Michael Mendler
University of Bamberg
Publications
Featured research published by Michael Mendler.
Information & Computation | 1997
Matt Fairtlough; Michael Mendler
We investigate a peculiar intuitionistic modal logic, called Propositional Lax Logic (PLL), which has promising applications to the formal verification of computer hardware. The logic has emerged from an attempt to express correctness up to behavioural constraints, a central notion in hardware verification, as a logical modality. As a modal logic it is special since it features a single modal operator ○ that has a flavour both of possibility and of necessity. In the paper we provide the motivation for PLL and present several technical results. We investigate some of its proof-theoretic properties, presenting a cut-elimination theorem for a standard Gentzen-style sequent presentation of the logic. We go on to define a new class of fallible two-frame Kripke models for PLL. These models are unusual since they feature worlds with inconsistent information; furthermore, the only frame condition imposed is that the ○-frame be a subrelation of the ⊃-frame. We give a natural translation of these models into Goldblatt's J-space models of PLL. Our completeness theorem for these models yields a Gödel-style embedding of PLL into a classical bimodal theory of type (S4,S4) and underpins a simple proof of the finite model property. We proceed to prove soundness and completeness of several theories for specialized classes of models. We conclude with a brief exploration of two concrete and rather natural types of model from hardware verification for which the modality ○ models correctness up to timing constraints. We obtain decidability of the ○-free fragment of the logic of the first type of model, which coincides with the stable form of Maksimova's intermediate logic L?.
computer science logic | 2001
Natasha Alechina; Michael Mendler; Valeria de Paiva; Eike Ritter
We consider two systems of constructive modal logic which are computationally motivated. Their modalities admit several computational interpretations and are used to capture intensional features such as notions of computation, constraints, concurrency, etc. Both systems have so far been studied mainly from type-theoretic and category-theoretic perspectives, but Kripke models for similar systems were studied independently. Here we bring these threads together and prove duality results which show how to relate Kripke models to algebraic models and these in turn to the appropriate categorical models for these logics.
tools and algorithms for construction and analysis of systems | 1997
Peter Kelb; Tiziana Margaria; Michael Mendler; Claudia Gsottberger
Mosel is a new tool-set for the analysis and verification in Monadic Second-order Logic. In this paper we concentrate on the systems design: Mosel is a tool-set to include a flexible set of decision procedures for several theories of the logic complemented by a variety of support components for input format translations, visualization, and interfaces to other logics and tools. The main distinguishing features of Mosel are its layered approach to the logic, based on a formal semantics for a minimal subset, its modular design, and its integration in a heterogeneous analysis and verification environment.
ACM Transactions on Computational Logic | 2002
Gerald Lüttgen; Michael Mendler
The semantics of Statecharts macro steps, as introduced by Pnueli and Shalev [1991], lacks compositionality. This article first analyzes the compositionality problem and traces it back to the invalidity of the Law of the Excluded Middle. It then characterizes the semantics via a particular class of linear intuitionistic Kripke models. This yields, for the first time in the literature, a simple fully abstract semantics that interprets Pnueli and Shalev's concept of failure naturally. The results not only give insight into the semantic subtleties of Statecharts, but also provide a basis for an implementation, for developing algebraic theories for macro steps, and for comparing different Statecharts variants.
international conference on concurrency theory | 1997
Rance Cleaveland; Gerald Lüttgen; Michael Mendler
This paper develops a temporal process algebra, CSA, for reasoning about distributed systems that involve qualitative timing constraints. It is a conservative extension of Milner's CCS that combines the idea of multiple clocks from the algebra PMC with the assumption of maximal progress familiar from timed process algebras such as TPL. Using a typical class of examples drawn from hardware design, we motivate why these features are useful and in some cases necessary for modeling and verifying distributed systems. We also present fully-abstract behavioral congruences based on the notion of strong bisimulation and observational equivalence, respectively. For temporal strong bisimulation we give sound and complete axiomatizations for several classes of processes.
design, automation, and test in europe | 2013
Reinhard von Hanxleden; Michael Mendler; Joaquin Aguado; Björn Duderstadt; Insa Fuhrmann; Christian Motika; Stephen R. Mercer; Owen O'Brien
Synchronous languages ensure deterministic concurrency, but at the price of heavy restrictions on what programs are considered valid, or constructive. Meanwhile, sequential languages such as C and Java offer an intuitive, familiar programming paradigm but provide no guarantees with regard to deterministic concurrency. The sequentially constructive model of computation (SC MoC) presented here harnesses the synchronous execution model to achieve deterministic concurrency while addressing concerns that synchronous languages are unnecessarily restrictive and difficult to adopt. In essence, the SC MoC extends the classical synchronous MoC by allowing variables to be read and written in any order as long as sequentiality expressed in the program provides sufficient scheduling information to rule out race conditions. The SC MoC is a conservative extension in that programs considered constructive in the common synchronous MoC are also SC and retain the same semantics. In this paper, we identify classes of variable accesses, define sequential constructiveness based on the concept of SC-admissible scheduling, and present a priority-based scheduling algorithm for analyzing and compiling SC programs.
formal methods | 2012
Michael Mendler; Thomas R. Shiple; Gérard Berry
We classify gate level circuits with cycles based on their stabilization behavior. We define a formal class of combinational circuits, the constructive circuits, for which signals settle to a unique value in bounded time, for any input, under a simple conservative delay model, called the up-bounded non-inertial (UN) delay. Since circuits with combinational cycles can exhibit asynchronous behavior, such as non-determinism or metastability, it is crucial to ground their analysis in a formal delay model, which previous work in this area did not do. We prove that ternary simulation, such as the practical algorithm proposed by Malik, decides the class of constructive circuits. We prove that three-valued algebra is able to maintain correct and exact stabilization information under the UN-delay model, and thus provides an adequate electrical interpretation of Malik’s algorithm, which has been missing in the literature. Previous work on combinational circuits used the up-bounded inertial (UI) delay to justify ternary simulation. We show that the match is not exact and that stabilization under the UI-model, in general, cannot be decided by ternary simulation. We argue for the superiority of the UN-model for reasons of complexity, compositionality and electrical adequacy. The UN-model, in contrast to the UI-model, is consistent with the hypothesis that physical mechanisms cannot implement non-deterministic choice in bounded time. As the corner-stone of our main results we introduce UN-Logic, an axiomatic specification language for UN-delay circuits that mediates between the real-time behavior and its abstract simulation in the ternary domain. We present a symbolic simulation calculus for circuit theories expressed in UN-logic and prove it sound and complete for the UN-model. This provides, for the first time, a correctness and exactness result for the timing analysis of cyclic circuits.
Our algorithm is a timed extension of Malik’s pure ternary algorithm and closely related to the timed algorithm proposed by Riedel and Bruck, which however was not formally linked with real-time execution models.
european symposium on programming | 1994
Henrik Reif Andersen; Michael Mendler
In this paper we introduce a novel approach to the specification of real-time behaviour with process algebras. In contrast to the usual pattern, involving a fixed, measurable, and global notion of time, we suggest to represent real-time constraints indirectly through uninterpreted clocks enforcing broadcast synchronization between processes. Our approach advocates the use of asynchronous process algebras, which admit the faithful representation of nondeterministic and distributed computations.
computer science logic | 1994
Matt Fairtlough; Michael Mendler
We investigate a novel intuitionistic modal logic, called Propositional Lax Logic, with promising applications to the formal verification of computer hardware. The logic has emerged from an attempt to express correctness ‘up to’ behavioural constraints — a central notion in hardware verification — as a logical modality. The resulting logic is unorthodox in several respects. As a modal logic it is special since it features a single modal operator O that has a flavour both of possibility and of necessity. As for hardware verification it is special since it is an intuitionistic rather than classical logic which so far has been the basis of the great majority of approaches. Finally, its models are unusual since they feature worlds with inconsistent information and furthermore the only frame condition is that the O-frame be a subrelation of the ⊃-frame. We provide the motivation for Propositional Lax Logic and present several technical results. We investigate some of its proof-theoretic properties, and present a cut-elimination theorem for a standard Gentzen-style sequent presentation of the logic. We further show soundness and completeness for several classes of fallible two-frame Kripke models. In this framework we present a concrete and rather natural class of models from hardware verification such that the modality O models correctness up to timing constraints.
formal methods | 1993
Michael Mendler; Terry Stroup
Computing hardware is designed by refining an abstract specification through various lower levels of abstraction to arrive at a transistor layout implemented in a physical medium. Formalizing the refinements—one task of the mathematical semantics of computation—involves proving that the device described at each level of abstraction does indeed behave as prescribed by the description at the next higher level. One obstacle to this goal that has long been recognized is that certain classes of behaviors can be physically realized only approximately. The notorious problem of metastable operation precludes, for example, the realization on classical principles of flip-flops that react in bounded time to arbitrary input signals. The literature suggests that the difficulty lies ultimately in the specifications requiring that the realizing device react properly in bounded time. We show, however, that a simple time-unbounded synchronization problem, namely, mutual exclusion by means of an arbiter, cannot be solved with perfect reliability using continuous, i.e., Newtonian, physical phenomena. In particular, for any physical device operating on Newtonian principles that satisfies specific assumptions concerning an arbiter's input-output behavior, there always exist competing requests to which it reacts by granting them all.