model-based specification u formal specification of ...bmitchell/course/mcs451/ch_11.pdf · ©ian...

©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 11 Slide 1

Model-based Specification

u Formal specification ofsoftware by developing amathematical model of thesystem


Objectivesu To introduce an approach to formal specification

based on mathematical system modelsu To present some features of the Z specification

languageu The illustrate the use of Z using small examplesu To show how Z schemas may be used to develop

incremental specifications


Topics coveredu Z schemasu The Z specification processu Specifying ordered collections


Model-based specificationu Defines a model of a system using well-

understood mathematical entities such as sets andfunctions

u The state of the system is not hidden (unlikealgebraic specification)

u State changes are straightforward to defineu VDM and Z are the most widely used

model-based specification languages


Z as a specification languageu Based on typed set theoryu Probably now the most widely-used

specification languageu Includes schemas, an effective low-level

structuring facilityu Schemas are specification building blocksu Graphical presentation of schemas make Z

specifications easier to understand


Z schemasu Introduce specification entities and defines

invariant predicates over these entitiesu A schema includes

• A name identifying the schema• A signature introducing entities and their types• A predicate part defining invariants over these entities

u Schemas can be included in other schemas andmay act as type definitions

u Names are local to schemas


Z schema highlighting

contents Š capacity

Containercontents: capacity:

Schema name Schema signature Schema predicate


An indicator specification

light = on ⇔ reading Š danger_le vel

Indicator

light: {off, on}reading: danger_le vel:


Storage tank specification

reading = contentscapacity = 5000danger_level = 50

Storage_tank

ContainerIndicator


Full specification of a storage tank

contents Š capacitylight = on ⇔ reading Š danger_le velreading = contentscapacity = 5000danger_le vel = 50

Stor age_tank

contents: capacity: reading: d a n g e r _ l eve l : light: {off, on}


Z conventionsu A variable name decorated with a quote mark

(N‘) represents the value of the state variable Nafter an operation

u A schema name decordated with a quote markintroduces the dashed values of all names definedin the schema

u A variable name decorated with a ! represents anoutput


Z conventionsu A variable name decorated with a ? represents an

inputu A schema name prefixed by the Greek letter Xi

(Ξ) means that the defined operation does notchange the values of state variables

u A schema name prefixed by the Greek letterDelta (∆) means that the operation changes someor all of the state variables introduced in thatschema


Operation specificationu Operations may be specified incrementally as

separate schema then the schema combined toproduce the complete specification

u Define the ‘normal’ operation as a schemau Define schemas for exceptional situationsu Combine all schemas using the disjunction (or)

operator


A partial spec. of a fill operation

contents + amount? Š capacityc o n t e n t s ’ = c o n t e n t s + a m o u n t ?

Fill-OK

² S t o ra g e _ t a n kamount?:


Storage tank fill operation

capacity < contents + amount?r! = “Insufficient tank capacity – Fill cancelled”

OverFill

Ξ Stora ge-tankamount?: r!: seq CHAR

Fill

F i l l - O K O ve r F i l l


The Z specification process

Define gi vens e t s a n d t y p e s

Define statevariables

Define initialstate

Define‘correct’operations

Defineexceptionaloperations

Combineoperationschemas

Write informalspecification

Decomposesystem

Specify systemcomponents

Composecomponent

specifications


Data dictionary specificationu Data dictionary, introduced in Chapter 6, will be

used as an example. This is part of a CASEsystem and is used to keep track of system names

u Data dictionary structure• Item name• Description• Type. Assume in these examples that the allowed types are

those used in semantic data models• Creation date


Given setsu Z does not require everything to be defined at

specification timeu Some entities may be ‘given’ and defined lateru The first stage in the specification process is to

introduce these given sets• [NAME, DATE]• We don’t care about these representations at this stage


Type definitionsu There are a number of built-in types (such as

INTEGER) in Zu Other types may be defined by enumeration

• Sem_model_types = { relation, entity, attribute }

u Schemas may also be used for type definition.The predicates serve as constraints on the type


Specification using functionsu A function is a mapping from an input value to an

output value• SmallSquare = {1 → 1, 2 → 4, 3 → 9, 4 → 16, 5 → 2 25, 6 →

2 36, 7 → 49 }

u The domain of a function is the set of inputs overwhich the function has a defined result• dom SmallSquare = {1, 2, 3, 4, 5, 6, 7 }

u The range of a function is the set of results whichthe function can produce• rng SmallSquare = {1, 4, 9, 16, 25, 36, 49 }


The function SmallSquare

onetwothreefourfivesix

seven

14916253649

Domain (Smal lSquare) Range (Smal lSquare)


Data dictionary modellingu A data dictionary may be thought of as a

mapping from a name (the key) to a value (thedescription in the dictionary)

u Operations are• Add. Makes a new entry in the dictionary or

replaces an existing entry• Lookup. Given a name, returns the description.• Delete. Deletes an entry from the dictionary• Replace. Replaces the information associated with an entry


Data dictionary entry

#descr iption Š 2000

DataDictionar yEntry

entr y: NAMEdesc: seq chart y p e : S e m _ m o d e l _ t y p e screation_date: DATE


Data dictionary as a function

DataDictionaryDataDictionaryEntryddict: NAME→ {DataDictionaryEntry}


Data dictionary - initial state

d d i c t ’ = Ø

I n i t - D a t a D i c t i o n a ry

DataDictionar y’


Add and lookup operations

name? ∉ dom ddictd d i c t ’ = d d i c t ∪ { n a m e ? → e n t ry ? }

Add_OK

² DataDictionar yname?: NAMEe n t ry ? : D a t a D i c t i o n a ry E n t ry

name? ∈ dom ddicte n t ry ! = d d i c t ( n a m e ? )

Lookup_OK

Ξ DataDictionar yname?: NAMEe n t ry ! : D a t a D i c t i o n a ry E n t ry


Add and lookup operations

name? ∈ dom ddicte r r o r ! = “ N a m e a l r e a d y i n d i c t i o n a ry ”

Add_Error

Ξ D a t a D i c t i o n a ryname?: NAMEerror!: seq char

name? ∉ dom ddicte r r o r ! = “ N a m e n o t i n d i c t i o n a ry ”

Lookup_Error

Ξ D a t a D i c t i o n a ryname?: NAMEerror!: seq char


Function over-riding operatoru ReplaceEntry uses the function overriding

operator (written ⊕ ). This adds a new entry orreplaces and existing entry..• phone = { Ian → 3390, Ray → 3392, Steve → 3427}• The domain of phone is {Ian, Ray, Steve} and the range is

{3390, 3392, 3427}.• newphone = {Steve → 3386, Ron → 3427}• phone ⊕ newphone = { Ian → 3390, Ray → 3392, Steve

→ 3386, Ron → 3427}


Replace operation

name? ∈ dom ddictd d i c t ’ ⊕ { n a m e ? → e n t ry ? }

Replace_OK

² DataDictionar yname?: NAMEe n t ry ? : D a t a D i c t i o n a ry E n t ry


Deleting an entryu Uses the domain subtraction operator (written

4) which, given a name, removes that namefrom the domain of the function

• phone = { Ian → 3390, Ray → 3392, Steve → 3427}• {Ian} 4 phone• {Ray → 3392, Steve → 3427}


Delete entry

name? ∈ dom ddictd d i c t ’ = { n a m e ? } d d i c t

Delete_OK

² D a t a D i c t i o n a ryname?: NAME


Specifying ordered collectionsu Specification using functions does not allow

ordering to be specifiedu Sequences are used for specifying ordered

collectionsu A sequence is a mapping from consecutive

integers to associated values


A Z sequence

1234567

14916253649

Domain (SqSeq) Range (SqSeq)


Data dictionary extract operationu The Extract operation extracts from the data

dictionary all those entries whose type is the sameas the type input to the operation

u The extracted list is presented in alphabeticalorder

u A sequence is used to specify the ordered outputof Extract


The Extract operation

∀ n : d o m d d i c t • d d i c t ( n ) . t y p e = i n _ t y p e ? ⇒ d d i c t ( n ) ∈ rn g r e p !∀ i : 1 Š i Š #rep! • rep! (i).type = in_type?∀ i : 1 Š i Š #rep! • rep! (i) ∈ rng ddict∀ i , j: dom rep! • (i < j) ⇒ rep . name(i) < NAME rep .name (j)

Extract

DataDictionar yr e p ! : s e q { D a t a D i c t i o n a ry E n t ry }in_type?: Sem_model_types


Extract predicateu For all entries in the data dictionary whose type is

in_type?, there is an entry in the output sequenceu The type of all members of the output sequence is

in_type?u All members of the output sequence are members

of the range of ddictu The output sequence is ordered


Data dictionary specification

The_Data_Dictionary

DataDictionaryInit-DataDictionaryAddLookupDeleteReplaceExtract


Key pointsu Model-based specification relies on building a

system model using well-understoodmathematical entities

u Z specifications are made up of mathematicalmodel of the system state and a definition ofoperations on that state

u A Z specification is presented as a number ofschemas

u Schemas may be combined to make new schemas


Key pointsu Operations are sepcified by defining their effect

on the system state. Operations may be specifiedincrementally then different schemas combined tocomplete the specification

u Z functions are a set of paitrs where the domainof the funciton is the set of valid inputs. Therange is the set of associated outputs. A sequenceis a special type of function whose domain is theconsecutive integers

model-based specification u formal specification of ...bmitchell/course/mcs451/ch_11.pdf · ©ian...

Documents