CS 501: Software Engineering Fall 2000AdministrationFormal SpecificationSlide 4Mathematical SpecificationSpecification of Programming LanguagesFormal Specification Using DiagramsTwo RulesExample: Z Specification LanguageExample: AlgorithmExample: ProgramFinite State MachineSlide 13State Transition DiagramState Transition TableZ SpecificationZ Specification (continued)SchemasLibSys: An Example of ZLibSys: OperationsLibSysSchemas Describing OperationsOperation: Issue a BookDomain and RangeSlide 25Operation: Issue a Book (continued)LibSys: Schema for Abstract StatesSchema InclusionSchema Inclusion (continued)Schema DecorationSlide 31The Schema CalculusCS 501: Software EngineeringFall 2000Lecture 10Formal SpecificationAdministrationNomadic laptops• Study of student useNext MondayDiscussion about the first presentationFormal SpecificationWhy?• Precise standard to define and validate softwareWhy not?• May be time consuming• Methods not suitable for all applicationsFormal SpecificationBen Potter, Jane Sinclair, David Till,An Introduction to Formal Specification and Z(Prentice Hall) 1991Jonathan JackyThe Way of Z(Cambridge University Press) 1997Mathematical SpecificationExample of specificationB1, B2, ... Bk is a sequence of m x m matrices1, 2, ... k is a sequence of m x m elementary matrices B1-1 = 1B2-1 = 21Bk-1 = k ... 21The numerical accuracy must be such that, for all k, BkBk-1 - I < Specification of Programming Languages<unsigned number> ::= <unsigned integer> | <unsigned real><unsigned integer> ::= <digit> {<digit>}<unsigned real> ::= <unsigned integer> . <digit> {<digit>} | <unsigned integer> . <digit> {<digit>} E <scale factor> | <unsigned integer> E <scale factor><scale factor> ::= <unsigned integer> | <sign> <unsigned integer><sign> ::= + | -Pascal number syntaxFormal Specification Using Diagramsdigitunsigned integerdigit.E+-unsigned integerunsigned integerunsigned numberTwo Rules• Formal specification does not guarantee correctness• Formal specification does not prescribe the implementationInformal: The function intrt(a) returns the largest integer whose square is less than or equal to a.Formal (Z):intrt: N N a : N • intrt(a) * intrt(a) < a < (intrt(a) + 1) * (intrt(a) + 1)Example: Z Specification LanguageExample: Algorithm1 + 3 + 5 + ... (2n - 1) = n2Example: Programint intrt (int a)/* Calculate integer square root */{ int i, term, sum; term = 1; sum = 1; for (i = 0; sum <= a; i++) { term = term + 2; sum = sum + term; } return i;}Finite State MachineA broadly used method of formal specification:• Event driven systems (e.g., games)• User interfaces• Protocol specificationetc., etc., ...Finite State MachineExample: Therapy control console[informal description]State Transition DiagramPatientsFieldsSetup ReadyBeamonEnter EnterStartStopSelect fieldSelect patient(interlock)(ok)State Transition TableSelectPatientSelectFieldEnterokStart StopinterlockPatientsFieldsSetupReadyBeamonFieldsFieldsFieldsPatientsPatientsPatientsSetupSetupSetupReadyBeamonReadyZ SpecificationSTATE ::= patients | fields | setup | ready | beam_onEVENT ::= select_patient | select_field | enter | start | stop | ok | interlockFSM == (STATE X EVENT) STATE no_change, transitions, control : FSMContinued on next slideZ Specification (continued)control = no_change transitionsno_change = { s : STATE; e : EVENT • (s, e) s }transitions = { (patients, enter) fields, (fields, select_patient) patients, (fields, enter) setup, (setup, select_patient) patients, (setup, select_field) fields, (setup, ok) ready, (ready, select_patient) patients, (ready, select_field) fields, (ready, start) beam_on, (ready, interlock) setup, (beam_on, stop) ready, (beam_on, interlock) setup }SchemasSchema:• The basic unit of formal specification.• Describes admissible states and operations of a system.LibSys: An Example of ZLibrary system: • Stock of books• Registered users.• Each copy of a book has a unique identifier.• Some books on loan; other books on shelves available for loan.• Maximum number of books that any user may have on loan.LibSys: Operations• Issue a copy of a book to a reader.• Reader return a book.• Add a copy to the stock.• Remove a copy from the stock.• Inquire which books are on loan to a reader.• Inquire which readers has a particular copy of a book.• Register a new reader.• Cancel a reader's registration.LibSysLevel of Detail:Assume given sets: Copy, Book, ReaderGlobal constant: maxloansSchemas Describing OperationsNaming conventions for objects:Before: plain variables, e.g., rAfter: with appended dash, e.g., r'Input: with appended ?, e.g., r?Output: with appended !, e.g., r!Operation: Issue a Book• Inputs: copy c?, reader r?• Copy must be shelved initially: c? shelved• Reader must be registered: r? readers• Reader must have less than maximum number of books on loan: #(issued {r?}) < maxloans• Copy must be recorded as issued to the reader: issued' = issued {c? r?}• The stock and the set of registered readers are unchanged: stock' = stock; readers' = readersDomain and Rangedom mX Yxran mym : X Ydom m = { x X : y Y x y}ran m = { y Y : x X x y}Operation: Issue a Book stock, stock' : Copy Bookissued, issued' : Copy Readershelved, shelved': F Copyreaders, readers' : F Readerc?: Copy; r? :Reader [See next slide]IssueOperation: Issue a Book (continued)[See previous slide]Issueshelved dom issued = dom stockshelved' dom issued' = dom stock'shelved dom issued = Ø; shelved' dom issued' = Øran issued readers; ran issued' readers'r : readers - #(issued {r}) maxloansr : readers' - #(issued' {r}) maxloansc? shelved; r? readers; #(issued {r?}) < maxloansissued' = issued {c? r?}stock' = stock; readers' = readers<<LibSys: Schema for Abstract StatesLibrarystock : Copy Bookissued : Copy Readershelved : F Copyreaders: F Readershelved dom issued = dom stockshelved dom issued = Øran issued readersr : readers • #(issued {r})
View Full Document
Unlocking...