(State) Model-Based Approaches I Software Specification Lecture 35 Prepared by Stephen M. Thebaut, Ph.D. University of Florida

Overview Algebraic specification involves specifying object operations in terms of their inter-relationships. This can be cumbersome when operations depend on object state (i.e., previous operations). Consider axiom 6 of the ARRAY specification. (State) Model-Based specification exposes system state and defines operations in terms of changes to that state.

Model-Based Approaches/Languages Specification via Pre- and Post-Conditions: Predicates are defined over a program’s state variables to reflect its intended functional behavior. Specification using “Z” (pronounced “Zed”): A mature notation for defining constraints and operations on state variables that incorporates informal descriptions and graphical highlighting.

Pre-and Post-Conditions The functional requirements of a program may be specified by providing: an explicit predicate on its state before execution (a pre-condition), and an explicit predicate on its state after execution (a post-condition). This serves to highlight the distinction between assumptions that an implementer is allowed to make, and obligations that must be met.

Pre-and Post-Conditions (cont’d) The language of pre- and post-conditions is the predicate calculus. Predicates denote properties of program variables or relations between them.

What is the Predicate Calculus? (A Brief Tutorial) Propositions and Propositional Logic Truth Tables Equivalence Predicates The Predicate Calculus

Propositions A proposition, P, is a statement of some alleged fact which must be either true or false, and not both. Which of the following are propositions? elephants are mammals France is in Asia go away 5>4 X>5

Propositional Logic Propositional Logic is a formal language that allows us to reason about propositions. The alphabet of this language is: { P, Q, R, ..., Λ, V, , , ¬ } P, Q, R,... denote the truth values of simple propositions. The other symbols, usually referred to as connectives, provide ways in which compound propositions can be built from simpler ones.

Truth Tables Truth tables provide a concise way of giving the meaning of compound forms in a tabular form. Example 1: Complete the truth table below to show all possible interpretations for the following sentences: AB, AB, and ¬AVB.

Truth Tables (cont’d) A B ¬A AB ¬AVB T T T F F T F F F T T F F F T T

Equivalence Two sentences are said to be equivalent if and only if their truth values are the same under every interpretation. If A is equivalent to B, we write A ≡ B using the metasymbol ≡. Example 2: Use the truth table of Exercise 1 to show: (A  B) ≡ (¬A V B)

Truth Tables (cont’d) A B ¬A AB ¬AVB T T T F F T F F F T T F F F T T

Equivalence (cont’d) Many users of logic slip into the habit of using  and ≡ interchangeably. However, A  B is written in the full knowledge that it may denote either True or False in some interpretation. Whereas A ≡ B is an expression of a “fact” – i.e., the writer thinks it is true.

Predicates Predicates are expressions containing one or more free variables (place holders) that can be filled by suitable objects to create propositions. For example, instantiating the value 2 for X in the predicate X>5 results in the (false) proposition 2>5. Note that a predicate itself has no truth value; it expresses a property or relation using variables.

Predicates (cont’d) There are TWO ways in which predicates can give rise to propositions: (1) As illustrated above, their free variables may be instantiated with the names of specific objects, and (2) They may be quantified. Quantification introduces two additional symbols:  and .

Predicates (cont’d)  and  are used to represent universal and existential quantification, respectively. x  duck(x) represents the proposition “every object is a duck.” x  duck(x) represents the proposition “there is at least one duck.”

Predicates (cont’d) x  Q(x,y) or x  Q(x,y) For a predicate with two free variables, quantifying over one of them yields another predicate with one free variable, as in x  Q(x,y) or x  Q(x,y)

Predicates (cont’d) i  {1,2,...,N}  A[i]>0 Where appropriate, a domain of interest may be specified which contains the objects for which the quantifier applies. For example, i  {1,2,...,N}  A[i]>0 represents the predicate “the first N elements of array A are all greater than 0.”

Predicate Calculus The addition of a deductive apparatus gives us a formal system permitting proofs and derivations which we will refer to as the predicate calculus. The system is based on providing rules of inference for introducing and removing each of the five connective symbols plus the two quantifiers.

Predicate Calculus (cont’d) A rule of inference is expressed in the form: A1, A2 , ..., An _______________ C and is interpreted to mean: (A1 Λ A2 Λ ... Λ An )  C

Examples of Deductive Rules A Λ B ________ A _______ AVB Examples of Deductive Rules ¬ ¬A ________ A A, A  B __________ B

Examples of Deductive Rules (cont’d) A  B __________ A  B A  B, B  A _______________ x  P(x) ___________________ P(1), P(2), …, P(n)

Specification Via Pre- and Post-Conditions Pre-condition: expresses properties of / relationships among program variables before program execution. An implementer may assume these will hold. Post-condition: expresses obligatory properties of / relationships among program variables after program execution. An implementer must make it so.

Exercise 3 For each of the following, give appropriate pre- and post-conditions for the function described. Set variable MAX to the maximum value of two integers, A and B. Set variable MIN to the minimum value in the unsorted, non-empty array A[1:N]. Set variable SUM to the sum of the elements in array A[1:N].

Exercise 3 (cont’d) Given three arrays A[1:N], B[1:N], and C[1:N], set each element of A equal to the sum of the corresponding elements of B and C. Set variable NPRIME to true if N is prime and to false otherwise. Set variable Y to the greatest common divisor of integers A and B.

Exercise 3 (cont’d) Set variable R to the remainder of dividing A by D. Set variable I to the index of the first instance of Y in the array A[1:N]. Perform integer subtraction using the arithmetic primitive "subtract 1" and a while loop. Let M be the minuend, S be the subtrahend, and D be the difference. Assume that the subtrahend is nonnegative.

Sample Solutions Set variable MAX to the maximum value of two integers, A and B. pre-condition: post-condition: (What can the implementer assume will be true before execution?) (What must the implementer make true after execution?)

Sample Solutions Set variable MAX to the maximum value of two integers, A and B. pre-condition: post-condition: { [(MAX=A Λ AB) V (MAX=B & B  A)] Λ A=A’ Λ B=B’ } (Note that A’ denotes the initial value of variable A.) { true } {MAX=A V MAX=B}

Sample Solutions (cont’d) Set variable MIN to the minimum value in the unsorted, non-empty array A[1:N]. pre-condition: post-condition: What does “unsorted” mean? { N>0 } { j  {1,2,...,N}  MIN  A[j] Λ  x  {1,2,...,N}  A[i]=MIN Λ A=A’ }

(State) Model-Based Approaches I Software Specification Lecture 35 Prepared by Stephen M. Thebaut, Ph.D. University of Florida