27.5.2008 formal methods of systems specification logical specification of hard- and software prof....

27.5.2008

Formal Methods of Systems SpecificationLogical Specification of Hard- and Software

Prof. Dr. Holger SchlingloffInstitut für Informatik der Humboldt Universität

and

Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik

http://www.hu-berlin.de/index.html

27.5.2008 Slide 2H. Schlingloff, Logical Specification

First-Order Predicate Logics

•FOL FOL ::= R (Vn) | | (FOL FOL) | V FOL

•Typed FOL V:D FOL

•Typed FOL=

(t1=t2) special predicate (not expressible in FOL) 1x stands for x(y((yx)¬(y:=x)))


Set theory

• Comprehension scheme {x: T|(x) ● expr(x)}

- expr(x) is an expression of type D involving variable x of type T

- The set of all values of expr(x) (in DU) where the value of x (in TU) satisfies (x)

{x: T|(x)} stands for {x: T|(x) ● x}

• Set operations y{x: T|(x) ● expr(x)} stands for

x:T ((x) y=expr(x)) M1M2 stands for x(xM1xM2) etc.

• Power set operator M1ℙM2 if M1M2 (but: set variables not available in

FOL!)

27.5.2008 Slide 4H. Schlingloff, Logical Specification 20.5.2008 Slide H. Schlingloff, Logical Specification

Z

• Properties described in FOL (Q x:T|(x) • (x))

- [quantifer][variable]:[type]|[constraint]•[predicate]

(x:T| • ) stands for x:T ( ∧ ) (x:T| • ) stands for x:T ( )

• Z schemes: name, signature and formulas


Z semantics

• Every Z scheme defines a set of (first-order) models M: (U,I,V) („each model being a function from names defined by the specification to values that those names are permitted to have by the constraints imposed on them in the specification“) U contains a domain for each type in the scheme

(named and unnamed types), such that the set constraints are satisfied- e.g. ℙM is the set of all subsets of M- e.g. ℤ is the set of integers

I is an interpretation of function and relation symbols- built-in functions are interpreted as expected

V is a first-order variable valuation, such that all specification formulae are satisfied- note: type names cannot be used as variables!


Example

defines the set of models

Each section defines a set of section models


The Z standard

• International standard 2002

•Defines standard operations sets, powersets tuples, products, sequences functions, relations numbers

•Markup languages LaTeX, ASCII


Sets, Powersets


Tuples, Sequences


Functions, Relations


Numbers


Three Definitions of abs

27.5.2008 Slide 14H. Schlingloff, Logical Specification Slide H. Schlingloff, Logical Specification

Z schemas – state changes

•delta abbreviation

•specifies extended models compare the propositional case unprimed variables: current state primed variables: next state


General Form of Transition


Z – Another Example

The Steam Boiler Control Specification Problem

• Jean-Raymond Abrial, Egon Börger, and Hans Langmaack: Formal Methods for Industrial Applications: Specifying and Programming the Steam Boiler Control. Springer LNCS 1165, October 1996 (ISBN 3-540-61929-1)

• Purpose: control the level of water in a steamboiler The quantity of water present when the steamboiler is

working has to be neither too low nor to high otherwise the steamboiler or the turbine sitting in front of it might be seriously affected

• More than 30 solutions available


Z – Steam Boiler Example


Steam Boiler Variables

Summary of various constants or physical variables of the system


Steam Boiler Control


Steam Boiler Operation

• The program operates in different modes, namely: initialization, normal, degraded, rescue, emergency stop

• The initialization mode is the mode to start with. The program enters a state in which it waits for the message STEAM-BOILER_WAITING to come from the physical units As soon as this message has been received the program checks whether the quantity of steam coming out of the steamboiler is really zero. If the unit for detection of the level of steam is defective, that is, when d is not equal to zero, the program enters the emergency stop mode. If the quantity of water in the steamboiler is above wmax, the program activates the valve of the steamboiler in order to empty it. If the quantity of water in the steamboiler is below N wmin, …


Steam Boiler Operation: Init


Steam Boiler Operation: Normal

• The normal mode is the standard operating mode in which the program tries to maintain the water level in the steamboiler between wmin and wmax with all physical units operating correctly. As soon as the water level is below wmin or above wmax the level can be adjusted by the program by switching the pumps on or off. The corresponding decision is taken on the basis of the information which has been received from the physical units. As soon as the program recognizes a failure of the water level measuring unit…


Reflection on Z

• State-based system, similar to finite automaton – Z may not be the ideal specification language

• High expressiveness by set theory and logic• Possibility of under-specification in Z• Modularity (but no object orientation)• Well-suited for program verification

• Not well-suited for refinement (transformational program development) and/or test generation


Yet Another Case Study

1. The subject is to invoice orders.2. To invoice is to change the state of an order (to

change it from the state "pending" to "invoiced").

3. On an order, we have one and one only reference to an ordered product of acertain quantity. The quantity can be different to other orders.

4. The same reference can be ordered on several different orders.

5. The state of the order will be changed into "invoiced" if the ordered quantity is either less or equal to the quantity which is in stock according to the reference of the ordered product.


Yet Another Case Study (2)

6. You have to consider the two following cases:(a) Case 1

All the ordered references are references in stock. The stock or the set of the orders may vary:- due to the entry of new orders or cancelled orders;- due to having a new entry of quantities of products in stock at

thewarehouse.

However, we do not have to take these entries into account. This means that you will not receive two entry flows (orders, entries in stock). The stock and the set of orders are always given to you in a up-to-date state.

(b) Case 2You do have to take into account the entries of:- new orders;- cancellations of orders;- entries of quantities in the stock.

27.5.2008 formal methods of systems specification logical specification of hard- and software prof....

Documents