©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 1
Model-based Specification
u Formal specification ofsoftware by developing amathematical model of thesystem
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 2
Objectivesu To introduce an approach to formal specification
based on mathematical system modelsu To present some features of the Z specification
languageu The illustrate the use of Z using small examplesu To show how Z schemas may be used to develop
incremental specifications
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 3
Topics coveredu Z schemasu The Z specification processu Specifying ordered collections
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 4
Model-based specificationu Defines a model of a system using well-
understood mathematical entities such as sets andfunctions
u The state of the system is not hidden (unlikealgebraic specification)
u State changes are straightforward to defineu VDM and Z are the most widely used
model-based specification languages
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 5
Z as a specification languageu Based on typed set theoryu Probably now the most widely-used
specification languageu Includes schemas, an effective low-level
structuring facilityu Schemas are specification building blocksu Graphical presentation of schemas make Z
specifications easier to understand
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 6
Z schemasu Introduce specification entities and defines
invariant predicates over these entitiesu A schema includes
• A name identifying the schema• A signature introducing entities and their types• A predicate part defining invariants over these entities
u Schemas can be included in other schemas andmay act as type definitions
u Names are local to schemas
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 7
Z schema highlighting
contents Š capacity
Containercontents: capacity:
Schema name Schema signature Schema predicate
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 8
An indicator specification
light = on ⇔ reading Š danger_le vel
Indicator
light: {off, on}reading: danger_le vel:
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 9
Storage tank specification
reading = contentscapacity = 5000danger_level = 50
Storage_tank
ContainerIndicator
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 10
Full specification of a storage tank
contents Š capacitylight = on ⇔ reading Š danger_le velreading = contentscapacity = 5000danger_le vel = 50
Stor age_tank
contents: capacity: reading: d a n g e r _ l eve l : light: {off, on}
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 11
Z conventionsu A variable name decorated with a quote mark
(N‘) represents the value of the state variable Nafter an operation
u A schema name decordated with a quote markintroduces the dashed values of all names definedin the schema
u A variable name decorated with a ! represents anoutput
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 12
Z conventionsu A variable name decorated with a ? represents an
inputu A schema name prefixed by the Greek letter Xi
(Ξ) means that the defined operation does notchange the values of state variables
u A schema name prefixed by the Greek letterDelta (∆) means that the operation changes someor all of the state variables introduced in thatschema
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 13
Operation specificationu Operations may be specified incrementally as
separate schema then the schema combined toproduce the complete specification
u Define the ‘normal’ operation as a schemau Define schemas for exceptional situationsu Combine all schemas using the disjunction (or)
operator
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 14
A partial spec. of a fill operation
contents + amount? Š capacityc o n t e n t s ’ = c o n t e n t s + a m o u n t ?
Fill-OK
² S t o ra g e _ t a n kamount?:
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 15
Storage tank fill operation
capacity < contents + amount?r! = “Insufficient tank capacity – Fill cancelled”
OverFill
Ξ Stora ge-tankamount?: r!: seq CHAR
Fill
F i l l - O K O ve r F i l l
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 16
The Z specification process
Define gi vens e t s a n d t y p e s
Define statevariables
Define initialstate
Define‘correct’operations
Defineexceptionaloperations
Combineoperationschemas
Write informalspecification
Decomposesystem
Specify systemcomponents
Composecomponent
specifications
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 17
Data dictionary specificationu Data dictionary, introduced in Chapter 6, will be
used as an example. This is part of a CASEsystem and is used to keep track of system names
u Data dictionary structure• Item name• Description• Type. Assume in these examples that the allowed types are
those used in semantic data models• Creation date
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 18
Given setsu Z does not require everything to be defined at
specification timeu Some entities may be ‘given’ and defined lateru The first stage in the specification process is to
introduce these given sets• [NAME, DATE]• We don’t care about these representations at this stage
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 19
Type definitionsu There are a number of built-in types (such as
INTEGER) in Zu Other types may be defined by enumeration
• Sem_model_types = { relation, entity, attribute }
u Schemas may also be used for type definition.The predicates serve as constraints on the type
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 20
Specification using functionsu A function is a mapping from an input value to an
output value• SmallSquare = {1 → 1, 2 → 4, 3 → 9, 4 → 16, 5 → 2 25, 6 →
2 36, 7 → 49 }
u The domain of a function is the set of inputs overwhich the function has a defined result• dom SmallSquare = {1, 2, 3, 4, 5, 6, 7 }
u The range of a function is the set of results whichthe function can produce• rng SmallSquare = {1, 4, 9, 16, 25, 36, 49 }
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 21
The function SmallSquare
onetwothreefourfivesix
seven
14916253649
Domain (Smal lSquare) Range (Smal lSquare)
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 22
Data dictionary modellingu A data dictionary may be thought of as a
mapping from a name (the key) to a value (thedescription in the dictionary)
u Operations are• Add. Makes a new entry in the dictionary or
replaces an existing entry• Lookup. Given a name, returns the description.• Delete. Deletes an entry from the dictionary• Replace. Replaces the information associated with an entry
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 23
Data dictionary entry
#descr iption Š 2000
DataDictionar yEntry
entr y: NAMEdesc: seq chart y p e : S e m _ m o d e l _ t y p e screation_date: DATE
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 24
Data dictionary as a function
DataDictionaryDataDictionaryEntryddict: NAME→ {DataDictionaryEntry}
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 25
Data dictionary - initial state
d d i c t ’ = Ø
I n i t - D a t a D i c t i o n a ry
DataDictionar y’
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 26
Add and lookup operations
name? ∉ dom ddictd d i c t ’ = d d i c t ∪ { n a m e ? → e n t ry ? }
Add_OK
² DataDictionar yname?: NAMEe n t ry ? : D a t a D i c t i o n a ry E n t ry
name? ∈ dom ddicte n t ry ! = d d i c t ( n a m e ? )
Lookup_OK
Ξ DataDictionar yname?: NAMEe n t ry ! : D a t a D i c t i o n a ry E n t ry
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 27
Add and lookup operations
name? ∈ dom ddicte r r o r ! = “ N a m e a l r e a d y i n d i c t i o n a ry ”
Add_Error
Ξ D a t a D i c t i o n a ryname?: NAMEerror!: seq char
name? ∉ dom ddicte r r o r ! = “ N a m e n o t i n d i c t i o n a ry ”
Lookup_Error
Ξ D a t a D i c t i o n a ryname?: NAMEerror!: seq char
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 28
Function over-riding operatoru ReplaceEntry uses the function overriding
operator (written ⊕ ). This adds a new entry orreplaces and existing entry..• phone = { Ian → 3390, Ray → 3392, Steve → 3427}• The domain of phone is {Ian, Ray, Steve} and the range is
{3390, 3392, 3427}.• newphone = {Steve → 3386, Ron → 3427}• phone ⊕ newphone = { Ian → 3390, Ray → 3392, Steve
→ 3386, Ron → 3427}
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 29
Replace operation
name? ∈ dom ddictd d i c t ’ ⊕ { n a m e ? → e n t ry ? }
Replace_OK
² DataDictionar yname?: NAMEe n t ry ? : D a t a D i c t i o n a ry E n t ry
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 30
Deleting an entryu Uses the domain subtraction operator (written
4) which, given a name, removes that namefrom the domain of the function
• phone = { Ian → 3390, Ray → 3392, Steve → 3427}• {Ian} 4 phone• {Ray → 3392, Steve → 3427}
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 31
Delete entry
name? ∈ dom ddictd d i c t ’ = { n a m e ? } d d i c t
Delete_OK
² D a t a D i c t i o n a ryname?: NAME
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 32
Specifying ordered collectionsu Specification using functions does not allow
ordering to be specifiedu Sequences are used for specifying ordered
collectionsu A sequence is a mapping from consecutive
integers to associated values
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 33
A Z sequence
1234567
14916253649
Domain (SqSeq) Range (SqSeq)
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 34
Data dictionary extract operationu The Extract operation extracts from the data
dictionary all those entries whose type is the sameas the type input to the operation
u The extracted list is presented in alphabeticalorder
u A sequence is used to specify the ordered outputof Extract
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 35
The Extract operation
∀ n : d o m d d i c t • d d i c t ( n ) . t y p e = i n _ t y p e ? ⇒ d d i c t ( n ) ∈ rn g r e p !∀ i : 1 Š i Š #rep! • rep! (i).type = in_type?∀ i : 1 Š i Š #rep! • rep! (i) ∈ rng ddict∀ i , j: dom rep! • (i < j) ⇒ rep . name(i) < NAME rep .name (j)
Extract
DataDictionar yr e p ! : s e q { D a t a D i c t i o n a ry E n t ry }in_type?: Sem_model_types
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 36
Extract predicateu For all entries in the data dictionary whose type is
in_type?, there is an entry in the output sequenceu The type of all members of the output sequence is
in_type?u All members of the output sequence are members
of the range of ddictu The output sequence is ordered
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 37
Data dictionary specification
The_Data_Dictionary
DataDictionaryInit-DataDictionaryAddLookupDeleteReplaceExtract
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 38
Key pointsu Model-based specification relies on building a
system model using well-understoodmathematical entities
u Z specifications are made up of mathematicalmodel of the system state and a definition ofoperations on that state
u A Z specification is presented as a number ofschemas
u Schemas may be combined to make new schemas
©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 39
Key pointsu Operations are sepcified by defining their effect
on the system state. Operations may be specifiedincrementally then different schemas combined tocomplete the specification
u Z functions are a set of paitrs where the domainof the funciton is the set of valid inputs. Therange is the set of associated outputs. A sequenceis a special type of function whose domain is theconsecutive integers