1 CS 501 Spring 2005

CS 501: Software Engineering

Lecture 10

Requirements 4

2 CS 501 Spring 2005

Course Administration

Presentations, March 9-10

Read the instructions on the Assignments web page

Reserve a time slot by sending email to anat@cs.cornell.edu. Time slots are listed on the home page of the web site. First-come-first-served.

3 CS 501 Spring 2005

Formal Specification

Why?

• Precise standard to define and validate software.

Why not?

• May be time consuming

• Methods are not suitable for all applications

4 CS 501 Spring 2005

Remember

Formal specification does not prescribe the implementation

With formal specification it is possible, at least theoretically, to generate code automatically from the specification, but this may not be the most effective way:

• Writing the generator may be a very large programming task.

• The resulting code may perform badly.

Formal specification does not guarantee correctness

• If the specification is wrong, the system will be wrong.

5 CS 501 Spring 2005

Formal Specification using Mathematical Notation

Mathematical requirements can be specified formally.

Example: requirements from a mathematical package:

B1, B2, ... Bk is a sequence of m x m matrices

1, 2, ... k is a sequence of m x m elementary matrices

B1-1 = 1

B2-1 = 21

Bk-1 = k ... 21

The numerical accuracy must be such that, for all k,

BkBk-1 - I <

6 CS 501 Spring 2005

Formal Specification Using Diagrams

digitunsigned integer

digit. E

+

-

unsigned integerunsigned integer

unsigned number

Example: Pascal number syntax

7 CS 501 Spring 2005

Formal Specification of Programming Languages

<unsigned number> ::= <unsigned integer> | <unsigned real>

<unsigned integer> ::= <digit> {<digit>}

<unsigned real> ::= <unsigned integer> . <digit> {<digit>} | <unsigned integer> . <digit> {<digit>} E <scale factor> | <unsigned integer> E <scale factor>

<scale factor> ::= <unsigned integer> | <sign> <unsigned integer>

<sign> ::= + | -

Example: Pascal number syntax

8 CS 501 Spring 2005

Formal Specification using Z ("Zed")

Z is a specification language developed by the Programming Research Group at Oxford University around 1980. Z is used for describing and modeling computing systems. It is based on axiomatic set theory and first order predicate logic.

Ben Potter, Jane Sinclair, David Till,

An Introduction to Formal Specification and Z

(Prentice Hall) 1991

Jonathan Jacky

The Way of Z

(Cambridge University Press) 1997

9 CS 501 Spring 2005

Informal: The function intrt(a) returns the largest integer whose square is less than or equal to a.

Formal (Z):

intrt: N N

a : N •

intrt(a) * intrt(a) < a < (intrt(a) + 1) * (intrt(a) + 1)

Example: Specification using Z

10 CS 501 Spring 2005

Example: Implementation of intrt

1 + 3 + 5 + ... (2n - 1) = n2

Static specification does not describe the design of the system.

A possible algorithm uses the mathematical identity:

11 CS 501 Spring 2005

Example: Program for intrt

int intrt (int a)/* Calculate integer square root */{ int i, term, sum; term = 1; sum = 1; for (i = 0; sum <= a; i++) { term = term + 2; sum = sum + term; } return i;}

12 CS 501 Spring 2005

Formal Specification of Finite State Machine Using Z

A finite state machine is a broadly used method of formal specification:

• Event driven systems (e.g., games)

• User interfaces

• Protocol specification

etc., etc., ...

13 CS 501 Spring 2005

State Transition Diagram

Patients Fields Setup ReadyBeam

on

Enter Enter Start

Stop

Select field

Select patient(lock on)

(lock off)

14 CS 501 Spring 2005

State Transition Table

SelectPatient

SelectField

Enter lock off Start Stop lock on

Patients

Fields

Setup

Ready

Beamon

Fields

Fields

Fields

Patients

Patients

Patients

Setup

Setup

Setup

Ready

Beamon

Ready

15 CS 501 Spring 2005

Z Specification

STATE ::= patients | fields | setup | ready | beam_on

EVENT ::= select_patient | select_field | enter | start | stop | lock_off | lock_on

FSM == (STATE X EVENT) STATE

no_change, transitions, control : FSM

Continued on next slide

16 CS 501 Spring 2005

Z Specification (continued)

control = no_change transitions

no_change = { s : STATE; e : EVENT • (s, e) s }

transitions = { (patients, enter) fields,

(fields, select_patient) patients, (fields, enter) setup,

(setup, select_patient) patients, (setup, select_field) fields, (setup, lock_off) ready,

(ready, select_patient) patients, (ready, select_field) fields, (ready, start) beam_on, (ready, lock_on) setup,

(beam_on, stop) ready, (beam_on, lock_on) setup }

17 CS 501 Spring 2005

Schemas

Schema:

• The basic unit of formal specification.

• Enables complex system to be specified as subsystems

• Describes admissible states and operations of a system.

18 CS 501 Spring 2005

LibSys: An Example of Z

Library system:

• Stock of books.

• Registered users.

• Each copy of a book has a unique identifier.

• Some books on loan; other books on shelves available for loan.

• Maximum number of books that any user may have on loan.

19 CS 501 Spring 2005

LibSys: Operations

• Issue a copy of a book to a reader.

• Reader returns a book.

• Add a copy to the stock.

• Remove a copy from the stock.

• Inquire which books are on loan to a reader.

• Inquire which readers has a particular copy of a book.

• Register a new reader.

• Cancel a reader's registration.

20 CS 501 Spring 2005

LibSys: Modeling

Formal Specifications are models. As with all models, it is necessary to decide what should be included and what can be left out.

Level of detail

Assume given sets:

Copy, Book, Reader

Global constant:

maxloans

21 CS 501 Spring 2005

Domain and Range

dom mX Yx

ran my

m : X Y

dom m = { x X : y Y x y}

ran m = { y Y : x X x y}

m

domain:

range:

22 CS 501 Spring 2005

LibSys: Schema for Abstract States

Library

stock : Copy Bookissued : Copy Readershelved : F Copyreaders: F Reader

shelved dom issued = dom stockshelved dom issued = Øran issued readersr : readers • #(issued {r}) maxloans<

finite subset

Name

Declaration part

Predicate

23 CS 501 Spring 2005

Schema Inclusion

LibDB

stock : Copy Bookreaders: F Reader

LibLoansissued : Copy Readershelved : F Copy

r : Reader • #(issued {r}) maxloansshelved dom issued = Ø

<

24 CS 501 Spring 2005

Schema Inclusion (continued)

Library

LibDBLibLoans

dom stock = shelved dom issuedran issued readers

25 CS 501 Spring 2005

Schemas Describing Operations

Naming conventions for objects:

Before: plain variables, e.g., r

After: with appended dash, e.g., r'

Input: with appended ?, e.g., r?

Output: with appended !, e.g., r!

26 CS 501 Spring 2005

Operation: Issue a Book

• Inputs: copy c?, reader r?

• Copy must be shelved initially: c? shelved

• Reader must be registered: r? readers

• Reader must have less than maximum number of books on loan: #(issued {r?}) < maxloans

• Copy must be recorded as issued to the reader: issued' = issued {c? r?}

• The stock and the set of registered readers are unchanged: stock' = stock; readers' = readers

27 CS 501 Spring 2005

Operation: Issue a Book

stock, stock' : Copy Book

issued, issued' : Copy Reader

shelved, shelved': F Copy

readers, readers' : F Reader

c?: Copy; r? :Reader

[See next slide]

Issue

28 CS 501 Spring 2005

Operation: Issue a Book (continued)

[See previous slide]

Issue

shelved dom issued = dom stockshelved' dom issued' = dom stock'shelved dom issued = Ø; shelved' dom issued' = Øran issued readers; ran issued' readers'r : readers #(issued {r}) maxloansr : readers' #(issued' {r}) maxloansc? shelved; r? readers; #(issued {r?}) < maxloansissued' = issued {c? r?}stock' = stock; readers' = readers

<<

29 CS 501 Spring 2005

Schema Decoration

Issue

LibraryLibrary'c? : Copy; r? : Reader

c? shelved; r? readers#(issued {r?}) < maxloansissued' = issued {c? r?}stock' = stock; readers' = readers

30 CS 501 Spring 2005

Schema Decoration

Issue

Libraryc? : Copy; r? : Reader

c? shelved; r? readers#(issued {r?}) < maxloansissued' = issued {c? r?}stock' = stock; readers' = readers

31 CS 501 Spring 2005

The Schema Calculus

Schema inclusion

Schema decoration

Schema disjunction:

AddCopy AddKnownTitle AddNewTitle

Schema conjunction:

AddCopy EnterNewCopy AddCopyAdmin

Schema negation

Schema composition

=̂

=̂

32 CS 501 Spring 2005

Z in Practice

In carefully monitored industrial use, Z has been shown to improve the timeliness and accuracy of software development, yet it is widely used in practice.

Complexity of notation makes communication with client difficult.

Few software developers are comfortable with the underlying axiomatic approach.

Heavy notation is awkward to manipulate with conventional tools, such as word processors.