Rewriting Logic and Maude Language

About This Presentation

Title:

Rewriting Logic and Maude Language

Description:

sorts Terrier Hound Toy Sporting . subsorts Terrier Hound Toy Sporting Dog. ... NAT, INT, FLOAT, and RAT. QID: Quoted IDentifier. STRING: ... – PowerPoint PPT presentation

Number of Views:345

Avg rating:3.0/5.0

Slides: 86

Provided by: Tasha

Category:

more less

Transcript and Presenter's Notes

Title: Rewriting Logic and Maude Language

1
Rewriting Logic and Maude Language

Samira Tasharofi
University of Tehran
May 2007

2
Rewriting Logic

Rewriting logic
Was studied since the 80s
A logical framework in which other logics can be
represented
Semantic framework for the specification of
languages and systems
Based on simple deduction rules

3
Rewriting Logic (Cont.)

Basic axioms are rewrite rules
t -gtt with t and t expressions in a given
language
The logic of concurrent action and change

4
Rewriting Logic (Cont.)

There are two complementary readings of a rewrite
rule t-gtt
Computational
Local transition in a concurrent system
t and t describe patterns for fragments of the
distributed state of a system
The rule explains how a local concurrent
transition can take place
Logical
The rewrite rule t-gtt is interpreted as an
inference rule so that we can infer formulas of
t form t

5
Computational, Rewriting, Logical Elements

The computational and logical viewpoints are not
exclusive they complement each other

6
Rewriting Logic

A signature in rewriting logic is an equational
theory (?, E) where ? is an equational signature
and E is a set of ? -equations
Rewriting will operate on equivalence classes of
terms modulo E
Free rewriting from the syntactic constraints of
a term representation and gain a much greater
flexibility
Given a signature (?, E), sentences of rewriting
logic are sequents of the Form
where t and t are ?-terms possibly involving
some variables and tE denotes the equivalence
class of the term t modulo the equations E
Terms
Variables, Constants, Operators

7
Rewrite Theory

4-tuple (?, E, L, R)
(?, E) the equational theory modulo which we
rewrite
? equational signature
E a set of ?-equations
L a set of labels
R a set of labeled rules (may be conditional)

8
Rewrite Theory Rules of Deduction
9
Rewrite Theory Rules of Deduction
10
Derived Rules
11
Example I Transition Systems
12
Example II Context-free Grammars
13
Rewriting Logic Applications

Semantic Framework Applications
Models of computations Petri-net, Labeled
transition systems
Semantics of programming languages CCS the
pi-calculus
Distributed Architectures and Components CORBA,
SOAP
Specification and Analysis of Communication
Protocols
Logical Framework Applications
Representing Mapping and Reasoning about Logics
equational logic, Hoare Logic, .
Specifying and Building Formal Tools Full Maude
tool,
Language Implementations
Maude

14
The Maude Rewriting Language

Developed at SRI in Menlo Park California
Maximizes
Simplicity
Only equations and rules
Performance
Extensive use of advanced semi-compilation
techniques
Expressiveness
Equational pattern matching, User-definable
syntax and data

15
Maude

Maude 2.0 is a powerful language based on
Rewriting Logic (RwL) and Equational Logic
See http//maude.cs.uiuc.edu
Maude is available for Unix-based operating
systems Linux, Mac OSX
Features
Executability
High performance engine
Modularity and parameterization
Builtins -- booleans, number hierarchy, strings
Reflection -- using descent and ascent functions
Search and model-checking

16
Maude (Cont.)

Modules the basic units of programming and
specification
Functional modules equational logic
System modules specify general rewrite theories
Object-oriented modules provide syntactic sugar
for object-oriented rewrite theories

17
Maude(Cont.)

Maude is available in two versions
Core Maude
Provides all the basic functionalities
the interpreter written in C.
the basic libraries
the libraries implementing the model checking
tool
Full Maude
more precisely, it is an extension of Maude
Is written in Maude itself (exploiting Maude as a
meta-language)
Contains Core Maude as a sublanguage
Provides support for object-oriented programming
(by means of a specific notation)
Some additional features for reflection

18
Running Maude

Core Maude maude-linux/bin maude-linux
Full Maude gt maude.linux full-maude.maud
Maudegt load myList.maude

Core Maude

20
Core Maude Foundations

A Maude specification has two parts
An equational part describing structure and
properties of system states (and ADT)
Functional module
fmod NAME is endfm
A rules part specifying how the system might
change over time
System module
mod NAME is endm

21
Abstract Data Type (ADT)

ADTs are specified in Maude using functional
modules
Data type elements operations on these
elements
fmod ltmodnamegt is
ltimportsgt reuse, modularity
ltsortsgt data types and subtyping
ltopdeclsgt names/and arities of operations
lteqnsgt how to compute functions
endfm

22
Sort

Kinds
sort Animal .
subsort Dog lt Animal .
sorts Terrier Hound Toy Sporting .
subsorts Terrier Hound Toy Sporting lt Dog .
There can be more than one topmost sort

23
Example Natural Numbers

fmod ltNAMEgt PEANO-NAT-EXTRA is
ltimportsgt reuse, modularity
ltsortsgt data types and subtyping
sort Nat .
ltopdeclsgt names/and arities of operations
lteqnsgt how to compute functions
endfm

24
Operator Declaration

An operation can be thought of as a pathway
between sorts
op ltopnamegt ltargSortsgt -gt ltresultSortgt
ltattributesgt .
attributes
assoc, comm, id lttermgt, ctor

25
Operator Declaration (Cont.)

Operator name
Prefix
op Nat Nat -gt Nat . gt (x, y)
ops Nat Nat -gt Nat . gt (x, y)
Mixfix
op __ Nat Nat -gt Nat . gt xy
ops __ __ Nat Nat -gt Nat .
op _OccursIn_ Nat List -gt Bool .
2 OccursIn list1 .

26
Operator Declaration(Cont.)

Constructors and Operator Attributes
To designate a function as a constructor, one
adds ctor
Can play the role of constants (ground terms)
Maude variables do not carry or store values
op _ _ Set Set -gt Set ctor assoc comm id
none .
op _ _ List List -gt List ctor assoc id nil .

27
Example Natural Numbers

fmod PEANO-NAT-EXTRA is
sort Nat .
ltopdeclsgt names/and arities of operations
op 0 -gt Nat ctor .
op s Nat -gt Nat ctor .
op __ Nat Nat -gt Nat .
lteqnsgt how to compute functions
endfm
The numbers can represented as 0, s(0), s(s(0)),
. . .
can write 0, s(0), and s(0) s(s(0))

28
Equations

Provide the Maude interpreter with certain rules
to simplify an expression
Syntax uses the key word eq, followed by two
expressions separated by the key symbol , and
then a period
Examples
eq s(M) N s(M N) .

29
Equations

The equations should be
Terminating no infinite computation possible
Confluent same result no matter how/which
equations are applied

30
Example I Natural Numbers

fmod PEANO-NAT-EXTRA is
sort Nat .
op 0 -gt Nat ctor .
op s Nat -gt Nat ctor .
op __ Nat Nat -gt Nat .
lteqnsgt how to compute functions
vars M N Nat .
eq 0 M M .
eq s(M) N s(M N) .
endfm

31
The Maude Environment Reduce Command

Maudes red(uce) command computes the value of
a term by using the equations from left to right
until no equational can be applied
Maudegt load PEANO-NAT-EXTRA .maude
Maudegt red s(0) s(s(0)) .
result Nat s(s(s(0)))

32
The Maude Environment Reduce Command

To change the current module
Maudegt red in PEANO-NAT-EXTRA s(0) s(s(0)) .
Seeing step by step reduction by Maude
interpreter
Maudegt set trace on .

33
Built-in Modules

Maude has a library (albeit small) of common
modules to import if needed
Common Supplied Modules
NAT, INT, FLOAT, and RAT
QID Quoted IDentifier
STRING
handles strings of characters and provides useful
functions for searching and determining length.
BOOL with sort Bool
Sort Bool
Constants true , false
Operators , /, and, or, not (automatically
imported)
Built-in modules in file prelude.maude

34
Import Modules

A module M can import other modules (submodules)
in three different modes
protecting
Only using without altering
extending
Only extending constructors
including
Altering behaviors of ADT and deduction rules

35
Example Natural Numbers

fmod PEANO-NAT-MULT is
protecting PEANO-NAT-EXTRA .
op __ Nat Nat -gt Nat .
vars M N Nat .
eq N 0 0 .
eq N s(M) N (N M) .
endfm
Maudegt red s(0) s(s(0)) .
Result Nat s(s(0))
Maudegt red s(s(0)) s(s(s(0))) .
result Nat s(s(s(s(s(s(0)))))) .

36
Example II List of Natural Numbers

fmod LIST is protecting NAT .
sort List .
subsort Nat lt List .
op nil -gt List ctor .
op __ List List -gt List ctor assoc id nil
.
op length List -gt Nat .
var L List . var N Nat .
eq length(nil) 0 .
eq length(L N) 1 length(L) .
endfm
Constructors nil and __ (append)

37
Exercise

Extend the module LIST with a function
op rev List -gt List .
which reverses a list
Test your function

38
Conditional Equations

Conditional equation will execute a reduction
only if its condition reduces to true
Examples
ceq N M 0 if M gt N .
eq max( M , N ) if N gt M then N else M fi .

39
Exercises

In module LIST define a function
op _occursIn_ Nat List -gt Bool .
which checks whether a number occurs in a list
Quick-sort
choose any element from a list as the pivot
element
recursively quicksort all elements smaller than
pivot
recursively sort all elements larger than pivot
the sorted list is the result of (2),
concatenated with all elements equal to pivot,
concatenated with result of (3)

40
Overloaded operators

op __ Integer Integer -gt Integer .
op __ Nat Nat -gt Nat .
op __ Wrong Wrong -gt Right .

41
Summary

Maude has many more features
Maude assumes that equations terminating and
confluent
Maude does not check it
Termination and confluence are undecidable
Undecidable whether t reduces to t

42
Core Maude System Modules

System dynamics are specified in system modules
using rewrite rules
mod ltmodnamegt is
functional part
ltimportsgt reuse, modularity
ltsortsgt data types and subtyping
ltopdeclsgt names/and arities of operations
lteqnsgt how to compute functions
ltrulesgt
endfm
A system module defines a set of computations
over the ADT specified by the functional part

43
Core Maude System Modules

A rewrite law declares the relationship between
the states and the transitions between them.
The most important characteristic of rewrite laws
is their irreversibility. Its a one-way street

44
Rule Declaration

The ltrulesgt part of a system module consists of
rule declarations having one of the forms
rlltidgt ltlhsgt gt ltrhsgt .
crlltidgt ltlhsgt gt ltrhsgt if ltcondgt .
ltlhsgt, ltrhsgt, ltcondgt are terms, possibly
containing variables
A rule applies to a term T if there is a
substitution S (mapping variables to terms) such
that Sltlhsgt is a subterm of T (ltlhsgt matches a
subterm of T) and S ltcondgt rewrites to true.
In this case T can be rewritten by replacing the
matched subterm by the matching instance of ltrhsgt
(S ltrhsgt).

45
Maude Analysis

Maude provides a range of efficient analysis
commands
Rewriting for simulation/prototyping simulate
one behavior from one initial state
Search analyze all possible behaviors from one
initial state by checking whether a state is
reachable
may not terminate if state(s) not found
Temporal logic model checking check whether all
possible behaviors from one initial state
satisfies a temporal logic formula
only when reachable state space finite

46
Petri-net Example Vending Machine

An apple 3 quarters
A cake 1

47
Petri-net Example Vending Machine

mod VENDING-MACHINE is
sort Marking .
ops null c a q -gt Marking ctor .
op __ Marking Marking -gt Marking
assoc comm id null .
rlbuy-c gt c .
rlbuy-a gt a q .
rlchange q q q q gt .
endm

48
Rewriting Command

Can simulate max n steps of one possible behavior
from initial state t
Maudegt rew n t .
Can omit n if terminating system

49
Search Command

search n t gt t such that cond .
Search for up to n states reachable from t which
match t and satisfy cond
Can omit n and/or such that cond
cond is a semantic condition
The arrow gt! searches for terminated
states/deadlocks
Can show the path to a state
Show path

50
Vending Machine Maude Commands

What is one way to use 3 s?
Maudegt rew .
result Marking q a c c
How can I get 2 apples with 3 s?
Maudegt search gt! a a MMarking .
Solution 1 (state 8)
MMarking --gt q q c
Solution 2 (state 9)
MMarking --gt q q q a
No more solutions.
states 10 rewrites 12

51
Vending Machine Maude Commands

Show path command

52
Example Game

mod GAME is protecting NAT .
protecting STRING .
sort Game .
op _-_ __ String String Nat Nat -gt Game .
vars HOME AWAY String .
vars M N Nat .
rl home-goal
HOME - AWAY M N gt HOME - AWAY M 1 N .
rl away-goal
HOME - AWAY M N gt HOME - AWAY M N 1 .
endm

53
Example Game

Maudegt rew 5 "Italy" - "Brazil" 0 0 .
result Game "Italy" - "Brazil" 3 2
Maudegt search 1
"Malmo FF" - "Fluminense" 0 0 gt "Malmo FF" -
"Fluminense" 5 1 .
Solution 1 (state 22)
empty substitution
Maudegt show path 22 .
state 0, Game "Malmo FF" - "Fluminense" 0 0
rl ... home-goal gt
state 1, Game "Malmo FF" - "Fluminense" 1 0
...
rl ... away-goal gt
state 22, Game "Malmo FF" - "Fluminense" 5 1

54
Example Game

Maudegt search 2
"Brazil" - "Italy" 0 0 gt "Brazil" - "Italy"
MNat NNat such that MNat gt NNat 4 .
Solution 1 (state 15)
M --gt 5
N --gt 0
Solution 2 (state 21)
M --gt 6
N --gt 0

55
Example Counting Cigarettes

mod COUNTING-CIGARETTES is
protecting NAT .
sort State .
op c Nat -gt State ctor .
op b Nat -gt State ctor .
op __ State State -gt State ctor assoc comm .
vars W X Y Z Nat .
rl smoke c(X) gt b(X 1) .
rl makenew b(W) b(X) b(Y) b(Z) gt c(W X Y
Z) .
endm
Rewrite Command
rew 100 c(0) c(0) c(0) c(0) c(0) c(0) c(0) c(0)
c(0) c(0) c(0) c(0) c(0) c(0) c(0) c(0) .
Answer b(21)

Full Maude and Object-Oriented Modules

57
Object-Oriented Systems

A state (or configuration) of a distributed
object system is seen a multiset of
objects
messages traveling between objects

58
Full Maude

Full Maude supports object-oriented specification
in object-oriented
modules (omod ... endom)
special syntax for classes, objects
all modules and commands enclosed in parentheses

59
Full Maude Configuration Module

The predefined module CONFIGURATION provides
basic sorts and constructors for modeling
object-based systems.
mod CONFIGURATION is
basic object system sorts
sorts Object Msg Configuration .
construction of configurations
subsort Object Msg lt Configuration .
op none -gt Configuration ctor .
op __ Configuration Configuration -gt
Configuration
ctor config assoc comm id none .
endm

60
Full Maude Configuration Module

classes bigger versions of sorts
objects bigger versions of variables
messages bigger versions of operations

61
Object and Class

An object can be represented as a term
lt O C att1val1, , attn valn gt
O is the object identifier of sort Oid
C is the class of the object
att1 to attn are the attributes of the object
val1 to valn are their current values
Example
lt "Peter" Person age 35, status single gt
Class declarations
class Person age Nat, status Status .

62
Object and Class Inheritance

class TABLE occupied Bool , chairs Nat .
class OutDoorTABLE next2heater Bool .
subclass OutDoorTABLE lt TABLE .
lt A OutDoorTABLE occupied O , chairs N ,
next2heater H gt

63
Example Objects

var X String . var N Nat .
crl birthday
lt X Person age N gt
gt
lt X Person age N 1 gt if N lt 1000 .
A state can be e.g.
lt "Peter" Person age 35, status single gt
lt "Ronaldo" Person age 27, status single
gt
lt "Lizzie" Person age 32, status single gt

64
Messages

Messages are defined as terms of sort Msg
msgs marry? yes no Oid Oid -gt Msg .
Message transmission modeled abstractly since we
have multisets
Send a marry? message
crl propose lt X Person age N, status
single gt
gt
lt X Person status waitFor(Y) gt
marry?(Y, X)
if N gt 15 .

65
Messages (Example)

crl accept
marry?(Y, X)
lt Y Person age N, status single gt
gt
lt Y Person status engaged(X) gt
yes(X, Y)
if N gt 15 .
rl yes
yes(X, Y)
lt X Person status waitFor(Y) gt
gt lt X Person status engaged(Y) gt .

66
Communication

Example of asynchronous communication
1. "Peter" sends marry? message
2. "Lizzie" sends yes (or no) response
3. "Peter" reads response
things can happen in-between
Synchronous communication both objects together
rl wedding
lt X Person status engaged(Y) gt
lt Y Person status engaged(X) gt
gt
lt X Person status married(Y) gt
lt Y Person status married(X) gt .

67
Case Study I Dining Philosophers
68
Modeling the Chopsticks

lt i Chopstick gt .
sort Chopstick .
op chopstick Nat -gt Chopstick ctor .
subsort Chopstick lt Configuration .
msg chopstick Nat -gt Msg .

69
Philosophers

lt i Philosopher state s, noOfSticks j ,
noOfEats k gt
class Philosopher state State, noOfSticks
Nat, noOfEats Nat .
subsort Nat lt Oid . Object names are numbers!
sort State .
ops thinking hungry eating -gt State ctor .

70
Rewrite Rules

vars I J K Nat .
rl hungry lt I Philosopher state
thinking gt gt
lt I Philosopher state hungry gt .
crl grabFirst chopstick(J)
lt I Philosopher state hungry, noOfSticks
0 gt gt
lt I Philosopher state hungry, noOfSticks
1 gt
if I can use stick J .
op right Nat -gt Nat . The right
chopstick index.
eq right(I) if I 5 then 1 else I 1 fi .
op _canusestick_ Nat Nat -gt Bool .
eq I can use stick J (I J) or (J
right(I)) .

71
Rewrite Rules

crl grabSecond chopstick(J)
lt I Philosopher noOfSticks 1, noOfEats K
gt gt
lt I Philosopher state eating, noOfSticks
2,
noOfEats K 1 gt
if I can use stick J .
rl stopEating lt I Philosopher state
eating gt gt
lt I Philosopher state thinking, noOfSticks
0 gt
chopstick(I) chopstick(right(I)) .

72
Execution

op initState -gt Configuration .
eq initState
chopstick(1) chopstick(2) chopstick(3)
chopstick(4) chopstick(5)
lt 1 Philosopher state thinking, noOfSticks
0, noOfEats 0 gt
lt 2 Philosopher state thinking, noOfSticks
0, noOfEats 0 gt
lt 3 Philosopher state thinking, noOfSticks
0, noOfEats 0 gt
lt 4 Philosopher state thinking, noOfSticks
0, noOfEats 0 gt
lt 5 Philosopher state thinking, noOfSticks
0, noOfEats 0 gt .

73
Deadlock and Livelock

Deadlock The system is stuck and nothing can
happen in the system because no process can
proceed until it gets a shared resource which is
controlled by another process.
Livelock (also known as starvation) one
philosopher could starve to death because she can
never get hold of both chopsticks, while at the
same time the other philosophers could feast
merrily.

74
Exercises

Execute the dining philosophers system using Full
Maudes rew and frew commands. Do all
philosophers get to eat sufficiently often?
Use Full Maudes search command to show that
there could be a deadlock in the system
Show a scenario (a run) which results in a
deadlock
Propose a deadlock-free solution and show Explain
there cannot be a deadlock in this specification.

75
Case Study II Needham-Schroeder
Public-KeyAuthentication Protocol

Protocol Specification
Message 1. A?B A.B.Na .APK(B)
Message 2. B ?A B.A.Na .NbPK(A)
Message 3. A?B A.B.NbPK(B)

76
Modeling Nonces and Keys

(omod NSPK is
protecting NAT .
sort Nonce .
op nonce Oid Nat -gt Nonce ctor .
sort Key .
op pubKey Oid -gt Key ctor .

77
Modeling the Messages

sort MsgContent .
op __ Nonce Oid -gt MsgContent ctor .
Message kind "1"
op __ Nonce Nonce -gt MsgContent ctor .
Message kind "2"
subsort Nonce lt MsgContent . Message kind "3
sort EncrMsgContent .
op encrypt_with_ MsgContent Key -gt
EncrMsgContent ctor .
msg msg_from_to_ EncrMsgContent Oid Oid -gt Msg
.

78
Modeling the Initiators

class Initiator initSessions InitSessions,
nonceCtr Nat .
sorts Sessions InitSessions .
subsort Sessions lt InitSessions .
op emptySession -gt Sessions ctor .
op __ InitSessions InitSessions -gt InitSessions
ctor assoc comm id emptySession .
op __ Sessions Sessions -gt Sessions ctor assoc
comm id emptySession .
op notInitiated Oid -gt InitSessions ctor .
op initiated Oid Nonce -gt InitSessions ctor .
op trustedConnection Oid -gt Sessions ctor .

79
Modeling the Initiators

vars A B Oid .
vars M N Nat .
vars NONCE NONCE Nonce .
var IS InitSessions .

80
Modeling the Initiators Rules

rl start-send-1
lt A Initiator initSessions notInitiated(B)
IS, nonceCtr N gt
gt
lt A Initiator initSessions initiated(B,
nonce(A, N)) IS,
nonceCtr N 1 gt
msg (encrypt (nonce(A, N) A) with pubKey(B))
from A to B .
rl read-2-send-3
(msg (encrypt (NONCE NONCE) with pubKey(A))
from B to A)
lt A Initiator initSessions initiated(B,
NONCE) IS gt
gt
lt A Initiator initSessions
trustedConnection(B) IS gt
msg (encrypt NONCE with pubKey(B)) from A to B .

81
Modeling the Responders

class Responder respSessions RespSessions,
nonceCtr Nat .
sort RespSessions .
subsort Sessions lt RespSessions .
op __ RespSessions RespSessions -gt RespSessions
ctor assoc comm id emptySession .
op responded Oid Nonce -gt RespSessions ctor .
var RS RespSessions .

82
Modeling the Responders

crl read-1-send-2
(msg (encrypt (NONCE A) with pubKey(B)) from A
to B)
lt B Responder respSessions RS, nonceCtr N
gt
gt
lt B Responder respSessions responded(A,
nonce(B, N)) RS,
nonceCtr N 1 gt
msg (encrypt (NONCE nonce(B, N)) with
pubKey(A)) from B to A
if not A inSession RS .

83
Modeling the Responders

op _inSession_ Oid RespSessions -gt Bool .
eq A inSession emptySession false .
eq A inSession (trustedConnection(B) RS) (A
B) or (A inSession RS) .
eq A inSession (responded(B, NONCE) RS) (A
B) or (A inSession RS) .
rl read-3
(msg (encrypt NONCE with pubKey(B)) from A to B)
lt B Responder respSessions responded(A,
NONCE) RS gt
gt
lt B Responder respSessions
trustedConnection(A) RS gt .

84
Modeling Initiator and Responders

class InitiatorAndResponder .
subclass InitiatorAndResponder lt Initiator
Responder .
endom)

85
Executing the NSPK Specification

(omod TEST-NSPK is
including NSPK .
including STRING .
subsort String lt Oid .
op init -gt Configuration .
eq init
lt "a" Initiator initSessions
notInitiated("b"), nonceCtr 1 gt
lt "b" Responder respSessions emptySession,
nonceCtr 1 gt .

86
Executing the NSPK Specification

op init2 -gt Configuration .
eq init2
lt "a" InitiatorAndResponder initSessions
notInitiated("c"),
respSessions emptySession,
nonceCtr 1 gt
lt "Bank" Responder respSessions
emptySession, nonceCtr 1 gt
lt "c" InitiatorAndResponder initSessions
notInitiated("Bank") notInitiated("a"),
respSessions emptySession,
nonceCtr 1 gt .
endom)

87
Executing the NSPK Specification

Maudegt (rew init .)
result Configuration
lt "a" Initiator nonceCtr 2, initSessions
trustedConnection("b") gt
lt "b" Responder nonceCtr 2, respSessions
trustedConnection("a") gt
Maudegt (search init gt! CConfiguration .)
Solution 1
CConfiguration lt-
lt "a" Initiator nonceCtr 2, initSessions
trustedConnection("b") gt
lt "b" Responder nonceCtr 2, respSessions
trustedConnection("a") gt
No more solutions.

88
Executing the NSPK Specification

Maudegt (search init2 gt! CConfiguration .)
Solution 1
CConfiguration lt-
lt "Bank" Responder nonceCtr 2,
respSessions trustedConnection("c") gt
lt "a" InitiatorAndResponder nonceCtr 3,
initSessions trustedConnection("c"),
respSessions trustedConnection("c") gt
lt "c" InitiatorAndResponder nonceCtr 4,
initSessions (trustedConnection("Bank")
trustedConnection("a")),
respSessions trustedConnection("a") gt
No more solutions.

The fact that under reasonable assumptions
rewriting logic specifications are executable
allows us to have a flexible range of
increasingly stronger formal methods to which a
system specification can be subjected Only after
less costly and lighter methods have been used it
is meaningful and worthwhile to invest e ort on
heavier and costlier methods A rewriting logic
language implementation together with an
associated environment of formal tools can be
used to support the following increasingly
stronger methods formal specication execution
of the specication modelchecking analysis
narrowing analysis and formal proof

Executability combined with program
transformation and compilation techniques has yet
another key advantage namely that rewriting logic
specications validated by the above formal
methods can then be directly trans formed and
compiled for efficient execution.

Write a Comment

User Comments (0)