Algebraic Specification Software Specification Lecture 34 Prepared by Stephen M. Thebaut, Ph.D. University of Florida

Overview Algebraic Specification involves specifying operations on an object in terms of their interrelationships. Particularly appropriate for specifying the interfaces between systems. First proposed by GUTTAG (1977) for the specification of abstract data types. Easiest to scale-up when an object-oriented design approach is taken.

Four Specification Components Introduction – defines the sort (abstract data type) and declares other specifications that are used (“imported”). Description – informally describes the operations on the sort.

Four Specification Components (cont’d) Signature – defines the syntax of the operations in the interface and their parameters. Axioms – defines the operation semantics by defining axioms which characterize behavior.

Graphical Representation sort < name > imports < LIST OF SPECIFICATION NAMES > Informal Description of the sort and its operations Operation signatures setting out the names and the types of the parameters to (and the results of) the operations Axioms defining the operations over the sort SPECIFICATION NAME (Generic Parameter) (Introduction)

--------------------------------------------- Types of Operations Constructor operations: operations which create / modify entities of the type Inspection operations: operations which evaluate entities of the type being specified --------------------------------------------- Rule of Thumb for Defining Axioms: define an axiom which sets out what is always true for each inspection operation over each constructor.

Operations on a Generic “ARRAY” Abstract Data Type Constructor operations: Create, Assign Inspection operations: First, Last, Eval

ARRAY ( Elem: [Undefined → Elem]) sort Array imports INTEGER Arrays are collections of elements of generic type Elem. They have a lower and upper bound (discovered by the operations First and Last). Individual elements are accessed via their numeric index. Create takes the array bounds as parameters and creates the array, initializing its values to Undefined. Assign creates a new array which is the same as the input with the specified element assigned the given value. Eval reveals the value of a specified element. If an attempt is made to access a value outside the bounds of the array, the value is undefined. Create (Integer, Integer) → Array Assign (Array, Integer, Elem) → Array First (Array) → Integer Last (Array) → Integer Eval (Array, Integer) → Elem First (Create (x, y)) = x First (Assign (a, n, v)) = First (a) Last (Create (x, y)) = y Last (Assign (a, n, v)) = Last (a) Eval (Create (x, y), n) = Undefined Eval (Assign (a, n, v), m) = if m < First (a) or m > Last (a) then Undefined else if m = n then v else Eval (a, m)

Informal Description of Array Arrays are collections of elements of generic type Elem. They have a lower and upper bound (discovered by the operations First and Last). Individual elements are accessed via their numeric index.

Informal Description of Array (cont’d) Create takes the array bounds as parameters and creates the array, initializing its values to Undefined. Assign creates a new array which is the same as the input with the specified element assigned the given value. Eval reveals the value of a specified element. If an attempt is made to access a value outside the bounds of the array, the value is undefined.

Array Signatures Create (Integer, Integer) → Array Assign (Array, Integer, Elem) → Array First (Array) → Integer Last (Array) → Integer Eval (Array, Integer) → Elem

Note RECURSIVE definition Array Axioms First (Create (x, y)) = x First (Assign (a, n, v)) = First (a) Last (Create (x, y)) = y Last (Assign (a, n, v)) = Last (a) Eval (Create (x, y), n) = Undefined Eval (Assign (a, n, v), m) = if m < First (a) or m > Last (a) then Undefined else if m = n then v else Eval (a, m) Note RECURSIVE definition

Example Let: A1 := Assign (Create (1, 3), 3, c) A2 := Assign (A1, 2, b) A2 = [Undefined, b, c] 1 2 3 What is the value of: Eval (Assign (A2, 1, a), 2) ? b Use axiom 6 to prove this.

Proof By axiom 6, Eval (Assign (A2, 1, a), 2) = if 2 < First (A2) = 1 or 2 > Last (A2) = 3 then Undefined else if 2 = 1 then a else Eval (A2, 2) = Eval (A2, 2) = Eval (Assign (A1, 2, b), 2)

Proof (cont’d) Again, by axiom 6, Eval (Assign (A1, 2, b), 2) = if 2 < First (A1) = 1 or 2 > Last (A1) = 3 then Undefined else if 2 = 2 then b else Eval (A1, 2) = b

More generally… Can you prove that the axioms allow one to deduce appropriate values of First, Last, and Eval for any syntactically correct sequence of constructor operations? In other words, can you prove that the algebraic specification of sort Array is complete w.r.t. our understanding of how arrays work? If so, how?

More Examples What are the values of the following operation sequences: Eval (Assign (Create (-3, 0), -2, a), -2)

A Visual Interpretation of Operation Effects Eval (Assign (Create (-3, 0), -2, a), -2) (Undefined, Undefined, Undefined, Undefined) -3 -2 -1 0 (Undefined, a , Undefined, Undefined) -3 -2 -1 0 a

More Examples What are the values of the following operation sequences: Eval (Assign (Create (-3, 0), -2, a), -2) = a Eval (Assign (Create (5, 5), 5, b), 5) = b Eval (Assign (Create (3, -2), 1, c), 1) = Undefined

Why “Undefined”? By axiom 6, Eval (Assign (Create (3, -2), 1, c), 1) = if 1< 3 or 1 > -2 then Undefined else… = Undefined

Exercise 1 Modify the definition of sort ARRAY to allow use (via Assigns and Evals) of arrays such as Create (3, -2).

Specification Instantiation A simple form of reuse. An existing specification utilizing a generic parameter is instantiated with some other sort, e.g.: CHAR_ARRAY: ARRAY sort Char_array instantiates Array (Elem:=Char) imports INTEGER

Exercise 2 Write an algebraic specification for an abstract data type representing a STACK with operations: New – Bring a stack into existence Push – Add an element to the top of a stack Top – Evaluate the top element of a stack (without removing it) Retract – Remove the top element from a stack and return the modified stack Is_Empty – True if and only if there are no elements on a stack

Key Points Algebraic specifications should be constructed by identifying constructor operations which create instances of the type or class, and inspection operations which inspect the values of these instances. The semantics of each inspection operation should be defined for each constructor.

Key Points (cont’d) It can be difficult to prove that algebraic specifications are complete and consistent. Formal specifications should always have an associated informal description to make the formal semantics more understandable.

Algebraic Specification Software Specification Lecture 34 Prepared by Stephen M. Thebaut, Ph.D. University of Florida