Analysis and Specification of
Information Systems
Winter 2007
Session 7: Formal Specification
with Zed
Eran Toch
http://www.technion.ac.il/~erant
Specification and Analysis of Information Systems Spring 2005 1

Agenda
• Introduction
• Hello World
• Schema Specification
• Schema Operations
Intro | Hello World | Schema | Operations 2

Motivation for Formal Specification
: ShooppingCart
customer
addProduct (p)
• Was the product really added?
• Were there any side affects?
• What was the state of the shopping cart before
and after the operation?
Intro | Hello World | Schema | Operations 3

Motivation – cont’d
/ cart := Empty
S addProduct(p) | cart := cart + p
• What is the type of cart? What is the type of p?
• Is “cart := cart + p” a legal operation?
• Do we cover all possibilities? What if p is null?
• Why are these questions interesting at all?
Intro | Hello World | Schema | Operations 4

Motivation: Ariane 5
• A European satellite
launch rocket
• Development time:
10 years
• Development costing
€7 billion
• Cargo + rocket costing
€500 million
Intro | Hello World | Schema | Operations 5

Ariane 5 First launch
A data conversion from 64-bit floating point to 16-bit
signed integer value had failed.
Intro | Hello World | Schema | Operations 6

What are Formal Specification Methods?
Σ
1 c
2 e
3
4
5
d
b
a
Pre / post
1. Mathematical 2. Well-defined 3. Clear Behavior
notation data structures: specification,
• Sets based on logical
• Relations expressions
• Functions
Intro | Hello World | Schema | Operations 7

Reasoning
Reasoning over
System
Properties
• Examples:
– Prove that all actions will result in a discrete set of states.
– Prove that some system properties are bounded.
– Prove that error states are unreachable.
– Prove that certain states are reachable.
Intro | Hello World | Schema | Operations 8

Using Zed in System Development
Formal
Design Implementation
Specification
Design
Validation
Documents
Z Testable
(UML)
Schemas System
Verification
9

Advantages of Formal Specification
Specification
Design and
Implementation
Validation
Without With formal
fromal specification
specification
Intro | Hello World | Schema | Operations 10

Zed Specification Language
• Based on typed set theory
Z
• The most widely-used formal
specification language
• Built upon schemas
– Basic building blocks
– Allow modularity
– Easier to understand by using
graphical presentation
• pronounced “Zed”
Intro | Hello World | Schema | Operations 11

Agenda
• Introduction
• Hello World
• Schema Specification
• Schema Operations
12

Z Schema
Schema name
Container
contents: N Schema signature
capacity: N
Schema
contents ≤ capacity
predicates
• Schema predicates are always true
• Predicates can refer only to elements in the signature
Intro | Hello World | Schema | Operations 13

Type definitions
• Built-in types:
– Z - Integers (…,-3,-2,-1,0,1,2,3,…)
– N == {n : Z | n ≥ 0} (positive integers)
– N1 == {n : Z | n > 0} (positive, non-zero, integers)
– R – Real numbers
– Char - characters
• Types may be defined by enumeration
– Sem_model_types = { relation, entity, attribute }
• Some entities may be ‘given’ and defined later
– [NAME, DATE, PERSON]
• Schemas can be used as types
Intro | Hello World | Schema | Operations 14

An indicator specification
Indicator
light : { off, on }
reading: N
danger_level: N
light = on ⇔ reading ≤ danger_level
Intro | Hello World | Schema | Operations 15

Storage tank specification
Storage_tank
Container
Indicator
reading = contents
capacity = 5000
danger_level = 50
Intro | Hello World | Schema | Operations 16

Specifying Complex Operations
Exceptional 1
Normal operation
Exceptional 2
Combined operation
Intro | Hello World | Schema | Operations 17

A partial spec. of a fill operation
Delta (∆): the operation changes the state of the
attribute
Fill_OK
? represents an input
∆Storage_tank
amount?: N
contents + amount? ≤ capacity
contents’ = contents + amount?
Dash (N’), represents the value
after an operation
Intro | Hello World | Schema | Operations 18

Storage tank fill operation
Xi (Ξ) means that the defined
operation does not change the
values of state variables
OverFill
Ξ Storage_tank
amount?: N ! represents an output
r!: seq CHAR
capacity < contents + amount?
r! = “Insufficient tank capacity – Fill canceled”
Intro | Hello World | Schema | Operations 19

The Fill Operation
Fill
Fill_OK ∨ OverFill
Operations may be specified
incrementally as separate schema
then the schema combined to
produce the complete specification
Intro | Hello World | Schema | Operations 20

Agenda
• Introduction
• Hello World
• Schema Specification
• Schema Operations
21

Data dictionary specification
• A data dictionary is part of a CASE system and is
used to keep track of system names
• Data dictionary structure
– Item name
– Description
– Type. Assume in these examples that the allowed types are
those used in E/R models
– Creation date
Intro | Hello World | Schema | Operations 22

Example: Data dictionary entry
[NAME, DATE]
sem_model_types = { relation, entity, attribute }
DataDictionaryEntry
name: NAME
type:
sem_model_types
creation_date: DATE
description : seq Char
#description ≤ 2000
Intro | Hello World | Schema | Operations 23

Data dictionary modeling
• A data dictionary may be thought of as a
mapping from a name (the key) to a value (the
description in the dictionary)
• Operations are
– Add. Makes a new entry in the dictionary or
replaces an existing entry
– Lookup. Given a name, returns the description.
– Delete. Deletes an entry from the dictionary
– Replace. Replaces the information associated with an entry
Intro | Hello World | Schema | Operations 24

Basic Data Representation
DataDictionary
ddict: NAME → DataDictionaryEntry
Names Entries
Intro | Hello World | Schema | Operations 25

Function Summary
Name Symbol dom f One-to- ran f
one?
Total function → =X ⊆Y
Partial function → ⊆X ⊆Y
Injection (total) → =X Yes ⊆Y
Surjection (total) → =X =Y
Bijection → =X Yes =Y
Intro | Hello World | Schema | Operations 26

Data dictionary initialization
Init_DataDictionary
∆ DataDictionary
ddict’ = φ
Intro | Hello World | Schema | Operations 27

Add and lookup operations
Add_OK
∆ DataDictionary Accessing sub
entry?: DataDictionaryEntry elements
entry?.name ∉ dom ddict
ddict’ = ddict ∪ { entry?.name → entry? }
Lookup_OK
Ξ DataDictionary
name?: NAME
entry!: DataDictionaryEntry
name? ∈ dom ddict
entry! = ddict(name?)
Intro | Hello World | Schema | Operations 28

Add and lookup operations
Add_Error
Ξ DataDictionary
entry?: DataDictionaryEntry
error!: seq char
entry?.name ∈ dom ddict
error! = “Name already in dictionary”
Lookup_Error
Ξ DataDictionary
name?: NAME
error!: seq char
name? ∉ dom ddict
error! = “Name not in dictionary”
Intro | Hello World | Schema | Operations 29

Function over-riding operator
• ReplaceEntry uses the function overriding
operator (written ⊕). This adds a new entry or
replaces and existing entry.
– phone = { Ian → 3390, Ray → 3392, Steve → 3427}
– The domain of phone is {Ian, Ray, Steve} and the range is
{3390, 3392, 3427}.
– newphone = {Steve → 3386, Ron → 3427}
– phone ⊕ newphone = { Ian → 3390, Ray → 3392, Steve
→ 3386, Ron → 3427}
Intro | Hello World | Schema | Operations 30

Replace operation
Replace_OK
∆ DataDictionary
entry?: DataDictionaryEntry
entry?.name ∈ dom ddict
ddict’ = ddict ⊕ { entry?.name → entry? }
Intro | Hello World | Schema | Operations 31

Deleting an entry
• Uses the domain subtraction operator
(written ) which, given a name, removes that
name from the domain of the function
– phone = { Ian d
– {Ian} phone = {Ray a 3392, Steve v 3427}
Intro | Hello World | Schema | Operations 32

Delete entry
Delete_OK
∆ DataDictionary
name?: NAME
name? ∈ dom ddict
ddict’ = { name? } ddict
Intro | Hello World | Schema | Operations 33

Specifying ordered collections
• Specification using sets does not allow ordering to
be specified
• Sequences are used for specifying ordered
collections
• A sequence is a function mapping consecutive
integers to associated values
Intro | Hello World | Schema | Operations 34

The Extract operation
Extract
DataDictionary
rep!: seq DataDictionaryEntry
in_type?: Sem_model_types
∀n ∈dom ddict: ddict(n).type = in_type? ⇒ ddict(n) ∈ rng rep!
∀ 1 ≤ i ≤ #rep!: rep!(i).type = in_type?
∀1 ≤ i ≤ #rep!: rep!(i) ∈ rng ddict
∀i,j∈dom rep!: (i < j) ⇒ rep!(i).name <NAME rep!(j).name
Intro | Hello World | Schema | Operations 35

Extract predicate
• For all entries in the data dictionary whose type is
in_type?, there is an entry in the output sequence
• The type of all members of the output sequence is
in_type?
• All members of the output sequence are members
of the range of ddict
• The output sequence is ordered by entry name
Intro | Hello World | Schema | Operations 36

Agenda
• Introduction
• Hello World
• Schema Specification
• Schema Operations
37

Schema Operators: ∧, ∨, ¬, ⇒, ⇔
• For any of the binary types to be allowed, its two
arguments must have type compatible signatures.
• I.e., the types of arguments with the same name
must be identical
– X ∧ Y – conjunction of X,Y predicates
– X ∨ Y – disjunction of X,Y predicates (good for
normal/exception situations)
¬X – negation of a schema
– X⇒Y – if X predicates are true, then Y predicates are true
– X ⇔Y - iff
Intro | Hello World | Schema | Operations 38

- Hiding
• The hiding operation S (x1,…,xn) removes from the
schema S the components x1,…,xn explicitly listed
• These components must exist
• Useful for situations in which we want to discuss
partial elements of the schema
– X (limit) ∧ Y
Intro | Hello World | Schema | Operations 39

- projection
• S  T hides all the components of S except those
that are also components of T.
• The schemas S and T must be type compatible,
• But T may have components that are not shared by
S
• The signature of the result is the same as the
signature of T
Intro | Hello World | Schema | Operations 40

Composition
• If Op1 and Op2 are schemas describing two
operations, then Op1,
• Then Op1 ; Op2 is a schema which describes their
sequential composition
• Composition is legal only if:
– Each dashed component in Op1 must match an undashed
component with the same name
– Each elements with the same name must have the same type
Intro | Hello World | Schema | Operations 41

Composition - Example
What would Inc ; Inc do?
Intro | Hello World | Schema | Operations 42

pre
• The “pre” operator allows us to discuss schemas
before they were executed
• If S is a schema, and x1’,…,xn’ are the components
of S that have the ‘ decoration y1!,…,yn! are the
components that have the decoration !,
• then the schema “pre S” is the result of hiding these
variables of S, so that,
– Pre S = S (x1’,…,xn’, y1!,…,yn!)
Intro | Hello World | Schema | Operations 43

Example: State Machine
• A state machine has:
E0 – States
– An initial state
S-1 • From where the machine
start from
– Final states:
E1 | a1
• If the machine reaches the
final state, it halts and
S-2 E3 | a2
“accept”
– Given a state and an event, a
E2 | a1 transition will perform an
optional action and move to
the destination state
• An action is performed by
Example outputting the name of the
action
44