model-based specification cis 376 bruce r. maxim um-dearborn
TRANSCRIPT
Model-Based Specification
CIS 376
Bruce R. Maxim
UM-Dearborn
Model-Based Specification Overview
• System model defined using well-understood mathematical entities like sets and functions
• System state is not hidden like it is in algebraic specification
• State changes are straight forward to define• VDM and Z are the most widely used model-
based specification languages
Z Formal Language
• Based on set theory and first-order predicate logic• Strongly typed• Declarative language• Makes use of a graphical construction known as a
schema– provide an effective low level structuring facility
– are useful as specification building blocks
– can be understood fairly easily
Schemas
• Include– a unique name or identifier
– a signature that declares entities and their types
– a predicate part that defines invariants involving these entities
• Schemas can be included in other schemas and act as type definitions
• Names are local to the schema in which they are defined
Schema: Declaration Part
• Contains local declarations (types and variables) • Can import other types by listing their names• Anonymous schemas (name omitted) are used to
make global declarations• Anonymous schemas usually do not contain a
predicate part
Schema: Predicate Part
• Statements about the entities defined in the declaration part of the schema
• These statements must be true at all times• Multiple statements are assumed to be implicitly
connected by a logical and• Other logical connectives (e.g. or, implies,
equivalent, etc.) can be used explicitly in compound statements
Z specification examples were posted on the World Wide Web by
Ken Abernathy
Furman University
Example SchemaThe symbol P is used to indicate the power set of a type, and the symbol is used to define a relation between two types (i.e. a set of ordered pairs from the Cartesian product of the two types).
IO_Channel_Assignments Basic_Typesactive_instruments : P Platform_Instrumentsassigned_to : Communications_Channels Platform_Instrumentsavailable, busy: P Communications_Channels
range assigned_to [subset of] active_instrumentsavailable busy =
Z Lexical Elements
• Character set includes all keyboard characters and special mathematical symbols
• Identifiers must begin with a letter and may contain any number of digits, letters (upper and lower case), and the underscore _
• Identifiers may have suffixes? = input variable
! = output variable
` = new value for variable following a state change
Z Types and Declarations
• Built-in types– the integers denoted by Z
– natural numbers {0, 1, 2, …} denoted by N
– positive integers denoted by N1
– the reals are not a built-in type
• Free types = similar to enumerated types in C++• Basic types (aka unspecified types)
Z Operators - part 1• Operator # denotes the cardinality of a finite set• Operator < is used to extract ordered pairs from a
relation having specified first coordinate values
Example: #({channel?} < assigned_to) < 5
This statement asserts that the number of pairs from the relation assigned_to whose first coordinates equal the value of the input variable channel? is less than 5.
Z Operators - part 2
• The operator > functions almost like < except it extracts pairs from a relation based on the value of the second coordinate.
Example: #(assigned_to > {instrument?}) < 3
This states that the number of ordered pairs from the relation assigned_to whose second coordinates equal the value of the input variable instrument? is less than 3.
Z Operators - part 3
• The notation a->b is used to denote a specific potential pair in a relation -- instead of the more standard ordered pair notation (a,b)
• The following notation is used for the relational image operator | {range set} |
Example: assigned_to (| {channel?} |)
In this example, the relational image operator returns the image (in the range set)of the value of the variable channel? for the relation assigned_to.
Creating New Schemas from Existing Schemas
• The prefix (Delta) is used to create a new schema from an existing one. – A Delta schema is obtained by combining the before and after
specifications of a state.
• The prefix (Xi) is also used to create a new schema from an existing one. – Similar to a Delta schema, an Xi schema is obtained by
combining the before and after specifications of a state.
– However, this schema is used to define specifications of operations (such as inquiries) that do not change the state of a
structure.
Delta Schema Example
IO_Channel_AssignmentsBasic_Typesactive_instruments, active_instruments' : P Platform_Instrumentsassigned_to, assigned_to' :
Communications_Channels Platform_Instrumentsavailable, available', busy, busy' : P Communications_Channels
ran assigned_to [subset of] active_instrumentsran assigned_to' [subset of] active_instruments'available busy = available' busy' =
Xi Schema Example
IO_Channel_AssignmentsBasic_Typesactive_instruments, active_instruments' : P Platform_Instrumentsassigned_to, assigned_to' :
Communications_Channels Platform_Instrumentsavailable, available', busy, busy' : P Communications_Channels
ran assigned_to [subset of] active_instrumentsavailable busy = active_instruments' = active_instrumentsassigned_to' = assigned_toavailable' = availablebusy' = busy
Operation Specification Options
• Operations may be specified incrementally as separate schema and then combined to produce a complete specification
• Define a ‘normal’ operation as a schema• Define schemas for exceptional situations• Combine all schemas using a disjunctive or
operator
Importing Delta and Xi Schemas
• Importing and schemas into operation specifications provides a way to record the intended impact of the operations on state variables and predicate
• Provides a built-in check on the result of an operation
Z Specification Process
Define givensets and types
Define statevariables
Define initialstate
Define‘correct’operations
Defineexceptionaloperations
Combineoperationschemas
Write informalspecification
Decomposesystem
Specify systemcomponents
Composecomponent
specifications
Example Problem
• A space platform contains a number of instruments.
• Several communications channels are provided allowing both input and output instrument communications.
• Platform instruments may be placed in active or inactive states.
• Only active instruments may be assigned to I/O-channels.
• Active instruments may be assigned to more than one I/O-channel, up to some maximum number of I/O-channels per instrument.
• I/O-channels may be shared by several active instruments, up to some maximum number of instruments shared per I/O-channel.
Basic Variables and Invariants
IO_Channel_Assignments Basic_Typesactive_instruments : P Platform_Instrumentsassigned_to :
Communications_Channels Platform_Instrumentsavailable, busy: P Communications_Channels
range assigned_to [subset of] active_instrumentsavailable busy =
Schema for Making an Assignment - part 1
• The schema is to define the basic operator to assign a channel to an instrument
• The schema will later be combined using logical or’s with a number of message reporting schemas to complete the definition
• Schema IO_Channel_Assignments should be imported in the declaration part of the new schema since this operator will potentially change the system state
Schema for Making an Assignment - part 2
• The declaration part of the schema should also declare two variables -- one representing the instrument and one representing the channel to be included in the assignment
• The predicate part of the schema should consist of the conjunction (logical and’ing) of several pre-conditions assuring that the input variables satisfy conditions for a legal assignment to be made, and several post-conditions defining the state changes that will complete the assignment
Preconditions
Desired pre-conditions on the input variables :• instrument must be active• channel must be available (i.e. not already have
the maximum allowed instruments assigned to it)• instrument must have assigned to it fewer than the
allowed maximum number of channels• the candidate assignment pair must not already
exist in the relation assigned_to
Schema with Precondition Added
Make_An_Assignment0
IO_Channel_Assignments instrument? : Platform_Instrumentschannel? : Communications_Channels
instrument? active_instrumentschannel? available#(assigned_to > {instrument?}) < Max_Channelschannel? -> instrument? assigned_to
Post-Conditions
Desired post-conditions -- the operator actions :• assure no change is made to the active state of the
instrument (instrument remains active)• add the assignment pair to the assigned_to relation• (special case) if this assignment increases the
number of instruments assigned to this channel to the maximum allowed, then the channel must be removed from the available channel set and placed in the busy channel set
Schema with Post-Conditions Added
Make_An_Assignment0
IO_Channel_Assignments instrument? : Platform_Instrumentschannel? : Communications_Channels
instrument? active_instrumentschannel? available#(assigned_to > {instrument?}) < Max_Channelschannel? -> instrument? assigned_to
active_instruments' = active_instrumentsassigned_to' = assigned_to {channel?->instrument?}
[#({channel?} < assigned_to) < Max_Instruments-1] \/ [#({channel?} < assigned_to) = Max_Instruments-1 /\ available' = available - {channel?}
/\ busy' = busy {channel?}]
Error Conditions
• Errors should be reported whenever one of the preconditions fail (which means the operation cannot take place)
• Schemas can be defined for each error condition• The final schema will combine the operator
schema and the error schema condition schemas using or operators
Sample Error Condition Schema
Instrument_Not_Active
IO_Channel_Assignments instrument? : Platform_Instrumentsmessage! : Possible_Message
instrument? active_instrumentsmessage! = instrument_not_active
Completed Make_Assignment Schema
Assuming three more error schemas are complete the definition of the Make_An_Assignment operation appears below. (\/ = logical or)
Make_An_Assignment == Make_An_Assignment0
\/ Instrument_Not_Active\/ Channel_Not_Available\/ Maximum_Channels_Assigned\/ Assignment_Already_Made