A Specifier’s Introduction to Formal Methods


Tabular Representation
Based on:
Ryszard Janicki, David L. Parnas, and Jeffery Zucker.
Tabular Representations in Relational Documents.
Relational Methods in Computer Science, Springer-Verlag, 1996.
Outline
• Motivation
• Simple tabular notation (raw table)
• Full tabular notation (well-done table)
– Cell connection graph
– Table predicate rule
– Table relation rule
Motivation---Modeling Requirements
• Monitored vs. controlled environmental quantities
– Abstracted to mathematical variables whose values change over time, i.e., time functions.
– Monitored: to be measured by the system (m_i)
– Controlled: to be controlled by the system (c_i)
• Requirements documented with two relations
– NAT: describes the environment
• dom (NAT): set of vectors of time-function m's
• ran (NAT): set of vectors of time-function c's
• (m, c) ∈ NAT iff the environment allows it
– REQ: describes the effect of the system
• dom (REQ): set of vectors of time-function m's
• ran (REQ): set of vectors of time-function c's considered permissible
• (m, c) ∈ REQ iff the system should permit it
Requirements can be documented as mathematical relations or functions!
Motivation
• Describe the following function in Z and OCL
f(x,y) =
  0      if x ≥ 0 ∧ y = 10
  x      if x < 0 ∧ y = 10
  y²     if x ≥ 0 ∧ y > 10
  -y²    if x ≥ 0 ∧ y < 10
  x + y  if x < 0 ∧ y > 10
  x - y  if x < 0 ∧ y < 10
In Z
The function f above, specified in Z:
f: ℤ × ℤ → ℤ
∀ x: ℤ, y: ℤ •
  (x ≥ 0 ∧ y = 10 ⇒ f(x,y) = 0) ∧
  (x < 0 ∧ y = 10 ⇒ f(x,y) = x) ∧
  (x ≥ 0 ∧ y > 10 ⇒ f(x,y) = y²) ∧
  (x ≥ 0 ∧ y < 10 ⇒ f(x,y) = -y²) ∧
  (x < 0 ∧ y > 10 ⇒ f(x,y) = x + y) ∧
  (x < 0 ∧ y < 10 ⇒ f(x,y) = x - y)
In OCL
The same function f, specified as an OCL post-condition:
context Math::f(x: Integer, y: Integer): Integer
pre: true
post: result = if x >= 0 and y = 10 then 0 else
               if x < 0 and y = 10 then x else
               if x >= 0 and y > 10 then y*y else
               if x >= 0 and y < 10 then -y*y else
               if x < 0 and y > 10 then x + y else
               if x < 0 and y < 10 then x - y else 0
               endif endif endif endif endif endif
Not very readable or checkable!
Use a Table?
The same function f as a two-header table (rows split on x, columns on y):

        | y = 10 | y > 10 | y < 10
x ≥ 0   |   0    |   y²   |  -y²
x < 0   |   x    |  x + y |  x - y
Tabular Representation
Elements
• Header: an indexed set of cells, H = {h_i | i ∈ I}, where I = {1, 2, …, k}
• Grid indexed by headers H1, …, Hn, with Hj = {h_ij | i ∈ Ij}, j = 1, …, n: an indexed set of cells G = {g_i | i ∈ I}, where I = I1 × … × In
Raw table skeleton
• A collection of headers plus a grid indexed by this collection
Example with two headers, H1 = {h_i1 | i = 1, 2, 3} and H2 = {h_i2 | i = 1, 2}, and grid G = {g_ij | i = 1, 2, 3 and j = 1, 2}:

        | h12 | h22
h11     | g11 | g12
h21     | g21 | g22
h31     | g31 | g32
Why Tabular Representations of Relations?
• Conventional mathematical descriptions
– Too complex to parse to be really useful
– Lengthy and hard to read and understand
• Digital systems
– Not continuous, unlike the continuous functions that describe analog systems
– Domain and range: tuples of distinct types
Exercise
Using the tabular notation, specify a program that reserves a golf tee time.
• The standard green fee is $65 on weekdays (Monday-Friday) and $80 on weekends (Saturday and Sunday).
• However, an El Paso resident pays a reduced green fee of $45 and $60 on weekdays and weekends, respectively.
• A senior (of age 60+) pays only $40 and $50 on weekdays and weekends, respectively.
• A junior (of age <17) pays only $20 and $30 on weekdays and weekends, respectively.
Sample Solution

                                | weekdays | weekend
age < 17                        |   $20    |   $30
17 ≤ age < 60 and resident      |   $45    |   $60
17 ≤ age < 60 and non-resident  |   $65    |   $80
age ≥ 60                        |   $40    |   $50

Q: Nested tables for resident/non-resident (thanks to Elsa)?
Exercise
• Specify the following function.
g(x,y) =
  x + y  if (x < 0 ∧ y ≥ 0) ∨ (x < y ∧ y < 0)
  x - y  if (0 ≤ x < y ∧ y ≥ 0) ∨ (y ≤ x < 0 ∧ y < 0)
  y - x  if (x ≥ y ∧ y ≥ 0) ∨ (x ≥ 0 ∧ y < 0)
Inverted Table
• A header specifies the output of the function.
Here H2 (the column header) lists the possible outputs of g, H1 (the row header) splits on the sign of y, and the grid G holds the condition on x under which that output applies:

H1 \ H2  |  x + y  |   x - y   |  y - x
y ≥ 0    |  x < 0  | 0 ≤ x < y |  x ≥ y
y < 0    |  x < y  | y ≤ x < 0 |  x ≥ 0
Cell Connection Graph (CCG)
• Characterizes information flow, i.e., where do I start reading the table and where do I get the result?
• A relation interpreted as an acyclic directed graph
– Each arc must either start from or end at the grid G.
[Figure: four example CCGs over headers H1, H2, H3 and grid G; not reproduced.]
But, how are the domain and values of the relation specified determined? E.g., how to combine the cells?
Well-Done Table Skeleton
• Table skeleton with
– Table predicate rule, P_T, specifying the domain
– Table relation rule, R_T, specifying the relation
[Figure: CCG of a normal two-header table, with both H1 and H2 leading into G, annotated H1 ∧ H2; not reproduced.]
P_T(H1, H2) = H1 ∧ H2
R_T(G) = G
Exercise
• Write the P_T and R_T of the following table and explain how to interpret the table.
[Figure: a CCG over headers H1, H2 and grid G, annotated H1 ∧ H2; not reproduced.]
Example
The function f from the motivation slides as a well-done table. H1 (rows) and H2 (columns) are combined by P_T(H1, H2) = H1 ∧ H2, and R_T(G) = G gives the value:

H1 \ H2  | y = 10 | y > 10 | y < 10
x ≥ 0    |   0    |   y²   |  -y²
x < 0    |   x    |  x + y |  x - y
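Added example, not from the slides or the cited paper: the well-done table for f (P_T = H1 ∧ H2, R_T = G) encoded as header predicates plus a grid, with a checker that confirms each header partitions a constructed sample domain; this is the checkability that the "Use a Table?" slide promises and that the nested OCL post-condition lacks. The names header_defects, f_table, f_ocl and the sample DOMAIN are assumptions of this example.

```python
from itertools import product

# H1 indexes the rows and H2 the columns; each header cell is (label, predicate).
H1 = [("x >= 0", lambda x, y: x >= 0),
      ("x < 0",  lambda x, y: x < 0)]
H2 = [("y = 10", lambda x, y: y == 10),
      ("y > 10", lambda x, y: y > 10),
      ("y < 10", lambda x, y: y < 10)]
# Grid G, indexed by (H1 cell, H2 cell), holds the value of f in that cell.
G = {("x >= 0", "y = 10"): lambda x, y: 0,
     ("x >= 0", "y > 10"): lambda x, y: y * y,
     ("x >= 0", "y < 10"): lambda x, y: -y * y,
     ("x < 0",  "y = 10"): lambda x, y: x,
     ("x < 0",  "y > 10"): lambda x, y: x + y,
     ("x < 0",  "y < 10"): lambda x, y: x - y}
# Constructed sample domain: integer pairs straddling the x = 0 and y = 10 boundaries.
DOMAIN = list(product(range(-3, 4), range(7, 14)))

def header_defects(header, domain):
    """Points matched by no cell (incomplete table) or several cells (ambiguous table)."""
    defects = []
    for x, y in domain:
        hits = [label for label, pred in header if pred(x, y)]
        if len(hits) != 1:
            defects.append(((x, y), hits))
    return defects

def f_table(x, y):
    """P_T = H1 ∧ H2 selects one row and one column; R_T = G gives the value."""
    row = [label for label, pred in H1 if pred(x, y)]
    col = [label for label, pred in H2 if pred(x, y)]
    if len(row) != 1 or len(col) != 1:
        raise ValueError(f"no unique cell for {(x, y)}: {row} x {col}")
    return G[(row[0], col[0])](x, y)

def f_ocl(x, y):
    """The nested if/else of the OCL slide; its final 'else 0' silently absorbs any gap."""
    if x >= 0 and y == 10: return 0
    if x < 0 and y == 10: return x
    if x >= 0 and y > 10: return y * y
    if x >= 0 and y < 10: return -y * y
    if x < 0 and y > 10: return x + y
    if x < 0 and y < 10: return x - y
    return 0

def agrees_with_ocl(domain):
    """True when the table and the OCL post-condition agree on every point."""
    return all(f_table(x, y) == f_ocl(x, y) for x, y in domain)
```

Calling header_defects(H2[1:], DOMAIN) shows how dropping the y = 10 column is reported at every y = 10 point, whereas f_ocl with the matching branch removed would just return 0 there.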
Exercise
Using the full tabular notation, specify a program that reserves a golf tee time.
• The standard green fee is $65 on weekdays (Monday-Friday) and $80 on
weekend (Saturday and Sunday).
• However, an El Paso resident pays a reduced green fee of $45 and $60 on
weekdays and weekend, respectively.
• A senior (of age 60+) pays only $40 and $50 on weekdays and weekend,
respectively.
• A junior (of age <17) pays only $20 and $30 on weekdays and weekend,
respectively.
Exercise
1. Using Z and the tabular notation, specify a program that hires an employee for a company. The program takes an employee's name, gender, SSN, job position, and salary, and adds the employee to the company's employee database. It should detect when some of the employee's information is missing or invalid:
– when the gender is not specified
– when the job position is not specified
– when the salary is less than 0
– when there already exists an employee with the same SSN
2. Compare the Z specification and the tabular specification. Is there any significant difference, and if so, which is better and why?
Solution
Assume a state variable emps, an input e and an output r.
ALL_ERR denotes {n_err, s_err, g_err, p_err}.
Four headers, combined by H1 ∧ H2 ∧ H3 ∧ H4 → G:
  H1: e.salary ≤ 0 | e.salary > 0
  H2: e.gender ≠ ∅ | e.gender = ∅
  H3: e.pos ≠ ∅ | e.pos = ∅
  H4: e.ssn ok | e.ssn not ok
Grid cells filled in on the slide (the slide is marked "Incomplete"; the remaining combinations are left blank):
  emps' = emps ∪ {e} ∧ r = ok
  emps' = emps ∧ r ∈ {s_err, g_err}
  emps' = emps ∧ r ∈ {n_err, p_err}
  emps' = emps ∧ r ∈ ALL_ERR
Solution
H1 (columns) and H2 (rows) are combined by H1 ∧ H2 → G. In every cell except the top-left one the state is unchanged, es' = es, and the cell lists the value of r:

H2 \ H1                | salary > 0 ∧ gender ok   | salary > 0 ∧ ¬(gender ok)  | salary ≤ 0 ∧ gender ok   | salary ≤ 0 ∧ ¬(gender ok)
ssn ok ∧ pos ok        | es' = es ∪ {e} ∧ r = ok  | r ∈ {g_err}                | r ∈ {s_err}              | r ∈ {g_err, s_err}
ssn ok ∧ ¬(pos ok)     | r ∈ {p_err}              | r ∈ {p_err, g_err}         | r ∈ {p_err, s_err}       | r ∈ {p_err, g_err, s_err}
¬(ssn ok) ∧ pos ok     | r ∈ {n_err}              | r ∈ {n_err, g_err}         | r ∈ {n_err, s_err}       | r ∈ {n_err, g_err, s_err}
¬(ssn ok) ∧ ¬(pos ok)  | r ∈ {n_err, p_err}       | r ∈ {n_err, p_err, g_err}  | r ∈ {n_err, p_err, s_err} | r ∈ {n_err, p_err, g_err, s_err}