Z (Zed) Specification Model

Formal Modeling with Z: An Introduction
Luca Vigan` o Institut f ur Informatik Albert-Ludwigs-Universit at Freiburg Spring 2002
Software Engineering
Luca Vigan` o
Overview
Today: Modeling with formal languages: why and how? A standard introductory example. The Z language rst denitions. Next classes: Z in detail, the mathematical toolkit, and applications.
Spring 2002
Luca Vigan` o
Modeling
Requirements Definition System and Software Design Implementation and Unit Testing Integration and System Testing Operation and Maintenance
Goal: specify the requirements as far as possible, but abstract as possible. Denition: A model is a construction or mathematical object that describes a system or its properties.
Spring 2002
Luca Vigan` o
Which Modeling Language?
There are hundreds! Dierences include: System view: static, dynamic, functional, object-oriented,... Degree of abstraction: e.g. requirements versus system architecture. Formality: informal, semi-formal, formal. Religion: OO-school (OOA/OOD, OMT, Fusion, UML), algebraic specication, Oxford Z/CSP-Sect, Church of HOL,... Examples: Function trees, data-ow diagrams, E/R diagrams, syntax diagrams, data dictionaries, pseudo-code, rules, decision tables, (variants of) automata, Petri-nets, class diagrams, CRC-cards, message sequence charts,... Why are UML or other semi-formal languages not enough?
Spring 2002
Luca Vigan` o
Disadvantages of Semi-Formal Languages
Modeling is detailed and intuitive (and simple, i.e. also for managers and laymen). Semantics of models/diagrams is often imprecise. Often only syntax.
Spring 2002
Luca Vigan` o
Example: Problems with E/R-Diagrams

RoomID Capacity Features
DayBeginDuration
contains
PreferredDayBeginDurations
(scheduling variant) n
RoomOffer
n
Day Begin
Duration
1
contains
contains
contains
1 1 contains 1
Instructor
participates in
EventOffer
EventAssignment
n
Name Rank
ResearchGroup
contains
EventOfferID Title Type Requirements
ExpectedAttendants Additional Information CSID
ClassSchedule
Are the relations directed? Several properties cannot be specied graphically (e.g. constraints). etc. We will employ Z to formalize semi-formal diagrams and models.
Software Engineering Spring 2002
Luca Vigan` o
Formal Languages
A language is formal if its syntax and semantics are dened formally (mathematically). Formal languages allow for the design, the development, the verication, the testing and the maintenance of a system: remove ambiguities and introduce precision, structure information at an appropriate abstraction level, support the verication of design properties, are supported by tools and systems.
Using mathematics (and formal methods) may appear to be expensive, but in the long run it pays o (and how!).
Spring 2002
Luca Vigan` o
Z (zed)
Is a very expressive formal language. Based on rst-order logic with equality (PL1=) and typed set-theory. Has a mathematical toolkit: a library of mathematical denitions and abstract data-types (sets, lists, bags, ...). Supports the structured modeling of a system, both static and dynamic: modeling/specication of data of the system, functional description of the system (state transitions). Is supported by several tools and systems.
Spring 2002
Luca Vigan` o
Z and other Formal Languages/Methods
A number of successfully employed Formal Methods are based on PL1= with type-theory, e.g. VDM (Vienna Development Method, 80s), B (applied extensively in France). Other formal languages: Equational logic or Horn logic (in algebraic specications), PL1=, Higher-order logic (HOL). Z: Applied successfully since 1989 (Oxford University Computing Laboratory), e.g. British government requires Z-specications for security-critical systems. Is (will soon be) an ISO standard.
Luca Vigan` o
An Example (1)
A mathematical model that describes the intended behavior of a system is a formal specication. Q: Why do we need such a specication if we can simply write a program? Why not directly implement the program? A: A program can be quite cryptic, and therefore we need a specication that describes formally the intended behavior at the appropriate abstraction level.
Spring 2002
Luca Vigan` o
10
An Example (2)
Example: What does the following simple SML-program do? fun int_root a = (* integer square root *) let val i = ref(0); val k = ref(1); val sum = ref(1); in while (!sum <= a) do (k := !k+2; sum := !sum + !k; i := !i+1); !i end;
Spring 2002
Luca Vigan` o
11
An Example (3)
The program is ecient, short and well-structured. The program name and the comment suggest that int_root simply computes the integer square root of the input, but is it really the case? Moreover: What happens in special input cases, e.g. when the input is 0 or -3? Such questions can be answered by code-review (or reverse-engineering), but this requires time and can be problematic for longer programs. The key is abstraction: understanding the code must be separated from understanding its function. For example, consider a VCR whose only documentation is the blue-print of its electronic.
Spring 2002
Luca Vigan` o
12
A Example (4)
Solution: we can specify the program in Z. Formalize what the system must do without specifying/prescribing how. We specify int_root in Z by means of a so-called axiomatic denition (or axiomatic description):
int root : Z N a : N let y = int root (a ) y y a < (y + 1) (y + 1) a : N \ {0} int root (a ) = 0
declaration predicate ... predicate
More about Z
implementation in a few weeks.

Spring 2002
Luca Vigan` o
13
An Introductory Example: The Birthdaybook

The Birthdaybook is a small database containing peoples names and their birthdays. A simple event-model:
AddBirthday Init
BirthdayBook
Remind
FindBirthday
A structured Z-specication in 3 steps: 1. Dene the (auxiliary) functions and types of the system. 2. Dene the state-space of the system. 3. Dene the operations of the system (based on the relations of the state-space).
Luca Vigan` o
14
The Birthdaybook: Z-Specication (1)

Step 1. Dene the (auxiliary) functions and types of the system: Basic types
[NAME , DATE ]
The precise form of names and dates is not important (e.g. strings, 06/03, 03/06, 6.3, 06.03, March 6, 6.Mar, or ...).
Spring 2002
Luca Vigan` o
15

Step 2. Dene the state-space of the system using a Z-schema:
Birthdaybook known : P NAME birthday : NAME DATE known = dom birthday
Name of schema declaration of typed variables (represent observations of the state) relationships between values of vars (are true in all states of the system and are maintained by every operation on it)
Notation and remarks: known is the set (symbol P) of names with stored birthdays, birthday is a partial function (symbol ), which maps some names to the corresponding birthdays, The relation between known and birthday is the invariant of the system: the set known corresponds to the domain (dom) of the function birthday.
Luca Vigan` o
16
Example of a possible state of the system: known birthday = {Susy, Mike, John} = {John 25.Mar , Susy 20.Dec , Mike 20.Dec}
Invariant known = dom birthday is satised: birthday stores a date for exactly the three names in known. N.B.: no limit on stored birthdays, no particular (prescribed) order of the entries, each person has only one birthday (birthday is a function), two persons can have the same birthday.
Spring 2002
Luca Vigan` o
17

Step 3. Dene the operations of the system (based on the relations of the state-space). Some operations modify the state and some leave it unchanged. Some operations have input and/or output:
in? System out!
Examples of operations: AddBirthday, FindBirthday, Remind (and Init).

AddBirthday Init
BirthdayBook
Remind
FindBirthday
Spring 2002
Luca Vigan` o
18

Add the birthday of a person, who is not yet known to the system:
AddBirthday BirthdayBook name ? : NAME date ? : DATE name ? known birthday = birthday {name ? date ?}
Name of operation (schema) structured import (symbol ) input of operation (symbol ?) input of operation (symbol ?) precondition for success of operation extend the birthday function (if precondition is satised)
This schema modies the state: it describes the state before (variables without ), and that after the operation (variables with ). Note that we do not specify what happens when the precondition is not satised. It is possible to extend (rene) the specication so that an error message is generated.
Luca Vigan` o
19
We expect that AddBirthday extends the set of known names with the new name: known = known {name ?} We can use the specication of AddBirthday to prove this, by exploiting the invariant of the state before and after the operation:
known
= = = = =
dom birthday dom(birthday {name ? date ?}) (dom birthday ) (dom{name ? date ?}) (dom birthday ) {name ?} known {name ?}
[invariant after] [spec of Addbirthday ] [fact about dom ] [fact about dom ] [invariant before]
Proving such properties ensures that the specication is correct: We can analyze the behavior of the system without having to implement it!
Luca Vigan` o
20

Find the birthday of a person known to the system:
FindBirthday BirthdayBook name ? : NAME date ! : DATE name ? known date ! = birthday (name ?)
Name of operation (schema) structured import (symbol ) input of operation (symbol ?) output of operation (symbol !) precondition for success of operation output of operation (if successfull)
This schema leaves the state unchanged and is equivalent to:

FindBirthday BirthdayBook name ? : NAME date ! : DATE known = known birthday = birthday name ? known date ! = birthday (name ?)
Spring 2002
Luca Vigan` o
21

Find out who has his birthday at some particular date: Remind BirthdayBook today ? : DATE cards ! : P NAME cards ! = { n known | birthday (n ) = today ? } cards ! is a set of names, to whom birthday-cards should be sent. Initial state of the system: InitBirthdayBook BirthdayBook known = known = implies birthday is also empty.
Luca Vigan` o
22
What does the Z-specication tell us about the implementation? It describes what the system does without specifying/prescribing how. For example, the Z-specication identies legal and illegal data and operations. Illegal operations are for instance: simultaneous addition of the birthdays of two persons, addition of the birthday of a person who is already known to the system (name ? known ). An operation ChangeBirthday is not specied and could be added, or only realized in the implementation. More in the next classes.
Spring 2002
Luca Vigan` o
23
Summary
Z is an expressive language (PL1= and typed set-theory). Z supports structured, static and dynamic, modeling. More about Z: http://archive.comlab.ox.ac.uk/z.html Tools and systems: see the course webpage. ZETA (an open environment, including a type-checker; emacs Zeta-Mode) /usr/local/zeta HOL-Z tool (an embedding of Z in the theorem prover Isabelle). Object-Z (an object-oriented extension of Z). Books about Z and LaTeX style-le.
Spring 2002

Z (Zed) Specification Model

Uploaded by

Z (Zed) Specification Model

Uploaded by

Formal Modeling with Z: An Introduction

Luca Vigan` o Institut f ur Informatik Albert-Ludwigs-Universit at Freiburg Spring 2002

Which Modeling Language?

Disadvantages of Semi-Formal Languages

Example: Problems with E/R-Diagrams

ExpectedAttendants Additional Information CSID

Z and other Formal Languages/Methods

int root : Z N a : N let y = int root (a ) y y a < (y + 1) (y + 1) a : N \ {0} int root (a ) = 0

declaration predicate ... predicate

implementation in a few weeks.

An Introductory Example: The Birthdaybook

The Birthdaybook: Z-Specication (1)

The Birthdaybook: Z-Specication (2)

The Birthdaybook: Z-Specication (3)

The Birthdaybook: Z-Specication (4)

Examples of operations: AddBirthday, FindBirthday, Remind (and Init).

The Birthdaybook: Z-Specication (5)

The Birthdaybook: Z-Specication (6)

The Birthdaybook: Z-Specication (7)

This schema leaves the state unchanged and is equivalent to:

The Birthdaybook: Z-Specication (8)

The Birthdaybook: Z-Specication (9)

You might also like