CS 501: Software Engineering Requirements 4 CS 501 Spring 2005 Lecture 10

CS 501: Software Engineering
Lecture 10
Requirements 4
Course Administration
Presentations, March 9-10
Read the instructions on the Assignments web page.
Reserve a time slot by sending email to anat@cs.cornell.edu. Time slots are listed on the home page of the web site. First-come, first-served.
Formal Specification
Why?
• Precise standard to define and validate software.
Why not?
• May be time consuming
• Methods are not suitable for all applications
Remember
Formal specification does not prescribe the implementation
With formal specification it is possible, at least theoretically, to generate code automatically from the specification, but this may not be the most effective way:
• Writing the generator may be a very large programming task.
• The resulting code may perform badly.
Formal specification does not guarantee correctness
• If the specification is wrong, the system will be wrong.
Formal Specification using
Mathematical Notation
Mathematical requirements can be specified formally.
Example: requirements from a mathematical package:
  B₁, B₂, ... Bₖ is a sequence of m × m matrices
  1, 2, ... k is a sequence of m × m elementary matrices
  B₁⁻¹ = 1
  B₂⁻¹ = 2 1
  Bₖ⁻¹ = k ... 2 1
The numerical accuracy must be such that, for all k,
  BₖBₖ⁻¹ − I <
Formal Specification Using Diagrams
Example: Pascal number syntax
(Syntax diagrams: "unsigned integer" as one or more digits; "unsigned number" as an unsigned integer, an optional fraction "." followed by digits, and an optional exponent "E" with an optional + or - sign and an unsigned integer.)
Formal Specification of Programming Languages
Example: Pascal number syntax
<unsigned number> ::= <unsigned integer> | <unsigned real>
<unsigned integer> ::= <digit> {<digit>}
<unsigned real> ::= <unsigned integer> . <digit> {<digit>} |
<unsigned integer> . <digit> {<digit>} E <scale factor> |
<unsigned integer> E <scale factor>
<scale factor> ::= <unsigned integer> | <sign> <unsigned integer>
<sign> ::= + | -
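A grammar is a formal specification of exactly which strings a program should accept; the recognizer below is an added example (not from the slides) that implements the Pascal <unsigned number> productions above as a recursive-descent parser in Python and requires the whole input to be consumed, so strings the grammar does not generate are rejected. The class, function and sample inputs are constructed for this example.

```python
"""Recursive-descent recognizer for the Pascal <unsigned number> grammar
shown on the slide. Added example: the grammar is the slide's, the code and
the sample inputs are constructed here."""


class Parser:
    def __init__(self, text: str) -> None:
        self.text = text
        self.pos = 0

    def peek(self) -> str:
        return self.text[self.pos] if self.pos < len(self.text) else ""

    def take(self, chars: str) -> bool:
        # Consume one character if it is one of `chars`.
        if self.peek() and self.peek() in chars:
            self.pos += 1
            return True
        return False

    def digits(self) -> bool:
        # <unsigned integer> ::= <digit> {<digit>}   (at least one digit)
        if not self.take("0123456789"):
            return False
        while self.take("0123456789"):
            pass
        return True

    def scale_factor(self) -> bool:
        # <scale factor> ::= <unsigned integer> | <sign> <unsigned integer>
        self.take("+-")              # optional <sign>
        return self.digits()

    def unsigned_number(self) -> bool:
        # <unsigned number> ::= <unsigned integer> | <unsigned real>
        # Every <unsigned real> alternative starts with <unsigned integer>,
        # so parse that first, then the optional fraction and exponent.
        if not self.digits():
            return False
        if self.take("."):
            if not self.digits():    # the fraction needs at least one digit
                return False
        if self.take("E"):
            if not self.scale_factor():
                return False
        return True


def is_unsigned_number(text: str) -> bool:
    """True iff the whole string is a Pascal <unsigned number>."""
    p = Parser(text)
    return p.unsigned_number() and p.pos == len(text)


# Constructed sample inputs: the grammar admits the first group and rejects the rest.
ACCEPT = ["0", "42", "3.14", "1.5E10", "1.5E-10", "7E+3", "007"]
REJECT = ["", "+1", "-1", ".5", "3.", "3.E2", "1E", "1E-", "1e5", "1.2.3", "12a", " 1"]

if __name__ == "__main__":
    for s in ACCEPT + REJECT:
        print(f"{s!r:10} -> {is_unsigned_number(s)}")
```

Note that "3." and "1E" are rejected because the grammar demands a digit after the point and an unsigned integer after E; a recognizer written from an informal description would often let them through.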
Formal Specification using Z ("Zed")
Z is a specification language developed by the Programming Research Group at Oxford University around 1980. Z is used for describing and modeling computing systems. It is based on axiomatic set theory and first-order predicate logic.
Ben Potter, Jane Sinclair, David Till,
An Introduction to Formal Specification and Z
(Prentice Hall) 1991
Jonathan Jacky
The Way of Z
(Cambridge University Press) 1997
Example: Specification using Z
Informal: The function intrt(a) returns the largest integer whose square is less than or equal to a.
Formal (Z):
  intrt : ℕ → ℕ
  ∀ a : ℕ • intrt(a) * intrt(a) ≤ a < (intrt(a) + 1) * (intrt(a) + 1)
Example: Implementation of intrt
Static specification does not describe the design of the system.
A possible algorithm uses the mathematical identity:
  1 + 3 + 5 + ... + (2n − 1) = n²
Example: Program for intrt
int intrt (int a)
/* Calculate integer square root: the largest i with i*i <= a.
   Uses 1 + 3 + 5 + ... + (2n - 1) = n*n: at the top of each
   iteration sum == (i+1)*(i+1), so the loop stops at the first
   i with (i+1)*(i+1) > a.  a is assumed non-negative, as the
   specification is over the natural numbers. */
{
    int i, term, sum;
    term = 1; sum = 1;
    for (i = 0; sum <= a; i++)
    {
        term = term + 2;      /* next odd number */
        sum = sum + term;     /* sum becomes (i+2)*(i+2) before i++ */
    }
    return i;
}
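The Z predicate on slide 9 says what intrt must satisfy but nothing about how, so it can be used as a test oracle for any implementation. The following is an added example (not from the slides): it ports the slide's odd-number algorithm to Python, adds a second, unrelated design (binary search) and a plausible but wrong variant, and checks all of them against the predicate over a range of inputs. All function names and the checking harness are constructed here.

```python
"""Implementations of intrt checked against the Z predicate from the slides:
for all a in N, intrt(a)*intrt(a) <= a < (intrt(a)+1)*(intrt(a)+1).
Added example: the odd-number algorithm is the slide's; the other
implementations and the oracle are constructed here."""


def intrt_odd_sum(a: int) -> int:
    # The slide's algorithm: 1 + 3 + 5 + ... + (2n - 1) = n^2, so count how
    # many odd numbers can be added before the running sum exceeds a.
    i, term, total = 0, 1, 1
    while total <= a:
        term += 2
        total += term
        i += 1
    return i


def intrt_bisect(a: int) -> int:
    # A different design that meets the same specification: binary search
    # for the largest n with n*n <= a. The spec does not prescribe either.
    lo, hi = 0, a
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid * mid <= a:
            lo = mid
        else:
            hi = mid - 1
    return lo


def intrt_strict(a: int) -> int:
    # A wrong variant (constructed): loop condition uses < instead of <=,
    # which is off by one exactly when a is a perfect square.
    i, term, total = 0, 1, 1
    while total < a:
        term += 2
        total += term
        i += 1
    return i


def satisfies_spec(f, a: int) -> bool:
    """The Z predicate for one value of a, used as a test oracle."""
    n = f(a)
    return n * n <= a < (n + 1) * (n + 1)


def check_range(f, upper: int) -> list:
    """Inputs in 0..upper for which f violates the predicate (empty = OK)."""
    return [a for a in range(upper + 1) if not satisfies_spec(f, a)]


if __name__ == "__main__":
    for impl in (intrt_odd_sum, intrt_bisect, intrt_strict):
        print(impl.__name__, "violations up to 100:", check_range(impl, 100))
```

The oracle reports no violations for the two correct designs and lists every perfect square for intrt_strict, which is the kind of boundary defect an informal description ("roughly the square root") would not pin down.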
Formal Specification of Finite State Machine Using Z
A finite state machine is a broadly used method of
formal specification:
• Event driven systems (e.g., games)
• User interfaces
• Protocol specification
etc., etc., ...
State Transition Diagram
(Diagram: states Patients, Fields, Setup, Ready and Beam on; events Select patient, Select field, Enter, Start (lock off) and Stop (lock on).)
State Transition Table
            Select    Select
            Patient   Field     Enter     lock off  Start     Stop      lock on
Patients                        Fields
Fields      Patients            Setup
Setup       Patients  Fields              Ready
Ready       Patients  Fields                        Beam on             Setup
Beam on                                                       Ready     Setup
Z Specification
STATE ::= patients | fields | setup | ready | beam_on
EVENT ::= select_patient | select_field | enter | start | stop | lock_off | lock_on
FSM == (STATE × EVENT) ⇸ STATE
no_change, transitions, control : FSM
Continued on next slide
Z Specification (continued)
control = no_change ⊕ transitions
no_change = { s : STATE; e : EVENT • (s, e) ↦ s }
transitions = { (patients, enter) ↦ fields,
                (fields, select_patient) ↦ patients, (fields, enter) ↦ setup,
                (setup, select_patient) ↦ patients, (setup, select_field) ↦ fields,
                (setup, lock_off) ↦ ready,
                (ready, select_patient) ↦ patients, (ready, select_field) ↦ fields,
                (ready, start) ↦ beam_on, (ready, lock_on) ↦ setup,
                (beam_on, stop) ↦ ready, (beam_on, lock_on) ↦ setup }
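The Z specification on the last two slides is small enough to execute directly. The code below is an added example (not from the slides): it represents no_change and transitions as Python dicts, builds control as function override (dict merge, so entries of transitions win), and checks properties that a reviewer would read off the transition table, such as control being total and beam_on being reachable only through (ready, start). The states, events and transition set are the slides'; the function names, the property list and the sample event trace are constructed here.

```python
"""Executable version of the Z finite state machine on the slides:
transitions, no_change, and control = no_change (+) transitions.
Added example; states, events and the transition set are the slides',
the code and the property checks are constructed here."""

from itertools import product

STATE = ("patients", "fields", "setup", "ready", "beam_on")
EVENT = ("select_patient", "select_field", "enter", "start", "stop",
         "lock_off", "lock_on")

# transitions : FSM  -- the explicit state changes from the Z specification
transitions = {
    ("patients", "enter"): "fields",
    ("fields", "select_patient"): "patients", ("fields", "enter"): "setup",
    ("setup", "select_patient"): "patients", ("setup", "select_field"): "fields",
    ("setup", "lock_off"): "ready",
    ("ready", "select_patient"): "patients", ("ready", "select_field"): "fields",
    ("ready", "start"): "beam_on", ("ready", "lock_on"): "setup",
    ("beam_on", "stop"): "ready", ("beam_on", "lock_on"): "setup",
}

# no_change = { s : STATE; e : EVENT . (s, e) |-> s }
no_change = {(s, e): s for s, e in product(STATE, EVENT)}

# control = no_change (+) transitions: where transitions is defined it
# overrides no_change, elsewhere the state is left unchanged.
control = {**no_change, **transitions}


def step(state: str, event: str) -> str:
    """Apply one event; control is total, so every pair has a successor."""
    return control[(state, event)]


def run(start: str, events: list) -> list:
    """Trace of states visited when the events are applied in order."""
    trace = [start]
    for e in events:
        trace.append(step(trace[-1], e))
    return trace


def check_properties() -> dict:
    """Properties of control that follow from the transition table."""
    return {
        # control is defined for every (state, event) pair
        "control_total": set(control) == set(product(STATE, EVENT)),
        # where transitions is defined, control agrees with it
        "override_respected": all(control[k] == v for k, v in transitions.items()),
        # the only entry into beam_on from another state is start in ready
        "beam_on_only_from_ready_start":
            {k for k, v in control.items() if v == "beam_on" and k[0] != "beam_on"}
            == {("ready", "start")},
        # lock_on in ready or beam_on always returns the machine to setup
        "lock_on_returns_to_setup":
            all(control[(s, "lock_on")] == "setup" for s in ("ready", "beam_on")),
    }


if __name__ == "__main__":
    print(run("patients", ["enter", "enter", "lock_off", "start", "stop", "lock_on"]))
    print(check_properties())
```

Because the specification is data rather than a hand-written switch statement, adding a transition means adding one maplet, and the property checks re-run against the whole machine, which is the practical value of writing the control function as a set in the first place.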
Schemas
Schema:
• The basic unit of formal specification.
• Enables a complex system to be specified as subsystems.
• Describes admissible states and operations of a
system.
LibSys: An Example of Z
Library system:
• Stock of books.
• Registered users.
• Each copy of a book has a unique identifier.
• Some books on loan; other books on shelves
available for loan.
• Maximum number of books that any user may
have on loan.
LibSys: Operations
• Issue a copy of a book to a reader.
• Reader returns a book.
• Add a copy to the stock.
• Remove a copy from the stock.
• Inquire which books are on loan to a reader.
• Inquire which reader has a particular copy of a book.
• Register a new reader.
• Cancel a reader's registration.
LibSys: Modeling
Formal Specifications are models. As with all
models, it is necessary to decide what should be
included and what can be left out.
Level of detail
Assume given sets:
Copy, Book, Reader
Global constant:
maxloans
Domain and Range
(Diagram: a mapping m from X to Y; dom m is the part of X that m maps from, ran m the part of Y that m maps to.)
domain:
  dom m = { x ∈ X : ∃ y ∈ Y • x ↦ y }
range:
  ran m = { y ∈ Y : ∃ x ∈ X • x ↦ y }
LibSys: Schema for Abstract States
Schema name: Library
Declaration part:
  stock : Copy ⇸ Book
  issued : Copy ⇸ Reader
  shelved : F Copy          (F: finite subset)
  readers : F Reader
Predicate part:
  shelved ∪ dom issued = dom stock
  shelved ∩ dom issued = Ø
  ran issued ⊆ readers
  ∀ r : readers • #(issued ▷ {r}) ≤ maxloans
Schema Inclusion
LibDB
  stock : Copy ⇸ Book
  readers : F Reader

LibLoans
  issued : Copy ⇸ Reader
  shelved : F Copy
  ∀ r : Reader • #(issued ▷ {r}) ≤ maxloans
  shelved ∩ dom issued = Ø
Schema Inclusion (continued)
Library
  LibDB
  LibLoans
  dom stock = shelved ∪ dom issued
  ran issued ⊆ readers
Schemas Describing Operations
Naming conventions for objects:
Before: plain variables, e.g., r
After: with appended dash, e.g., r'
Input: with appended ?, e.g., r?
Output: with appended !, e.g., r!
Operation: Issue a Book
• Inputs: copy c?, reader r?
• Copy must be shelved initially: c? ∈ shelved
• Reader must be registered: r? ∈ readers
• Reader must have less than maximum number of books on loan: #(issued ▷ {r?}) < maxloans
• Copy must be recorded as issued to the reader: issued' = issued ∪ {c? ↦ r?}
• The stock and the set of registered readers are unchanged: stock' = stock; readers' = readers
Operation: Issue a Book
Issue
  stock, stock' : Copy ⇸ Book
  issued, issued' : Copy ⇸ Reader
  shelved, shelved' : F Copy
  readers, readers' : F Reader
  c? : Copy; r? : Reader
  [See next slide]
Operation: Issue a Book (continued)
Issue
  [See previous slide]
  shelved ∪ dom issued = dom stock
  shelved' ∪ dom issued' = dom stock'
  shelved ∩ dom issued = Ø; shelved' ∩ dom issued' = Ø
  ran issued ⊆ readers; ran issued' ⊆ readers'
  ∀ r : readers • #(issued ▷ {r}) ≤ maxloans
  ∀ r : readers' • #(issued' ▷ {r}) ≤ maxloans
  c? ∈ shelved; r? ∈ readers; #(issued ▷ {r?}) < maxloans
  issued' = issued ∪ {c? ↦ r?}
  stock' = stock; readers' = readers
Schema Decoration
Issue
  Library
  Library'
  c? : Copy; r? : Reader
  c? ∈ shelved; r? ∈ readers
  #(issued ▷ {r?}) < maxloans
  issued' = issued ∪ {c? ↦ r?}
  stock' = stock; readers' = readers
Schema Decoration
Issue
  ΔLibrary
  c? : Copy; r? : Reader
  c? ∈ shelved; r? ∈ readers
  #(issued ▷ {r?}) < maxloans
  issued' = issued ∪ {c? ↦ r?}
  stock' = stock; readers' = readers
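To show what the Library schema and the Issue operation amount to when executed, here is an added example (not from the slides): the state is a Python dataclass whose invariant() method evaluates the four predicates of Library, and issue() checks the preconditions of Issue, builds Library' and asserts that the invariant still holds. The declarations, predicates and pre/postconditions are the slides'; the value of maxloans, the sample library, the helper names (loans_of, try_issue, sample_library) and the derivation of shelved' from the invariant are constructed here. The example goes slightly beyond the slides in that invariant() reports which predicate failed rather than just a truth value.

```python
"""LibSys: the Library schema's invariant and the Issue operation as
executable checks. Added example; the Z predicates are the slides', the
Python representation and the sample data are constructed here."""

from dataclasses import dataclass, field

maxloans = 2   # global constant; the value is constructed for the example


@dataclass
class Library:
    stock: dict = field(default_factory=dict)    # Copy -|-> Book
    issued: dict = field(default_factory=dict)   # Copy -|-> Reader
    shelved: set = field(default_factory=set)    # F Copy
    readers: set = field(default_factory=set)    # F Reader

    def loans_of(self, r) -> int:
        # #(issued |> {r}): number of copies whose issued-to reader is r
        return sum(1 for reader in self.issued.values() if reader == r)

    def invariant(self) -> list:
        """Predicates of the Library schema that fail (empty list = OK)."""
        failed = []
        dom_issued = set(self.issued)
        if self.shelved | dom_issued != set(self.stock):
            failed.append("shelved U dom issued = dom stock")
        if self.shelved & dom_issued:
            failed.append("shelved ^ dom issued = {}")
        if not set(self.issued.values()) <= self.readers:
            failed.append("ran issued c= readers")
        if any(self.loans_of(r) > maxloans for r in self.readers):
            failed.append("forall r : readers . #(issued |> {r}) <= maxloans")
        return failed


def issue(lib: Library, c, r) -> Library:
    """Issue schema: check the preconditions, then build Library'."""
    if c not in lib.shelved:
        raise ValueError("c? not in shelved")
    if r not in lib.readers:
        raise ValueError("r? not in readers")
    if lib.loans_of(r) >= maxloans:            # requires #(issued |> {r?}) < maxloans
        raise ValueError("reader already has maxloans copies")
    after = Library(
        stock=dict(lib.stock),                 # stock' = stock
        issued={**lib.issued, c: r},           # issued' = issued U {c? |-> r?}
        shelved=lib.shelved - {c},             # forced by the Library' invariant:
                                               # c? is in dom issued', so not in shelved'
        readers=set(lib.readers),              # readers' = readers
    )
    # Library' is part of the schema: the after-state must satisfy the invariant.
    assert not after.invariant(), after.invariant()
    return after


def try_issue(lib: Library, c, r) -> str:
    """Outcome of an Issue attempt as text, for the demonstration."""
    try:
        issue(lib, c, r)
        return "issued"
    except ValueError as err:
        return f"rejected: {err}"


def sample_library() -> Library:
    # Constructed sample: three copies of two books, two registered readers.
    return Library(
        stock={"c1": "b1", "c2": "b1", "c3": "b2"},
        issued={"c3": "alice"},
        shelved={"c1", "c2"},
        readers={"alice", "bob"},
    )


if __name__ == "__main__":
    lib = sample_library()
    print("invariant failures:", lib.invariant())
    print(try_issue(lib, "c1", "alice"))     # issued
    print(try_issue(lib, "c3", "bob"))       # rejected: c3 is on loan, not shelved
    print(try_issue(lib, "c1", "carol"))     # rejected: not registered
```

Each rejected call corresponds to one precondition in the Issue schema; the final assert is the postcondition. Keeping the before-state untouched and building the after-state separately mirrors the unprimed/primed naming convention, and makes it easy to test the operation without mutating shared state.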
The Schema Calculus
Schema inclusion
Schema decoration
Schema disjunction:
  AddCopy ≙ AddKnownTitle ∨ AddNewTitle
Schema conjunction:
  AddCopy ≙ EnterNewCopy ∧ AddCopyAdmin
Schema negation
Schema composition
Z in Practice
In carefully monitored industrial use, Z has been shown to improve the timeliness and accuracy of software development, yet it is not widely used in practice.
• Complexity of notation makes communication with the client difficult.
• Few software developers are comfortable with the underlying axiomatic approach.
• Heavy notation is awkward to manipulate with conventional tools, such as word processors.