lectures 9,10
Post on 07-Jan-2016
36 Views
Preview:
DESCRIPTION
TRANSCRIPT
Software Engineering, COMP201 Slide 1
Lectures 9,10
Formal Specifications
Software Engineering, COMP201 Slide 2
Formal Specification - Techniques for the unambiguous specification of software
Objectives:
To explain why formal specification techniques help discover problems in system requirements
To describe the use of • algebraic techniques (for interface specification) and • model-based techniques(for behavioural specification)
To introduce Abstract State Machine Model
Software Engineering, COMP201 Slide 3
Formal methods
Formal specification is part of a more general collection of techniques that are known as ‘formal methods’ COMP313 “Formal Methods”
These are all based on mathematical representation and analysis of
software Formal methods include
• Formal specification• Specification analysis and proof• Transformational development• Program verification
Software Engineering, COMP201 Slide 4
Acceptance of formal methods
Formal methods have not become mainstream software development techniques as was once predicted• Other software engineering techniques have been successful at
increasing system quality. Hence the need for formal methods has been reduced
• Market changes have made time-to-market rather than software with a low error count the key factor. Formal methods do not reduce time to market
• The scope of formal methods is limited. They are not well-suited to specifying and analysing user interfaces and user interaction
• Formal methods are hard to scale up to large systems
Software Engineering, COMP201 Slide 5
Use of formal methods Their principal benefits are in reducing the number of
errors in systems so their main area of applicability is critical systems:• Air traffic control information systems,• Railway signalling systems• Spacecraft systems• Medical control systems
In this area, the use of formal methods is most likely to be cost-effective
Formal methods have limited practical applicability
Software Engineering, COMP201 Slide 6
Specification in the software process
Specification and design are inextricably mixed.
Architectural design is essential to structure a specification.
Formal specifications are expressed in a mathematical notation with precisely defined vocabulary, syntax and semantics.
Software Engineering, COMP201 Slide 7
Specification and design
Architecturaldesign
Requirementsspecification
Requirementsdefinition
Softwarespecification
High-leveldesign
Increasing contractor involvement
Decreasing client involvement
Specification
Design
Software Engineering, COMP201 Slide 8
Specification in the software process
Requirementsspecification
Formalspecification
Systemmodelling
Architecturaldesign
Requirementsdefinition
High-leveldesign
Software Engineering, COMP201 Slide 9
Specification techniques
Algebraic approach• The system is specified in terms of its operations and
their relationships Model-based approach
• The system is specified in terms of a state model that is constructed using mathematical constructs such as sets and sequences.
• Operations are defined by modifications to the system’s state
Software Engineering, COMP201 Slide 10
Formal specification languages
ASML - Abstract State Machine Language
Yuri. Gurevich, Microsoft Research, 2001
Software Engineering, COMP201 Slide 11
Use of formal specification
Formal specification involves investing more effort in the early phases of software development
This reduces requirements errors as it forces a detailed analysis of the requirements
Incompleteness and inconsistencies can be discovered and resolved !!!
Hence, savings as made as the amount of rework due to requirements problems is reduced
Software Engineering, COMP201 Slide 12
Development costs with formal specification
Specification
Design andImplementation
Validation
Specification
Design andImplementation
Validation
Cost
Without formalspecification
With formalspecification
Software Engineering, COMP201 Slide 13
1. Interface specification Large systems are decomposed into subsystems
with well-defined interfaces between these subsystems
Specification of subsystem interfaces allows independent development of the different subsystems
Interfaces may be defined as abstract data types or object classes
The algebraic approach to formal specification is particularly well-suited to
interface specification
Software Engineering, COMP201 Slide 14
Sub-system interfaces
Sub-systemA
Sub-systemB
Interfaceobjects
Software Engineering, COMP201 Slide 15
The structure of an algebraic specification
sort < name >imports < LIST OF SPECIFICATION NAMES >
Informal descr iption of the sor t and its operations
Operation signatures setting out the names and the types ofthe parameters to the operations defined over the sort
Axioms defining the operations over the sort
< SPECIFICATION NAME > (Gener ic Parameter)
introduction
description
signature
axioms
Software Engineering, COMP201 Slide 16
Behavioural specification
Algebraic specification can be cumbersome when the object operations are not independent of the object state
Model-based specification exposes the system state and defines the operations in terms of changes to that state
Software Engineering, COMP201 Slide 17
OSI reference model
Application
Presentation
Session
Transport
Network
Data link
Physical
7
6
5
4
3
2
1
Communica tions medium
Network
Data link
Physical
Application
Presentation
Session
Transport
Network
Data link
Physical
ApplicationModel-based specification
Algebraic specification
Software Engineering, COMP201 Slide 18
Abstract State Machine Language (AsmL)
AsmL is a language for modelling the structure and behaviour of digital systems
AsmL can be used to faithfully capture the abstract structure and step-wise behaviour of any discrete systems, including very complex ones such as:Integrated circuits, software components, and devices that combine both hardware and software
Software Engineering, COMP201 Slide 19
Abstract State An AsmL model is said to be abstract because it
encodes only those aspects of the system’s structure that affect the behaviour being modelled
The goal is to use the minimum amount of detail that accurately reproduces (or predicts) the
behaviour of the system Abstraction helps us reduce complex problems into
manageable units and prevents us from getting lost in a sea of details
AsmL provides a variety of features that allow you to describe the relevant state of a system in
a very economical, high-level way
Software Engineering, COMP201 Slide 20
Abstract State Machine and Turing Machine
An abstract state machine is a particular kind of mathematical machine, like the Turing machine (TM)
But unlike a TM, ASMs may be defined a very high level of abstraction
An easy way to understand ASMs is to see them as defining a succession of states that may follow an initial state
Software Engineering, COMP201 Slide 21
State transitions
The behaviour of a machine (its run) can always be depicted as a sequence of states linked by state transitions
• Moving from state A to state B is a state transition
paint in green
paint in redA B
Software Engineering, COMP201 Slide 22
Configurations Each state is a particular “configuration” of
the machine
The state may be simple or it may be very large, with complex structure
But no matter how complex the state might be, each step of the machine’s operation can be seen as a well-defined transition from one particular state to another
Software Engineering, COMP201 Slide 23
Evolution of state variables
paint in green
paint in redA B
We can view any machine’s state as a dictionary of
(Name, Value) pairs, called state variables
(Colour, Red) is a variable, where “Colour” is the name of variable, “Red” is the value
Software Engineering, COMP201 Slide 24
Evolution of state variables Names are given by the machine’s symbolic
vocabulary Values are fixed elements, like numbers and
strings of characters
The run of a machine is a series of
states and state transitions that
results form applying operations
to each state in succession
Software Engineering, COMP201 Slide 25
ExampleDiagram shows the run of a machine that models how orders might be processed
S1
Mode = “Initial”
Orders = 0
Balance = £0
Initialise Process All Orders
S3
Mode = “Final”
Orders = 0
Balance = £500
S2
Mode = “Active”
Orders = 2
Balance = £200
Each transition operation: • can be seen as the result of invoking the machine’s
control logic on the current state • calculates the subsequence state as output
Software Engineering, COMP201 Slide 26
Control LogicThe machine’s control logic
behaves like a fix set of transition rules that say how state may evolve
We can think of the control logic as a text that precisely specifies, for any given state, what the values of the machine’s variables will be in the following step
Typical form of the operational text is:
“ if condition then update ”
Software Engineering, COMP201 Slide 27
Control Logic as a Black Box
The two dictionaries S1 and S2 have the same set of keys, but the values associated with each variable name may differ between S1 and S2
The Machine’s Control Logic
…
if mode = “Initial”
then mode := “Active”
mode “Initial”
orders 0
balance £0
Mode “Active”
orders 2
balance £200
input
output
• The machine control logic is a black box that takes as input a state dictionary S1 and gives as output a new dictionary S2
Software Engineering, COMP201 Slide 28
Run of the Machine The run of the machine can be seen as what happens
when the control logic is applied to each state in turn The run starts form initial state
S1 S2 S3 …S1 is given to the black box yielding S2, processing S2 results in S3,
and so on …
When no more changes to state are possible, the run is complete
Software Engineering, COMP201 Slide 29
Update operations We use the symbol
“: =” (reads as “gets”) to indicate the value that a name will have in the resulting state
For example: mode:=“Active”
Update can be seen only during the following step (this is in contrast to Java, C, Pascal, …)
All changes happen simultaneously, when you moving from one step to another. Then, all updates happen at once.(atomic transaction)
Software Engineering, COMP201 Slide 30
Programs
Example 1. Hello, world
Main()
step WriteLine(“hello, world!”)
ASML uses indentations to denote block structure, and blocks can be places inside other blocks
Statement block affect the scope of variables
Whitespace includes blanks and new-line character, ASML does not recognize tab character for indentation !!!!!!!
An operation names Main() gives the top-level operational definition of the model (Main() is like main() in Java and C )
Software Engineering, COMP201 Slide 31
The Executable Specification Language - ASML
Compiler
asmlc [name of the program]
!!! Use D drive at the University Laboratories !!!
Example
D:\>asmlc test.asml
D:\> test.exe
D:\> test.exe >output_file.txt
Software Engineering, COMP201 Slide 32
I. StepsThe general syntax for steps is
Step [label] [stopping-condition] statement block a statement block consists of
indented statement that follow a label is an optional string,
number of identifier followed by a colon (“:”)
stopping condition is any these forms:
until fixpointuntil expressionwhile expression
A step can be introduced independently or as part of sequence of steps in the form:
step …
step …
Software Engineering, COMP201 Slide 33
Stopping for fixed point “until fixed point”enum EnumMode Initial Started Finishedvar mode = Initialvar count = 0
Main() step until fixpoint if mode = Initial then mode :=Started count:=1 if mode = Started and count < 10 then count:= count+1 if mode = Started and count >=10 then mode:= Finished
Initial
Started
Finished
if count < 10 then count:= count+1
count 10
count:= 1
Software Engineering, COMP201 Slide 34
Stopping for conditions “while” & “until”
while expression until expressionvar x as Integer = 1Main() step while x < 10 WriteLine(x) x:= x + 1
var x as Integer = 1Main() step until x > 9 WriteLine(x) x:= x + 1
Running each of these examples produces nine steps. It will print numbers: 1,2,3,4,5,6,7,8 and 9 as output
Either while or until may be used to give an explicit stopping condition for iterated sequential steps of the machine.
Software Engineering, COMP201 Slide 35
Conditions
eq =ne lt <gt >in notin subset superset subseteq superseteq
Software Engineering, COMP201 Slide 36
Sequences of steps
The syntax step … step … indicates a sequence of steps that will be performed in order
• Labels after the “step” keyword are optional but helpful as documentation.
Software Engineering, COMP201 Slide 37
Be wary ! Be wary of introducing unnecessary steps
This can occur if two operations are really not order-dependent but are given as two sequential steps, regardless
It is very easy to fall into this trap, since most people are used to the sequential structures used by other programming languages
Software Engineering, COMP201 Slide 38
Iteration over collections
Another common idiom for iteration is to do one step per element in some finite collection such as a set or sequence
step foreach ident1 in expr1, ident2 in expr2 … statement-block
myList = [1,2,3]Main() step foreach i in myList WriteLine (i)
Sequential, step-based iteration is available for sets as well as sequences, but in the case of sets, the order is not specified
Software Engineering, COMP201 Slide 39
Guidelines for using steps
Situation You choose …
operations occur in a fixed order
sequence of steps
each operation must be done in order
iterated steps with stopping condition “while”,“until”
operations must be done in sequence, one after another
iteration over collection
“foreach”
operations can be done without order
iteration over collection “forall”
Repeat an operation until no more changes occur
fixed-point stopping condition “until fixed point”
Software Engineering, COMP201 Slide 40
II. Updates “How are variables updated?”
A program defines state variables and operations
The most important concept is that state is a dictionary of (name,value) pairs
Each name identifies an occurrence for state variables
• Operations may propose new values for state variables
• But effect of these changes is only visible in subsequent step
Software Engineering, COMP201 Slide 41
The update statementUpdate symbol “: =” (reads as “gets”)
var x = 0var y = 1Main() step WriteLine(“In the first step, x =” + x) // x is 0 WriteLine (“In the first step, y =” + y) // y is 1 x:=2 step // updates occur here WriteLine(“In the second step, x =” + x)//x is 2 WriteLine(“In the second step, y =” + y)//y is 1
Software Engineering, COMP201 Slide 42
Delayed effect of updates
Updates don’t actually occur until the step following the one in which they are written
var x = 0var y = 1Main() step WriteLine(“In the first step, x =” + x) // x is 0 WriteLine(“In the first step, y =” + y) // y is 1 step x:=2 WriteLine (“In the second step, x =” + x) // x is 0 step WriteLine (“In the third step, x =” + x) // x is 2
Software Engineering, COMP201 Slide 43
When updates occur
in C, Java in ASML
temp = x
x = y
y = temp
step
x:= y
y:=x
Swapping values
All updates given within a single step occur simultaneously at the end of the step.
Conceptually, the updates are applied “in between” the steps.
Software Engineering, COMP201 Slide 44
Consistency of updates• The order within a step does not matter, but all of
updates in the step must be consistent• None of the updates given within a step may contradict
each other• If updates do contradict, then they are called
“inconsistent updates” and an error occur
Inconsistent update Error: CLASH
in the update set
step
x:=1
x:=2
we don’t know which of the two should take effect
Software Engineering, COMP201 Slide 45
Total and partial updates
An update of the variable can either be total or partial
Total update is a simple replacement of variable’s value with a new value
Partial updates apply to variables that have structure
The left hand side of the update operation
“ X : = val ”
indicates whether the update is total or partial
Software Engineering, COMP201 Slide 46
Total update of a set-valued variable
1. The variable Students was, initially, an empty set2. It was then updated to contain the names of the four
students3. Update became visible in the second step as the finial
roster
var Students as Set of String = {}Main() step WriteLine (“The initial roster is = ” + Students) Students := {“Bill”, “Carol”, “Ted”, “Alice”} step WriteLine (“The final roster is = ” + Students)
Software Engineering, COMP201 Slide 47
Partial update of a set-valued variable
“ X : = val ” is update operation If X ends with an index form, then the update is partial If X ends with a variable name, then the update is total
var Students as Set of String = {}Main() step WriteLine (“The initial roster is = ” + Students) Students(“Bill”) := true Students(“Carol”) := true Students(“Ted”) := true Students(“Alice”) := truestep WriteLine (“The final roster is = ” + Students)
Software Engineering, COMP201 Slide 48
Updating a set-valued variable
Updating the set Students with updating statement (*) removes “Bill ” from the set
The update is partial in the sense that other students may be added to the set Students in the same step without contradiction
var Students as Set of String = {}Main() step WriteLine (“The initial roster is = ” + Students) Students := {“Bill”, “Carol”,
“Ted”, “Alice”}step WriteLine (“The current roster is = ” + Students) Students ( “Bill”) := false // ( * ) step WriteLine (“The final roster is = ” + Students)
top related