´ ´

´ ´

Propositions have truth-values.

Variables have types.

Sets have elements.

Schema assert truths. What do ∆ and Ξ mean?

3

Combining schema

This is so easy. Suppose we have schema A, B, B′:

Aa : Za= 42

Ba,b : Za = b +2b< 10

B′B : PZ42 ∈ B

Write AandB = A ∧ B for the schema which asserts A and B!

AandB

a,b : Za= 42 ∧ (a = (b + 2) ∧ b < 10)

4

Combining schema

Of course! A and B establish a universe of discourse and assert someproperties of it. So A and B just combines those universes and thosetruths.

It’s just like in physics class, where we may describe the behaviour of aparticle by a 4-dimensional vector space plus its equations of motion (3dimensions space, 1 dimension time).

If we want to describe the behaviour of two particles, why, we just use a7-dimensional vector space plus the two equations of motion.

5

Combining schema

But why stop at ∧? We have ∨, ⇒, and ⇔. The pattern is always thesame: combine the universes of discourse (that’s the variables declaredin the schema) and the predicates.

Write AimpliesB′ = A ⇒ B′ for

AimpliesB′a : Z, B : PZa= 42 ⇒ (42 ∈ B)

Try AorB = A ∨ B.

The possibilities are endless!!!!!

6

Recall: ClubState

ClubState

badminton : PSTUDENThall : PSTUDENT

hall ⊆ badminton#hall ≤ maxplayers

This says:

7

ClubState

• badminton is a set of students (I’d be guessing: the students thatplay badminton).

• hall is a set of students (the students in the badminton hall, whichhas a capacity of 20?).

• Students in the hall must play badminton (so they’ve obviously got aman on the door checking?).

• ...and you can’t have more people in the hall than its capacity.

8

Recall: AddMember

AddMember

badminton : PSTUDENT, hall : PSTUDENT

hall′ : PSTUDENTbadminton′ : PSTUDENT,newmember? : STUDENT

hall ⊆ badminton #hall ≤ maxplayers

hall′ ⊆ badminton′ #hall′ ≤ maxplayers′newmember? ∈ badmintonbadminton′ = badminton ∪ {newmember?}hall′ = hall

9

Recall: AddMember

Or more succinctly:

AddMember∆ClubStatenewmember? : STUDENT

newmember? ∈ badmintonbadminton′ = badminton ∪ {newmember?}hall′ = hall

10

Parenthetic note: Renaming

What if you want to rename variables in a schema?

S[x/a,y/b,z/c] represents S with a renamed to x — you can guessthe rest.

ClubState

badminton : PSTUDENThall : PSTUDENT

hall ⊆ badminton

FootyClub

football : PSTUDENT

pitch : PSTUDENT

pitch ⊆ football#pitch ≤ maxplayers#hall ≤ maxplayers

11

Recall: AddMember

So we can write

∆ClubStateas

ClubState ∧ ClubState[hall′/hall,badminton′/badminton].

12

Refining AddMember

Remember: hall is just the students in the badminton club in the hall —hall ⊆ badminton hints at that.

There may indeed be other people in the hall. What, you thought thatbadminton is so popular in this school that it can fill an entire sports hall?

This specification has to be at least a little bit realistic.

There are the rowers in the corner on their machines, the hockeyplayers, the rock-climbers, maybe even a bit of ping-pong.

If one of these non-badminton-players sees the empty futility of theirnon-badminton-player ways, they may join the badminton club. Thisepiphany might arrive at any time; while they’re in the hall, or even justwhile they’re outside the hall, perhaps studying Formal Spec.

13

badminton =badminton∪badminton =badminton∪

hall = hall

hall = hall ∪ newMember?

Refining AddMember

LOCATION ::= inside | outsideAddMemberInHall

∆ClubStatenewmember? : STUDENT

where?where?

: LOCATION

= inside

AddMemberOutHall

∆ClubStatenewmember? : STUDENT

where?where?

: LOCATION

= outside

newmember? ∈ badminton′

{newmember?}′

newmember? ∈ badminton#hall < maxPlayers

′

{newmember?}′

14

Refining AddMember

ThenAddMemberAnywhere = AddMemberInHall ∨ AddMemberOutHall.

In effect, AddMemberAnywhere describes a program which checkswhere the member is (inside, ouside) and does the right thingaccordingly.

Isn’t that a bit magic?

This is a case-split. ∨ is a case-split. ∨ on schema is a case-split forschema. ∧ is like a parallel execution.

But they are not. There is no notion of flow of control or execution here.Just specifications.

15

Initial State

What’s the initial state of the badminton club (back in 1934, probably).Maybe something like this:

InitClubStateClubState′

badminton′ = {}hall′ = {}

It’s just convention to use ‘after’ (with prime; with dash) state variables ininitial state.

16

Initial State

The initial state had better satisfy the conditions for ClubState.

That is, hall′ ⊆ badminton′ and #hall′ ≤ maxplayers.

⊆ {} and 0 ≤ maxplayers.So let’s check {}

17

Totalising operations


newmember? ∈ badmintonbadminton′ = badminton ∪ {newmember?}hall′ = hall

Note the precondition newmember? ∈ badminton. AddMemberspecifies a PARTIAL function. If newmember? ∈ badminton thenAddMember is not defined, as a function on club states.

18


Suppose newmember? ∈ badminton and somebody tries addingnewmember?.

Somebody is either stupid, or playing a practical joke ...or perhaps theypurchased lifetime membership 30 years previously and just forgot.Perhaps they are a lecturer and their brain has been blasted by thehowling winds of a thousand data projectors.

How do we make this specification of a partial function, into aspecification of a total function?

19


Recall the no-op:

ΞClubStatebadminton,hall : PSTUDENTbadminton′,hall′ : PSTUDENT

hall ⊆ badminton, #hall ≤ maxplayershall′ ⊆ badminton′, #hall′ ≤ maxplayers′hall′ = hall, badminton′ = badminton

ΞClubState∆ClubStatebadminton′ = badmintonhall′ = hall

20


MESSAGE

IsMember

::= success | isMember

SuccessMessage

outcome!outcome!

: MESSAGE

= SUCCESS

ΞClubStatenewMember? : STUDENToutcome! : MESSAGE

newMember?

∈ badminton

outcome!

= isMember

Totalise:

= (AddMember ∧ SuccessMessage) ∨ IsMember.TotalAddMember

Formal Spec F22HO2, Lecture 5 21


A schema is total when the outcome is specified for all possible inputs.

Programs in C and Java are total; they take an input, give an output.

Specifications of these programs may be partial; we may only specifypartial information.

Go through the previous specs: RemoveMember, EnterHall, LeaveHall,NotInHall. Which of these are total? Totalise the ones that are not.


Hiding

S \ b is the schema obtained by existentially quantifying b in S. Bestexplained by example:

A

a : Za= 42

HideA

∃ a : Z•a = 42

B

a, b : Za = b +2b < 10

HideB

a : Z∃ b : Z•(a = b + 2 ∧b < 10)

\ a,b and so on.Similarly for S


Hiding

Note that ∃ b : Z. • (a = b + 2 ∧ b < 10) means the same thing asa < 12.

So we can equivalently write HideB as:

HideB

a : Za< 12


= badminton∪badminton

Another example of hiding

Define AddWho


newmember? ∈ badmintonbadminton′ = badminton∪

{newmember?}hall′ = hall

= AddMember \ newMember?:

AddWho∆ClubState∃newmember? : STUDENT•(newmember? ∈ badminton ∧

′

{newmember?} ∧hall ′ = hall)

What does AddWho do?


Calculating preconditions

Define SuccessAddMember

AddMember∆ClubState

newmember? : STUDENT

= AddMember ∧ SuccessMessage.

SuccessMessageoutcome! : MESSAGE

outcome! = SUCCESSnewmember? ∈ badmintonbadminton′ = badminton∪

{newmember?}hall′ = hall

What does this specification say? Let’s see ...


Partially expand the definition

SuccessAddMember∆ClubStatenewmember? : STUDENToutcome! : MESSAGE

newmember? ∈ badmintonbadminton′ = badminton ∪ {newmember?}hall′ = halloutcome! = success

That’s a bit better — but not good enough. We want to expand more!


Expand further

SuccessAddMemberClubState

badminton′,hall′ : PSTUDENTnewmember? : STUDENToutcome! : MESSAGE

hall′ ⊆ badminton′#hall′ ≤ maxPlayersnewmember? ∈ badmintonbadminton′ = badminton ∪ {newmember?}hall′ = halloutcome! = success


Calculating preconditions

Recall:

badminton′,hall′

badminton′,hall′

: PSTUDENT are the state after.

: PSTUDENT are the state before.

newMember? is the input.

output! is the output.

That’s just our reading of the meaning of these variables, but it is aconvention; ′ for after, ? for input, ! for output.

Is AddMemberSuccess defined for all possible inputs and input states?


SuccessAddMember \ {badminton′,hall′,output!}pre SuccessAddMember

ClubState


∃ badminton′, hall′ : PSTUDENT; outcome! : MESSAGE•hall′ ⊆ badminton′ ∧ #hall′ ≤ maxPlayers

∧ newmember? ∈ badminton

∧ badminton′ = badminton ∪ {newmember?}∧ hall′ = hall ∧ outcome! = success

Set hall′ = hall and drop outcome!. ∃ outcome! : MESSAGE • outcome! = success is

true and we do not mention outcome! elsewhere.


SuccessAddMember \ {badminton′,hall′,output!}, simplified

pre SuccessAddMemberClubState


∃ badminton′•

∧ newmember? ∈ badminton ′∧ badminton′ = badminton ∪ {newmember?}∧ hall = hall

We drop hall = hall and note that #hall ≤ maxPlayers, which was acondition on hall′, is now something that’s already in ClubState.


SuccessAddMember \ {badminton′,hall′,output!}, simplified more



∃ badminton′•′

∧ badminton′ = badminton ∪ {newmember?}

hall ⊆ badminton by ClubState and⊆ badminton′ isbadminton′ = badminton ∪ {newmember?}, so hall

guaranteed.


SuccessAddMember \ {badminton′,hall′,output!}, simplified evenmore



∃ badminton′•newmember? ∈ badminton∧ badminton′ = badminton ∪ {newmember?}

∃ badminton′ • badminton′ = badminton ∪ {newmember?} is asuseful as a barber shop on the steps of the guillotine; cut it off.


SuccessAddMember \ {badminton′,hall′,output!}, simplified ridicu-lously

pre SuccessAddMemberClubStatenewmember? : STUDENT

newmember? ∈ badminton

There’s your precondition: newmember? ∈ badminton.

∈ badminton.We found a bug!! The program fails if newmember?


pre SuccessAddMember

The operation described by SuccessAddMember is not total.

As a function from club states to club states taking input newmember?,output is not defined if newmember? ∈ badminton.


Fact

Fact. pre distributes over disjunction:

pre (S ∨ T) = pre S ∨ pre T.

So to check if TotalAddMember really is total, it suffices to calculatepre IsMember and see if it is newMember? ∈ badminton.

Let’s do it: let our slogan be expand, hide, simplify.


Expand, hide, simplify: IsMember

IsMemberClubState

badminton′,hall′ : PSTUDENTnewMember? : STUDENToutcome! : MESSAGE

hall′ ⊆ badminton′#hall′ ≤ maxPlayersnewMember? ∈ badmintonoutcome! = isMemberbadminton′ = badmintonhall′ = hall

IsMemberΞClubStatenewMember? : STUDENToutcome! : MESSAGE

newMember? ∈ badmintonoutcome! = isMember



pre IsMemberClubStatenewMember? : STUDENT

∃ badminton′,hall′ : PSTUDENT; outcome! : MESSAGE•hall′ ⊆ badminton′∧ #hall′ ≤ maxPlayers∧ newMember? ∈ badminton∧ outcome! = isMember∧ badminton′ = badminton∧ hall′ = hall




∃ outcome! : MESSAGE•hall ⊆ badminton∧ #hall ≤ maxPlayers∧ newMember? ∈ badminton∧ outcome! = isMember

(Don’t rush this. One step at a time.)




hall ⊆ badminton∧ #hall ≤ maxPlayers∧ newMember? ∈ badminton




newMember? ∈ badminton

That’s it, we’re done. TotalAddMember is total.

pre TotalAddMember

Formal Spec F22HO2, Lecture 5

= pre SuccessAddMember ∨ pre IsMember

= newMember? ∈ badminton ∨ newMember? ∈ badminton

= T

41

´ ´

Documents

Transcript of ´ ´