lectures 9,10

Software Engineering, COMP201 Slide 1

Lectures 9,10

Formal Specifications


Formal Specification - Techniques for the unambiguous specification of software

Objectives:

To explain why formal specification techniques help discover problems in system requirements

To describe the use of • algebraic techniques (for interface specification) and • model-based techniques(for behavioural specification)

To introduce Abstract State Machine Model


Formal methods

Formal specification is part of a more general collection of techniques that are known as ‘formal methods’ COMP313 “Formal Methods”

These are all based on mathematical representation and analysis of

software Formal methods include

• Formal specification• Specification analysis and proof• Transformational development• Program verification


Acceptance of formal methods

Formal methods have not become mainstream software development techniques as was once predicted• Other software engineering techniques have been successful at

increasing system quality. Hence the need for formal methods has been reduced

• Market changes have made time-to-market rather than software with a low error count the key factor. Formal methods do not reduce time to market

• The scope of formal methods is limited. They are not well-suited to specifying and analysing user interfaces and user interaction

• Formal methods are hard to scale up to large systems


Use of formal methods Their principal benefits are in reducing the number of

errors in systems so their main area of applicability is critical systems:• Air traffic control information systems,• Railway signalling systems• Spacecraft systems• Medical control systems

In this area, the use of formal methods is most likely to be cost-effective

Formal methods have limited practical applicability


Specification in the software process

Specification and design are inextricably mixed.

Architectural design is essential to structure a specification.

Formal specifications are expressed in a mathematical notation with precisely defined vocabulary, syntax and semantics.


Specification and design

Architecturaldesign

Requirementsspecification

Requirementsdefinition

Softwarespecification

High-leveldesign

Increasing contractor involvement

Decreasing client involvement

Specification

Design


Specification in the software process

Requirementsspecification

Formalspecification

Systemmodelling

Architecturaldesign

Requirementsdefinition

High-leveldesign


Specification techniques

Algebraic approach• The system is specified in terms of its operations and

their relationships Model-based approach

• The system is specified in terms of a state model that is constructed using mathematical constructs such as sets and sequences.

• Operations are defined by modifications to the system’s state


Formal specification languages

ASML - Abstract State Machine Language

Yuri. Gurevich, Microsoft Research, 2001


Use of formal specification

Formal specification involves investing more effort in the early phases of software development

This reduces requirements errors as it forces a detailed analysis of the requirements

Incompleteness and inconsistencies can be discovered and resolved !!!

Hence, savings as made as the amount of rework due to requirements problems is reduced


Development costs with formal specification

Specification

Design andImplementation

Validation

Specification

Design andImplementation

Validation

Cost

Without formalspecification

With formalspecification


1. Interface specification Large systems are decomposed into subsystems

with well-defined interfaces between these subsystems

Specification of subsystem interfaces allows independent development of the different subsystems

Interfaces may be defined as abstract data types or object classes

The algebraic approach to formal specification is particularly well-suited to

interface specification


Sub-system interfaces

Sub-systemA

Sub-systemB

Interfaceobjects


The structure of an algebraic specification

sort < name >imports < LIST OF SPECIFICATION NAMES >

Informal descr iption of the sor t and its operations

Operation signatures setting out the names and the types ofthe parameters to the operations defined over the sort

Axioms defining the operations over the sort

< SPECIFICATION NAME > (Gener ic Parameter)

introduction

description

signature

axioms


Behavioural specification

Algebraic specification can be cumbersome when the object operations are not independent of the object state

Model-based specification exposes the system state and defines the operations in terms of changes to that state


OSI reference model

Application

Presentation

Session

Transport

Network

Data link

Physical

7

6

5

4

3

2

1

Communica tions medium

Network

Data link

Physical

Application

Presentation

Session

Transport

Network

Data link

Physical

ApplicationModel-based specification

Algebraic specification


Abstract State Machine Language (AsmL)

AsmL is a language for modelling the structure and behaviour of digital systems

AsmL can be used to faithfully capture the abstract structure and step-wise behaviour of any discrete systems, including very complex ones such as:Integrated circuits, software components, and devices that combine both hardware and software


Abstract State An AsmL model is said to be abstract because it

encodes only those aspects of the system’s structure that affect the behaviour being modelled

The goal is to use the minimum amount of detail that accurately reproduces (or predicts) the

behaviour of the system Abstraction helps us reduce complex problems into

manageable units and prevents us from getting lost in a sea of details

AsmL provides a variety of features that allow you to describe the relevant state of a system in

a very economical, high-level way


Abstract State Machine and Turing Machine

An abstract state machine is a particular kind of mathematical machine, like the Turing machine (TM)

But unlike a TM, ASMs may be defined a very high level of abstraction

An easy way to understand ASMs is to see them as defining a succession of states that may follow an initial state


State transitions

The behaviour of a machine (its run) can always be depicted as a sequence of states linked by state transitions

• Moving from state A to state B is a state transition

paint in green

paint in redA B


Configurations Each state is a particular “configuration” of

the machine

The state may be simple or it may be very large, with complex structure

But no matter how complex the state might be, each step of the machine’s operation can be seen as a well-defined transition from one particular state to another


Evolution of state variables

paint in green

paint in redA B

We can view any machine’s state as a dictionary of

(Name, Value) pairs, called state variables

(Colour, Red) is a variable, where “Colour” is the name of variable, “Red” is the value


Evolution of state variables Names are given by the machine’s symbolic

vocabulary Values are fixed elements, like numbers and

strings of characters

The run of a machine is a series of

states and state transitions that

results form applying operations

to each state in succession


ExampleDiagram shows the run of a machine that models how orders might be processed

S1

Mode = “Initial”

Orders = 0

Balance = £0

Initialise Process All Orders

S3

Mode = “Final”

Orders = 0

Balance = £500

S2

Mode = “Active”

Orders = 2

Balance = £200

Each transition operation: • can be seen as the result of invoking the machine’s

control logic on the current state • calculates the subsequence state as output


Control LogicThe machine’s control logic

behaves like a fix set of transition rules that say how state may evolve

We can think of the control logic as a text that precisely specifies, for any given state, what the values of the machine’s variables will be in the following step

Typical form of the operational text is:

“ if condition then update ”


Control Logic as a Black Box

The two dictionaries S1 and S2 have the same set of keys, but the values associated with each variable name may differ between S1 and S2

The Machine’s Control Logic

…

if mode = “Initial”

then mode := “Active”

mode “Initial”

orders 0

balance £0

Mode “Active”

orders 2

balance £200

input

output

• The machine control logic is a black box that takes as input a state dictionary S1 and gives as output a new dictionary S2


Run of the Machine The run of the machine can be seen as what happens

when the control logic is applied to each state in turn The run starts form initial state

S1 S2 S3 …S1 is given to the black box yielding S2, processing S2 results in S3,

and so on …

When no more changes to state are possible, the run is complete


Update operations We use the symbol

“: =” (reads as “gets”) to indicate the value that a name will have in the resulting state

For example: mode:=“Active”

Update can be seen only during the following step (this is in contrast to Java, C, Pascal, …)

All changes happen simultaneously, when you moving from one step to another. Then, all updates happen at once.(atomic transaction)


Programs

Example 1. Hello, world

Main()

step WriteLine(“hello, world!”)

ASML uses indentations to denote block structure, and blocks can be places inside other blocks

Statement block affect the scope of variables

Whitespace includes blanks and new-line character, ASML does not recognize tab character for indentation !!!!!!!

An operation names Main() gives the top-level operational definition of the model (Main() is like main() in Java and C )


The Executable Specification Language - ASML

Compiler

asmlc [name of the program]

!!! Use D drive at the University Laboratories !!!

Example

D:\>asmlc test.asml

D:\> test.exe

D:\> test.exe >output_file.txt


I. StepsThe general syntax for steps is

Step [label] [stopping-condition] statement block a statement block consists of

indented statement that follow a label is an optional string,

number of identifier followed by a colon (“:”)

stopping condition is any these forms:

until fixpointuntil expressionwhile expression

A step can be introduced independently or as part of sequence of steps in the form:

step …

step …


Stopping for fixed point “until fixed point”enum EnumMode Initial Started Finishedvar mode = Initialvar count = 0

Main() step until fixpoint if mode = Initial then mode :=Started count:=1 if mode = Started and count < 10 then count:= count+1 if mode = Started and count >=10 then mode:= Finished

Initial

Started

Finished

if count < 10 then count:= count+1

count 10

count:= 1


Stopping for conditions “while” & “until”

while expression until expressionvar x as Integer = 1Main() step while x < 10 WriteLine(x) x:= x + 1

var x as Integer = 1Main() step until x > 9 WriteLine(x) x:= x + 1

Running each of these examples produces nine steps. It will print numbers: 1,2,3,4,5,6,7,8 and 9 as output

Either while or until may be used to give an explicit stopping condition for iterated sequential steps of the machine.


Conditions

eq =ne lt <gt >in notin subset superset subseteq superseteq


Sequences of steps

The syntax step … step … indicates a sequence of steps that will be performed in order

• Labels after the “step” keyword are optional but helpful as documentation.


Be wary ! Be wary of introducing unnecessary steps

This can occur if two operations are really not order-dependent but are given as two sequential steps, regardless

It is very easy to fall into this trap, since most people are used to the sequential structures used by other programming languages


Iteration over collections

Another common idiom for iteration is to do one step per element in some finite collection such as a set or sequence

step foreach ident1 in expr1, ident2 in expr2 … statement-block

myList = [1,2,3]Main() step foreach i in myList WriteLine (i)

Sequential, step-based iteration is available for sets as well as sequences, but in the case of sets, the order is not specified


Guidelines for using steps

Situation You choose …

operations occur in a fixed order

sequence of steps

each operation must be done in order

iterated steps with stopping condition “while”,“until”

operations must be done in sequence, one after another

iteration over collection

“foreach”

operations can be done without order

iteration over collection “forall”

Repeat an operation until no more changes occur

fixed-point stopping condition “until fixed point”


II. Updates “How are variables updated?”

A program defines state variables and operations

The most important concept is that state is a dictionary of (name,value) pairs

Each name identifies an occurrence for state variables

• Operations may propose new values for state variables

• But effect of these changes is only visible in subsequent step


The update statementUpdate symbol “: =” (reads as “gets”)

var x = 0var y = 1Main() step WriteLine(“In the first step, x =” + x) // x is 0 WriteLine (“In the first step, y =” + y) // y is 1 x:=2 step // updates occur here WriteLine(“In the second step, x =” + x)//x is 2 WriteLine(“In the second step, y =” + y)//y is 1


Delayed effect of updates

Updates don’t actually occur until the step following the one in which they are written

var x = 0var y = 1Main() step WriteLine(“In the first step, x =” + x) // x is 0 WriteLine(“In the first step, y =” + y) // y is 1 step x:=2 WriteLine (“In the second step, x =” + x) // x is 0 step WriteLine (“In the third step, x =” + x) // x is 2


When updates occur

in C, Java in ASML

temp = x

x = y

y = temp

step

x:= y

y:=x

Swapping values

All updates given within a single step occur simultaneously at the end of the step.

Conceptually, the updates are applied “in between” the steps.


Consistency of updates• The order within a step does not matter, but all of

updates in the step must be consistent• None of the updates given within a step may contradict

each other• If updates do contradict, then they are called

“inconsistent updates” and an error occur

Inconsistent update Error: CLASH

in the update set

step

x:=1

x:=2

we don’t know which of the two should take effect


Total and partial updates

An update of the variable can either be total or partial

Total update is a simple replacement of variable’s value with a new value

Partial updates apply to variables that have structure

The left hand side of the update operation

“ X : = val ”

indicates whether the update is total or partial


Total update of a set-valued variable

1. The variable Students was, initially, an empty set2. It was then updated to contain the names of the four

students3. Update became visible in the second step as the finial

roster

var Students as Set of String = {}Main() step WriteLine (“The initial roster is = ” + Students) Students := {“Bill”, “Carol”, “Ted”, “Alice”} step WriteLine (“The final roster is = ” + Students)


Partial update of a set-valued variable

“ X : = val ” is update operation If X ends with an index form, then the update is partial If X ends with a variable name, then the update is total

var Students as Set of String = {}Main() step WriteLine (“The initial roster is = ” + Students) Students(“Bill”) := true Students(“Carol”) := true Students(“Ted”) := true Students(“Alice”) := truestep WriteLine (“The final roster is = ” + Students)


Updating a set-valued variable

Updating the set Students with updating statement (*) removes “Bill ” from the set

The update is partial in the sense that other students may be added to the set Students in the same step without contradiction

var Students as Set of String = {}Main() step WriteLine (“The initial roster is = ” + Students) Students := {“Bill”, “Carol”,

“Ted”, “Alice”}step WriteLine (“The current roster is = ” + Students) Students ( “Bill”) := false // ( * ) step WriteLine (“The final roster is = ” + Students)

lectures 9,10

Documents