Z—An Introduction to Formal Methods (2nd edn): Antoni Diller, John Wiley, Chichester (1994) £22.50



Book reviews

Z—An Introduction to Formal Methods (2nd edn) Antoni Diller John Wiley, Chichester (1994) £22.50 (1st edn published in 1990) ISBN 0 471 93973 0

Z is a formal language intended for both writing and developing software specifications. In this review I attempt to give an account of Diller’s book on Z, remarking on its suitability as an introductory text.

The book consists of 19 pages of content and preface; 307 pages of text; 47 pages of glossary; a bibliography and index. It is manufactured to a good quality in paperback and is presented in a form common with many student texts. The pages were produced from camera-ready copy using the author’s LaTeX source and I did not find any poorly aligned text, print or diagrams, but there were a few ink blemishes on a couple of pages and some trace of paper manufacture. The cover is much more gentle on the eye than the first edition and the printed paper is well-cut, of a good quality and thickness and generally feels good. My review copy was slightly damaged at both the top and bottom of the spine, probably during shipping, and leads me to expect that the book will survive a reasonable level of wear and tear.

According to the author, the book can be used for introductory courses on Z and formal methods and by people who wish to learn Z on their own. Given the breadth of material covered though, the book by Lightfoot¹ may represent a better choice for students who have, say, a single term of study or for those people who wish only to acquaint themselves with Z. I would place Diller’s book in the marketplace for those who have more time for study or greater commitment to the use of Z, where it would compete with Potter³ and Wordsworth⁵.

The contents are organized into six parts including a sizeable appendix, and this arrangement has brought about some changes from the first edition. The earlier material is essentially the same, but there are new chapters on Floyd-Hoare logic and on getting to executable program code; however, a chapter on animation using Prolog has been inexplicably lost.

The reference manual part has been made more compact and the appendices have been extended to include glossaries of terms and symbols.

Let me begin my analysis of the contents by saying that I think the book is actually quite good. My criticism is fairly pedantic and I had to hunt for examples of poor substance. A little more care could have been taken with writing style as the occasional spelling mistake creeps in and some of the grammar and sentence construction takes on a personality of its own, but generally speaking the text flows and makes for easy reading. Some terms are used in explanations before they have been properly introduced and this makes for a certain lack of pedagogic style; however, the new glossary of terms in the appendix is clear enough.

A very important point to note is that the book cover claims that the standard Z notation is used, which is rather presumptive since the language currently remains a draft ISO standard. What the author actually uses is the de facto standard of Spivey⁴, a fact pointed out in the body of Chapter 1.

At the end of most chapters there are a number of exercises for the reader to attempt in order to try out the mechanisms of the language and, of equal importance, solutions to all exercises are offered in the appendices. Some of the answers given are incomplete, such as exercise 2.6~ from Chapter 2, and in this case the finished answer can be deduced from the text in Chapter 3. Other answers are one of several possibilities and it would have been polite for the author to point this out.

In addition to the case studies in Part 4, examples are used to illustrate concepts of Z as they are introduced. Some people may find it easier if a smaller number of examples were built up using the new ideas rather than jumping between different ones, although I didn’t find this a problem since the examples given are generally fairly well treated.

Part 1 introduces Z, ‘a formal specification language ... based on conventional mathematical notations’, and treats all the essential topics of Z (logic and calculus, sets, Cartesian products (including relations, functions and sequences), bags and schemas) in a suitable fashion.

0950-5849/95/$09.50 © 1995 Elsevier Science B.V. All rights reserved

The abstraction principle, introduced in the opening paragraph of section 4.3, is an important one, but sometimes it can bring about a certain lack of usefulness or reality, which is a trap this book has fallen into. For example, on page 108 we have the specification for a vending machine that can print messages and I pity the programmer who has to implement the firmware to do this! In this particular case, the specification might perhaps be modified to require a program to flash an LED or emit an audible tone from a beeper; but in general it is important for people to balance pure abstraction with some knowledge of what is actually going to be produced from a specification or against a known target implementation and to beware such a rigid sequential approach to specification development.

The author might have taken a little more care to adjust the layout produced by LaTeX such that figures appear more juxtaposed to their associated text in certain cases. For example, in section 1.2 one turns page 5 expecting to see a schema for the first time and is instead met with a programming language function which could be a source of possible confusion. There is some text missing at the top of page 51 along the lines of ‘Consider the general case for two schemas, S and T’.

Some formal parts of a specification are not properly introduced, violating the definition before use rule of Z. See, for example, the definition of the Report type in section 4.4, page 54, although this particular case is admitted 10 pages later. I also found some accompanying explanations rather terse, such as the generic definition for the nondecreasing function on page 106.

The occasional equivocal statement slips in, such as on page 63, ‘... CODoAddEntry captures the requirement that the operation DoAddEntry is only to be carried out when the command ae has been issued’ which is not strictly true. Similar misinformation appears on page 165 in section 12.6: ‘... if a state satisfies PreS, then the operation specified by S can be carried out on that state’. Actually, an operation can be carried out at any time but if the preconditions are not satisfied then we do not know the outcome. For this reason error schemas are added to make a specification total, or to complete a truth table of preconditions for the operation, the absence of which leaves a specification incomplete. An incomplete specification may not cause concern if the specifier and programmer can communicate easily since the programmer can ask questions of the specifier; but for safety critical designs there would be a problem. The book does provide good examples of total specifications; see for example page 67.

When developing operations in Z and as a memory aid for helping people to avoid both specification incompleteness and a common mistake associated with sequential composition of schemas, I find it helps to bear in mind that ‘there is no time in Z but the present’.
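The point about preconditions and total specifications can be made concrete by calculating preconditions mechanically. The Python below is an added example, not code from the book or from this review: it models a tiny library (a constructed universe of two copy identifiers, and a state made of a stock set and an on-loan set) as Z-style operation schemas, computes pre Op for a partial CheckOut operation by enumerating the finite state space, shows which (state, input) cases the partial operation leaves unspecified, and checks that disjoining it with error schemas yields a total operation. All names used (COPIES, check_out, copy_not_owned, copy_already_on_loan, ROBUST_CHECK_OUT and the helpers) are assumptions of the example.

```python
"""Z-style operation schemas over a small finite state space, with the
precondition of each schema calculated by enumeration and a totality check.
Added example: the library state, the universe of copies and the schemas
are constructed here and are not taken from Diller's book."""
from itertools import combinations
from typing import Callable, FrozenSet, List, Set, Tuple

# Constructed universe of copy identifiers (kept tiny so the whole state
# space can be enumerated exhaustively).
COPIES: FrozenSet[str] = frozenset({"c1", "c2"})

# State schema: (stock, on_loan) with the invariant on_loan ⊆ stock ⊆ COPIES.
State = Tuple[FrozenSet[str], FrozenSet[str]]
Outcome = Tuple[State, str]                     # (after-state, report!)
Schema = Callable[[State, str], Set[Outcome]]   # (before-state, copy?) -> outcomes


def all_states() -> List[State]:
    """Every state that satisfies the state invariant."""
    states: List[State] = []
    for n in range(len(COPIES) + 1):
        for stock in combinations(sorted(COPIES), n):
            stock_set = frozenset(stock)
            for m in range(len(stock_set) + 1):
                for loan in combinations(sorted(stock_set), m):
                    states.append((stock_set, frozenset(loan)))
    return states


def check_out(before: State, copy: str) -> Set[Outcome]:
    """Partial operation: defined only when the copy is in stock and not on loan."""
    stock, on_loan = before
    if copy in stock and copy not in on_loan:
        return {((stock, on_loan | {copy}), "ok")}
    return set()


def copy_not_owned(before: State, copy: str) -> Set[Outcome]:
    """Error schema: the state is unchanged and the problem is reported."""
    stock, _ = before
    if copy not in stock:
        return {(before, "not_owned")}
    return set()


def copy_already_on_loan(before: State, copy: str) -> Set[Outcome]:
    """Error schema covering the remaining failing case."""
    stock, on_loan = before
    if copy in stock and copy in on_loan:
        return {(before, "already_on_loan")}
    return set()


def disjoin(*schemas: Schema) -> Schema:
    """Schema disjunction: the outcomes of Op1 ∨ Op2 ∨ ... for a given case."""
    def combined(before: State, copy: str) -> Set[Outcome]:
        outcomes: Set[Outcome] = set()
        for schema in schemas:
            outcomes |= schema(before, copy)
        return outcomes
    return combined


def domain() -> Set[Tuple[State, str]]:
    """All (state, input) cases an operation could be asked to handle."""
    return {(state, copy) for state in all_states() for copy in COPIES}


def precondition(op: Schema) -> Set[Tuple[State, str]]:
    """pre Op: the (state, input) cases for which some after-state exists."""
    return {(state, copy) for state, copy in domain() if op(state, copy)}


def is_total(op: Schema) -> bool:
    """An operation is total when its precondition is the whole domain."""
    return precondition(op) == domain()


def uncovered(op: Schema) -> Set[Tuple[State, str]]:
    """The cases about which the specification says nothing at all."""
    return domain() - precondition(op)


# The robust (total) operation: the happy path disjoined with its error schemas.
ROBUST_CHECK_OUT: Schema = disjoin(check_out, copy_not_owned, copy_already_on_loan)

if __name__ == "__main__":
    print("states satisfying the invariant:", len(all_states()))
    print("pre CheckOut covers", len(precondition(check_out)), "of", len(domain()), "cases")
    print("CheckOut total?", is_total(check_out))
    print("RobustCheckOut total?", is_total(ROBUST_CHECK_OUT))
```

The enumeration is only possible because the constructed state space is finite; in Z the precondition is calculated symbolically by simplifying the existential quantification over the after-state, which is what the book's precondition chapters teach. The check that each case of the robust operation has exactly one outcome is also worth running, since it confirms that the error schemas' preconditions are disjoint from the happy path rather than overlapping it nondeterministically.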

Part 2 of the book introduces the reader to formal reasoning and proof obligations. Chapter 10 begins the topic of proof, but without saying why the subject is approached and consequently some readers may find the material rather thrown at them. An introductory paragraph saying something like: ‘We can use proof methods to reason about or analyse Z specifications for certain desirable attributes’ might inform the reader of what to expect.

Proofs are illustrated well enough but the book does not really teach the reader how to conduct them. It may not always be obvious why certain structures are introduced when constructing a proof and, especially so in this part, the reader’s full attention is demanded and I would recommend having pencil and paper to hand. Consequently this part of the book will probably take the longest to study, sections or even whole chapters requiring an iterative read, which is no bad thing.

Returning to an earlier point, there is some inconsistency about the author’s use of abstraction. On page 210 the AddSales schema includes a confirmation variable used to validate input as part of a security feature. This does not strike me as a true abstraction of the operation, as advocated in Chapter 4, and the author is in effect including information that might have come about in a later pass of the specification where it would be introduced using the schema calculus of Z.

Following the study of proofs, the book progresses to issues which are still a matter of research, namely developing an executable computer program from a Z specification. Since the language of Z is in the world of sets and that of conventional imperative programming languages like C or Ada is not, there is inevitably a lack of clarity about how best to program from Z.

In Chapters 14 and 15, those on Hoare logic and programming, the author invites the interested reader to study his approach for relating Z specifications with programs of a form suitable for input to a compiler or interpreter. Diller’s approach requires the software developer to ‘guess’ a program, rather than derive or calculate one, and then try to prove the guess is satisfactory with respect to the Z specification using a Hoare logic. The approach described is a perfectly valid one to follow although some may feel that the guessing game and the absence of a semantic model of computer programs makes the approach semi-rigorous or systematic rather than formal. Some readers may like to study these chapters and form their own opinion, while others might prefer to stop after Chapter 13 and admit a truly ad hoc approach to programming such as taken in Chapter 1 of Spivey’s book⁴. The truly formally minded may choose to further their reading and I suggest Morgan’s book² would be worth a look.
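The guess-and-verify approach described above can be illustrated in miniature. The Python below is an added example and is not code from Diller's book: it fixes a constructed specification (deliver the sum of a finite sequence), a guessed loop program, and a proposed loop invariant, and then evaluates the three proof obligations of the Hoare-logic while rule (initialisation, preservation, exit) over every state the invariant admits for a given input. Because it checks the obligations only for concrete inputs rather than proving them for all inputs, it is a bounded check, which is precisely the gap between a rigorous argument and a formal proof that the review points at. The names (sum_program, invariant, failed_obligations and so on) are assumptions of the example.

```python
"""Guess-and-verify in miniature: a guessed loop program is checked against a
simple specification by evaluating the Hoare-logic proof obligations for its
loop invariant over every state the invariant admits for a given input.
Added example: the specification, the program and the invariant are all
constructed here and are not taken from Diller's book."""
from typing import Callable, List, Tuple

Seq = Tuple[int, ...]
LoopState = Tuple[int, int]                       # (i, s): index reached, running total
Body = Callable[[Seq, int, int], LoopState]
Inv = Callable[[Seq, int, int], bool]


# Specification (constructed): given a finite sequence a?, deliver s! = sum of a?.
def post(a: Seq, s: int) -> bool:
    return s == sum(a)


# The guessed program, written as an ordinary loop.
def sum_program(a: Seq) -> int:
    i, s = 0, 0
    while i < len(a):
        s = s + a[i]
        i = i + 1
    return s


# The same loop taken apart so that its pieces can be checked separately.
INIT: LoopState = (0, 0)


def guard(a: Seq, i: int, s: int) -> bool:
    return i < len(a)


def body(a: Seq, i: int, s: int) -> LoopState:
    return i + 1, s + a[i]


def invariant(a: Seq, i: int, s: int) -> bool:
    """Proposed loop invariant: s is the sum of the prefix consumed so far."""
    return 0 <= i <= len(a) and s == sum(a[:i])


def failed_obligations(a: Seq, init: LoopState = INIT, step: Body = body,
                       inv: Inv = invariant) -> List[str]:
    """Names of the proof obligations that fail for input a (empty: all hold).

    Every (i, s) pair with |s| bounded by the sum of |a| is examined, which
    covers every state the invariant can admit for this input.  This is a
    bounded check of the obligations for one input, not a proof for all."""
    failed: List[str] = []
    bound = sum(abs(x) for x in a)
    states = [(i, s) for i in range(len(a) + 1)
              for s in range(-bound, bound + 1) if inv(a, i, s)]
    # 1. Initialisation: the invariant holds before the first iteration.
    if not inv(a, *init):
        failed.append("initialisation")
    # 2. Preservation: from invariant ∧ guard, one execution of the body
    #    re-establishes the invariant.
    if any(guard(a, i, s) and not inv(a, *step(a, i, s)) for i, s in states):
        failed.append("preservation")
    # 3. Exit: invariant ∧ ¬guard gives the postcondition.
    if any(not guard(a, i, s) and not post(a, s) for i, s in states):
        failed.append("exit")
    return failed


if __name__ == "__main__":
    sample: Seq = (3, 4, -2)                       # constructed input
    print("program delivers", sum_program(sample), "spec wants", sum(sample))
    print("obligations failing for the guessed program:", failed_obligations(sample))
    # A wrong guess that skips the first element is caught at initialisation.
    print("skipping a[0]:", failed_obligations(sample, init=(1, 0)))
    # An invariant too weak to imply the postcondition is caught at exit.
    print("weak invariant:", failed_obligations(sample, inv=lambda a, i, s: 0 <= i <= len(a)))
```

The three checks correspond to the premises of the while rule: the first and third are the places where a wrong program or a badly chosen invariant usually shows up, and the weak-invariant run demonstrates that an invariant can be perfectly preserved and still prove nothing useful about the result.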

Returning to the review, a couple of opportunities for carping emerge in this part. Firstly, on page 209 the book violates the definition before use rule of Z in the SalesDB schema, where the function sumarray is not formally defined, and this results in an incomplete specification and initial state. Secondly, on page 216 it would be nice if the verification conditions for the command y were actually written out as an example.

For many people I think that Part 2 will seem to be more than an introduction and lead them into more advanced topics (advanced in the sense of Z). Consequently I could suggest that the book may have benefited from having each section graded for its ‘difficulty’, using some form of enumeration. Thus, rather than having to read through the pages in sequence, readers could pore over the book in two or three sittings, working through the grades of difficulty. Organizations could use grades to adopt the ‘level’ of Z they require. Furthermore, perhaps the style of writing could be influenced in that introductory grades could focus on teaching and advanced grades could concentrate more on technical issues at the expense of pedagogic needs.

In Part 3 we are presented with four case studies for review. I like the fact that the first two in Chapter 16 are small, one being comparable to a published VDM example. (VDM is a peer language of Z.) Chapter 17 presents a substantial library database example, aimed at students, and is a lecturer’s all-time favourite, as I recall. But in particular, I really like the inclusion of Sufrin’s text editor in Chapter 18. To me this is such a good example of applying Z to a computing problem and so much more interesting than database examples. The only real negative point about this example is that schema promotion rather jumps out at the reader on page 265 without being adequately explained. On a more trivial note, the names of the variables applied to truncate in the Doc3 schema on page 268 might be confusing, although the schema correctly computes.

A theme on the abstraction versus reality problem recurs in Chapter 17 on page 241 where the CopyNotOwned schema is presented. Quite how someone will physically attempt to check out a copy of a book that the library does not own prompts us to question the need for this operation. In a real situation we would need to discuss the specification with the customer to find out if events like this are indeed actually possible.

For the sake of the reader learning Z, at least one of the case studies might have covered proofs or reification and maybe an additional lengthier example could have been developed in a more stepwise or methodical fashion to show how the use of Z fits in with the software process.

Part 4 introduces animation but does not say why we want to study this topic. In general, animation can be used for testing or prototyping although it should be made clear what the author is setting out to do. The example is written using the Miranda language, more familiar to students of functional programming than to others, and its development takes some intuitive leaps from the Z specification. It might indeed be a correct representation, but the book could take more care to illustrate how the program is arrived at.

Since Miranda is not a programming language familiar to many and that an animation is an informal translation itself possibly prone to error, some people might prefer to write animations of Z specifications in a more conventional language like C, particularly if a specification were first reified. Once such an animation were accepted by customer and developer alike, the program might then form the basis for a full development and be tuned for performance and other design goals not addressed by Z.

The reference manual in Part 5 provides a succinct summary of the Z language toolkit and of rules for conducting proofs, and the appendices in Part 6 include useful glossaries of terms and symbols. These two parts in addition to the others, essentially make the book a complete package.

What about the bottom line: would I part with money for this book? Yes, I could happily do so. The book has definitely benefited from a second edition to the extent that a third may only be necessary when the Z language is finally standardized.

When choosing a book to learn Z from I would bear in mind that a novice will take a year or more of steady study to be really comfortable enough to use Z and would compare Diller with Wordsworth⁵ and with Potter³ in order to choose the approach and style I most liked. Diller is perhaps the choice of the mathematically minded; Potter offers a better pedagogic style, while Wordsworth is perhaps more for the industrialist.

Julian Rose, SGS-Thomson Microelectronics Limited, Almondsbury, UK

References

1 Formal specification using Z, David Lightfoot, Macmillan (1991) ISBN 0 333 54408 0.

2 Programming from specifications, Carroll Morgan, Prentice-Hall (1990) ISBN 0 13 726233 7.

3 An introduction to formal specification and Z, Ben Potter, Jane Sinclair, and David Till, Prentice-Hall (1991) ISBN 0 13 478702 1.

4 The Z notation: a reference manual, J. Michael Spivey, Prentice-Hall (1992) ISBN 0 13 978529 9.

5 Software development with Z, John Wordsworth, Addison-Wesley (1992) ISBN 0 201 62757 4.

Software Reusability Wilhelm Schafer, Ruben Prieto-Diaz and Matsumoto, Ellis Horwood (1994) 160 pp

One definition of reusability, taken from the IEEE Standard Glossary of Software Engineering Terminology is: ‘the extent to which a module can be used in multiple applications’.

In fact, reuse has been part of the vocabulary of computing or software engineering from the earliest times. Perhaps more accurately it has been part of the aspirations and wishes of the software engineering community, since breakthroughs in the area are needed to defeat the software crisis. It has been part of the reality and practice in software engineering in a number of fairly closely defined areas, e.g. numerical algorithms, sorting and searching, graph theory.

The importance of this topic cannot be undervalued. The proper evolution of any range of activities and its maturity into a true engineering discipline depends on reuse, the development of tools and a range of management techniques that facilitate these and strive to benefit from them. Thus it is both interesting and highly appropriate to see the publication of this text devoted solely to the topic of reuse.

The text appears in the Ellis Horwood Workshop Series and claims to be a review of the field. Although published in 1994 the text is based on the 1st International Workshop on Software Reusability held in Dortmund in Germany in July 1991. The book contains six chapters in total. Initially there is a historical overview (by Ruben Prieto-Diaz) which tracks developments from the early days of Doug McIlroy’s thoughts at the initial Nato Software Engineering conference in 1968 through to the more recent thoughts on megaprogramming by Boehm and Scherlis in 1992. The second chapter (by Guillermo Arango) reviews methods of domain analysis which are seen to be a popular and promising technique. Managerial and organizational issues are addressed by a team consisting of Martin Griss, John Favaro and Paul Walton in the third chapter. The more esoteric depths and contribution of formal methods are reviewed by Joachim Cramer and Ernst-Erich Doberkat in the next chapter. In Chapter five Hans Dieter Rombach and Wilhelm Schafer tackle the issue of tools and environments which properly support reuse. And in a final chapter there is a relatively brief report by William Frakes on certain empirical studies associated with the whole area of reuse.

As a text, this is important from the perspective of the research community. It offers a good overview of the present situation. A number of topics, such as re-engineering, are not addressed in detail. Additionally, projects such as the relatively ambitious PROSPECTRA project receive little attention. But overall the coverage is fairly comprehensive and the material reads well. There are no exercises to support use of the text at an undergraduate level but advanced undergraduates may find considerable interest in the text.

In summary a conclusion that can be drawn from the text is that reuse has not yet been achieved in sufficient quantity. It holds the potential of better productivity for software developers and greater quality in terms of the code produced. However, beyond certain well-defined areas, performance indicators that give quantitative evidence of genuine improvement are hard to find. Ultimately reuse covers code, specification, designs, and all kinds of entities that form part of the software engineering baggage. There remains much to be done: generic specifications, wider insight into the contribution of formal methods, more sophisticated tools, and so on.

Professor A D McGettrick

Information and Software Technology 1995 Volume 37 Number 9