
CAVENDISH CAMPUS

School of Informatics

Modular Undergraduate Programme


Second Semester 2006 – 2007

Module Code: 3SFE618

Module Title: Formal Methods

Date: Friday, 1st June 2007

Time: 10:00 – 12:00

Instructions to Candidates:
Answer ALL questions in Section A and TWO questions from Section B. Section A is worth a total of 50 marks. Each question in Section B is worth 25 marks. You may wish to consult Appendix C.

© University of Westminster 2007


MODULE CODE: 3SFE618 Page 1 of 16
MODULE TITLE: Formal Methods

Section A
Answer ALL questions from this section

Question 1
Given the following Z schemas:

First
x, y : ℕ
A, B : ℙ ℕ
x < y
x ∈ A
A ⊆ B

Second
z : ℕ
B, C : ℙ ℕ
z ∈ B
B ⊆ C

(a) State and explain the formal definitions of ∆S and ΞS for any schema S. [5 marks]

(b) Give the expanded version of ∆First. [3 marks]

(c) Give the expanded version of ΞSecond. [4 marks]


Question 2
The textual definition of the generic Z function domain anti-restriction ⩤ is:

Definition: The domain anti-restriction operation S ⩤ R of a relation R to a set S relates x to y if and only if R relates x to y and x is not a member of S.

Give a formal definition of ⩤ using a generic schema. [8 marks]

Question 3

(a) In relation to the type of a Z schema, explain what a binding is and how it is used to define a schema type. [10 marks]

(b) Given the following schema:

S
x : ℕ
y : ℕ
A : ℙ ℕ
x < y
x ∈ A
y ∉ A

give the schema type of schema S, and two bindings for S, one that satisfies it and one that does not. [6 marks]


Question 4
Given the following type declarations and abbreviations:

Day == 1 . . 31

Month ::= Jan | Feb | Mar | Apr | May | Jun | Jul | Aug | Sep | Oct | Nov | Dec

ThirtyDayMonths == {Apr, Jun, Sep, Nov}

ThirtyOneDayMonths == {Jan, Mar, May, Jul, Aug, Oct, Dec}

Year == 2000 . . 2100

(a) Define a Date schema that represents a valid date, i.e., day, month & year.
The dates must be valid in that the day value must not exceed the number
of days for the month. For example, for Apr that is 30 and for Jan that
is 31, but you can ignore leap years and assume that Feb has at most 28
days. [5 marks]

(b) Use your Date schema to declare a global variable called today and assign
it today’s date. (See front page of the exam paper.) [3 marks]

(c) Use your Date schema to declare a global variable called FirstExamWeek
that represents the dates that make up this year’s first exam week from
Monday to Friday, i.e., 14 May 2007 to 18 May 2007. [6 marks]


Section B
Answer TWO questions from this section

Question 5
The following is part of a Library specification.
The following definitions represent the set of books, copies (i.e. instances) of
books and borrowers.

[BOOK, COPY, BORROWER]

maxloans : ℕ

LibraryDataBase
stock : COPY ⇸ BOOK
registeredborrowers : 𝔽 BORROWER

LibraryLoans
onloan : COPY ⇸ BORROWER
inlibrary : 𝔽 COPY
∀ b : BORROWER • #(onloan ▷ {b}) ≤ maxloans
inlibrary ∩ dom onloan = ∅

Library
LibraryDataBase
LibraryLoans
dom stock = inlibrary ∪ dom onloan
ran onloan ⊆ registeredborrowers


IssueBook
∆Library
c? : COPY
b? : BORROWER
c? ∈ inlibrary
stock′ = stock
inlibrary′ = inlibrary \ {c?}
#(onloan ▷ {b?}) < maxloans
registeredborrowers′ = registeredborrowers
b? ∈ registeredborrowers
onloan′ = onloan ⊕ {c? ↦ b?}

(a) Explain in “plain English” (i.e. do not give a literal translation) the meaning
of each line of the following schemas:

(i) LibraryLoans [3 marks]

(ii) Library [3 marks]

(b) Explain in “plain English” the meaning of each line of the constraint part
of the IssueBook schema and the role it plays in the specification of the
operation. [7 marks]

(c) Specify the ReturnBook operation which is used when a borrower returns
a book to the library. The specification of this operation must be total and
output appropriate success and error reports. In addition the specification
should be as modular as possible and make full use of the schema calculus.
[12 marks]
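To make the schema constraints concrete, the following Python model of the Library state and the IssueBook operation is added here as an illustration; it is not part of the exam paper. The value maxloans = 2, the copy and borrower names, and the helper loans_of (which stands in for #(onloan ▷ {b})) are assumptions of the example.

```python
# Executable model of the Library state and IssueBook operation above; an added illustration, not part of the exam paper. Sample data is constructed.
from dataclasses import dataclass, field

MAXLOANS = 2  # maxloans : N, constructed value


@dataclass
class Library:
    # LibraryDataBase: stock : COPY -|-> BOOK, registeredborrowers : F BORROWER
    stock: dict = field(default_factory=dict)
    registered: set = field(default_factory=set)
    # LibraryLoans: onloan : COPY -|-> BORROWER, inlibrary : F COPY
    onloan: dict = field(default_factory=dict)
    inlibrary: set = field(default_factory=set)

    def loans_of(self, b: str) -> int:
        # #(onloan |> {b}): number of copies currently on loan to borrower b
        return sum(1 for x in self.onloan.values() if x == b)

    def invariant_ok(self) -> bool:
        # forall b : BORROWER . #(onloan |> {b}) <= maxloans
        if any(self.loans_of(b) > MAXLOANS for b in set(self.onloan.values())):
            return False
        # inlibrary /\ dom onloan = {}
        if self.inlibrary & set(self.onloan):
            return False
        # dom stock = inlibrary U dom onloan
        if set(self.stock) != self.inlibrary | set(self.onloan):
            return False
        # ran onloan subseteq registeredborrowers
        return set(self.onloan.values()) <= self.registered

    def issue_book(self, c: str, b: str) -> bool:
        """IssueBook: the state changes only when the precondition holds."""
        pre = (c in self.inlibrary                 # c? in inlibrary
               and b in self.registered            # b? in registeredborrowers
               and self.loans_of(b) < MAXLOANS)    # #(onloan |> {b?}) < maxloans
        if not pre:
            return False
        # stock' = stock and registeredborrowers' = registeredborrowers: untouched
        self.inlibrary = self.inlibrary - {c}      # inlibrary' = inlibrary \ {c?}
        self.onloan = {**self.onloan, c: b}        # onloan' = onloan (+) {c? |-> b?}
        assert self.invariant_ok()                 # Delta Library keeps the invariant
        return True


def sample_library() -> Library:
    # Constructed sample: three copies of two books, two registered borrowers.
    return Library(stock={"c1": "bk1", "c2": "bk1", "c3": "bk2"},
                   registered={"alice", "bob"},
                   inlibrary={"c1", "c2", "c3"})
```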


Question 6
Write a Z specification for a buffer of items that has a maximum length.
Your specification should deal with error handling where required and should
include the following:

(a) Any types, states and invariants that the buffer requires. [6 marks]

(b) The buffer operations:

(i) Insert – add an item to the end of the buffer. [8 marks]

(ii) Remove – remove an item from the front of the buffer. [7 marks]

(iii) InBuffer – reports via a suitable message whether a particular item is in the buffer or not. [4 marks]

Question 7
The partial Z specification of a VDU screen which allows cursor key movements
is given in Appendix A.

(a) Discuss how the two Z tools ZTC and ZANS assist in the development of a Z specification. [4 marks]

(b) The ZTC type checker output for the cursor key specification is given
in Appendix B. For each error give an explanation and the necessary
corrections. [11 marks]

(c) Once all of the errors detailed in part (b) have been eliminated from the
cursor keys specification, explain what additions and modifications must
be made to the specification to permit it to be animated by ZANS. [10 marks]


Appendix A. Cursor Keys Specification


A.1 ZTC Box Style Version
1 specification
2
3 XY_COORDINATE == N & N
4
5 | numbcols, numbrows : N1
6
7 KEY ::= DownKEY | LeftKey | CurrentPositionKey
8
9 ERROR ::= OnLastRow_CanNotMove_Down
10 | AtHome_CanNotMove_Left
11
12 REPORT ::= Success | error << ERROR >>
13
14 | SCREEN : N <-> N
15
16 | HomePosition : XY_COORDINATE ;
17
18 --- Cursor --------------------------------------
19 | position : XY_COORDINATE
20 |-------------------------------
21 | position subseteq SCREEN
22 -------------------------------------------------
23
24 --- InitialCursor -------------------------------
25 | Cursor
26 |-------------------------------
27 | position = HomePosition
28 -------------------------------------------------
29
30 ReportSuccess =^= [ report! : REPORT | report! = Success ]
31
32 Pressed_DownKey =^= [ key? : KEY | key? = DownKey ]
33
34 --- Down_NotLastRow -----------------------------
35 | Delta Cursor
36 |--------------------
37 | second(position) < numbrows


38 | position’ = ( first(position), second(position) + 1 )
39 -------------------------------------------------
40
41 --- Down_OnLastRow_CanNotMove -------------------
42 | Xi Cursor ;
43 | report! : REPORT
44 |---------------------------
45 | second(position) = numbrows ;
46 | report! = OnLastRow_CanNotMove_Down
47 -------------------------------------------------
48
49 Down_Success =^= Down_NotLastRow /\ ReportSuccess
50
51 Down_Errors =^= Down_OnLastRow_CanNotMove
52
53 Down =^= Pressed_DownKey /\ ( Down_Success \/ Down_ERRORS )
54
55 Pressed_LeftKey =^= [ key? : KEY | key? = LeftKey ]
56
57 --- Left_NotFirstColumn -------------------------
58 | Delta Cursor
59 |---------------------------
60 | first(position) > 1 ;
61 | position’ = { first(position) - 1, second(position) }
62 -------------------------------------------------
63
64 --- Left_FirstColumnNotFirstRow -----------------
65 | Cursor ;
66 |---------------------------
67 | first(position) = 1 ;
68 | second(position) > 1 ;
69 | position’ = ( numbcols, second(position) - 1 )
70 -------------------------------------------------
71
72 --- Left_AtHome_CanNotMove ----------------------
73 | Xi Cursor ;
74 | report : REPORT
75 |---------------------------
76 | position = HomePosition ;
77 | report! = error(AtHome_CanNotMove_Left)
78 -------------------------------------------------


79
80 Left_Success =^= ( Left_NotFirstColumn
81 \/ Left_FirstColumnNotFirstRow )
82 /\ ReportSuccess
83
84 Left_Errors =^= Left_AtHome_CanNotMove
85
86
87 Left =^= Pressed_LeftKey
88 /\ ( Left_Success \/ Left_Errors )

A.2 LaTeX 2ε Version

XY_COORDINATE == ℕ × ℕ

numbcols, numbrows : ℕ1

KEY ::= DownKEY | LeftKey | CurrentPositionKey

ERROR ::= OnLastRow_CanNotMove_Down | AtHome_CanNotMove_Left

REPORT ::= Success | error⟨⟨ERROR⟩⟩

SCREEN : ℕ ↔ ℕ

HomePosition : XY_COORDINATE

Cursor
position : XY_COORDINATE
position ⊆ SCREEN

InitialCursor
Cursor
position = HomePosition


ReportSuccess ≙ [report! : REPORT | report! = Success]

Pressed_DownKey ≙ [key? : KEY | key? = DownKey]

Down_NotLastRow
∆Cursor
second(position) < numbrows
position′ = (first(position), second(position) + 1)

Down_OnLastRow_CanNotMove
ΞCursor
report! : REPORT
second(position) = numbrows
report! = OnLastRow_CanNotMove_Down

Down_Success ≙ Down_NotLastRow ∧ ReportSuccess

Down_Errors ≙ Down_OnLastRow_CanNotMove

Down ≙ Pressed_DownKey ∧ (Down_Success ∨ Down_ERRORS)

Pressed_LeftKey ≙ [key? : KEY | key? = LeftKey]

Left_NotFirstColumn
∆Cursor
first(position) > 1
position′ = {first(position) − 1, second(position)}

Left_FirstColumnNotFirstRow
Cursor
first(position) = 1
second(position) > 1
position′ = (numbcols, second(position) − 1)


Left_AtHome_CanNotMove
ΞCursor
report : REPORT
position = HomePosition
report! = error(AtHome_CanNotMove_Left)

Left_Success ≙ (Left_NotFirstColumn ∨ Left_FirstColumnNotFirstRow) ∧ ReportSuccess

Left_Errors ≙ Left_AtHome_CanNotMove

Left ≙ Pressed_LeftKey ∧ (Left_Success ∨ Left_Errors)


Appendix B. ZTC Type Check Log File


... Initializing.
... Loading Z mathematical tools library: math0.zbx
Parsing main file: cursor.zbx
... Type checking Equivalence definition: XY_COORDINATE. "cursor.zbx" Line 3
... Type checking Axiom box. "cursor.zbx" Line 5
... Type checking Free type definition: KEY. "cursor.zbx" Line 7
... Type checking Free type definition: ERROR. "cursor.zbx" Lines 9-10
... Type checking Free type definition: REPORT. "cursor.zbx" Line 12
... Type checking Axiom box. "cursor.zbx" Line 14
... Type checking Axiom box. "cursor.zbx" Line 16
... Type checking Schema box: Cursor. "cursor.zbx" Lines 18-21
--- Typing error. "cursor.zbx" Line 21. Type mismatch: Infix relation.
... Type checking Schema box: InitialCursor. "cursor.zbx" Lines 24-27
... Type checking Schema definition: ReportSuccess. "cursor.zbx" Line 30
... Type checking Schema definition: Pressed_DownKey. "cursor.zbx" Line 32
--- Typing error. "cursor.zbx" Line 32. Undefined name: DownKey
... Type checking Schema box: Down_NotLastRow. "cursor.zbx" Lines 34-38
--- Typing error. "cursor.zbx" Line 37. Mapping expected:
... Type checking Schema box: Down_OnLastRow_CanNotMove. "cursor.zbx" Lines 41-46
--- Typing error. "cursor.zbx" Line 46. Type mismatch:
... Type checking Schema definition: Down_Success. "cursor.zbx" Line 49
... Type checking Schema definition: Down_Errors. "cursor.zbx" Line 51
--- Syntax error. "cursor.zbx" Line 53, near "Down_ERRORS"
... Type checking Schema definition: Pressed_LeftKey. "cursor.zbx" Line 55
... Type checking Schema box: Left_NotFirstColumn. "cursor.zbx" Lines 57-61
--- Typing error. "cursor.zbx" Line 61. Type mismatch:
... Type checking Schema box: Left_FirstColumnNotFirstRow. "cursor.zbx" Lines 64-69
--- Typing error. "cursor.zbx" Line 69. Undefined name: position’
... Type checking Schema box: Left_AtHome_CanNotMove. "cursor.zbx" Lines 72-77
--- Typing error. "cursor.zbx" Line 77. Undefined name: report!
... Type checking Schema definition: Left_Success. "cursor.zbx" Lines 80-82
... Type checking Schema definition: Left_Errors. "cursor.zbx" Line 84
--- Reached the end of the main file while parsing.
... Type checking Schema definition: Left. "cursor.zbx" Lines 87-88
End of main file: cursor.zbx
Log written in "cursor.log"


Appendix C. Table of Z Syntax


This appendix contains the Z notation for: sets, logic, ordered pairs, relations,
functions, sequences, bags and schemas.

C.1 Sets
Notation          Description
ℕ                 Set of natural numbers from 0
ℕ1                Set of natural numbers from 1
ℤ                 Set of integers
x ∈ S             x is an element of S
x ∉ S             x is not an element of S
S ⊆ T             S is a subset of T
∅, { }            Empty set
ℙ S               Power set of S
𝔽 S               Finite power set of S
𝔽1 S              Non-empty finite subsets of S
S ∪ T             Union of S and T
S ∩ T             Intersection of S and T
S \ T             Set difference of S and T
#S                Number of elements in set S
{D | P • t}       Set comprehension
⋃ SS              Distributed union of SS
⋂ SS              Distributed intersection of SS

C.2 Logic
Notation          Description
¬P                not P
P ∧ Q             P and Q
P ∨ Q             P or Q
P ⇒ Q             P implies Q
P ⇔ Q             P is equivalent to Q
∀ x : T • P       All elements x of type T satisfy P
∃ x : T • P       There exists an element x of type T which satisfies P


C.3 Ordered Pairs
Notation          Description
X × Y             Cartesian product of X and Y
(x, y)            Ordered pair
x ↦ y             Ordered pair (maplet)
first(x, y)       Ordered pair projection function
second(x, y)      Ordered pair projection function

C.4 Relations
Notation          Description
X ↔ Y             Set of relations between X and Y
dom R             Domain of relation R
ran R             Range of relation R
S ◁ R             Domain restriction of R to the set S
S ⩤ R             Domain anti-restriction of R to the set S
R ▷ S             Range restriction of R to the set S
R ⩥ S             Range anti-restriction of R to the set S
R1 ⊕ R2           R1 overridden by relation R2
R ⨾ Q             Relational composition
R⦇S⦈              Relational image of the set S under relation R
id X              Identity relation
R⁻¹               Inverse relation
R⁺                Transitive closure of R
R*                Reflexive-transitive closure of R

C.5 Functions
Notation          Description
⇸                 Partial function
→                 Total function
⤔                 Partial injection
↣                 Total injection
⤀                 Partial surjection
↠                 Total surjection
⤖                 Bijection
(λ x : T | P • E) Lambda expression
(μ x : T | P • E) Mu expression


C.6 Sequences
Notation          Description
seq X             Finite sequences of type X
seq1 X            Non-empty finite sequences of type X
iseq X            Injective finite sequences of type X
⟨⟩                Empty sequence
s ⌢ t             Concatenation of the sequences s and t
head s            First element of a non-empty sequence
tail s            All but first element of a non-empty sequence
last s            Last element of a non-empty sequence
front s           All but last element of a non-empty sequence
rev s             Sequence reverse
squash s          Sequence compaction
s prefix t        s is a prefix of t
s suffix t        s is a suffix of t
s in t            s is a sub-sequence of t

C.7 Bags
Notation          Description
bag X             Bag of type X
⟦ ⟧               Empty bag
x ⋿ B             Bag membership
x ⋿̸ B             Bag non-membership
B1 ⊑ B2           Sub-bag
B1 ⊏ B2           Strict sub-bag
B1 ⊎ B2           Bag union
B1 ⩁ B2           Bag difference
count B x         Bag count of x
B ♯ x             Bag count of x
n ⊗ B             Bag scaling
items s           Bag of the sequence s


C.8 Schemas
Schema Type                Schema Box
Axiom                      declarations | constraints
Generic                    [X, . . .]  declarations | constraints
Linear                     S ≙ [declarations | constraints]
State/Operation            S  declarations | constraints
Generic State/Operation    S [X, . . .]  declarations | constraints

C.8.1 Schema Calculus
Notation                              Description
[S; declarations | constraints]       schema inclusion
S′                                    schema decoration
∆S                                    Delta S
ΞS                                    Xi S
S ∧ T                                 S and T
S ∨ T                                 S or T
S ⨾ T                                 S composed with T
pre S                                 pre-conditions of S
S[new/old]                            variable renaming
S \ (a)                               variable hiding
S ↾ (a)                               variable projection
