Formal Specification of Systems:: Lecture 3A
Formal Specification of Systems:: Lecture 3A
Lecture 3A of Systems:
Dr. R. Mall
Organization of this Lecture:
Introduction
General concepts
Formal vs. Informal
specifications
Axiomatic specification
Algebraic specification
Summary
Requirements Analysis and
Specification
Software Requirements
Specification (SRS) Document:
serves as contract between the
customer and the developers.
The SRS Document
Formal specification
techniques enable us to:
precisely specify a system
verify that a system is
correctly implemented.
Introduction
We say a system is
correctly implemented:
when it satisfies its
specification.
Introduction
We will first discuss some
important concepts in formal
methods:
next we will examine the merits
and limitations of formal
techniques.
What is a Formal Technique?
A formal technique is a
mathematical method.
How is a formal technique useful?
this hierarchy:
an implementation Specification
Implementation
Implementation
Specification
Implementation
Life cycle model
The different stages:
requirements specification,
design,
coding,
testing, etc.
Formal Methods
Formal techniques can be
used:
at every stage of the system
development activity.
Formal Methods
The mathematical basis of a formal
method
provided by its specification language.
A formal specification language consists
of:
two sets syn and sem, and
a relation sat between them.
Syntax and Semantics
Syntax and Semantics
Swahili
(?)
English
Formal Methods
The set syn
is called the syntactic domain,
The set sem
is called the semantic domain
The relation sat
is called the satisfaction relation.
Formal Methods
For a given specification syn,
and model of the system sem, if
sat(syn, sem):
syn is said to be the specification
of sem
sem is the specificand of syn
Syntactic Domains
The syntactic domain of a formal
specification language consists of:
an alphabet of symbols
a set of formation rules to construct well-
formed formulas.
The well-formed formulas are used to
specify a system.
Semantic Domains
Formal techniques can have
different semantic domains:
Abstract data type specification
languages
languages for specification of
concurrent/distributed systems,etc.
Semantic Domains
In a model-oriented approach:
Define the basic operations, p
(produce) and c (consume).
Then state that
S ==>S1+p,
S1 ==> S+c.
Model-oriented approach
Model-oriented approaches
specify a program by writing
another simpler program.
Comparison
Property-oriented approaches
are suitable for requirements
specification:
model-oriented approaches are
more suited to use in later phases
of life cycle.
Comparison
Property-oriented approaches
specify a system:
as a conjunction of axioms,
make it easier to alter/augment
specifications at a later stage.
Comparison
Model-oriented methods do not
support logical conjunctions (and)
and disjunctions (or):
even minor changes to a specification
may lead to drastic changes to the
entire specification.
Operational Semantics
Operational semantics of a
formal method:
the way it represents
computations:
i.e. the exact sequence in which the
different computations are carried
out
Operational Semantics
There are different types of
operational semantics:
according to what is meant by a single
run of the system
how the runs are grouped together to
describe the behavior of the system.
Linear semantics
A run of a system:
described by a sequence (possibly
infinite) of events or states.
The concurrent activities are
represented by non-deterministic
interleavings of the atomic
actions.
Linear semantics - Example
A concurrent activity a parallel b
represented by the set of
sequential activities a;b and b;a.
This is simple:
but rather unnatural
representation of concurrency.
Branching semantics
The behavior of a system can be
represented by a directed
graph:
Nodes of the graph represent
the possible states in the
evolution of a system.
Branching semantics
Branching semantics
Structure of states:
satisfying a partial order relation
among the states (events).
Partial order semantics
The partial order represents a
precedence ordering among
events:
constrains some events to occur only
after some other events have
occurred;
while the occurrence of other events
is considered to be incomparable.
Partial order semantics
Merits of Formal Methods
Construction of a rigorous
specification clarifies several
aspects of system behavior:
which are not obvious in an
informal specification.
Merits of Formal Methods
Formal specifications:
do not replace informal
descriptions
but complement them.
Formal vs. Informal specification Methods
Comprehensibility of formal
specifications is greatly
enhanced:
when accompanied by an
informal description.
Formal vs. Informal specification Methods
General recommendation:
Mixed approach
use formal techniques as a
broad guideline for use of
informal techniques.
Mixed Approach
Pre-conditions:
What are the requirements on the
parameters of the function?
Post-conditions:
What are the requirements when
the function is completed?
Axiomatic Specification of a Function
Domain:
What sort of things it acts upon?
Co-domain (range):
What sort of answer does it give?
How to develop axiomatic specifications?
f(x:real) : real
Pre: x R
Post: {x<100 ^ (f(x)=x/2)} v
R
{x>100 ^ (f(x)=2*x)}
Example: Axiomatic Specification
To define a heterogeneous
algebra, we need to specify:
its signature,
the involved operations, and their
domains and ranges.
Algebraic Specification
Inspection Operations :
Operations which evaluate
attributes of the sort, e.g.,
eval, get, etc.
Developing Algebraic Specification
After simplification:
empty(push(newstack,e1))
false
Two important questions
Finite termination property:
Does application of rewrite rules
terminate after a finite number of
steps?
We might endlessly go on applying
rewrite rules without coming to any
conclusion?
Two important questions
Unique termination property:
Can different sequence in application
of the rewrite rules always give the
same answer?
If we choose to simplify different
terms of the expression in different
experiments:
shall we always get the same answer?
Algebraic Specification
For arbitrary algebraic
equations:
convergence is undecidable.
If the r.h.s. of each rewrite rule
has fewer terms than the left:
rewrite process must terminate.
Auxiliary Functions
Sometimes development of a
specification requires:
extra functions not part of the
system:
to define the meaning of some
interface procedures.
Auxiliary Functions: Example
To specify bounded stacks:
need to add a depth function:
push returns either a stack or
an exception “overflow” when
depth is exceeded.
Bounded stack
In order to specify a bounded
stack:
we need to make changes to
different sections to include
auxiliary functions.
Auxiliary Functions
Syntax:
push:
stack element ==> stack
depth:
stack integer
Auxiliary Functions
Equations:
depth(newstack)=0
depth(push(s,e))=depth(s)+1
push(s,e)=overflow if depth(s)
>= Max
Example 2: coord
Types:
sort coord
imports integer, boolean
Example: coord
Signature:
create(integer,integer) coord
X(coord) integer
Y(coord) integer
Eq(coord,coord) boolean
Example: coord
Rewrite rules:
X(create(x,y))=x
Y(create(x,y))=y
Eq(create(x1,y1),create(x2,y2))
= ((x1=x2) and (y1=y2))
Structured Specifications
Writing formal specifications is time
consuming.
To reduce effort, we need to reuse
specifications:
instantiation of generic specifications
incremental development of
specifications
Specification Instantiation
Take an existing
specification:
specified with some generic
parameter
Instantiate with some sort
Incremental Development
Develop specifications for
simple sorts:
using these specify more
complex entities.
Pros and Cons
Algebraic specifications have
a strong mathematical basis:
can be viewed as
heterogeneous algebra.
Pros and Cons
An important shortcoming of
algebraic specifications:
cannot deal with side effects
difficult to use with common
programming languages.
Pros and Cons
Algebraic specifications are hard
to understand:
also changing a single property of
the system
may require changing several
equations.
Summary