Slides for Formal Specification and Documentation using Z. Copyright c� 1996,1998 Jonathan Bowen. All rights reserved.A Brief Introduction to Z. (Schemas). Last updated: June 1998
Formal Specification and Documentation using Z:
A Case Study Approach
A Brief Introduction to Z. (Schemas)
Jonathan Bowen
Department of Computer Science, University of Reading
Email: [email protected]
URL: http://www.comlab.ox.ac.uk/oucl/users/jonathan.bowen/zbook.html
Schemas
Boxed notation for structuring Z specifications.
Example:
Book
  author : People
  title : seq CHAR
  readership : P People
  rating : People ⇸ 0..10
  ----------
  readership ⊆ dom rating
Top half: defines named variables with constraining type information.
Bottom half: constraining predicates.
‘Normalized’ schema:
Book
  author : People
  title : P(Z × CHAR)
  readership : P People
  rating : P(People × Z)
  ----------
  title ∈ seq CHAR
  rating ∈ People ⇸ 0..10
  readership ⊆ dom rating
N.B., predicates on separate lines are conjoined by default.
Mentally calculating normalized types can help in understanding a specification.
Schemas are normally used for state spaces and operations in mathematical modelling of systems.
Example:
StateSpace
  x1 : S1
  x2 : S2
  ...
  xn : Sn
  ----------
  Inv(x1, ..., xn)
To save space:
StateSpace
  x1 : S1; ...; xn : Sn
  ----------
  Inv(x1, ..., xn)
Horizontal form:
StateSpace ≙ [x1 : S1; ...; xn : Sn | Inv(x1, ..., xn)]
State space: x1, ..., xn are state variables; S1, ..., Sn are expressions.
N.B.: x1, ..., xn should not occur free in S1, ..., Sn. If they do, they refer to other occurrences of variables already in scope.
Inv(x1, ..., xn) is the state invariant.
Variables in a schema are unordered (cf. an ordered tuple).
Variable names are not in scope until the bottom half of the schema, where any interdependencies should be defined.
Example specification
‘Birthday Book’ – well-known example from Spivey’s Z Reference Manual.
Basic types (or given sets):
[NAME, DATE]
State space:
BirthdayBook
  known : P NAME
  birthday : NAME ⇸ DATE
  ----------
  known = dom birthday
State variables: known and birthday
‘Invariant’ property: known = dom birthday (every known person has a birth date).
Identifier decorations
No decoration: current (before) state
State variable ending with prime ('): next (after) state
Variable ending with a question mark (?): input
Variable ending with an exclamation mark (!): output
State change using an operation schema:
Operation
  x1 : S1; ...; xn : Sn
  x1' : S1; ...; xn' : Sn
  i1 : T1; ...; im : Tm
  o1! : U1; ...; op! : Up
  ----------
  Pre(i1, ..., im, x1, ..., xn)
  Inv(x1, ..., xn)
  Inv(x1', ..., xn')
  Op(i1, ..., im, x1, ..., xn, x1', ..., xn', o1!, ..., op!)
Inputs: i1, ..., im
Outputs: o1!, ..., op!
Precondition: Pre(i1, ..., im, x1, ..., xn)
State change (x1, ..., xn) to (x1', ..., xn'):
Op(i1, ..., im, x1, ..., xn, x1', ..., xn', o1!, ..., op!)
N.B.: unconstrained before and after states may take any value (cf. programming languages). Use xi' = xi to retain the same value.
Operation schema:
AddBirthday
  known : P NAME
  birthday : NAME ⇸ DATE
  known' : P NAME
  birthday' : NAME ⇸ DATE
  name? : NAME
  date? : DATE
  ----------
  name? ∉ known
  known = dom birthday
  known' = dom birthday'
  birthday' = birthday ∪ {name? ↦ date?}
The entire state with its invariant is repeated for before (undashed) and after (dashed) states. Fortunately schemas may be ‘included’ in others.
Precondition: name? ∉ known.
Operation part: birthday' = birthday ∪ {name? ↦ date?}
Schema inclusion – Δ convention
StateSpace
  x1 : S1; ...; xn : Sn
  ----------
  Inv(x1, ..., xn)

Operation
  ΔStateSpace
  i1? : T1; ...; im? : Tm
  o1! : U1; ...; op! : Up
  ----------
  Pre(i1?, ..., im?, x1, ..., xn)
  Op(i1?, ..., im?, x1, ..., xn, x1', ..., xn', o1!, ..., op!)
abbreviates:
Operation
  x1 : S1; ...; xn : Sn
  x1' : S1; ...; xn' : Sn
  i1? : T1; ...; im? : Tm
  o1! : U1; ...; op! : Up
  ----------
  Pre(i1?, ..., im?, x1, ..., xn)
  Inv(x1, ..., xn)
  Inv(x1', ..., xn')
  Op(i1?, ..., im?, x1, ..., xn, x1', ..., xn', o1!, ..., op!)
Schema inclusion
Widely used structuring technique in Z.
Adds all state components and associated constraining predicates of the included schema.
N.B.: Matching names merge and must be type-compatible.
Allows information hiding.
Enables emphasis on important details.
Δ example:
AddBirthday
  ΔBirthdayBook
  name? : NAME
  date? : DATE
  ----------
  name? ∉ known
  birthday' = birthday ∪ {name? ↦ date?}
abbreviates:
AddBirthday
  known : P NAME
  birthday : NAME ⇸ DATE
  known' : P NAME
  birthday' : NAME ⇸ DATE
  name? : NAME
  date? : DATE
  ----------
  name? ∉ known
  known = dom birthday
  known' = dom birthday'
  birthday' = birthday ∪ {name? ↦ date?}
No change of state
E.g., status operations:
Operation
  x1 : S1; ...; xn : Sn
  x1' : S1; ...; xn' : Sn
  i1 : T1; ...; im : Tm
  o1! : U1; ...; op! : Up
  ----------
  Pre(i1, ..., im, x1, ..., xn)
  Inv(x1, ..., xn)
  (x1' = x1 ∧ ... ∧ xn' = xn)
  Op(i1, ..., im, x1, ..., xn, o1!, ..., op!)
N.B.: Strictly, Inv(x1', ..., xn') is also included, but is redundant.
Output produced, but state unchanged.
Status operation example:
FindBirthday
  known : P NAME
  birthday : NAME ⇸ DATE
  known' : P NAME
  birthday' : NAME ⇸ DATE
  name? : NAME
  date! : DATE
  ----------
  name? ∈ known
  known = dom birthday
  known' = known
  birthday' = birthday
  date! = birthday(name?)
Precondition: name? ∈ known
Operation part: date! = birthday(name?)
Ξ-inclusion
StateSpace
  x1 : S1; ...; xn : Sn
  ----------
  Inv(x1, ..., xn)

Operation
  ΞStateSpace
  i1? : T1; ...; im? : Tm
  o1! : U1; ...; op! : Up
  ----------
  Pre(i1?, ..., im?, x1, ..., xn)
  Op(i1?, ..., im?, x1, ..., xn, x1', ..., xn', o1!, ..., op!)
abbreviates:
Operation
  x1 : S1; ...; xn : Sn
  x1' : S1; ...; xn' : Sn
  i1? : T1; ...; im? : Tm
  o1! : U1; ...; op! : Up
  ----------
  Pre(i1?, ..., im?, x1, ..., xn)
  Inv(x1, ..., xn)
  (x1' = x1 ∧ ... ∧ xn' = xn)
  Op(i1?, ..., im?, x1, ..., xn, x1', ..., xn', o1!, ..., op!)
Ξ example:
FindBirthday
  ΞBirthdayBook
  name? : NAME
  date! : DATE
  ----------
  name? ∈ known
  date! = birthday(name?)
abbreviates:
FindBirthday
  known : P NAME
  birthday : NAME ⇸ DATE
  known' : P NAME
  birthday' : NAME ⇸ DATE
  name? : NAME
  date! : DATE
  ----------
  name? ∈ known
  known = dom birthday
  known' = known
  birthday' = birthday
  date! = birthday(name?)
Schema operators
Matching logical connectives: ∧, ∨, ¬, ⇒ and ⇔. Quantification: ∀, ∃ and ∃1.
The schemas are first normalized.
N.B.: Especially important for negation, to negate hidden constraints in the signature.
N.B.: For binary connectives, there must be no conflicting declarations.
Schemas as types
E.g., state : StateSpace. Component selection: state.x1 returns component x1, etc.
Schema tuples
Cf. ordered tuple. N.B.: But components are named and unordered.
Notation: θStateSpace. All named schema components x1, ..., xn are included.
The Ξ convention may be defined as follows:
ΞStateSpace ≙ [ΔStateSpace | θStateSpace' = θStateSpace]
Components may be hidden (i.e., existentially quantified).
Schema hiding: StateSpace \ (x1, x2) is the same as ∃ x1 : S1; x2 : S2 • StateSpace
Components may be projected.
Schema projection: If ProjectSpace ≙ [x1 : S1; x2 : S2] then StateSpace ↾ ProjectSpace hides all components in StateSpace except x1 and x2.
Components may be renamed.
Schema renaming: StateSpace[y1/x1, y2/x2] returns a new schema with the x1 component replaced by y1 and x2 replaced by y2. Helps in avoiding name clashes.
Precondition of a schema: pre Operation existentially quantifies all after-state and output components. I.e.,
∃ x1' : S1; ...; xn' : Sn; o1! : T1; ...; op! : Tp • Operation
Sequential composition (‘⨟’)
Operation
  x1 : S1; ...; xp : Sp
  z1 : U1; ...; zn : Un
  z1' : U1; ...; zn' : Un
  ----------
  Op(x1, ..., xp, z1, ..., zn, z1', ..., zn')

Operation2
  y1 : T1; ...; yq : Tq
  z1 : U1; ...; zn : Un
  z1' : U1; ...; zn' : Un
  ----------
  Op2(y1, ..., yq, z1, ..., zn, z1', ..., zn')

Operation ⨟ Operation2
  x1 : S1; ...; xp : Sp
  y1 : T1; ...; yq : Tq
  z1 : U1; ...; zn : Un
  z1' : U1; ...; zn' : Un
  ----------
  ∃ z1'' : U1; ...; zn'' : Un •
    Op(x1, ..., xp, z1, ..., zn, z1'', ..., zn'') ∧
    Op2(y1, ..., yq, z1'', ..., zn'', z1', ..., zn')
AddThenFindBirthday
  known : P NAME
  birthday : NAME ⇸ DATE
  known' : P NAME
  birthday' : NAME ⇸ DATE
  name? : NAME
  date? : DATE
  date! : DATE
  ----------
  ∃ known'' : P NAME; birthday'' : NAME ⇸ DATE •
    known = dom birthday ∧ known'' = dom birthday'' ∧
    name? ∉ known ∧ birthday'' = birthday ∪ {name? ↦ date?} ∧ known'' = dom birthday'' ∧
    known' = known'' ∧
    birthday' = birthday'' ∧
    name? ∈ known'' ∧
    date! = birthday''(name?)
Also a similar schema piping operator, matching outputs of the 1st schema with inputs of the 2nd.
Properties
AddThenFindBirthday ⇒ date! = date?
If proved, provides an extra level of confidence.
Confirms intuitions (or otherwise!).
Finds errors earlier.
N.B.: No standard way to write theorems in Z.
A convention: ⊢ p where p is a predicate.
Alternatively: d ⊢ p where d represents universally quantified declarations.
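As an added example, not from the slides or from Bowen's book: a small executable Python model of the Birthday Book that computes pre FindBirthday by the existential search over after-states and outputs described on the precondition slide, and exhaustively checks the property AddThenFindBirthday ⇒ date! = date? over constructed finite NAME and DATE sets. All function names and the finite sets are assumptions of this example.

```python
# Executable model of the slides' Birthday Book (constructed here as an added example):
# a state is (known, birthday) with invariant known = dom birthday.
from itertools import combinations, product
NAME = ("alice", "bob", "carol")   # constructed finite basic type [NAME]
DATE = ("1 Jan", "2 Feb")          # constructed finite basic type [DATE]
def invariant(state):
    """BirthdayBook invariant: known = dom birthday."""
    known, birthday = state
    return known == frozenset(birthday)

def all_states():
    """Every BirthdayBook state over the finite types (invariant holds by construction)."""
    for n in range(len(NAME) + 1):
        for names in combinations(NAME, n):
            for dates in product(DATE, repeat=n):
                yield (frozenset(names), dict(zip(names, dates)))

def find_birthday_pred(before, after, name, date_out):
    """FindBirthday (Xi BirthdayBook): name? in known, state unchanged, date! = birthday(name?)."""
    return (name in before[0] and after[0] == before[0]
            and after[1] == before[1] and date_out == before[1][name])

def pre(op_pred, before, *inputs):
    """pre Operation: some after-state and output satisfy Operation (exhaustive search)."""
    return any(op_pred(before, after, *inputs, out) for after in all_states() for out in DATE)

def add_birthday(state, name, date):
    """AddBirthday: precondition name? not in known; birthday' = birthday U {name? |-> date?}."""
    known, birthday = state
    if name in known:
        raise ValueError("pre AddBirthday fails: name already known")
    birthday2 = {**birthday, name: date}
    after = (frozenset(birthday2), birthday2)   # known' = dom birthday' keeps the invariant
    return after

def add_then_find(state, name, date):
    """AddBirthday ; FindBirthday on the same name?: intermediate state hidden, date! returned."""
    mid = add_birthday(state, name, date)
    assert pre(find_birthday_pred, mid, name)     # FindBirthday is enabled after the add
    return mid[1][name]

def check_property():
    """Count cases confirming AddThenFindBirthday => date! = date?; None on a counterexample."""
    checked = 0
    for state in all_states():
        for name, date in product(NAME, DATE):
            if name in state[0]:
                continue                          # outside pre AddBirthday: nothing to check
            if add_then_find(state, name, date) != date:
                return None
            checked += 1
    return checked
```

With three names and two dates there are 27 states and 54 cases inside the precondition; a larger finite model only raises the count, the exhaustive search stays the same.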
Conclusion
Extensive standard mathematical ‘toolkit’: set-theoretic definitions (see Spivey’s Z Reference Manual and the Z Standard).
Further toolkit libraries possible (e.g., for real numbers).
N.B.: Z is based on first-order logic. Common mistake: attempting to form relations and functions on predicates. No predefined Boolean type in Z; normally unnecessary. A binary-valued type is possible, but often better avoided.
Z type-checker – recommended for discovery of many errors.
Z has evolved. Lack of tools helped this!
De facto standard: Spivey’s Z Notation: A Reference Manual. Development of an ISO international standard.