Formal methods 4 - Z notation

Formal Methods in
Software
Lecture 4. Z Notation
Vlad Patryshev
SCU
2014
you may need Chrome browser to view these slides

Z Notation, a Specification Language
● Vaguely based on typed version of Zermelo-Fraenkel set theory
● Uses set-theoretic notation for algorithm description
● Software tools exist(ed) that could, arguably, verify algorithms
● Related to computational logic
● Partially replaced these days by Coq and Agda
● ISO standard: ISO/IEC 13568:2002
● WSDL definition uses it
● Lives in an ideal world, not very good for programming with effects
● But is related to Agda

The Logic of Z
● Propositional logic
○ predicates; true/false
○ connectives: a∧b, a∨b,¬a, a⇒b, a⇔b
● Quantifiers
○ ∀x • q
○ ∃x • q
○ ∃1
x • q (“exists unique”)
● Many laws (but nothing unusual)

Z has types and constraints
a:T - a is of type T
q a - a satisfies a constraint (a predicate) q
E.g.
a,b: Human
x: Dog
likes(a,x)
likes(b,x)
loves(x,a)
loves(x,b)
Signature
Predicates (constraints)

Z uses typed sets
● ∅[T] - empty set of elements of type T
● {Peter, Paul, James} - a set of people; elements must be of the same type
● order does not matter; repetitions make no sense
● x∈S - x is an element of S e.g. William ∉ {Jonathan, Jane, Alice, Emma}
● P∪Q - union
● P∩Q - intersection
● PQ - complement ({x∈P|x∉Q})
● P ⊆ Q - P is a subset of Q (P∩Q=P)
● P-
- complement of P, all members of type that do not belong to P (P-
=TP)
E.g. T-
=∅[T] and ∅[T]-
=T
● ∪{A,B,C,...} = A ∪B∪C∪…
● ∩{A,B,C,...} = A∩B∩C∩…

Set Comprehension
{x∈T|P(x)} - a set of all such x that P(x) is true
Properties:
● {x:T |p}∩{x:T |q}={x:T |p ∧q}
● {x:T |p}∪{x:T |q}={x:T |p ∨q}
● {x:T |p}− ={x:T |¬p}
● {x:T |p}⊆{x:T |q} ≡ p⇒q
● {x:T |p}={x:T |q} ≡ p ⇔q
● ∅[T]={x:T |false}
● T={x:T |true}

Cartesian Product
If T and U are types,
T×U is the type of pairs (t,u), where t:T, u:U
If P and Q are sets, P×Q = {p:T; q:U|p∈P∧q∈Q • (p,q)}
(meaning, take ps from P, qs from Q, produce all pairs (p,q))

Powerset
X∈ℙS ≡ X⊆S
E.g.
ℙ∅ = {∅}; ℙ{a} = {∅,{a}}
Finite subsets of S: FS
ℙ1
S = {X∈ℙS | X!=∅}
F
1
S = {X∈FS | X!=∅}

Binary Relations
R⊆P×Q
Notation: given a relation R, pRq means (p,q)∈R
Alternative notation for pairs (p,q): p↦q
E.g. authors = {Bjarne ↦ Cpp, Guido ↦ Python, Martin ↦
Scala}
Set of all relations T ↔ U == ℙ(T × U)
E.g. authors ∈ Humans ↔ Languages

Domain and Range
R ∈ T ↔ U
dom R = {x:T |(∃y:U•(x,y)∈R)} - not a very good idea, actually
ran R = {y:U |(∃x:T•(x,y)∈R)} - an even worse idea
E.g.
dom authors = {Bjarne, Guido, Martin}
ran authors = {Cpp, Python, Scala}

Inverse Relation
Every relation has an inverse
R∼
= {y:U;x:T|(x,y)∈R}
E.g. authors = {Bjarne↦Cpp, Guido↦Python, Martin↦Scala}
authors~
= {Cpp↦Bjarne, Python↦Guido, Scala↦Martin}
Obviously,
● ran(R∼
) = dom R
● dom(R∼
) = ran R
● (R∼
)∼
= R

Functions are Relations
● Partial Function f: A B ≡
∀x:A ∀y1
,y2
:B (x,y1
)∈f∧(x,y2
)∈f⇒y1
=y2
● Total function f: A→B ≡ f is p.f. and
∀x:A ∃y:B (x,y)∈f
● Injection f: A↣B ≡ f is function, and
∀x1
,x2
:A (x1
,y)∈f∧(x2
,y)∈f⇒x1
=x2
● Surjection f: A↠B: f is function, and
∀y:B ∃x:A (x,y)∈f
● Partial injection, partial surjection
● Finite partial function, A B

● Identity id A = {(x,x):T×T|x∈A}
● RTL Composition Q∘R = {(z,x):T×V|∃y:U•(y,x)∈R∧(z,y)∈Q}
● Domain restriction A◁R = {(x,y):T×U|(x,y)∈R∧x∈A}
● Domain anti-restriction A R = {(x,y):T×U|(x,y)∈R∧x∉A}
● Range restriction A▷R = {(x,y):T×U|(x,y)∈R∧y∈A}
● Range anti-restriction A R = {(x,y):T×U|(x,y)∈R∧y∉A}
● Image R(|A|) = {y:U|∃x:T•(x,y)∈R∧x∈A
● Inverse R~
● Iteration iter n R = R∘(iter (n-1) R); iter 0 R = id
● Overriding Q⨁R = (dom R Q) ∪ R
Operations on Relations

Numbers
● ℤ - all integers
● ℕ = {x∈ℤ|x≥0}
● _+_, _-_, _*_, _div_, _mod_, -_
● _≥_, _>_, _≤_, _<_
● max(<nonempty set>), min

Axiomatic Description
● new operator
● new data with constraint
abs : Z → Z
∀n:Z•
n ≤ 0 ⇒ abs n = −n ∧ n ≥ 0 ⇒ abs n = n
n:ℕ
n<10

Iteration etc
● Introduce succ=={0↦1,1↦2,...}; pred==succ~
● succ = ℕ◁(_+1)
● Rn
=R∘R∘...∘R
e.g. succn
= ℕ◁(_+n)
● Number range a..b={n:ℕ|a≤n≤b}
● Cardinality of set S ∈ F T , #S
(For a set to be ‘finite’, it must be in bijection with 1..n for some n.)

Introducing New Types
● Just by naming, [A]
● data type (like enum): Friends ::= Peter|John|James
● recursively, e.g. ℕ ::= zero | succ⟨⟨ℕ⟩⟩

Sequences
seq T =={s:ℕ T |∃n:ℕ • dom s = 1..n}
● ⟨⟩ - empty sequence
● Nonempty sequence seq1
T == seq T {⟨⟩}
● Injective sequence iseq T == {f: seq T| injective f}
● ⟨’a’,’b’,’c’⟩
● concatenation: ⟨’a’,’b’,’c’⟩◠⟨’d’,’e’,’f’⟩
● prefix ⟨’a’,’b’⟩ ⊆ ⟨’a’,’b’,’c’⟩
● head s = s(1); last s = s(#s); tail s; front s
● rev ⟨⟩ = ⟨⟩, rev ⟨x⟩ = ⟨x⟩, rev(s◠t) = rev(t)◠rev(s)

Schemas
Example:
alternatively,
Book≘[author:People;title:seq CHAR; readership: ℙ People;rating:0..10 |
readership = dom rating]
author:People
title: seq CHAR
readership: ℙ People
rating: ↠ 0..10
readership = dom
rating
Book

State Machine: Operational Schema
Operation ≘ [
x1
:S1
;...;xn
:Sn
; // current state
x1
′:S1
;...;xn
′:Sn
; // new state
i1
?:T1
;...;im
?:Tm
; // input
o1
!:U1
;...;op
!:Up
// output
|
Pre(i1
?,...,im
?,x1
,...,xn
); // preconditions
Inv(x1
,...,xn
); // invariants
Inv(x1
′,...,xn
′); // invariants
Op(i1
?,...,im
?,x1
,...,xn
,x1
′ ,...,xn
′ ,o1
!,...,op
!) // step function
]

Example of Operational Schema
AddBirthday ≘ [
known : ℙ NAME;
birthday : NAME DATE
known′ : ℙ NAME;
birthday′ : NAME DATE
name? : NAME;
date? : DATE;
|
name? ∉ known;
known = dom birthday;
known′ = dom birthday′;
birthday′ = birthday ∪ {name? ↦ date?}
]

Δ: Operational Schemas Reuse
StateSpace ≘ [ x1
:S1
;...;xn
:Sn
| Inv(x1
,...,xn
) ]
Operation ≘ [
Δ StateSpace; // encapsulates changing state
i1
?:T1
;...;im
?:Tm
; // input
o1
!:U1
;...;op
!:Up
// output
|
Pre(i1
?,...,im
?,x1
,...,xn
); // preconditions
Op(i1
?,...,im
?,x1
,...,xn
,x1
′ ,...,xn
′ ,o1
!,...,op
!) // step function
]

Example of Δ inclusion
AddBirthday ≘ [
Δ BirthdayBook;
name? : NAME;
date? : DATE;
|
name? ∉ known;
birthday′ = birthday ∪ {name? ↦ date?}
]

Operations that don’t change State
Operation ≘ [
x1
:S1
;...;xn
:Sn
; // current state
x1
′:S1
;...;xn
′:Sn
; // new state
i1
?:T1
;...;im
?:Tm
; // input
o1
!:U1
;...;op
!:Up
// output
|
Pre(i1
?,...,im
?,x1
,...,xn
); // preconditions
Inv(x1
,...,xn
); // invariants
Inv(x1
′,...,xn
′ ); // invariants
(x1
’=x1
∧x2
’=x2
∧...∧xn
’=xn
); // state does not change
Op(i1
?,...,im
?,x1
,...,xn
,x1
′ ,...,xn
′ ,o1
!,...,op
!) // step function
]

Ξ: Operational Schemas Reuse
Greek letter Ξ, pronounced as /ˈzaɪ/ or /ˈksaɪ/
Operation ≘ [
Ξ StateSpace; // encapsulates unchanging state
i1
?:T1
;...;im
?:Tm
; // input
o1
!:U1
;...;op
!:Up
// output
|
Pre(i1
?,...,im
?,x1
,...,xn
); // preconditions
Op(i1
?,...,im
?,x1
,...,xn
,x1
′ ,...,xn
′ ,o1
!,...,op
!) // step function
]

Example of Ξ inclusion
FindBirthday ≘ [
Ξ BirthdayBook;
name? : NAME;
date! : DATE;
|
name? ∈ known;
date! = birthday(name?)
]

And more...
● Can compose schema states
● Can connect schemas (output to input)
● Can include schemas

WSDL
http://www.w3.org/TR/wsdl20/wsdl20-z.html
ServiceComponents ≘ [ ComponentModel1; serviceComps :ℙ Service; endpointComps : ℙ Endpoint;|
serviceComps = { x : Service |service(x)∈components }
endpointComps = { x : Endpoint | endpoint(x)∈components }
]

References
http://images4.wikia.nocookie.net/formalmethods/images/4/4e/Zbook.pdf
ISO/IEC 13568:2002
W3C WSDL standard
Wikipedia

Formal methods 4 - Z notation

Formal methods 4 - Z notation

More Related Content

What's hot (20)

Similar to Formal methods 4 - Z notation (20)

More from Vlad Patryshev (20)

Recently uploaded (20)

Formal methods 4 - Z notation