Formal Specifications, Tutorial 13
Formal Specifications - Tutorial, Shahar Dag

LARCH
  The first level - extending the basic definition
    Example: set
    Initial and final algebras
  The second level - the interface language
    Example: a Pascal-like interface to set
Slide 2: General structure

  trait_name : trait
    includes trait1 rename_list, trait2 rename_list, ...
    introduces operator_list
    asserts predicate_list
      var_type generated by operator_list
      var_type partitioned by observer_list
    implies
      converts ...          // see the slide for details

Vocabulary: trait = property, behaviour; exempting = except for.
Slide 3: includes

  includes trait1 rename_list, trait2 rename_list, ...

where rename_list is a list of the form: new_name for old_name, ...

meaning: creating a union of traits lets us combine behaviours. The rename list is the way to bring all components into a unique naming space. When it is clear that we will always rename some names, we can define them as arguments of the trait.
Slide 4: includes (example)

  reflective : trait
    introduces
      __ ↔ __ : T, T → bool
    asserts
      ∀ x:T  x ↔ x

  transitive : trait
    introduces
      __ R __ : T, T → bool
    asserts
      ∀ x, y, z:T  (x R y ∧ y R z) ⇒ x R z

  preorder : trait
    includes
      reflective ( ≤ for ↔ ),
      transitive ( ≤ for R )
Slide 5: generated by

  sort generated by constructor1, constructor2, ...

meaning: every element of the sort can only be produced by a combination of the listed constructors.

For example, in the stack trait (shown in class) we can add
  S generated by new, push
We can see that every operation that changes a stack only adds a finite number of elements; this means that we can't create an infinite stack.

We can use "generated by" for proving by induction (induction over the listed constructors).
"generated by" divides the operations into generators (the operations listed in the clause) and extensions (all the rest).
Slide 6: The Stack (from lecture)

  Stack : trait
    introduces
      push : ST x E --> ST
      pop  : ST --> ST
      top  : ST --> E
      new  : --> ST
    asserts
      for s : ST and i : E
        pop( push( s, i )) = s
        top( push( s, i )) = i
        [ pop( new ) = undefined ]
        [ top( new ) = undefined ]
    ST generated by new, push
Slide 7: partitioned by

  sort partitioned by observer1, observer2, ...

meaning: any two values of the sort that can't be distinguished by the observers in the list are considered equal. This is similar to the final algebra approach (but only relative to the listed observers).
For example, the operator ∈ can distinguish sets.
Slide 8: implies

  implies additional_claims
defines additional claims. The claim is derived from the already defined claims; once proved, the new claim can serve for reasoning about further claims.

  implies converts operation_list
this means that the listed operations are well defined (and unambiguous) for all possible values.

  implies converts operation_list exempting special_cases
excludes special cases, such as singular points where the operation is not defined. Errors are handled separately.
Slide 9: Example – the set

  settrait : trait
    introduces
      {} : → set
      _ ∈ _ : E, set → bool
      insert : E, set → set
      delete : E, set → set
      size : set → int
      _ ∪ _ : set, set → set
      _ ⋂ _ : set, set → set
    asserts
      // continued on next page
Slide 10: Example – the set (cont.)

    asserts                         // continues previous page
      ∀ e, e1 : E, s, s1 : set
        ¬( e ∈ {} );
        e ∈ insert(e1, s) == e = e1 ⋁ e ∈ s;
        size( {} ) == 0;
        size( insert(e, s) ) == if e ∈ s then size(s) else size(s) + 1;
        delete( e, {} ) == {};
        delete( e, insert(e1, s) ) == if e = e1 then delete(e, s) else insert(e1, delete(e, s));
        s ∪ {} == s;
        s ∪ insert( e, s1 ) == insert( e, s ∪ s1 );
        s ⋂ {} == {};
        s ⋂ insert( e, s1 ) == if e ∈ s then insert( e, s ⋂ s1 ) else s ⋂ s1;
Slide 11: Initial and final algebras

We can view traits as defining a logical theory (first-order logic): everything is defined in the traits, and we know only what the trait defines together with all the consequences that follow from it.

In the set definition we have:
  (1) delete( e, {} ) == {};
  (2) delete( e, insert(e1, s) ) == if e = e1 then delete(e, s) else insert(e1, delete(e, s));

We can conclude that:
  delete(5, insert(7, insert(5, {}))) = insert(7, {})

because:
  delete(5, insert(7, insert(5, {})))
    == insert(7, delete(5, insert(5, {})))    // the else branch of (2)
    == insert(7, delete(5, {}))               // the then branch of (2)
    == insert(7, {})                          // (1)
Slide 12: Initial and final algebras (cont.)

Larch leaves this open for the user of the trait. Is the following true?
  insert(7, insert(5, {})) = insert(5, insert(7, {}))

In the initial algebra approach they are different, since they cannot be proven equal from the axioms of set.
In the final algebra approach they are equal, since they cannot be distinguished by the axioms of set (no axiom contradicts their equality).
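The equations of slides 10 and 11 and the question of slide 12 carried through in code, as an added example that is not part of the tutorial: each assert becomes a rewrite rule over terms built only from {} and insert, and observably_equal gives the partitioned-by (final algebra) reading; the function names insert, member, size, delete, union, intersect and observably_equal are this example's own choices.

```python
# Added example (not from the tutorial): the settrait asserts as a term-rewriting
# evaluator. Terms of sort set are built only from the generators {} and insert
# ("generated by", slide 5); every other operator is reduced by the equations of slide 10.
EMPTY = ()                                  # the term {}

def insert(e, s):
    return ("insert", e, s)                 # generator: builds a term, nothing to rewrite

def member(e, s):                           # e ∈ s
    if s == EMPTY:
        return False                        # ¬( e ∈ {} )
    _, e1, s1 = s
    return e == e1 or member(e, s1)         # e = e1 ∨ e ∈ s

def size(s):
    if s == EMPTY:
        return 0                            # size( {} ) == 0
    _, e, s1 = s
    return size(s1) if member(e, s1) else size(s1) + 1

def delete(e, s):
    if s == EMPTY:
        return EMPTY                        # (1) delete( e, {} ) == {}
    _, e1, s1 = s
    if e == e1:
        return delete(e, s1)                # (2) then-branch
    return insert(e1, delete(e, s1))        # (2) else-branch

def union(s, s1):                           # s ∪ s1: the equations recurse on s1
    if s1 == EMPTY:
        return s
    _, e, s2 = s1
    return insert(e, union(s, s2))

def intersect(s, s1):                       # s ⋂ s1
    if s1 == EMPTY:
        return EMPTY
    _, e, s2 = s1
    return insert(e, intersect(s, s2)) if member(e, s) else intersect(s, s2)

def observably_equal(s, s1, elems):
    """Final-algebra view ("partitioned by ∈, size", slide 7): s and s1 are equal
    iff no observer, membership over the candidate elements or size, separates them."""
    return size(s) == size(s1) and all(member(e, s) == member(e, s1) for e in elems)

if __name__ == "__main__":
    a, b = insert(7, insert(5, EMPTY)), insert(5, insert(7, EMPTY))
    print(delete(5, a) == insert(7, EMPTY))   # slide 11's derivation: True
    print(a == b)                             # initial algebra: distinct terms, False
    print(observably_equal(a, b, [5, 7, 9]))  # final algebra: indistinguishable, True
```

Term equality (`==` on the tuples) is the initial-algebra notion; observably_equal over the elements of interest is the final-algebra one, which is why the two answers for the pair of terms differ.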
Slide 13: Example from an exam - set

Given set with the arithmetic operations (as we saw) and also the relational operators (>, >=, <, ...), define:
  max    - the maximal element of the set
  second - the second largest element
Slide 14: Example from an exam – set (cont.)

First attempt at solving max (a student's solution):
  max : S → E
  max(s) = e . e ∈ S ∧ ¬∃a∈S ∧ a>e

Is this a good solution?
Slide 15: Example from an exam – set (cont.)

Now solving second should already be easy:
  second : S → E
Slide 16: Larch Interface Language - LCL

LCL is the second layer of a Larch specification; we will only show some of its main features.
  - The termination requirement is implicit.
  - A specification may use any sorts and operations defined in LSL traits.
  - The mapping of types to sorts is done when introducing the used traits, by renaming the sorts to the corresponding types:
      uses trait (type for sort, ...)
  - Objects are places where values are stored.
  - The state of the program is a mapping from objects to values.
Slide 17: LCL – the general form

  uses traits
  procedure header
    requires P
    modifies L
    ensures Q

P is the usual precondition of an input/output assertion, in terms of the formal parameters from the header. Restrictions on the input appear in P: if we want to prevent a call with illegal values, we put a restriction in P.
L is the list of changeable objects.
Q is the usual postcondition, relating final values to initial ones. The values after the operation are the primed (') versions of the values before the operation. Error conditions appear in Q; this is where we handle exceptions and generate error messages.
Slide 18: LCL – some observations

The specification divides the responsibility between the user and the implementer of the functions:
  - the user must establish the requires clause (the precondition); otherwise the behaviour is not constrained.
  - the function must not change any object not in the modifies list.
  - the function must terminate.
  - the function must establish the ensures conditions at its final state.
Slide 19: Example

  uses settrait

  procedure set-init(var s : set)
    modifies s
    ensures s' = {}

  procedure set-insert(var s : set; e : integer)
    requires size( insert( e, s ) ) ≤ 100
    modifies s
    ensures s' = insert( e, s )

  procedure set-rem(var s : set; var f : bool; e : integer)
    modifies s, f
    ensures s' = delete( e, s ) ∧ f' = ( e ∈ s )

  function choose(s : set; var e : integer) : bool
    modifies e, choose
    ensures if size( s ) > 0 then ( choose' ∧ (e' ∈ s) ) else ( ¬choose' ∧ (e' = e) )
Slide 20: Example (cont.)

The example is written in a Pascal-like syntax.
  - set-init corresponds to the trait operation {}.
  - set-insert corresponds to the trait operation insert, with the restriction that the result must have no more than 100 elements.
  - set-rem combines delete and the membership function from the set trait.
  - choose, however, does not correspond to any trait operation; it chooses a set element arbitrarily.
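An executable reading of the requires / modifies / ensures clauses of slides 17 to 19 (an added example, not the tutorial's code): a decorator lcl checks requires before the call, checks after it that nothing outside modifies changed and that ensures holds, with sort set modelled by a Python frozenset and the state by a dict; the names lcl, violates, _rem_body and set_rem_leaky are this example's own assumptions.

```python
# Added example (not from the tutorial): the LCL procedures of slide 19 made executable,
# with requires / modifies / ensures checked at run time. Sort set is modelled by
# frozenset, the program state by a dict from object names to values (slide 16).
class ContractViolation(AssertionError): pass

def lcl(requires, modifies, ensures):
    """Slide 18 as code: old = unprimed values (before the call), new = primed (after)."""
    def wrap(body):
        def run(state):
            if not requires(state):                      # the caller's obligation
                raise ContractViolation("requires not established by caller")
            old = dict(state)
            body(state)
            for obj, val in old.items():                 # implementer's obligations
                if obj not in modifies and state[obj] != val:
                    raise ContractViolation(f"{obj} changed but not in modifies")
            if not ensures(old, state):
                raise ContractViolation("ensures not established by implementer")
            return state
        return run
    return wrap

@lcl(requires=lambda st: len(st["s"] | {st["e"]}) <= 100, modifies={"s"},
     ensures=lambda old, new: new["s"] == old["s"] | {old["e"]})
def set_insert(st):
    st["s"] = st["s"] | {st["e"]}

@lcl(requires=lambda st: True, modifies={"e", "choose"},
     ensures=lambda old, new: (new["choose"] and new["e"] in old["s"]) if old["s"]
                              else (not new["choose"] and new["e"] == old["e"]))
def choose(st):
    st["choose"] = len(st["s"]) > 0
    if st["choose"]:
        st["e"] = min(st["s"])          # any element satisfies the spec; min is one pick

def _rem_body(st):                      # one implementation of set-rem, two specs below
    st["f"] = st["e"] in st["s"]
    st["s"] = st["s"] - {st["e"]}

set_rem = lcl(requires=lambda st: True, modifies={"s", "f"},
              ensures=lambda old, new: new["s"] == old["s"] - {old["e"]}
                                       and new["f"] == (old["e"] in old["s"]))(_rem_body)
set_rem_leaky = lcl(requires=lambda st: True, modifies={"s"},   # f omitted: write to f is rejected
                    ensures=lambda old, new: new["s"] == old["s"] - {old["e"]})(_rem_body)

def violates(proc, state):              # True iff proc raises a contract violation on state
    try:
        proc(state)
    except ContractViolation:
        return True
    return False
```

A call to set_insert on a 100-element set with a new element fails at requires, which is the caller's fault; set_rem_leaky fails at the modifies check with the very same body that passes as set_rem, which is the implementer's fault.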