Download presentation
Presentation is loading. Please wait.
1
27.5.2008 Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität and Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik
2
Slide 2 H. Schlingloff, Logical Specification 27.5.2008 First-Order Predicate Logics FOL FOL ::= R ( V n ) | | (FOL FOL) | V FOL Typed FOL V : D FOL Typed FOL = (t 1 =t 2 ) special predicate (not expressible in FOL) 1 x stands for x( y( (y x) ¬ (y:=x)))
3
Slide 3 H. Schlingloff, Logical Specification 27.5.2008 Set theory Comprehension scheme {x: T| (x) ● expr(x)} - expr(x) is an expression of type D involving variable x of type T - The set of all values of expr(x) (in D U ) where the value of x (in T U ) satisfies (x) {x: T| (x)} stands for {x: T| (x) ● x} Set operations y {x: T| (x) ● expr(x)} stands for x:T ( (x) y=expr(x)) M 1 M 2 stands for x(x M 1 x M 2 ) etc. Power set operator M 1 ℙ M 2 if M 1 M 2 (but: set variables not available in FOL!)
4
Slide 4 H. Schlingloff, Logical Specification 27.5.2008 20.5.2008 Slide H. Schlingloff, Logical Specification Z Properties described in FOL (Q x:T| (x) (x)) - [quantifer][variable]:[type]|[constraint] [predicate] ( x:T| ) stands for x:T ( ∧ ) ( x:T| ) stands for x:T ( ) Z schemes: name, signature and formulas
5
Slide 5 H. Schlingloff, Logical Specification 27.5.2008 Z semantics Every Z scheme defines a set of (first-order) models M: (U,I,V) („each model being a function from names defined by the specification to values that those names are permitted to have by the constraints imposed on them in the specification“) U contains a domain for each type in the scheme (named and unnamed types), such that the set constraints are satisfied - e.g. ℙ M is the set of all subsets of M - e.g. ℤ is the set of integers I is an interpretation of function and relation symbols - built-in functions are interpreted as expected V is a first-order variable valuation, such that all specification formulae are satisfied - note: type names cannot be used as variables!
6
Slide 6 H. Schlingloff, Logical Specification 27.5.2008 Example defines the set of models Each section defines a set of section models
7
Slide 7 H. Schlingloff, Logical Specification 27.5.2008 The Z standard International standard 2002 Defines standard operations sets, powersets tuples, products, sequences functions, relations numbers Markup languages LaTeX, ASCII
8
Slide 8 H. Schlingloff, Logical Specification 27.5.2008 Sets, Powersets
9
Slide 9 H. Schlingloff, Logical Specification 27.5.2008 Tuples, Sequences
10
Slide 10 H. Schlingloff, Logical Specification 27.5.2008 Functions, Relations
11
Slide 11 H. Schlingloff, Logical Specification 27.5.2008 Numbers
12
Slide 12 H. Schlingloff, Logical Specification 27.5.2008
13
Slide 13 H. Schlingloff, Logical Specification 27.5.2008 Three Definitions of abs
14
Slide 14 H. Schlingloff, Logical Specification 27.5.2008 Slide H. Schlingloff, Logical Specification Z schemas – state changes delta abbreviation specifies extended models compare the propositional case unprimed variables: current state primed variables: next state
15
Slide 15 H. Schlingloff, Logical Specification 27.5.2008 General Form of Transition
16
Slide 16 H. Schlingloff, Logical Specification 27.5.2008 Z – Another Example The Steam Boiler Control Specification Problem Jean-Raymond Abrial, Egon Börger, and Hans Langmaack: Formal Methods for Industrial Applications: Specifying and Programming the Steam Boiler Control. Springer LNCS 1165, October 1996 (ISBN 3-540-61929-1) Purpose: control the level of water in a steamboiler The quantity of water present when the steamboiler is working has to be neither too low nor to high otherwise the steamboiler or the turbine sitting in front of it might be seriously affected More than 30 solutions available
17
Slide 17 H. Schlingloff, Logical Specification 27.5.2008 Z – Steam Boiler Example
18
Slide 18 H. Schlingloff, Logical Specification 27.5.2008 Z – Steam Boiler Example
19
Slide 19 H. Schlingloff, Logical Specification 27.5.2008 Z – Steam Boiler Example
20
Slide 20 H. Schlingloff, Logical Specification 27.5.2008 Z – Steam Boiler Example
21
Slide 21 H. Schlingloff, Logical Specification 27.5.2008 Steam Boiler Variables Summary of various constants or physical variables of the system
22
Slide 22 H. Schlingloff, Logical Specification 27.5.2008 Steam Boiler Control
23
Slide 23 H. Schlingloff, Logical Specification 27.5.2008 Steam Boiler Control
24
Slide 24 H. Schlingloff, Logical Specification 27.5.2008 Steam Boiler Operation The program operates in different modes, namely: initialization, normal, degraded, rescue, emergency stop The initialization mode is the mode to start with. The program enters a state in which it waits for the message STEAM- BOILER_WAITING to come from the physical units As soon as this message has been received the program checks whether the quantity of steam coming out of the steamboiler is really zero. If the unit for detection of the level of steam is defective, that is, when d is not equal to zero, the program enters the emergency stop mode. If the quantity of water in the steamboiler is above w max, the program activates the valve of the steamboiler in order to empty it. If the quantity of water in the steamboiler is below N w min, …
25
Slide 25 H. Schlingloff, Logical Specification 27.5.2008 Steam Boiler Operation: Init
26
Slide 26 H. Schlingloff, Logical Specification 27.5.2008 Steam Boiler Operation: Init
27
Slide 27 H. Schlingloff, Logical Specification 27.5.2008 Steam Boiler Operation: Normal The normal mode is the standard operating mode in which the program tries to maintain the water level in the steamboiler between w min and w max with all physical units operating correctly. As soon as the water level is below w min or above w max the level can be adjusted by the program by switching the pumps on or off. The corresponding decision is taken on the basis of the information which has been received from the physical units. As soon as the program recognizes a failure of the water level measuring unit…
28
Slide 28 H. Schlingloff, Logical Specification 27.5.2008 Steam Boiler Operation: Normal
29
Slide 29 H. Schlingloff, Logical Specification 27.5.2008 Steam Boiler Operation: Normal
30
Slide 30 H. Schlingloff, Logical Specification 27.5.2008 Reflection on Z State-based system, similar to finite automaton – Z may not be the ideal specification language High expressiveness by set theory and logic Possibility of under-specification in Z Modularity (but no object orientation) Well-suited for program verification Not well-suited for refinement (transformational program development) and/or test generation
31
Slide 31 H. Schlingloff, Logical Specification 27.5.2008 Yet Another Case Study 1. The subject is to invoice orders. 2. To invoice is to change the state of an order (to change it from the state "pending" to "invoiced"). 3. On an order, we have one and one only reference to an ordered product of a certain quantity. The quantity can be different to other orders. 4. The same reference can be ordered on several different orders. 5. The state of the order will be changed into "invoiced" if the ordered quantity is either less or equal to the quantity which is in stock according to the reference of the ordered product.
32
Slide 32 H. Schlingloff, Logical Specification 27.5.2008 Yet Another Case Study (2) 6. You have to consider the two following cases: (a) Case 1 All the ordered references are references in stock. The stock or the set of the orders may vary: - due to the entry of new orders or cancelled orders; - due to having a new entry of quantities of products in stock at the warehouse. However, we do not have to take these entries into account. This means that you will not receive two entry flows (orders, entries in stock). The stock and the set of orders are always given to you in a up-to-date state. (b) Case 2 You do have to take into account the entries of: - new orders; - cancellations of orders; - entries of quantities in the stock.
Similar presentations
