Formal Speciﬁcation and Documentation using Z

Slides for Formal Specification and Documentation using Z. Copyright c� 1996,1998 Jonathan Bowen. All rights reserved.A Brief Introduction to Z. (Schemas). Last updated: June 1998

Z Z Z Z Z Z Z Z Z Z

Formal Specification andDocumentation using Z:

A Case Study Approach

A Brief Introduction to Z. (Schemas)

Jonathan Bowen

Department of Computer ScienceUniversity of Reading

Email: [email protected]

URL:http://www.comlab.ox.ac.uk/oucl/users/jonathan.bowen/zbook.html

Z Z Z Z Z Z Z Z Z Z


Schemas

Boxed notation for structuring Z specifications.

Example:

Bookauthor � Peopletitle � seqCHARreadership � P Peoplerating � People ��

readership � domrating

Top half: defines named variables with constraining typeinformation.

Bottom half: constraining predicates.

1


‘Normalized’ schema:

Bookauthor � Peopletitle � P�Z�CHAR�readership � P Peoplerating � P�People�Z�

title � seqCHARrating � People �� readership � domrating

N.B., predicates on separate lines conjoined by default.

Mentally calculating normalized types can helpunderstanding a specification.

2


Schemas normally used for state spaces and operationsin mathematical modelling of systems.

Example:

StateSpacex� � S�x� � S�

...xn � Sn

Inv�x�� xn�

To save space:

StateSpacex� � S�� xn � Sn

Inv�x�� xn�

Horizontal form:

StateSpace d��x� � S�� xn � Sn j Inv�x�� xn�

3


State space: x�� xn are state variables; S�� Sn areexpressions.

ooo N.B.: x�� xn should not occur free in S�� Sn

If they do, they refer to other occurrences of variablesalready in scope.

Inv�x�� xn� is the state invariant.

Note that unlike in an ordered tuple,

Variables in a schema are unordered (cf., ordered tuple).

Variable names are not in scope until the bottom half ofthe schema, where any interdependencies should bedefined.

4


Example specification

‘Birthday Book’ – well known example fromSpivey’s Z Reference Manual.

Basic types (or given sets):

�NAME�DATE

State space:

BirthdayBookknown � PNAMEbirthday � NAME �� DATE

known � dombirthday

State variables: known and birthday

‘Invariant’ property: known � dombirthday(Every known person has a birth date.)

5


Identifier decorations

No decoration: current (before) stateState variable ending with prime (�): next (after) state

Variable ending with a question mark (): inputVariable ending with an exclamation mark (�): output

State change using an operation schema:

Operationx� � S�� xn � Sn

x�

�� S�� x�

n � Sn

i� � T�� im � Tm

o�� U�� op� � Up

Pre�i�� im�x�� xn�

Inv�x�� xn�

Inv�x�

�� x�

n�

Op�i�� im�x�� xn�x�

�� x�

n�o�� op��

6


Inputs: i�, � � � , imOutputs: o��, � � � , op�Precondition: Pre�i�� im�x�� xn�

State change �x�� xn� to �x�

�� x�

n�:

Op�i�� im�x�� xn�x�

�� x�


ooo N.B.: unconstrained before and after states may takeany value (cf. programming languages).Use x�

i � xi to retain the same value.

7


Operation schema:

AddBirthdayknown � PNAMEbirthday � NAME �� DATEknown� � PNAMEbirthday� � NAME �� DATEname � NAMEdate � DATE

name �� knownknown � dombirthdayknown� � dombirthday�

birthday� � birthday�fname �� dateg

The entire state with its invariant is repeated for before(undashed) and after (dashed) states.Fortunately schemas may be ‘included’ in others.

Precondition: name �� known.

Operation part: birthday� � birthday�fname �� dateg

8


Schema inclusion - � conventionStateSpacex� � S�� xn � Sn

Inv�x�� xn�

Operation�StateSpacei�� T�� im� � Tm

o�� U�� op� � Up

Pre�i�� im��x�� xn�

Op�i�� im��x�� xn�x�

�� x�


abbreviates:


x�

�� S�� x�

n � Sn

i�� T�� im� � Tm


Inv�x�� xn�

Inv�x�

�� x�

n�


�� x�


9


Schema inclusion

Widely used structuring technique in Z.

Adds all state components and associated constrainingpredicates in included schema.

ooo Matching names merge and must be type-compatible.

Allows information hiding.

Enables emphasis on important details.

10


� example:

AddBirthday�BirthdayBookname � NAMEdate � DATE

name �� knownbirthday� � birthday�fname �� dateg

abbreviates:

AddBirthdayknown � PNAMEbirthday � NAME �� DATEknown� � PNAMEbirthday� � NAME �� DATEname � NAMEdate � DATE

name �� knownknown � dombirthdayknown� � dombirthday�

birthday� � birthday�fname �� dateg

11


No change of state

E.g., status operations:


x�

�� S�� x�

n � Sn

i� � T�� im � Tm

o�� U�� op� � Up

Pre�i�� im�x�� xn�

Inv�x�� xn�

�x�

�� x� � � � � � x�

n � xn�

Op�i�� im�x�� xn�o�� op��

ooo Strictly, Inv�x�

�� x�

n� is also included, but isredundant.

Output produced, but state unchanged.

12


Status operation example:

FindBirthdayknown � PNAMEbirthday � NAME �� DATEknown� � PNAMEbirthday� � NAME �� DATEname � NAMEdate� � DATE

name � knownknown � dombirthdayknown� � knownbirthday� � birthdaydate� � birthday�name�

Precondition: name � knownOperation part: date� � birthday�name�

13


�-inclusionStateSpacex� � S�� xn � Sn

Inv�x�� xn�

Operation�StateSpacei�� T�� im� � Tm

o�� U�� op� � Up



�� x�


abbreviates:


x�

�� S�� x�

n � Sn

i�� T�� im� � Tm

o�� U�� op� � Up


Inv�x�� xn�

�x�

� x� � � � � � x�

n xn�


�� x�


14


example:

FindBirthday�BirthdayBookname� � NAMEdate� � DATE

name� � known

date� birthday�name��

abbreviates:

FindBirthdayknown � PNAMEbirthday � NAME �� DATEknown� � PNAMEbirthday� � NAME �� DATEname� � NAMEdate� � DATE

name� � knownknown dombirthdayknown� knownbirthday� birthdaydate� birthday�name��

15


Schema operators

Matching logical connectives: � , �, �, and Quantification: �, � and �

�

The schemas are first normalized.ooo Especially important for negation to negate hiddenconstaints in the signature.

ooo For binary connectives, there must be no conflictingdeclarations.

Schemas as types

E.g., state � StateSpaceComponent selection: state�x� returns component x�, etc.

16


Schema tuples

Cf., ordered tuple.ooo But components are named and unordered.

Notation: �StateSpaceAll named schema components x�� xn are included.

convention may be defined as follows:

StateSpace d��StateSpace j �StateSpace� � �StateSpace

17


Components may be hidden(i.e., existentially quantified).

Schema hiding: StateSpace n �x��x�� is the same as�x� � S�� x� � S� StateSpace

Components may be projected.

Schema projection: If ProjectSpace d� �x� � S�� x� � S� thenStateSpace � ProjectSpace hides all components inStateSpace except x� and x�.

Components may be renamed.

Schema renaming: StateSpace�y��x��y��x� returns anew schema with x� component replaced by y� and x�replaced by y�. Helps in avoiding name clashes.

Precondition of a schema: pre Operation existentiallyquantifies all after state and output components. I.e.,

�x�

�� S�� x�

n � Sn� o�� T�� op� � Tp Operation

18


Sequential composition (‘o�’)

Operationx� � S�� xp � Sp

z� � U�� zn � Un

z�

�� U�� z�

n � Un

Op�x�� xp�z�� zn�z�

�� z�

n�

Operation�y� � T�� yq � Tq

z� � U�� zn � Un

z�

�� U�� z�

n � Un

Op��y�� yq�z�� zn�z�

�� z�

n�

Operation o�Operation�

x� � S�� xp � Sp

y� � T�� yq � Tq

z� � U�� zn � Un

z�

�� U�� z�

n � Un

�z��

�� U�� z��

n � Un �

Op�x�� xp�z�� zn�z��

�� z��

n� �

Op��y�� yq�z��

�� z��

n�z�

�� z�

n�

19


AddThenFindBirthdayknown � PNAMEbirthday � NAME �� DATEknown� � PNAMEbirthday� � NAME �� DATEname� � NAMEdate� � DATEdate� � DATE

�known�� PNAME�birthday�� NAME �� DATE �

known dombirthday �known�� dombirthday��

name� �� known �birthday�� birthday�fname� �� date�g �known�� dombirthday��

known� known��

birthday� birthday��

name� � known��

date� birthday��name��

Also a similar schema piping operator matching outputs of 1stschema with inputs of 2nd.

20


Properties

AddThenFindBirthday � date� � date

If proved, provides an extra level of confidence.

Confirms intuitions (or otherwise!).

Finds errors earlier.

ooo No standard way to write theorems in Z.

A convention: � p where p is a predicate.

Alternatively: d � p where d represents universallyquantified declarations.

21


Conclusion

Extensive standard mathematical ‘toolkit’: set-theoreticdefinitions(See Spivey’s Z Reference Manual and Z Standard)

Further toolkit libraries possible(e.g., for real numbers)

ooo Z is based on first order logic.Common mistake: attempt to form relations and functionson predicates.No predefined Boolean type in Z; normally unnecessary.Binary valued type possible, but often better avoided.

Z type-checker – recommended for discovery of manyerrors.

Z has evolved. Lack of tools helped this!

De facto standard:Spivey’s Z Notation: A Reference ManualDevelopment of an ISO international standard.

22

Documents

Formal Speciﬁcation and Documentation using Z