Formal Methods and Model-Based Specification

					Model-Based Specification

         CIS 376
      Bruce R. Maxim
       UM-Dearborn
  Model-Based Specification Overview

• System model defined using well-understood
  mathematical entities like sets and functions
• System state is not hidden like it is in algebraic
  specification
• State changes are straight forward to define
• VDM and Z are the most widely used model-based
  specification languages
               Z Formal Language
•   Based on set theory and first-order predicate logic
•   Strongly typed
•   Declarative language
•   Makes use of a graphical construction known as a
    schema
    – provide an effective low level structuring facility
    – are useful as specification building blocks
    – can be understood fairly easily
                      Schemas
• Include
   – a unique name or identifier
   – a signature that declares entities and their types
   – a predicate part that defines invariants involving these
     entities
• Schemas can be included in other schemas and act
  as type definitions
• Names are local to the schema in which they are
  defined
        Schema: Declaration Part
• Contains local declarations (types and variables)
• Can import other types by listing their names
• Anonymous schemas (name omitted) are used to
  make global declarations
• Anonymous schemas usually do not contain a
  predicate part
         Schema: Predicate Part
• Statements about the entities defined in the
  declaration part of the schema
• These statements must be true at all times
• Multiple statements are assumed to be implicitly
  connected by a logical and
• Other logical connectives (e.g. or, implies,
  equivalent, etc.) can be used explicitly in
  compound statements
Z specification examples were posted on the World Wide Web by
Ken Abernathy, Furman University
                  Example Schema
The symbol P is used to indicate the power set of a type, and the
symbol ↔ is used to define a relation between two types (i.e. a set
of ordered pairs from the Cartesian product of the two types).

                IO_Channel_Assignments
 Basic_Types
 active_instruments : P Platform_Instruments
 assigned_to : Communications_Channels ↔ Platform_Instruments
 available, busy : P Communications_Channels
 range assigned_to ⊆ active_instruments
 available ∩ busy = ∅
              Z Lexical Elements
• Character set includes all keyboard characters and
  special mathematical symbols
• Identifiers must begin with a letter and may
  contain any number of digits, letters (upper and
  lower case), and the underscore _
• Identifiers may have suffixes
   ? = input variable
   ! = output variable
   ' = new value for variable following a state change
          Z Types and Declarations
• Built-in types
   –   the integers denoted by Z
   –   natural numbers {0, 1, 2, …} denoted by N
   –   positive integers denoted by N1
   –   the reals are not a built-in type
• Free types = similar to enumerated types in C++
• Basic types (aka unspecified types)
             Z Operators - part 1
• Operator # denotes the cardinality of a finite set
• Operator < is used to extract ordered pairs from a
  relation having specified first coordinate values

 Example: #({channel?} < assigned_to) < 5

 This statement asserts that the number of pairs from the
 relation assigned_to whose first coordinates equal
 the value of the input variable channel? is less than 5.
           Z Operators - part 2
• The operator > functions almost like < except it
  extracts pairs from a relation based on the value of
  the second coordinate.

Example: #(assigned_to > {instrument?}) < 3

This states that the number of ordered pairs from
the relation assigned_to whose second coordinates
equal the value of the input variable instrument? is less
than 3.
              Z Operators - part 3
• The notation a->b is used to denote a specific
  potential pair in a relation -- instead of the more
  standard ordered pair notation (a,b)
• The following notation is used for the relational
  image operator | {range set} |

  Example:       assigned_to (| {channel?} |)

  In this example, the relational image operator returns the
  image (in the range set)of the value of the variable channel?
  for the relation assigned_to.
         Creating New Schemas from
              Existing Schemas
• The prefix Δ (Delta) is used to create a new schema
  from an existing one.
   – A Delta schema is obtained by combining the before and after
     specifications of a state.
• The prefix Ξ (Xi) is also used to create a new schema
  from an existing one.
   – Similar to a Delta schema, an Xi schema is obtained by
     combining the before and after specifications of a state.
   – However, this schema is used to define specifications of
     operations (such as inquiries) that do not change the state of a
     structure.
            Delta Schema Example

       ΔIO_Channel_Assignments
Basic_Types
active_instruments, active_instruments' : P Platform_Instruments
assigned_to, assigned_to' :
       Communications_Channels ↔ Platform_Instruments
available, available', busy, busy' : P Communications_Channels
ran assigned_to ⊆ active_instruments
ran assigned_to' ⊆ active_instruments'
available ∩ busy = ∅
available' ∩ busy' = ∅
              Xi Schema Example

       ΞIO_Channel_Assignments
Basic_Types
active_instruments, active_instruments' : P Platform_Instruments
assigned_to, assigned_to' :
       Communications_Channels ↔ Platform_Instruments
available, available', busy, busy' : P Communications_Channels
ran assigned_to ⊆ active_instruments
available ∩ busy = ∅
active_instruments' = active_instruments
assigned_to' = assigned_to
available' = available
busy' = busy
   Operation Specification Options
• Operations may be specified incrementally as
  separate schema and then combined to produce a
  complete specification
• Define a ‘normal’ operation as a schema
• Define schemas for exceptional situations
• Combine all schemas using a disjunctive or
  operator
   Importing Delta and Xi Schemas

• Importing Δ and Ξ schemas into operation
  specifications provides a way to record the
  intended impact of the operations on state
  variables and predicates
• Provides a built-in check on the result of an
  operation
                       Z Specification Process

(Figure: Z specification process. Top row: Write informal specification →
Decompose system → Specify system components → Compose component
specifications. Bottom row, under "Specify system components": Define given
sets → Define state variables → Define initial state → Define ‘correct’
operations → Define exceptional operations → Combine operation schemas.)
                  Example Problem
• A space platform contains a number of instruments.
• Several communications channels are provided allowing both input and
  output instrument communications.
• Platform instruments may be placed in active or inactive states.
• Only active instruments may be assigned to I/O-channels.
• Active instruments may be assigned to more than one I/O-channel, up to
  some maximum number of I/O-channels per instrument.
• I/O-channels may be shared by several active instruments, up to some
  maximum number of instruments shared per I/O-channel.
       Basic Variables and Invariants

             IO_Channel_Assignments
Basic_Types
active_instruments : P Platform_Instruments
assigned_to :
       Communications_Channels ↔ Platform_Instruments
available, busy : P Communications_Channels

range assigned_to ⊆ active_instruments
available ∩ busy = ∅
Schema for Making an Assignment - part 1

 • The schema is to define the basic operator to
   assign a channel to an instrument
 • The schema will later be combined using logical
   or’s with a number of message reporting schemas
   to complete the definition
 • Schema IO_Channel_Assignments should be
   imported in the declaration part of the new schema
   since this operator will potentially change the
   system state
Schema for Making an Assignment - part 2

 • The declaration part of the schema should also declare two
   variables -- one representing the instrument and one
   representing the channel to be included in the assignment


 • The predicate part of the schema should consist of the
   conjunction (logical and’ing) of several pre-conditions
   assuring that the input variables satisfy conditions for a
   legal assignment to be made, and several post-conditions
   defining the state changes that will complete the
   assignment
                 Preconditions

Desired pre-conditions on the input variables :
  • instrument must be active
  • channel must be available (i.e. not already have
     the maximum allowed instruments assigned to it)
  • instrument must have assigned to it fewer than the
     allowed maximum number of channels
  • the candidate assignment pair must not already
     exist in the relation assigned_to
   Schema with Precondition Added

      Make_An_Assignment0
ΔIO_Channel_Assignments
instrument? : Platform_Instruments
channel? : Communications_Channels

instrument? ∈ active_instruments
channel? ∈ available
#(assigned_to > {instrument?}) < Max_Channels
channel? -> instrument? ∉ assigned_to
                Post-Conditions

Desired post-conditions -- the operator actions :
  • assure no change is made to the active state of the
     instrument (instrument remains active)
  • add the assignment pair to the assigned_to relation
  • (special case) if this assignment increases the
     number of instruments assigned to this channel to
     the maximum allowed, then the channel must be
     removed from the available channel set and placed
     in the busy channel set
Schema with Post-Conditions Added

          Make_An_Assignment0
  ΔIO_Channel_Assignments
  instrument? : Platform_Instruments
  channel? : Communications_Channels

  instrument? ∈ active_instruments
  channel? ∈ available
  #(assigned_to > {instrument?}) < Max_Channels
  channel? -> instrument? ∉ assigned_to

  active_instruments' = active_instruments
  assigned_to' = assigned_to ∪ {channel?->instrument?}
  [#({channel?} < assigned_to) < Max_Instruments-1] \/
       [#({channel?} < assigned_to) = Max_Instruments-1
             /\ available' = available - {channel?}
             /\ busy' = busy ∪ {channel?}]
              Error Conditions
• Errors should be reported whenever one of the
  preconditions fails (which means the operation
  cannot take place)
• Schemas can be defined for each error condition
• The final schema will combine the operator
  schema and the error condition schemas
  using or operators
 Sample Error Condition Schema


       Instrument_Not_Active
ΞIO_Channel_Assignments
instrument? : Platform_Instruments
message! : Possible_Message

instrument? ∉ active_instruments
message! = instrument_not_active
  Completed Make_Assignment Schema

  Assuming the three remaining error schemas are complete, the
    definition of the Make_An_Assignment operation
    appears below. (\/ = logical or)

Make_An_Assignment == Make_An_Assignment0
                      \/ Instrument_Not_Active
                      \/ Channel_Not_Available
                      \/ Maximum_Channels_Assigned
                      \/ Assignment_Already_Made
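As an added worked example (not from the slides), the operators of parts 1-3 and the Make_An_Assignment schemas above modelled in Python: relations are sets of (channel, instrument) pairs, each error schema returns the state unchanged (the Ξ case), and the Δ import becomes an invariant check on the after-state. Max_Channels, Max_Instruments, the "ok" result and every message name except instrument_not_active are assumed sample values.

```python
# Executable model of IO_Channel_Assignments and Make_An_Assignment (assumed reading).
from dataclasses import dataclass

MAX_CHANNELS = 2     # Max_Channels: sample value, assumed
MAX_INSTRUMENTS = 2  # Max_Instruments: sample value, assumed

def dom_restrict(s, rel):   # slides' "{s} < rel": pairs whose first coordinate is in s
    return {p for p in rel if p[0] in s}

def ran_restrict(rel, s):   # slides' "rel > {s}": pairs whose second coordinate is in s
    return {p for p in rel if p[1] in s}

def image(rel, s):          # "rel (| s |)": second coordinates of pairs whose first is in s
    return {b for (a, b) in rel if a in s}

@dataclass
class State:                # schema IO_Channel_Assignments
    active_instruments: set
    assigned_to: set        # the relation, as a set of (channel, instrument) pairs
    available: set
    busy: set

    def invariant(self):    # ran assigned_to ⊆ active_instruments and available ∩ busy = ∅
        ran = {b for (_, b) in self.assigned_to}
        return ran <= self.active_instruments and not (self.available & self.busy)

def make_an_assignment(st, instrument, channel):
    """Make_An_Assignment: returns (after-state, message!).
    Error schemas are tried in precondition order; the Z disjunction fixes no order."""
    assert st.invariant()
    if instrument not in st.active_instruments:
        return st, "instrument_not_active"            # Instrument_Not_Active (Ξ: no change)
    if channel not in st.available:
        return st, "channel_not_available"            # assumed message name
    if len(ran_restrict(st.assigned_to, {instrument})) >= MAX_CHANNELS:
        return st, "maximum_channels_assigned"        # assumed message name
    if (channel, instrument) in st.assigned_to:
        return st, "assignment_already_made"          # assumed message name
    # Make_An_Assignment0 post-conditions (Δ: build the primed state)
    new = State(set(st.active_instruments), st.assigned_to | {(channel, instrument)},
                set(st.available), set(st.busy))
    if len(dom_restrict({channel}, st.assigned_to)) == MAX_INSTRUMENTS - 1:
        new.available -= {channel}                    # channel now full: available -> busy
        new.busy |= {channel}
    # The slides' first disjunct leaves available'/busy' unconstrained; unchanged is taken.
    assert new.invariant()                            # the built-in check the Δ import gives
    return new, "ok"
```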

posted:11/12/2012