Saima Zareen
Formal Specification of a System
A formal specification describes the system behavior and the operations of the system.
The problem with formal specification is the large amount of detailed information required for an accurate system specification, so a structured approach is needed. The basic building block of a specification is the abstract machine; a large specification can be constructed from smaller ones. AMN (Abstract Machine Notation) is used.
Compositional structuring
The combination of abstract machines is itself an abstract machine, permitting hierarchical specification.
Abstract Machines
An abstract machine is the specification of a system. It contains pieces of information that describe various aspects of the specification. The specification must describe what the component should do, i.e. its operations/functions. Operations/functions take inputs from the user, supply outputs to the user, and effect changes within the component.
Interface
The collection of operations by which a machine interacts with its environment.
Components/parts of abstract machines
The machine is required to maintain or process information, and for this a local state is required. The state is represented by the local variables, which are listed under the VARIABLES heading.
INVARIANT
The types of the variables and any other information about them are listed here: the information which must be true of the state. For example, the type of a variable must not change during execution.
INITIALISATION
Represents the initial state.
Machine name
A machine must have a name so that other machines can refer to it. The name is given under the heading MACHINE.
Machine
A machine is not an object in the object-oriented sense, although, like an object, it has a name, an internal state and a set of operations. It may be considered as a black box with buttons on the side corresponding to the operations, and a set of state variables inside.
Abstract machine
Interaction with the machine must be through these buttons.
Example of an abstract machine
Consider the example of a ticket dispenser used in a shop to order the queue. On entry to the shop a customer takes a numbered ticket from the dispenser. When a sales assistant is ready to serve, a display indicates the number of the customer who is to be served next. Customers wait until it is their turn to be served. The system is pictured in the figure.
[Figure: A ticketing system]
The behavior of the ticket system can be represented using an abstract machine. First of all, name the machine:
MACHINE Ticket
VARIABLES
To maintain the state of a system we define variables. A variable should be of a type suitable for expressing the kind of value it can store. Types describe how the system is understood rather than how it is implemented: in terms of values, sets, relations and sequences. A variable can be of type N, the set of natural numbers {0, 1, 2, ...}. In the example we have two kinds of ticket number: the number of the ticket being served, and the number of the next ticket to be dispensed. We model these with the variables serve and next:
VARIABLES serve, next
INVARIANT
The invariant provides information about the variables of the machine: the types of values the variables take, restrictions on their possible values, and their relationships to each other. The values of the variables may change, but the invariant describes the properties of the variables which must remain true throughout execution.
The type of a variable is expressed as either an element of a set (var ∈ TYPE), a subset of a set (var ⊆ TYPE), or an equality (var = expression).
At least one invariant clause should be defined for each variable. For the Ticket machine these are next ∈ N and serve ∈ N.
Further restrictions imposed by the operations can also be added. In the Ticket machine the number being served must be less than or equal to the number of the next ticket to be given out: serve ≤ next.
INVARIANT serve ∈ N ∧ next ∈ N ∧ serve ≤ next
OPERATIONS
An operation has the following parts: the name of the operation; its input parameters; its output parameters; what the operation requires (restrictions, conditions); what the operation modifies (the variables that are changed); and the effect or behavior of the operation (what it does). In B, an operation is described in a structured way. The name, inputs and outputs of an operation are given by an operation header:
outputs ← name(inputs)
where name is the operation name, outputs is a list of outputs and inputs is a list of inputs. A name must be given; inputs and outputs are optional. The Ticket machine will offer two operations: one to serve a customer and update the indicator board, and one to provide the customer with the next ticket:
ss ← serve_next
tt ← take_ticket
Precondition
An operation has a precondition. It states what the operation requires in order to behave correctly: information about all input variables, assumptions about the state and the inputs, and the requirements on the user to ensure that these conditions are met whenever the operation is called.
For example, the serve_next operation will be called when the sales assistant has finished serving a customer. In this case serve must be less than next; if the shop is empty, the value of serve will be the same as next. Thus the precondition will be serve ≤ next.
Body of the operation
The body describes what the operation achieves. It must assign values to the outputs, expressed in terms of the initial state and the input values, and it updates the state variables. In the case of serve_next, serve should be incremented and the output should show the new value of serve. In AMN assignment is written x := E (pronounced "x becomes E"): serve := serve + 1. The output of this operation is assigned the same value: ss, serve := serve + 1, serve + 1. The body relates the before and after states; there are no intermediate states within an operation, so multiple assignments must be written as a simultaneous assignment rather than as a sequence of assignments one after the other.
The complete specification of the operation serve_next combines this header, precondition and body.
The type of the output variable ss is given by the assignment, so there is no need to declare it; it is determined from the operation. After execution, the operation must guarantee that the invariant is still true of the updated state; then the operation is consistent. Is the operation serve_next consistent with the invariant? If the precondition is too weak, there is a chance of inconsistency with the invariant. Strengthening the precondition of serve_next to serve < next imposes more constraints on the user, and then the operation becomes consistent.
Operation take_ticket
If the precondition is simply true, it may be dropped from the specification. Is take_ticket consistent with the invariant of the Ticket machine?
INITIALISATION
Describes the possible initial state of the machine. All variables listed must be initialised. The Ticket machine should start with 0 on the display board, and 0 is the number of the first ticket to be taken:
INITIALISATION serve, next := 0, 0
The INITIALISATION can only be consistent if the initial state is correct with respect to the invariant.
Complete specification of the Ticket machine
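The consistency questions asked above (does serve_next preserve the invariant under the precondition serve ≤ next, under serve < next, and does take_ticket preserve it with no precondition?) can be checked mechanically. The following is an added example, not from the lecture: a Python model of the Ticket machine whose invariant, initialisation and serve_next body are taken from the text, and which checks each operation's proof obligation by enumerating states within a small bound. The body of take_ticket is not on the page, so the one used here (tt, next := next, next + 1) is an assumption; the function serve_next_sequential is also added only to show why AMN uses simultaneous rather than sequential assignment.

```python
"""Executable model of the Ticket abstract machine (added example, not lecture code)."""
from itertools import product
from typing import Callable, Dict, Optional, Tuple

State = Dict[str, int]


def invariant(s: State) -> bool:
    """INVARIANT serve ∈ N ∧ next ∈ N ∧ serve ≤ next"""
    return s["serve"] >= 0 and s["next"] >= 0 and s["serve"] <= s["next"]


def initialisation() -> State:
    """INITIALISATION serve, next := 0, 0"""
    return {"serve": 0, "next": 0}


def serve_next(s: State) -> Tuple[int, State]:
    """Body of ss <- serve_next: ss, serve := serve + 1, serve + 1.
    Both right-hand sides are evaluated in the before-state (simultaneous assignment)."""
    after = dict(s)
    after["serve"] = s["serve"] + 1
    return s["serve"] + 1, after


def serve_next_sequential(s: State) -> Tuple[int, State]:
    """What a *sequential* reading 'serve := serve + 1; ss := serve + 1' would give.
    Added only to show the difference: ss ends up two ahead of the old serve."""
    after = dict(s)
    after["serve"] = s["serve"] + 1
    return after["serve"] + 1, after


def take_ticket(s: State) -> Tuple[int, State]:
    """ASSUMED body for tt <- take_ticket (not given on the page):
    tt, next := next, next + 1"""
    after = dict(s)
    after["next"] = s["next"] + 1
    return s["next"], after


# Candidate preconditions discussed in the lecture.
def weak_pre(s: State) -> bool:
    return s["serve"] <= s["next"]


def strong_pre(s: State) -> bool:
    return s["serve"] < s["next"]


def no_pre(s: State) -> bool:
    return True


def consistent(pre: Callable[[State], bool],
               op: Callable[[State], Tuple[int, State]],
               bound: int = 6) -> Optional[State]:
    """Proof obligation 'invariant ∧ precondition ⇒ invariant holds after the body',
    checked by exhaustive enumeration of serve, next in 0..bound-1.
    Returns the first counterexample state, or None if none is found."""
    for serve, nxt in product(range(bound), repeat=2):
        s = {"serve": serve, "next": nxt}
        if not (invariant(s) and pre(s)):
            continue
        _, after = op(s)
        if not invariant(after):
            return s
    return None


if __name__ == "__main__":
    print("initial state satisfies invariant:", invariant(initialisation()))
    print("serve_next with serve <= next, counterexample:", consistent(weak_pre, serve_next))
    print("serve_next with serve <  next, counterexample:", consistent(strong_pre, serve_next))
    print("take_ticket with no precondition, counterexample:", consistent(no_pre, take_ticket))
    print("simultaneous vs sequential on serve=2:",
          serve_next({"serve": 2, "next": 5})[0], serve_next_sequential({"serve": 2, "next": 5})[0])
```

With the weaker precondition the empty-shop state serve = next = 0 is a counterexample: serving moves serve to 1 while next stays 0, violating serve ≤ next. With serve < next no state within the bound breaks the invariant, and take_ticket needs no precondition at all since it only increases next. The enumeration is a bounded check, not the proof the B method would produce, but it finds exactly the counterexample the lecture reasons about.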
Set theory
The B method makes use of the language of set theory and logic within AMN in order to express these requirements in a formal and precise way.
Set
A set is a collection of entities of some sort. The notation for set membership is e ∈ S, pronounced "e is a member of S", for a set S and element e.
Finite set
Naming convention for sets in B: the names of given sets are in upper case, e.g. SMALLSQUARE = {4, 16, 0, 1, 9}.
Empty set: {}
Set comprehension
A set can be defined as the collection of elements of some type which meet a particular property, as SMALLSQUARE can be.
A segment of the natural numbers can be expressed using the notation m..n, which defines the set of numbers between m and n.
Subset
If all the members of S are also members of another set T, then S is said to be a subset of T: S ⊆ T.
Set combinations
If S and T are both sets, then their union S ∪ T is another set which contains the elements that appear in either S or T. The generalized union ∪ SS over a set of sets SS is the set of elements that appear in any set S ∈ SS.
Intersection
The intersection S ∩ T of two sets is the set of elements that are in both S and T. The generalized intersection ∩ SS over a set of sets SS is the set of elements that appear in every set S ∈ SS. If S ∩ T = {} then S and T are said to be disjoint.
Set subtraction
S - T is the set of members of S which are not members of T. For example, CHESS - GO is the set of all chess players who do not play Go.
Subsets
Sets which contain only elements from S. The empty set {} is always one such set. For SET = {alice, bob} the subsets are:
{} {alice} {bob} {alice, bob}
Power set
The collection of all subsets of S is called the power set of S, and is written as
Cartesian product
The Cartesian product S × T of two sets S and T is the set of ordered pairs (s, t) in which s ∈ S for the first element of the pair and t ∈ T for the second. The Cartesian product is the set of all possible pairings of such elements. For example, for {alice, bob} and {home, work} the pairs are:
(alice, home) (alice, work) (bob, home) (bob, work)
The Cartesian product of two sets S and T is written S × T.
Set-theoretic notation
The size or cardinality of a set S is written card(S); it is the number of elements it contains. For example, card({alice, bob}) = 2.
Task
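The set operations introduced in this part of the lecture (membership, segments m..n, comprehension, subset, union and generalized union, intersection and generalized intersection, subtraction, power set, Cartesian product and card) are written out below in Python over frozensets so that each definition can be exercised on the lecture's own examples. This is an added example, not lecture material; the given-set names SMALLSQUARE, CHESS and GO and the sample members of CHESS and GO are taken from or constructed for the lecture's examples.

```python
"""The lecture's set operations as runnable Python (added example, not lecture code)."""
from itertools import combinations, product
from typing import Any, Callable, FrozenSet, Iterable

Set = FrozenSet[Any]


def segment(m: int, n: int) -> Set:
    """m..n : the natural numbers from m to n inclusive."""
    return frozenset(range(m, n + 1))


def comprehension(domain: Iterable[Any], prop: Callable[[Any], bool]) -> Set:
    """{ x | x ∈ domain ∧ prop(x) } : set comprehension over a given domain."""
    return frozenset(x for x in domain if prop(x))


def is_square(x: int) -> bool:
    """Property used to define SMALLSQUARE by comprehension (integer arithmetic only)."""
    return any(k * k == x for k in range(x + 1))


def member(e: Any, S: Set) -> bool:
    """e ∈ S"""
    return e in S


def is_subset(S: Set, T: Set) -> bool:
    """S ⊆ T : every member of S is a member of T."""
    return all(member(e, T) for e in S)


def union(S: Set, T: Set) -> Set:
    """S ∪ T"""
    return S | T


def gen_union(SS: Iterable[Set]) -> Set:
    """∪ SS : elements that appear in any S ∈ SS (empty family gives {})."""
    return frozenset().union(*SS)


def intersection(S: Set, T: Set) -> Set:
    """S ∩ T"""
    return S & T


def gen_intersection(SS: Iterable[Set]) -> Set:
    """∩ SS : elements that appear in every S ∈ SS (requires a non-empty family)."""
    family = list(SS)
    if not family:
        raise ValueError("generalized intersection of an empty family is not defined here")
    return frozenset(family[0]).intersection(*family[1:])


def disjoint(S: Set, T: Set) -> bool:
    """S ∩ T = {}"""
    return not (S & T)


def subtraction(S: Set, T: Set) -> Set:
    """S - T : members of S that are not members of T."""
    return S - T


def power_set(S: Set) -> FrozenSet[Set]:
    """All subsets of S, built by choosing every size r from 0 to card(S)."""
    elems = list(S)
    return frozenset(frozenset(c) for r in range(len(elems) + 1)
                     for c in combinations(elems, r))


def cartesian(S: Set, T: Set) -> Set:
    """S × T : all ordered pairs (s, t) with s ∈ S and t ∈ T."""
    return frozenset(product(S, T))


def card(S: Set) -> int:
    """card(S) : number of elements."""
    return len(S)


# Given sets from the lecture (upper-case names), plus constructed sample players.
SMALLSQUARE = comprehension(segment(0, 20), is_square)      # {0, 1, 4, 9, 16}
CHESS = frozenset({"alice", "bob", "carol"})                 # constructed
GO = frozenset({"bob", "dave"})                               # constructed

if __name__ == "__main__":
    print("SMALLSQUARE =", sorted(SMALLSQUARE))
    print("chess players who do not play Go:", sorted(subtraction(CHESS, GO)))
    print("power set of {alice, bob}:", [sorted(s) for s in power_set(frozenset({"alice", "bob"}))])
    print("card({alice, bob}) =", card(frozenset({"alice", "bob"})))
```

Note that the comprehension must be taken over an explicit domain (here the segment 0..20), since Python cannot enumerate an unbounded type such as N; in B the type of the bound variable supplies that domain.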