COMP 2600: Formal Methods for Software Engineering. Specification in Z: Logical Analysis of Schemas (PowerPoint PPT Presentation)

SLIDE 1

COMP 2600: Formal Methods for Software Engineering

Specification in Z: Logical Analysis of Schemas

Dirk Pattinson

Australian National University

Semester 2, 2013

Dirk Pattinson (ANU) COMP 2600 Semester 2, 2013 1 / 20

SLIDE 2

Brief Recap

Given Types

Containers for data without internal structure. Declaration: [T1, T2, . . . , Tn] where T1, . . . , Tn are the type names.

Schemas

Combination of declared variables and constraints. In linear notation:

Name = [v1 : T1; . . . ; vn : Tn | c1; . . . ; cn]

(the name is optional; in the boxed form, line breaks may replace the semicolons)

◮ types are built from given types using type constructors
◮ constraints are first-order formulae involving builtin functions/relations

Conjunctive Reading: The constraint of the above schema is c1 ∧ . . . ∧ cn.

SLIDE 3

Operations on Schemas

Priming of Schemas

If S is a schema, then S′ is the schema with all variable names primed (in declaration and constraints).

Delta and Xi

If S is a schema, then ∆S is the union of S and S′ and ΞS is the schema ∆S together with v = v′ for all declared variables v of S.

Schema Import

If R is a schema, then

S = [R; (other declarations) | (some constraints)]

has the effect of adding all declared variables of R (to the declared variables) and adding all constraints of R (to the constraints).

SLIDE 4

Combination of Schemas

Free Types

A free type declaration is of the form T ::= C1 | · · · | Cn (which works like in Haskell).

Logical Connectives

If R and S are schemas so that all declared variables have the same type, then R ∧ S and R ∨ S are schemas.

SLIDE 5

Schema Consistency

Problem: Schemas can easily be inconsistent

◮ just like prose specifications can be inconsistent . . .
◮ but we have tools to check formal specs: automated proof search!

Example

MangledCount = [c : Z | c = c + 1]

This is obviously inconsistent. But can we say precisely what "inconsistent" means?

SLIDE 6

Inconsistencies, Formally

Definition

S = [v1 : T1; . . . ; vn : Tn | c1; . . . ; cn]

A schema of the form above is inconsistent if the first-order formula

∃ v1 : T1 • . . . • ∃ vn : Tn • (c1 ∧ . . . ∧ cn)

is logically equivalent to false (i.e. the constraint cannot be satisfied).

Aside: Automation

◮ consistency conditions can be automatically generated.
◮ they can be passed to an automated theorem prover

We may detect (some) inconsistencies already at the design phase!

SLIDE 7

Robustness of Specifications

Basic Counter

Cnt = [n : Z | n ≥ 0]

Two Variants of Decrement: What’s the difference?

Dec1 = [∆Cnt | n > 0 ∧ n′ = n − 1]

Dec2 = [∆Cnt | n > 0 → n′ = n − 1]

Robustness is the property of covering all possible inputs.

◮ Dec1 does not cover the case n = 0 (it is not robust)
◮ Dec2 allows an arbitrary after-value if n = 0 (it is robust)

SLIDE 9

Robustness as Logical Property

Definition

S = [v : T | c]

Op = [∆S; i? : U; o! : V | d]

The operation Op of the form above is robust if the formulae c and

∃ v′ : T • ∃ o! : V • (c ∧ c′ ∧ d)

are logically equivalent (where c′ is c with all variables primed).

Informal Reading. The right formula characterises the set of state/input values for which the operation can succeed as specified.

◮ Generalisation. In the general case, all output variables and all primed variables are existentially quantified, and c, d are replaced by the conjunction of all constraints.

SLIDE 10

Robustness of Counters

Basic Counter (in linear notation)

Cnt = [n : Z | n ≥ 0]

First Counter: Dec1 is not robust

Dec1 = [∆Cnt | n > 0 ∧ n′ = n − 1]

∃ n′ : Z • (n ≥ 0 ∧ n′ ≥ 0 ∧ n > 0 ∧ n′ = n − 1) is equivalent to n > 0.

Second Counter: Dec2 is robust

Dec2 = [∆Cnt | n > 0 → n′ = n − 1]

∃ n′ : Z • (n ≥ 0 ∧ n′ ≥ 0 ∧ (n > 0 → n′ = n − 1)) is equivalent to n ≥ 0.

SLIDE 11

More Examples

Another Counter

Cnt = [n : Z | n ≥ 0]

Dec3 = [∆Cnt | n′ = n′ − 1]

Dec4 = [∆Cnt | n′ = n − 1]

Robustness: Formulae to Consider

For Dec3: ∃ n′ : Z • (n ≥ 0 ∧ n′ ≥ 0 ∧ n′ = n′ − 1)

For Dec4: ∃ n′ : Z • (n ≥ 0 ∧ n′ ≥ 0 ∧ n′ = n − 1)

◮ the first formula is equivalent to false – not robust.
◮ the second formula is equivalent to n > 0 – not robust (!)

SLIDE 12

Logical Operators on Schemas

Propositional Logic

We have seen ∧ and ∨ as operators – can we also have something like ∃ and ∀ ?

Hiding of Variables

Let S be a schema and v : T be a declaration of S. Then ∃ v : T • S is the schema with

◮ declarations: those of S, but without v : T
◮ constraint: ∃ v : T • (c1 ∧ . . . ∧ cn), where c1, . . . , cn are the constraints of S.

(We have the same definition with ∀ in place of ∃.)

SLIDE 13

Hiding – Example

AddBirthday, Again

AddBirthday = [∆BirthdayBook; person? : Person; date? : Date | person? ∉ known; birthday′ = birthday ∪ {person? ↦ date?}]

Hiding the after-state variables, i.e. forming

∃ known′ : ℙ Person, birthday′ : Person → Date • AddBirthday

yields the schema

[known : ℙ Person; birthday : Person → Date; person? : Person; date? : Date | ∃ known′ : ℙ Person, birthday′ : Person → Date • (person? ∉ known ∧ known = dom birthday ∧ known′ = dom birthday′ ∧ birthday′ = birthday ∪ {person? ↦ date?})]

SLIDE 14

Understanding the Effect of Hiding

Original Constraints

∃ known′ : ℙ Person, birthday′ : Person → Date • (person? ∉ known ∧ known = dom birthday ∧ known′ = dom birthday′ ∧ birthday′ = birthday ∪ {person? ↦ date?})

Simplifying: Moving ∃ over independent parts

person? ∉ known ∧ known = dom birthday ∧ ∃ known′ : ℙ Person, birthday′ : Person → Date • (known′ = dom birthday′ ∧ birthday′ = birthday ∪ {person? ↦ date?})

Simplifying: Evaluating the Quantifier

person? ∉ known ∧ known = dom birthday

This is the precondition of our manual translation!
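As an added illustration (not part of the slides), the hiding step above can be checked mechanically over constructed finite carrier sets: with PERSON and DATE assumed to be two-element types, and birthday treated as a partial function (as the invariant known = dom birthday requires), the hidden schema agrees with the simplified precondition on every before-state and input.

```python
from itertools import product

# Constructed finite carrier sets standing in for the given types Person and Date
# (an assumption for this bounded check; the slides leave them abstract).
PERSON = ("alice", "bob")
DATE = ("d1", "d2")

def subsets(xs):
    """All subsets of xs, as frozensets (the finite version of P xs)."""
    return [frozenset(x for x, keep in zip(xs, bits) if keep)
            for bits in product((False, True), repeat=len(xs))]

def partial_functions(dom, ran):
    """All partial functions dom -> ran, represented as dicts."""
    return [dict(zip(sorted(d), vals))
            for d in subsets(dom) for vals in product(ran, repeat=len(d))]

def birthday_book(known, birthday):
    """Invariant of BirthdayBook: known = dom birthday."""
    return known == frozenset(birthday)

def add_birthday(known, birthday, person, date, known1, birthday1):
    """Full constraint of AddBirthday: both state invariants (c and c') plus d."""
    return (birthday_book(known, birthday) and birthday_book(known1, birthday1)
            and person not in known
            and birthday1 == {**birthday, person: date})

def hidden_add_birthday(known, birthday, person, date):
    """exists known', birthday' . AddBirthday, by searching all finite after-states."""
    return any(add_birthday(known, birthday, person, date, k1, b1)
               for k1 in subsets(PERSON) for b1 in partial_functions(PERSON, DATE))

def quantified_add_birthday(known, birthday, person, date):
    """Constraint of QuantifiedAddBirthday: person? not in known and known = dom birthday."""
    return person not in known and known == frozenset(birthday)

def hiding_matches_precondition():
    """True iff the two schemas agree on every before-state and input combination."""
    return all(hidden_add_birthday(k, b, p, d) == quantified_add_birthday(k, b, p, d)
               for k in subsets(PERSON) for b in partial_functions(PERSON, DATE)
               for p in PERSON for d in DATE)
```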

SLIDE 15

In Terms of Equivalence

Equivalent Schemas

AddBirthday = [∆BirthdayBook; person? : Person; date? : Date | person? ∉ known; birthday′ = birthday ∪ {person? ↦ date?}]

Given the above, the two schemas below are equivalent:

∃ known′ : ℙ Person, birthday′ : Person → Date • AddBirthday

QuantifiedAddBirthday = [known : ℙ Person; birthday : Person → Date; person? : Person; date? : Date | person? ∉ known ∧ known = dom birthday]

SLIDE 16

From Z to Hoare, Systematically

The Precondition

Given a schema that extends ∆S (and specifies an operation), the precondition is

◮ obtained by existentially quantifying output and primed variables
◮ together with equations v = V for every declared variable v

(here specification variables are lower case (v) and logical variables are upper case (V))

The Postcondition

Obtained from the schema constraint by

◮ replacing primed variables v′ by their non-primed counterparts (v)
◮ replacing non-primed variables v by their logical counterparts (V)

at the same time!

Example: Check for Yourself

This gives precisely what we had produced manually before!

SLIDE 17

Pre/Postconditions: Example

Incrementing Counter – with intentional typo

Cnt = [n : Z | n ≥ 0]

Inc = [∆Cnt | n′ = n′ + 1]

Precondition

∃ n′ : Z • (. . . ∧ n′ = n′ + 1 ∧ . . .) is equivalent to false. (The postcondition simplifies to false, too.)

Extracted Hoare Triple

Program P satisfies Inc iff {false} P {false} is a valid Hoare triple.

◮ this is valid for any program P (e.g. P = erase-hard-disk)
◮ so any program satisfies this specification – what’s wrong?

SLIDE 18

Precondition and Robustness

Problem: Inc is not robust

◮ it does not specify after-values for all declared variables
◮ in fact, it specifies after-values for none of the variables

(Check this, using the definition of robustness!)

Intuitive Explanation

S = [v : T | c]

Op = [∆S; i? : U; o! : V | d]

◮ F = c ∧ c′ ∧ d is a formula over before/after/input/output variables
◮ it describes all legal situations specified by Op
◮ so ∃ v′ : T • ∃ o! : V • (c ∧ c′ ∧ d) describes the situations for which output/after variables are specified
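An added bounded check of the robustness definition from slide 9 (not part of the slides), applied to Dec1–Dec4 from slides 10–11 and to Inc above. Assumption: Z is approximated by the constructed finite range BOUND, which is wide enough that no truncation affects these particular schemas.

```python
# Bounded stand-in for Z (an assumption of this check; the slides quantify over all integers).
BOUND = range(-3, 8)

def cnt(n):
    """State schema Cnt = [n : Z | n >= 0]."""
    return n >= 0

# Operation constraints d(n, n1), with n the before-value and n1 the after-value n'.
OPS = {
    "Dec1": lambda n, n1: n > 0 and n1 == n - 1,       # n > 0 ∧ n' = n − 1
    "Dec2": lambda n, n1: (not n > 0) or n1 == n - 1,  # n > 0 → n' = n − 1
    "Dec3": lambda n, n1: n1 == n1 - 1,                # n' = n' − 1 (never satisfiable)
    "Dec4": lambda n, n1: n1 == n - 1,                 # n' = n − 1
    "Inc":  lambda n, n1: n1 == n1 + 1,                # n' = n' + 1 (never satisfiable)
}

def precondition(op):
    """{ n | ∃ n' : Z • c ∧ c' ∧ d }: before-values for which some legal after-value exists."""
    d = OPS[op]
    return {n for n in BOUND if any(cnt(n) and cnt(n1) and d(n, n1) for n1 in BOUND)}

def is_robust(op):
    """Slide 9's definition: robust iff the precondition equals the invariant set { n | c }."""
    return precondition(op) == {n for n in BOUND if cnt(n)}

def report():
    """Precondition (as a sorted list) and robustness verdict for every operation."""
    return {op: (sorted(precondition(op)), is_robust(op)) for op in OPS}
```

Only Dec2 passes; Dec1 and Dec4 leave n = 0 uncovered, while Dec3 and Inc have an empty precondition, which is why Inc extracts to the vacuous triple {false} P {false}.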

SLIDE 19

Alternative Explanation

Inconsistent Counter, again

Cnt = [n : Z | n ≥ 0]

Inc = [∆Cnt | n′ = n′ + 1]

◮ for no input variable values are outputs prescribed
◮ S does not describe any situations (variable-value patterns)

And, of course, every program is consistent with no requirements!

Caveat

◮ try understanding specifications when using them
◮ there are subtleties – but also tool support.

SLIDE 20

Tool Support across entire lifecycle

Requirements Analysis and Design

◮ production of formal specs (in Z or otherwise)
◮ refine the specs towards an implementation

We can check for robustness, refinement etc.

Implementation

◮ automatic generation of test cases – not covered here
◮ automatic generation of Hoare proof obligations

Tests can be automated, Hoare proofs require extra effort.

Overall Effect

Requirements and Specs are enforced consistently along the whole development process.

SLIDE 21

Literature

Today’s Lecture

Like the last lecture: ‘Z and Hoare Logics’ by A. Diller, in J. E. Nicholls (ed.), Proc. Z User Workshop 1991, pp. 59–76, Springer 1992. Available at

http://www.cantab.net/users/antoni.diller/papers/z-hoare.pdf

‘Using Z’ by Jim Davies and Jim Woodcock, Prentice Hall 1996. Available at http://usingz.com with lots of examples and further discussion.
