236368 Emilia Katz, Shahar Dag 1 Formal Specifications for Complex Systems (236368) Tutorial #13 Algebraic Specification and Larch

236368 Emilia Katz, Shahar Dag

1

Formal Specifications for Complex Systems (236368)

Tutorial #13

Algebraic Specification and Larch


2

Today:

• Larch Specification Language

• Initial and Final Algebras

• Larch Interface Language

• Examples


3

General Structure

trait_name : trait //data stucture behavior, properties

includes trait1 rename_list, trait2 rename_list, …

Introduces //operations declaration

operator_list

Asserts //axioms – operations definition

predicate_list

var_type generated by operator_list

var_type partitioned by observer_list

implies additional_claims

implies converts operation_list

implies converts operation_list exempting special_cases


4

Example (includes)trait1 : trait

introduces:__ ↔ __: T, T → bool

asserts∀x:T x↔x

trait2 : traitintroduces:

__ R __: T, T → boolasserts

∀x, y, z:T (x R y ∧ y R z) ⇒ x R z

trait3: traitincludes trait1 ( ≤ for ↔ ), trait2 ( ≤ for R )

What is the meaning of these traits?

trait1: reflexive relationtrait2: transitive relation

trait3: pre-order

What operations are defined for this trait?

≤ instead of ↔ , R


5

Example - Set

Want to be able to:

• Create a new set• Add / remove elements from a set• Check whether an element is in the set• Get the size of the set• Get a union / intersection of two sets


6

Example – Set (cont.)

settrait : traitintroduces

{} : → set_ ∈ _ : E , set → boolinsert : E , set → setdelete : E , set → setsize : set → int_ ∪ _ : set , set → set_ ⋂ _ : set , set → set

// to be continued…

can write “E x set” instead of “E, set” (another notation…)


7

Example – Set (contd.2)

Define operations and connections between them:

• What does a newly created set look like?• What is the effect of adding / removing elements from a

set?• How is the size of a set defined?• What is a union / intersection of two sets?


8


asserts∀ e , e1 : E , s , s1 : S¬( e ∈ {} );e ∈ insert(e1 , s) == e = e1 ⋁ e ∈ s;size( {} ) == 0;size( insert(e , s)) == if e ∈ s then size(s) else size(s) +

1;delete( e , {} ) == {};delete(e, insert(e1, s)) ==

if e=e1 then delete(e, s) else insert(e1, delete(e, s));s ∪ {} == s;s ∪ insert( e , s1 ) == insert( e , s ∪ s1 );s ⋂ {} == {};s ⋂ insert( e , s1 ) ==

if e ∈ s then insert( e , s ⋂ s1 ) else s ⋂ s1;


9


generated by:set generated by {} , insert

partitioned by:set partitioned by ∈

Well-definedness of operations of the trait:

implies converts {} , ∈, insert, delete, size, ∪, ⋂ (all the operations are well-defined, no special cases)


10


delete(5 , insert(7 , insert(5 , {}))) == insert(7 , delete(5 , insert(5 , {}))) ==insert(7 , delete(5 , {})) ==insert(7 , {})

Is the following true?

set implies delete(5 , insert(7 , insert(5 , {}))) = insert(7 , {})

// axiom 2 about delete, the “else” part// axiom 2 about delete, the “then” part// axiom 1 about delete

=> The statement is true!


11


Is the following true?

set implies insert(7 , insert(5 , {})) = insert(5 , insert(7 , {}))

No axioms to help us decide!


12

Initial and Final Algebras

Initial algebra:

insert(7 , insert(5 , {})) insert(5 , insert(7 , {})) since they cannot be proven equal from the axioms of set

Final algebra:

insert(7 , insert(5 , {})) = insert(5 , insert(7 , {})) since they cannot be distinguished by the observers

Larch keeps the decision open for the user of the trait (by the addition of partitioned by)


13

Initial and Final Algebras

Question:What would the following statement mean:- set partitioned by size

Answer:We claim that two sets are equal if they are of the same size.

Is this good?No! it would mean that insert(5 , {}) = insert(7 , {}) which “breaks” the algebra as we can now prove false claims!-5 ∈ insert(5 , {}) -insert(5 , {}) = insert(7 , {})-=> 5 ∈ insert(7 , {}) -=> 5 ∈ {} !


14

Larch Interface Language - LCL

• second layer of a Larch specification

• we will only show some of the main features of LCL

• termination requirement is implicit

• may use any sorts and operations defined in LSL traits

• the mapping of types to sorts (E for set…) is done when introducing the

used traits, by renaming the sorts to the correct types: uses trait (type

for sort, …)

• LCL manipulates objects (variables). They can be:

• mutable: its value can be changed (specified by var)

• immutable: its guaranteed to stay constant.


15

LCL – The general formuses traits with [rename_list]procedure headerrequires Pmodifies Lensures Q

P – the precondition of the I/O assertion• Contains restrictions on the input • Prevents calls with illegal values• Must be fulfilled by the caller

L – the list of changeable objectsQ – the post condition

• Relating final values [primed (‘) version] to initial ones.• Must be established by the procedure

Note – implicit condition: the function must terminate!


16

Exampleuses settrait with [set for set, integer for E]

procedure setinit(var s : set)modifies sensures s’ = {}

procedure setinsert(e : integer; var s : set)requires size( insert( e , s ) ) ≤ 100modifies sensures s’ = insert( e , s )

procedure setrem(e : integer; var s : set; var f : bool)modifies s , fensures s’ = delete( e , s ) ∧ f’ = ( e ∈ s)

function choose(s : set; var e : integer) : boolmodifies e , chooseensures if size( s ) > 0 then ( choose’ ∧ (e’ ∈ s)) else (¬choose’ ∧ (e’ = e))

Use Pascal-like syntax

corresponds to {} of settrait

corresponds to insert; add a restriction: size ≤100

Delete an element; report if it was in the set before

combination of delete and

return an arbitrary element

no corresp. operation


17

setדוגמא ממבחן -

setבהינתן

והפעולות האריתמטיות (כמו שראינו)

וגם סימני היחס (<, <=, <, ...)

יש להגדיר:

maxהאיבר המקסימאלי בקבוצה -

secondהאיבר השני בגודלו -


18

(המשך) setדוגמא ממבחן –

(פיתרון של סטודנט)maxניסיון ראשון לפיתרון

max: S → E max(s) = e . e∈S ∧ ¬∃a∈S . a>e

האם זה הוא פיתרון טוב?

לא(נתעלם מהרישום המקורב בו השתמשנו לדוגמא)

אנחנו רוצים הגדרה אינדוקטיבית בדומה לפעולות האחרות,כדי שנוכל להשתמש בה בהוכחות באינדוקציה ובאקסיומות

== max( insert( e , s ) )אחרות (ולא פיתרון מלוגיקה)if size(s)=0 then eelse if max(s) > e then max(s) else e

implies converts max exempting max( {} )


19

(המשך) setדוגמא ממבחן –

כבר צריך להיות קלsecondעכשיו לפתור את

second: S → E

second( s ) == max( delete( max( s ) , s ) ) (*)

implies converts second exemptingsecond( {} ),∀e∈E second( insert( e , {} ) )

האם השורה המסומנת ב * לא משנה את הקבוצה שלנו ?

לא, אנחנו רק מתארים כאן את הפעולות, שפת הממשק תדאג לקבוצה

מועד א2013שאלה ממבחן –


20

מועד א2013שאלה ממבחן –


21

מופיע באתר תחת מבחנים משנים קודמות פתרון:

Documents

236368 Emilia Katz, Shahar Dag 1 Formal Specifications for Complex Systems (236368) Tutorial #13 Algebraic Specification and Larch