

Solution 1 (state 22)empty substitution

Maude> show path 22 .state 0, Game: "Malmo FF" - "Fluminense" 0 : 0===[ rl ... home-goal ]===>state 1, Game: "Malmo FF" - "Fluminense" 1 : 0...===[ rl ... away-goal ]===>state 22, Game: "Malmo FF" - "Fluminense" 5 : 1


Example: GameMaude> search [2] "Brazil" - "Italy" 0 : 0 =>* "Brazil" - "Italy" M:Nat :

N:Nat such that M:Nat > N:Nat + 4 .

Solution 1 (state 15)M --> 5N --> 0

Solution 2 (state 21)M --> 6N --> 0


Full Maude and Object-Oriented Modules


Object-Oriented Systems A state (or configuration) of a distributed

object system is seen a multiset of objects messages traveling between objects


Full Maude Full Maude supports object-oriented

specification in object-oriented modules (omod ... endom) special syntax for classes, objects all modules and commands enclosed in

parentheses

Full Maude: Configuration Module The predefined module CONFIGURATION

provides basic sorts and constructors for modeling object-based systems.

mod CONFIGURATION is*** basic object system sorts

sorts Object Msg Configuration .

*** construction of configurations

subsort Object Msg < Configuration .

op none : -> Configuration [ctor] .

op __ : Configuration Configuration -> Configuration

[ctor config assoc comm id: none] .

endm


Full Maude: Configuration Module classes ~ bigger versions of sorts objects ~ bigger versions of variables messages ~ bigger versions of operations

Object and Class An object can be represented as a term

< O: C | att1:val1, …, attn: valn > O is the object identifier of sort Oid C is the class of the object att1 to attn are the attributes of the object val1 to valn are their current values

Example: < "Peter" : Person | age : 35, status : single >

Class declarations: class Person | age : Nat, status : Status .

Object and Class : Inheritance

class TABLE | occupied : Bool , chairs : Nat .

class OutDoorTABLE | next2heater : Bool . subclass OutDoorTABLE < TABLE .

< A : OutDoorTABLE | occupied : O , chairs : N , next2heater : H >

Example: Objectsvar X : String . var N : Nat .

crl [birthday] :

< X : Person | age : N >

=>

< X : Person | age : N + 1 > if N < 1000 .

A state can be e.g.< "Peter" : Person | age : 35, status : single >

< "Ronaldo" : Person | age : 27, status : single >

< "Lizzie" : Person | age : 32, status : single >

Messages Messages are defined as terms of sort Msg:

msgs marry? yes no : Oid Oid -> Msg .

Message transmission modeled abstractly since we have multisets:

Send a marry? message:crl [propose] : < X : Person | age : N, status : single >=>< X : Person | status : waitFor(Y) >marry?(Y, X)if N > 15 .

Messages (Example)crl [accept] :marry?(Y, X)< Y : Person | age : N, status : single >=>< Y : Person | status : engaged(X) >yes(X, Y)if N > 15 .

rl [yes] :yes(X, Y)< X : Person | status : waitFor(Y) >=> < X : Person | status : engaged(Y) > .

Communication Example of asynchronous communication1. "Peter" sends marry? message2. "Lizzie" sends yes (or no) response3. "Peter" reads responsethings can happen in-between

Synchronous communication: both objects together:rl [wedding] :< X : Person | status : engaged(Y) >< Y : Person | status : engaged(X) >=>< X : Person | status : married(Y) >< Y : Person | status : married(X) > .


Case Study I: Dining Philosophers

Modeling the Chopsticks .

sort Chopstick .

op chopstick : Nat -> Chopstick [ctor] .

subsort Chopstick < Configuration .

msg chopstick : Nat -> Msg .

Philosophersclass Philosopher | state : State, noOfSticks : Nat, noOfEats :

Nat .

subsort Nat < Oid . *** Object names are numbers!

sort State .

ops thinking hungry eating : -> State [ctor] .

Rewrite Rulesvars I J K : Nat .

rl [hungry] : => .

crl [grabFirst] : chopstick(J) =>if I can use stick J .

op right : Nat -> Nat . *** The ‘‘right’’ chopstick index.eq right(I) = if I == 5 then 1 else I + 1 fi .op _can‘use‘stick_ : Nat Nat -> Bool .eq I can use stick J = (I == J) or (J == right(I)) .

Rewrite Rulescrl [grabSecond] : chopstick(J)

 =>



if I can use stick J .

rl [stopEating] : =>



chopstick(I) chopstick(right(I)) .

Executionop initState : -> Configuration .eq initState =chopstick(1) chopstick(2) chopstick(3) chopstick(4) chopstick(5)< 1 : Philosopher | state : thinking, noOfSticks : 0, noOfEats : 0 >< 2 : Philosopher | state : thinking, noOfSticks : 0, noOfEats : 0 >< 3 : Philosopher | state : thinking, noOfSticks : 0, noOfEats : 0 >< 4 : Philosopher | state : thinking, noOfSticks : 0, noOfEats : 0 >< 5 : Philosopher | state : thinking, noOfSticks : 0, noOfEats : 0

> .


Deadlock and Livelock Deadlock: The system is stuck and nothing can

happen in the system because no process can proceed until it gets a shared resource which is controlled by another process.

Livelock (also known as starvation): one philosopher could starve to death because she can never get hold of both chopsticks, while at the same time the other philosophers could feast merrily.


Exercises Execute the dining philosophers system using Full Maude’s

rew and frew commands. Do all philosophers get to eat sufficiently often?

Use Full Maude’s search command to show that there could be a deadlock in the system

Show a scenario (a “run”) which results in a deadlock

Propose a deadlock-free solution and show Explain there cannot be a deadlock in this specification.


Case Study II: Needham-Schroeder Public-KeyAuthentication Protocol

Protocol Specification Message 1. A→B : A.B.{Na .A}PK(B) Message 2. B →A : B.A.{Na .Nb}PK(A) Message 3. A→B : A.B.{Nb}PK(B)


Modeling Nonces and Keys(omod NSPK is

protecting NAT .

sort Nonce .

op nonce : Oid Nat -> Nonce [ctor] .

sort Key .

op pubKey : Oid -> Key [ctor] .

Modeling the Messagessort MsgContent .op _;_ : Nonce Oid -> MsgContent [ctor] . *** Message

kind "1"op _;_ : Nonce Nonce -> MsgContent [ctor] . ***

Message kind "2"subsort Nonce < MsgContent . *** Message kind "3“

sort EncrMsgContent .

op encrypt_with_ : MsgContent Key -> EncrMsgContent [ctor] .

msg msg_from_to_ : EncrMsgContent Oid Oid -> Msg .

Modeling the Initiatorsclass Initiator | initSessions : InitSessions, nonceCtr : Nat .

sorts Sessions InitSessions .subsort Sessions < InitSessions .op emptySession : -> Sessions [ctor] .op __ : InitSessions InitSessions -> InitSessions[ctor assoc comm id: emptySession] .

op __ : Sessions Sessions -> Sessions [ctor assoc comm id: emptySession] .

op notInitiated : Oid -> InitSessions [ctor] .op initiated : Oid Nonce -> InitSessions [ctor] .op trustedConnection : Oid -> Sessions [ctor] .


Modeling the Initiatorsvars A B : Oid .

vars M N : Nat .

vars NONCE NONCE’ : Nonce .

var IS : InitSessions .

Modeling the Initiators: Rulesrl [start-send-1] :< A : Initiator | initSessions : notInitiated(B) IS, nonceCtr : N >=>< A : Initiator | initSessions : initiated(B, nonce(A, N)) IS,nonceCtr : N + 1 >msg (encrypt (nonce(A, N) ; A) with pubKey(B)) from A to B .

rl [read-2-send-3] :(msg (encrypt (NONCE ; NONCE’) with pubKey(A)) from B to A)< A : Initiator | initSessions : initiated(B, NONCE) IS >=>< A : Initiator | initSessions : trustedConnection(B) IS >msg (encrypt NONCE’ with pubKey(B)) from A to B .

Modeling the Respondersclass Responder | respSessions : RespSessions, nonceCtr : Nat .

sort RespSessions .

subsort Sessions < RespSessions .

op __ : RespSessions RespSessions -> RespSessions

[ctor assoc comm id: emptySession] .

op responded : Oid Nonce -> RespSessions [ctor] .

var RS : RespSessions .

Modeling the Responderscrl [read-1-send-2] :(msg (encrypt (NONCE ; A) with pubKey(B)) from A

to B)=>msg (encrypt (NONCE ; nonce(B, N)) with

pubKey(A)) from B to Aif not A inSession RS .

Modeling the Respondersop _inSession_ : Oid RespSessions -> Bool .eq A inSession emptySession = false .eq A inSession (trustedConnection(B) RS) = (A == B) or (A inSession

RS) .eq A inSession (responded(B, NONCE) RS) = (A == B) or (A inSession

RS) .

rl [read-3] :(msg (encrypt NONCE with pubKey(B)) from A to B)=> .

Modeling Initiator and Responders

class InitiatorAndResponder .

subclass InitiatorAndResponder < Initiator Responder .

endom)

Executing the NSPK Specification(omod TEST-NSPK is

including NSPK .

including STRING .

subsort String < Oid .

op init : -> Configuration .

eq init =

< "a" : Initiator | initSessions : notInitiated("b"), nonceCtr : 1 >

< "b" : Responder | respSessions : emptySession, nonceCtr : 1 > .

Executing the NSPK Specificationop init2 : -> Configuration .

eq init2 =

< "a" : InitiatorAndResponder | initSessions : notInitiated("c"),

respSessions : emptySession,

nonceCtr : 1 >

< "Bank" : Responder | respSessions : emptySession, nonceCtr : 1 >

< "c" : InitiatorAndResponder | initSessions :

notInitiated("Bank") notInitiated("a"),

respSessions : emptySession,

nonceCtr : 1 > .

endom)

Executing the NSPK SpecificationMaude> (rew init .)result Configuration :< "a" : Initiator | nonceCtr : 2, initSessions : trustedConnection("b") >< "b" : Responder | nonceCtr : 2, respSessions : trustedConnection("a")

>

Maude> (search init =>! C:Configuration .)Solution 1C:Configuration <-< "a" : Initiator | nonceCtr : 2, initSessions : trustedConnection("b") >< "b" : Responder | nonceCtr : 2, respSessions : trustedConnection("a")

>No more solutions.

Executing the NSPK SpecificationMaude> (search init2 =>! C:Configuration .)Solution 1C:Configuration <-< "Bank" : Responder | nonceCtr : 2, respSessions : trustedConnection("c") >

< "a" : InitiatorAndResponder | nonceCtr : 3,initSessions : trustedConnection("c"),respSessions : trustedConnection("c") >

< "c" : InitiatorAndResponder | nonceCtr : 4, initSessions : (trustedConnection("Bank") trustedConnection("a")),respSessions : trustedConnection("a") >

No more solutions.

9/8/2015Rewriting Logic and Maude 1 Rewriting Logic and Maude Language Samira Tasharofi University...

Documents

Transcript of 9/8/2015Rewriting Logic and Maude 1 Rewriting Logic and Maude Language Samira Tasharofi University...