236368 Emilia Katz, Shahar Dag
1
Formal Specifications for Complex Systems (236368)
Tutorial #13
Algebraic Specification and Larch
Today:
• Larch Specification Language
• Initial and Final Algebras
• Larch Interface Language
• Examples
General Structure
trait_name : trait                          // data structure behavior, properties
  includes trait1 rename_list, trait2 rename_list, …
  introduces                                // operations declaration
    operator_list
  asserts                                   // axioms – operations definition
    predicate_list
    var_type generated by operator_list
    var_type partitioned by observer_list
  implies additional_claims
  implies converts operation_list
  implies converts operation_list exempting special_cases
Example (includes)

trait1 : trait
  introduces
    __ ↔ __ : T, T → bool
  asserts
    ∀x:T  x ↔ x

trait2 : trait
  introduces
    __ R __ : T, T → bool
  asserts
    ∀x, y, z:T  (x R y ∧ y R z) ⇒ x R z

trait3 : trait
  includes trait1 ( ≤ for ↔ ), trait2 ( ≤ for R )

What is the meaning of these traits?
trait1: reflexive relation
trait2: transitive relation
trait3: pre-order
What operations are defined for this trait?
≤ instead of ↔ , R
Example - Set
Want to be able to:
• Create a new set
• Add / remove elements from a set
• Check whether an element is in the set
• Get the size of the set
• Get a union / intersection of two sets
Example – Set (cont.)
settrait : trait
  introduces
    {} : → set
    _ ∈ _ : E , set → bool
    insert : E , set → set
    delete : E , set → set
    size : set → int
    _ ∪ _ : set , set → set
    _ ⋂ _ : set , set → set
  // to be continued…

can write “E x set” instead of “E, set” (another notation…)
Example – Set (contd.2)
Define operations and connections between them:
• What does a newly created set look like?
• What is the effect of adding / removing elements from a set?
• How is the size of a set defined?
• What is a union / intersection of two sets?
Example – Set (contd.3)
  asserts
    ∀ e , e1 : E , s , s1 : S
      ¬( e ∈ {} );
      e ∈ insert(e1 , s) == e = e1 ⋁ e ∈ s;
      size( {} ) == 0;
      size( insert(e , s) ) == if e ∈ s then size(s) else size(s) + 1;
      delete( e , {} ) == {};
      delete( e , insert(e1 , s) ) == if e = e1 then delete(e , s) else insert(e1 , delete(e , s));
      s ∪ {} == s;
      s ∪ insert( e , s1 ) == insert( e , s ∪ s1 );
      s ⋂ {} == {};
      s ⋂ insert( e , s1 ) == if e ∈ s then insert( e , s ⋂ s1 ) else s ⋂ s1;
Example – Set (contd.4)
generated by:
  set generated by {} , insert
partitioned by:
  set partitioned by ∈
Well-definedness of operations of the trait:
  implies converts {} , ∈, insert, delete, size, ∪, ⋂
  (all the operations are well-defined, no special cases)
Example – Set (contd.5)
Is the following true?
  set implies delete(5 , insert(7 , insert(5 , {}))) = insert(7 , {})

delete(5 , insert(7 , insert(5 , {})))
  == insert(7 , delete(5 , insert(5 , {})))    // axiom 2 about delete, the “else” part
  == insert(7 , delete(5 , {}))                // axiom 2 about delete, the “then” part
  == insert(7 , {})                            // axiom 1 about delete
=> The statement is true!
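The settrait axioms above can be read as a term-rewriting system over the generators {} and insert, and the derivation on this slide is then a mechanical evaluation. The following Python is an added example, not part of the tutorial: it represents a set as a term (`EMPTY` for {}, a tuple `('insert', e, s)` for insert(e, s)) and defines ∈, size, delete, ∪ and ⋂ by structural recursion that follows the asserts clause axiom by axiom. The function and constant names are this example's own choice.

```python
# Added example (not from the tutorial): the settrait axioms as a Python evaluator.
# A set is a term built only from the generators of the trait, {} and insert
# (set generated by {}, insert). EMPTY stands for {}; insert(e, s) is the tuple
# ('insert', e, s). Every other operation is defined by structural recursion that
# follows the asserts clause axiom by axiom.

EMPTY = ('empty',)


def insert(e, s):
    """Generator: no axiom rewrites insert(e, s), so the term is kept as is."""
    return ('insert', e, s)


def member(e, s):
    """e ∈ s."""
    if s == EMPTY:
        return False                          # ¬(e ∈ {})
    _, e1, rest = s
    return e == e1 or member(e, rest)         # e ∈ insert(e1, s) == e = e1 ∨ e ∈ s


def size(s):
    if s == EMPTY:
        return 0                              # size({}) == 0
    _, e, rest = s
    # size(insert(e, s)) == if e ∈ s then size(s) else size(s) + 1
    return size(rest) if member(e, rest) else size(rest) + 1


def delete(e, s):
    if s == EMPTY:
        return EMPTY                          # delete(e, {}) == {}
    _, e1, rest = s
    if e == e1:
        return delete(e, rest)                # second delete axiom, "then" part
    return insert(e1, delete(e, rest))        # second delete axiom, "else" part


def union(s, s1):
    if s1 == EMPTY:
        return s                              # s ∪ {} == s
    _, e, rest = s1
    return insert(e, union(s, rest))          # s ∪ insert(e, s1) == insert(e, s ∪ s1)


def inter(s, s1):
    if s1 == EMPTY:
        return EMPTY                          # s ⋂ {} == {}
    _, e, rest = s1
    # s ⋂ insert(e, s1) == if e ∈ s then insert(e, s ⋂ s1) else s ⋂ s1
    return insert(e, inter(s, rest)) if member(e, s) else inter(s, rest)


def show(s):
    """Render a term in the notation of the slides."""
    if s == EMPTY:
        return '{}'
    _, e, rest = s
    return f'insert({e}, {show(rest)})'


def slide_derivation():
    """Each line of the derivation on the slide, evaluated with the axioms above.
    All four terms must reduce to the same generator term, insert(7, {})."""
    terms = [
        delete(5, insert(7, insert(5, EMPTY))),   # the claim's left-hand side
        insert(7, delete(5, insert(5, EMPTY))),   # after the "else" part of delete axiom 2
        insert(7, delete(5, EMPTY)),              # after the "then" part of delete axiom 2
        insert(7, EMPTY),                         # after delete axiom 1
    ]
    return [show(t) for t in terms]


if __name__ == '__main__':
    for line in slide_derivation():
        print(line)
```

Because insert is a free generator, the evaluator never rewrites an insert term; only the defined operations reduce, which is exactly why the derivation stops at insert(7, {}) and why the next slide's question about insert(7, insert(5, {})) and insert(5, insert(7, {})) cannot be settled by these axioms.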
Example – Set (contd.6)
Is the following true?
set implies insert(7 , insert(5 , {})) = insert(5 , insert(7 , {}))
No axioms to help us decide!
Initial and Final Algebras
Initial algebra:
insert(7 , insert(5 , {})) ≠ insert(5 , insert(7 , {})) since they cannot be proven equal from the axioms of set
Final algebra:
insert(7 , insert(5 , {})) = insert(5 , insert(7 , {})) since they cannot be distinguished by the observers
Larch keeps the decision open for the user of the trait (by the addition of partitioned by)
Initial and Final Algebras
Question: What would the following statement mean:
  - set partitioned by size
Answer: We claim that two sets are equal if they are of the same size.
Is this good?
No! It would mean that insert(5 , {}) = insert(7 , {}), which “breaks” the algebra as we can now prove false claims:
  - 5 ∈ insert(5 , {})
  - insert(5 , {}) = insert(7 , {})
  - => 5 ∈ insert(7 , {})
  - => 5 ∈ {} !
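The two slides above make two distinct points: equality of generator terms differs between the initial algebra (only what the axioms prove) and the final algebra (only what the observers can tell apart), and a partitioned by clause is only sound if it does not identify terms that an existing observer distinguishes. The Python below is an added example, not the tutorial's, using the same term representation as before (`EMPTY` for {}, `('insert', e, s)` for insert(e, s)); `initially_equal`, `finally_equal`, `size_equiv` and `partition_is_sound` are names chosen here.

```python
# Added example (not from the tutorial): initial vs. final equality of set terms, and a
# check of whether a proposed "partitioned by" clause is sound. Terms use the same
# representation as the settrait: EMPTY is {}, insert(e, s) is ('insert', e, s).

EMPTY = ('empty',)


def insert(e, s):
    return ('insert', e, s)


def member(e, s):
    if s == EMPTY:
        return False
    _, e1, rest = s
    return e == e1 or member(e, rest)


def size(s):
    if s == EMPTY:
        return 0
    _, e, rest = s
    return size(rest) if member(e, rest) else size(rest) + 1


def elements(s):
    """All elements mentioned in a term: the only candidates that can observe a difference."""
    out = set()
    while s != EMPTY:
        _, e, s = s
        out.add(e)
    return out


def initially_equal(s, t):
    """Initial algebra: generator terms are equal only if the axioms prove it. No axiom
    relates two insert terms, so distinct generator terms are distinct values."""
    return s == t


def finally_equal(s, t):
    """Final algebra with 'set partitioned by ∈': equal iff no element distinguishes them."""
    return all(member(e, s) == member(e, t) for e in elements(s) | elements(t))


def size_equiv(s, t):
    """The equality that 'set partitioned by size' would impose."""
    return size(s) == size(t)


def partition_is_sound(equiv, terms):
    """A partitioning is sound only if every pair it identifies also agrees on the
    observer ∈ the trait already has. Otherwise, as on the slide, substituting equals
    for equals derives e ∈ {} for some e, contradicting ¬(e ∈ {})."""
    return all(finally_equal(s, t) for s in terms for t in terms if equiv(s, t))


def counterexample(equiv, terms):
    """The first pair that equiv identifies but ∈ tells apart, with a witness element."""
    for s in terms:
        for t in terms:
            if equiv(s, t) and not finally_equal(s, t):
                witness = next(e for e in sorted(elements(s) | elements(t))
                               if member(e, s) != member(e, t))
                return s, t, witness
    return None


# Constructed sample terms covering the cases discussed on the slides.
SAMPLE_TERMS = [EMPTY, insert(5, EMPTY), insert(7, EMPTY),
                insert(7, insert(5, EMPTY)), insert(5, insert(7, EMPTY))]
```

Run against `SAMPLE_TERMS`, `counterexample(size_equiv, ...)` returns the pair insert(5, {}) and insert(7, {}) with the witness 5, which is precisely the chain of false claims the slide derives.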
Larch Interface Language - LCL
• second layer of a Larch specification
• we will only show some of the main features of LCL
• termination requirement is implicit
• may use any sorts and operations defined in LSL traits
• the mapping of types to sorts (E for set…) is done when introducing the used traits, by renaming the sorts to the correct types: uses trait (type for sort, …)
• LCL manipulates objects (variables). They can be:
  • mutable: its value can be changed (specified by var)
  • immutable: it is guaranteed to stay constant.
LCL – The general form

uses traits with [rename_list]
procedure header
  requires P
  modifies L
  ensures Q

P – the precondition of the I/O assertion
  • Contains restrictions on the input
  • Prevents calls with illegal values
  • Must be fulfilled by the caller
L – the list of changeable objects
Q – the post condition
  • Relating final values [primed (‘) version] to initial ones.
  • Must be established by the procedure
Note – implicit condition: the function must terminate!
Example

uses settrait with [set for set, integer for E]

procedure setinit(var s : set)
  modifies s
  ensures s’ = {}
  // corresponds to {} of settrait

procedure setinsert(e : integer; var s : set)
  requires size( insert( e , s ) ) ≤ 100
  modifies s
  ensures s’ = insert( e , s )
  // corresponds to insert; add a restriction: size ≤ 100

procedure setrem(e : integer; var s : set; var f : bool)
  modifies s , f
  ensures s’ = delete( e , s ) ∧ f’ = ( e ∈ s )
  // Delete an element; report if it was in the set before: combination of delete and ∈

function choose(s : set; var e : integer) : bool
  modifies e , choose
  ensures if size( s ) > 0 then ( choose’ ∧ (e’ ∈ s) ) else ( ¬choose’ ∧ (e’ = e) )
  // return an arbitrary element; no corresp. operation

Use Pascal-like syntax
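The requires / modifies / ensures triple divides responsibility between caller and procedure: requires is the caller's obligation, ensures is the procedure's, and modifies is a frame that everything not listed must survive unchanged. The Python below is an added example, not part of the tutorial, that turns the four LCL procedures of this slide into executable contracts. It assumes the sort set is implemented by Python's `frozenset` (with `integer for E` making the elements ints), that insert, delete and ∈ are the corresponding frozenset operations, and that a program state is a dict from variable names to values; `Spec`, `run`, `violates` and the `*_impl` functions are this example's own scaffolding, not LCL tooling.

```python
# Added example (not from the tutorial): the four LCL procedures of the slide as
# executable contracts. The sort set is implemented by frozenset (the renaming
# 'integer for E' makes its elements ints); insert/delete/∈ are frozenset operations.
# A state is a dict from variable names to values. Spec and run are this example's
# own scaffolding, not Larch/LCL tooling.
import copy


class ContractError(Exception):
    pass


class Spec:
    """requires P; modifies L; ensures Q. Q sees the pre-state and the primed post-state."""
    def __init__(self, requires, modifies, ensures):
        self.requires, self.modifies, self.ensures = requires, frozenset(modifies), ensures


def run(spec, impl, state):
    """Run impl on a copy of state under spec; return the post-state (the primed values)."""
    if not spec.requires(state):
        raise ContractError("requires violated: the caller made an illegal call")
    post = copy.deepcopy(state)
    impl(post)
    # Frame check: only objects listed under 'modifies' may differ from the pre-state.
    changed = {k for k in post if k not in state or post[k] != state[k]}
    if not changed <= spec.modifies:
        raise ContractError(f"modifies violated: {sorted(changed - spec.modifies)} changed")
    if not spec.ensures(state, post):
        raise ContractError("ensures violated: the procedure broke its postcondition")
    return post


def violates(spec, impl, state):
    """True if running impl under spec on state raises a contract error."""
    try:
        run(spec, impl, state)
    except ContractError:
        return True
    return False


def insert(e, s):
    return s | {e}


def delete(e, s):
    return s - {e}


SETINIT = Spec(requires=lambda st: True, modifies={'s'},
               ensures=lambda st, p: p['s'] == frozenset())

SETINSERT = Spec(requires=lambda st: len(insert(st['e'], st['s'])) <= 100,
                 modifies={'s'},
                 ensures=lambda st, p: p['s'] == insert(st['e'], st['s']))

SETREM = Spec(requires=lambda st: True, modifies={'s', 'f'},
              ensures=lambda st, p: (p['s'] == delete(st['e'], st['s'])
                                     and p['f'] == (st['e'] in st['s'])))

CHOOSE = Spec(requires=lambda st: True, modifies={'e', 'choose'},
              ensures=lambda st, p: ((p['choose'] and p['e'] in st['s'])
                                     if len(st['s']) > 0
                                     else (not p['choose'] and p['e'] == st['e'])))


def setinit_impl(st):
    st['s'] = frozenset()


def setinsert_impl(st):
    st['s'] = insert(st['e'], st['s'])


def setrem_impl(st):
    st['f'] = st['e'] in st['s']      # observe membership before removing
    st['s'] = delete(st['e'], st['s'])


def setrem_wrong_order(st):
    st['s'] = delete(st['e'], st['s'])
    st['f'] = st['e'] in st['s']      # defect: observes s after the delete, so f' is never true


def setinsert_touches_e(st):
    st['s'] = insert(st['e'], st['s'])
    st['e'] = 0                       # defect: e is not in the modifies list


def choose_impl(st):
    if st['s']:
        st['choose'] = True
        st['e'] = min(st['s'])        # any element of s satisfies the ensures clause
    else:
        st['choose'] = False          # e keeps its value, as the ensures clause demands
```

The two deliberately defective implementations show what each clause catches: `setrem_wrong_order` passes the frame check but fails ensures because f' is computed from the post-state, and `setinsert_touches_e` satisfies ensures yet fails modifies. A call with size(insert(e, s)) > 100 is rejected before the body runs, since requires is the caller's obligation.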
Exam example - set

Given set and the arithmetic operations (as we have seen), and also the relation symbols (<, <=, <, ...), define:
  max - the maximal element in the set
  second - the second-largest element
Exam example – set (cont.)

First attempt at a solution for max (a student's solution):
  max: S → E
  max(s) = e . e∈S ∧ ¬∃a∈S . a>e
Is this a good solution?
No (ignoring the approximate notation used here for the example).
We want an inductive definition, similar to the other operations, so that we can use it in proofs by induction and in other axioms (and not a solution from logic):
  max( insert( e , s ) ) == if size(s)=0 then e else if max(s) > e then max(s) else e
  implies converts max exempting max( {} )
Exam example – set (cont.)

Now solving second should already be easy:
  second: S → E
  second( s ) == max( delete( max( s ) , s ) )    (*)
  implies converts second exempting second( {} ), ∀e∈E second( insert( e , {} ) )
Doesn't the line marked with * change our set?
No, here we only describe the operations; the interface language will take care of the set.
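The inductive definitions of max and second above, together with their exempting lists, can be checked by evaluating them over generator terms. The Python below is an added example, not the tutorial's, using the term representation `EMPTY` for {} and `('insert', e, s)` for insert(e, s); `max_` (named to avoid the Python builtin), `Exempted` and `is_defined` are names chosen here. It follows the slides' axioms for max and second and raises on exactly the cases the trait exempts.

```python
# Added example (not from the tutorial): the inductive max and second from the exam
# slides, evaluated over generator terms (EMPTY is {}, insert(e, s) is ('insert', e, s)).
# Cases the trait lists under 'exempting' have no defining axiom, so they raise Exempted.

EMPTY = ('empty',)


class Exempted(Exception):
    """No axiom gives this term a value; the trait exempts it from 'converts'."""


def insert(e, s):
    return ('insert', e, s)


def delete(e, s):
    """The two delete axioms of settrait."""
    if s == EMPTY:
        return EMPTY
    _, e1, rest = s
    return delete(e, rest) if e == e1 else insert(e1, delete(e, rest))


def max_(s):
    """max(insert(e, s)) == if size(s) = 0 then e else if max(s) > e then max(s) else e.
    size(s) = 0 holds exactly when s is {} (the size axioms give size(insert(..)) >= 1),
    so the test is on the generator shape. max({}) is exempted."""
    if s == EMPTY:
        raise Exempted('max({})')
    _, e, rest = s
    if rest == EMPTY:
        return e
    m = max_(rest)
    return m if m > e else e


def second(s):
    """second(s) == max(delete(max(s), s)), the line marked (*) on the slide.
    delete builds a new term, so s itself is never changed, as the slide's answer says.
    second({}) and second(insert(e, {})) are exempted; both bottom out in max({})."""
    return max_(delete(max_(s), s))


def is_defined(op, s):
    """True when the axioms assign op(s) a value, i.e. s is not an exempted case."""
    try:
        op(s)
    except Exempted:
        return False
    return True
```

Note that a term such as insert(5, insert(5, {})) also ends in max({}), since under partitioned by ∈ it denotes the same one-element set as insert(5, {}); the exempting clause on the slide is stated for the representative generator term.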
Exam question – Moed A (first sitting) 2013
Exam question – Moed A (first sitting) 2013 (cont.)
Solution: available on the course website under exams from previous years.