Formal Approaches to Computing and Information Technology

Springer-Verlag London Ltd.

Also in this series:

Constructing Correct Software: the basics J. Cooke ISBN 3-540-76156-X

Formal Methods in Human-Computer Interaction P. Palanque and F. Paterno (Eds) ISBN 3-540-76158-6

Proof in VDM: Case Studies J.C. Bicarregui (Ed.) ISBN 3-540-76186-1

Program Development by Refinement E. Sekerinski and K. Sere (Eds) ISBN 1-85233-053-8

High-Integrity System Specification and Design Jonathan P. Bowen and Michael G. Hinehey (Eds) ISBN 3-540-76226-4

Industrial-Strength Formal Methods in Practice M.G. Hinehey and J.P. Bowen (Eds) ISBN 1-85233-640-4

Software Specification Methods: An Overview Using a Case Study Mare Frappier and Henri Habrias (Eds) ISBN 1-85233-353-7

J ohn Derrick and Eerke Boiten

Refinement in Z and Object-Z Foundations and Advanced Applications

f Springer

John Derrick, BSc, DPhil Eerke Boiten, Ir, PhD Computing Laboratory, University ofKent at Canterbury, Canterbury, Kent CT2 7NF, UK

Series Editor Professor S.A. Schuman, BSc, DEA, CEng

British Library Cataloguing in Publication Data Derrick, John

Refinement in Z and Object-Z : foundations and advanced applications. - (Formal approaches to computing and information technology) 1. Z (Computer program language) 1. Title II. Boiten, Eerke 005.1'33

ISBN 978-1-85233-245-7 ISBN 978-1-4471-0257-1 (eBook) DOI 10.1007/978-1-4471-0257-1

Library of Congress Cataloging-in-Publication Data Derrick, John, 1963-

Refinement in Z and Object-Z : foundations and advanced applications I John Derrick and Eerke Boiten.

p. cm. - (Formal approaches to computing and information technology, ISSN 1431-9683) Includes bibliographical references and index. ISBN 978-1-85233-245-7 1. Z (Computer program language) 2. Object-oriented programming (Computer

science) I. Boiten, Eerke, 1966- II. Title. III. Series. QA76.73.Z2 D47 2001 005.13'3-dc21

2001020204

Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form or by any means, with the prior permission in writing of the pubJishers, or in the case of reprographie reproduction in accordance with the terms of licences issued by the Copyright Lieensing Agency. Enquiries eoncerning reproduction outside those terms should be sent to the publishers.

FACIT series ISSN 1431-9683

http://www.springer.co.uk

© Springer-Verlag London 2001 Originally published by Springer-Verlag London Limited in 2001

The use of registered names, trademarks etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant laws and regulations and therefore free for general use.

The publisher makes no representation, express or implied, with regard to the aceuracy of the information contained in this book and cannot accept any legal responsibiJity or liabiJity for any errors or omissions that may be made.

Typesetting: Camera ready by authors

34/3830-543210 Printed on acid-free paper SPIN 10749020

To our families

Preface

What is Refinement?

Refinement is one of the cornerstones of a formal approach to software en­gineering. The traditional purpose of refinement is to show that an imple­mentation meets the requirements set out in an initial specification. Armed with such a methodology, program development can then begin with an ab­stract specification and proceed via a number of steps, each step producing a slightly more detailed design which is shown to be a refinement of the previous specification.

In order to help verify refinements, different notations use different ap­proaches, and in Z, Object-Z and other state-based languages, the techniques of downward and upward simulations have emerged as the standard method of verifying refinements. Their use over the last 10 years has led to increasing numbers of applications and understanding of the nature of refining a formal specification. During the last few years the use of refinement in a number of domains has led to research on new applications and generalisations. The purpose of this book is to bring together that work in one volume.

Z and Object-Z

Refinement has been studied in many notations and contexts, however in this book we will concentrate on Z and Object-Z.

Z is a formal specification language, which uses mathematical notation (set theory and logic) to describe the system under consideration. Z, along with Object-Z, Band VDM, is often called a state-based language because it specifies a system by describing the states it can be in, together with a description of how the state evolves over time. In effect a specification builds a model of the system.

Object-Z is an object-oriented extension of Z, which adds the notion of class as an additional structuring device, enabling an Object-Z specification to represent a number of communicating objects.

The importance of Z for refinement is that Z specifications are abstract and often loose, allowing refinement to many different implementations. In this book we discuss some of the techniques for doing so.

vii

viii Preface

Structure of the Book

The book is structured into a series of parts, each focusing on a particular theme.

In Part I we provide an introduction to data refinement, and look at its applicability in Z. This leads to the formalisation of both downward and up­ward simulations in the Z schema calculus. We then discuss how refinements can be calculated and look at the application of this work to the derivation of tests from formal specifications. We also show how we can derive a single complete simulation rule by using possibility mappings.

Part II looks at recent generalisations of refinement which allow refine­ment of the interface and atomicity of operations. The standard presentation of refinement requires that the interface (i.e., input/output) of an operation remains unchanged, however for a variety of applications this is unsuitable and there is a need for more general refinements which this part discusses. The refinement of an interface is intimately tied up with the problem of non­atomic refinement, i.e., where we decompose a single abstract operation into a number of concrete operations upon refinement. This part discusses this problem in some detail, presenting refinement rules for specifications con­taining internal operations, as well as the general approach to non-atomic refinement in Z.

In Part III we look at how the theory of refinement can be used in an 00 context. To do so we introduce the Object-Z specification language as a canonical example, and show how refinement between classes (and collections of classes) can be verified. We also discuss the relationship between refinement and inheritance and look at the formalisation of interface refinement and non­atomic refinement in Object-Z.

Finally, in Part IV we turn our attention to combining notions of state and behaviour when specifying and refining systems. The use of Object-Z provides a notion of state, which we combine with the notion of behaviour that is provided by the process algebra esp.

In a concluding chapter we also briefly discuss a number of related for­malisms, like Band VDM.

The dependencies between the chapters of the book are shown in Fig­ure 0.1.

Readership

The book is intended primarily as a monograph aimed at researchers in the field of formal methods, academics, industrialists using formal methods, and postgraduate researchers. By including an introduction to the languages and notations used, the book is self contained, and should appeal to all those with an interest in formal methods and formal development.

Preface IX

The book is also relevant to a number of courses, particularly at post­graduate level, on software engineering, formal methods, object-orientation and distributed systems.

There is an associated web page to accompany this book:

http://www.cs.ukc.ac.uk/people/staff/jdl/books/refine/

Fig. 0.1. Chapter dependencies.

x Preface

Acknowledgements

Fragments of Chapter 3 and some later chapters were reprinted from: Pro­ceedings of Mathematics of Program Construction 2000, R.C. Backhouse and J.N. Oliveira (Eds), Lecture Notes in Computer Science 1837, E.A. Boiten and J. Derrick, "Liberating data refinement", pp 144-166, copyright (2000), with permission from Springer Verlag.

Fragments of Chapter 5 were reprinted from: Information and Software Technology, Volume 41, J. Derrick and E.A. Boiten, "Calculating upward and downward simulations of state-based specifications", pp 917-923, copyright (1999), with permission from Elsevier Science.

Fragments of Chapter 7 are reproduced with permission from: Software Testing, Verification and Reliability, Volume 9, J. Derrick and E.A. Boiten, "Testing refinements of state-based formal specifications", pp 27-50, 1999 © John Wiley & Sons Limited.

Fragments of Chapter 8 were reprinted from: The Journal of Logic and Computation, Volume 10, Number 5, J. Derrick, "A single complete simula­tion rule in Z", pp 663-675, copyright (2000), with permission from Oxford University Press.

Fragments of Chapter 9 were reprinted from: International Refinement Workshop fj Formal Methods Pacific '98, J. Grundy, M. Schwenke and T. Vickers (Eds), Series in Discrete Mathematics and Theoretical Computer Science, E.A. Boiten and J. Derrick, "Grey box data refinement", pp 45-60, copyright (1998), with permission from Springer-Verlag.

Fragments of Chapter 11 were reprinted from: Formal Aspects of Com­puting, Volume 10, J. Derrick, E.A. Boiten, H. Bowman and M.W.A. Steen, "Specifying and refining internal operations in Z", pp 125-159, copyright (1998), with permission from Springer-Verlag.

Fragments of Chapter 12 were reprinted from: FM'99 World Congress on Formal Methods in the Development of Computing Systems, J.M. Wing and J.C.P. Woodcock and J. Davies (Eds) , Lecture Notes in Computer Science 1708, J. Derrick and E.A. Boiten, "Non-atomic refinement in Z", pp 1477-1496, copyright (1999), with permission from Springer-Verlag.

Many people have contributed to this book in a variety of ways. We have had numerous discussions on aspects of specification and refinement and ben­efited from related work in this area with other researchers induding: Ralph Back, Richard Banach, Christie Bolton, Howard Bowman, Michael Butler, David Cooper, Jim Davies, Clemens Fischer, Lindsay Groves, Ian Hayes, Martin Henson, Karl Lermer, Peter Linington, Ernst-Ruediger Olderog, Steve Schneider, Kaisa Sere, Maarten Steen, Susan Stepney, Ketil Stoelen, Marina Walden, and Jim Woodcock.

Thanks are especially due to Behzad Bordbar, Rob Hierons, Ralph Mi­arka, Graeme Smith, Chris Taylor, Ian Toyn, Helen Treharne, and Heike Wehrheim, for their careful reading of earlier drafts of this book and helpful

Preface Xl

suggestions. Thanks also to the reviewers of the book, in particular Perdita Stevens, for their useful comments.

We also wish to thank Rosie Kemp from Springer-Verlag and the FACIT series editor, Steve Schuman, for their help and guidance in preparing this book.

Finally, thanks to our friends and families who have provided love and support throughout this project. We would not have completed this book without them.

Contents

Part I. Refining Z Specifications

1. An Introduction to Z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1 Z: A Language for Specifying Systems. . . . . . . . . . . . . . . . . . . . . 3 1.2 Predicate Logic and Set Theory . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.3 Types, Declarations and Abbreviations. . . . . . . . . . . . . . . . . . . . 7

1.3.1 Types........................................... 7 1.3.2 Axiomatic Definitions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 1.3.3 Abbreviations.................................... 10

1.4 Relations, Functions, Sequences and Bags ................. 10 1.4.1 Relations........................................ 11 1.4.2 Functions....................................... 14 1.4.3 Sequences....................................... 16 1.4.4 Bags............................................ 18

1.5 Schemas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 18 1.5.1 Schema Syntax. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 19 1.5.2 Schema Inclusion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 20 1.5.3 Decorations and Conventions ...................... 21 1.5.4 States, Operations and ADTs . . . . . . . . . . . . . . . . . . . . .. 22 1.5.5 The Schema Calculus. . . . . . . . . . . . . . . . . . . . . . . . . . . .. 25 1.5.6 Schemas as Declarations .......................... 33 1.5.7 Schemas as Predicates. . . . . . . . . . . . . . . . . . . . . . . . . . .. 35 1.5.8 Schemas as Types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 35 1.5.9 Schema Equality ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 37

1.6 An Example Refinement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 37 1.7 What Does a Z Specification Mean? ...................... 42 1.8 The Z Standard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 42 1.9 Tool Support .......................................... 44 1.10 Bibliographical Notes. . . . . . . . . . . . . . . . ... . . . . . . . . . . . . . . . .. 44

2. Simple Refinement.. . . . . . . .. . . . . . . ... . . . . . .. . . . . .. . . .. . .. 47 2.1 What is Refinement? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 47 2.2 Operation Refinement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 50 2.3 From Concrete to Abstract Data Types ................... 55 2.4 Establishing and Imposing Invariants ..................... 55

xiii

XIV Contents

2.4.1 Establishing Invariants. . . . . . . . . . . . . . . . . . . . . . . . . . .. 56 2.4.2 Imposing Invariants. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 57

2.5 Example: London Underground. . . . . . . . . . . . . . . . . . . . . . . . .. 57 2.6 Bibliographical Notes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 61

3. Data Refinement and Simulations. . . . . . . . . . . . . . . . . . . . . . .. 63 3.1 Programs and Observations for ADTs . . . . . . . . . . . . . . . . . . . .. 63 3.2 Upward and Downward Simulations. . . . . . . . . . . . . . . . . . . . . .. 67 3.3 Dealing with Partial Relations ........................... 75 3.4 Bibliographical Notes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 82

4. Refinement in Z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 85 4.1 The Relational Basis of a Z Specification ..... . . . . . . . . . . . .. 85 4.2 Deriving Downward Simulation in Z ...................... 88 4.3 Deriving Upward Simulation in Z. . . . . . . . . . . . . . . . . . . . . . . .. 92 4.4 Embedding Inputs and Outputs . . . . . . . . . . . . . . . . . . . . . . . . .. 94 4.5 Deriving Simulation Rules in Z - Again ...... . . . . . . . . . . . .. 97 4.6 Examples .............................................. 102 4.7 Reflections on the Embedding ............................ 113

4.7.1 Alternative Embeddings ........................... 113 4.7.2 Programs, Revisited .............................. 115

4.8 Proving and Disproving Refinement ....................... 115 4.9 A Pitfall: Name Capture ................................ 116 4.10 Bibliographical Notes ................................... 118

5. Calculating Refinements .................................. 119 5.1 Downward Simulations .................................. 122

5.1.1 N on-Functional Retrieve Relations .................. 126 5.2 Upward Simulations .................................... 131 5.3 Calculating Common Refinements ........................ 136 5.4 Bibliographical Notes ................................... 140

6. Promotion ................................................ 141 6.1 Example: Multiple Processors ............................ 141 6.2 Example: A Football League ............................. 143 6.3 Free Promotions and Preconditions ....................... 146 6.4 The Refinement of a Promotion .......................... 148

6.4.1 Example: Refining Multiple Processors .............. 148 6.4.2 Refinement Conditions for Promotion ............... 150

6.5 Commonly Occurring Promotions ........................ 152 6.6 Calculating Refinements ................................. 159 6.7 Upward Simulations of Promotions ..................... " 159 6.8 Bibliographical Notes ................................... 160

Contents xv

7. Testing and Refinement ........ '" .... " ................. 161 7.1 Deriving Tests from Specifications ........................ 162 7.2 Testing Refinements and Implementations ................. 168

7.2.1 Calculating Concrete Tests ........................ 169 7.2.2 Calculating Concrete States ....................... 171

7.3 Building the Concrete Finite State Machine. . . . . . . . . . . . . . .. 172 7.3.1 Using a Functional Retrieve Relation ............... 172 7.3.2 Using a Non-Functional Retrieve Relation ........... 178

7.4 Refinements due to Upward Simulations ................... 181 7.5 Bibliographical Notes ................................... 186

8. A Single Simulation Rule ................................. 189 8.1 Powersimulations ....................................... 191 8.2 Application to Z ....................................... 195 8.3 Calculating Powersimulations ............................ 200 8.4 Bibliographical Notes ................................... 203

Part II. Interfaces and Operations: ADTs Viewed in an Environment

9. Refinement, Observation and Modification ................ 207 9.1 Grey Box Data Types ................................... 209 9.2 Refinement of Grey Box Data Types ...................... 213 9.3 Display Boxes .......................................... 218 9.4 Bibliographical Notes ................................... 223

10. 10 Refinement ............................................ 225 10.1 Examples of 10 Refinement: "Safe" and "Unsafe" ........... 226 10.2 An Embedding for 10 Refinement ........................ 229 10.3 Intermezzo: 10 Transformers ............................. 232 10.4 Deriving 10 Refinement ................................. 237

10.4.1 Initialisation ..................................... 237 10.4.2 Finalisation ...................................... 239 10.4.3 Applicability ..................................... 240 10.4.4 Correctness ...................................... 241

10.5 Conditions of 10 Refinement ............................. 243 10.6 Further Examples ...................................... 248 10.7 Bibliographical Notes ................................... 251

11. Weak Refinement ......................................... 253 11.1 Using Stuttering Steps .................................. 254 11.2 Weak Refinement ....................................... 257

11.2.1 The Relational Context ........................... 257 11.2.2 The Schema Calculus Context ..................... 259

XVI Contents

11.2.3 Further Examples ................................ 263 11.3 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270

11.3.1 Weak Refinement is Not a Pre-Congruence .......... 272 11.3.2 Internal Operations with Output ................... 273

11.4 Upward Simulations .................................... 274 11.5 Removing Internal Operations ........................... 278 11.6 Divergence ............................................ 283 11.7 Bibliographical Notes ................................... 284

12. Non-Atomic Refinement .................................. 287 12.1 Non-Atomic Refinement via Stuttering Steps ............... 288

12.1.1 Semantic Considerations .......................... 289 12.1.2 Using the Schema Calculus ........................ 291

12.2 Non-Atomic Refinement Without Stuttering ............... 294 12.3 Using 10 'Transformations ............................... 297

12.3.1 Semantic Considerations Again ..................... 298 12.3.2 The Z Characterisation ........................... 300

12.4 Further Examples ...................................... 302 12.5 Varying the Length of the Decomposition .................. 307 12.6 Upward Simulations .................................... 311 12.7 Properties and Discussion ............................... 312

12.7.1 Non-Interference ................................. 312 12.7.2 Interruptive ..................................... 315 12.7.3 Interleaving ...................................... 316 12.7.4 Further Non-Atomic Refinements ................... 317

12.8 Bibliographical Notes ................................... 317

13. Case Study: A Digital and Analogue Watch .............. 319 13.1 The Abstract Design ............................. " ..... 319 13.2 Grey Box Specification and Refinement ................... 321 13.3 An Analogue Watch: Using 10 Refinement ................. 323 13.4 Adding Seconds: Weak Refinement ....................... 324 13.5 Resetting the Time: Using Non-Atomic Refinement ......... 326

14. Further Generalisations ................................... 331 14.1 Alphabet Extension ..................................... 331 14.2 Alphabet 'Translation ................................... 333 14.3 Compatibility of Generalisations .......................... 334 14.4 Bibliographical Notes ................................... 334

Contents xvii

Part III. Object-Oriented Refinement

15. An Introduction to Object-Z ............................. 337 15.1 Classes ................................................ 338

15.1.1 The Object-Z Schema Calculus ..................... 341 15.1.2 Late Binding of Operations ........................ 342 15.1.3 Preconditions .................................... 343

15.2 Inheritance ............................................ 343 15.2.1 Example: A Bank Account ........................ 343

15.3 Object Instantiation .................................... 346 15.3.1 Modelling Aggregates ............................. 347 15.3.2 Example: A Bank ................................ 349 15.3.3 Object Containment .............................. 350

15.4 Communicating Objects ................................. 351 15.5 Semantics ............................................. 352

15.5.1 Polymorphism and Generic Parameters .............. 354 15.6 Example: A Football League ............................. 354 15.7 Bibliographical Notes ................................... 356

16. Refinement in Object-Z ................................... 359 16.1 The Simulation Rules in Object-Z ........................ 359 16.2 Weak Refinement in Object-Z ............................ 365 16.3 Grey Box, 10, and Non-Atomic Refinement in Object-Z ..... 367

16.3.1 Non-Atomic Refinement ........................... 368 16.4 Refinement, Subtyping and Inheritance .................... 373 16.5 Bibliographical Notes ................................... 374

17. Class Refinement ......................................... 377 17.1 Objects and References ................................. 377

17.1.1 Understanding Object Evolution ................... 380 17.1.2 Verifying the Bank Refinement ..................... 381

17.2 Class Simulations ....................................... 383 17.3 Issues of Compositionality ............................... 396

17.3.1 Promoting Refinements Between Object-Z Classes .... 400 17.4 Bibliographical Notes ................................... 403

Part IV. Modelling State and Behaviour

18. Combining CSP and Object-Z ............................ 407 18.1 An Introduction to CSP ................................. 407

18.1.1 The Semantics of CSP ............................ 411 18.2 Integrating CSP and Object-Z ........................... 415

18.2.1 A Common Semantic Model ....................... 415

xviii Contents

18.3 Combining CSP Processes and Object-Z Classes ............ 416 18.4 Combining Object-Z Classes using CSP Operators .......... 420 18.5 Bibliographical Notes ................................... 424

19. Refining CSP and Object-Z Specifications ................ 427 19.1 Refinement in CSP ..................................... 427

19.1.1 Using Simulations with CSP Refinement ............ 429 19.2 Refinement of CSP Components .......................... 430 19.3 Refinement of Object-Z Components ...................... 431

19.3.1 Example: The Lift Specification .................... 433 19.4 Structural Refinements .................................. 436 19.5 Bibliographical Notes ................................... 437

20. Conclusions ............................................... 439

Glossary of Notation ......................................... 443

Bibliography . ................................................. 449

Index ......................................................... 461