
Formal Methods in Software Engineering

Formal Methods in Software Engineering. Saima Zareen. Data Refinement. Developing a system specification towards executable code; each refinement step carries design decisions. The B-Method supports the notion of stepwise refinement.



Presentation Transcript


  1. Formal Methods in Software Engineering Saima Zareen

  2. Data Refinement • Developing a system specification towards executable code. • Each refinement step carries the design decisions made at that stage. • The B-Method supports the notion of stepwise refinement, • in which the design of the system implementation is carried out gradually. • The ultimate result is executable code. • AMN (Abstract Machine Notation) specifications describe what a system does, in terms of its initial state and final state. • Executable code, on the other hand, describes how it should behave.

  3. We now describe the AMN constructs which are suitable for describing implementation details. • Sequential composition • It allows one statement to be executed after another. • The instruction to execute the AMN statement S and then the AMN statement T is written as follows • S;T • S is executed first. • If S fails to terminate then so does S;T, and T is never executed.

  4. If the execution of S does terminate, then T is executed from the resulting state. • Any state that T reaches will be the final state of the combination S;T. • If T does not terminate, then nor does the sequential composition. • Examples • x:=x+2; x:=x+4 • y:=x+y; x:=y-x • t:=x; x:=y; y:=t

  5. Weakest Precondition • [S;T]P = [S]([T]P) • This means S must guarantee to reach a state in which [T]P is true. • For example, for x increased twice to achieve x>9 we calculate • [x:=x+2; x:=x+4](x>9) = [x:=x+2](x+4>9) = x+6>9, i.e. x>3

  6. For the sequential statement y:=x+y; x:=y-x to establish y≥5 ∧ x≤3 we calculate • [y:=x+y; x:=y-x](y≥5 ∧ x≤3) = [y:=x+y](y≥5 ∧ y-x≤3) = x+y≥5 ∧ y≤3 • For the sequential statement swapping x and y to establish x>6 ∧ y<4 we calculate • [t:=x; x:=y; y:=t](x>6 ∧ y<4) = y>6 ∧ x<4

  7. We find that the initial values of y and x must meet the conditions x>6 and y<4 respectively.

  8. Local Variables • Once sequences of operations are possible, it is sometimes useful to declare local variables in order to carry out some computation without imposing on the overall state space. • This is achieved with the VAR construct. • VAR t IN S END • S is the AMN statement to be executed. • The variable t is declared to be local, so it is introduced for S to execute and is discarded after S has finished executing.

  9. For example, the swapping statement • VAR t IN t:=x; x:=y; y:=t END • In general a list of local variables can be declared for a statement. • They are simply listed within the VAR clause as follows: • VAR t1, t2, t3, ..., tn IN S END • All of these local variables must be assigned within S before they are used.

  10. Weakest precondition • [VAR t IN S END]P = ∀t . [S]P, where t is not free in P • The postcondition cannot refer to the local variables. • They do not appear in the initial or final state; • they are used purely inside the execution. • For example, for the swapping statement we can evaluate the weakest precondition required for it to establish x=A ∧ y=B: • [VAR t IN t:=x; x:=y; y:=t END](x=A ∧ y=B) = y=A ∧ x=B

  11. [VAR t1, t2, ..., tn IN S END]P = ∀t1, t2, ..., tn . [S]P, where none of the ti is free in P
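The weakest-precondition rules of slides 5 to 11 are mechanical substitutions, so they can be checked by a program. The following is an added example, not part of the presentation or of any B toolkit: it models the AMN subset used here (assignment, S;T and VAR t IN S END) with predicates written as Python expression strings, computes [S]P by substituting through the statements, and evaluates the resulting predicate in a concrete state. The class and function names (Assign, Seq, Var, wp, holds) are this example's own. It enforces the slides' two side conditions on VAR: the postcondition may not mention a local, and a local must be assigned inside S before it is read. Requires Python 3.9 or later for ast.unparse.

```python
"""Weakest preconditions for a tiny AMN subset: assignment, S;T and VAR t IN S END.

[x := E] P is P with E substituted for x, [S;T] P = [S]([T] P), and for
VAR t IN S END the locals must have vanished from [S] P (assigned before use).
Predicates and expressions are Python expression strings (example code).
"""
import ast
import copy
from dataclasses import dataclass
from typing import Tuple, Union


@dataclass(frozen=True)
class Assign:          # x := E
    var: str
    expr: str


@dataclass(frozen=True)
class Seq:             # S ; T
    first: "Stmt"
    second: "Stmt"


@dataclass(frozen=True)
class Var:             # VAR t1, ..., tn IN body END
    locals_: Tuple[str, ...]
    body: "Stmt"


Stmt = Union[Assign, Seq, Var]


def seq(*stmts: Stmt) -> Stmt:
    """Build S1; S2; ...; Sn as a right-nested Seq."""
    if len(stmts) == 1:
        return stmts[0]
    return Seq(stmts[0], seq(*stmts[1:]))


class _Subst(ast.NodeTransformer):
    """Replace every occurrence of one variable name by an expression tree."""

    def __init__(self, var: str, repl: ast.expr):
        self.var, self.repl = var, repl

    def visit_Name(self, node: ast.Name) -> ast.expr:
        return copy.deepcopy(self.repl) if node.id == self.var else node


def substitute(pred: str, var: str, expr: str) -> str:
    """P[E/x]; ast.unparse re-parenthesises so precedence is preserved."""
    tree = ast.parse(pred, mode="eval")
    repl = ast.parse(expr, mode="eval").body
    return ast.unparse(_Subst(var, repl).visit(tree))


def free_names(pred: str) -> set:
    """Variable names occurring in a predicate."""
    return {n.id for n in ast.walk(ast.parse(pred, mode="eval")) if isinstance(n, ast.Name)}


def wp(stmt: Stmt, post: str) -> str:
    """[stmt] post, returned as a predicate string."""
    if isinstance(stmt, Assign):
        return substitute(post, stmt.var, stmt.expr)
    if isinstance(stmt, Seq):
        return wp(stmt.first, wp(stmt.second, post))
    clash = set(stmt.locals_) & free_names(post)
    if clash:
        raise ValueError(f"postcondition must not mention locals {sorted(clash)}")
    inner = wp(stmt.body, post)
    unassigned = set(stmt.locals_) & free_names(inner)
    if unassigned:  # a local survived the substitution: it was read before being assigned
        raise ValueError(f"locals read before assignment: {sorted(unassigned)}")
    return inner


def holds(pred: str, state: dict) -> bool:
    """Evaluate a predicate in a concrete state; no builtins are exposed to it."""
    code = compile(ast.parse(pred, mode="eval"), "<pred>", "eval")
    return bool(eval(code, {"__builtins__": {}}, dict(state)))


# The three statements from the slides
INCREASE_TWICE = seq(Assign("x", "x + 2"), Assign("x", "x + 4"))
MIX = seq(Assign("y", "x + y"), Assign("x", "y - x"))
SWAP = Var(("t",), seq(Assign("t", "x"), Assign("x", "y"), Assign("y", "t")))

if __name__ == "__main__":
    print(wp(INCREASE_TWICE, "x > 9"))        # x + 2 + 4 > 9, i.e. x > 3
    print(wp(MIX, "y >= 5 and x <= 3"))        # x + y >= 5 and x + y - x <= 3, i.e. x + y >= 5 and y <= 3
    print(wp(SWAP, "x > 6 and y < 4"))         # y > 6 and x < 4
    print(wp(SWAP, "x == A and y == B"))       # y == A and x == B
```

The substitution is purely syntactic, so the result is not simplified (x + 2 + 4 > 9 rather than x > 3); holds() lets you confirm the boundary, here x = 3 fails and x = 4 passes. Writing the swap as a plain sequence without VAR would leave t in the precondition, which is exactly the check wp() makes for VAR.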

  12. Data refinement • Users should not need to know anything about the way information is represented and handled within the computer. • The specification gives them particular expectations about how the machine will behave when they interact with it through its operations, providing input and obtaining output. • How the machine is actually implemented is irrelevant to the user.

  13. On the other hand, programmers need to be aware of the capabilities of the computer. • Conventional programming languages do not allow arbitrary mathematical structures such as sets and functions to appear in programs. • The system developer therefore has to make design decisions about the best way to represent the specified information. • Does the user need to know about these decisions? Why, or why not?

  14. Data representation in the B-Method is provided by means of a refinement machine. • It describes the design decisions that have been taken so far with regard to a particular specification. • It describes the way the abstract information is to be represented, by means of a linking invariant which relates the abstract states to the refinement states. • It also describes how the initialisation and the operations work with the new data representation.

  15. A refinement machine has the same operations as the abstract machine, with exactly the same input and output parameters: each operation has the same signature.

  16. A refinement is headed with a REFINEMENT clause giving its name, and it must also state, in a REFINES clause, which machine it refines. • By convention the refinement machine takes the name of the machine it refines with 'R' appended. • For example, a refinement of the machine Team could be declared as follows • REFINEMENT TeamR • REFINES Team

  17. Types of refinement • There are two types of refinement. • Procedural refinement, • in which only the algorithm is refined; • this amounts to changing the algorithm. • Data refinement, • which involves changing the state of a machine: • we choose a new set of variables to model the behaviour, and of course we have to adapt the algorithm as well. • B does not distinguish between procedural and data refinement.

  18. Procedural refinement

  19. There is no state variable involved. • The specification simply asserts the property that the result should satisfy. • It does not give any hint as to how to calculate the result. • The first step of the refinement is an algorithm for computing the result. We will choose a variable yy to satisfy the predicate.

  20. The choice cannot be made in a single step, since the value chosen has to satisfy both conjuncts. • This is made easier by using two variables: • we can suggest an algorithm that starts from arbitrary initial values of yy and zz which satisfy the predicate, and then modifies yy and zz while maintaining that predicate, moving the values of yy and zz closer together until yy+1 = zz.

  21. At that point yy will satisfy the specification.
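Slides 18 to 21 describe the bracketing technique but do not reproduce the predicate being refined. The example below is added here and is not from the presentation; it assumes the predicate is the integer square root, yy*yy ≤ xx < (yy+1)*(yy+1), whose two conjuncts cannot be satisfied by guessing yy directly. The refinement keeps a second variable zz and the weaker predicate yy*yy ≤ xx < zz*zz, moves the two together, and stops when yy+1 = zz, exactly as the slides describe. Function names and the bound used by the checker are this example's own.

```python
"""Procedural refinement of 'choose yy satisfying the predicate' (example code).

Assumed specification (the slides do not show theirs): given xx : NAT, the
result yy must satisfy yy*yy <= xx < (yy+1)*(yy+1).  The abstract operation only
asserts this; the refinement computes it by bracketing with two variables.
"""


def satisfies_spec(xx: int, yy: int) -> bool:
    """The abstract operation's postcondition (assumed, see module docstring)."""
    return yy * yy <= xx < (yy + 1) * (yy + 1)


def isqrt_refined(xx: int) -> int:
    """Deterministic algorithm: keep yy*yy <= xx < zz*zz and close the gap."""
    if xx < 0:
        raise ValueError("precondition: xx : NAT")
    yy, zz = 0, xx + 1                     # arbitrary start that satisfies the predicate
    while yy + 1 != zz:                    # stop when the bracket has width 1
        mm = (yy + zz) // 2                # yy < mm < zz, so the bracket strictly shrinks
        if mm * mm <= xx:
            yy = mm                        # moving yy up keeps yy*yy <= xx
        else:
            zz = mm                        # moving zz down keeps xx < zz*zz
        assert yy * yy <= xx < zz * zz     # the maintained predicate
    return yy                              # yy+1 = zz, so yy satisfies the specification


def check_refinement(limit: int) -> bool:
    """For every xx below limit: the refined result satisfies the abstract spec,
    and the spec admits no other value, so the refinement is the only answer."""
    for xx in range(limit):
        yy = isqrt_refined(xx)
        if not satisfies_spec(xx, yy):
            return False
        if [c for c in range(xx + 2) if satisfies_spec(xx, c)] != [yy]:
            return False
    return True


if __name__ == "__main__":
    print(isqrt_refined(15), isqrt_refined(16))   # 3 4
    print(check_refinement(1000))                 # True
```

The assertion inside the loop is the refinement's proof obligation made executable: every iteration must re-establish the predicate, and the loop variant zz - yy decreases on every iteration, which is what guarantees termination.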

  22. Data refinement • A refinement of UNIQUEID will be presented, in which the change of state is shown. • The refinement of the state of the machine is determined by the operations that need to be supported, as distinct from operations that merely might be supported. • In many cases the operations do not need the full capability of the abstract state, and a concrete state can be chosen that discards some of the abstraction. • Consider the UNIQUEID machine shown in the next slide.

  23. We make the following observations: • The abstract SET IDS can be replaced by the set of natural numbers 1..maxids; we then know identifiers are actually natural numbers. • We do not need to allocate identifiers non-deterministically; we can allocate them sequentially starting from 1. • Since there is no operation by which identifiers can be returned, we can simulate the set of used identifiers very simply: • we only need a natural number variable that records the last allocated identifier. If that variable is lastID, the set of used IDs is implicitly 1..lastID. • Note what this step gives up: the abstract machine's nondeterministic choice is resolved into a predictable sequence. That is a correct refinement only because the specification asks for nothing beyond uniqueness; a property the specification does not state, such as identifiers being hard to guess, is not preserved by refinement and must be written into the abstract machine if it is required.

  24. The INVARIANT not only specifies an invariant on the state of the refining machine; it also expresses the refinement relation between the state of this machine and the state of the refined machine. • The refinement relation shows how the refining machine models the refined machine. • In this case, the set usedIDS is simulated by the set 1..lastID. • The initialisation establishes the invariant. • The operations are now expressed as simple deterministic computations.

  25. Removing irrelevant information • The refinement relation is between machines at different levels of abstraction. • A refinement need only maintain enough information to perform its operations in accordance with the specification. • A refinement may provide some alternative way to maintain the information required to perform its operations correctly. • This clarifies which information the requirements actually need. • Knowledge about how the information is to be used is also required.
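The UNIQUEID refinement of slides 22 to 25 can be exercised directly. The following is an added example and is not the presentation's machine nor code from any B tool: it writes the abstract machine (state usedIDS ⊆ IDS, newID choosing ANY unused identifier) and its refinement (state lastID, sequential allocation) as two Python classes, encodes the linking invariant usedIDS = 1..lastID as a function, and checks, step by step, that every identifier the refinement produces is one the abstract machine's ANY could have chosen and that the invariant holds after initialisation and after each operation. The value of maxids, the class and function names, and the deliberately wrong refinement UniqueIdOffByOne used to show the check failing are all this example's own. As slide 23 notes, the sequential refinement is predictable; the checker accepts it because uniqueness is the only property the abstract machine states.

```python
"""UNIQUEID: abstract machine beside its data refinement, with the linking
invariant and every refined step checked against the abstract ANY (example code)."""
from typing import Set, Type

MAXIDS = 5                                   # the slides' maxids; the value is an assumption
IDS: Set[int] = set(range(1, MAXIDS + 1))    # abstract SET IDS, refined to 1..maxids


class UniqueIdAbstract:
    """State: usedIDS <: IDS.  newID = ANY id WHERE id : IDS - usedIDS THEN ... END."""

    def __init__(self) -> None:
        self.usedIDS: Set[int] = set()       # INITIALISATION usedIDS := {}

    def new_id(self, ident: int) -> int:
        """The caller proposes a resolution of the ANY; the machine admits it
        only if it satisfies the WHERE guard, which is what a refinement must respect."""
        if ident not in IDS - self.usedIDS:
            raise ValueError(f"{ident} is not in IDS - usedIDS")
        self.usedIDS.add(ident)
        return ident


class UniqueIdR:
    """Refinement: state lastID : 0..maxids; usedIDS is simulated by 1..lastID."""

    def __init__(self) -> None:
        self.lastID = 0                      # INITIALISATION lastID := 0

    def new_id(self) -> int:
        if self.lastID >= MAXIDS:            # PRE lastID < maxids
            raise RuntimeError("no identifiers left")
        self.lastID += 1                     # deterministic, sequential allocation
        return self.lastID


class UniqueIdOffByOne(UniqueIdR):
    """A wrong refinement, constructed for the check: returns the id before allocating it."""

    def new_id(self) -> int:
        if self.lastID >= MAXIDS:
            raise RuntimeError("no identifiers left")
        ident = self.lastID                  # 0 on the first call, never a member of IDS
        self.lastID += 1
        return ident


def linking_invariant(abstract: UniqueIdAbstract, refined: UniqueIdR) -> bool:
    """The refinement relation from the INVARIANT clause: usedIDS = 1..lastID."""
    return abstract.usedIDS == set(range(1, refined.lastID + 1))


def check_refinement(refinement: Type[UniqueIdR], steps: int = MAXIDS) -> bool:
    """Drive the refinement, replay each output into the abstract machine, and
    require the linking invariant after initialisation and after every step."""
    abstract, refined = UniqueIdAbstract(), refinement()
    if not linking_invariant(abstract, refined):
        return False
    for _ in range(steps):
        ident = refined.new_id()
        try:
            abstract.new_id(ident)           # would the abstract ANY have allowed this id?
        except ValueError:
            return False
        if not linking_invariant(abstract, refined):
            return False
    return True


if __name__ == "__main__":
    print(check_refinement(UniqueIdR))         # True
    print(check_refinement(UniqueIdOffByOne))  # False
```

The check is a finite simulation rather than a proof, but it mirrors the two obligations a B prover discharges for a refinement: the initialisation establishes the linking invariant, and each operation, started from states related by the invariant, ends in states still related by it while producing an output the abstract operation could have produced.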

  26. Reference link • http://books.google.com.pk/books?id=HcyCN24WCVkC&pg=PR7&lpg=PR7&dq=simple+data+refinement+example+using+B-Method&source=bl&ots=GJNo-QvplU&sig=-cu_fHesFv2HRglvstSf4zHUTg8&hl=en&sa=X&ei=6_2cT835LcyM4gTi4tGpDg&ved=0CEgQ6AEwBQ#v=onepage&q=simple%20data%20refinement%20example%20using%20B-Method&f=false
