# Formal methods 4 - Z notation

My course of Formal Methods at Santa Clara University, Winter 2014.


### 1. Formal Methods in Software, Lecture 4: Z Notation
Vlad Patryshev, SCU 2014
(You may need the Chrome browser to view these slides.)

### 2. Z Notation, a Specification Language
● Vaguely based on a typed version of Zermelo-Fraenkel set theory
● Uses set-theoretic notation for algorithm description
● Software tools exist(ed) that could, arguably, verify algorithms
● Related to computational logic
● Partially replaced these days by Coq and Agda
● ISO standard: ISO/IEC 13568:2002
● The WSDL definition uses it
● Lives in an ideal world; not very good for programming with effects
● But is related to Agda

### 3. The Logic of Z
● Propositional logic
  ○ predicates; true/false
  ○ connectives: a∧b, a∨b, ¬a, a⇒b, a⇔b
● Quantifiers
  ○ ∀x • q
  ○ ∃x • q
  ○ ∃₁x • q ("exists unique")
● Many laws (but nothing unusual)

### 4. Z has types and constraints
a:T - a is of type T
q a - a satisfies a constraint (a predicate) q

E.g.
Signature:
  a, b : Human
  x : Dog
Predicates (constraints):
  likes(a,x)
  likes(b,x)
  loves(x,a)
  loves(x,b)

### 5. Z uses typed sets
● ∅[T] - the empty set of elements of type T
● {Peter, Paul, James} - a set of people; elements must be of the same type
● order does not matter; repetitions make no sense
● x∈S - x is an element of S, e.g. William ∉ {Jonathan, Jane, Alice, Emma}
● P∪Q - union
● P∩Q - intersection
● P∖Q - complement of Q in P ({x∈P | x∉Q})
● P⊆Q - P is a subset of Q (P∩Q = P)
● P⁻ - complement of P: all members of the type that do not belong to P (P⁻ = T∖P). E.g. T⁻ = ∅[T] and ∅[T]⁻ = T
● ∪{A,B,C,...} = A∪B∪C∪…
● ∩{A,B,C,...} = A∩B∩C∩…

### 6. Set Comprehension
{x∈T | P(x)} - the set of all x such that P(x) is true

Properties:
● {x:T | p} ∩ {x:T | q} = {x:T | p∧q}
● {x:T | p} ∪ {x:T | q} = {x:T | p∨q}
● {x:T | p}⁻ = {x:T | ¬p}
● {x:T | p} ⊆ {x:T | q} ≡ p⇒q
● {x:T | p} = {x:T | q} ≡ p⇔q
● ∅[T] = {x:T | false}
● T = {x:T | true}

### 7. Cartesian Product
If T and U are types, T×U is the type of pairs (t,u), where t:T, u:U.
If P and Q are sets, P×Q = {p:T; q:U | p∈P ∧ q∈Q • (p,q)}
(meaning: take p's from P and q's from Q, and produce all pairs (p,q))

### 8. Powerset
X ∈ ℙS ≡ X ⊆ S
E.g. ℙ∅ = {∅}; ℙ{a} = {∅, {a}}
Finite subsets of S: 𝔽S
ℙ₁S = {X∈ℙS | X≠∅}
𝔽₁S = {X∈𝔽S | X≠∅}

### 9. Binary Relations
R ⊆ P×Q
Notation: given a relation R, pRq means (p,q)∈R
Alternative notation for pairs (p,q): p↦q
E.g. authors = {Bjarne ↦ Cpp, Guido ↦ Python, Martin ↦ Scala}
Set of all relations: T ↔ U == ℙ(T × U)
E.g. authors ∈ Humans ↔ Languages

### 10. Domain and Range
R ∈ T ↔ U
dom R = {x:T | (∃y:U • (x,y)∈R)} - not a very good idea, actually
ran R = {y:U | (∃x:T • (x,y)∈R)} - an even worse idea
E.g. dom authors = {Bjarne, Guido, Martin}; ran authors = {Cpp, Python, Scala}

### 11. Inverse Relation
Every relation has an inverse: R~ = {y:U; x:T | (x,y)∈R • (y,x)}
E.g. authors = {Bjarne↦Cpp, Guido↦Python, Martin↦Scala}
authors~ = {Cpp↦Bjarne, Python↦Guido, Scala↦Martin}
Obviously,
● ran(R~) = dom R
● dom(R~) = ran R
● (R~)~ = R

### 12. Functions are Relations
● Partial function f: A ⇸ B ≡ ∀x:A ∀y₁,y₂:B • (x,y₁)∈f ∧ (x,y₂)∈f ⇒ y₁ = y₂
● Total function f: A → B ≡ f is a partial function and ∀x:A ∃y:B • (x,y)∈f
● Injection f: A ↣ B ≡ f is a function and ∀x₁,x₂:A ∀y:B • (x₁,y)∈f ∧ (x₂,y)∈f ⇒ x₁ = x₂
● Surjection f: A ↠ B ≡ f is a function and ∀y:B ∃x:A • (x,y)∈f
● Partial injection, partial surjection
● Finite partial function, A ⇻ B

### 13. Operations on Relations
(with R : T ↔ U, Q : U ↔ V, and A a set)
● Identity id A = {(x,x):T×T | x∈A}
● RTL composition Q∘R = {(x,z):T×V | ∃y:U • (x,y)∈R ∧ (y,z)∈Q} (apply R first, then Q)
● Domain restriction A◁R = {(x,y):T×U | (x,y)∈R ∧ x∈A}
● Domain anti-restriction A⩤R = {(x,y):T×U | (x,y)∈R ∧ x∉A}
● Range restriction R▷A = {(x,y):T×U | (x,y)∈R ∧ y∈A}
● Range anti-restriction R⩥A = {(x,y):T×U | (x,y)∈R ∧ y∉A}
● Image R(|A|) = {y:U | ∃x:T • (x,y)∈R ∧ x∈A}
● Inverse R~
● Iteration iter n R = R∘(iter (n-1) R); iter 0 R = id
● Overriding Q⨁R = (dom R ⩤ Q) ∪ R

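Slides 12 and 13 define functions as special relations and list the relational operators. The block below is an added example, not part of the lecture: it models a Z relation T ↔ U as a Python frozenset of (t, u) pairs and writes each operator out as a function, so the definitions can be checked on concrete values. The `authors` relation is the slides' own example; `succ` and the override operands are constructed here.

```python
"""Z relational operators on frozensets of pairs (added example)."""


def dom(r):
    """dom R = {x | ∃y • (x,y) ∈ R}"""
    return frozenset(x for x, _ in r)


def ran(r):
    """ran R = {y | ∃x • (x,y) ∈ R}"""
    return frozenset(y for _, y in r)


def inverse(r):
    """R~ = {(y,x) | (x,y) ∈ R}"""
    return frozenset((y, x) for x, y in r)


def compose(q, r):
    """Right-to-left composition Q∘R: apply R first, then Q."""
    return frozenset((x, z) for x, y in r for y2, z in q if y == y2)


def dom_restrict(a, r):
    """A ◁ R: keep pairs whose first component is in A."""
    return frozenset((x, y) for x, y in r if x in a)


def dom_subtract(a, r):
    """A ⩤ R: drop pairs whose first component is in A."""
    return frozenset((x, y) for x, y in r if x not in a)


def ran_restrict(r, a):
    """R ▷ A: keep pairs whose second component is in A."""
    return frozenset((x, y) for x, y in r if y in a)


def ran_subtract(r, a):
    """R ⩥ A: drop pairs whose second component is in A."""
    return frozenset((x, y) for x, y in r if y not in a)


def image(r, a):
    """R(|A|) = {y | ∃x ∈ A • (x,y) ∈ R}"""
    return frozenset(y for x, y in r if x in a)


def identity(a):
    """id A = {(x,x) | x ∈ A}"""
    return frozenset((x, x) for x in a)


def iterate(n, r, t):
    """iter n R = R ∘ (iter (n-1) R); iter 0 R = id T"""
    result = identity(t)
    for _ in range(n):
        result = compose(r, result)
    return result


def override(q, r):
    """Q ⊕ R = (dom R ⩤ Q) ∪ R: R wins wherever both are defined."""
    return dom_subtract(dom(r), q) | r


def is_partial_function(f):
    """No x is paired with two different y's (each x appears once)."""
    return len(dom(f)) == len(f)


def is_total_function(f, a):
    """A partial function defined on every element of A."""
    return is_partial_function(f) and dom(f) == frozenset(a)


def is_injection(f):
    """A function whose inverse is also a function."""
    return is_partial_function(f) and is_partial_function(inverse(f))


def is_surjection(f, b):
    """A function whose range covers all of B."""
    return is_partial_function(f) and ran(f) == frozenset(b)


# The slides' example relation Humans <-> Languages.
authors = frozenset({("Bjarne", "Cpp"), ("Guido", "Python"), ("Martin", "Scala")})

if __name__ == "__main__":
    print("dom authors =", sorted(dom(authors)))
    print("authors~ =", sorted(inverse(authors)))
    print("injective:", is_injection(authors))
```

`is_partial_function` relies on the set having one pair per first component, which is exactly the uniqueness condition on slide 12; adding a second pair for Guido makes the check fail.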
### 14. Numbers
● ℤ - all integers
● ℕ = {x∈ℤ | x≥0}
● _+_, _-_, _*_, _div_, _mod_, -_
● _≥_, _>_, _≤_, _<_
● max(<nonempty set>), min

### 15. Axiomatic Description
● a new operator:
  abs : ℤ → ℤ
  ∀n:ℤ • (n ≤ 0 ⇒ abs n = −n) ∧ (n ≥ 0 ⇒ abs n = n)
● new data with a constraint:
  n : ℕ
  n < 10

### 16. Iteration etc.
● Introduce succ == {0↦1, 1↦2, ...}; pred == succ~
● succ = ℕ◁(_+1)
● Rⁿ = R∘R∘...∘R (n times), e.g. succⁿ = ℕ◁(_+n)
● Number range a..b = {n:ℕ | a≤n≤b}
● Cardinality of a set S ∈ 𝔽T: #S (for a set to be 'finite', it must be in bijection with 1..n for some n)

### 17. Introducing New Types
● just by naming: [A]
● data type (like an enum): Friends ::= Peter | John | James
● recursively, e.g. ℕ ::= zero | succ⟨⟨ℕ⟩⟩

### 18. Sequences
seq T == {s : ℕ ⇻ T | ∃n:ℕ • dom s = 1..n}
● ⟨⟩ - empty sequence
● Nonempty sequence seq₁ T == seq T ∖ {⟨⟩}
● Injective sequence iseq T == {f : seq T | f is injective}
● ⟨'a','b','c'⟩
● concatenation: ⟨'a','b','c'⟩◠⟨'d','e','f'⟩
● prefix: ⟨'a','b'⟩ ⊆ ⟨'a','b','c'⟩
● head s = s(1); last s = s(#s); tail s; front s
● rev ⟨⟩ = ⟨⟩; rev ⟨x⟩ = ⟨x⟩; rev(s◠t) = rev(t)◠rev(s)

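The slide defines a sequence as a finite partial function whose domain is exactly 1..n. As an added example (not from the lecture), the block below keeps that view literally: a sequence is a dict from 1..n to values, and head, last, tail, front, concatenation, prefix and rev are defined by manipulating the domain, so the law rev(s◠t) = rev(t)◠rev(s) can be checked on constructed values.

```python
"""Z sequences as functions 1..n -> T (added example)."""


def is_seq(s):
    """seq T == {s : ℕ ⇻ T | ∃n:ℕ • dom s = 1..n}"""
    return set(s) == set(range(1, len(s) + 1))


def seq(*items):
    """⟨a, b, c⟩ as the function {1↦a, 2↦b, 3↦c}."""
    return {i + 1: x for i, x in enumerate(items)}


def size(s):
    """#s: the cardinality of the function, i.e. n."""
    return len(s)


def head(s):
    """head s = s(1) (undefined, so KeyError, on ⟨⟩)."""
    return s[1]


def last(s):
    """last s = s(#s)"""
    return s[size(s)]


def tail(s):
    """Drop s(1) and shift the remaining domain down to 1..n-1."""
    return {i - 1: s[i] for i in range(2, size(s) + 1)}


def front(s):
    """Drop s(#s); the domain is already 1..n-1."""
    return {i: s[i] for i in range(1, size(s))}


def concat(s, t):
    """s ◠ t: keep s and append t with its domain shifted by #s."""
    result = dict(s)
    result.update({i + size(s): t[i] for i in t})
    return result


def rev(s):
    """Reverse by mapping index i to n+1-i."""
    n = size(s)
    return {n + 1 - i: s[i] for i in s}


def is_prefix(s, t):
    """The slide's prefix relation: s ⊆ t as sets of pairs."""
    return set(s.items()) <= set(t.items())


def rev_law_holds(s, t):
    """Check rev(s ◠ t) = rev(t) ◠ rev(s) for the given s and t."""
    return rev(concat(s, t)) == concat(rev(t), rev(s))


if __name__ == "__main__":
    abc = seq("a", "b", "c")
    print(concat(abc, seq("d", "e", "f")))
    print(rev_law_holds(abc, seq("d", "e")))
```

Note that `is_seq` rejects a function such as {1↦'a', 3↦'c'}: it is a perfectly good finite partial function ℕ ⇻ T, but its domain is not of the form 1..n, which is the whole point of the definition.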
### 19. Schemas
Example, as a schema box:
  Book
  author : People
  title : seq CHAR
  readership : ℙ People
  rating : People ↠ 0..10
  ———
  readership = dom rating

Alternatively, in horizontal form:
  Book ≘ [author : People; title : seq CHAR; readership : ℙ People; rating : People ↠ 0..10 | readership = dom rating]

### 20. State Machine: Operational Schema
  Operation ≘ [
    x₁:S₁; ...; xₙ:Sₙ;            // current state
    x₁′:S₁; ...; xₙ′:Sₙ;          // new state
    i₁?:T₁; ...; iₘ?:Tₘ;          // input
    o₁!:U₁; ...; oₚ!:Uₚ           // output
  |
    Pre(i₁?,...,iₘ?, x₁,...,xₙ);  // preconditions
    Inv(x₁,...,xₙ);               // invariants
    Inv(x₁′,...,xₙ′);             // invariants
    Op(i₁?,...,iₘ?, x₁,...,xₙ, x₁′,...,xₙ′, o₁!,...,oₚ!)  // step function
  ]

### 21. Example of Operational Schema
  AddBirthday ≘ [
    known : ℙ NAME; birthday : NAME ⇸ DATE;
    known′ : ℙ NAME; birthday′ : NAME ⇸ DATE;
    name? : NAME; date? : DATE
  |
    name? ∉ known;
    known = dom birthday;
    known′ = dom birthday′;
    birthday′ = birthday ∪ {name? ↦ date?}
  ]

### 22. Δ: Operational Schemas Reuse
  StateSpace ≘ [ x₁:S₁; ...; xₙ:Sₙ | Inv(x₁,...,xₙ) ]

  Operation ≘ [
    Δ StateSpace;                 // encapsulates changing state
    i₁?:T₁; ...; iₘ?:Tₘ;          // input
    o₁!:U₁; ...; oₚ!:Uₚ           // output
  |
    Pre(i₁?,...,iₘ?, x₁,...,xₙ);  // preconditions
    Op(i₁?,...,iₘ?, x₁,...,xₙ, x₁′,...,xₙ′, o₁!,...,oₚ!)  // step function
  ]

### 23. Example of Δ inclusion
  AddBirthday ≘ [
    Δ BirthdayBook;
    name? : NAME; date? : DATE
  |
    name? ∉ known;
    birthday′ = birthday ∪ {name? ↦ date?}
  ]

### 24. Operations that don't change State
  Operation ≘ [
    x₁:S₁; ...; xₙ:Sₙ;            // current state
    x₁′:S₁; ...; xₙ′:Sₙ;          // new state
    i₁?:T₁; ...; iₘ?:Tₘ;          // input
    o₁!:U₁; ...; oₚ!:Uₚ           // output
  |
    Pre(i₁?,...,iₘ?, x₁,...,xₙ);  // preconditions
    Inv(x₁,...,xₙ);               // invariants
    Inv(x₁′,...,xₙ′);             // invariants
    (x₁′=x₁ ∧ x₂′=x₂ ∧ ... ∧ xₙ′=xₙ);  // state does not change
    Op(i₁?,...,iₘ?, x₁,...,xₙ, x₁′,...,xₙ′, o₁!,...,oₚ!)  // step function
  ]

### 25. Ξ: Operational Schemas Reuse
Greek letter Ξ, pronounced /ˈzaɪ/ or /ˈksaɪ/
  Operation ≘ [
    Ξ StateSpace;                 // encapsulates unchanging state
    i₁?:T₁; ...; iₘ?:Tₘ;          // input
    o₁!:U₁; ...; oₚ!:Uₚ           // output
  |
    Pre(i₁?,...,iₘ?, x₁,...,xₙ);  // preconditions
    Op(i₁?,...,iₘ?, x₁,...,xₙ, x₁′,...,xₙ′, o₁!,...,oₚ!)  // step function
  ]

### 26. Example of Ξ inclusion
  FindBirthday ≘ [
    Ξ BirthdayBook;
    name? : NAME; date! : DATE
  |
    name? ∈ known;
    date! = birthday(name?)
  ]

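Slides 20 through 26 build up the operational-schema pattern: a state space with an invariant, a Δ-operation (AddBirthday) that produces a new state, and a Ξ-operation (FindBirthday) that only reads it. The block below is an added executable model of those schemas, not Z text from the lecture. The state is an immutable object whose invariant known = dom birthday is enforced at construction, so no reachable state can violate it; each operation checks its precondition explicitly, because in Z an operation applied outside its precondition is simply undefined and an implementation has to decide what happens there. The names and dates used are constructed sample data.

```python
"""Executable model of the BirthdayBook schemas (added example)."""
from dataclasses import dataclass


class PreconditionError(ValueError):
    """The operation was applied in a state where its precondition fails."""


@dataclass(frozen=True)
class BirthdayBook:
    """BirthdayBook ≘ [known : ℙ NAME; birthday : NAME ⇸ DATE | known = dom birthday]"""
    known: frozenset      # known : ℙ NAME
    birthday: frozenset   # birthday : NAME ⇸ DATE, as a set of (name, date) pairs

    def __post_init__(self):
        # birthday must be a function: each name paired with exactly one date
        names = frozenset(n for n, _ in self.birthday)
        if len(names) != len(self.birthday):
            raise ValueError("birthday is not a function")
        # the schema invariant: known = dom birthday
        if self.known != names:
            raise ValueError("invariant violated: known != dom birthday")


def empty_book():
    """The initial state: nothing known, no birthdays recorded."""
    return BirthdayBook(frozenset(), frozenset())


def satisfies_invariant(known, birthday):
    """True when (known, birthday) is a legal BirthdayBook state."""
    try:
        BirthdayBook(frozenset(known), frozenset(birthday))
    except ValueError:
        return False
    return True


def add_birthday(state, name, date):
    """AddBirthday ≘ [Δ BirthdayBook; name? : NAME; date? : DATE
    | name? ∉ known; birthday′ = birthday ∪ {name? ↦ date?}]

    Δ: returns the primed (new) state; the unprimed state is untouched."""
    if name in state.known:                                   # precondition
        raise PreconditionError(f"{name!r} is already known")
    # known′ is forced by the invariant known′ = dom birthday′
    return BirthdayBook(state.known | {name}, state.birthday | {(name, date)})


def find_birthday(state, name):
    """FindBirthday ≘ [Ξ BirthdayBook; name? : NAME; date! : DATE
    | name? ∈ known; date! = birthday(name?)]

    Ξ: only an output is produced; the state is not changed."""
    if name not in state.known:                               # precondition
        raise PreconditionError(f"{name!r} is not known")
    (date,) = [d for n, d in state.birthday if n == name]     # function application
    return date


def is_applicable(op, state, *inputs):
    """True when the operation's precondition holds in this state."""
    try:
        op(state, *inputs)
    except PreconditionError:
        return False
    return True


if __name__ == "__main__":
    book = add_birthday(empty_book(), "Alice", "1990-01-02")   # constructed sample
    print(find_birthday(book, "Alice"))
    print(is_applicable(add_birthday, book, "Alice", "2000-01-01"))
```

Because the Δ-operation returns a fresh state instead of mutating the old one, the before and after states are both available for comparison, which is exactly the x and x′ of the schema.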
### 27. And more...
● Can compose schema states
● Can connect schemas (output to input)
● Can include schemas

### 28. WSDL
http://www.w3.org/TR/wsdl20/wsdl20-z.html
  ServiceComponents ≘ [
    ComponentModel1;
    serviceComps : ℙ Service;
    endpointComps : ℙ Endpoint
  |
    serviceComps = { x : Service | service(x) ∈ components };
    endpointComps = { x : Endpoint | endpoint(x) ∈ components }
  ]

### 29. References
● http://images4.wikia.nocookie.net/formalmethods/images/4/4e/Zbook.pdf
● ISO/IEC 13568:2002
● W3C WSDL standard
● Wikipedia