Model-Based Specification CIS 376 Bruce R. Maxim UM-Dearborn

Model-Based Specification Overview System model defined using well-understood mathematical entities like sets and functions System state is not hidden like it is in algebraic specification State changes are straight forward to define VDM and Z are the most widely used model- based specification languages

Z Formal Language Based on set theory and first-order predicate logic Strongly typed Declarative language Makes use of a graphical construction known as a schema –provide an effective low level structuring facility –are useful as specification building blocks –can be understood fairly easily

Schemas Include –a unique name or identifier –a signature that declares entities and their types –a predicate part that defines invariants involving these entities Schemas can be included in other schemas and act as type definitions Names are local to the schema in which they are defined

Schema: Declaration Part Contains local declarations (types and variables) Can import other types by listing their names Anonymous schemas (name omitted) are used to make global declarations Anonymous schemas usually do not contain a predicate part

Schema: Predicate Part Statements about the entities defined in the declaration part of the schema These statements must be true at all times Multiple statements are assumed to be implicitly connected by a logical and Other logical connectives (e.g. or, implies, equivalent, etc.) can be used explicitly in compound statements

Z specification examples were posted on the World Wide Web by Ken Abernathy Furman University

Example Schema The symbol P is used to indicate the power set of a type, and the symbol  is used to define a relation between two types (i.e. a set of ordered pairs from the Cartesian product of the two types). IO_Channel_Assignments Basic_Types active_instruments : P Platform_Instruments assigned_to : Communications_Channels  Platform_Instruments available, busy: P Communications_Channels range assigned_to [subset of] active_instruments available  busy = 

Z Lexical Elements Character set includes all keyboard characters and special mathematical symbols Identifiers must begin with a letter and may contain any number of digits, letters (upper and lower case), and the underscore _ Identifiers may have suffixes ? = input variable ! = output variable ` = new value for variable following a state change

Z Types and Declarations Built-in types –the integers denoted by Z –natural numbers {0, 1, 2, …} denoted by N –positive integers denoted by N 1 –the reals are not a built-in type Free types = similar to enumerated types in C++ Basic types (aka unspecified types)

Z Operators - part 1 Operator # denotes the cardinality of a finite set Operator < is used to extract ordered pairs from a relation having specified first coordinate values Example: #({channel?} < assigned_to) < 5 This statement asserts that the number of pairs from the relation assigned_to whose first coordinates equal the value of the input variable channel? is less than 5.

Z Operators - part 2 The operator > functions almost like < except it extracts pairs from a relation based on the value of the second coordinate. Example: #(assigned_to > {instrument?}) < 3 This states that the number of ordered pairs from the relation assigned_to whose second coordinates equal the value of the input variable instrument? is less than 3.

Z Operators - part 3 The notation a- > b is used to denote a specific potential pair in a relation -- instead of the more standard ordered pair notation (a,b) The following notation is used for the relational image operator | {range set} | Example:assigned_to (| {channel?} |) In this example, the relational image operator returns the image (in the range set)of the value of the variable channel? for the relation assigned_to.

Creating New Schemas from Existing Schemas The prefix  (Delta) is used to create a new schema from an existing one. –A Delta schema is obtained by combining the before and after specifications of a state. The prefix  (Xi) is also used to create a new schema from an existing one. –Similar to a Delta schema, an Xi schema is obtained by combining the before and after specifications of a state. – However, this schema is used to define specifications of operations (such as inquiries) that do not change the state of a structure.

Delta Schema Example  IO_Channel_Assignments Basic_Types active_instruments, active_instruments' : P Platform_Instruments assigned_to, assigned_to' : Communications_Channels  Platform_Instruments available, available', busy, busy' : P Communications_Channels ran assigned_to [subset of] active_instruments ran assigned_to' [subset of] active_instruments' available  busy =  available'  busy' = 

Xi Schema Example  IO_Channel_Assignments Basic_Types active_instruments, active_instruments' : P Platform_Instruments assigned_to, assigned_to' : Communications_Channels  Platform_Instruments available, available', busy, busy' : P Communications_Channels ran assigned_to [subset of] active_instruments available  busy =  active_instruments' = active_instruments assigned_to' = assigned_to available' = available busy' = busy

Operation Specification Options Operations may be specified incrementally as separate schema and then combined to produce a complete specification Define a ‘normal’ operation as a schema Define schemas for exceptional situations Combine all schemas using a disjunctive or operator

Importing Delta and Xi Schemas Importing  and  schemas into operation specifications provides a way to record the intended impact of the operations on state variables and predicate Provides a built-in check on the result of an operation

Z Specification Process

Example Problem A space platform contains a number of instruments. Several communications channels are provided allowing both input and output instrument communications. Platform instruments may be placed in active or inactive states. Only active instruments may be assigned to I/O-channels. Active instruments may be assigned to more than one I/O-channel, up to some maximum number of I/O-channels per instrument. I/O-channels may be shared by several active instruments, up to some maximum number of instruments shared per I/O-channel.

Basic Variables and Invariants IO_Channel_Assignments Basic_Types active_instruments : P Platform_Instruments assigned_to : Communications_Channels  Platform_Instruments available, busy: P Communications_Channels range assigned_to [subset of] active_instruments available  busy = 

Schema for Making an Assignment - part 1 The schema is to define the basic operator to assign a channel to an instrument The schema will later be combined using logical or’s with a number of message reporting schemas to complete the definition Schema  IO_Channel_Assignments should be imported in the declaration part of the new schema since this operator will potentially change the system state

Schema for Making an Assignment - part 2 The declaration part of the schema should also declare two variables -- one representing the instrument and one representing the channel to be included in the assignment The predicate part of the schema should consist of the conjunction (logical and’ing) of several pre-conditions assuring that the input variables satisfy conditions for a legal assignment to be made, and several post-conditions defining the state changes that will complete the assignment

Preconditions Desired pre-conditions on the input variables : instrument must be active channel must be available (i.e. not already have the maximum allowed instruments assigned to it) instrument must have assigned to it fewer than the allowed maximum number of channels the candidate assignment pair must not already exist in the relation assigned_to

Schema with Precondition Added Make_An_Assignment 0  IO_Channel_Assignments instrument? : Platform_Instruments channel? : Communications_Channels instrument?  active_instruments channel?  available #(assigned_to > {instrument?}) < Max_Channels channel? -> instrument?  assigned_to

Post-Conditions Desired post-conditions -- the operator actions : assure no change is made to the active state of the instrument (instrument remains active) add the assignment pair to the assigned_to relation (special case) if this assignment increases the number of instruments assigned to this channel to the maximum allowed, then the channel must be removed from the available channel set and placed in the busy channel set

Schema with Post-Conditions Added Make_An_Assignment 0  IO_Channel_Assignments instrument? : Platform_Instruments channel? : Communications_Channels instrument?  active_instruments channel?  available #(assigned_to > {instrument?}) < Max_Channels channel? -> instrument?  assigned_to active_instruments' = active_instruments assigned_to' = assigned_to  {channel?->instrument?} [#({channel?} < assigned_to) < Max_Instruments-1] \/ [#({channel?} < assigned_to) = Max_Instruments-1 /\ available' = available - {channel?} /\ busy' = busy  {channel?}]

Error Conditions Errors should be reported whenever one of the preconditions fail (which means the operation cannot take place) Schemas can be defined for each error condition The final schema will combine the operator schema and the error schema condition schemas using or operators

Sample Error Condition Schema Instrument_Not_Active  IO_Channel_Assignments instrument? : Platform_Instruments message! : Possible_Message instrument?  active_instruments message! = instrument_not_active

Completed Make_Assignment Schema Assuming three more error schemas are complete the definition of the Make_An_Assignment operation appears below. ( \/ = logical or) Make_An_Assignment == Make_An_Assignment 0 \/ Instrument_Not_Active \/ Channel_Not_Available \/ Maximum_Channels_Assigned \/ Assignment_Already_Made