Foundations of Software Engineering / European Software Engineering Conference, Zurich, Sep 97

Subtypes for Specifications

John Rushby
Computer Science Laboratory
SRI International
Menlo Park, CA

J. Rushby FSE97: Subtypes for Specifications 1
Formal Methods and Calculation

• Formal methods contribute useful mental frameworks, notations, and systematic methods to the design, documentation, and analysis of computer systems
• But the primary benefit from specifically formal methods is that they allow certain questions about a design to be answered by symbolic calculation (e.g., formal deduction, model checking)
• These symbolic calculations can be used for debugging and design exploration as well as post-hoc verification
• Comparable to the way computational fluid dynamics is used in the design of airplanes and jet engines
Corollaries

• Tools are not the most important thing about formal methods
  ◦ They are the only important thing
• Just like any other engineering calculations, it is tools that make formal calculations feasible and useful in practice
• Specification languages should be designed so that they support efficient calculation (i.e., deduction)
  ◦ E.g., based on higher-order logic, not set theory
  ◦ The topic of another talk...
• Specification languages can also be designed to exploit the efficient calculations provided by tools
  ◦ E.g., to better detect errors in specifications
  ◦ The topic of this talk
Errors in Formal Specifications

• Most formal specifications are full of errors
• A specification may fail to say what is intended
  ◦ Must be examined by proving challenge theorems, "execution," and inspection
• A specification may fail to say anything at all
  ◦ Because it is inconsistent
  ◦ Can avoid inconsistencies using definitional styles of specification that guarantee "conservative extension"
  ◦ But these are often restrictive or inappropriate (too constructive)
• So a worthwhile goal is to increase the expressiveness and convenience of the part of the specification language for which we can guarantee conservative extension
Exploiting Deduction To Increase the Power of Typechecking

• Type systems for programming languages guarantee that certain errors will not occur during execution
• We should expect the type system for a specification language also to guarantee absence of certain kinds of errors
  ◦ E.g., inconsistency
• Type systems for programming languages are traditionally restricted to those for which type correctness is trivially decidable
• But specification languages should be used in environments where powerful theorem proving is available, so suppose typechecking could use theorem proving...
Subtypes

• Subtypes can allow more concise and more precise specifications
• When types are interpreted as sets of values
  ◦ There is a natural association of subtype with subset
  ◦ E.g., natural is a subtype of integer
• But how do we characterize those integers that are also naturals?
  ◦ Could add an axiom
      nat_ax: AXIOM ∀ (n: nat): n ≥ 0
  ◦ But this is not tightly bound to the subtype: it reduces the opportunity for automation, and may allow inconsistencies
Predicate Subtypes

• Are those where a characterizing predicate is tightly bound to subtype definitions
• For example (in the notation of PVS)
      nat: TYPE = { i: int | i ≥ 0 }
• Then we can write
      nat_prop: LEMMA ∀ (i, j: nat): i+j ≥ i ∧ i+j ≥ j
  And the prover can easily establish this result because the necessary information is recorded with the type for i and j
• This is concise and efficient
• Now let's see where error detection comes in
Nonemptiness Proof Obligations for Predicate Subtypes

• Subtypes may be empty, so a constant declaration
      c: nat
  would introduce an inconsistency unless we ensure that its type is nonempty
• Generate a proof obligation called a type correctness condition (TCC) to do this
      c_TCC1: OBLIGATION ∃ (x: nat): TRUE
• Specifications are not considered typechecked until their TCCs have been discharged
Some PVS Notation

• The examples use the notation of PVS
  ◦ A verification system freely available from SRI
  ◦ Specification language is a simply-typed higher-order logic
  ◦ Augmented with dependent types and predicate subtypes
• Sets and predicates are equivalent in higher-order logic
  ◦ Predicates are functions of return type bool, written as
        nat?(i: int): bool = i ≥ 0
  ◦ Regarded as a predicate, membership is written nat?(x)
  ◦ Regarded as a set, it is written x ∈ nat?
• A predicate in parentheses denotes the corresponding subtype
  ◦ (nat?) is the same type as nat given earlier
• PVS has theory-level parameterization
  ◦ setof[nat] is the type of sets of natural numbers
An Example: The Minimum of a Set of Naturals

• We can specify the minimum of a set axiomatically as a value satisfying two properties
  ◦ It is a member of the given set
  ◦ It is no greater than any other member
• In PVS, this is
      min(s: setof[nat]): nat
      simple_ax: AXIOM ∀ (s: setof[nat]):
        min(s) ∈ s ∧ ∀ (n: nat): n ∈ s ⊃ min(s) ≤ n
• Unfortunately, this specification is inconsistent
The Inconsistency

• The problem is that the argument s to min could be an empty set
• But the first conjunct of simple_ax asserts that min(s) is a member of this set
Detecting the Error With Predicate Subtypes

• Using predicate subtypes, it is natural to factor the first conjunct into the return type for min
      min(s: setof[nat]): (s)
  (Observe that this is a dependent type: the return type (s) varies with the argument s)
• In higher-order logic, functions are just constants of "higher" type, so PVS forces us to prove that the corresponding type is not empty
      min_TCC1: OBLIGATION ∃ (x: [s: setof[nat] → (s)]): TRUE
• A (total) function type is nonempty if either
  ◦ Its range type is nonempty, or
  ◦ Both its domain and range types are empty
  Here, the domain type is nonempty, but the range type (s) is empty whenever s is the empty set, so no total function of this type can exist
• So the TCC is false, and the inconsistency is revealed
Fixing the Specification

• Must either weaken properties of the value returned by min
• Or restrict its argument to be a nonempty set
  ◦ The predicate that tests for nonemptiness is nonempty?[nat]
  ◦ So the revised signature is
        min(s: (nonempty?[nat])): (s)
    And the TCC becomes
        min_TCC: OBLIGATION ∃ (x: [s: (nonempty?[nat]) → (s)]): TRUE
    Which is true and provable
• The second conjunct of the defining axiom can also be factored into the type
      min(s: (nonempty?[nat])): { x: (s) | ∀ (n: (s)): x ≤ n }
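The following is an added example, not part of Rushby's slides, that replays the nat_prop lemma from the Predicate Subtypes slide and the min specification from the last four slides in Lean 4 (core library only, no Mathlib), whose dependent subtypes { x // p x } play the role of PVS predicate subtypes. Assumptions: sets of naturals are represented by lists, nonemptiness by s ≠ [], and the names Nat', nat_prop, min_total and minOf are chosen here for illustration. Where PVS generates a nonemptiness TCC and leaves it unprovable, Lean has no TCC mechanism, so the inconsistent signature is postulated as an axiom and the same defect shows up as a proof of False.

```lean
-- Added example (not from the slides): PVS predicate subtypes rendered with
-- Lean 4 subtypes. Lists stand in for setof[nat]; all names are illustrative.

-- The analogue of  nat: TYPE = { i: int | i ≥ 0 }
abbrev Nat' := { i : Int // 0 ≤ i }

-- nat_prop: no separate axiom is needed; the bound 0 ≤ i travels with the
-- type and i.property / j.property hand it to the arithmetic decision
-- procedure (omega).
theorem nat_prop (i j : Nat') :
    i.val + j.val ≥ i.val ∧ i.val + j.val ≥ j.val := by
  have hi : 0 ≤ i.val := i.property
  have hj : 0 ≤ j.val := j.property
  constructor <;> omega

-- The inconsistent specification: a total function whose result must be a
-- member of its argument, i.e.  min(s: setof[nat]): (s).  Postulated as an
-- axiom, since Lean would reject it as a definition.
axiom min_total : (s : List Nat) → { x : Nat // x ∈ s }

-- Applying it to the empty list yields a member of [], which is absurd.
-- This is exactly what the false TCC  min_TCC1  is reporting.
theorem min_total_inconsistent : False := by
  have h := (min_total []).property   -- h : (min_total []).val ∈ []
  simp at h                            -- membership in [] reduces to False

-- The fixed specification: the argument is restricted to nonempty lists
-- (the role of (nonempty?[nat])) and both conjuncts of simple_ax are
-- factored into the dependent return type, as on the last slide.
-- Here the "TCC" is discharged constructively by giving a total definition.
def minOf : (s : List Nat) → s ≠ [] →
    { x : Nat // x ∈ s ∧ ∀ n, n ∈ s → x ≤ n }
  | [], h => absurd rfl h
  | [a], _ => ⟨a, List.Mem.head _, fun n hn => by simp at hn; omega⟩
  | a :: b :: rest, _ =>
    -- recursive minimum of the tail, with its membership and bound proofs
    let ⟨m, hm, hmin⟩ := minOf (b :: rest) (by simp)
    if h : a ≤ m then
      ⟨a, List.Mem.head _, fun n hn => by
        cases hn with
        | head => omega
        | tail _ hn' => have := hmin n hn'; omega⟩
    else
      ⟨m, List.Mem.tail _ hm, fun n hn => by
        cases hn with
        | head => omega
        | tail _ hn' => exact hmin n hn'⟩

-- Constructed input: the minimum of [7, 3, 9]; the proof argument plays the
-- part of the nonemptiness side condition on the argument.
#eval (minOf [7, 3, 9] (by simp)).val
```

The point to notice is the same one the slides make: the first version typechecks as a signature yet is unsatisfiable, and the defect is found at the type level (here, as a derivation of False from the signature alone) before any theorem about min is attempted. Trying to call minOf on [] fails to typecheck, because no proof of [] ≠ [] exists.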