© F

achg

ebie

t S

oftw

aret

echn

ik,

Hei

nz N

ixdo

rf I

nstit

ut,

Uni

vers

ität

Pad

erbo

rn

2.4 The Z Notation

[Reference: M. Spivey: The Z Notation, Prentice Hall]

© F

achg

ebie

t S

oftw

aret

echn

ik,

Hei

nz N

ixdo

rf I

nstit

ut,

Uni

vers

ität

Pad

erbo

rn

2

Formal Languages

A language is formal if its syntax and semantics are formally defined (mathematically)

(e.g. Petri Nets, Finite Automata, Predicate Logic)

Formal languages allow for the design, the development, the verification, the testing and the maintenance of a system: remove ambiguities and introduce precision, structure information at an appropriate abstraction level. support the verification of design properties, are supported by tools and systems.

Using mathematics (and formal methods) may appear to be expensive, but in the long run it pays off (and how!).

14.11.2011The Z Notation

© F

achg

ebie

t S

oftw

aret

echn

ik,

Hei

nz N

ixdo

rf I

nstit

ut,

Uni

vers

ität

Pad

erbo

rn

3The Z Notation

Properties of Z

Is a very expressive formal language.

Based on first-order logic with equality and typed set-theory.

Has a mathematical toolkit: a library of mathematical definitions and abstract data-types (sets, lists, bags, …).

Supports the structured modeling of a system, both static and dynamic: modeling/specification of data of the system, functional description of the system (state transitions).

Is supported by several tools and systems.14.11.2011

© F

achg

ebie

t S

oftw

aret

echn

ik,

Hei

nz N

ixdo

rf I

nstit

ut,

Uni

vers

ität

Pad

erbo

rn

4The Z Notation

Z and other Formal Languages/Methods A number of successfully employed Formal Methods are

based on first order logic with type-theory, e.g. VDM („Vienna Development Method“, 80‘s), B (applied extensively in France)

Other formal languages: Equational logic or Horn logic (in algebraic specifications), Higher-order logic (HOL).

Z: Applied successfully since 1989 (Oxford University Computing

Laboratory), e.g. British government requires Z-specifications for security-critical systems.

Is an ISO standard.

14.11.2011

© F

achg

ebie

t S

oftw

aret

echn

ik,

Hei

nz N

ixdo

rf I

nstit

ut,

Uni

vers

ität

Pad

erbo

rn

5The Z Notation

The Birthday Book Example

A system which records people’s birthdays System issues a reminder when the birthday comes around

14.11.2011

© F

achg

ebie

t S

oftw

aret

echn

ik,

Hei

nz N

ixdo

rf I

nstit

ut,

Uni

vers

ität

Pad

erbo

rn

6The Z Notation

The Birthday Book Example - Schema

Variable declaration

BirthdayBookknown: P NAME

birthday: NAME → DATE

known = dom birthday

One instance satisfying the invariant:

known = {John, Mike, Susan}

birthday= {John → 25. Mar, Mike → 20. Dec, Susan → 20. Dec.}

Invariants (variable relationships)

Schema name

14.11.2011

|

© F

achg

ebie

t S

oftw

aret

echn

ik,

Hei

nz N

ixdo

rf I

nstit

ut,

Uni

vers

ität

Pad

erbo

rn

7

Z syntax overview

A specification in Z is presented as a collection of schemas

Each schema consists of: Schema name Variable declaration (static description part)

• Identification of variables Invariants (dynamic part)

• Definition of operations• Input/Output relation• State changes

Z uses only rigourous mathematical notations from (typed) set theory and first order logic

14.11.2011The Z Notation

© F

achg

ebie

t S

oftw

aret

echn

ik,

Hei

nz N

ixdo

rf I

nstit

ut,

Uni

vers

ität

Pad

erbo

rn

8The Z Notation

The Birthday Book Example – Details to BirthdayBook

P: power set, → : partial function dom domain

The set known is the same as the domain of the function birthday – the set of names to which it can be validly applied.

Facts about dom (examples of the laws obeyed by mathematical data types):

• dom(f g) = (dom f ) (dom g)• dom {a → b} = {a}

14.11.2011

BirthdayBookknown: P NAME

birthday: NAME → DATE

known = dom birthday

|

|

© F

achg

ebie

t S

oftw

aret

echn

ik,

Hei

nz N

ixdo

rf I

nstit

ut,

Uni

vers

ität

Pad

erbo

rn

9The Z Notation

AddBirthday∆ BirthdayBookname? : NAMEdate? : DATE

name? known birthday‘ = birthday {name? → date?}

∆ introduces a schema describing a change Introduces variables: known, birthday (state before change) known‘, birthday‘ (state after the change) ? Input variables ! output variables Constraint: All variables with the same name have the same type

The Birthday Book Example - Operation

14.11.2011

© F

achg

ebie

t S

oftw

aret

echn

ik,

Hei

nz N

ixdo

rf I

nstit

ut,

Uni

vers

ität

Pad

erbo

rn

10The Z Notation

A simple proof of a system property Expectation: set of known names will be augmented with the new name

Property: known‘ = known {name?}

Proof:

known‘ = dom birthday‘ [invariant after]

= dom (birthday {name? → date?} [spec. of AddBirthday]

= dom birthday dom {name? → date?} [fact about ‘dom’]

= dom birthday {name?} [fact about ‘dom’]

= known {name?} □ [invariant before]

Proof based on mathematical laws and axioms

14.11.2011

© F

achg

ebie

t S

oftw

aret

echn

ik,

Hei

nz N

ixdo

rf I

nstit

ut,

Uni

vers

ität

Pad

erbo

rn

11The Z Notation

Find operation

Finds birthday (date) for a given name Ξ introduces a schema without a change Constraint: all variables with the same name are of the

same type

FindBirthdayBirthdayBookname? : NAMEdate! : DATE

name? known date! = birthday (name?)

14.11.2011

© F

achg

ebie

t S

oftw

aret

echn

ik,

Hei

nz N

ixdo

rf I

nstit

ut,

Uni

vers

ität

Pad

erbo

rn

12The Z Notation

Remind BirthdayBook today? : DATE cards! : P NAME

cards! = { n : known birthday (n) = today? }

Remind operation

Finds people who have birthday on a given date (to send them birthday cards)

No precondition!

14.11.2011

© F

achg

ebie

t S

oftw

aret

echn

ik,

Hei

nz N

ixdo

rf I

nstit

ut,

Uni

vers

ität

Pad

erbo

rn

13The Z Notation

InitBirthdayBook BirthdayBook

known =

Initial state

14.11.2011

© F

achg

ebie

t S

oftw

aret

echn

ik,

Hei

nz N

ixdo

rf I

nstit

ut,

Uni

vers

ität

Pad

erbo

rn

14The Z Notation

Strengthen the specification (1/2) What is the problem with this spec?

Assumes everything works according to plan No provision for mistake

• What happens if user attempts to add a birthday for someone already known to the system?

• Or if we try to find a birthday of someone not known to the system?

• Should the system ignore such behavior?

• Should the system break down by displaying rubbish?

Does this mean we should write a brand new spec?

14.11.2011

© F

achg

ebie

t S

oftw

aret

echn

ik,

Hei

nz N

ixdo

rf I

nstit

ut,

Uni

vers

ität

Pad

erbo

rn

15The Z Notation

Strengthen the specification (2/2) How to strengthen the specification?

Combine separate schema• Add an extra output (or report) to each operation on the system• Outputs can be:

• Ok

• Already-known

• Not-known

14.11.2011

© F

achg

ebie

t S

oftw

aret

echn

ik,

Hei

nz N

ixdo

rf I

nstit

ut,

Uni

vers

ität

Pad

erbo

rn

16The Z Notation

Success result!: REPORT

result! = ok

Success Operation

To combine schema use conjunction or disjunction: AddBirthday Success is a schema which produces an entry

in the birthday book (for correct inputs) and reports success The result is an operation which, for correct input, both acts as

described by AddBirthday and produces the result ok.

14.11.2011

© F

achg

ebie

t S

oftw

aret

echn

ik,

Hei

nz N

ixdo

rf I

nstit

ut,

Uni

vers

ität

Pad

erbo

rn

17The Z Notation

AlreadyKnown BirthdayBookname? : NAMEresult! : REPORT

name? known result! = already_known

AlreadyKnown Operation

Define a schema for each possible error in the input RAddBirthday = (AddBirthday Success) v

AlreadyKnown

^

14.11.2011

© F

achg

ebie

t S

oftw

aret

echn

ik,

Hei

nz N

ixdo

rf I

nstit

ut,

Uni

vers

ität

Pad

erbo

rn

18The Z Notation

RAddBirthday∆ BirthdayBookname? : NAMEdate? : DATEresult! : REPORT

(name? known birthday‘ = birthday {name? → date?} result! = ok) (name? known birthday‘ = birthday result! = already_known)

A robust version of AddBirthday

14.11.2011

© F

achg

ebie

t S

oftw

aret

echn

ik,

Hei

nz N

ixdo

rf I

nstit

ut,

Uni

vers

ität

Pad

erbo

rn

19The Z Notation

A robust version of FindBirthday

RFindBirthday = (FindBirthday Success) v NotKnown

NotKnownBirthdayBookname? : NAMEresult! : REPORT

name? known result! = not_known

^

14.11.2011

© F

achg

ebie

t S

oftw

aret

echn

ik,

Hei

nz N

ixdo

rf I

nstit

ut,

Uni

vers

ität

Pad

erbo

rn

20

A robust version of FindBirthday It is not enforced that output values are set

cf. http://spivey.oriel.ox.ac.uk/mike/zrm/zrm.pdf page 20 RFindBirthday checks whether a given name is present,

returning a report and, if possible, the date itself

The Z Notation 14.11.2011