Formal Specification zTechniques for the unambiguous ...spiros/teaching/CS451/pdf/formal.pdf ·...
Transcript of Formal Specification zTechniques for the unambiguous ...spiros/teaching/CS451/pdf/formal.pdf ·...
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 1
Formal Specification
Techniques for the unambiguous specification of software
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 2
Specification in the Software ProcessSpecification and design are intermingled.Architectural design is essential to structure a specification.Formal specifications are expressed in a mathematical notation with precisely defined vocabulary, syntax and semantics.
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 3
Specification and Design
Architecturaldesign
Requirementsspecification
Requirementsdefinition
Softwarespecification
High-leveldesign
Increasing contractor involvement
Decreasing client involvement
Specification
Design
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 4
Formal Specification on TrialFormal techniques are not widely used in industrial software development.Given the relevance of mathematics in other engineering disciplines, why is this the case?
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 5
Why Aren’t Formal Methods Used?Inherent management conservatism. It is hard to demonstrate the advantages of formal specification in an objective way.Many software engineers lack the training in discrete math necessary for formal specification.System customers may be unwilling to fund specification activities.Some classes of software (particularly interactive systems and concurrent systems) are difficult to specify using current techniques.
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 6
Why Aren’t Formal Methods Used?There is widespread ignorance of the applicability of formal specifications.There is little tool support available for formal notations.Some computer scientists who are familiar with formal methods lack knowledge of the real-world problems to which these may be applied and therefore oversell the technique.
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 7
Advantages of Formal SpecificationIt provides insights into the software requirements and the design. Formal specifications may be analyzed mathematically for consistency. It may be possible to prove that the implementation satisfies the specification.
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 8
Advantages of Formal SpecificationFormal specifications may be used to guide the tester of the component in identifying appropriate test cases.Formal specifications may be processed using software tools. It may be possible to animate the specification to provide a software prototype.
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 9
Seven Myths of Formal MethodsPerfect software results from formal methods– Nonsense - the formal specification is a model of the
real-world and may incorporate misunderstandings, errors and omissions.
Formal methods means program proving– Formally specifying a system is valuable without formal
program verification as it forces a detailed analysis early in the development process.
Formal methods can only be justified for safety-critical systems.– Industrial experience suggests that the development costs
for all classes of system are reduced by using formal specification.
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 10
Seven Myths of Formal MethodsFormal methods are for mathematicians– Nonsense - only simple math is needed.
Formal methods increase development costs– Not proven. However, formal methods definitely push
development costs towards the front-end of the life cycle.
Clients cannot understand formal specifications– They can if they are paraphrased in natural language.
Formal methods have only been used for trivial systems– There are now many published examples of experience
with formal methods for non-trivial software systems.
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 11
The Verdict!The reasons put forward for not using formal specifications and methods are weak.However, there are good reasons why these methods are not used:– The move to interactive systems. Formal specification
techniques cannot cope effectively with graphical user interfacespecification.
– Successful software engineering. Investing in other software engineering techniques may be more cost-effective.
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 12
Use of Formal MethodsThese methods are unlikely to be widely used in the foreseeable future. Nor are they likely to be cost-effective for most classes of system.They will become the normal approach to the development of safety critical systems and standards.This changes the expenditure profile through the software process.
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 13
Development Costs with Formal Specification
Specification
Design andImplementation
Validation
Specification
Design andImplementation
Validation
Cost
Without formalspecification
With formalspecification
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 14
Specifying Functional AbstractionsThe simplest specification is function specification. There is no need to be concerned with global state.The formal specification is expressed as input and output predicates (pre and post conditions).Predicates are logical expressions which are always either true or false .Predicate operators include the usual logical operators and quantifiers such as for-all and exists.
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 15
Specification with Pre and Post Conditions
Set out the pre-conditions– A statement about the function parameters stating what is
invariably true before the function is executed
Set out the post-conditions– A statement about the function parameters stating what is
invariably true after the function has executed
The difference between the pre and post conditions is due to the application of the function to its parameters. Together the pre and post conditions are a function specification.
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 16
Specification DevelopmentEstablish the bounds of the input parameters. Specify this as a predicate.Specify a predicate defining the condition which must hold on the result of the function if it computes correctly.Establish what changes are made to the input parameters by the function and specify these as a predicate.Combine the predicates into pre and post conditions.
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 17
The Specification of a Search
function Search ( X: array 1 .. N of INTEGER; Key: INTEGER )return INTEGER ;
Pre: ∃ 1 ≤ i ≤ N • X(i) = KeyPost: X’ (Search (X, Key)) = Key ∧ X = X’
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 18
Formal Specification ApproachesAlgebraic approach– The system is described in terms of interface operations and
their relationships.
Model-based approach– A model of the system acts as a specification. This model is
constructed using well-understood mathematical entities such as sets and sequences.
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 19
Formal Specification Languages
Sequential ConcurrentAlgebraic Larch (Guttag et al., 1985) ,
OBJ (Futatsugi et al., 1985)Lotos (Bolognesi andBrinksma, 1987),
Model-based Z (Spivey, 1989)VDM (Jones, 1980)
CSP (Hoare, 1985)Petri Nets (Peterson, 1981)
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 20
Set Theory Review
teacher(Mary)student(John)
x ∈ T ⇔ teaches(x)x ∈ S ⇔ student(x)x ∈ O ⇔ ¬ teaches(x) ∧ ¬ student(x)
teacher(x) ⇒ ¬student(x)student(x) ⇒ ¬ teacher(x)teacher(x) ⇔ ¬ student(x) ∧ ¬ other(x)
Mary ∈ T ⇔ teaches(Mary)teaches(Mary) ⇒ ¬student(Mary)
⇔ ¬ student(Mary) ∧ ¬ other(Mary)
∃ x ∈ P • teaches(x)∀ x ∈ S • student(x)¬∃ x ∈ S • teaches(x) ~> ∀ x ∈ S • ¬ teaches(x)∀ x ∈ S • ∃ y ∈ T • student(x)
∧ teaches(y) ∧ supervises(y,x)
O = P – (T∪ S)
P
T
S
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 21
Implication
a = possibility of precipitation (p.o.p) > 50%b = take an umbrella
a ⇒ b If (p.o.p > 50%) then (take an umbrella)
a = 0 ∧ b = 0If (p.o.p ≤50%) then ¬ (take an umbrella)= 1
a = 0 ∧ b = 1If (p.o.p ≤ 50%) then (take an umbrella)= 1
a = 1 ∧ b = 0If (p.o.p > 50%) then ¬ (take an umbrella)= 0
a = 1 ∧ b = 1If (p.o.p > 50%) then (take an umbrella)= 1
So ⇒ informally means if the p.o.p is greater than 50% I will take an umbrella, but if the p.o.p is less than or equal to 50%, I may or may not take an umbrella
1 110
0 101
ab
a ⇒ b ≡ ¬ a ∨ b
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 22
Pre/Post Condition Examples
proc Reverse(a:array 0..9 of int, size:int)pre: ?post: ?
proc D_Sort(A:array 0..9 of int, size:int)pre: ?post: ?
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 23
Pre/Post Condition Examples(2)
proc Avg(A:array 0..9 of int, size:int, res:real)pre: ?post: ?
proc Init(A:array 0..9 of int, size:int)pre: ?post: ?
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 24
Pre/Post Condition Examples(3)proc m_mult(A:array 0..9,0..9 of int; a1, a2: int;
B:array 0..9,0..9 of int; b1, b2: int;M:array 0..9,0..9 of int; m1, m2: int)
pre: ?post: ?
=
×
i
A B M
111,00,122
1
1
0
1
228157
4432241243312311
4231
4231
ii
kk
k
BABAM
BA
⋅+⋅=
=
=
⋅+⋅⋅+⋅⋅+⋅⋅+⋅
=
×
∑=
⋅
a1 a2x b1 b2x m1 m2x
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 25
Pre/Post Condition Examples(4)
proc count(A:array 0..9 of int; size, e, count:int)pre: ?post: ?
Number of e’s in A
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 26
Pre/Post Conditions with Java (I)import java.util.*;
class Stack {private Vector v;
void push(Object obj) {pre: (obj ≠ null) ∧ (v ≠ null)post:
(v’.elementAt(v.size()) = obj)∧ (∀ 0 ≤ i < v.size() •
v’.elementAt(i) = v.elementAt(i))∧ v’.size() = v.size()+1
}
Object pop() {pre: v ≠ nullpost: (v.size > 0) ⇒ (pop’ = v’.elementAt(v.size()-1))∧ (v.size() ≤ 0) ⇒ (pop’ = null)∧ (∀ 0 ≤ i < v.size()-1 •
v’.elementAt(i) = v.elementAt(i))∧ (v’.size() = v.size()-1)
}
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 27
Pre/Post Conditions with Java (II) Object top() {
pre: v ≠ nullpost: (v.size ≤ 0) ⇒ (top’ = null)
∧ (v.size > 0) ⇒ (top’ = v.elementAt(v.size()-1)∧ ∀ 0 ≤ i < v.size()-1 • v’.elementAt(i) = v.elementAt(i)∧ v’.size() = v.size()
}
stack() {pre: truepost: (v ≠ null) ∧ ( v.size() = 0)
}}
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 28
Stack Implementation in Javaimport java.util.*;
class stack {private Vector v;
void push(Object obj) {v.addElement(Obj);}
Object pop() {if (v.size() > 0) {
Object res = v.elementAt(v.size()-1);
v.removeElementAt(v.size()-1);return res;
} else return null;}
Object top() {if (v.size > 0)
return v.elementAt(v.size()-1);else return null);}
Stack() {v = new Vector();v.removeAllElements();}
}
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 29
Pre/Post Conditions for C functionsstrlen()
In order to be able to work with C strings, We can introduce function: - isNullTerminated(s): returns True if the string s is null terminated and False otherwise.
int strlen(const char *s)
// The strlen() function returns the number of bytes in s, not including the terminating null character.
int strlen (const char *s)pre: isNullTerminated(s)post: (s’ = s) ∧
(strcmp(s’,s) = 0) ∧ (∃ 0 ≤ i · (s[i] = ‘\0’ ∧ (∀ 0 ≤ j < i · (s[j] ≠ ‘\0’ )) => strlen(s)=i ))
ia b c ‘\0’ ? ?0 1 2 3 4 5
j
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 30
Pre/Post Conditions for C functionsstrchr() solution
char *strchr(const char *s, int c)
// The strchr() function returns a pointer to the first occurrence of c// (converted to a char) in string s, or a null pointer if c does not occur // in the string.
char *strchr(const char *s, int c)pre: ?post: ?
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 31
Pre/Post Conditions for C functionsstrcmp()
int strcmp(const char *s1, const char *s2)
// The strcmp() function compares two strings byte-by-byte, according // to the ordering of your machine's character set. The function returns an // integer greater than, equal to, or less than 0, if the string pointed to // by s1 is greater than, equal to, or less than the string pointed to by s2 // respectively. The sign of a non-zero return value is determined by the // sign of the difference between the values of the first pair of bytes that // differ in the strings being compared. Bytes following a null byte are not // compared.
int *strcmp(const char *s1, const char *s2)pre: ?post: ?
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 32
Model-based Specification
Formal specification of software by developing a mathematical model of the system
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 33
Model-based SpecificationDefines a model of a system using well-understood mathematical entities such as sets and functions.The state of the system is not hidden (unlike algebraic specification).State changes are straightforward to define.VDM and Z are the most widely used model-based specification languages.
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 34
Z as a Specification LanguageBased on typed set theory.Probably now the most widely-used specification language.Includes schemas, an effective low-level structuring facility.Schemas are specification building blocks.Graphical presentation of schemas make Z specifications easier to understand.
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 35
Z SchemasIntroduce specification entities and defines invariant predicates over these entities.A schema includes:– A name identifying the schema.– A signature introducing entities and their types.– A predicate part defining invariants over these entities.
Schemas can be included in other schemas and may act as type definitions.Names are local to schemas.
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 36
Z Schema Highlighting
contents <= capacity
Containercontents: capacity:
Schema name Schema signature Schema predicate
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 37
An Indicator Specification
light = on ⇔ reading >= danger_level
Indicator
light: {off, on}reading:danger_level:
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 38
Storage Tank Specification
reading = contentscapacity = 5000danger_level = 50
Storage_tank
ContainerIndicator
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 39
Full Specification of a Storage Tank
contents >= capacitylight = on ⇔ reading >= danger_levelreading = contentscapacity = 5000danger_level = 50
Storage_tank
contents:capacity:reading:danger_level:light: {off, on}
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 40
Z ConventionsA variable name decorated with a quote mark (N’) represents the value of the state variable N after an operation.A schema name decorated with a quote mark introduces the dashed values of all names defined in the schema.A variable name decorated with a ! represents an output.
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 41
Z ConventionsA variable name decorated with a ? represents an input.A schema name prefixed by the Greek letter Xi (Ξ) means that the defined operation does not change the values of state variables.A schema name prefixed by the Greek letter Delta (∆) means that the operation changes some or all of the state variables introduced in that schema.
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 42
Operation SpecificationOperations may be specified incrementally as separate schema then the schema combined to produce the complete specification.Define the “normal” operation as a schema.Define schemas for exceptional situations.Combine all schemas using the disjunction (or) operator.
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 43
A Partial Specification of a Fill Operation
contents + amount? <= capacitycontents’ = contents + amount?
Fill-OK
∆ Storage_tankamount?:
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 44
Storage Tank Fill Operation
capacity < contents + amount?r! = “Insufficient tank capacity – Fill cancelled”
OverFill
Ξ Storage-tankamount?: Nr!: seq CHAR
Fill
Fill-OK OverFill
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 45
The Z Specification Process
Define givensets and types
Define statevariables
Define initialstate
Define‘correct’
operations
Defineexceptionaloperations
Combineoperationschemas
Write informalspecification
Decomposesystem
Specify systemcomponents
Composecomponent
specifications
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 46
Data Dictionary SpecificationA data dictionary will be used as an example. This is part of a CASE system and is used to keep track of system names.Data dictionary structure:– Item name– Description– Type– Creation date
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 47
Given SetsZ does not require everything to be defined at specification time.Some entities may be “given” and defined later.The first stage in the specification process is to introduce these given sets.– [NAME, DATE]– We don’t care about these representations at this stage.
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 48
Type DefinitionsThere are a number of built-in types (such as INTEGER) in Z.Other types may be defined by enumeration– Sem_model_types = { relation, entity, attribute }
Schemas may also be used for type definition. The predicates serve as constraints on the type.
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 49
Specification Using FunctionsA function is a mapping from an input value to an output value.– SmallSquare = {1 → 1, 2 → 4, 3 → 9, 4 → 16, 5 → 25,
6 → 36, 7 → 49 }
The domain of a function is the set of inputs over which the function has a defined result.– dom SmallSquare = {1, 2, 3, 4, 5, 6, 7 }
The range of a function is the set of results which the function can produce.– rng SmallSquare = {1, 4, 9, 16, 25, 36, 49 }
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 50
The Function SmallSquare
onetwo
threefourfivesix
seven
14916253649
Domain (SmallSquare) Range (SmallSquare)
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 51
Data Dictionary ModelingA data dictionary may be thought of as a mapping from a name (the key) to a value (the description in the dictionary).Operations are:– Add: Makes a new entry in the dictionary or
replaces an existing entry– Lookup: Given a name, returns the description.– Delete: Deletes an entry from the dictionary.– Replace: Replaces the information associated with an entry.
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 52
Data Dictionary Entry
#description <= 2000
DataDictionaryEntry
entry: NAMEdesc: seq chartype: Sem_model_typescreation_date:DATE
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 53
Data Dictionary as a Function
DataDictionaryDataDictionaryEntryddict: NAME→ DataDictionaryEntry
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 54
Data Dictionary - Initial State
ddict’ = Ø
Init-DataDictionary
∆ DataDictionary
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 55
Add and Lookup Operations
name? ∉ dom ddictddict’ = ddict ∪ {name? → entry?}
Add_OK
∆ DataDictionaryname?:NAMEentry?: DataDictionaryEntry
name? ∈ dom ddictentry! = ddict (name?)
Lookup_OK
Ξ DataDictionaryname?:NAMEentry!: DataDictionaryEntry
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 56
Add and Lookup Operations
name? ∈ dom ddicterror! = “Name already in dictionary”
Add_Error
Ξ DataDictionaryname?: NAMEerror!: seq char
name? ∉ dom ddicterror! = “Name not in dictionary”
Lookup_Error
Ξ DataDictionaryname?: NAMEerror!: seq char
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 57
Function Overriding OperatorReplaceEntry uses the function overriding operator (written ⊕ ). This adds a new entry or replaces and existing entry.– phone = { Ian → 3390, Ray → 3392, Steve → 3427}– The domain of phone is {Ian, Ray, Steve} and the range is
{3390, 3392, 3427}.– newphone = {Steve → 3386, Ron → 3427}– phone ⊕ newphone = { Ian → 3390, Ray → 3392, Steve
→ 3386, Ron → 3427}
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 58
Replace Operation
name? ∈ dom ddictddict’⊕ {name? → entry?}
Replace_OK
∆ DataDictionaryname?: NAMEentry?: DataDictionaryEntry
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 59
Deleting an EntryUses the domain subtraction operator which, given a name, removes that name from the domain of the function.
– phone = { Ian → 3390, Ray → 3392, Steve → 3427}– {Ian} phone– {Ray → 3392, Steve → 3427}
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 60
Delete Entry
name? ∈ dom ddictddict’ = {name?} ddict
Delete_OK
∆ DataDictionaryname?: NAME
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 61
Specifying Ordered CollectionsSpecification using functions does not allow ordering to be specified.Sequences are used for specifying ordered collections.A sequence is a mapping from consecutive integers to associated values.
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 62
A Z Sequence
1234567
149
16253649
Domain (SqSeq) Range (SqSeq)
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 63
Data Dictionary Extract OperationThe Extract operation extracts from the data dictionary all those entries whose type is the same as the type input to the operation.The extracted list is presented in alphabetical order.A sequence is used to specify the ordered output of Extract.
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 64
The Extract Operation
∀ n : dom ddict • ddict(n). type = in_type? ⇒ ddict (n) ∈ rng rep!∀ i : 1 <= i <= #rep! • rep! (i).type = in_type?∀ i : 1 <= i <= #rep! • rep! (i) ∈ rng ddict∀ i , j: dom rep! • (i < j) ⇒ rep. name(i) < NAMErep.name (j)
Extract
DataDictionar yrep!: seq DataDictionaryEntryin_type?: Sem_model_types
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 65
Extract PredicateFor all entries in the data dictionary whose type is in_type?, there is an entry in the output sequence.The type of all members of the output sequence is in_type?All members of the output sequence are members of the range of ddict.The output sequence is ordered.
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 66
Data Dictionary Specification
The_Data_Dictionary
DataDictionaryInit-DataDictionaryAddLookupDelete_OKReplace_OKExtract
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 67
Z Examples
P1 →<F,H,M>P2 → <Ma, C, B>P3 →<>
QueuesFer.Por.
Serviced
∆Filling Station
∀ p: dom queues • queues’(p) = <>serviced’ = ∅
Init Filling Station
[pump CAR]
→queues: pump seq CARserviced: |P CAR
∀ p1,p2 : dom queues • p1 ≠ π2 ⇒ (rng queues(p1) ∩ rng queues(p2) = ∅
/* a car cannot be in 2 queues */
∀ p : dom queues • # queues(p) = #rng(queues(p))/* (length of queue of pump p) = number of diff cars
in queue of p and no duplicate cars in thesame queue */
∀ p : dom queues • (serviced ∩ rng(queues(p)) = ∅ )/* serviced cars are not in queue */
Filling Station
car? : CARp? : pump
p? : ∈ dom queues • car? ∉ rng queues(p?)queues’ = queues ⊕ {p? queues(p?) ∧ <car?>}serviced’ = serviced
→
Arrivals
Serviced Pump Seq Car
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 68
Z Examples (2)∆Filling Stationcar? : CARp? : pump
p? ∈ dom queuesqueues(p?) ≠ <>car? = head queues(p?)queues’ = queues ⊕ {p? tail queues(p?)}serviced’ = serviced ∪ {car?}
α
Serviced
∆FillingStationcar? : CARp?,q? : pump
p? ∈ dom queues ∧ q? ∈ dom queuesp? ≠ q?car? ∈ rng queues(p?)queues’ = queues ⊕ {p? squash(queue(p?) {car?}), q? queues(q?) ∩ <car?>}serviced’ = serviced
α α
Switches
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 69
Z Examples (3)
∆FillingStationcar? : CARp? : pump
p? ∈ dom queuescar? ∈ rng queues(p?)queues’ = queues ⊕ {p? squash(queues(p?)) {car?)}serviced’ = serviced
α
LeavesUnhappy
State
in = {}out = {}users = {}
InitState
ΞStatenew? : STAFF_IDmessage! : REPORT
new? ∈ usersmessage! = already_user
AlreadyUser
message! : REPORT
message! = OK
Successin, out, users: P STAFF_ID
in ∩ out = {}in ∪ out = users
State
∆Statenew? : STAFF_ID
new? ∉ usersin’ = inout’ = out ∪ {new?}users? = users ∪ {new}
AddOK
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 70
Z Examples (4)
∆Statestaff? : STAFF_ID
staff? ∈ inin’ = in \ {staff?}out’ = out ∪ {staff?}users’ = users
CheckOut
ΞState, staff? : STAFF_IDmessage! : REPORT
staff? ∈ inmessage! = “Already in”
StaffInΞState, staff? : STAFF_IDmessage! : REPORT
staff? ∉ usersmessage! = “Not a user”
NotUser∧
Add (AddOk ∧ Success) ∨ (AlreadyUser)=∧
RCheckIn (Checkin ∧ Success) ∨ CheckInError
CheckInError StaffIn ∨ NotUser
=∧
=∧
©Ian Sommerville 1995/2000 (Modified by Spiros Mancoridis 1999) Software Engineering, 6th edition. Chapter 9 Slide 71
Symbol Sheet
onto but not necessarily one-to-onePartial Mapping→
One-to-one and ontoFunctional mapping
{Ian} {Ian 3390, Ray 3392} = {Ray 3392}Domain Subtraction Operator
SchemaName Schema Definition Linear Schema Definition
{a,b} = {{},{a},{b}, {a,b}Power SetP
True if either a or b is trueOR∧
True if both a and b are trueAND∨
State Variables change∆
There exists at least oneExistential Quantifier∃
No state change occurs for the named state variableXiΞ
Such That•
Equivalent≡
{Ian 3390} ⊕ {Ray 3392} = {Ian 3390, Ray 3392}Function Overriding Operator⊕
{}Null Set∅
{a,b} ∩ {b,c} = {b}Intersection∩
{a} ∪ {b} = {a,b}Union∪
a is not an element of bnot an element of∉
a is an element of belement of∈
a if and only if bEquivalence⇔
if a then bImplication⇒
Summation∑
For all elements in a setUniversal Quantifier∀
=̂
α
=̂α α α
α ααα