Formal Specifications for
Complex Systems (236368)
Tutorial #5
I/O specifications; Hoare Logic; OCL
1
I/O Assertions
Content
• What are I/O Assertions?
• What do I/O Assertions mean?
• Annotated programs.
• Using “logical” and “auxiliary” variables.
• Examples.
Assertion – ‫טענה‬
‫יכולה להיות נכונה או‬
‫שגויה‬
236368 Emilia Katz, Shahar Dag
2
What are I/O Assertions
•
Some notations are used:
(1) x=0, and x’=x+1 for some program S
(2) {x0  0}S{x  x0  1}
(3) {x  X }S{x  X  1}
‫זוהי לוגיקה ולכן מדובר‬
‫בשוויון ולא בהצבה‬
•
The last 2 examples are called “Hoare assertion”.
•
In flowcharts the assertions are added after the “START” and before the “END”
statements.
‫ נלמד במבוא לאימות‬Hoare
‫ לא נעסוק‬,‫תוכנה (לא לדאוג‬
)‫באימות‬
‫יתרון מודולאריות‬
<p>S<q> ‫< שקול ל‬p>S1;S2<q> ‫< שקול ל‬p>S1<p1>S2<q>
S2 ‫מתבצע‬
‫שלאחריו‬
S1 ‫הוא‬
S ‫כאשר‬
236368
Emilia Katz,
Shahar
Dag
3
What do I/O assertions mean
•
Initial assertions are assumptions made by the program, to be satisfied by the
environment.
•
Final assertions are requirements to be satisfied by the program, if and when
it terminates.
•
Every terminating computation that satisfies the initial assertion when it starts,
must satisfy the final assertion if it terminates.
•
Non-terminating computations and computations not satisfying the initial
assertion, satisfy the I/O specification “vacuously”.
•
This is called partial correctness and it is a kind of safety property.
Partial correctness is safety since it
guaranties that if something happens
(the program ends) then the condition is
true. 236368 Emilia Katz, Shahar Dag
4
Expressing properties with I/O
assertions
•
We restrict ourselves to first-order logic and common mathematical notation.
•
Sometimes certain (well known / standard) predicates can be left undefined ( for
example integer(x) ).
do we mean the
Look at the following specification (4)
mathematical un-bounded
version or the bounded
version of a computer
{x  X  integer( x)}
program?
S
{x  X  integer( y / x)  j. integer( j / x)  y  j}
•
•
What does it specify?
•
Which programs satisfy this specification?
•
It seems that we can express a requirement which can't be implemented.
•
What if we replace integer() with some bounded representation?
236368 Emilia Katz, Shahar Dag
5
‫דוגמאות – דוגמא מספר ‪1‬‬
‫מה הוא אוסף התוכניות שמקימות את המפרט‪:‬‬
‫} ‪{ true } S { false‬‬
‫‪6‬‬
‫‪236368 Emilia Katz, Shahar Dag‬‬
Annotated programs
•
Sometimes a program skeleton is provided, with assertions between
statements.
•
Each assertion, called a local invariant and it is supposed to hold
whenever the program’s control is at this location.
•
The assertions immediately before and after a statement (usually a placeholder for un-implemented code) are its I/O specification.
•
The implementation can be shown to satisfy the original specification by
using a proof method for correctness based on axioms and proof rules. (but
in this course we are not going to prove correctness)
For example
Is an instance of the axiom
{ y  1  8}x : y  1;{x  8}
x
{ p e }x : e;{ p}
the meaning of ‘;’
{P}S1{Q},{Q}S 2 {R}
And an example of a proof rule
{PDag
}S1 ; S 2 {R}
236368 Emilia Katz, Shahar
7
Using logical variables
•
Variables that appear only in the assertions are called “logical variables” (also
called “rigid variables” or “specification variables”).
(Sometimes in order to specify a property, we need variables not present in the
program.)
•
Their value doesn’t change during the execution of the program. A logical value
just represents some value, and can be quantified (with  or )
•
We saw logical variables in:
Logical variables appear
only in the assertions
We do not assign values
to logical variables
236368 Emilia Katz, Shahar Dag
8
Using auxiliary variables
•
We may add to a program “auxiliary variables” (new variables) and
statements that assign them values, to support the specification.
•
For example: we might add a Boolean variable flag (initialized to false) to
remember that a certain event has occurred, together with an assignment
flag := true at the point where the event occurs.
•
Auxiliary variables get their values only in the added assignment
statements, which don’t affect the original system variables.
•
The only references to auxiliary variables must be in the added assignment
and in assertions within the annotation of the program.
236368 Emilia Katz, Shahar Dag
9
‫דוגמאות – דוגמא מספר ‪2‬‬
‫יש לתת מפרט שיביע מניעה הדדית בין שני קטעים קריטיים (‪ )cs1, cs2‬בתוכנית המקבילית‬
‫הבאה (רמז‪ :‬העזר ב ‪)auxiliary variables‬‬
‫‪P1‬‬
‫‪P2‬‬
‫‪CS2‬‬
‫‪CS1‬‬
‫‪P :: P1 || P2‬‬
‫‪10‬‬
‫‪236368 Emilia Katz, Shahar Dag‬‬
‫דוגמאות – דוגמא מספר ‪3‬‬
‫תן מפרט קלט‪/‬פלט לפרוצדורה ‪ P‬המקבלת מספר טבעי ‪ n‬ומחזירה מספר טבעי ‪ m‬ומערך ]‪a[1..m‬‬
‫המכיל את כל המספרים הראשוניים שאינם גדולים מ ‪( n‬אבל לא מכיל אף מספר אחר)‪.‬‬
‫כל מספר יופיע במערך בדיוק פעם אחת‪.‬‬
‫‪11‬‬
‫‪236368 Emilia Katz, Shahar Dag‬‬
OCL
• Added to UML class diagrams or state-charts
• Example system specification:
LoyaltyProgram system
• Given: UML class diagram (see additional file)
236368 Emilia Katz, Shahar Dag
12
OCL – operations on collections
• This is the unusual part of notation
• Collections: Bag, Set, Sequence
Set
AsSet
AsSequence
Example:
AsSet
AsBag
Bag
Sequence
Bag{1,1,2,5}.AsSet() =
AsSequence
AsBag
236368 Emilia Katz, Shahar Dag
13
Operations on Collections - examples
• Set{account1,account2,account3,account4}.select(balance>100)
– Meaning:
• Set{1,2,3,4,5}.includes(6) =
• Set{1,2,3,4,5}.including(6) =
• Excludes, excluding – symmetric operations
• Set{{1,2},{2,3},{5,6}}.collect =
236368 Emilia Katz, Shahar Dag
14
OCL => Natural Language (1)
1. context Customer
inv title = (if isMale = true then ‘Mr.’
else ‘Ms.’ Endif)
Translation:
2. context LoyaltyProgram
inv serviceLevel-> includesAll(membership.actualLevel)
Translation:
236368 Emilia Katz, Shahar Dag
15
OCL => Natural Language (2)
3. context LoyaltyAccount
inv points>0 implies transaction->exists(points>0)
Translation:
4. context ProgramPartner
inv self.deliveredServices.transactions->
select(oclType=Burning)->collect(points)->sum
<=
self.deliveredServices.transactions->
select(oclType=Earning)->collect(points)->sum
Translation:
236368 Emilia Katz, Shahar Dag
16
Natural Language => OCL(1)
1. Customers must have a minimum age of 18 years
2. The CustomerCard’s “valid from” date must be earlier then the
“valid to” date
236368 Emilia Katz, Shahar Dag
17
Natural Language => OCL(2)
3. The printed name on the customer card must be a title
followed by the registered name of the customer
4. The number of service levels is exactly 2
236368 Emilia Katz, Shahar Dag
18
Pre- and Post-Conditions in OCL
1. For isEmpty() operation of LoyaltyAccount
(returns true iff there are no points in the account)
2. The Burn(integer i) operation of LoyaltyAccount
236368 Emilia Katz, Shahar Dag
19
Built-in OCL Types
• OclType
– Customer.name() =
– Customer.attributes() =
• OclAny
Example - s:Set
– s.oclType() =
– s.oclIsKindOf(Collection) =
– s.oclIsTypeOf(Collection) =
236368 Emilia Katz, Shahar Dag
20