(State) Model-Based Approaches I Software Specification Lecture 35

(State) Model-Based Approaches I Software SpecificationLecture 35 Prepared by Stephen M. Thebaut, Ph.D. University of Florida

Overview • Algebraic specification involves specifying object operations in terms of their inter-relationships. • This can be cumbersome when operations depend on object state (i.e., previous operations). Consider axiom 6 of the ARRAY specification. • (State) Model-Based specification exposes system state and defines operations in terms of changes to that state.

Model-Based Approaches/Languages • Specification via Pre- and Post-Conditions: Predicates are defined over a program’s state variables to reflect its intended functional behavior. • Specification using “Z” (pronounced “Zed”): A mature notation for defining constraints and operations on state variables that incorporates informal descriptions and graphical highlighting.

Pre-and Post-Conditions • The functional requirements of a program may be specified by providing: • an explicit predicate on its state before execution (a pre-condition), and • an explicit predicate on its state after execution (a post-condition). • This serves to highlight the distinction between assumptions that an implementer is allowed to make, and obligations that must be met.

Pre-and Post-Conditions (cont’d) • The language of pre- and post-conditions is the predicate calculus. • Predicates denote properties of program variables or relations between them.

What is the Predicate Calculus?(A Brief Tutorial) • Propositions and Propositional Logic • Truth Tables • Equivalence • Predicates • The Predicate Calculus

Propositions • A proposition, P, is a statement of some alleged fact which must be either true or false, and not both. • Which of the following are propositions? • elephants are mammals • France is in Asia • go away • 5>4 • X>5

Propositional Logic • Propositional Logic is a formal language that allows us to reason about propositions. • The alphabet of this language is: { P, Q, R, ..., Λ, V, , , ¬ } • P, Q, R,... denote the truth values of simple propositions. • The other symbols, usually referred to as connectives, provide ways in which compound propositions can be built from simpler ones.

Truth Tables • Truth tables provide a concise way of giving the meaning of compound forms in a tabular form. Example 1: Complete the truth table below to show all possible interpretations for the following sentences: AB, AB, and ¬AVB.

Truth Tables (cont’d) AB¬AAB¬AVB T T T F F T F F F T T F F F T T T T T T

Equivalence • Two sentences are said to be equivalent if and only if their truth values are the same under every interpretation. • If A is equivalent to B, we write A ≡ B using the metasymbol ≡. Example 2: Use the truth table of Exercise 1 to show: (A  B) ≡ (¬A V B)

Truth Tables (cont’d) AB¬AAB¬AVB T T T F F T F F F T T F F F T T T T T T

Equivalence (cont’d) • Many users of logic slip into the habit of using  and ≡ interchangeably. • However, A  B is written in the full knowledge that it may denote either True or False in some interpretation. • Whereas A ≡ B is an expression of a “fact” – i.e., the writer thinks it is true.

Predicates • Predicates are expressions containing one or more free variables (place holders) that can be filled by suitable objects to create propositions. • For example, instantiating the value 2 for X in the predicate X>5 results in the (false) proposition 2>5. • Note that a predicate itself has no truth value; it expresses a property or relation using variables.

Predicates (cont’d) • There are TWO ways in which predicates can give rise to propositions: (1) As illustrated above, their free variables may beinstantiatedwith the names of specific objects, and (2) Theymay bequantified. Quantification introduces two additional symbols: and.

Predicates (cont’d) • andare used to represent universaland existential quantification, respectively. x  duck(x) represents the proposition “every object is a duck.” x  duck(x) represents the proposition “there is at least one duck.”

Predicates (cont’d) • For a predicate with two free variables, quantifying over one of them yields another predicate with one free variable, as in x  Q(x,y) or x  Q(x,y)

Predicates (cont’d) • Where appropriate, a domain of interest may be specified which contains the objects for which the quantifier applies. • For example, i {1,2,...,N}  A[i]>0 represents the predicate “the first N elements of array A are all greater than 0.”

Predicate Calculus • The addition of a deductive apparatus gives us a formal system permitting proofs and derivations which we will refer to as the predicate calculus. • The system is based on providing rules of inference for introducing and removing each of the five connective symbols plus the two quantifiers.

Predicate Calculus (cont’d) • A rule of inference is expressed in the form: A1, A2 , ..., An _______________ C and is interpreted to mean: (A1 Λ A2 Λ... Λ An )  C

Examples of Deductive Rules ¬ ¬A ________ A A, A B __________ B A Λ B ________ A A _______ AVB

Examples of Deductive Rules (cont’d) A  B __________ A  B A  B, B  A _______________ A  B x  P(x) ___________________ P(1), P(2), …, P(n)

Specification Via Pre- and Post-Conditions • Pre-condition: expresses properties of / relationships among program variables before program execution. An implementer may assume these will hold. • Post-condition: expresses obligatory properties of / relationships among program variables afterprogram execution. An implementer must make it so.

Exercise 3 For each of the following, give appropriate pre- and post-conditions for the function described. • Set variable MAX to the maximum value of two integers, A and B. • Set variable MIN to the minimum value in the unsorted, non-empty array A[1:N]. • Set variable SUM to the sum of the elements in array A[1:N].

Exercise 3 (cont’d) • Given three arrays A[1:N], B[1:N], and C[1:N], set each element of A equal to the sum of the corresponding elements of B and C. • Set variable NPRIME to true if N is prime and to false otherwise. • Set variable Y to the greatest common divisor of integers A and B.

Exercise 3 (cont’d) • Set variable R to the remainder of dividing A by D. • Set variable I to the index of the first instance of Y in the array A[1:N]. • Perform integer subtraction using the arithmetic primitive "subtract 1" and a while loop. Let M be the minuend, S be the subtrahend, and D be the difference. Assume that the subtrahend is nonnegative.

Sample Solutions • Set variable MAX to the maximum value of two integers, A and B. pre-condition: post-condition: (What can the implementer assume will be true before execution?) (What must the implementer make true after execution?)

Sample Solutions • Set variable MAX to the maximum value of two integers, A and B. pre-condition: post-condition: { [(MAX=A Λ AB) V (MAX=B & B  A)] Λ A=A’ Λ B=B’ } (Note that A’ denotes the initial value of variable A.) { true } {MAX=A V MAX=B}

Sample Solutions (cont’d) • Set variable MIN to the minimum value in the unsorted, non-empty array A[1:N]. pre-condition: post-condition: What does “unsorted” mean? { N>0 } { j {1,2,...,N}  MIN  A[j] Λx {1,2,...,N}  A[i]=MIN Λ A=A’ }

(State) Model-Based Approaches I Software SpecificationLecture 35 Prepared by Stephen M. Thebaut, Ph.D. University of Florida

(State) Model-Based Approaches I Software Specification Lecture 35

(State) Model-Based Approaches I Software Specification Lecture 35

Presentation Transcript

State

State of the State

State-to-State benchmarking

State of Our State

State and Nation-state

Slavery State by State

State of the State

State of the State

State space Initial state

State of the State

State

State Name: State Nickname

State of the State

Sunflower State, Jayhawk State

State

State of the State

State of the State

State

State To State Movers

State to State Move