236368 Emilia Katz, Shahar Dag
Formal Specifications for Complex Systems (236368)
Tutorial #13
Algebraic Specification and Larch
Today:
• Larch Specification Language
• Initial and Final Algebras
• Larch Interface Language
• Examples
General Structure
trait_name : trait                                  // data structure behavior, properties
  includes trait1 rename_list, trait2 rename_list, …
  introduces                                        // operations declaration
    operator_list
  asserts                                           // axioms – operations definition
    predicate_list
    var_type generated by operator_list
    var_type partitioned by observer_list
  implies additional_claims
  implies converts operation_list
  implies converts operation_list exempting special_cases
Example (includes)

trait1 : trait
  introduces
    __ ↔ __ : T, T → bool
  asserts
    ∀ x : T  x ↔ x

trait2 : trait
  introduces
    __ R __ : T, T → bool
  asserts
    ∀ x, y, z : T  (x R y ∧ y R z) ⇒ x R z

trait3 : trait
  includes trait1 (≤ for ↔), trait2 (≤ for R)

What is the meaning of these traits?
trait1: a reflexive relation
trait2: a transitive relation
trait3: a pre-order (reflexive and transitive)
What operations are defined for this trait?
≤ instead of ↔ and R (the renamed operator is shared by both included traits)
Example - Set
Want to be able to:
• Create a new set
• Add / remove elements from a set
• Check whether an element is in the set
• Get the size of the set
• Get a union / intersection of two sets
Example – Set (cont.)
settrait : trait
  introduces
    {} : → set
    _ ∈ _ : E, set → bool
    insert : E, set → set
    delete : E, set → set
    size : set → int
    _ ∪ _ : set, set → set
    _ ⋂ _ : set, set → set
// to be continued…
One can write "E × set" instead of "E, set" (another notation for the same signature).
Example – Set (contd.2)
Define the operations and the connections between them:
• What does a newly created set look like?
• What is the effect of adding / removing elements from a set?
• How is the size of a set defined?
• What is the union / intersection of two sets?
Example – Set (contd.3)
  asserts
    ∀ e, e1 : E, s, s1 : set
      ¬(e ∈ {});
      e ∈ insert(e1, s) == (e = e1) ∨ (e ∈ s);
      size({}) == 0;
      size(insert(e, s)) == if e ∈ s then size(s) else size(s) + 1;
      delete(e, {}) == {};
      delete(e, insert(e1, s)) == if e = e1 then delete(e, s) else insert(e1, delete(e, s));
      s ∪ {} == s;
      s ∪ insert(e, s1) == insert(e, s ∪ s1);
      s ⋂ {} == {};
      s ⋂ insert(e, s1) == if e ∈ s then insert(e, s ⋂ s1) else s ⋂ s1;
Example – Set (contd.4)
generated by:
  set generated by {}, insert
partitioned by:
  set partitioned by ∈
Well-definedness of the operations of the trait:
  implies converts {}, ∈, insert, delete, size, ∪, ⋂
  (all the operations are well-defined, no special cases)
Example – Set (contd.5)
Is the following true?
  set implies delete(5, insert(7, insert(5, {}))) = insert(7, {})

  delete(5, insert(7, insert(5, {})))
  == insert(7, delete(5, insert(5, {})))    // axiom 2 about delete, the "else" part (5 ≠ 7)
  == insert(7, delete(5, {}))               // axiom 2 about delete, the "then" part (5 = 5)
  == insert(7, {})                          // axiom 1 about delete
=> The statement is true!
Example – Set (contd.6)
Is the following true?
set implies insert(7 , insert(5 , {})) = insert(5 , insert(7 , {}))
No axioms to help us decide!
Initial and Final Algebras
Initial algebra:
  insert(7, insert(5, {})) ≠ insert(5, insert(7, {})), since they cannot be proven equal from the axioms of set
Final algebra:
  insert(7, insert(5, {})) = insert(5, insert(7, {})), since they cannot be distinguished by the observers
Larch leaves the decision to the author of the trait: adding a partitioned by clause (here, set partitioned by ∈) adds the axiom that two sets which no listed observer can tell apart are equal, and this identifies the two terms above.
Initial and Final Algebras
Question: What would the following statement mean?
  set partitioned by size
Answer: We would be claiming that two sets are equal whenever they have the same size.
Is this good? No! It would mean that insert(5, {}) = insert(7, {}), which "breaks" the algebra, as we can now prove false claims:
  5 ∈ insert(5, {})                     // axiom 2 about ∈
  insert(5, {}) = insert(7, {})         // both have size 1
  => 5 ∈ insert(7, {})                  // substituting equals for equals
  => 5 = 7 ∨ 5 ∈ {}, i.e. 5 ∈ {}        // axiom 2 about ∈, contradicting axiom 1 (¬(e ∈ {}))
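The derivations on the last few slides (the delete computation, the two insert orders, and the unsound partitioned by size) can be checked mechanically. The following is an added example, not code from the tutorial: a Python model of settrait in which each axiom of slide 8 is read left-to-right as a rewrite rule over generator terms, followed by the three candidate equalities the slides discuss. The class and function names (Empty, Insert, SetTerm, member, mentioned, and the three *_equal / partitioned_by_* predicates) are this example's own choices.

```python
# Added example (not part of the tutorial): an executable model of settrait.
# Values of sort set are built only from the generators {} and insert, as
# "set generated by {}, insert" states; every other operation is implemented
# by reading the trait's axioms left-to-right as rewrite rules.
from __future__ import annotations
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class Empty:
    """The generator {}."""
    def __repr__(self) -> str:
        return "{}"


@dataclass(frozen=True)
class Insert:
    """The generator insert(e, s)."""
    e: int
    s: SetTerm
    def __repr__(self) -> str:
        return f"insert({self.e}, {self.s!r})"


SetTerm = Union[Empty, Insert]
EMPTY = Empty()


def insert(e: int, s: SetTerm) -> SetTerm:
    return Insert(e, s)


def member(e: int, s: SetTerm) -> bool:
    # ¬(e ∈ {});  e ∈ insert(e1, s) == e = e1 ∨ e ∈ s
    return isinstance(s, Insert) and (e == s.e or member(e, s.s))


def size(s: SetTerm) -> int:
    # size({}) == 0;  size(insert(e, s)) == if e ∈ s then size(s) else size(s) + 1
    if isinstance(s, Empty):
        return 0
    return size(s.s) if member(s.e, s.s) else size(s.s) + 1


def delete(e: int, s: SetTerm) -> SetTerm:
    # delete(e, {}) == {};
    # delete(e, insert(e1, s)) == if e = e1 then delete(e, s) else insert(e1, delete(e, s))
    if isinstance(s, Empty):
        return EMPTY
    return delete(e, s.s) if e == s.e else insert(s.e, delete(e, s.s))


def union(s: SetTerm, s1: SetTerm) -> SetTerm:
    # s ∪ {} == s;  s ∪ insert(e, s1) == insert(e, s ∪ s1)
    if isinstance(s1, Empty):
        return s
    return insert(s1.e, union(s, s1.s))


def intersect(s: SetTerm, s1: SetTerm) -> SetTerm:
    # s ⋂ {} == {};  s ⋂ insert(e, s1) == if e ∈ s then insert(e, s ⋂ s1) else s ⋂ s1
    if isinstance(s1, Empty):
        return EMPTY
    rest = intersect(s, s1.s)
    return insert(s1.e, rest) if member(s1.e, s) else rest


def mentioned(s: SetTerm) -> set:
    """Every element value occurring in a term: the candidates an observer could test."""
    out = set()
    while isinstance(s, Insert):
        out.add(s.e)
        s = s.s
    return out


# Three candidate equalities on set terms, matching the tutorial's discussion.
def initial_equal(a: SetTerm, b: SetTerm) -> bool:
    """Initial-algebra reading: terms are equal only when the axioms rewrite
    them to the same generator term.  No axiom relates insert(7, insert(5, {}))
    to insert(5, insert(7, {})), so this is plain structural equality."""
    return a == b


def partitioned_by_member(a: SetTerm, b: SetTerm) -> bool:
    """`set partitioned by ∈`: equal iff no element e has (e ∈ a) ≠ (e ∈ b)."""
    return all(member(x, a) == member(x, b) for x in mentioned(a) | mentioned(b))


def partitioned_by_size(a: SetTerm, b: SetTerm) -> bool:
    """The rejected `set partitioned by size`: equal iff the sizes agree."""
    return size(a) == size(b)


def size_partition_is_unsound() -> bool:
    """The tutorial's derivation: insert(5, {}) and insert(7, {}) are identified
    by size, yet ∈ separates them, so substituting one for the other would
    derive 5 ∈ insert(7, {}) and hence 5 ∈ {}."""
    a, b = insert(5, EMPTY), insert(7, EMPTY)
    return partitioned_by_size(a, b) and member(5, a) and not member(5, b)
```

Because the observers are written directly from the axioms, the model cannot "see" anything the trait does not say: initial_equal reports the two insert orders as different terms, partitioned_by_member identifies them, and size_partition_is_unsound() returns True precisely because size is not a sufficient set of observers for ∈.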
Larch Interface Language - LCL
• the second layer of a Larch specification
• we will only show some of the main features of LCL
• the termination requirement is implicit
• may use any sorts and operations defined in LSL traits
• the mapping of program types to sorts (for instance, integer for the sort E of settrait) is done when introducing the used traits, by renaming the sorts to the corresponding types: uses trait with [type for sort, …]
• LCL manipulates objects (variables). They can be:
  • mutable: their value can be changed (specified by var)
  • immutable: their value is guaranteed to stay constant.
LCL – The general form
uses traits with [rename_list]
procedure header
  requires P
  modifies L
  ensures Q

P – the precondition of the I/O assertion
• Contains restrictions on the input
• Prevents calls with illegal values
• Must be fulfilled by the caller
L – the list of changeable objects
Q – the post-condition
• Relates final values [primed (') version] to initial ones
• Must be established by the procedure
Note – implicit condition: the procedure must terminate!
Example
uses settrait with [set for set, integer for E]

procedure setinit(var s : set)                  // corresponds to {} of settrait
  modifies s
  ensures s' = {}

procedure setinsert(e : integer; var s : set)    // corresponds to insert; adds a restriction: size ≤ 100
  requires size(insert(e, s)) ≤ 100
  modifies s
  ensures s' = insert(e, s)

procedure setrem(e : integer; var s : set; var f : bool)   // delete an element and report whether it was in the set before: a combination of delete and ∈
  modifies s, f
  ensures s' = delete(e, s) ∧ f' = (e ∈ s)

function choose(s : set; var e : integer) : bool          // return an arbitrary element; no corresponding trait operation
  modifies e, choose
  ensures if size(s) > 0 then (choose' ∧ (e' ∈ s)) else (¬choose' ∧ (e' = e))

Pascal-like syntax is used.
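The three clauses of an LCL procedure can be checked at run time against a model of the trait. The following is an added example, not code from the tutorial: the four procedures above are written as Python bodies, with requires (P), modifies (L) and ensures (Q) kept as predicates over the state before the call (unprimed) and after it (primed), and the sort set is modelled by frozenset in the spirit of uses settrait with [set for set, integer for E]. Procedure, State, ContractError and the helper functions are this example's own names; the caller-side scenario functions construct their own input.

```python
# Added example (not part of the tutorial): run-time checking of LCL-style
# contracts.  The LSL sort `set` is modelled by frozenset and `integer` by int;
# insert, delete, ∈ and size become the corresponding frozenset operations.
from dataclasses import dataclass
from typing import Any, Callable, Dict

State = Dict[str, Any]      # object (variable) name -> current value
Set = frozenset             # immutable, so a pre-state snapshot cannot change under us


class ContractError(Exception):
    """A requires, modifies or ensures clause was violated."""


@dataclass
class Procedure:
    name: str
    requires: Callable[[State], bool]          # P: must hold before the call
    modifies: frozenset                        # L: the only objects the body may change
    ensures: Callable[[State, State], bool]    # Q(pre, post): must hold after the call
    body: Callable[[State], None]              # the implementation, mutates the state

    def call(self, state: State) -> State:
        pre = dict(state)                      # snapshot of the unprimed values
        if not self.requires(pre):
            raise ContractError(f"{self.name}: requires violated by the caller")
        self.body(state)
        for name in pre:                       # frame condition: nothing outside L moved
            if name not in self.modifies and state[name] != pre[name]:
                raise ContractError(f"{self.name}: modified {name}, not in modifies")
        if not self.ensures(pre, state):
            raise ContractError(f"{self.name}: ensures not established")
        return state


def _setinit_body(st: State) -> None:
    st["s"] = Set()

def _setinsert_body(st: State) -> None:
    st["s"] = st["s"] | {st["e"]}

def _setrem_body(st: State) -> None:
    st["f"] = st["e"] in st["s"]
    st["s"] = st["s"] - {st["e"]}

def _choose_body(st: State) -> None:
    # Q only asks for *some* element of s; min() is one legal choice.
    if st["s"]:
        st["choose"], st["e"] = True, min(st["s"])
    else:
        st["choose"] = False

setinit = Procedure("setinit", lambda pre: True, frozenset({"s"}),
                    lambda pre, post: post["s"] == Set(),                  # s' = {}
                    _setinit_body)

setinsert = Procedure("setinsert",
                      lambda pre: len(pre["s"] | {pre["e"]}) <= 100,       # size(insert(e, s)) ≤ 100
                      frozenset({"s"}),
                      lambda pre, post: post["s"] == pre["s"] | {pre["e"]},  # s' = insert(e, s)
                      _setinsert_body)

setrem = Procedure("setrem", lambda pre: True, frozenset({"s", "f"}),
                   lambda pre, post: post["s"] == pre["s"] - {pre["e"]}     # s' = delete(e, s)
                   and post["f"] == (pre["e"] in pre["s"]),                 # f' = (e ∈ s)
                   _setrem_body)

choose = Procedure("choose", lambda pre: True, frozenset({"e", "choose"}),
                   lambda pre, post: (post["choose"] and post["e"] in pre["s"]) if pre["s"]
                   else (not post["choose"] and post["e"] == pre["e"]),
                   _choose_body)


def demo_ok() -> State:
    """A legal call sequence in which every contract holds."""
    st: State = {"s": Set(), "e": 0, "f": False, "choose": False}
    setinit.call(st)
    for v in (5, 7, 5):                    # the repeated 5 does not grow the set
        st["e"] = v
        setinsert.call(st)
    st["e"] = 5
    setrem.call(st)                        # f' records that 5 was present
    choose.call(st)                        # 7 is the only element left
    return st


def insert_into_full_set_is_rejected() -> bool:
    """requires is the caller's obligation: with 100 elements present, asking
    to insert a 101st violates size(insert(e, s)) ≤ 100 and is refused."""
    st: State = {"s": Set(range(100)), "e": 100, "f": False, "choose": False}
    try:
        setinsert.call(st)
    except ContractError:
        return True
    return False


def frame_violation_is_caught() -> bool:
    """A setrem that also clobbers e breaks `modifies s, f` even though its
    ensures clause still holds."""
    def sloppy(st: State) -> None:
        _setrem_body(st)
        st["e"] = -1
    bad = Procedure("setrem", setrem.requires, setrem.modifies, setrem.ensures, sloppy)
    st: State = {"s": Set({5, 7}), "e": 5, "f": False, "choose": False}
    try:
        bad.call(st)
    except ContractError:
        return True
    return False
```

The split of responsibilities is the point: a requires failure blames the caller, a modifies or ensures failure blames the implementation. Because ensures for choose is written with primed values on the left and unprimed ones on the right, any body that returns some element of the pre-state set satisfies it, which is exactly the nondeterminism the slide's "arbitrary element" allows.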
Example from an exam – set
Given set (as we have seen), together with the arithmetic operations and the relational operators (<, ≤, >, …), define:
max – the maximal element of the set
second – the second-largest element of the set
Example from an exam – set (cont.)
First attempt at a solution for max (a student's solution):
  max : set → E
  max(s) = e . e ∈ s ∧ ¬∃ a ∈ s . a > e
Is this a good solution?
No (ignoring the approximate notation used here for the sake of the example).
We want an inductive definition, like the other operations, so that it can be used in proofs by induction and in other axioms (not a solution taken from logic):
  max(insert(e, s)) == if size(s) = 0 then e else if max(s) > e then max(s) else e
  implies converts max exempting max({})
Example from an exam – set (cont.)
Now solving second should already be easy:
  second : set → E
  second(s) == max(delete(max(s), s))    (*)
  implies converts second exempting second({}), ∀ e : E second(insert(e, {}))
Does the line marked (*) change our set?
No: here we only describe the operations; the interface language takes care of the set.
Exam question – Moed A (first sitting), 2013
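The inductive definitions of max and second can be executed over generator terms, which also makes the exemptions concrete. The following is an added example, not code from the tutorial or the exam solution: a set term is () for {} and (e, s) for insert(e, s); member, size and delete are restated from the trait's axioms, max and second follow the two equations above, and Exempted, try_second and agrees_with_logical_spec are this example's own names.

```python
# Added example (not part of the tutorial): max and second as inductive
# definitions over generator terms of settrait, with the exempted cases
# surfacing as an explicit exception instead of an invented value.
from typing import Optional

SetTerm = tuple            # () stands for {}, (e, s) for insert(e, s)
EMPTY: SetTerm = ()


def insert(e: int, s: SetTerm) -> SetTerm:
    return (e, s)


def member(e: int, s: SetTerm) -> bool:
    # ¬(e ∈ {});  e ∈ insert(e1, s) == e = e1 ∨ e ∈ s
    return s != EMPTY and (e == s[0] or member(e, s[1]))


def size(s: SetTerm) -> int:
    # size({}) == 0;  size(insert(e, s)) == if e ∈ s then size(s) else size(s) + 1
    if s == EMPTY:
        return 0
    e, rest = s
    return size(rest) if member(e, rest) else size(rest) + 1


def delete(e: int, s: SetTerm) -> SetTerm:
    # delete(e, {}) == {};
    # delete(e, insert(e1, s)) == if e = e1 then delete(e, s) else insert(e1, delete(e, s))
    if s == EMPTY:
        return EMPTY
    e1, rest = s
    return delete(e, rest) if e == e1 else insert(e1, delete(e, rest))


class Exempted(Exception):
    """Raised on a term that `converts ... exempting` leaves unspecified."""


def max_(s: SetTerm) -> int:
    # max(insert(e, s)) == if size(s) = 0 then e else if max(s) > e then max(s) else e
    # max({}) is exempted: there is no axiom to apply.
    if s == EMPTY:
        raise Exempted("max({})")
    e, rest = s
    if size(rest) == 0:
        return e
    m = max_(rest)
    return m if m > e else e


def second(s: SetTerm) -> int:
    # second(s) == max(delete(max(s), s))
    # Exempted: second({}) and second(insert(e, {})) for every e.  Both reduce
    # to max({}), exactly the term that max's own exemption leaves open.
    return max_(delete(max_(s), s))


def try_second(s: SetTerm) -> Optional[int]:
    """second(s), or None when the trait leaves the value unspecified."""
    try:
        return second(s)
    except Exempted:
        return None


def elements(s: SetTerm) -> list:
    out = []
    while s != EMPTY:
        out.append(s[0])
        s = s[1]
    return out


def agrees_with_logical_spec(s: SetTerm) -> bool:
    """The student's characterisation, max(s) = e . e ∈ s ∧ ¬∃ a ∈ s . a > e,
    is fine as a property to verify; here it is checked against the inductive max."""
    m = max_(s)
    return member(m, s) and not any(a > m for a in elements(s))
```

Note the term insert(5, insert(5, {})): try_second returns None for it as well, although it is not syntactically of the form insert(e, {}). That is consistent with the exemption only because set partitioned by ∈ identifies it with insert(5, {}); without that clause the converts claim for second would have to list it separately.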
Solution: available on the course website under exams from previous years.