Introduction to Z

Copyright, 2002 © Jerzy R. Nawrocki

Jerzy.Nawrocki@put.poznan.pl

www.cs.put.poznan.pl/jnawrocki/mse/models/

Models and Analysis of Software

Lecture 5

J. Nawrocki, Models & ...

UML and formal models

Use-case diagram: actors Reader and Admin; use cases Look-up, Change, Add, Remove.

UML and formal models

Class diagram: PhoneDir

Init()
Add(name, no)
Lookup(name): Num
Delete(name)

Introduction

• Model-based: basic types (integer, real, ..) and compound types (sets, sequences, ..)

• Implicit specification (what?).

• No explicit specification (how?).

Z resembles VDM

From the previous lecture..

Quantifiers

-- A prime number, n, is
-- divisible only by 1 and n.
IsPrime (n: N1) res: B
post res ⇔ ∀k ∈ N1 · (1 < k ∧ k < n) ⇒ n mod k ≠ 0

That's really different from Pascal!

From the previous lecture..

Pre-conditions

Quotient (a, b: Z) res: N
pre b ≠ 0
post res = (abs a) div (abs b)

Quotient (-6, 2) = 3

From the previous lecture..

Sequences (I)

-- CDs = sequence of Common Divisors
CDs (a, b: N1) res: N1+
post res = [k | k ∈ N1 · a mod k = 0 ∧ b mod k = 0]

Plan of the lecture

From the previous lecture..
Sets
Characters and strings
Type invariants
Records
Miscellaneous

Sets

Basic sets

B - Boolean (true, false)
N1 - positive integers (1, 2, 3, ..)
N - natural numbers (including 0)
Z - integers
Q - rationals
R - reals

x ∈ BasicSet

Basic sets or basic types?

Sets

Finite sets

T-set a finite set of values of type T

N-set a finite set of natural numbers
R-set a finite set of reals
R-set-set a finite set of finite sets of reals

Sets

Set values

{E | B1, B2, ..., Bn · Boolean_condition}

{ } empty set
{0, 2, 4} explicit set value
{2, ..., 5} = {2, 3, 4, 5}
{2n | n ∈ N · n < 3} = {0, 2, 4}
{[a, b] | a ∈ N, b ∈ N · b = a·a ∧ a ≤ 3}

Only finite sets!

Sets

Finite set operators (I)

x ∈ S belongs to
x ∉ S does not belong to
card S cardinality of S
S1 = S2 equals
S1 ≠ S2 does not equal
S1 ⊆ S2 S1 is a subset of S2
S1 ⊂ S2 S1 is a proper subset of S2

Only finite sets!

Sets

Finite set operators (II)

S1 ∪ S2 union
S1 ∩ S2 intersection
S1 \ S2 difference
F S power set of S

Only finite sets!

Sets

A set of decimal digits of a number k

digit = {0, ..., 9}

digits1(k: N) res: digit-set
post res = {k mod 10} ∪ digits1(k div 10)

Does not work!

Sets

A set of decimal digits of a number k

digits2(k: N) res: digit-set
post (k=0 ⇒ res = { }) ∧ (k>0 ⇒ res = {k mod 10} ∪ digits2(k div 10))

What if k=0?

digits3(k: N) res: digit-set
post (k=0 ⇒ res = { 0 }) ∧ (k>0 ⇒ res = digits2(k))
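The three digits specifications above, transcribed into Python as an added example (this is not code from the lecture; the function names follow the slides). Each post-condition becomes a function body, and an independent oracle compares the result with the decimal spelling of k, which is how a reviewer can exercise a specification on concrete inputs. It shows concretely why digits1 does not work (no terminating clause, so digits1(0) calls itself forever) and why digits3 is needed for k = 0.

```python
"""Added example: the digits1 / digits2 / digits3 specifications from the slides,
transcribed into Python so their post-conditions can be exercised on real inputs.
This is not code from the lecture; function names follow the slides."""
from typing import FrozenSet

DIGIT: FrozenSet[int] = frozenset(range(10))  # digit = {0, ..., 9}


def digits1(k: int) -> FrozenSet[int]:
    """Literal transcription of digits1:
         post res = {k mod 10} ∪ digits1(k div 10)
    There is no terminating clause: once k div 10 reaches 0 the call
    digits1(0) recurses on itself forever."""
    return frozenset({k % 10}) | digits1(k // 10)


def digits1_terminates(k: int) -> bool:
    """True if digits1(k) returns, False if Python's recursion limit is hit."""
    try:
        digits1(k)
        return True
    except RecursionError:
        return False


def digits2(k: int) -> FrozenSet[int]:
    """post (k=0 ⇒ res = { }) ∧ (k>0 ⇒ res = {k mod 10} ∪ digits2(k div 10))"""
    if k == 0:
        return frozenset()
    return frozenset({k % 10}) | digits2(k // 10)


def digits3(k: int) -> FrozenSet[int]:
    """post (k=0 ⇒ res = { 0 }) ∧ (k>0 ⇒ res = digits2(k))
    The k = 0 clause is the whole point: digits2(0) is the empty set,
    but the number 0 is written with one digit."""
    if k == 0:
        return frozenset({0})
    return digits2(k)


def post_digits3_holds(k: int) -> bool:
    """Independent oracle for the intended meaning of digits3: the result must be
    a subset of digit and equal to the set of characters in the decimal spelling of k."""
    if k < 0:
        raise ValueError("k must be in N")
    res = digits3(k)
    return res <= DIGIT and res == frozenset(int(c) for c in str(k))


def post_digits2_holds(k: int) -> bool:
    """The same oracle applied to digits2, to expose the k = 0 defect."""
    return digits2(k) == frozenset(int(c) for c in str(k))


if __name__ == "__main__":
    print(sorted(digits3(1205)))                          # [0, 1, 2, 5]
    print(post_digits2_holds(0), post_digits3_holds(0))   # False True
    print(digits1_terminates(7))                          # False
```

The oracle is deliberately written without recursion, so it cannot share a bug with the functions it checks; that independence is what makes running a spec over a range of inputs worthwhile.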

Plan of the lecture

From the previous lecture..
Sets
Characters and strings
Type invariants
Records
Miscellaneous

Characters and strings

char - alphanumeric characters
char* - possibly empty sequence of char
char+ - nonempty sequence of char
'a' - a character literal
"ABBA" - a string of chars (text)

"S. Covey" = ['S', '.', ' ', 'C', 'o', 'v', 'e', 'y']
"S. Covey"(1) = 'S'

Characters and strings

Reversing a string

-- Reversing a string of characters
reverse(t: char*) res: char*
post (t = [ ] ⇒ res = [ ]) ∧
     (t ≠ [ ] ⇒ res = (tl t) ^ [hd t])

reverse("top") = "pot"

Characters and strings

Reversing a string

-- Reversing a string of characters
reverse(t: char*) res: char*
post (t = [ ] ⇒ res = [ ]) ∧
     (t ≠ [ ] ⇒ res = reverse(tl t) ^ [hd t])

reverse("top") = "pot"

Important modification

Characters and strings

Integer to text conversion

d_seq = ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9']

-- Integer to text conversion
i2t(i: N) t: char+
post (i=0 ⇒ t = "0") ∧ (i>0 ⇒ t = i2t1(i))

i2t1(i: N) t: char*
post (i=0 ⇒ t = [ ]) ∧ (i>0 ⇒ t = i2t1(i div 10) ^ [d_seq(i mod 10 + 1)])

Can't be simpler?
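Both reverse slides and the i2t pair, transcribed into Python as an added example (not the lecture's code). A Python str stands in for char*, hd t is t[0], tl t is t[1:], and ^ is +. The first version of reverse is kept exactly as the earlier slide states it, so its defect can be observed; an implementation-free oracle states what "reversed" means and is run against both versions.

```python
"""Added example (not code from the lecture): the two versions of reverse and the
i2t / i2t1 pair transcribed into Python, with Python str standing in for char*.
hd t is t[0], tl t is t[1:], and ^ (sequence concatenation) is +."""


def reverse_v1(t: str) -> str:
    """First slide: post (t = [ ] ⇒ res = [ ]) ∧ (t ≠ [ ] ⇒ res = (tl t) ^ [hd t]).
    Kept as written to show the defect: without the recursive call only the
    head moves to the end, so reverse_v1("top") is "opt", not "pot"."""
    if t == "":
        return ""
    return t[1:] + t[0]


def reverse_v2(t: str) -> str:
    """Corrected slide: res = reverse(tl t) ^ [hd t]."""
    if t == "":
        return ""
    return reverse_v2(t[1:]) + t[0]


def reverse_post_holds(t: str, res: str) -> bool:
    """Implementation-free statement of what 'reversed' means, usable as an oracle
    for either version: same length, and res(k) = t(len t - k + 1) for every k
    (written 0-based here)."""
    n = len(t)
    return len(res) == n and all(res[k] == t[n - 1 - k] for k in range(n))


D_SEQ = "0123456789"  # d_seq = ['0', '1', ..., '9']; VDM indexes it from 1


def i2t1(i: int) -> str:
    """post (i=0 ⇒ t = [ ]) ∧ (i>0 ⇒ t = i2t1(i div 10) ^ [d_seq(i mod 10 + 1)])"""
    if i < 0:
        raise ValueError("i must be in N")
    if i == 0:
        return ""
    return i2t1(i // 10) + D_SEQ[i % 10]  # 0-based index == d_seq(i mod 10 + 1)


def i2t(i: int) -> str:
    """post (i=0 ⇒ t = "0") ∧ (i>0 ⇒ t = i2t1(i)).
    i2t1 alone would map 0 to the empty string, which is not a char+."""
    return "0" if i == 0 else i2t1(i)


if __name__ == "__main__":
    print(reverse_v1("top"), reverse_v2("top"))  # opt pot
    print(repr(i2t1(0)), i2t(0), i2t(1205))      # '' 0 1205
```

Note that reverse_v1 passes the oracle for every string of length 0, 1 or 2 ("ab" becomes "ba" by accident), so a single short test case would not have caught the missing recursive call; the slide's "top" is the shortest input that does.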

Plan of the lecture

From the previous lecture..
Sets
Characters and strings
Type invariants
Records
Miscellaneous

Type invariants

Declaration of invariants

Id = T
inv Pattern ≜ Boolean_condition

Bit = N
inv Bit ≜ 0 ≤ b ∧ b ≤ 1

Bit = {b | b ∈ N · 0 ≤ b ∧ b ≤ 1}

0 ≤ b ∧ b ≤ 1 resembles 0 ≤ b ≤ 1

Type invariants

Defining prime numbers

Prime = N1
inv Prime ≜ ∀i ∈ N1 · (1<i ∧ i<a) ⇒ a mod i ≠ 0

is_prime(a: N1) res: B
post res = ∀i ∈ N1 · (1<i ∧ i<a) ⇒ a mod i ≠ 0

Prime = N1
inv Prime ≜ is_prime(a)

More reusable and readable!

Type invariants

Using prime numbers

-- Checking if every even number between a and b
-- can be represented as a sum of 2 prime numbers
goldbach(a, b: N1) res: B
pre a ≤ b
post res = ∀i ∈ N1 · (a ≤ i ∧ i ≤ b ∧ i mod 2 = 0) ⇒ ∃x, y: Prime · i = x+y

Here the defined type is used.
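The Prime invariant from the previous slides and goldbach from this one, transcribed into Python as an added example (not the lecture's code). A value of type Prime is obtainable only through mk_prime, which enforces the invariant the way a type checker would, and goldbach checks its pre-condition before evaluating the post-condition literally.

```python
"""Added example (not the lecture's code): the Prime type invariant and goldbach
from the slides as Python. A value of type Prime is only obtainable through
mk_prime, which enforces the invariant the way a VDM type checker would."""
from typing import List, Set


def is_prime(a: int) -> bool:
    """post res = ∀i ∈ N1 · (1 < i ∧ i < a) ⇒ a mod i ≠ 0"""
    if a < 1:
        raise ValueError("a must be in N1")
    return all(a % i != 0 for i in range(2, a))


def mk_prime(a: int) -> int:
    """Prime = N1 inv Prime ≜ is_prime(a).
    Constructing a value that violates the invariant is a specification error,
    so it is rejected here rather than silently accepted."""
    if not is_prime(a):
        raise ValueError(f"{a} violates inv Prime")
    return a


def primes_up_to(b: int) -> List[int]:
    """All values of type Prime that are ≤ b, built through the invariant check."""
    return [mk_prime(p) for p in range(1, b + 1) if is_prime(p)]


def goldbach(a: int, b: int) -> bool:
    """pre a ≤ b
       post res = ∀i ∈ N1 · (a ≤ i ∧ i ≤ b ∧ i mod 2 = 0) ⇒ ∃x, y: Prime · i = x + y"""
    if not (1 <= a <= b):
        raise ValueError("pre-condition a ≤ b (a, b ∈ N1) violated")
    primes: Set[int] = set(primes_up_to(b))
    evens = [i for i in range(a, b + 1) if i % 2 == 0]
    # ∃x, y: Prime · i = x + y  is  "some prime x has a prime partner i - x"
    return all(any((i - x) in primes for x in primes) for i in evens)


if __name__ == "__main__":
    print(is_prime(1))          # True: the invariant as written admits 1
    print(goldbach(4, 1000))    # True
```

Running the transcription surfaces one thing the slide does not say out loud: for a = 1 the quantifier ranges over no i at all, so the invariant is vacuously true and 1 is a value of type Prime. Whether that is intended (it makes goldbach(2, 2) true via 2 = 1 + 1) is exactly the kind of question an executable reading of a specification is good at raising.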

Plan of the lecture

From the previous lecture..
Sets
Characters and strings
Type invariants
Records
Miscellaneous

Records

Record definition

Rec :: Field1 : T1
       Field2 : T2
       . . .
       Fieldn : Tn

Worker :: FamilyN : char+
          FirstN : char+
          Hours : N

'FamilyN' stands for 'Family Name'

Records

Field selection

Rec.Field

WorkersFile = Worker*

total_hours(w: WorkersFile) res: N
post (w = [ ] ⇒ res = 0) ∧ (w ≠ [ ] ⇒ res = (hd w).Hours + total_hours(tl w))

Selecting the field 'Hours'.

Plan of the lecture

From the previous lecture..
Sets
Characters and strings
Type invariants
Records
Miscellaneous

Unions

T1 | T2

Enumerated types:

Signal = RED | AMBER | GREEN

Optional types

nil - absence of a value

Optional type:

[T] = T | nil

Optional type operator:

Expression = nil

if next(P) = nil ..

Explicit functions

func_name: T1 × T2 × .. × Tn → T
func_name(Id1, Id2, .., Idn) ≜
  E
pre B

max: _ × _ × _ → _
max (x, y, z) ≜ if (y ≤ x) ∧ (z ≤ x) then x
                 elseif (x ≤ y) ∧ (z ≤ y) then y
                 else z

Polymorphic functions

max [@num]: @num × @num × @num → @num
max (x, y, z) ≜ if (y ≤ x) ∧ (z ≤ x) then x
                 elseif (x ≤ y) ∧ (z ≤ y) then y
                 else z

result = max [ ] (1, 2, 3)
result = max [ ] (1.1, 2.2, 3.3)

State

state Id of
  field_list
inv invariant_definition
init initialisation
end

state maximum of
  max: _
init mk_maximum(m) ≜ m = 0
end

State

Another example

state aircraft of
  speed: _
  height: _
inv mk_aircraft(-, h) ≜ (h ≥ 0.0)
init mk_aircraft(s, h) ≜ (s = 0.0) ∧ (h = 0.0)
end

Implicit operations

Op_name (Id1: T1, .., Idk: Tk) Idr: Tr
ext Access_vars
pre B
post B'

Access_vars: rd or wr prefix

MAX3()
ext rd x, y, z: _
    wr max: _
post (x ≤ max) ∧ (y ≤ max) ∧ (z ≤ max) ∧ (max ∈ {x, y, z})

Implicit operations

Old state: ↼variable

MAX_NUM(n: _)
ext wr max: _
post (n ≤ max) ∧ (max = ↼max ∨ max = n)

Error definitions

PUT_YEAR(year: _)
ext wr yr: _
pre year ≥ 1994
post yr = year
errs yr2dXIX: 94 ≤ year ∧ year ≤ 99 → yr = year + 1900
     yr2dXX: year < 94 → yr = year + 2000
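The state maximum with its implicit operation MAX_NUM (previous two slides) and PUT_YEAR with its error definitions (this slide), transcribed into Python as an added example (not the lecture's code). The old state is captured before the body runs so the post-condition can refer to ↼max, and each errs guard becomes a branch. The class and helper names are this example's own; the operation names follow the slides.

```python
"""Added example (not the lecture's code): the state 'maximum' with the implicit
operation MAX_NUM, and PUT_YEAR with its error definitions, transcribed into
Python. Each operation runs its body and then checks its post-condition, with the
old state captured first so ↼max can be referred to."""
from typing import List


class Maximum:
    """state maximum of max: _  init mk_maximum(m) ≜ m = 0"""

    def __init__(self) -> None:
        self.max = 0  # init: m = 0

    def MAX_NUM(self, n: int) -> int:
        """ext wr max
           post (n ≤ max) ∧ (max = ↼max ∨ max = n)"""
        old_max = self.max              # ↼max: the value before the operation
        if self.max < n:                # explicit body from the later slide
            self.max = n
        # the implicit post-condition, checked against old and new state
        if not (n <= self.max and (self.max == old_max or self.max == n)):
            raise AssertionError("post-condition of MAX_NUM violated")
        return self.max


class YearRegister:
    """Holds yr, the state variable written by PUT_YEAR (class name is this example's)."""

    def __init__(self) -> None:
        self.yr = 0

    def PUT_YEAR(self, year: int) -> int:
        """pre year ≥ 1994  post yr = year
           errs yr2dXIX: 94 ≤ year ∧ year ≤ 99 → yr = year + 1900
                yr2dXX:  year < 94            → yr = year + 2000
           Inputs satisfying neither the pre-condition nor an errs guard
           (100 ≤ year ≤ 1993) are unspecified, so they are rejected explicitly."""
        if year >= 1994:                # normal case
            self.yr = year
        elif 94 <= year <= 99:          # yr2dXIX
            self.yr = year + 1900
        elif year < 94:                 # yr2dXX
            self.yr = year + 2000
        else:
            raise ValueError(f"year={year} is covered by neither pre nor errs")
        return self.yr


def coverage_gaps(lo: int, hi: int) -> List[int]:
    """Inputs in [lo, hi] for which PUT_YEAR's pre-condition and both error guards
    are all false; a non-empty result is a hole in the specification."""
    return [y for y in range(lo, hi + 1)
            if not (y >= 1994 or 94 <= y <= 99 or y < 94)]


if __name__ == "__main__":
    m = Maximum()
    print(m.MAX_NUM(5), m.MAX_NUM(3))                        # 5 5
    r = YearRegister()
    print(r.PUT_YEAR(95), r.PUT_YEAR(7), r.PUT_YEAR(2002))   # 1995 2007 2002
    gaps = coverage_gaps(0, 2100)
    print(gaps[:3], len(gaps))                               # [100, 101, 102] 1894
```

The coverage_gaps helper is the practical payoff of writing errs clauses down formally: the guards can be evaluated over the whole input domain, and here they leave every year from 100 to 1993 unspecified. An implementation that silently accepted those values would be making a decision the specification never took.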

Explicit operations

OPER_NAME: T1 × .. × Tn ⇒ T
OPER_NAME (Id1, Id2, .., Idn) ≜
  Expression
pre B

MAX_NUM: _ ⇒ ()
MAX_NUM (n) ≜ if max < n then max := n
              else skip

Conditionals

if B1 then ES1
elseif B2 then ES2
. . .
elseif Bn then ESn
else ES

cases Es:
  P1 → ES1
  . . .
  Pn → ESn
  others → ES
end

Iteration statements

for Id = E1 to E2 by Inc do St
for Id in Sq do St
for Id in reverse Sq do St
for all Id ∈ E do St
while B do St

Summary

Finite sets.

Character string = sequence.

Type invariants allow one to define quite complicated types (e.g. prime numbers).

Records allow one to specify database-like computations.

Homework

• Specify a function digit5 that returns a sequence of decimal digits of a number k (see functions digits3 and digits2).

• Specify an example of a function that would be an implementation of a JOIN operation in a relational database.

• Specify a polymorphic projection and selection operation.

Further readings

• A. Harry, Formal Methods Fact File, John Wiley & Sons, Chichester, 1996.

Quality assessment

1. What is your general impression? (1 - 6)

2. Was it too slow or too fast?

3. What important things did you learn during the lecture?

4. What to improve and how?