1 Formal Specifications for Complex Systems (236368) Tutorial #5 I/O specifications; Hoare Logic; OCL

Emilia Katz, Shahar Dag2 I/O Assertions Content What are I/O Assertions? What do I/O Assertions mean? Annotated programs. Using “logical” and “auxiliary” variables. Examples. Assertion – טענה יכולה להיות נכונה או שגויה

Emilia Katz, Shahar Dag3 Some notations are used: (1)x=0, and x’=x+1 for some program S (2) (3) The last 2 examples are called “Hoare assertion”. In flowcharts the assertions are added after the “START” and before the “END” statements. What are I/O Assertions זוהי לוגיקה ולכן מדובר בשוויון ולא בהצבה Hoare נלמד במבוא לאימות תוכנה (לא לדאוג, לא נעסוק באימות) יתרון מודולאריות S1 S2 שקול ל S1;S2 שקול ל S כאשר S הוא S1 שלאחריו מתבצע S2

Emilia Katz, Shahar Dag4 What do I/O assertions mean Initial assertions are assumptions made by the program, to be satisfied by the environment. Final assertions are requirements to be satisfied by the program, if and when it terminates. Every terminating computation that satisfies the initial assertion when it starts, must satisfy the final assertion if it terminates. Non-terminating computations and computations not satisfying the initial assertion, satisfy the I/O specification “vacuously”. This is called partial correctness and it is a kind of safety property. Partial correctness is safety since it guaranties that if something happens (the program ends) then the condition is true.

Emilia Katz, Shahar Dag5 Expressing properties with I/O assertions We restrict ourselves to first-order logic and common mathematical notation. Sometimes certain (well known / standard) predicates can be left undefined ( for example integer(x) ). Look at the following specification (4) What does it specify? Which programs satisfy this specification? It seems that we can express a requirement which can't be implemented. What if we replace integer() with some bounded representation? do we mean the mathematical un-bounded version or the bounded version of a computer program?

Emilia Katz, Shahar Dag6 דוגמאות – דוגמא מספר 1 מה הוא אוסף התוכניות שמקימות את המפרט: { true } S { false }

Emilia Katz, Shahar Dag7 Annotated programs Sometimes a program skeleton is provided, with assertions between statements. Each assertion, called a local invariant and it is supposed to hold whenever the program’s control is at this location. The assertions immediately before and after a statement (usually a place- holder for un-implemented code) are its I/O specification. The implementation can be shown to satisfy the original specification by using a proof method for correctness based on axioms and proof rules. (but in this course we are not going to prove correctness) For example Is an instance of the axiom And an example of a proof rule the meaning of ‘;’

Emilia Katz, Shahar Dag8 Using logical variables Variables that appear only in the assertions are called “logical variables” (also called “ rigid variables ” or “ specification variables ”). (Sometimes in order to specify a property, we need variables not present in the program.) Their value doesn’t change during the execution of the program. A logical value just represents some value, and can be quantified (with  or  ) We saw logical variables in: Logical variables appear only in the assertions We do not assign values to logical variables

Emilia Katz, Shahar Dag9 Using auxiliary variables We may add to a program “auxiliary variables” (new variables) and statements that assign them values, to support the specification. For example: we might add a Boolean variable flag (initialized to false ) to remember that a certain event has occurred, together with an assignment flag := true at the point where the event occurs. Auxiliary variables get their values only in the added assignment statements, which don’t affect the original system variables. The only references to auxiliary variables must be in the added assignment and in assertions within the annotation of the program.

Emilia Katz, Shahar Dag10 דוגמאות – דוגמא מספר 2 יש לתת מפרט שיביע מניעה הדדית בין שני קטעים קריטיים (cs1, cs2) בתוכנית המקבילית הבאה (רמז: העזר ב auxiliary variables) P1 CS1 P2 CS2 P :: P1 || P2

Emilia Katz, Shahar Dag11 דוגמאות – דוגמא מספר 3 תן מפרט קלט/פלט לפרוצדורה P המקבלת מספר טבעי n ומחזירה מספר טבעי m ומערך a[1..m] המכיל את כל המספרים הראשוניים שאינם גדולים מ n (אבל לא מכיל אף מספר אחר). כל מספר יופיע במערך בדיוק פעם אחת.

Emilia Katz, Shahar Dag12 OCL Added to UML class diagrams or state-charts Example system specification: LoyaltyProgram system Given: UML class diagram (see additional file)

Emilia Katz, Shahar Dag13 OCL – operations on collections This is the unusual part of notation Collections: Bag, Set, Sequence Bag Set Sequence AsBag AsSet AsSequence Example: Bag{1,1,2,5}.AsSet() =

Emilia Katz, Shahar Dag14 Operations on Collections - examples Set{account1,account2,account3,account4}.select(balance>100) –Meaning: Set{1,2,3,4,5}.includes(6) = Set{1,2,3,4,5}.including(6) = Excludes, excluding – symmetric operations Set{{1,2},{2,3},{5,6}}.collect =

Emilia Katz, Shahar Dag15 OCL => Natural Language (1) 1. context Customer inv title = (if isMale = true then ‘Mr.’ else ‘Ms.’ Endif) Translation: 2. context LoyaltyProgram inv serviceLevel-> includesAll(membership.actualLevel) Translation:

Emilia Katz, Shahar Dag16 OCL => Natural Language (2) 3. context LoyaltyAccount inv points>0 implies transaction->exists(points>0) Translation: 4. context ProgramPartner inv self.deliveredServices.transactions-> select(oclType=Burning)->collect(points)->sum <= self.deliveredServices.transactions-> select(oclType=Earning)->collect(points)->sum Translation:

Emilia Katz, Shahar Dag17 Natural Language => OCL(1) 1. Customers must have a minimum age of 18 years 2. The CustomerCard’s “valid from” date must be earlier then the “valid to” date

Emilia Katz, Shahar Dag18 Natural Language => OCL(2) 3. The printed name on the customer card must be a title followed by the registered name of the customer 4. The number of service levels is exactly 2

Emilia Katz, Shahar Dag19 Pre- and Post-Conditions in OCL 1. For isEmpty() operation of LoyaltyAccount (returns true iff there are no points in the account) 2. The Burn(integer i) operation of LoyaltyAccount

Emilia Katz, Shahar Dag20 Built-in OCL Types OclType –Customer.name() = –Customer.attributes() = OclAny Example - s:Set –s.oclType() = –s.oclIsKindOf(Collection) = –s.oclIsTypeOf(Collection) =