1. 1 Z Schemas Chapter 7 Formal Specification using Z Example of Z specification Document

2. 2 Schemas A specification document in Z consists of narrative text interspersed with formal Z notation called schemas.  S _________  a,b: N  ________  a < b  __________ This schema is called S and it declares two variables a and b. It contains a constraining predicate which states that a must be less than b.

3. 3 Schemas The general form of a schema is.  SchemaName _____  Declarations  ________  Predicate  __________ A schema can also be written in a linear form: SchemaName == [ Declarations | Predicate] The previous example would be written in linear form as: S == [a,b: N | a<b]

4. 4 Schemas It is possible to have an anonymous schema, no name. It is possible to have a schema with no predicate. Variables are local to a schema. If you require variables from another schema you must include it in your current schema. Global variables are available to all schemas, they are introduced by axiomatic definition and cannot be changed by any operation. For example: | capacity: N If you wish to constrain a variable, the general form is  Declarations  ________  Predicate  __________

5. 5 Schemas For example  MaxOnCourse  ________  MaxOnCourse 6…30  __________ Schemas can make reference to capacity and MaxOnCourse without explicitly including their defining schemas.  Course _____  numberEnrolled:  ________  numberEnrolled MaxOnCourse  __________

6. 6 Schemas Each line of declaration part is separated by a semicolon. Each line of predicate part is connected with the ‘and’ operation  Class _____  lecturer: PERSON  student: P PERSON  ________  lecturer student  #student MaxOnCourse  __________ Is an abbreviation for:  Class _____  lecturer: PERSON;  student: P PERSON;  ________  lecturer student L  #student MaxOnCourse  __________

7. 7 Schema Calculus Schemas can be regarded as units and manipulated by various operators that are analogous to the logical operators ( L, v, ¬ etc. ) The schema name S decorated with a prime (S’) is defined to be the same as the schema S with all its variables decorated with a prime. It is used to signify the value of a schema after some operation. Before operation  S ______  a,b: N  ______  a < b  ______ _ After operation  S’ ______   a’,b’: N  ______  a’ < b’  _______ _

8. 8 Inclusion The name of a schema can be included in the declaration of another schema. When a schema is textually imported its declarations are merged with those of the including schema and its predicate part is conjoined (anded) with that of the including schema. Any variables that have the same name must have the same type.

9. 9 Inclusion Including a schema  IncludeS ___  c: N  S  ______  c < 10  _______ Is a short way of writing  includeS _  c: N  a,b: N   ______  c < 10  a < b  ________

10. 10 Schema Conjunction Definition of S  S ___  a,b: N  ______  a < b  _______ SandT == S L T  SandT _  a,b,c: N   ______  a < b  b < c  ________ Definition of T  T ___  b,c: N  ______  b < c  _____

11. 11 Schema Disjunction Definition of S  S ___  a,b: N  ______  a < b  _______ SorT == S v T  SandT ___  a,b,c: N   ______  ( a < b) v  ( b < c)  ________ Definition of T  T ___  b,c: N  ______  b < c  _____

12. 12 Delta Convention Definition of Delta S  D S ___  a,b: N  a’,b’: N  ______  a < b  a’ < b’  _______ The convention that a value of a variable before an operation is denoted by an undecorated name of the variable, and the value after an operation is decorated by a prime (‘) is used in the delta naming convention. A schema with a capital delta ( D often denotes some change) as the first character of its name is defined as:

13. 13 Xi Convention Definition of Xi S  X S ___  a,b: N  a’,b’: N  ______  a < b  a’ < b’  a’ = a  b’ = b  _______ The convention a schema with the Greek capital letter xi ( X ) as the first character of its name, such as X S, is defined as the same as D S but with the constraint that the new value of every variable is the same as the old. The state of does not change. For example a query is an operation that produces a result that should not change the state of a database.

14. 14 Schema Input Output Definition of Add  Add ___  a?,b?: N  sum!: N  ______  sum! = a? + b?  _______ Finishing variable names with a question mark (?) indicates input to the schema. Finishing variable names with a exclamation mark (!) indicates output from the schema.

15. 15 Schema Example KEY ::= home | return | left | right | up | down  numLines: N  numColumns: N  ______  1 numLines  1 numColumns  _______ A computer display shows lines of characters with each line consisting of a fixed number of columns containing a character in a fixed-width typeface. A cursor marks the current position of interest on the display. The user can press cursor-control keys on the keyboard, some of which directly control the position of the cursor.

16. 16 Schema Example The lines are numbered from 1 to numLines down the display and the columns are numbered 1 to numColumns across the display. 1 1 numLines numColumns line column cursor

17. 17 The State At any time the cursor is within the bounds of the display. The state of the cursor can be described by the schema Cursor.  Cursor ___  line: N  column: N  ______  line 1..numLines  column 1..numColumns  _______

18. 18 Home Key The operations for moving the cursor can be built up one at a time. The simplest is to respond to the home key. It causes the cursor to the top left corner of the display.  HomeKey ___  D cursor  key?: KEY  ______  key? = home  line’ = 1  column’ = 1  ________

19. 19 Home Key We are using the delta convention with D cursor defined as:  D cursor ___  line, line’ : N  column, column’ : N  ______  line 1..numLines  line’ 1..numLines  column 1..numColumns  column’ 1..numColumns  _______

20. 20 Down Key The operation for moving the cursor down, in the normal case, can be defined as:  DownKeyNormal ___  D cursor  key?: Key  ______  key? = down  line < numLines  line’ = line + 1  column’ = column  ________

21. 21 Down Key The operations for moving the cursor down, when the cursor is at the bottom of the display, can be defined as:  DownKeyAtBottom ___  D cursor  key?: KEY  ______  key? = down  line = numLines  line’ = 1  column’ = column  ________

22. 22 Down Key The operation for moving the cursor down is defined to ‘wrap round’ to the top of the display. The full behaviour is given by: DownKey == DownKeyNormal v DownKeyAtBottom The operation defined by oring the two behaviours.

23. 23 Return Key The response to the return key is to move the cursor to the leftmost column of the next line down or the top of the screen if the cursor is already on the bottom line. This can be defined as:  ReturnKey ___  D cursor  key?: KEY  ______  key? = return  column’ = 1  (( line < numLines L line’ = line’+1)  v  ( line’ = numLines L line’=1))  ________

24. 24 Right Key First we deal with the case where the cursor is not at the far right of the display:  RightKeyNormal ___  D cursor  key?: KEY  ______  key? = right  column < numColumns  column’ = column+1  line’ = line  ________

25. 25 Right Key Next we deal with the case where the cursor is at the far right of the display:  RightKeyAtEnd ___  D cursor  key?: KEY  ______  key? = right  column = numColumns  column’ = 1  line < numLines  line’ = line + 1  ________

26. 26 Right Key Finally we deal with the case where the cursor is at the far right of the bottom line of the display:  RightKeyAtBottom ___  D cursor  key?: KEY  ______  key? = right  column = numColumns  column’ = 1  line = numLines  line’ = 1  ________

27. 27 Right Key These three schemas can be combined to form one schema that defines the response of the cursor to the right key being pressed in all initial positions of the cursor: RightKey= RightKeyNormal v RightKeyAtEnd v RightKeyAtBottom

28. 28 Cursor-control key action The action of the cursor on pressing any of these cursor- control keys can be defined as: CursorControlKey= RightKey v HomeKey v ReturnKey UpKey v DownKey v LeftKey

29. 29 Schema Composition The composition of a schema S with schema T is written: S ; T and signifies the effect of doing S, and the doing T. For example, to show the effect of pressing the right-key and then the left-key on the display in this case using the definition of CursorControlKey PressRight == CursorControlKey L [k?=right] PressLeft == CursorControlKey L [k?=left] The composition of the two actions is written PressRight ; PressLeft

30. 30 Answer to Q7.1 Base types and initialization: [PERSON] the set of all uniquely identifiable persons RESPONSE ::=OK | AlreadyAUser | NotAUser | LoggedIn | NotLoggedIn  Computer ___  users, loggedIn :  PERSON  ______  loggedIn z users  ________  InitComputer ___  Computer’  ______  loggedIn’ =   users’ =   ________

31. 31 Answer to Q7.2 Add user [PERSON] the set of all uniquely identifiable persons RESPONSE ::=OK | AlreadyAUser | NotAUser | LoggedIn | NotLoggedIn  AddUser 0 ___   Computer  p? : PERSON  ______  p?  users  users’ = users  {p?}  loggenIn’ = loggedIn  ________

32. 32 Answer to Q7.2 Add user error [PERSON] the set of all uniquely identifiable persons RESPONSE ::=OK | AlreadyAUser | NotAUser | LoggedIn | NotLoggedIn  AddUserError ___   Computer  p? : PERSON  reply! : RESPONSE  ______  p?  users  reply! = AlreadyAUser  ________ AddUser == (AddUser 0  [reply!:RESPONSE | reply!=OK])  AddUserError

33. 33 Answer to Q7.3 Remove user [PERSON] the set of all uniquely identifiable persons RESPONSE ::=OK | AlreadyAUser | NotAUser | LoggedIn | NotLoggedIn  RemoveUser 0 ___   Computer  p? : PERSON  ______  p?  users  p?  loggenIn  users’ = users \ {p?}  loggenIn’ = loggedIn  ________

34. 34 Answer to Q7.3 Remove user error  RemoveUserError ___   Computer  p? : PERSON  reply! : RESPONSE  ______  ( p?  users   reply! = NotAUser)    ( p?  users   p?  loggedIn   reply! = LoggedIn)  ________ RemoveUser == (RemoveUser 0  [reply!:RESPONSE | reply!=OK])  RemoveUserError

35. 35 Answer to Q7.4 Log in [PERSON] the set of all uniquely identifiable persons RESPONSE ::=OK | AlreadyAUser | NotAUser | LoggedIn | NotLoggedIn  Login 0 ________   Computer  p? : PERSON  _________  p?  users  p?  loggenIn  users’ = users  loggenIn’ = loggedIn  {p?}  ________________

36. 36 Answer to Q7.4 Log in Error  LoginError ________   Computer  p? : PERSON  reply! : RESPONSE  _________  ( p?  users   reply! = NotAUser)    ( p?  users   p?  loggedIn   reply! = LoggedIn)  ________ Login == (Login 0  [reply!:RESPONSE | reply!=OK])  LoginError

37. 37 The overall structure of a Z specification A Z specification document consists of mathematical text in Z notation, interleaved with explanatory text in natural language. The text should be expressed in terms of the problem and should not refer directly to the mathematical formulation, however for tutorial work this restriction is relaxed.

38. 38 Sections of a Z specification Introduction. The types used. The state and its invariant properties An initialisation operation. Operations and queries. Error handling. Final versions of operations and enquiries.