M'Sc Computing Science Software Engineering Lecture 10

1
M.Sc Computing Science Software Engineering
Lecture 10

• Niki Trigoni
• Department of Computer Science
• and Information Systems
• Birkbeck College, University of London
• Email niki_at_dcs.bbk.ac.uk
• Web Page http//www.dcs.bbk.ac.uk/niki

2
Review of lecture 9

• Architectural analysis is concerned with
  identifying and resolving non-functional
  requirements (in the context of functional ones).
• Architectural analysis is concerned with the big
  picture of the system (high-level factors about
  the system and its subsystems).
• There are several views to architectural
  analysis, e.g. logical, process, use-case,
  implementation etc.
• The logical view of architectural analysis is
  concerned with the logical organization of system
  into layers and subsystems.
• In the UP, the document that describes
  architectural factors and decisions for several
  views of the system is the SAD.

3
Formal methods

• Software Engineering. Ian Sommerville. 5th
  edition, chapt. 9 and 11.
• For system applications where safety, reliability
  or security is paramount, formal specification
  and analysis are effective ways of increasing
  confidence that the system meets its
  requirements.
• For a large class of systems, their use is not
  cost-effective, but for a smaller class of safety
  critical systems, it is essential.
• Software engineers have been reluctant to make
  use of formal specification techniques because of
• lack of training in discrete maths
• customers unwillingness to pay specification
  activities
• formal methods not suitable for
  interactive/concurr. applic.
• little tool support available

4
Advantages of formal specification

• It provides insights into the software
  requirements and design
• Mathematical analysis demonstrates specification
  consistency and completeness. Possible to prove
  that the implementation corresponds to the
  specification (i.e. verification becomes trivial)
• May be used to guide the tester of the component
  in identifying appropriate test cases
• Formal specifications may be processed with
  software tools (e.g. to animate the specification
  to provide a software prototype)

5
Specifying functional abstractions

• The simplest specification is function
  specification (no need to be concerned with
  global state)
• Functions accept inputs and return a result, but
  are stateless. Previous inputs do not affect the
  result which they return.
• Functions may be specified using pre-conditions
  and post-conditions.
• A pre-condition is a specification of a condition
  which always holds for the functions inputs.
• A post-condition is a specification of the
  corresponding condition for the functions
  outputs.
• Pre- and post- conditions are predicates (Boolean
  expressions) over the inputs and outputs of a
  function, and specify a function.

6
Predicates in pre-/post-conditions

• Predicates may include operators such as , gt, lt,
  gt, lt, and, or, not and quantifiers such as
  for_all (universal) and exists (existential). The
  operator in can be used to select the range over
  which the quantifier applies.
• A function can be specified using the
  pre-condition and post-condition predicates.
• Examples of predicates
• AgtB and CgtD
• exists i,j,k in M..N i2j2k2
• for_all i in 1..10 exists j in 1..10 ArrayX(i)
  j2

7
Stages of function specification

• Establish the range of the input parameters over
  which the function should behave correctly
• Specify a predicate defining a condition which
  must hold on the output of the function if it
  behaves correctly
• Establish what changes (if any) are made to the
  functions input parameters and specify these. A
  pure mathematical function should not change its
  inputs, but programming languages usually allow
  function inputs to be modified by passing them by
  reference
• Combine these into pre- and post-conditions for
  the function

8
Function specification examples

• We would like to specify a function that searches
  for the index (position) of an array where an
  element is stored. The array must always contain
  the searched element.
• function Search(X IntegerArray, Key Integer)
  Integer
• Pre exists i in firstIndexOfX..lastIndexOfX
  X(i)Key
• Post X(Search(X,Key))Key and XX
• Error Search(X,Key) lastIndexofX1

9
Discussion about function specification

• The notion of pre- and post- conditions is a
  fundamental one in formal specification.
• However, specifications based on these conditions
  do not scale up to large or medium-sized systems.
  The reason for this is the inherent complexity of
  the pre- and post- conditions when system state
  is considered.
• Two approaches to formal specification are used
  instead
• Algebraic approach the system is described in
  terms of operations and their relationships.
• Model-based approach a model of the system is
  constructed using well-understood mathematical
  entities such as sets and sequences

10
Model-based specification

• Formal specification of software by developing a
  mathematical model of the system
• The system specification is expressed as a state
  model.
• The state of the system is not hidden.
• State changes are straightforward to define
• The state model is constructed using
  well-understood mathematical entities, e.g. sets
  and functions.
• Operations are specified by defining how they
  affect the state of the model.

11
Z specification language

• Notations for developing model-based
  specifications are VDM and Z.
• Z specification language is based on typed set
  theory
• Z is probably the most widely-used specification
  language
• The building block used in Z is the schema.
• A schema includes
• A name identifying the schema
• A signature introducing entities and their types
• A predicate part defining invariants over these
  entities
• Schemas can be included in other schemas

12
Z schema examples
Schema name
Container
Schema signature
contents N capacity N contents lt capacity
Schema predicate
Indicator
light off,on reading N danger_level
N light_on ?reading ltdanger_level
13
Combining schemata

• We can combine the schemata container and
  indicator
• What would an expanded full specification of a
  storage tank look like?

Storage_tank
Container Indicator readingcontents capacity500
0 danger_level 50
14
Expanded schema specification

• Storage tank without using previous schemata

Storage_tank
contents N capacity N reading N danger_level
N light off,on contentsltcapacity lighton ?
readinglt danger_level readingcontents capacity5
000 danger_level 50
15
Z language conventions

• A variable name decorated with a quote mark (e.g.
  N) represents the value of the state variable N
  after an operation (N is decorated with a dash).
• A schema name decorated with a quote mark
  introduces (only) the dashed values of all names
  defined in the schema.
• A variable name decorated with a ! represents an
  output.
• A variable name decorated with a ? represents an
  input.
• A schema name prefixed by the Greek letter ?
  means that the defined operation does not change
  the values of state variables
• A schema name prefixed by the Greek letter ?
  means that the operation changes some or all of
  the state variables introduced in that schema.

16
Operation specification

• An operation is specified incrementally as a
  schema
• An exceptional situation is also defined as a
  schema

Fill-OK
? Storage_tank amount? N contents amount? lt
capacity contents contents amount?
OverFill
? Storage_tank amount? N r! seq CHAR
contents amount? gt capacity r!
Insufficient tank capacity Fill cancelled
17
Operation specification

• We combine the previous two schemas using the
  disjunction (or) operator
• The complete specification of the method (Fill)
  was built by
• Defining a partial specification for the normal
  case
• Defining further specification for the
  exceptional case
• Combining these specifications to fully define
  the Fill method

Fill
Fill-OK V OverFill
18
The Z specification process
Write informal specification
Decompose system
Specify system components
Compose component specification
Define given sets and types
Define state variables
Define initial state
Define correct operations
Define exceptional operations
Combine operation schemas
19
Data dictionary specification with Z

• Example data dictionary that keeps track of
  system names
• Data dictionary structure
• Item name
• Description
• Type assume in these examples that the allowed
  types are those used in logical data models
• Creation date
• The first stage in the specification process is
  to introduce given sets and types.

20
Type definitions

• There are a number of build-in types (e.g.
  INTEGER) in Z.
• Other types may be defined by enumeration
• Sem_Model_Types relation, entity, attribute
• Schemas may also be used for type definition.
  Their predicates serve as constraints on the type

21
Specification using functions

• A function is a mapping from an input value to an
  output value
• SmallSquare1?1, 2?4, 3?9, 4?16
• The domain of a function is the set of inputs
  over which the function has a defined result
• dom (SmallSquare) 1, 2, 3, 4
• The range of a function is the set of results
  which the function can produce
• rng (SmallSquare) 1, 4, 9, 16

22
Data dictionary modeling

• A data dictionary can be thought of as a mapping
  from a name (the key) to a value (the description
  in the dictionary)
• Operations are
• Add Makes a new entry in the dictionary or
  replaces an existing entry
• Lookup Given a name, returns the description
• Delete Deletes an entry from the dictionary
• Replace Replaces the information associated with
  an entry

23
Schema defining a dictionary entry

• Each entry includes a key, a description, a type
  and a creation_date. The descriptions should not
  exceed 2000 characters
• seq char sequence of characters
• sequence collection of elements where each
  element is referenced by its position in the
  sequence
• cardinality

DataDictionaryEntry
name NAME desc seq CHAR type
Sem_Model_Types creation_date DATE desc lt
2000
24
Schema defining a dictionary as a function

• Functions allow one value to be mapped onto
  another. They can therefore be used to define a
  data dictionary, where a name is mapped onto a
  data dictionary entry.
• ? indicates a partial function
• ddict partial function from NAME to
  DataDictionaryEntry

DataDictionary
DataDictionaryEntry ddict NAME ?
DataDictionaryEntry
25
Initial state of data dictionary
Init-DataDictionary
DataDictionary ddict O

• DataDictionary state of the data dictionary
  after initialization
• O represents an empty set

26
Correct partial add and lookup operations
Add-OK
? DataDictionary name? NAME entry?
DataDictionaryEntry name? dom ddict ddict
ddict name??entry?
Lookup-OK
? DataDictionary name? NAME entry!
DataDictionaryEntry name? dom ddict entry!
ddict(name?)
27
Add and lookup operations with input error
Add-Error
? DataDictionary name? NAME error! seq
CHAR name? dom ddict error! Name
already in dictionary
Lookup-Error
? DataDictionary name? NAME error! seq
CHAR name? dom ddict error! Name not in
dictionary
28
Add and lookup operations
Add
Add-OK V Add-Error
Lookup
Lookup-OK V Lookup-Error
29
Replace operation
Replace-OK
? DataDictionary name? NAME entry?
DataDictionaryEntry name? dom ddict ddict
ddict name?? entry?)
function over-riding operator
Replace
Replace-OK V Lookup-Error
30
Delete operation
Delete-OK
? DataDictionary name? NAME name? dom
ddict ddict name? ddict
domain subtraction operation
Delete
Delete-OK V Lookup-Error
31
Specifying ordered collections

• Specification using functions does not allow
  ordering to be specified
• Sequences are used for specifying ordered
  collections (e.g. sequences of characters seq
  CHAR)
• A sequence is a mapping from consecutive integers
  to associated values

32
Data dictionary extract operation

• The Extract operation extracts from the data
  dictionary all those entries whose type is the
  same as the type input to the operation
• The extracted list is presented in alphabetical
  order
• A sequence is used to specify the ordered output
  of Extract

33
The Extract operation
Extract
DataDictionary rep! seq DataDictionaryEntry in_typ
e? Sem_model_types n dom ddict
ddict(n).typein_type? ? ddict(n) rng rep!
i1ltiltrep! rep!(i).type in_type?
i1ltiltrep! rep!(i) rng ddict i,
j dom rep! (iltj) ? rep.name(i)ltNAMErep.name
(j)

• For each entry in the dictionary with type
  in_type?, the entry must also be in the range of
  the rep! (in the reply list).
• Each index i of the reply list must host an entry
  with type in_type?
• Each index i of the reply list must host an entry
  that is also in the dictionary
• Entries in the reply list must be ordered by the
  entrys name (ascend. Order)

34
Data dictionary specification
The-Data-Dictionary
DataDictionary Init-DataDictionary Add Lookup Dele
te Replace Extract
35
Summary of lecture 10

• Model-based specification relies on building a
  system model using well-understood mathematical
  entities.
• Z specifications are made up of mathematical
  model of the system state and a definition of
  operations on the state.
• A Z specification is presented as a number of
  schemas.
• Schemas may be combined to make new schemas.
• Operations are specified by defining their effect
  on the system state.
• Operations may be specified incrementally.
• Z functions are a set of pairs, where the domain
  of the function is the set of valid inputs. The
  range is the set of associated outputs.
• A sequence is a special type of function whose
  domain is the consecutive integers.