
Z SPECIFICATIONS

Formal Methods
BCS 2213
Semester 2 Session 2015/2016
Schema Calculus

Allows us to structure specifications by building large schemas from smaller ones. This leads to a separation of concerns:
• separating normal operations from error handling
• separating access restrictions from functional behaviour, etc.
Schema calculus

Provides operations for combining schemas, e.g.

S1 ∧ S2

where S1 and S2 are schemas.

Two main operations:

∧ - logical conjunction of the two predicate parts. Any common variables of the two schemas are merged (they must be declared with the same type in both schemas).
∨ - the result is a schema whose predicate part is the disjunction of the predicate parts of its two arguments; the declarations are merged in the same way.
Schema Calculus

Merge the declarations D and combine the predicates P:

S1 ≙ [D1 | P1]
S2 ≙ [D2 | P2]
S1 ∧ S2 ≙ [D1; D2 | P1 ∧ P2]
S1 ∨ S2 ≙ [D1; D2 | P1 ∨ P2]
Example

Error conditions

In BirthdayBook we do not recognise the situation where a user tries to add a birthday that is already known to the system, or tries to find the birthday of someone who is not known. Outside their preconditions the operations are simply unspecified.

Let's handle this by adding an extra output parameter, result!, to each operation.

result! has the free type REPORT:

REPORT ::= ok | already_known | not_known


Further development of BirthdayBook

Free type definition (introduced with ::=):

REPORT ::= ok | already_known | not_known
Using the logical conjunction operator

Let's combine two schemas with the conjunction operator ∧:

AddBirthday ∧ Success

The result is a schema which acts as AddBirthday and additionally produces the output ok (for correct input, i.e. whenever the precondition of AddBirthday holds).
Strengthening AddBirthday

The error schema specifies that if an error occurs (the name is already known) the state of the system does not change, and the output is already_known.

A robust version of AddBirthday, RAddBirthday, is then defined as the disjunction of the successful case (AddBirthday ∧ Success) and this error case. Together the two cases cover every input: either the precondition of AddBirthday holds and the pair is recorded, or it fails and the error schema applies, leaving the state untouched.

Note: in CZT the definition symbol ≙ is written ==.

RAddBirthday

Strengthening FindBirthday and Remind

RFindBirthday and RRemind are built in the same way, with not_known reported when the requested name is not known to the system.
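The robust operation above, as an added executable model written for this page (it is not code from the slides or from CZT). Each schema is read as a Python predicate over a binding, a dict from Z variable name to value, so S1 ∧ S2 and S1 ∨ S2 are just predicate combinators and shared variables are shared because they are the same key. The bodies of Success and of the error schema (named AlreadyKnown here), the Δ/Ξ conventions, and the definition of RAddBirthday as (AddBirthday ∧ Success) ∨ AlreadyKnown are assumptions, since the slides show only the schema names.

```python
"""Executable reading of the Z schema calculus, applied to the BirthdayBook.

A schema is modelled as a predicate over a binding (dict of Z variable -> value);
schema conjunction/disjunction combine predicates, and shared variables are shared
because they are the same dict key. Decorations follow Z: x' is the after-state,
x? an input, x! an output.
"""
from typing import Any, Callable, Dict, List, Tuple

Binding = Dict[str, Any]
Schema = Callable[[Binding], bool]


def conj(s1: Schema, s2: Schema) -> Schema:
    """S1 ∧ S2: declarations merged, predicate parts conjoined."""
    return lambda b: s1(b) and s2(b)


def disj(s1: Schema, s2: Schema) -> Schema:
    """S1 ∨ S2: declarations merged, predicate parts disjoined."""
    return lambda b: s1(b) or s2(b)


# REPORT ::= ok | already_known | not_known
OK, ALREADY_KNOWN, NOT_KNOWN = "ok", "already_known", "not_known"
REPORT = (OK, ALREADY_KNOWN, NOT_KNOWN)


def BirthdayBook(b: Binding) -> bool:
    """State invariant: known = dom birthday."""
    return b["known"] == set(b["birthday"])


def DeltaBirthdayBook(b: Binding) -> bool:
    """ΔBirthdayBook: the invariant holds for the before and for the after state."""
    return BirthdayBook(b) and BirthdayBook({"known": b["known'"], "birthday": b["birthday'"]})


def XiBirthdayBook(b: Binding) -> bool:
    """ΞBirthdayBook: ΔBirthdayBook and the state is unchanged."""
    return DeltaBirthdayBook(b) and b["known'"] == b["known"] and b["birthday'"] == b["birthday"]


def AddBirthday(b: Binding) -> bool:
    """ΔBirthdayBook ∧ name? ∉ known ∧ birthday' = birthday ∪ {name? ↦ date?}."""
    return (DeltaBirthdayBook(b) and b["name?"] not in b["known"]
            and b["birthday'"] == {**b["birthday"], b["name?"]: b["date?"]})


def Success(b: Binding) -> bool:
    """result! = ok.  (Body assumed; the slide shows only the schema name.)"""
    return b["result!"] == OK


def AlreadyKnown(b: Binding) -> bool:
    """ΞBirthdayBook ∧ name? ∈ known ∧ result! = already_known.
    (Name and body assumed; the slide describes this error schema in words only.)"""
    return XiBirthdayBook(b) and b["name?"] in b["known"] and b["result!"] == ALREADY_KNOWN


# RAddBirthday == (AddBirthday ∧ Success) ∨ AlreadyKnown   (assumed definition)
RAddBirthday: Schema = disj(conj(AddBirthday, Success), AlreadyKnown)


def execute(schema: Schema, state: Binding, inputs: Binding) -> List[Tuple[Binding, str]]:
    """Return every (after-state, result!) pair the schema admits.

    A schema constrains rather than computes, so we enumerate a few candidate
    after-states and every REPORT value and keep the combinations that satisfy
    the predicate. The third candidate deliberately breaks the invariant, to
    show that ΔBirthdayBook filters it out.
    """
    name, date = inputs["name?"], inputs["date?"]
    candidates = [
        state,                                                   # unchanged
        {"known": state["known"] | {name},
         "birthday": {**state["birthday"], name: date}},         # pair added
        {"known": state["known"],
         "birthday": {**state["birthday"], name: date}},         # birthday updated, known stale
    ]
    admitted = []
    for after in candidates:
        for r in REPORT:
            b = {**state, **inputs, "known'": after["known"],
                 "birthday'": after["birthday"], "result!": r}
            if schema(b):
                admitted.append((after, r))
    return admitted
```

Running AddBirthday on its own for a new name admits three bindings, one per REPORT value, because nothing in AddBirthday mentions result!; conjoining Success pins it to ok. For a name already in known, RAddBirthday admits exactly one binding: the unchanged state with already_known, which is the "state should not change" requirement made checkable.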
Vocabulary System

Write a Z specification to describe a simple Vocabulary System. The system should be able to:

1. Record pairs of words, where one word is in a native language and the other in a foreign language.
2. Let each word of a pair serve as a translation of the other.

Vocabulary System - Operations

Operations to be provided by the system:
• a pair of words may be added to the vocabulary;
• a pair of words may be deleted from the vocabulary;
• a translation of a native word into the foreign language may be requested;
• a translation of a foreign word into the native language may be requested.

Vocabulary System – Add a Pair

Vocabulary System - Translation

Vocabulary System – the problem of many possible translations

N2F = { (table, la mesa), (table, la table), (table, la lista) }

Native: table
Foreign: la mesa, la table, la lista

Is such a function possible? What would N2F(table) be? A function maps each native word to exactly one foreign word, so with three pairs for table N2F cannot be a function. The native-to-foreign mapping has to be modelled as a relation, and a translation request returns the set of foreign words related to the native word.

Taken in the other direction (foreign to native, pairs reversed), the same data does form a function, since every foreign word here has one native translation:

N2F = { (la mesa, table), (la table, table), (la lista, table) }

Foreign: la mesa, la table, la lista
Native: table

N2F(la mesa) == table
N2F(la table) == table
N2F(la lista) == table
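The two slides above, as an added Python model written for this page (not code from the slides). The vocabulary is a set of (native, foreign) pairs, i.e. a relation; a translation request is the relational image, and the foreign-to-native request is the image under the inverse relation. The operation names add_pair, delete_pair, to_foreign and to_native are assumed, and add_pair_as_function shows what the function-based alternative would do to the slide's three translations of "table".

```python
"""Vocabulary System as a Z relation rather than a function.

N2F is a set of (native, foreign) tuples; translation is the relational image,
and the foreign-to-native direction is the image under the inverse relation.
A function-based representation is shown alongside to make the loss of
translations visible.
"""
from typing import Dict, Set, Tuple

Pair = Tuple[str, str]          # (native word, foreign word)
Vocabulary = Set[Pair]          # N2F : NATIVE <-> FOREIGN


def slide_n2f() -> Vocabulary:
    """The example relation from the slide."""
    return {("table", "la mesa"), ("table", "la table"), ("table", "la lista")}


def is_function(rel: Vocabulary) -> bool:
    """True iff no first component is paired with two different second
    components, i.e. the relation is a (partial) function."""
    firsts = [n for n, _ in rel]
    return len(firsts) == len(set(firsts))


def inverse(rel: Vocabulary) -> Vocabulary:
    """rel~ : swap every pair."""
    return {(f, n) for n, f in rel}


def add_pair(vocab: Vocabulary, native: str, foreign: str) -> Vocabulary:
    """AddPair: vocab' = vocab ∪ {native? ↦ foreign?}. A second translation is kept."""
    return vocab | {(native, foreign)}


def delete_pair(vocab: Vocabulary, native: str, foreign: str) -> Vocabulary:
    """DeletePair: vocab' = vocab \\ {native? ↦ foreign?}. Precondition: the pair is present."""
    if (native, foreign) not in vocab:
        raise KeyError((native, foreign))
    return vocab - {(native, foreign)}


def to_foreign(vocab: Vocabulary, native: str) -> Set[str]:
    """Native -> foreign request: the relational image vocab(| {native?} |)."""
    return {f for n, f in vocab if n == native}


def to_native(vocab: Vocabulary, foreign: str) -> Set[str]:
    """Foreign -> native request: the image under the inverse, vocab~(| {foreign?} |)."""
    return to_foreign(inverse(vocab), foreign)


def add_pair_as_function(vocab: Dict[str, str], native: str, foreign: str) -> Dict[str, str]:
    """What AddPair would have to do if N2F were a function: override,
    N2F ⊕ {native? ↦ foreign?}, silently replacing any translation already
    recorded for native?."""
    return {**vocab, native: foreign}
```

With the slide's data, is_function fails for N2F but holds for its inverse, which is exactly the asymmetry the two slides illustrate; adding the three pairs through add_pair_as_function leaves only the last translation behind.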
From Specification to Designs and Implementation

• Previously we learned how to use Z to specify a problem domain (e.g. BirthdayBook).
• Now let's use Z to design a program.
• Key idea: data refinement
  • describe concrete data structures (vs the abstract data in the specification);
  • derive descriptions of the operations in terms of the concrete data structures.
• Data refinement leads to operation refinement and to the development of algorithms.
From specification to design

Data Refinement is the method of describing the concrete data structures which the program will use to represent the abstract data in the specification, and of deriving descriptions of the operations in terms of those concrete data structures.

Direct Refinement is the method of going directly from the abstract specification to the program in one step.
Implementation of Birthday Book

• Representation in concrete data structures. A possible representation in the C language:

NAME names[10];
DATE dates[10];

Note that the operations below index these arrays from 1 to hwm, so slot 0 is unused and at most 9 records fit before hwm runs past the end of the arrays.
Concrete State Model - BirthdayBook1

• Arrays are mathematically functions: names[i] is read as names(i), a function from array indices to NAMEs.
• hwm (the high-water mark) is the number of records; the entries in use are names(1..hwm) and dates(1..hwm).

What does the invariant say here? It has to rule out the same name appearing twice among names(1..hwm); otherwise the arrays would not represent a function from names to dates, and a lookup would depend on which copy is found first.
Override operation ⊕

names' = names ⊕ {i ↦ v}

It is the same as the assignment

names[i] := v;

The right-hand side of this equation is a function which takes the same value as names everywhere except at the argument i, where it takes the value v.
Operation Refinement, AddBirthday1

• Manipulate the names and dates arrays.

Implementation of AddBirthday1

/* Precondition from AddBirthday1: name is not already in names[1..hwm].
   The arrays are fixed size, so there must also be room: without the
   guard below hwm runs past the end of names[] and dates[]. */
void addBirthday(NAME name, DATE date) {
    if (hwm + 1 >= (int)(sizeof names / sizeof names[0])) return; /* full: refuse */
    hwm++;
    names[hwm] = name;
    dates[hwm] = date;
}
Data refinement of FindBirthday

Example of Direct Refinement

#include <stdlib.h>

/* Precondition from FindBirthday1: name is in names[1..hwm]. The search
   must cover 1..hwm inclusive (a loop with i < hwm skips the last record). */
DATE FindBirthday1(NAME name)
{
    for (int i = 1; i <= hwm; i++)
        if (names[i] == name) return dates[i];
    abort(); /* precondition violated: fail closed rather than fall off the end (undefined behaviour) */
}
Refinement of Remind
Refinement of InitBirthdayBook

Abstraction Relation

• The relation between the abstract state space and the concrete state space, i.e. between BirthdayBook and BirthdayBook1. It states which concrete states represent which abstract states, and it is what a refinement check uses: a concrete operation started in a concrete state linked to an abstract one must end in a concrete state linked to the result of the abstract operation.
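The data refinement of the preceding slides as an added executable model written for this page (Python, not the slides' C code): the abstract state BirthdayBook, the concrete state BirthdayBook1 with two arrays indexed 1..hwm, an abstraction relation Abs linking them, and a simulation check that AddBirthday1 and FindBirthday1 refine AddBirthday and FindBirthday on sample states. The concrete invariant (distinct names in names(1..hwm)), the constant name MAX and the function names are assumptions; the capacity precondition hwm < MAX is the check the slide's addBirthday leaves out.

```python
"""Data refinement of the BirthdayBook: abstract state, concrete state,
abstraction relation, and a simulation check of the operations.

Concrete arrays are indexed 1..hwm with slot 0 unused, like the 1-based C code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MAX = 10   # capacity, matching NAME names[10]; DATE dates[10] (assumed constant name)


@dataclass
class BirthdayBook:
    """Abstract state: known = dom birthday, so only birthday needs storing."""
    birthday: Dict[str, str] = field(default_factory=dict)

    @property
    def known(self) -> Set[str]:
        return set(self.birthday)


@dataclass
class BirthdayBook1:
    """Concrete state: names(i), dates(i) for i in 1..hwm."""
    names: List[Optional[str]] = field(default_factory=lambda: [None] * (MAX + 1))
    dates: List[Optional[str]] = field(default_factory=lambda: [None] * (MAX + 1))
    hwm: int = 0


def invariant1(c: BirthdayBook1) -> bool:
    """Concrete invariant (assumed): 0 <= hwm <= MAX and names(1..hwm) pairwise
    distinct, otherwise the arrays would not encode a function name -> date."""
    used = c.names[1:c.hwm + 1]
    return 0 <= c.hwm <= MAX and len(used) == len(set(used))


def abs_rel(a: BirthdayBook, c: BirthdayBook1) -> bool:
    """Abs: known = { i : 1..hwm • names(i) } ∧ ∀ i : 1..hwm • birthday(names(i)) = dates(i)."""
    idx = range(1, c.hwm + 1)
    return (a.known == {c.names[i] for i in idx}
            and all(a.birthday[c.names[i]] == c.dates[i] for i in idx))


# ---- abstract operations (partial: defined only where the precondition holds) ----
def add_birthday(a: BirthdayBook, name: str, date: str) -> BirthdayBook:
    if name in a.known:
        raise ValueError("AddBirthday precondition: name? ∉ known")
    return BirthdayBook({**a.birthday, name: date})


def find_birthday(a: BirthdayBook, name: str) -> str:
    return a.birthday[name]        # KeyError if name? ∉ known


# ---- concrete operations ----
def add_birthday1(c: BirthdayBook1, name: str, date: str) -> BirthdayBook1:
    """hwm' = hwm + 1; names' = names ⊕ {hwm' ↦ name?}; dates' = dates ⊕ {hwm' ↦ date?}.
    Precondition: name? not in names(1..hwm) and hwm < MAX. The capacity check
    is what the slide's C addBirthday omits."""
    if name in c.names[1:c.hwm + 1] or c.hwm >= MAX:
        raise ValueError("AddBirthday1 precondition violated")
    names, dates = list(c.names), list(c.dates)
    names[c.hwm + 1], dates[c.hwm + 1] = name, date     # the override at index hwm'
    return BirthdayBook1(names, dates, c.hwm + 1)


def find_birthday1(c: BirthdayBook1, name: str) -> str:
    """∃ i : 1..hwm • names(i) = name? ∧ date! = dates(i): scan 1..hwm inclusive."""
    for i in range(1, c.hwm + 1):
        if c.names[i] == name:
            return c.dates[i]
    raise KeyError(name)           # precondition violated: fail closed, never fall off the end


def check_add_refinement(pairs: List[Tuple[BirthdayBook, BirthdayBook1]],
                         name: str, date: str) -> bool:
    """Simulation check for one input: from every Abs-linked (abstract, concrete)
    pair, AddBirthday and AddBirthday1 must lead to states linked by Abs again,
    with the concrete invariant preserved and FindBirthday1 agreeing with FindBirthday."""
    for a, c in pairs:
        if not (abs_rel(a, c) and invariant1(c)):
            raise ValueError("pair is not linked by Abs")
        a2, c2 = add_birthday(a, name, date), add_birthday1(c, name, date)
        if not (invariant1(c2) and abs_rel(a2, c2)
                and find_birthday(a2, name) == find_birthday1(c2, name)):
            return False
    return True
```

The check is a finite simulation over chosen states, not a proof: it catches the two defects visible in the slides' C code (a search stopping at hwm - 1 would make find_birthday1 disagree with find_birthday on the last record, and an unbounded add would write past MAX), but a proof obligation in Z would have to be discharged for all states.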
Features of the Notation

• It is used to verify the specification.
• It is independent of program code.
• It uses a mathematical model of data.
• It allows a specification to be modelled in a way that leads directly to code.
• It represents both static and dynamic aspects of a system.
• It decomposes a specification into small pieces (schemas); schemas describe both the static and the dynamic aspects.
• Data refinement.
• Direct refinement.
• You can ignore details in order to focus on the aspects of the problem you are interested in.
• ISO standard: ISO/IEC 13568:2002.
