COMP 2600: Formal Methods for Software Engineering
Specification in Z: Logical Analysis of Schemas
Dirk Pattinson, Australian National University, Semester 2, 2013
Dirk Pattinson (ANU) COMP 2600 Semester 2, 2013 1 / 20
Brief Recap

Given Types: containers for data without internal structure.
Declaration: [T1, T2, ..., Tn] where T1, ..., Tn are the type names.

Schemas: a combination of declared variables and a constraint.

    Name (optional)
      v1 : T1; ...; vn : Tn      (alternatively line breaks instead of semicolons)
      c1; ...; cn

◮ types are built from given types using type constructors
◮ constraints are first-order formulae involving builtin functions/relations

Conjunctive Reading: the constraint of the above schema is c1 ∧ ... ∧ cn.
Operations on Schemas

Priming of Schemas: if S is a schema, then S′ is the schema with all variable names primed (in declarations and constraints).

Delta and Xi: if S is a schema, then ∆S is the union of S and S′, and ΞS is the schema ∆S together with v = v′ for all declared variables v of S.

Schema Import: if R is a schema, then

    S
      R; (other declarations)
      (some constraints)

has the effect of adding all declared variables of R (to the declared variables) and adding all constraints of R (to the constraints).
Combination of Schemas

Free Types: a free type declaration is of the form T ::= C1 | ··· | Cn (which works as in Haskell).

Logical Connectives: if R and S are schemas such that every variable declared in both has the same type in each, then R ∧ S and R ∨ S are schemas.
Schema Consistency

Problem: schemas can easily be inconsistent
◮ just like prose specifications can be inconsistent ...
◮ but we have tools to check formal specs: automated proof search!

Example:

    MangledCount
      c : Z
      c = c + 1

This is obviously inconsistent. But can we say "inconsistent" precisely?
Inconsistencies, Formally

Definition. A schema of the form

    S
      v1 : T1; ...; vn : Tn
      c1; ...; cn

is inconsistent if the first-order formula

    ∃ v1 : T1 • ... ∃ vn : Tn • (c1 ∧ ... ∧ cn)

is logically equivalent to false (i.e. the constraint cannot be satisfied).

Aside: Automation
◮ consistency conditions can be automatically generated
◮ they can be passed to an automated theorem prover

We may detect (some) inconsistencies already at the design phase!
Robustness of Specifications

Basic Counter:

    Cnt
      n : Z
      n ≥ 0

Two Variants of Decrement: what's the difference?

    Dec1
      ∆Cnt
      n > 0 ∧ n′ = n − 1

    Dec2
      ∆Cnt
      n > 0 → n′ = n − 1

Robustness is the property of covering all possible inputs.
◮ Dec1 does not cover the case n = 0 (it is not robust)
◮ Dec2 allows an arbitrary value if n = 0 (it is robust)
Robustness as Logical Property

Definition. Given a state schema S and an operation Op of the form

    S
      v : T
      c

    Op
      ∆S; i? : U; o! : V
      d

the operation Op is robust if the formulae

    c     and     ∃ v′ : T • ∃ o! : V • (c ∧ c′ ∧ d)

are logically equivalent (where c′ is c with all variables primed).

Informal Reading: the right formula characterises the set of state/input values for which the operation can succeed as specified.

Generalisation: in the general case, all output variables and all primed variables are existentially quantified, and c, d are replaced by the conjunction of all constraints.
Robustness of Counters

Basic Counter (in linear notation): Cnt ≙ [ n : Z | n ≥ 0 ]

First Counter: Dec1 is not robust

    Dec1
      ∆Cnt
      n > 0 ∧ n′ = n − 1

    ∃ n′ : Z • n ≥ 0 ∧ n′ ≥ 0 ∧ n > 0 ∧ n′ = n − 1     is equivalent to n > 0.

Second Counter: Dec2 is robust

    Dec2
      ∆Cnt
      n > 0 → n′ = n − 1

    ∃ n′ : Z • n ≥ 0 ∧ n′ ≥ 0 ∧ (n > 0 → n′ = n − 1)     is equivalent to n ≥ 0.
More Examples

Another Counter:

    Cnt
      n : Z
      n ≥ 0

    Dec3
      ∆Cnt
      n′ = n′ − 1

    Dec4
      ∆Cnt
      n′ = n − 1

Robustness: Formulae to Consider

    ∃ n′ : Z • n ≥ 0 ∧ n′ ≥ 0 ∧ n′ = n′ − 1     for Dec3
    ∃ n′ : Z • n ≥ 0 ∧ n′ ≥ 0 ∧ n′ = n − 1      for Dec4

◮ the first formula is equivalent to false: not robust
◮ the second formula is equivalent to n > 0: not robust(!)
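The consistency condition of the "Inconsistencies, Formally" slide and the robustness formulae for Dec1 to Dec4 can be checked mechanically. The following Python script is an added example, not part of the lecture slides: it encodes each schema as a predicate and evaluates the existential quantifiers by enumerating a small, constructed integer window in place of Z. That makes it a bounded sanity check rather than the theorem-prover proof the slides have in mind, but it reproduces every verdict on the slides, including the MangledCount example.

```python
from typing import Callable

# Constructed finite window standing in for Z. The checks below enumerate it,
# so they are bounded sanity checks, not proofs (an automated prover would
# decide the unbounded formulas the slides write down).
WINDOW = range(-5, 6)

Pred1 = Callable[[int], bool]        # a state constraint c(n)
Pred2 = Callable[[int, int], bool]   # an operation constraint d(n, n')

# Cnt == [ n : Z | n >= 0 ]
def cnt(n: int) -> bool:
    return n >= 0

# MangledCount == [ c : Z | c = c + 1 ]
def mangled_count(c: int) -> bool:
    return c == c + 1

# The operation constraints d(n, n') of the four decrement variants.
def dec1(n: int, n1: int) -> bool:     # n > 0 ∧ n' = n − 1
    return n > 0 and n1 == n - 1

def dec2(n: int, n1: int) -> bool:     # n > 0 → n' = n − 1
    return (not n > 0) or n1 == n - 1

def dec3(n: int, n1: int) -> bool:     # n' = n' − 1   (never satisfiable)
    return n1 == n1 - 1

def dec4(n: int, n1: int) -> bool:     # n' = n − 1    (no guard at all)
    return n1 == n - 1

def state_consistent(inv: Pred1) -> bool:
    """Schema consistency: ∃ v • constraint, evaluated over the window."""
    return any(inv(v) for v in WINDOW)

def precondition(inv: Pred1, op: Pred2) -> set[int]:
    """States n satisfying  ∃ n' • c ∧ c' ∧ d  (c = inv, d = op), over the window."""
    return {n for n in WINDOW
            if inv(n) and any(inv(n1) and op(n, n1) for n1 in WINDOW)}

def robust(inv: Pred1, op: Pred2) -> bool:
    """Robust iff the precondition is equivalent to the state constraint c itself."""
    return precondition(inv, op) == {n for n in WINDOW if inv(n)}

def report() -> dict[str, tuple[set[int], bool]]:
    """Precondition set and robustness verdict for each decrement variant."""
    variants = [("Dec1", dec1), ("Dec2", dec2), ("Dec3", dec3), ("Dec4", dec4)]
    return {name: (precondition(cnt, op), robust(cnt, op)) for name, op in variants}

if __name__ == "__main__":
    print("Cnt consistent:", state_consistent(cnt))
    print("MangledCount consistent:", state_consistent(mangled_count))
    for name, (pre, rob) in report().items():
        print(f"{name}: precondition over window = {sorted(pre)}, robust = {rob}")
```

Dec1 and Dec4 yield the same precondition set (n > 0), which is exactly why the slide flags Dec4 as not robust even though it has no explicit guard; Dec3 yields the empty set, the bounded image of "equivalent to false".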
Logical Operators on Schemas

Propositional Logic: we have seen ∧ and ∨ as operators. Can we also have something like ∃ and ∀?

Hiding of Variables: let S be a schema and v : T be a declaration of S. Then ∃ v : T • S is the schema with

    declarations   those of S, but without v : T
    constraint     ∃ v : T • (c1 ∧ ... ∧ cn)

where c1, ..., cn are the constraints of S. (We have the same definition with ∀ in place of ∃.)
Hiding – Example

AddBirthday, again:

    AddBirthday
      ∆BirthdayBook
      person? : Person; date? : Date
      person? ∉ known; birthday′ = birthday ∪ {person? ↦ date?}

Hiding the after-state, ∃ known′ : P Person, birthday′ : Person ⇸ Date • AddBirthday, gives the schema

    known : P Person; birthday : Person ⇸ Date
    person? : Person; date? : Date
    ∃ known′ : P Person, birthday′ : Person ⇸ Date •
      (person? ∉ known ∧ known = dom birthday ∧ known′ = dom birthday′ ∧
       birthday′ = birthday ∪ {person? ↦ date?})
Understanding the Effect of Hiding

Original Constraints:

    ∃ known′ : P Person, birthday′ : Person ⇸ Date •
      (person? ∉ known ∧ known = dom birthday ∧ known′ = dom birthday′ ∧
       birthday′ = birthday ∪ {person? ↦ date?})

Simplifying: moving ∃ over independent parts

    person? ∉ known ∧ known = dom birthday ∧
    ∃ known′ : P Person, birthday′ : Person ⇸ Date •
      (known′ = dom birthday′ ∧ birthday′ = birthday ∪ {person? ↦ date?})

Simplifying: evaluating the quantifier

    person? ∉ known ∧ known = dom birthday

This is the precondition of our manual translation!
In Terms of Equivalence

Equivalent Schemas. Given

    AddBirthday
      ∆BirthdayBook
      person? : Person; date? : Date
      person? ∉ known; birthday′ = birthday ∪ {person? ↦ date?}

the two schemas below are equivalent:

    ∃ known′ : P Person, birthday′ : Person ⇸ Date • AddBirthday

    QuantifiedAddBirthday
      known : P Person; birthday : Person ⇸ Date
      person? : Person; date? : Date
      person? ∉ known ∧ known = dom birthday
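The equivalence claimed on this slide, and the hiding construction of the two preceding slides, can be tested exhaustively once the given types are finite. The following Python script is an added example, not from the lecture: it constructs two-element versions of Person and Date (a constructed assumption, not the slides' own data), enumerates every value of known and birthday, evaluates ∃ known′, birthday′ • AddBirthday by searching over all candidate after-states, and compares the result with QuantifiedAddBirthday on every (state, input) combination.

```python
from itertools import combinations, product

# Constructed finite given types so that every quantifier can be enumerated.
PERSON = ("ann", "bob")
DATE = ("jan", "feb")

def powerset(xs):
    """All subsets of xs as frozensets: the values of a P-typed variable."""
    return [frozenset(c) for r in range(len(xs) + 1) for c in combinations(xs, r)]

def partial_functions(src, dst):
    """All partial functions src ⇸ dst, each as a frozenset of (x, y) pairs."""
    return [frozenset((x, y) for x, y in zip(src, choice) if y is not None)
            for choice in product([None, *dst], repeat=len(src))]

def dom(f):
    """dom of a partial function represented as a set of pairs."""
    return frozenset(x for x, _ in f)

KNOWN_VALUES = powerset(PERSON)                      # 4 values
BIRTHDAY_VALUES = partial_functions(PERSON, DATE)    # 9 values

def birthday_book(known, birthday) -> bool:
    """State invariant of BirthdayBook: known = dom birthday."""
    return known == dom(birthday)

def add_birthday(known, birthday, known1, birthday1, p, d) -> bool:
    """AddBirthday as a predicate over before-state, after-state and inputs
    (∆BirthdayBook contributes the invariant for both states)."""
    return (birthday_book(known, birthday) and birthday_book(known1, birthday1)
            and p not in known and birthday1 == birthday | {(p, d)})

def hidden_add_birthday(known, birthday, p, d) -> bool:
    """∃ known', birthday' • AddBirthday: the after-state is hidden by search."""
    return any(add_birthday(known, birthday, k1, b1, p, d)
               for k1 in KNOWN_VALUES for b1 in BIRTHDAY_VALUES)

def quantified_add_birthday(known, birthday, p, d) -> bool:
    """QuantifiedAddBirthday: person? ∉ known ∧ known = dom birthday."""
    return p not in known and known == dom(birthday)

def all_cases():
    """Every combination of before-state and inputs."""
    return product(KNOWN_VALUES, BIRTHDAY_VALUES, PERSON, DATE)

def schemas_equivalent() -> bool:
    """The slide's claim: hiding and the hand-simplified schema agree everywhere."""
    return all(hidden_add_birthday(k, b, p, d) == quantified_add_birthday(k, b, p, d)
               for k, b, p, d in all_cases())

def count_enabled() -> int:
    """Number of (state, input) combinations for which AddBirthday can succeed."""
    return sum(hidden_add_birthday(k, b, p, d) for k, b, p, d in all_cases())

if __name__ == "__main__":
    print("equivalent on all", 4 * 9 * 2 * 2, "cases:", schemas_equivalent())
    print("combinations where AddBirthday is enabled:", count_enabled())
```

The search over after-states is the bounded counterpart of the "evaluating the quantifier" step: for every before-state satisfying person? ∉ known ∧ known = dom birthday, a witness (known′, birthday′) exists, and for no other before-state does one.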
From Z to Hoare, Systematically

The Precondition. Given a schema that extends ∆S (and specifies an operation), the precondition is
◮ obtained by existentially quantifying output and primed variables
◮ together with equations v = V for every declared variable v
(here specification variables are lower case (v) and logical variables are upper case (V))

The Postcondition. Obtained from the schema constraint by
◮ replacing primed variables v′ by their non-primed counterparts (v)
◮ replacing non-primed variables v by their logical counterparts (V)
at the same time!

Example: check for yourself that this gives precisely what we had produced manually before!
Pre/Postconditions: Example

Incrementing Counter – with intentional typo:

    Cnt
      n : Z
      n ≥ 0

    Inc
      ∆Cnt
      n′ = n′ + 1

Precondition: ∃ n′ : Z • ... ∧ n′ = n′ + 1 ∧ ... is equivalent to false. (The postcondition simplifies to false, too.)

Extracted Hoare Triple: program P satisfies Inc iff {false} P {false} is a valid Hoare triple.
◮ this is valid for any program P (e.g. P = erase-hard-disk)
◮ so any program satisfies this specification – what's wrong?
Precondition and Robustness

Problem: Inc is not robust
◮ it does not specify after-values for all declared variables
◮ in fact, it specifies after-values for none of the variables
(Check this, using the definition of robustness!)

Intuitive Explanation. For

    S
      v : T
      c

    Op
      ∆S; i? : U; o! : V
      d

◮ F = c ∧ c′ ∧ d is a formula over before/after/input/output variables
◮ it describes all legal situations specified by Op
◮ so ∃ v′ : T • ∃ o! : V • (c ∧ c′ ∧ d) are the situations for which output/after variables are specified
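The Z-to-Hoare translation of the "From Z to Hoare, Systematically" slide, and the vacuous triple {false} P {false} of the Inc example, can be exercised directly on candidate programs. The following Python script is an added example, not part of the lecture: F = c ∧ c′ ∧ d is written for each schema over a logical before-value N and a program after-value n (the slide's renaming already applied), the Hoare precondition is ∃ n′ • F evaluated over a constructed finite window in place of Z, and a Hoare triple is checked by running a program from every before-value that meets the precondition. The three programs (plain decrement, saturating decrement, and a stand-in for erase-hard-disk) are constructed for the example.

```python
from typing import Callable

# Constructed finite stand-in for Z: every quantifier below ranges over it,
# so the results are bounded checks, not proofs.
WINDOW = range(-5, 6)

Rel = Callable[[int, int], bool]   # F(N, n): logical before-value N, after-value n

# F = c ∧ c' ∧ d for each schema, with the slide's renaming already applied:
# primed n' becomes the program variable n, unprimed n becomes the logical N.
def inc_typo_rel(N: int, n: int) -> bool:   # ∆Cnt; n' = n' + 1
    return N >= 0 and n >= 0 and n == n + 1

def dec1_rel(N: int, n: int) -> bool:       # ∆Cnt; n > 0 ∧ n' = n − 1
    return N >= 0 and n >= 0 and N > 0 and n == N - 1

def dec2_rel(N: int, n: int) -> bool:       # ∆Cnt; n > 0 → n' = n − 1
    return N >= 0 and n >= 0 and ((not N > 0) or n == N - 1)

def pre(F: Rel, N: int) -> bool:
    """Hoare precondition: ∃ n' • F, i.e. the after-state is hidden."""
    return any(F(N, n) for n in WINDOW)

def post(F: Rel, N: int, n: int) -> bool:
    """Hoare postcondition: F itself, read over (N, n)."""
    return F(N, n)

def satisfies(program: Callable[[int], int], F: Rel) -> bool:
    """{pre} program {post}, checked by running program from every N with pre(N)."""
    return all(post(F, N, program(N)) for N in WINDOW if pre(F, N))

def vacuous(F: Rel) -> bool:
    """True when no state meets the precondition, so the triple constrains nothing."""
    return not any(pre(F, N) for N in WINDOW)

# Three constructed candidate implementations of "decrement the counter".
def plain_dec(n: int) -> int:
    return n - 1

def saturating_dec(n: int) -> int:
    return max(n - 1, 0)

def clobber(n: int) -> int:
    return -99          # stand-in for the slide's erase-hard-disk program

if __name__ == "__main__":
    schemas = [("Inc (typo)", inc_typo_rel), ("Dec1", dec1_rel), ("Dec2", dec2_rel)]
    programs = [("plain_dec", plain_dec), ("saturating_dec", saturating_dec), ("clobber", clobber)]
    for sname, F in schemas:
        print(f"{sname}: vacuous precondition = {vacuous(F)}")
        for pname, P in programs:
            print(f"   {pname} satisfies {sname}: {satisfies(P, F)}")
```

The contrast between Dec1 and Dec2 shows what robustness buys: plain_dec satisfies the non-robust Dec1 because its precondition excludes n = 0, but fails Dec2 at n = 0 where the after-state must still respect n′ ≥ 0. Inc, with the typo, is satisfied by every program, clobber included, because the precondition is never met.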