27.5.2008
Formal Methods of Systems Specification
Logical Specification of Hard- and Software
Prof. Dr. Holger Schlingloff
Institut für Informatik der Humboldt Universität
and
Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik
27.5.2008 Slide 2 H. Schlingloff, Logical Specification
First-Order Predicate Logics
• FOL: FOL ::= R(V^n) | ¬FOL | (FOL ∧ FOL) | ∃V FOL
• Typed FOL: ∃V:D FOL
• Typed FOL with equality (FOL=): (t1 = t2) is a special predicate (not expressible in FOL)
  ∃1x φ(x) stands for ∃x (φ(x) ∧ ∀y (φ(y) → (y = x)))
27.5.2008 Slide 3H. Schlingloff, Logical Specification
Set theory
• Comprehension scheme {x: T | φ(x) ● expr(x)}
  - expr(x) is an expression of type D involving the variable x of type T
  - The set of all values of expr(x) (in D^U) where the value of x (in T^U) satisfies φ(x)
  - {x: T | φ(x)} stands for {x: T | φ(x) ● x}
• Set operations: y ∈ {x: T | φ(x) ● expr(x)} stands for ∃x:T (φ(x) ∧ y = expr(x)); M1 ⊆ M2 stands for ∀x (x ∈ M1 → x ∈ M2), etc.
• Power set operator: M1 ∈ ℙM2 iff M1 ⊆ M2 (but: set variables are not available in FOL!)
27.5.2008 Slide 4 H. Schlingloff, Logical Specification
Z
• Properties described in FOL: (Q x:T | φ(x) • ψ(x))
  - [quantifier][variable]:[type]|[constraint]•[predicate]
  - (∃x:T | φ • ψ) stands for ∃x:T (φ ∧ ψ); (∀x:T | φ • ψ) stands for ∀x:T (φ → ψ)
• Z schemas: name, signature and formulas
27.5.2008 Slide 5H. Schlingloff, Logical Specification
Z semantics
• Every Z schema defines a set of (first-order) models M = (U, I, V) ("each model being a function from names defined by the specification to values that those names are permitted to have by the constraints imposed on them in the specification")
  - U contains a domain for each type in the schema (named and unnamed types), such that the set constraints are satisfied, e.g. ℙM is the set of all subsets of M, ℤ is the set of integers
  - I is an interpretation of the function and relation symbols; built-in functions are interpreted as expected
  - V is a first-order variable valuation such that all specification formulae are satisfied (note: type names cannot be used as variables!)
27.5.2008 Slide 6H. Schlingloff, Logical Specification
Example
[Z schema figure not reproduced in the transcript] defines the set of models
Each section defines a set of section models
27.5.2008 Slide 7H. Schlingloff, Logical Specification
The Z standard
• International standard 2002
• Defines standard operations: sets, powersets; tuples, products, sequences; functions, relations; numbers
• Markup languages: LaTeX, ASCII
27.5.2008 Slide 8H. Schlingloff, Logical Specification
Sets, Powersets
27.5.2008 Slide 9H. Schlingloff, Logical Specification
Tuples, Sequences
27.5.2008 Slide 10H. Schlingloff, Logical Specification
Functions, Relations
27.5.2008 Slide 11H. Schlingloff, Logical Specification
Numbers
27.5.2008 Slide 12H. Schlingloff, Logical Specification
27.5.2008 Slide 13H. Schlingloff, Logical Specification
Three Definitions of abs
27.5.2008 Slide 14 H. Schlingloff, Logical Specification
Z schemas – state changes
• Delta abbreviation
• Specifies extended models (compare the propositional case): unprimed variables denote the current state, primed variables the next state
27.5.2008 Slide 15H. Schlingloff, Logical Specification
General Form of Transition
27.5.2008 Slide 16H. Schlingloff, Logical Specification
Z – Another Example
The Steam Boiler Control Specification Problem
• Jean-Raymond Abrial, Egon Börger, and Hans Langmaack: Formal Methods for Industrial Applications: Specifying and Programming the Steam Boiler Control. Springer LNCS 1165, October 1996 (ISBN 3-540-61929-1)
• Purpose: control the level of water in a steam boiler. The quantity of water present when the steam boiler is working has to be neither too low nor too high; otherwise the steam boiler or the turbine sitting in front of it might be seriously affected
• More than 30 solutions available
27.5.2008 Slide 17H. Schlingloff, Logical Specification
Z – Steam Boiler Example
27.5.2008 Slide 18H. Schlingloff, Logical Specification
Z – Steam Boiler Example
27.5.2008 Slide 19H. Schlingloff, Logical Specification
Z – Steam Boiler Example
27.5.2008 Slide 20H. Schlingloff, Logical Specification
Z – Steam Boiler Example
27.5.2008 Slide 21H. Schlingloff, Logical Specification
Steam Boiler Variables
Summary of various constants or physical variables of the system
27.5.2008 Slide 22H. Schlingloff, Logical Specification
Steam Boiler Control
27.5.2008 Slide 23H. Schlingloff, Logical Specification
Steam Boiler Control
27.5.2008 Slide 24H. Schlingloff, Logical Specification
Steam Boiler Operation
• The program operates in different modes, namely: initialization, normal, degraded, rescue, emergency stop
• The initialization mode is the mode to start with. The program enters a state in which it waits for the message STEAM-BOILER_WAITING to come from the physical units. As soon as this message has been received, the program checks whether the quantity of steam coming out of the steam boiler is really zero. If the unit for detection of the level of steam is defective, that is, when d is not equal to zero, the program enters the emergency stop mode. If the quantity of water in the steam boiler is above wmax, the program activates the valve of the steam boiler in order to empty it. If the quantity of water in the steam boiler is below N wmin, …
27.5.2008 Slide 25H. Schlingloff, Logical Specification
Steam Boiler Operation: Init
27.5.2008 Slide 26H. Schlingloff, Logical Specification
Steam Boiler Operation: Init
27.5.2008 Slide 27H. Schlingloff, Logical Specification
Steam Boiler Operation: Normal
• The normal mode is the standard operating mode, in which the program tries to maintain the water level in the steam boiler between wmin and wmax with all physical units operating correctly. As soon as the water level is below wmin or above wmax, the level can be adjusted by the program by switching the pumps on or off. The corresponding decision is taken on the basis of the information which has been received from the physical units. As soon as the program recognizes a failure of the water level measuring unit…
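The initialization and normal modes described on the last two slides, rendered as an executable controller step so that a trace of readings can be checked against the required behaviour. This is an added example, not lecture code: the WMIN/WMAX values, the Readings layout and the command names are assumptions, and the branches the slide text cuts off are marked as such.

```python
"""Executable rendering of the steam-boiler operating modes as the slides describe
them (initialization and normal mode). Added example, not lecture code: the WMIN/WMAX
values, the Readings layout and the command names are assumptions."""
from dataclasses import dataclass

MODES = ("initialization", "normal", "degraded", "rescue", "emergency_stop")
WMIN, WMAX = 150, 350            # assumed admissible bounds on the water quantity

@dataclass(frozen=True)
class Readings:
    message: str   # last message from the physical units, e.g. "STEAM-BOILER_WAITING"
    water: int     # measured quantity of water in the boiler
    steam: int     # measured quantity of steam leaving the boiler ("d" on the slide)

def step(mode, r):
    """One control cycle: (mode, readings) -> (next mode, commands sent to the actuators)."""
    assert mode in MODES
    if mode == "initialization":
        if r.message != "STEAM-BOILER_WAITING":
            return mode, ()                          # keep waiting for the physical units
        if r.steam != 0:                             # steam detection unit is defective
            return "emergency_stop", ("STOP",)
        if r.water > WMAX:
            return mode, ("VALVE_OPEN",)             # empty the boiler before starting
        if r.water < WMIN:
            return mode, ("PUMPS_ON",)               # assumption: the slide text breaks off here
        return "normal", ()
    if mode == "normal":                             # keep the level between wmin and wmax
        if r.water < WMIN:
            return mode, ("PUMPS_ON",)
        if r.water > WMAX:
            return mode, ("PUMPS_OFF",)
        return mode, ()
    return mode, ()                                  # degraded/rescue/emergency stop: not covered here

def run(trace, mode="initialization"):
    """Drive the controller over a sequence of readings; returns the mode after each cycle
    and every command issued, so a trace can be checked against the required behaviour."""
    modes, commands = [], []
    for r in trace:
        mode, cmds = step(mode, r)
        modes.append(mode)
        commands.extend(cmds)
    return modes, commands

# Constructed trace: wait, boiler too full at start-up, then normal operation with a low level.
TRACE = [Readings("", 250, 0), Readings("STEAM-BOILER_WAITING", 400, 0),
         Readings("STEAM-BOILER_WAITING", 250, 0), Readings("", 100, 0)]

if __name__ == "__main__":
    print(run(TRACE))
```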
27.5.2008 Slide 28H. Schlingloff, Logical Specification
Steam Boiler Operation: Normal
27.5.2008 Slide 29H. Schlingloff, Logical Specification
Steam Boiler Operation: Normal
27.5.2008 Slide 30H. Schlingloff, Logical Specification
Reflection on Z
• State-based system, similar to a finite automaton – Z may not be the ideal specification language
• High expressiveness through set theory and logic
• Possibility of under-specification in Z
• Modularity (but no object orientation)
• Well-suited for program verification
• Not well-suited for refinement (transformational program development) and/or test generation
27.5.2008 Slide 31H. Schlingloff, Logical Specification
Yet Another Case Study
1. The subject is to invoice orders.
2. To invoice is to change the state of an order (to change it from the state "pending" to "invoiced").
3. On an order, we have one and one only reference to an ordered product of a certain quantity. The quantity can be different to other orders.
4. The same reference can be ordered on several different orders.
5. The state of the order will be changed into "invoiced" if the ordered quantity is either less or equal to the quantity which is in stock according to the reference of the ordered product.
27.5.2008 Slide 32H. Schlingloff, Logical Specification
Yet Another Case Study (2)
6. You have to consider the two following cases:
(a) Case 1
All the ordered references are references in stock. The stock or the set of the orders may vary:
- due to the entry of new orders or cancelled orders;
- due to having a new entry of quantities of products in stock at the warehouse.
However, we do not have to take these entries into account. This means that you will not receive two entry flows (orders, entries in stock). The stock and the set of orders are always given to you in an up-to-date state.
(b) Case 2
You do have to take into account the entries of:
- new orders;
- cancellations of orders;
- entries of quantities in the stock.
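The invoicing case study (Case 1), written as a Z-style state schema and a Delta operation schema in Python, to make concrete both the unprimed/primed convention from the "state changes" slide and the point that a schema defines a set of models. This is an added example reconstructed from the numbered requirements above, not the lecture's own solution; the order and stock representation, the sample data and the finite stock domain are assumptions.

```python
"""Z-style state and operation schemas for the invoicing case study (Case 1),
added here as a Python rendering; the schemas are reconstructed from the
numbered requirements on the slides, not taken from the lecture itself."""
from itertools import product

PENDING, INVOICED = "pending", "invoiced"

def state_ok(orders, stock):
    """State schema invariant: every order carries exactly one product reference,
    a positive quantity and a state; every referenced product has a stock entry."""
    return (all(ref in stock and qty > 0 and st in (PENDING, INVOICED)
                for ref, qty, st in orders.values())
            and all(q >= 0 for q in stock.values()))

def invoice(orders, stock, orders1, stock1, o):
    """Delta schema Invoice: (orders, stock) is the current state, (orders1, stock1)
    the next state (Z would write orders', stock'), o the order to invoice.
    Requirement 5: a pending order becomes 'invoiced' iff its quantity is at most
    the stock of its reference; other orders keep their state. Case 1 hands the
    stock over always up to date, so nothing here constrains stock1: that part
    is deliberately left under-specified, which Z permits."""
    if not (state_ok(orders, stock) and state_ok(orders1, stock1) and o in orders):
        return False
    ref, qty, st = orders[o]
    pre = st == PENDING and qty <= stock[ref]
    post = orders1 == {**orders, o: (ref, qty, INVOICED)}
    return pre and post

def models(orders, stock, o, stock_domain):
    """The set of models of Invoice for a fixed before-state: all (orders1, stock1)
    over a finite stock domain that satisfy the schema. Enumerating them makes the
    under-specification visible: every stock1 over the domain is admitted."""
    refs, ids = sorted(stock), sorted(orders)
    found = []
    for states in product((PENDING, INVOICED), repeat=len(ids)):
        orders1 = {i: (orders[i][0], orders[i][1], s) for i, s in zip(ids, states)}
        for qs in product(stock_domain, repeat=len(refs)):
            stock1 = dict(zip(refs, qs))
            if invoice(orders, stock, orders1, stock1, o):
                found.append((orders1, stock1))
    return found

# Constructed sample: two orders for two references, stock known for both.
ORDERS = {"o1": ("ref-A", 3, PENDING), "o2": ("ref-B", 5, PENDING)}
STOCK = {"ref-A": 4, "ref-B": 2}

if __name__ == "__main__":
    ok = models(ORDERS, STOCK, "o1", range(4))          # 3 <= 4: o1 can be invoiced
    print(len(ok), "models; state of o1 in them:", {m[0]["o1"][2] for m in ok})
    print(len(models(ORDERS, STOCK, "o2", range(4))), "models for o2 (5 > 2)")
```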