Formal Specification: Z Notation. CITS5501 Software Testing and Quality Assurance

Size: px

Start display at page:

Download "Formal Specification: Z Notation. CITS5501 Software Testing and Quality Assurance"

Lewis Malone
5 years ago
Views:

1 Formal Specification: Z Notation CITS5501 Software Testing and Quality Assurance The Zed Notation, J.M.Spivey. Semester 1, 2017

2 A Formal Specification Notation A Syntax - often based on set theory and logic. This tells us how specifications are written. A Semantics - indicates how the language represents system requirements. A set of Relations - defines the rules that specify how the objects are manipulated. 2

3 Maths vs Natural Language The advantages of using mathematics over a natural language are: Precision Abstraction Conciseness Consistency Completeness Unambiguity 3

4 Set Theory A set is a well-defined aggregate of distinct elements such that we can readily determine whether any given object is a member of not. Russel s Paradox: The set of all sets that contain themselves Formal methods requires that all elements of a set are of the same type. 4

5 Names in Z Identifiers: alpha-numeric, that start with a letter. Predefined Types: Integers Z = {,-2,-1,0,1,2, } Natural numbers N = {0,1,2,3, } Arithmetic Operations: +,-,,,=,<,>,,, Basic Types: e.g. [STUDENTS], to refer the type, students. Free Types: e.g. FMStudents::= James Miles Herbert 5

6 Further Properties of Sets Disjoint Sets: A and B are disjoint if A B = A partition of A is a set of disjoint sets whose union is equal to A. The Cardinality, #A, of a set, A, is the number of elements contained in a set: # = 0 #{True, False} = 2 #ΡA = 2 #A # Z is undefined (mathematically, # Z =ℵ 0 ). 6

7 Examples Suppose E = Formal Methods is easy S = I study hard P = I pass Formal Methods E S P E S (S P) E 7

8 Quantifiers Predicate logic can state that some (or every) value makes a predicate true. Existential Quantification - x: N x<1 states that there is some natural number x such that x is less than 1. Universal Quantification - x: Z x 2 0 states that for every integer x, x 2 is greater than or equal to 0. 8

9 Examples Suppose S is the set of students and U is the set of units. E(y) is true iff the unit y is easy. H(x) is true iff student x studies hard. P(x,y) is true iff student x passes unit y. x: S H(x) y: U P(x,y) y: U x: S P(x,y) (E(y) H(x)) x: S (P(x,FM) H(x)) 9

10 Components of a Z-spec A Z specification consists of Type declarations - e.g. [NAME, DATE] Axiomatic definitions - e.g. Schemas Prime : P Z x : Z x Prime x>1 y,z : Z z x y x y z x 10

11 Schemas BirthdayBook known : P NAME birthday : NAME DATE known = dom birthday Note: here refers to a partial function, and should ideally be written as. 11

12 Interpretation of Schemas In the Schema: S1 var : VAR pred pred describes a property of the system with respect to the named variables var of type VAR. In a schema, variable s are defined above the line, and constraints are specified below the line. The predicates are built using predicate logic with arithmetic and set operations, or predefined functions and relations. 12

13 Static Schemas n Describe the state space of a system BirthdayBook known: P NAME birthday : NAME DATES known = dom(birthday) The variables describe data in the system. The predicate describes an invariant of the system. 13

14 Dynamic schemas Describe operations on the system. For each variable v in Schema S, we let v refer to the variable after the operation. E.g. ΔBirthdayBook known, known : P NAME birthday, birthday : NAME DATE known = dom birthday known = dom birthday ΞBirthdayBook known, known : NAME birthday, birthday : NAME DATE known = dom birthday known = dom birthday known = known birthday = birthday 14

15 Operations as schemas AddBirthday ΔBirthdayBook name? : NAME date? : DATE name? known birthday = birthday {(name?, date?)} FindBirthday ΞBirthdayBook name? : NAME date! : DATE name? known date! = birthday(name?) 15

16 IO and preconditions name? - a variable name ending with a? is assumed to be an input. result! - a variable name ending with a! is assumed to be an output preconditions are the predicates involving only inputs and unprimed variables postconditions are any other predicates. 16

17 Using schemas Schemas can be used in many ways (as types, predicates, variables ). Z has many operators, but many of them are simply abbreviations for commonly used predicates. Later we will consider a calculus for schemas, that allows us to combine schemas in complex operations. 17

18 Relations in Z Relations associate elements of one set with elements of other sets. A relation R from set X to set Y is an element of P(X Y) Relations can be unary, binary, ternary, n-ary For example teaches is a ternary relation between STAFF, UNITS and SEMSTER. We have (Tim, CITS4221, S2-2006) teaches. 18

19 Notation Binary relations are declared by R : X Y == R : P( X Y) Maplets give a direction to relations: x y == (x, y) Binary relations can be defined as infix relations: _ _ : N N x, y : N x y z : N (y + z) = x 19

20 Data structures in Z Besides sets, Z notation provides syntax for two different data structures: Sequences - Given a type X, seq X is the type consisting of sequences of elements of X Bags - Given a type X, bag X is a type similar to a set, except a single element may appear more than once in a Bag. 20

21 Sequences seq X == { f : N X dom f = 1 #f } Stacks, queues, arrays and lists can easily be defined using sequences Sequences are used when there is a need to specify some ordering over a finite set. Given list : Seq X, we write list = x, y, z rather than list = {(1,x), (2, y), (3, z) }. 21

22 Example Let [AIRPORT] be the type of airports, and trip : seq AIRPORT trip = Perth, Adelaide, Sydney, Perth dom trip = {1,2,3,4} and e.g. trip(1)= Perth The length of trip is #trip. The empty sequence is written. A sequence that is never empty may be declared, seq 1 AIRPORT. 22

23 Operators for Sequences Let trip1 = Perth, Adelaide, Sydney. trip1(2) = Adelaide head trip1 = trip1(1) = Perth last trip1 = trip1(#trip1) = Sydney front trip1 = Perth, Adelaide tail trip1 = Adelaide, Sydney rev trip1 = Sydney, Adelaide, Perth 23

24 Concatenation. Let trip1 = Perth, Adelaide, Sydney and trip2 = Hobart, Perth. Then: trip1 trip2 = Perth, Adelaide, Sydney,Hobart,Perth 24

25 Filtering Sequences Given t : Seq X and a : PX, t a is the sequence of elements of a that appear in t. E.g. 1, 4, 2, 2, 6 {1, 2, 7} = 1, 2, 2 Given t : Seq X and a : PN, t a is the sequence of elements in t that appear at the indices of a. E.g. a, b, c, d, e {1, 2, 7} = a, b 25

26 Specifying a stack Stack[X] s : seq X InitStack[X] Stack[X] s = length[x] ΞStack[X] length! : N length! = # s 26

27 Specifying a Stack cont Push[X] ΔStack[X] x? : X s = x? s Pop[X] ΔStack[X] x! : X #s > 0 x! = head s s = tail s 27

2.4 The Z Notation. [Reference: M. Spivey: The Z Notation, Prentice Hall] Modellbasierte Softwareentwicklung

2.4 The Z Notation. [Reference: M. Spivey: The Z Notation, Prentice Hall] Modellbasierte Softwareentwicklung Modellbasierte Softwareentwicklung 2.4 The Z Notation [Reference: M. Spivey: The Z Notation, Prentice Hall] Properties of Z Is a very expressive formal language (well-defined syntax and semantics). Based