Title: Lectures 9,10
Formal Specification - Techniques for the unambiguous specification of software
- Objectives
  - To explain why formal specification techniques help discover problems in system requirements
  - To describe the use of
    - algebraic techniques (for interface specification) and
    - model-based techniques (for behavioural specification)
  - To introduce the Abstract State Machine Model
Formal methods
- Formal specification is part of a more general collection of techniques that are known as formal methods (see COMP313 Formal Methods)
- These are all based on mathematical representation and analysis of software
- Formal methods include
  - Formal specification
  - Specification analysis and proof
  - Transformational development
  - Program verification
Acceptance of formal methods
- Formal methods have not become mainstream software development techniques as was once predicted
- Other software engineering techniques have been successful at increasing system quality, so the need for formal methods has been reduced
- Market changes have made time-to-market, rather than software with a low error count, the key factor. Formal methods do not reduce time to market
- The scope of formal methods is limited. They are not well suited to specifying and analysing user interfaces and user interaction
- Formal methods are hard to scale up to large systems
Use of formal methods
- Their principal benefit is in reducing the number of errors in systems, so their main area of applicability is critical systems
  - Air traffic control information systems
  - Railway signalling systems
  - Spacecraft systems
  - Medical control systems
- In this area, the use of formal methods is most likely to be cost-effective
- Outside such systems, formal methods have limited practical applicability
Specification in the software process
- Specification and design are inextricably mixed
- Architectural design is essential to structure a specification
- Formal specifications are expressed in a mathematical notation with precisely defined vocabulary, syntax and semantics
Specification and design (diagram)
Specification in the software process (diagram)
Specification techniques
- Algebraic approach
  - The system is specified in terms of its operations and their relationships
- Model-based approach
  - The system is specified in terms of a state model that is constructed using mathematical constructs such as sets and sequences
  - Operations are defined by modifications to the system's state
Formal specification languages (table)
Use of formal specification
- Formal specification involves investing more effort in the early phases of software development
- This reduces requirements errors, as it forces a detailed analysis of the requirements
- Incompleteness and inconsistencies can be discovered and resolved
- Hence savings are made, as the amount of rework due to requirements problems is reduced
Development costs with formal specification (diagram)
1. Interface specification
- Large systems are decomposed into subsystems with well-defined interfaces between these subsystems
- Specification of subsystem interfaces allows independent development of the different subsystems
- Interfaces may be defined as abstract data types or object classes
- The algebraic approach to formal specification is particularly well suited to interface specification
Sub-system interfaces (diagram)
The structure of an algebraic specification
- introduction:
    <SPECIFICATION NAME> (Generic Parameter)
    sort <name>
    imports <LIST OF SPECIFICATION NAMES>
- description: Informal description of the sort and its operations
- signature: Operation signatures setting out the names and the types of the parameters to the operations defined over the sort
- axioms: Axioms defining the operations over the sort
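The following is an added example, not code from the lecture: it writes out an algebraic specification of a List sort in the four-part template above (introduction, description, signature, axioms) and then uses the axioms as an oracle to check concrete implementations of the interface. The sort, its operations and axioms are my own illustration of the technique, Python is used instead of a specification language so the check can be run, and the two implementations fifo_list and buggy_list are hypothetical, constructed for this example.

```python
# Added example (not from the lecture): algebraic specification of a List
# sort, then a check of implementations against its axioms.
#
#   LIST (Elem)
#   sort List
#   imports INTEGER
#   description: lists whose elements are added at the end and removed from
#                the front
#   signature:
#     Create: -> List                Head: List -> Elem
#     Cons:   List x Elem -> List    Tail: List -> List
#     Length: List -> Integer
#   axioms (L a List, v an Elem):
#     A1 Length(Create) = 0
#     A2 Length(Cons(L, v)) = Length(L) + 1
#     A3 Head(Cons(Create, v)) = v
#     A4 Head(Cons(L, v)) = Head(L)            if L != Create
#     A5 Tail(Create) = Create
#     A6 Tail(Cons(Create, v)) = Create
#     A7 Tail(Cons(L, v)) = Cons(Tail(L), v)   if L != Create
from dataclasses import dataclass
from itertools import product
from typing import Any, Callable, List as PyList, Sequence


@dataclass(frozen=True)
class ListInterface:
    """The signature: an implementation must supply these five operations."""
    create: Callable[[], Any]
    cons: Callable[[Any, int], Any]
    head: Callable[[Any], int]
    tail: Callable[[Any], Any]
    length: Callable[[Any], int]


def violated_axioms(impl: ListInterface, elems: Sequence[int], max_len: int) -> PyList[str]:
    """Enumerate every term Cons(...Cons(Create, e1)..., en) with n < max_len
    elements drawn from elems and evaluate each axiom on it.  Returns the
    names of the axioms the implementation breaks (sorted, no repeats)."""
    broken = set()
    empty = impl.create()
    if impl.length(empty) != 0:
        broken.add("A1 Length(Create) = 0")
    if impl.tail(empty) != empty:
        broken.add("A5 Tail(Create) = Create")
    for n in range(max_len):
        for values in product(elems, repeat=n):
            L = empty
            for v in values:                     # build the term bottom-up
                L = impl.cons(L, v)
            for v in elems:
                LV = impl.cons(L, v)
                if impl.length(LV) != impl.length(L) + 1:
                    broken.add("A2 Length(Cons(L, v)) = Length(L) + 1")
                if L == empty:
                    if impl.head(LV) != v:
                        broken.add("A3 Head(Cons(Create, v)) = v")
                    if impl.tail(LV) != empty:
                        broken.add("A6 Tail(Cons(Create, v)) = Create")
                else:
                    if impl.head(LV) != impl.head(L):
                        broken.add("A4 Head(Cons(L, v)) = Head(L)")
                    if impl.tail(LV) != impl.cons(impl.tail(L), v):
                        broken.add("A7 Tail(Cons(L, v)) = Cons(Tail(L), v)")
    return sorted(broken)


# Hypothetical implementation 1: tuples, append at the end, drop from the front.
fifo_list = ListInterface(
    create=lambda: (),
    cons=lambda L, v: L + (v,),
    head=lambda L: L[0],
    tail=lambda L: L[1:],
    length=len,
)

# Hypothetical implementation 2: identical except that Tail drops the *last*
# element (stack behaviour).  The empty-list axioms still hold, A7 does not.
buggy_list = ListInterface(
    create=lambda: (),
    cons=lambda L, v: L + (v,),
    head=lambda L: L[0],
    tail=lambda L: L[:-1],
    length=len,
)

if __name__ == "__main__":
    print("fifo_list  violates:", violated_axioms(fifo_list, (1, 2), 3))
    print("buggy_list violates:", violated_axioms(buggy_list, (1, 2), 3))
```

Because the axioms mention only the operations in the signature, the same check applies to any implementation of the interface, which is exactly why the algebraic style suits subsystem interfaces developed independently. Head(Create) is deliberately left unspecified, as in the lecture's template the axioms describe only the defined cases.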
Behavioural specification
- Algebraic specification can be cumbersome when the object operations are not independent of the object state
- Model-based specification exposes the system state and defines the operations in terms of changes to that state
OSI reference model (diagram showing where model-based specification and algebraic specification apply to the layers, with the Application layer at the top)
Abstract State Machine Language (AsmL)
- AsmL is a language for modelling the structure and behaviour of digital systems
- AsmL can be used to faithfully capture the abstract structure and step-wise behaviour of any discrete system, including very complex ones such as
  - integrated circuits, software components, and devices that combine both hardware and software
Abstract State
- An AsmL model is said to be abstract because it encodes only those aspects of the system's structure that affect the behaviour being modelled
- The goal is to use the minimum amount of detail that accurately reproduces (or predicts) the behaviour of the system
- Abstraction helps us reduce complex problems into manageable units and prevents us from getting lost in a sea of details
- AsmL provides a variety of features that allow you to describe the relevant state of a system in a very economical, high-level way
Abstract State Machine and Turing Machine
- An abstract state machine is a particular kind of mathematical machine, like the Turing machine (TM)
- But unlike a TM, ASMs may be defined at a very high level of abstraction
- An easy way to understand ASMs is to see them as defining a succession of states that may follow an initial state
State transitions
- The behaviour of a machine (its run) can always be depicted as a sequence of states linked by state transitions
- Moving from state A to state B is a state transition
Configurations
- Each state is a particular configuration of the machine
- The state may be simple or it may be very large, with complex structure
- But no matter how complex the state might be, each step of the machine's operation can be seen as a well-defined transition from one particular state to another
Evolution of state variables
- We can view any machine's state as a dictionary of (Name, Value) pairs, called state variables
- (Colour, Red) is a variable, where Colour is the name of the variable and Red is the value
Evolution of state variables
- Names are given by the machine's symbolic vocabulary
- Values are fixed elements, like numbers and strings of characters
- The run of a machine is a series of states and state transitions that results from applying operations to each state in succession
Example
- The diagram shows the run of a machine that models how orders might be processed
- Each transition operation
  - can be seen as the result of invoking the machine's control logic on the current state
  - calculates the subsequent state as output
Control Logic
- The machine's control logic behaves like a fixed set of transition rules that say how state may evolve
- The typical form of the operational text is: if condition then update
- We can think of the control logic as a text that precisely specifies, for any given state, what the values of the machine's variables will be in the following step
Control Logic as a Black Box
- The machine's control logic is a black box that takes as input a state dictionary S1 and gives as output a new dictionary S2
    input  S1: mode = Initial, orders = 0, balance = 0
    output S2: mode = Active,  orders = 2, balance = 200
- The two dictionaries S1 and S2 have the same set of keys, but the values associated with each variable name may differ between S1 and S2
Run of the Machine
- The run of the machine can be seen as what happens when the control logic is applied to each state in turn
- The run starts from the initial state: S1 → S2 → S3 → ...
- S1 is given to the black box yielding S2, processing S2 results in S3, and so on
- When no more changes to state are possible, the run is complete
Update operations
- We use the symbol := (reads as "gets") to indicate the value that a name will have in the resulting state
- For example: mode := Active
- The update can be seen only during the following step (this is in contrast to Java, C, Pascal, ...)
- All changes happen simultaneously when moving from one step to the next: all updates of a step happen at once, like an atomic transaction
Programs
- Example 1. Hello, world
    Main()
      step
        WriteLine("hello, world!")
- AsmL uses indentation to denote block structure, and blocks can be placed inside other blocks
- Statement blocks affect the scope of variables
- Whitespace includes blanks and the new-line character; AsmL does not recognize the tab character for indentation!
- An operation named Main() gives the top-level operational definition of the model (Main() is like main() in Java and C)
The Executable Specification Language - AsmL
- Compiler: asmlc <name of the program>
- Use the D: drive at the University Laboratories
- Example:
    D:\> asmlc test.asml
    D:\> test.exe
    D:\> test.exe > output_file.txt
I. Steps
- The general syntax for steps is
    step [label] [stopping-condition]
      statement-block
- a statement block consists of the indented statements that follow
- a label is an optional string, number or identifier followed by a colon (:)
- a stopping condition is any of these forms
  - until fixpoint
  - until expression
  - while expression
- A step can be introduced independently or as part of a sequence of steps in the form step ... step ...
Stopping for fixed point: until fixpoint
    enum EnumMode
      Initial
      Started
      Finished
    var mode = Initial
    var count = 0
    Main()
      step until fixpoint
        if mode = Initial then
          mode := Started
          count := 1
        if mode = Started and count < 10 then
          count := count + 1
        if mode = Started and count >= 10 then
          mode := Finished
Stopping for conditions: while, until
- Either while or until may be used to give an explicit stopping condition for iterated sequential steps of the machine
    step while expression
    step until expression
- Example with while:
    var x as Integer = 1
    Main()
      step while x < 10
        WriteLine(x)
        x := x + 1
- Example with until:
    var x as Integer = 1
    Main()
      step until x > 9
        WriteLine(x)
        x := x + 1
- Running each of these examples produces nine steps. It will print the numbers 1, 2, 3, 4, 5, 6, 7, 8 and 9 as output
Conditions
- Comparison: = (eq), ≠ (ne), <, ≤, >, ≥
- Membership and set relations: in (∈), notin (∉), subset (⊂), superset (⊃), subseteq (⊆), superseteq (⊇)
Sequences of steps
- The syntax step ... step ... indicates a sequence of steps that will be performed in order
- Labels after the step keyword are optional but helpful as documentation
Be wary!
- Be wary of introducing unnecessary steps
- This can occur if two operations are really not order-dependent but are given as two sequential steps regardless
- It is very easy to fall into this trap, since most people are used to the sequential structures used by other programming languages
Iteration over collections
- Another common idiom for iteration is to do one step per element in some finite collection such as a set or sequence
    step foreach ident1 in expr1, ident2 in expr2, ...
      statement-block
- Example:
    myList = [1, 2, 3]
    Main()
      step foreach i in myList
        WriteLine(i)
- Sequential, step-based iteration is available for sets as well as sequences, but in the case of sets the order is not specified
Guidelines for using steps
    Situation                                               You choose
    operations occur in a fixed order                       sequence of steps
    each operation must be done in order                    iterated steps with stopping condition (while, until)
    operations must be done in sequence, one after another  iteration over collection (foreach)
    operations can be done without order                    iteration over collection (forall)
    repeat an operation until no more changes occur         fixed-point stopping condition (until fixpoint)
II. Updates: how are variables updated?
- A program defines state variables and operations
- The most important concept is that state is a dictionary of (name, value) pairs
- Each name identifies one state variable (a location in the state)
- Operations may propose new values for state variables
- But the effect of these changes is only visible in the subsequent step
The update statement
- Update symbol := (reads as "gets")
    var x = 0
    var y = 1
    Main()
      step
        WriteLine("In the first step, x = " + x)    // x is 0
        WriteLine("In the first step, y = " + y)    // y is 1
        x := 2
      step                                          // updates occur here
        WriteLine("In the second step, x = " + x)   // x is 2
        WriteLine("In the second step, y = " + y)   // y is 1
Delayed effect of updates
- Updates don't actually occur until the step following the one in which they are written
    var x = 0
    var y = 1
    Main()
      step
        WriteLine("In the first step, x = " + x)    // x is 0
        WriteLine("In the first step, y = " + y)    // y is 1
      step
        x := 2
        WriteLine("In the second step, x = " + x)   // x is still 0
      step
        WriteLine("In the third step, x = " + x)    // x is 2
When updates occur
- All updates given within a single step occur simultaneously at the end of the step
- Conceptually, the updates are applied in between the steps
- Swapping values
    in C, Java:        in AsmL:
      temp = x;          step
      x = y;               x := y
      y = temp;            y := x
Consistency of updates
- The order within a step does not matter, but all of the updates in the step must be consistent
- None of the updates given within a step may contradict each other
- If updates do contradict, they are called inconsistent updates and an error occurs
- Inconsistent update (Error: CLASH in the update set):
    step
      x := 1
      x := 2
  we don't know which of the two should take effect
Total and partial updates
- An update of a variable can be either total or partial
- A total update is a simple replacement of the variable's value with a new value
- Partial updates apply to variables that have structure
- The left-hand side of the update operation X := val indicates whether the update is total or partial
Total update of a set-valued variable
    var Students as Set of String = {}
    Main()
      step
        WriteLine("The initial roster is " + Students)
        Students := {"Bill", "Carol", "Ted", "Alice"}
      step
        WriteLine("The final roster is " + Students)
- The variable Students was, initially, an empty set
- It was then updated to contain the names of the four students
- The update became visible in the second step as the final roster
Partial update of a set-valued variable
    var Students as Set of String = {}
    Main()
      step
        WriteLine("The initial roster is " + Students)
        Students("Bill") := true
        Students("Carol") := true
        Students("Ted") := true
        Students("Alice") := true
      step
        WriteLine("The final roster is " + Students)
- X := val is the update operation
- If X ends with an index form, then the update is partial
- If X ends with a variable name, then the update is total
Updating a set-valued variable
    var Students as Set of String = {}
    Main()
      step
        WriteLine("The initial roster is " + Students)
        Students := {"Bill", "Carol", "Ted", "Alice"}
      step
        WriteLine("The current roster is " + Students)
        Students("Bill") := false    // partial update: removes Bill
      step
        WriteLine("The final roster is " + Students)
- Updating the set Students with the partial update Students("Bill") := false removes Bill from the set
- The update is partial in the sense that other students may be added to the set Students in the same step without contradiction
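To make the update semantics of the preceding slides executable (the state as a (name, value) dictionary and the control logic as a black box over it, updates taking effect only in the following step, the swap without a temporary, the x := 1 / x := 2 clash, the until fixpoint machine, and partial updates of a set-valued variable), here is an added example: a minimal abstract state machine runner written in Python rather than AsmL, so that it can be run without the asmlc compiler. It is not code from the lecture or from the AsmL toolset; the names propose, apply_updates, run_until_fixpoint and InconsistentUpdate are my own, and the roster data ("Dan" in particular) is constructed for the example.

```python
# Added example (not from the lecture, not AsmL): a tiny ASM runner.
# A state is a dict of (name, value) pairs.  The control logic is a function
# that reads the current state and *proposes* an update set; all updates of a
# step are applied at once, between steps, and never read the new state.
from typing import Any, Callable, Dict, Hashable, Tuple

State = Dict[str, Any]
Location = Hashable      # "x" for a total update, ("Students", "Bill") for a partial one
Updates = Dict[Location, Any]
Rule = Callable[[State], Updates]


class InconsistentUpdate(Exception):
    """CLASH in the update set: two different values proposed for one location."""


def propose(updates: Updates, loc: Location, value: Any) -> None:
    """Record one update; the same value twice is harmless, a different one is a clash."""
    if loc in updates and updates[loc] != value:
        raise InconsistentUpdate(f"CLASH at {loc!r}: {updates[loc]!r} vs {value!r}")
    updates[loc] = value


def apply_updates(state: State, updates: Updates) -> State:
    """Next state from the old state plus the update set.  A partial update
    (name, key) := True/False adds or removes one member of a set-valued variable."""
    nxt = dict(state)
    for loc, value in updates.items():
        if isinstance(loc, tuple):
            name, key = loc
            members = set(nxt.get(name, set()))   # copy: the old state is never mutated
            if value:
                members.add(key)
            else:
                members.discard(key)
            nxt[name] = members
        else:
            nxt[loc] = value
    return nxt


def step(state: State, rule: Rule) -> State:
    """One step: run the control logic on the state, then apply its update set."""
    return apply_updates(state, rule(state))


def run_until_fixpoint(state: State, rule: Rule, max_steps: int = 1000) -> Tuple[State, int]:
    """Repeat steps until a step changes nothing; returns (final state, steps taken)."""
    for taken in range(max_steps):
        nxt = step(state, rule)
        if nxt == state:
            return state, taken
        state = nxt
    raise RuntimeError("no fixpoint within max_steps")


def counting_rule(s: State) -> Updates:
    """The lecture's 'until fixpoint' machine: mode/count with three rules."""
    u: Updates = {}
    if s["mode"] == "Initial":
        propose(u, "mode", "Started")
        propose(u, "count", 1)
    if s["mode"] == "Started" and s["count"] < 10:
        propose(u, "count", s["count"] + 1)
    if s["mode"] == "Started" and s["count"] >= 10:
        propose(u, "mode", "Finished")
    return u


def swap_rule(s: State) -> Updates:
    """x := y, y := x in one step: both right-hand sides read the old state."""
    u: Updates = {}
    propose(u, "x", s["y"])
    propose(u, "y", s["x"])
    return u


def clashing_rule(s: State) -> Updates:
    u: Updates = {}
    propose(u, "x", 1)
    propose(u, "x", 2)        # raises InconsistentUpdate
    return u


def enrol_rule(s: State) -> Updates:
    """Four partial updates to Students in one step: different keys, no clash."""
    u: Updates = {}
    for name in ("Bill", "Carol", "Ted", "Alice"):
        propose(u, ("Students", name), True)
    return u


def drop_bill_rule(s: State) -> Updates:
    """Remove Bill and add Dan (constructed data) in the same step."""
    u: Updates = {}
    propose(u, ("Students", "Bill"), False)
    propose(u, ("Students", "Dan"), True)
    return u


def clash_detected() -> bool:
    try:
        step({"x": 0}, clashing_rule)
    except InconsistentUpdate:
        return True
    return False


def roster_run() -> Tuple[set, set]:
    s1 = step({"Students": set()}, enrol_rule)
    s2 = step(s1, drop_bill_rule)
    return s1["Students"], s2["Students"]


if __name__ == "__main__":
    print(run_until_fixpoint({"mode": "Initial", "count": 0}, counting_rule))
    print(step({"x": 1, "y": 2}, swap_rule))
    print(clash_detected(), roster_run())
```

The mode/count machine changes state eleven times (one step to start, nine to count from 1 to 10, one to finish) and the twelfth step proposes nothing, which is the fixpoint. The clash is caught when the update set is built, before anything is applied, which is why the order of updates inside a step cannot matter: no update can observe another one from the same step.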