You are on page 1of 9

Part IV The Specification Language Z

86

. .Overview of Z • Z has a formal syntax and semantics • a spec defines a model based on set theory. • a spec consists of a system of simple components (schemes) • special cases and errors treated separately from general case • structure of proofs based on structure of spec Scheme: • name • signature: declaration and types of identifiers • description of relations between notions by logic formulae 87 . . FOL.

Example: Bank Application in Z Bank bal: Account −→ IN ΞBank ∆Bank bal = bal Bank bal : Account −→ IN InitBank Bank ∀ i: Account • bal(i) = 0 ∆Bank = Bank ∧ Bank ˆ 88 .

to? → bal(to?) + amount?} bal(from?)≥amount? 89 . error treatment.State Transformations • Z schemes can also describe state transformations. to?: Account from? = to? bal = bal ⊕ {from? → bal(from?) − amount?. refinements Transfer1 ∆Bank amount?: IN from?.

Error Treatment Ok output!: Message output! = ”OK” SameAccount ΞBank from?. to?: Account output!: Message from? = to? output! = ”same account” Transfer = (Transfer1 ∧ Ok) ∨ SameAccount ∨ Insufficient ˆ analogously: Withdraw = (Withdraw1 ∧ Ok) ∨ Insufficient ˆ Insufficient ΞBank amount?: IN from?: Account output!: Message bal(from?) < amount? output! = ”balance insufficient” 90 .

the proposition follows trivially 2) case Transfer1: bal (from?) = bal(from?) − amount? bal (to?) = bal(to?) + amount? by adding the equations we can finish the proof • the structure of the proof depends on the structure of the spec 91 .Proving System Properties Theorem after transfer: bal’(from?) + bal’(to?) = bal(from?) + bal(to?) Proof (by case distinction). 1) case SameAccount or Insufficient: by ΞBank we get: bal = bal.

.quantity-1 • accountNo(k) = to? amount? ≤ balance(j) balance = balance ⊕ Abs Bank RBank bal = { i: IN | i < quantity • accountNo(i) → balance(i)} {j → balance(j) − amount?. to?: Account from? = to? (∃ k:0. k → balance(k) + amount?} )) accountNo = accountNo quantity = quantity ∧ ∧ (∃ j:0.Example: Refinement Z → Java int quantity = 42.quantity-1 • accountNo(j) = from? ∧ 92 .. int balance[] = new int[quantity]. int accountNo[] = new int[quantity]. RBank quantity: IN accountNo: IN −→ Account balance: IN −→ IN RTransfer1 ∆RBank amount?: IN from?.

quantity−1..quantity -1} RBank RTransfer1 RBank’ Abs Abs Bank Transfer1 Bank’ Proof. bal = bal ⊕ {from? → bal(from?) − amount?... to? → bal(to?) + amount?} = {accountNo(i) → balance(i) | i:0. i=k} ⊕ {accountNo(j) → balance(j) − amount?. i= j.. accountNo(k) → balance(k) + amount?} = {accountNo (i) → balance (i) | i:0.quantity − 1} 93 .Soundness Proof Theorem bal = {accountNo (i) → balance (i) | i:0. to? → bal(to?) + amount?} = {accountNo(i) → balance(i) | i:0.quantity−1} ⊕ {from? → bal(from?) − amount?.

j<quantity && accountNo[j] != to. balance[j] = balance[j] + amount.println("OK"). protected int balance[] = new int[quantity].amount. for(j=0.out.out. i++).out. j++). protected int accountNo[] = new int[quantity]. int to. if (balance[i] < amount) { System. } } 94 . public void transfer(int from. return. int j.} balance[i] = balance[i] . if (from == to) {System. System.Implementation class Bank{ protected int quantity = 42.println("balance insufficient"). i<quantity && accountNo[i] != from. int amount){ int i. return.println("same account").} // quantifier as loop for(i=0.