COMP 2600: Formal Methods for Software Engineeing Specification in - - PowerPoint PPT Presentation

COMP 2600: Formal Methods for Software Engineeing

Specification in Z: Introduction and Examples

Dirk Pattinson

Australian National University

Semester 2, 2013

Dirk Pattinson (ANU) COMP 2600 Semester 2, 2013 1 / 24

System Specification in Z

Logic

◮ we have met first-order logic – speaks about properties of structures ◮ formal notion of proof – those statements which are true

Set Theory

◮ basic mechanism to speak about, well, sets ◮ basic operations to construct sets: power sets, products etc.

System Specification in Z

Logic + Set Theory

◮ Set Theory speaks about types ◮ Logic speaks about properties

(Z is one particular specification formalism – there are others.)

Dirk Pattinson (ANU) COMP 2600 Semester 2, 2013 2 / 24

Specification and Proof

Functional Programs

◮ techniques to show that a function has a desired property ◮ to verify that a program meets its specification

Imperative Programs

◮ techniques to reason about state changes brought about by a program ◮ to verify that a program meets its specification.

System Specification

◮ What on earth is a specification? ◮ How can we write down and combine specifications?

Dirk Pattinson (ANU) COMP 2600 Semester 2, 2013 3 / 24

Our View on System Specification

Basic Tenet

A Type is a Set. An operation is a function on sets. (Hardcore theorists may disagree. But we take this view here.)

Specification is Abstract

◮ we don’t care about the how. Only the what matters. ◮ we don’t care about the internal structure of types. ◮ we don’t care about implementation.

But we care a lot about the effects of operations!

Dirk Pattinson (ANU) COMP 2600 Semester 2, 2013 4 / 24

Why should we care at all?

Specification as Contract

◮ typical requirement specifications are English prose. Often several

hunderes of pages.

◮ Ambiguities abound! Specifications are a way to be precise.

Specification as Language

◮ Software developmens typically involves large teams. Often hundereds

• f people.

◮ Interfaces matter! Specifications are a way to be precise.

Specifications are Machine-Checkable

◮ formal language enables tool support ◮ idealy spans the whole software life cycle.

(But of course, specification is not a magic bullet.)

Dirk Pattinson (ANU) COMP 2600 Semester 2, 2013 5 / 24

Introductory Example

Spivak’s Birthday Book

◮ consists of a set of people – my friends ◮ every person has a birthday – which may be unknown.

But I know the birthdays of all my friends!

Data / Property Split

Data:

◮ my friends: a subset of the set of people. ◮ the mapping: a partial function from people to birthdays

Constraint.

◮ The birthdays of my friends are known.

(This structure / property split is typical. We’ll see it all the time.)

Dirk Pattinson (ANU) COMP 2600 Semester 2, 2013 6 / 24

A more abstract view

Static Aspects: Legal Data

Data The basic containers that store information Constraint Containers may not be filled at random. Examples abound:

◮ lists that have to be sorted ◮ August 57 is an invalid date ◮ . . . I know the birthdays of my friends ;-)

Dynamic Aspect: Operations on Legal Data

Operations Described in terms of before / after relation Examples abound:

◮ after inserting a tuple into a database, we have it ◮ ordered insert into an ordered list produces an ordered list ◮ . . . looking up a birthday gives the correct date ;-)

Dirk Pattinson (ANU) COMP 2600 Semester 2, 2013 7 / 24

Birthday Book: Basic Types

Basic Ingredients

◮ Person and Date. These are types (i.e. sets) and we don’t care about

their structure. But we need to declare them. Like so: [Person, Date]

◮ types declared in this way are called given types.

Dirk Pattinson (ANU) COMP 2600 Semester 2, 2013 8 / 24

Birthday Book: Structure and Constraints

People known to me (P is powerset)

◮ every element of known is a subset of Person. ◮ so known: PPerson – note the role of P as type constructor!

Records of birthdays ( → is partial functions)

◮ everybody has at most one birthday. ◮ so birthday : Person

→ Date – note → as type constructor!

I know my friends’ birthdays (dom is domain)

◮ every element of known is in the domain of birthday (and vice versa) ◮ so known = dom birthday – note dom as built-in function!

Dirk Pattinson (ANU) COMP 2600 Semester 2, 2013 9 / 24

Birthday Book as Z-Specification

Graphical Notation

[Person, Date] BirthdayBook known : P Person birthday : Person → Date known = dom birthday

Terminology

◮ The bit in the box is a Z-schema. It encapsulates the fundamental

structure / property pattern.

◮ the bit above the horizontal line declares structure ◮ and the bit below is the constraint. ◮ The schema together with the declatration is an example of

specification, also called Z-document. (So far lots of overhead to express something very simple . . . )

Dirk Pattinson (ANU) COMP 2600 Semester 2, 2013 10 / 24

Built in Type Constructors

BirthdayBook known : P Person birthday : Person → Date known = dom birthday

Type Constructors

Z has a number of built in type constructors, containing P powerset

• →

partial functions → total functions ↔ relations Z integers seq sequences (we will see more later. I’ll try and provide a cheat sheet.) Types are expressions built from type constructors using given types.

Dirk Pattinson (ANU) COMP 2600 Semester 2, 2013 11 / 24

Built in Functions

BirthdayBook known : P Person birthday : Person → Date known = dom birthday

Built in Functions/ Relations

Z has a number of built in functions and relations, containing dom the domain of a function/relation ≤ less than ∈ set membership ♯ cardinality Every function/relation has a type which may be polymorphic. There are more builtins than shown above. Constraints are just formulae of predicate logic involving these.

Dirk Pattinson (ANU) COMP 2600 Semester 2, 2013 12 / 24

Operations: A simple Example

AddBirthday

inputs person? and date?

• utputs none

action add the person/date pair to birthdays (By convention, input variables end in ? and output variables end in !.)

Precondition

◮ the new person should not be in the birthday book already. ◮ so person? ∈ known.

(before-values of schema variables have the declared name)

Postcondition

◮ after the update, the new birthday is known ◮ so birthday′ = birthday ∪ {person? → date?}

(after-values of schema variables are primed, e.g. birthday′)

Dirk Pattinson (ANU) COMP 2600 Semester 2, 2013 13 / 24

AddBirthday as a Schema

Explicit Variant

AddBirthday known : P Person; known′ : P Person birthday : Person → Date; birthday′ : Person → Date person? : Person date? : Date known = dom birthday; known′ = dom birthday′ person? ∈ known; birthday′ = birthday ∪ {person? → date?}

This is overkill . . . but shows that operations are schemas

◮ the new schema incorporates two copies of BirthdayBook ◮ one for before (non-primed) and one for after (primed) ◮ augmented with input variables and just one formula!

Surely we can do better . . .

Dirk Pattinson (ANU) COMP 2600 Semester 2, 2013 14 / 24

Operations on Schemas

Priming a Schema

If S is a schema, then S′ is the schema where all variable names in declaration and constraints have been primed.

Example

BirthdayBook known : P Person birthday : Person → Date; known = dom birthday; BirthdayBook′ known′ : P Person birthday′ : Person → Date known′ = dom birthday′

Dirk Pattinson (ANU) COMP 2600 Semester 2, 2013 15 / 24

Operations that change state

Delta, or before/after

If S is a schema, then ∆S is the union of S and S′ (both of variables and constraints, separately).

Example

BirthdayBook known : P Person birthday : Person → Date known = dom birthday; ∆BirthdayBook known : P Person; known′ : P Person birthday : Person → Date; birthday′ : Person → Date known = dom birthday; known′ = dom birthday′

Dirk Pattinson (ANU) COMP 2600 Semester 2, 2013 16 / 24

Schema Import

Adding a Birthday, More Concisely

AddBirthday ∆BirthdayBook person? : Person date? : Date person? ∈ known birthday′ = birthday ∪ {person? → date?}

Schema Import on the Sly

◮ we have included a schema as a declaration ◮ this adds all declared variables and constraints

(Schema import as above is an important mechanism for defining

• schemas. It saves lots of writing!)

Dirk Pattinson (ANU) COMP 2600 Semester 2, 2013 17 / 24

Birthday Lookup

As a schema

FindBirthday ∆BirthdayBook person? : Person date! : Date person? ∈ known date! = birthday(person?) (Note the convention of banged variables (date!) designating output.)

Question

Is this a good specification, at least for the case where name? ∈ known ?

Dirk Pattinson (ANU) COMP 2600 Semester 2, 2013 18 / 24

Birthday Book from Hell

Is this a good specification?

FindBirthday ∆BirthdayBook person? : Person date! : Date perosn? ∈ known date! = birthday(person?) birthday′ = ∅; known′ = ∅

Strenghening of Schemas

Every implementation that is consistent with the augmented schema is consistent with the original schema (without the red bits).

◮ this is trivial – we just ask that more assertions are satisfied ◮ but it shows that there’s something we haven’t thought about . . .

Dirk Pattinson (ANU) COMP 2600 Semester 2, 2013 19 / 24

Operations that don’t change state

Xi, or before = after

If S is a schema, then ΞS is the schema ∆S with additional constraints v = v′ for every declared variable of S.

Example

BirthdayBook known : P Person birthday : Person → Date known = dom birthday; ΞBirthdayBook known : P Person; known′ : P Person birthday : Person → Date; birthday′ : Person → Date known = dom birthday; known′ = dom birthday′ birthday′ = birthday; known′ = known

Dirk Pattinson (ANU) COMP 2600 Semester 2, 2013 20 / 24

Finally: Finding a Birthday

Using Ξ-Schemas

FindBirthday ΞBirthdayBook person? : Person date! : Date person? ∈ known date! = birthday(person?)

Quick Summary

◮ use primed variables to signify values after an operation ◮ use ∆ for operations that change state, Ξ for those that don’t ◮ both contain primed and non-primed variables and constraints ◮ Ξ additionally forces equality between primed and non-primed

variables.

Dirk Pattinson (ANU) COMP 2600 Semester 2, 2013 21 / 24

Who’s Birthday is Today?

As a Schema

Remind ΞBirthdayBook today?Date cards! : P Person ∀ p : Person • p ∈ cards! ⇔ birthday(p) = today?

◮ constraints can be complex first-order formulae ◮ in Z, people write ∀ x : P • φ for ∀ x ∈ P φ.

Shorthand Notation

The last constraint above can also be written as cards! = {p : Person | birthday(p) = today?} using set comprehension as cards! is of type P Person.

Dirk Pattinson (ANU) COMP 2600 Semester 2, 2013 22 / 24

Schema Equivalence

What’s the difference? What if Ξ is replaced by ∆

FindBirthday ΞBirthdayBook person? : Person date! : Date person? ∈ known date! = birthday(name?) FindBirthday ΞBirthdayBook person? : Person date! : Date person? ∈ known′ date! = birthday′(person?) ← − note the primes

Dirk Pattinson (ANU) COMP 2600 Semester 2, 2013 23 / 24

Literature

Today’s Lecture

Based on ‘The Z notation: A reference Manual’, Second Edition, by J.M. Spivey, Oxford Programming Research Group. Available at http://spivey.oriel.ox.ac.uk/mike/zrm/zrm.pdf Read Chapter 1 (Tutorial Introduction) and get it straight from the mouth

• f the horse!

Dirk Pattinson (ANU) COMP 2600 Semester 2, 2013 24 / 24