Formal Methods in SE

Introduction to Z Specification
 Outline

• Z language
• Specifications of Z language
• Z language
• Z language Schemas review
• Z language example
• Schema
• Schema theory
• Type of schemas
– State based schema
– Operation based schema
• Z Example: A Birthday Book
Formal Methods

• Formal Methods through an Introduction to

Z
• A notation for formal specification of
systems and a formal tool for precise design
of software
• Z (pronounced Zed), uses mostly familiar
mathematical notation and properties to
precisely specify the system under
description
Z Specification
– As all other formal methods, Z uses the
powerful notion of abstraction.

– Z specifies a system using:

– Mathematically defined data types

And Decompositions called Schemas

Z Specification
• A schema describes both the static and the dynamic
aspects of a system.
• Static
– Individual states
– Invariants maintained
• Dynamic
– State Transitions
– Events (operations)
– Transformations (relationship of input to output)
Z Specification
– The Z language also allows us to combine
and relate separately defined schemas in a
mathematically logical fashion.
–Z also permits a progression of
decomposition. We can construct a
progression of related specifications that
eventually arrives at the API or the equivalent
of the API of an implementation.
Z Specification
• To learn how to speak any language, we first need
to learn some vocabulary and some simple rules of
grammar. Both the vocabulary and the grammar of
Z should be largely familiar to you.

• Some of these symbols and concepts are unique to

Z but most are in general use elsewhere in
mathematics.

• In this treatment we use the ObjectZ dialect of Z,

one that allows for the notion of class, inheritance
and a few other OO “nice to have”s.
 Z Specification
Sets and Types
[X] Type X data type ::=m1|m2|…..|mn

X==Y Y stands for X Z Set of Integers

N Set of natural numbers (0)
N1 Set of positive integers (1)
t S t is an element of set S
t S t is not an element of set S
S T S is contained in T
 Z Specification
S\T Difference: elements that are in S but not in T
#S Size or cardinality: number of elements in S
disjoint Sq the sets in the sequence sq are disjoint
sq partition S the sets in sq partition the set S

Logic
true, false logical constants
P not P
 Z Specification
PQ conjunction: “P and Q”
PQ disjunction: “P or Q”
PQ implication: “If P then Q”
PQ equivalence: : “If P then Q and if Q then P”
t=r term t is equal to term r
tr term t is not equal to term r, that is: (t=r)
Predicates:
" x:T.P for all x of type T, P holds
x: T.P there exists an x of type T, for which P holds
 Z Specification
Relations:
XY the set of ordered pairs of X’s and Y’s
XY the set of relations from X to Y; = =P(XY)
xRy x is related to y by R; (x,y) R
dom R the domain of relation R; = ={x:X | (x:X . x R y) .
x}
ran R the range of a relation R; = ={y:Y | (x:X . x R y) . y}
SR the relation R is domain restricted to S
RS the relation R is range restricted to S
R~ the inverse of R
Z Specification
– Functions:
– XY the set of partial functions from
X to Y
= ={f:XY | (x:X | x dom f.
(1y:Y.x f y))}
– X Y the set of total functions from X
to Y
= ={f: X  Y| dom f = X.f}
– fx or f(x) function f is applied to x
 Z Specification

<x1,…xn>^<y1,…yn> concatenation
= = <x1,…xn,y1,…yn>
head S ==S1
last S = = S #S
tail S^S1 ==S
frontS^<x> = = S where <x>= =last S
rev S the sequence S in reverse order
 Z Specification
Schemas:
Class Schema:
Class Name[generic parameter]
type definitions
constant definitions
state schema
initial state schema
operation schemas

history invariant
 Z Specification
State Schema

items: seq T

#items  max

declaration predicate
 Z Specification

Initial State Schema:

INIT
items = = < >

Operational schemas
Operation name
declarations

predicates
 Z Specification
Schema decorations:

| name: T name is a constant of type T

item ?: T item is an input or accepts input
item !: T item is an output or holds an output
item’ new state of item after change
(item) the schema effects change on
item
(item) item is left unchanged by schema
 Summary
• WHAT IS Z
– Notational conventions for logic and simple
mathematics.
– Discrete mathematics with declarations and structure
(``paragraphs'').
– ``Model-based'', with states and operations.
– A notation, not a method.
– Not specialized for any application.
– Not a tool (but many tools available).
– Not executable --- Z is not a programming language!

22
 Z Specification
Schemas:
Class Schema:
Class Name[generic parameter]
inherited classes
type definitions
constant definitions
state schema
initial state schema
operation schemas

history invariant
 Z Specification
State Schema

items: seq T

#items  max

declaration predicate
Example

• A simple case example will help bring

these concepts together
– We will develop a specification for a
very simple library management
system. In this system, each book will
be assigned to a shelf location,
designated by a number. A shelf
location of course may house many
books.
 A Library System

We introduce the types we need: [BOOK], [SHELF]

We do not for the moment specify what exact type the book
variable would be. The book may be identified by an
alphanumeric string, such as by the book title; alphabetic, such as
by author’s name; numeric, such as by ISBN, etc. It does not
matter for the moment.

The shelf we decide is simply numbered from 1 to whatever.

[SHELF], SHELF ::=N1

A Library System
• So now we can think of an ordered pair of
[BOOK,SHELF] which is generic in with respect to
BOOK and specified wrt SHELF. This renders the
whole ordered pair structure generic, in that it would
have to be set to a type (book has to be set to a
type) before it can be instantiated.
• Now we can create a simple class, let us call it
Library. We do so by creating a class schema:
Library
onshelf : P BOOK
location: BOOK  SHELF

onshelf =dom location

A Library System

• Note that we have not placed a limit on the

number of records that may be stored nor
the order in which they are to be stored.

• Because location is in a functional

relationship with onshelf, there will always
be only one location for a book but many
books may be placed on the same shelf.

• But what can this simple system do? How

about adding a book/location pair?
 A Library System
AddtoLibrary
 Library
abook?: BOOK
aspot? : SHELF

abook?  onshelf
location’ = location {abook? aspot?}

• We have read two variables abook and

aspot and
 A Library System
A bit of proof (you probably don’t need to do this but it is a good simple demonstration
of the proof capability of Z):

Prove that onshelf’ = onshelf  {abook?}

Proof:
onshelf’ = dom location’ [by invariant after]
= dom (location  {abook?  aspot?} [Spec of
AddtoLibrary]
= dom location  dom{abook?  aspot?} [fact about dom]
= dom location  {abook?} [fact about functions]
= onshelf  {abook?} [invariant before}
 A Library System

• Let’s add another operation:

• Add an operation that given the name of a
book, it finds its shelf
FindLocation
Ξ Library
abook?: BOOK
aspot! : SHELF

abook?  onshelf
aspot! = location(abook?)
 A Library System
The new symbol Ξ indicates that the operation
FindLocation has induced no change of state. It is in
this sense mathematically equivalent to:

(onshelf’ = onshelf)  (location’ = location)

Which due to rules of precedence of symbols may be

written as:
(onshelf’ = onshelf)  (location’ = location)
 A Library System

• Another operation may be to find the

contents of a shelf. That is, given the
number of the shelf, find out what books are
on that shelf.
ShelfContents
Ξ Library
ashelf?: SHELF
books! : BOOK

ashelf?  dom location

books! = {n: onshelf | location(n) = ashelf?}
 Summary
– Z is a model-based notation.
– In Z you usually model a system by
representing its state -- a collection of state
variables and their values -- and some
operations that can change its state.
– A model that is characterized by the
operations it describes is called an abstract
data type (ADT).
– is not an executable notation.
– Z was designed for people, not machines
– Z actually includes two notations. The first is
the notation of ordinary discrete
34
mathematics. The second notation provides
Schema

• What is Schema???
– A representation of a plan or theory in the
form of an outline or model.
– a diagram, plan, or scheme. Synonyms:
outline, framework, model.
– an underlying organizational pattern or
structure; conceptual framework:
– A schema provides the basis by which
someone relates to the events he or she
experiences.
Model-Based Specification
• Z — like VDM, its main competitor — is a model-based
specification framework.
• The idea is to construct an abstract model of the system
we
This model is:
– high level;
– idealised;
– does not detail with implementation specifics.
• What does the model consist of?
– description of system state space;
– description of system operations.
• System state-space is the set of all states that the
system could be in.
• The state of a system describes the value of each
variable (and memory location).
Continue..
• The most fundamental operation we use is the assignment
statement, ‘:=’ . . . Such statements change the state of a
system.
• In Z, we represent the state space of a system as a collection
of functions, sets, relations, sequences, etc., together
with a collection of invariant properties on these objects.
• These invariant properties describe regularities between state
changes.
• How about operations? What level of abstraction we deal with
them? Lowest level would be assignment statement level.
• We start with more abstract descriptions.
• Operations are usually defined in terms of pre- and post-
conditions.
• Operations define acceptable state transitions.
State Space Schemas
• Here is an example state-space schema,
representing part of a system that records details
about the phone numbers of staff. (Assume that
NAME is a set of names, and PHONE is a set of
phone numbers.)
Continue..
– The declarations part of this schema introduces two
variables: known and tel.
– The value of known will be a subset of NAME, i.e., a set
of names.
– This variable will be used to represent all the names that
we know about — those that we can give a phone
number for.
– The value of tel will be a partial function from NAME to
PHONE, i.e., it will associate names with phone numbers.
– The declarations part is separated from the predicate part
by the horizontal line.
– The predicate part contains the following invariant:
– The domain of tel is always equal to the set known.
 Summary

• In this lecture, we introduce schemas, the

most distinctive feature of the Z specification
language.
• We show how a simple computer system
can be specified in Z.

40
Continue..
– The declarations part of this schema introduces two
variables: known and tel.
– The value of known will be a subset of NAME, i.e., a set
of names.
– This variable will be used to represent all the names that
we know about — those that we can give a phone
number for.
– The value of tel will be a partial function from NAME to
PHONE, i.e., it will associate names with phone numbers.
– The declarations part is separated from the predicate part
by the horizontal line.
– The predicate part contains the following invariant:
– The domain of tel is always equal to the set known.
Operation Schemas
• In specifying a system operation, we must consider:
–the objects that are accessed by the operation,
and of these:
∗ the objects that are known to remain
unchanged by the operation (cf. value
parameters);
∗ the objects that may be altered by the
operation (cf. variable parameter);
– the pre-conditions of the operation, i.e., the things
that must be true for the operation to succeed;
– the post-conditions — the things that will be true
after the operation, if the pre-condition was
satisfied before the operation.
Continue…
• Return to the telephone book example, and
consider the ‘lookup’ operation:
– We put a name in, and get a phone number out.
– this operation accesses the PhoneBook
schema;
– it does not change it;
– it takes a single ‘input’ — a name for which we
want to find a phone number;
– it produces a single output — a phone number.
– it has the pre-condition that
the name is known to the database.
– Here is a Z schema specifying
the lookup operation:
 Schema

This illustrates the following Z conventions:

• placing the name of the schema in the declarations part ‘includes’ that
schema — it is as if the variables were declared where the name is;
• ‘input’ variable names are terminated by a question mark;
• . . . the only input is name?
• ‘output’ variables are terminated by an exclamation mark;
• . . . the only output is phone!
• the Ξ (Xi) symbol means that the PhoneBook schema is not changed;
• if we have written a ∆ (delta) instead of Ξ, it would mean that the
PhoneBook schema did change.
• the pre-condition is that name? is a member of known;
• the post-condition is that phone! is set to tel(name?).
Another example

• Here is another schema: this one add’s a

name/phone pair to the phone book.

• This schema accesses PhoneBook and

does change it (hence the use of ∆ rather
that Ξ.)
Continue….
– Two inputs: a name (name?) and phone number
(phone?).
– Pre-condition: the name is not already in the
database.
– Post-condition: tel after the operation is the same
as tel before the operation with the addition of
maplet name? 7! phone?.
– Appending a 0 to a variable means ‘the
variable after the operation is performed’.
 Summary
– In this lecture, we introduce schemas, the
most distinctive feature of the Z specification
language.
– We show how a simple computer system can
be specified in Z.
– We discussed state based and operation
based schemas

47
Z Example: A Birthday
Book
 Description
 A system that records people’s birthdays and is able to
issue a reminder when the day comes around
 Spivey - Z Reference Manual, chapter one (pages 1-10)

 State Space Schema

48
States
 Initial State Schema

 In consequence, the function is empty too

What do the states

of this system look
like?

49
Operations
 Specify an operation to add a new birthday entry
 Consider: convention, inputs, and pre/post- condition

Add Birthday Operation

50
Operations (cont’d)
 Specify an operation to find (retrieve) a person’s birthd
 Consider: convention, inputs, outputs, and pre/post-

Find Birthday Operation

51
Operations (cont’d)
 Specify an operation to remind you who’s birthday is it
 Consider: convention, inputs, outputs, and pre/post-

Remind Operation

52
Considering All Scenarios
 An implementation of the Birthday Book specification
will work as long as there are no mistakes in the
input, i.e., if
the pre-conditions have been met.

 For completeness, we should also specify error cases:

 Adding the birthday of someone that is already
known
 Trying to find the birthday of someone that is not
known

 To help achieve this, a new type definition is

introduced to describe success and error conditions.
 53
Combining Schemas
 Z facilitates combining new schemas with
existing schemas, which promotes
modularization and reuse
 A reusable schema to describe successful
completion of an operation can first be
defined:

and then integrated through schema

conjunction. 54
Summary

• Development of Birthdaybook system with

Zed is discussed including error handling in
the system.
Community Z Tools (CZT)
 Community Z Tools Project:
http://czt.sourceforge.net/
 Built a set of tools for editing, type
checking, and animating Z specifications
 Supports some extensions of Z such as
Object-Z, Circus, and TCOZ
 Plugins available

56
Summary

• Real Software system implementation using

Z-Schema.
Thank You!!