Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität and Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik
Slide 2 H. Schlingloff, Logical Specification First-Order Predicate Logics FOL FOL ::= R ( V n ) | | (FOL FOL) | V FOL Typed FOL V : D FOL Typed FOL = (t 1 =t 2 ) special predicate (not expressible in FOL) 1 x stands for x( y( (y x) ¬ (y:=x)))
Slide 3 H. Schlingloff, Logical Specification Set theory Comprehension scheme {x: T| (x) ● expr(x)} - expr(x) is an expression of type D involving variable x of type T - The set of all values of expr(x) (in D U ) where the value of x (in T U ) satisfies (x) {x: T| (x)} stands for {x: T| (x) ● x} Set operations y {x: T| (x) ● expr(x)} stands for x:T ( (x) y=expr(x)) M 1 M 2 stands for x(x M 1 x M 2 ) etc. Power set operator M 1 ℙ M 2 if M 1 M 2 (but: set variables not available in FOL!)
Slide 4 H. Schlingloff, Logical Specification Slide H. Schlingloff, Logical Specification Z Properties described in FOL (Q x:T| (x) (x)) - [quantifer][variable]:[type]|[constraint] [predicate] ( x:T| ) stands for x:T ( ∧ ) ( x:T| ) stands for x:T ( ) Z schemes: name, signature and formulas
Slide 5 H. Schlingloff, Logical Specification Z semantics Every Z scheme defines a set of (first-order) models M: (U,I,V) („each model being a function from names defined by the specification to values that those names are permitted to have by the constraints imposed on them in the specification“) U contains a domain for each type in the scheme (named and unnamed types), such that the set constraints are satisfied - e.g. ℙ M is the set of all subsets of M - e.g. ℤ is the set of integers I is an interpretation of function and relation symbols - built-in functions are interpreted as expected V is a first-order variable valuation, such that all specification formulae are satisfied - note: type names cannot be used as variables!
Slide 6 H. Schlingloff, Logical Specification Example defines the set of models Each section defines a set of section models
Slide 7 H. Schlingloff, Logical Specification The Z standard International standard 2002 Defines standard operations sets, powersets tuples, products, sequences functions, relations numbers Markup languages LaTeX, ASCII
Slide 8 H. Schlingloff, Logical Specification Sets, Powersets
Slide 9 H. Schlingloff, Logical Specification Tuples, Sequences
Slide 10 H. Schlingloff, Logical Specification Functions, Relations
Slide 11 H. Schlingloff, Logical Specification Numbers
Slide 12 H. Schlingloff, Logical Specification
Slide 13 H. Schlingloff, Logical Specification Three Definitions of abs
Slide 14 H. Schlingloff, Logical Specification Slide H. Schlingloff, Logical Specification Z schemas – state changes delta abbreviation specifies extended models compare the propositional case unprimed variables: current state primed variables: next state
Slide 15 H. Schlingloff, Logical Specification General Form of Transition
Slide 16 H. Schlingloff, Logical Specification Z – Another Example The Steam Boiler Control Specification Problem Jean-Raymond Abrial, Egon Börger, and Hans Langmaack: Formal Methods for Industrial Applications: Specifying and Programming the Steam Boiler Control. Springer LNCS 1165, October 1996 (ISBN ) Purpose: control the level of water in a steamboiler The quantity of water present when the steamboiler is working has to be neither too low nor to high otherwise the steamboiler or the turbine sitting in front of it might be seriously affected More than 30 solutions available
Slide 17 H. Schlingloff, Logical Specification Z – Steam Boiler Example
Slide 18 H. Schlingloff, Logical Specification Z – Steam Boiler Example
Slide 19 H. Schlingloff, Logical Specification Z – Steam Boiler Example
Slide 20 H. Schlingloff, Logical Specification Z – Steam Boiler Example
Slide 21 H. Schlingloff, Logical Specification Steam Boiler Variables Summary of various constants or physical variables of the system
Slide 22 H. Schlingloff, Logical Specification Steam Boiler Control
Slide 23 H. Schlingloff, Logical Specification Steam Boiler Control
Slide 24 H. Schlingloff, Logical Specification Steam Boiler Operation The program operates in different modes, namely: initialization, normal, degraded, rescue, emergency stop The initialization mode is the mode to start with. The program enters a state in which it waits for the message STEAM- BOILER_WAITING to come from the physical units As soon as this message has been received the program checks whether the quantity of steam coming out of the steamboiler is really zero. If the unit for detection of the level of steam is defective, that is, when d is not equal to zero, the program enters the emergency stop mode. If the quantity of water in the steamboiler is above w max, the program activates the valve of the steamboiler in order to empty it. If the quantity of water in the steamboiler is below N w min, …
Slide 25 H. Schlingloff, Logical Specification Steam Boiler Operation: Init
Slide 26 H. Schlingloff, Logical Specification Steam Boiler Operation: Init
Slide 27 H. Schlingloff, Logical Specification Steam Boiler Operation: Normal The normal mode is the standard operating mode in which the program tries to maintain the water level in the steamboiler between w min and w max with all physical units operating correctly. As soon as the water level is below w min or above w max the level can be adjusted by the program by switching the pumps on or off. The corresponding decision is taken on the basis of the information which has been received from the physical units. As soon as the program recognizes a failure of the water level measuring unit…
Slide 28 H. Schlingloff, Logical Specification Steam Boiler Operation: Normal
Slide 29 H. Schlingloff, Logical Specification Steam Boiler Operation: Normal
Slide 30 H. Schlingloff, Logical Specification Reflection on Z State-based system, similar to finite automaton – Z may not be the ideal specification language High expressiveness by set theory and logic Possibility of under-specification in Z Modularity (but no object orientation) Well-suited for program verification Not well-suited for refinement (transformational program development) and/or test generation
Slide 31 H. Schlingloff, Logical Specification Yet Another Case Study 1. The subject is to invoice orders. 2. To invoice is to change the state of an order (to change it from the state "pending" to "invoiced"). 3. On an order, we have one and one only reference to an ordered product of a certain quantity. The quantity can be different to other orders. 4. The same reference can be ordered on several different orders. 5. The state of the order will be changed into "invoiced" if the ordered quantity is either less or equal to the quantity which is in stock according to the reference of the ordered product.
Slide 32 H. Schlingloff, Logical Specification Yet Another Case Study (2) 6. You have to consider the two following cases: (a) Case 1 All the ordered references are references in stock. The stock or the set of the orders may vary: - due to the entry of new orders or cancelled orders; - due to having a new entry of quantities of products in stock at the warehouse. However, we do not have to take these entries into account. This means that you will not receive two entry flows (orders, entries in stock). The stock and the set of orders are always given to you in a up-to-date state. (b) Case 2 You do have to take into account the entries of: - new orders; - cancellations of orders; - entries of quantities in the stock.