Formal Methods in Software Engineering Saima Zareen

Formal Specification of a System Formal Specification describes the System behavior Operations of system Problem with formal specification is large amount of detailed information which is required for accurate system specification. A structured approach is required. The basic building block of a specification is abstract machine. Large specification can be constructed from smaller ones. AMN (abstract Machine Notation ) is used.

Compositional structuring Abstract Machines The combination of abstract machine is also an abstract machine permitting hierarchical specification. Abstract Machines It is the specification of a system. It contains pieces of information, that describes various aspects of the specification. Specification must describe what the component should do?(Operations,Functions). Operations/Functions Take inputs from the user Supply outputs to the user. Affect any change within the component.

Components/parts of Abstract machines Interface Collection of operations by which machine interacts with environment. Components/parts of Abstract machines It is required by the machine to maintain or process information. For this a local state is required. State is mentioned by the local variables. State variables are listed under VARIABLES heading. INVARIANT Their types and any other information are listed. The information which must be true of the state. For example type of variable must not be changed during the execution.

INITIALISATION Machine Name Represents initial state Machine must have a name ,so that other machines can refer to it. The name is given under the heading MACHINE. Machine It is not like an object in object oriented sense. It has a name, internal state, and set of operations as do objects. It may be considered as a black box with buttons on the side corresponding to the operations, and a set of state variables inside.

Abstract machine Interaction must be through these buttons.

Example of abstract machine Consider the example of ticket dispenser, which is used in shop to order the queue. On entry to the shop customer takes a numbered ticket from the dispenser. When a sales assistant is ready to serve, a display indicates the number of the customer who is to be served next. Customers wait until it is their turn to be served. The system is pictured in figure

A ticketing System

The behavior of ticket system can be represented using abstract machine. First of all name the machine as MACHINE Ticket

VARIABLES To maintain the state of a system we define variables, a variable should be of the type which is suitable to express kind of value it can store. How the systems are understood rather than implemented. In terms of values, sets, relations, sequences . A variable can be of the type N, natural numbers set(0,1,2,…..). In the example we have two kind of tickets Ticket number being served Number of Next ticket to be dispensed. We can model with variables: next serve

VARIABLES serve, next INVARIANT Provides information about the variables of the machine It gives type of values of variable Restrictions on their possible values Relationships to each other Values of variables may change but it describes the properties of the variables which must be true during execution process. Type of variable is expressed as: Either an element of a set var € TYPE Subset of a set var⊑ TYPE. Var=expression

INVARIANT serve € N ⋀ next € N ⋀ serve ≤ next At least one invariant clause should be defined for each variable. Listed Next € N Sreve € N Furthure restrictions imposed by the operation can also be added In Ticket machine number being served must be less than the number of the ticket to be given out. server≤next INVARIANT serve € N ⋀ next € N ⋀ serve ≤ next

OPERATIONS It has following parts The name of the operation Input parameters Output parameters What the operation requires.(restrictions, conditions) What the operation modifies (variables that are modified) The effects or behavior of the operation(what the operation does). In B, operation is described in a structured way Name, input, output parameters of an operation are given by an operation header Outputs⃖ name(inputs) Where name refers to operation name, outputs is a list of output and inputs is a list of inputs

Inputs and outputs are optional parameters. Name must be given Inputs and outputs are optional parameters. Ticket machine will offer two operations One to serve customer and update the indicator board To provide the customer with the next ticket. Ss⃖serve_next tt ⃖ take_ticket Operation has precondition, It states that what the operation requires in order to behave correctly. Information of all input variables. Assumptions/state of the inputs

The requirements on the user to ensure that the requirements are met whenever the operation is called. For example, the serve_next operation will be called when the sales assistant has finished serving a customer. In this case serve must be less than next. If the shop is empty, then the value of serve will be the same as next. Thus the precondition will be serve ≤next Body of the operation, describes what the operation achieves. It must assign some value to one of the outputs. Output should be in terms of initial state and input values. Update the state of the variable

In AMN assignment is written as x:=E (pronounced x becomes E) In case of serve_next, Serve should be incremented Output should be incremented to show state serve. In AMN assignment is written as x:=E (pronounced x becomes E) Serve:= serve+1 Output of this operation is assigned the same value Ss, serve:=serve+1,serve+1. Body shows the states, there is no intermediate statement in the operation, therefore multiple assignments must be shown in simultaneous assignment, rather than a sequence of assignments one after the other.

The complete specification of the operation serve_next is as follows

Type of the output variable ss is given by the assignment, there is no need to declare its type. It is determined from the operation. After the execution of operation it must guarantee that the invariant is still true on the updated state. Then the operation is consistent. Is the operation serve_next consistent with the inavriant? If the precondition is weaker then there will be the chance of inconsistency with its variant.

Strengthening the precondition of serve_next to serve<next imposes more constraints on the user. Then the operation becomes consistent. Operation take_ticket

If a precondition is true, it may be dropped from the specification

Is consistent with the invariant of the Ticket machine?

INITIALISATION serve, next:=0,0 Describes possible initial state of the machine. All variables listed must be initialised. The Ticket machine should start with 0 on the display board, 0 is the number of the first ticket to be taken. INITIALISATION serve, next:=0,0 INITILISATION can only be consistent if initial states are correct with respect to the invariant.

complete Specification of Ticket machine

Set Theory The B method makes use of the language of set theory and logic with in AMN in order to express these requirements in a formal and precise way. Set Collection of entities of some sort. Notation for set membership is e € S, pronounced e is a member of S for a set S and element e. Finite set Naming Convention of set in B Names of given sets are in upper case SMALLSQUARE={4, 16, 0, 1,9}

Empty set Set comprehension {} Set can be defined as a collection of elements of some type which meet a particular property. SMALLSQUARE

Segment of the natural numbers can be expressed using the notation m…n, which defines the set of numbers between m and n Subset If all the members S are also the members of another set then S is said to be a subset of T S ⊑T

Set combinations If S and T are both sets ,then their union S⊔ T is another set which contains elements that appear in either S or T.. Generalized union ⊔ SS over set of SS. Elements that appear in any set S€ SS. Intersection The intersection of S∩T of two sets is the set of elements that are in both S and T. Generalized intersection ∩SS over a set of sets SS. The set of elements that appear in every set S€ SS. If S∩T={} then S and T are said to be disjoint

Set Subtraction Subset S-T is used to obtain the set of members of S which are not members of T. For example CHESS_GO is the set of all chess players who do not play GO. Subset Sets which contain only elements from S. Empty set {} is always one such set. SET={alice,bob} {} {alice} {bob} {alice, bob}

Power set Cartesian Product The collection of subsets of S is called power set and written as Cartesian Product S x T of two sets S and T will be the set of ordered pairs of elements (s, t) In which s€ S for the first element of the pair, and T€ T for the second element.

The Cartesian product is the set of all possible pairings of such elements. For example {alice, bob} and {home, work} {alice, home} {alice, work} {bob, home} {bob, work} The Cartesian product of two sets is given by

Set theoretic notation

The size or cardinality of set s is written card(S). It is the number of elements it contains. For example Card({alice, bob}) = 2 Task