Formal Methods in Software

Lecture 4. Z Notation

Vlad PatryshevSCU2014

you may need Chrome browser to view these slides

Z Notation, a Specification Language● Vaguely based on typed version of Zermelo-Fraenkel set theory● Uses set-theoretic notation for algorithm description● Software tools exist(ed) that could, arguably, verify algorithms● Related to computational logic● Partially replaced these days by Coq and Agda● ISO standard: ISO/IEC 13568:2002● WSDL definition uses it● Lives in an ideal world, not very good for programming with effects● But is related to Agda

The Logic of Z● Propositional logic

○ predicates; true/false○ connectives: a∧b, a∨b,¬a, a⇒b, a⇔b

● Quantifiers○ ∀x • q○ ∃x • q○ ∃1x • q (“exists unique”)

● Many laws (but nothing unusual)

Z has types and constraintsa:T - a is of type Tq a - a satisfies a constraint (a predicate) q

E.g.a,b: Humanx: Dog

likes(a,x)likes(b,x)loves(x,a)loves(x,b)

Signature

Predicates (constraints)

Z uses typed sets● ∅[T] - empty set of elements of type T● {Peter, Paul, James} - a set of people; elements must be of the same type● order does not matter; repetitions make no sense● x∈S - x is an element of S e.g. William ∉ {Jonathan, Jane, Alice, Emma}● P∪Q - union● P∩Q - intersection● P\Q - complement ({x∈P|x∉Q})● P ⊆ Q - P is a subset of Q (P∩Q=P)● P- - complement of P, all members of type that do not belong to P (P-=T\P)

E.g. T-=∅[T] and ∅[T]-=T

● ∪{A,B,C,...} = A∪B∪C∪…

● ∩{A,B,C,...} = A∩B∩C∩…

Set Comprehension{x∈T|P(x)} - a set of all such x that P(x) is true

Properties:● {x:T |p}∩{x:T |q}={x:T |p∧q}● {x:T |p}∪{x:T |q}={x:T |p∨q}● {x:T |p}− ={x:T |¬p}● {x:T |p}⊆{x:T |q} ≡ p⇒q● {x:T |p}={x:T |q} ≡ p⇔q● ∅[T]={x:T |false}● T={x:T |true}

Cartesian ProductIf T and U are types, T×U is the type of pairs (t,u), where t:T, u:U

If P and Q are sets, P×Q = {p:T; q:U|p∈P∧q∈Q • (p,q)}

(meaning, take ps from P, qs from Q, produce all pairs (p,q))

PowersetX∈ℙS ≡ X⊆S

E.g.ℙ∅ = {∅}; ℙ{a} = {∅,{a}}

Finite subsets of S: FSℙ1S = {X∈ℙS | X!=∅}

F1S = {X∈FS | X!=∅}

Binary Relations

R⊆P×QNotation: given a relation R, pRq means (p,q)∈R Alternative notation for pairs (p,q): p↦qE.g. authors = {Bjarne ↦ Cpp, Guido ↦ Python, Martin ↦ Scala}

Set of all relations T ↔ U == ℙ(T × U)E.g. authors ∈ Humans ↔ Languages

Domain and RangeR ∈ T ↔ U

dom R = {x:T |(∃y:U•(x,y)∈R)} - not a very good idea, actually

ran R = {y:U |(∃x:T•(x,y)∈R)} - an even worse idea

E.g.

dom authors = {Bjarne, Guido, Martin}

ran authors = {Cpp, Python, Scala}

Inverse RelationEvery relation has an inverse

R∼ = {y:U;x:T|(x,y)∈R}

E.g. authors = {Bjarne↦Cpp, Guido↦Python, Martin↦Scala}authors~ = {Cpp↦Bjarne, Python↦Guido, Scala↦Martin}

Obviously,● ran(R∼ ) = dom R● dom(R∼ ) = ran R● (R∼)∼ = R

Functions are Relations● Partial Function f: A�B ≡

∀x:A ∀y1,y2:B (x,y1)∈f∧(x,y2)∈f⇒y1=y2

● Total function f: A→B ≡ f is p.f. and ∀x:A ∃y:B (x,y)∈f

● Injection f: A↣B ≡ f is function, and ∀x1,x2:A (x1,y)∈f∧(x2,y)∈f⇒x1=x2

● Surjection f: A↠B: f is function, and ∀y:B ∃x:A (x,y)∈f

● Partial injection, partial surjection● Finite partial function, A�B

● Identity id A = {(x,x):T×T|x∈A}● RTL Composition Q∘R = {(z,x):T×V|∃y:U•(y,x)∈R∧(z,y)∈Q}● Domain restriction A◁R = {(x,y):T×U|(x,y)∈R∧x∈A}● Domain anti-restriction A�R = {(x,y):T×U|(x,y)∈R∧x∉A}● Range restriction A▷R = {(x,y):T×U|(x,y)∈R∧y∈A}● Range anti-restriction A�R = {(x,y):T×U|(x,y)∈R∧y∉A}● Image R(|A|) = {y:U|∃x:T•(x,y)∈R∧x∈A● Inverse R~● Iteration iter n R = R∘(iter (n-1) R); iter 0 R = id● Overriding Q⨁R = (dom R � Q) ∪ R

Operations on Relations

Numbers● ℤ - all integers● ℕ = {x∈ℤ|x≥0}● _+_, _-_, _*_, _div_, _mod_, -_● _≥_, _>_, _≤_, _<_● max(<nonempty set>), min

Axiomatic Description● new operator

● new data with constraint

abs : Z → Z

∀n:Z•

n ≤ 0 ⇒ abs n = −n ∧ n ≥ 0 ⇒ abs n = n

n:ℕ

n<10

Iteration etc● Introduce succ=={0↦1,1↦2,...}; pred==succ~ ● succ = ℕ◁(_+1)

● Rn=R∘R∘...∘R

e.g. succn = ℕ◁(_+n)● Number range a..b={n:ℕ|a≤n≤b}● Cardinality of set S ∈ F T , #S

(For a set to be ‘finite’, it must be in bijection with 1..n for some n.)

Introducing New Types● Just by naming, [A]● data type (like enum): Friends ::= Peter|John|James● recursively, e.g. ℕ ::= zero | succ⟨⟨ℕ⟩⟩

Sequencesseq T =={s:ℕ�T |∃n:ℕ • dom s = 1..n}

● ⟨⟩ - empty sequence● Nonempty sequence seq1 T == seq T \ {⟨⟩}● Injective sequence iseq T == {f: seq T| injective f}● ⟨’a’,’b’,’c’⟩● concatenation: ⟨’a’,’b’,’c’⟩◠⟨’d’,’e’,’f’⟩● prefix ⟨’a’,’b’⟩ ⊆ ⟨’a’,’b’,’c’⟩● head s = s(1); last s = s(#s); tail s; front s● rev ⟨⟩ = ⟨⟩, rev ⟨x⟩ = ⟨x⟩, rev(s◠t) = rev(t)◠rev(s)

SchemasExample:

alternatively,Book≘[author:People;title:seq CHAR; readership: ℙ People;rating:0..10 | readership = dom rating]

author:Peopletitle: seq CHARreadership: ℙ Peoplerating: ↠ 0..10

readership = dom rating

Book

State Machine: Operational SchemaOperation ≘ [ x1:S1;...;xn:Sn; // current state

x1′:S1;...;xn′:Sn; // new state

i1?:T1;...;im?:Tm; // input

o1!:U1;...;op!:Up // output

|

Pre(i1?,...,im?,x1,...,xn); // preconditions

Inv(x1,...,xn); // invariants

Inv(x1′,...,xn′); // invariants

Op(i1?,...,im?,x1,...,xn,x1′ ,...,xn′ ,o1!,...,op!) // step function

]

Example of Operational SchemaAddBirthday ≘ [

known : ℙ NAME;

birthday : NAME � DATE

known′ : ℙ NAME;

birthday′ : NAME � DATE

name? : NAME;

date? : DATE;

|

name? ∉ known;

known = dom birthday;

known′ = dom birthday′;

birthday′ = birthday ∪ {name? ↦ date?}

]

Δ: Operational Schemas ReuseStateSpace ≘ [ x1:S1;...;xn:Sn | Inv(x1,...,xn) ]

Operation ≘ [ Δ StateSpace; // encapsulates changing state

i1?:T1;...;im?:Tm; // input

o1!:U1;...;op!:Up // output

|

Pre(i1?,...,im?,x1,...,xn); // preconditions

Op(i1?,...,im?,x1,...,xn,x1′ ,...,xn′ ,o1!,...,op!) // step function

]

Example of Δ inclusionAddBirthday ≘ [ Δ BirthdayBook;

name? : NAME;

date? : DATE;

|

name? ∉ known;

birthday′ = birthday ∪ {name? ↦ date?}

]

Operations that don’t change StateOperation ≘ [ x1:S1;...;xn:Sn; // current state

x1′:S1;...;xn′:Sn; // new state

i1?:T1;...;im?:Tm; // input

o1!:U1;...;op!:Up // output

|

Pre(i1?,...,im?,x1,...,xn); // preconditions

Inv(x1,...,xn); // invariants

Inv(x1′,...,xn′ ); // invariants

(x1’=x1∧x2’=x2∧...∧xn’=xn); // state does not change

Op(i1?,...,im?,x1,...,xn,x1′ ,...,xn′ ,o1!,...,op!) // step function

]

Ξ: Operational Schemas ReuseGreek letter Ξ, pronounced as /ˈzaɪ/ or /ˈksaɪ/

Operation ≘ [ Ξ StateSpace; // encapsulates unchanging state

i1?:T1;...;im?:Tm; // input

o1!:U1;...;op!:Up // output

|

Pre(i1?,...,im?,x1,...,xn); // preconditions

Op(i1?,...,im?,x1,...,xn,x1′ ,...,xn′ ,o1!,...,op!) // step function

]

Example of Ξ inclusionFindBirthday ≘ [ Ξ BirthdayBook;

name? : NAME;

date! : DATE;

|

name? ∈ known;

date! = birthday(name?)

]

And more...● Can compose schema states● Can connect schemas (output to input)● Can include schemas

WSDLhttp://www.w3.org/TR/wsdl20/wsdl20-z.html

ServiceComponents ≘ [ ComponentModel1; serviceComps : ℙ Service; endpointComps : ℙ Endpoint;|

serviceComps = { x : Service |service(x)∈components }

endpointComps = { x : Endpoint | endpoint(x)∈components }

]

Referenceshttp://images4.wikia.nocookie.net/formalmethods/images/4/4e/Zbook.pdfISO/IEC 13568:2002W3C WSDL standardWikipedia