formal methods 4 - z notation
DESCRIPTION
My course of Formal Methods at Santa Clara University, Winter 2014.TRANSCRIPT
Formal Methods in Software
Lecture 4. Z Notation
Vlad PatryshevSCU2014
you may need Chrome browser to view these slides
Z Notation, a Specification Language● Vaguely based on typed version of Zermelo-Fraenkel set theory● Uses set-theoretic notation for algorithm description● Software tools exist(ed) that could, arguably, verify algorithms● Related to computational logic● Partially replaced these days by Coq and Agda● ISO standard: ISO/IEC 13568:2002● WSDL definition uses it● Lives in an ideal world, not very good for programming with effects● But is related to Agda
The Logic of Z● Propositional logic
○ predicates; true/false○ connectives: a∧b, a∨b,¬a, a⇒b, a⇔b
● Quantifiers○ ∀x • q○ ∃x • q○ ∃1x • q (“exists unique”)
● Many laws (but nothing unusual)
Z has types and constraintsa:T - a is of type Tq a - a satisfies a constraint (a predicate) q
E.g.a,b: Humanx: Dog
likes(a,x)likes(b,x)loves(x,a)loves(x,b)
Signature
Predicates (constraints)
Z uses typed sets● ∅[T] - empty set of elements of type T● {Peter, Paul, James} - a set of people; elements must be of the same type● order does not matter; repetitions make no sense● x∈S - x is an element of S e.g. William ∉ {Jonathan, Jane, Alice, Emma}● P∪Q - union● P∩Q - intersection● P\Q - complement ({x∈P|x∉Q})● P ⊆ Q - P is a subset of Q (P∩Q=P)● P- - complement of P, all members of type that do not belong to P (P-=T\P)
E.g. T-=∅[T] and ∅[T]-=T
● ∪{A,B,C,...} = A∪B∪C∪…
● ∩{A,B,C,...} = A∩B∩C∩…
Set Comprehension{x∈T|P(x)} - a set of all such x that P(x) is true
Properties:● {x:T |p}∩{x:T |q}={x:T |p∧q}● {x:T |p}∪{x:T |q}={x:T |p∨q}● {x:T |p}− ={x:T |¬p}● {x:T |p}⊆{x:T |q} ≡ p⇒q● {x:T |p}={x:T |q} ≡ p⇔q● ∅[T]={x:T |false}● T={x:T |true}
Cartesian ProductIf T and U are types, T×U is the type of pairs (t,u), where t:T, u:U
If P and Q are sets, P×Q = {p:T; q:U|p∈P∧q∈Q • (p,q)}
(meaning, take ps from P, qs from Q, produce all pairs (p,q))
PowersetX∈ℙS ≡ X⊆S
E.g.ℙ∅ = {∅}; ℙ{a} = {∅,{a}}
Finite subsets of S: FSℙ1S = {X∈ℙS | X!=∅}
F1S = {X∈FS | X!=∅}
Binary Relations
R⊆P×QNotation: given a relation R, pRq means (p,q)∈R Alternative notation for pairs (p,q): p↦qE.g. authors = {Bjarne ↦ Cpp, Guido ↦ Python, Martin ↦ Scala}
Set of all relations T ↔ U == ℙ(T × U)E.g. authors ∈ Humans ↔ Languages
Domain and RangeR ∈ T ↔ U
dom R = {x:T |(∃y:U•(x,y)∈R)} - not a very good idea, actually
ran R = {y:U |(∃x:T•(x,y)∈R)} - an even worse idea
E.g.
dom authors = {Bjarne, Guido, Martin}
ran authors = {Cpp, Python, Scala}
Inverse RelationEvery relation has an inverse
R∼ = {y:U;x:T|(x,y)∈R}
E.g. authors = {Bjarne↦Cpp, Guido↦Python, Martin↦Scala}authors~ = {Cpp↦Bjarne, Python↦Guido, Scala↦Martin}
Obviously,● ran(R∼ ) = dom R● dom(R∼ ) = ran R● (R∼)∼ = R
Functions are Relations● Partial Function f: A�B ≡
∀x:A ∀y1,y2:B (x,y1)∈f∧(x,y2)∈f⇒y1=y2
● Total function f: A→B ≡ f is p.f. and ∀x:A ∃y:B (x,y)∈f
● Injection f: A↣B ≡ f is function, and ∀x1,x2:A (x1,y)∈f∧(x2,y)∈f⇒x1=x2
● Surjection f: A↠B: f is function, and ∀y:B ∃x:A (x,y)∈f
● Partial injection, partial surjection● Finite partial function, A�B
● Identity id A = {(x,x):T×T|x∈A}● RTL Composition Q∘R = {(z,x):T×V|∃y:U•(y,x)∈R∧(z,y)∈Q}● Domain restriction A◁R = {(x,y):T×U|(x,y)∈R∧x∈A}● Domain anti-restriction A�R = {(x,y):T×U|(x,y)∈R∧x∉A}● Range restriction A▷R = {(x,y):T×U|(x,y)∈R∧y∈A}● Range anti-restriction A�R = {(x,y):T×U|(x,y)∈R∧y∉A}● Image R(|A|) = {y:U|∃x:T•(x,y)∈R∧x∈A● Inverse R~● Iteration iter n R = R∘(iter (n-1) R); iter 0 R = id● Overriding Q⨁R = (dom R � Q) ∪ R
Operations on Relations
Numbers● ℤ - all integers● ℕ = {x∈ℤ|x≥0}● _+_, _-_, _*_, _div_, _mod_, -_● _≥_, _>_, _≤_, _<_● max(<nonempty set>), min
Axiomatic Description● new operator
● new data with constraint
abs : Z → Z
∀n:Z•
n ≤ 0 ⇒ abs n = −n ∧ n ≥ 0 ⇒ abs n = n
n:ℕ
n<10
Iteration etc● Introduce succ=={0↦1,1↦2,...}; pred==succ~ ● succ = ℕ◁(_+1)
● Rn=R∘R∘...∘R
e.g. succn = ℕ◁(_+n)● Number range a..b={n:ℕ|a≤n≤b}● Cardinality of set S ∈ F T , #S
(For a set to be ‘finite’, it must be in bijection with 1..n for some n.)
Introducing New Types● Just by naming, [A]● data type (like enum): Friends ::= Peter|John|James● recursively, e.g. ℕ ::= zero | succ⟨⟨ℕ⟩⟩
Sequencesseq T =={s:ℕ�T |∃n:ℕ • dom s = 1..n}
● ⟨⟩ - empty sequence● Nonempty sequence seq1 T == seq T \ {⟨⟩}● Injective sequence iseq T == {f: seq T| injective f}● ⟨’a’,’b’,’c’⟩● concatenation: ⟨’a’,’b’,’c’⟩◠⟨’d’,’e’,’f’⟩● prefix ⟨’a’,’b’⟩ ⊆ ⟨’a’,’b’,’c’⟩● head s = s(1); last s = s(#s); tail s; front s● rev ⟨⟩ = ⟨⟩, rev ⟨x⟩ = ⟨x⟩, rev(s◠t) = rev(t)◠rev(s)
SchemasExample:
alternatively,Book≘[author:People;title:seq CHAR; readership: ℙ People;rating:0..10 | readership = dom rating]
author:Peopletitle: seq CHARreadership: ℙ Peoplerating: ↠ 0..10
readership = dom rating
Book
State Machine: Operational SchemaOperation ≘ [ x1:S1;...;xn:Sn; // current state
x1′:S1;...;xn′:Sn; // new state
i1?:T1;...;im?:Tm; // input
o1!:U1;...;op!:Up // output
|
Pre(i1?,...,im?,x1,...,xn); // preconditions
Inv(x1,...,xn); // invariants
Inv(x1′,...,xn′); // invariants
Op(i1?,...,im?,x1,...,xn,x1′ ,...,xn′ ,o1!,...,op!) // step function
]
Example of Operational SchemaAddBirthday ≘ [
known : ℙ NAME;
birthday : NAME � DATE
known′ : ℙ NAME;
birthday′ : NAME � DATE
name? : NAME;
date? : DATE;
|
name? ∉ known;
known = dom birthday;
known′ = dom birthday′;
birthday′ = birthday ∪ {name? ↦ date?}
]
Δ: Operational Schemas ReuseStateSpace ≘ [ x1:S1;...;xn:Sn | Inv(x1,...,xn) ]
Operation ≘ [ Δ StateSpace; // encapsulates changing state
i1?:T1;...;im?:Tm; // input
o1!:U1;...;op!:Up // output
|
Pre(i1?,...,im?,x1,...,xn); // preconditions
Op(i1?,...,im?,x1,...,xn,x1′ ,...,xn′ ,o1!,...,op!) // step function
]
Example of Δ inclusionAddBirthday ≘ [ Δ BirthdayBook;
name? : NAME;
date? : DATE;
|
name? ∉ known;
birthday′ = birthday ∪ {name? ↦ date?}
]
Operations that don’t change StateOperation ≘ [ x1:S1;...;xn:Sn; // current state
x1′:S1;...;xn′:Sn; // new state
i1?:T1;...;im?:Tm; // input
o1!:U1;...;op!:Up // output
|
Pre(i1?,...,im?,x1,...,xn); // preconditions
Inv(x1,...,xn); // invariants
Inv(x1′,...,xn′ ); // invariants
(x1’=x1∧x2’=x2∧...∧xn’=xn); // state does not change
Op(i1?,...,im?,x1,...,xn,x1′ ,...,xn′ ,o1!,...,op!) // step function
]
Ξ: Operational Schemas ReuseGreek letter Ξ, pronounced as /ˈzaɪ/ or /ˈksaɪ/
Operation ≘ [ Ξ StateSpace; // encapsulates unchanging state
i1?:T1;...;im?:Tm; // input
o1!:U1;...;op!:Up // output
|
Pre(i1?,...,im?,x1,...,xn); // preconditions
Op(i1?,...,im?,x1,...,xn,x1′ ,...,xn′ ,o1!,...,op!) // step function
]
Example of Ξ inclusionFindBirthday ≘ [ Ξ BirthdayBook;
name? : NAME;
date! : DATE;
|
name? ∈ known;
date! = birthday(name?)
]
And more...● Can compose schema states● Can connect schemas (output to input)● Can include schemas
WSDLhttp://www.w3.org/TR/wsdl20/wsdl20-z.html
ServiceComponents ≘ [ ComponentModel1; serviceComps : ℙ Service; endpointComps : ℙ Endpoint;|
serviceComps = { x : Service |service(x)∈components }
endpointComps = { x : Endpoint | endpoint(x)∈components }
]
Referenceshttp://images4.wikia.nocookie.net/formalmethods/images/4/4e/Zbook.pdfISO/IEC 13568:2002W3C WSDL standardWikipedia