UNIVERSITY OF WESTMINSTER” ELECTRONICS AND COMPUTER SCIENCE 2010-2011 Code: 3SFE618 Title: Formal Methods Date: 12 May 2011 Time: 14:00 Duration: 2 Hours INSTRUCTIONS TO CANDIDATES Answer ALL questions in Section A and TWO questions from Section B. Section A is worth a total of 50 marks Each question in section B is worth 25 marks. You may wish to consult Appendix D. Information sheets and additional stationery supplied: © University of Westminster 2017MODULE CODE: 3SFE618 Page 1 of 21 MODULE TITLE: Formal Methods Section A Answer ALL questions from this section Question 1 Given the following Z schemas: irs - (a) State and explain the formal definitions of AS and SS for any schema [5 marks] 8. (b)_ Give the expanded version of A First. [3 marks] (c)_ Give the expanded version of SSecond. [4 marks} University of Westminster 2011MODULE CODE: 3SFE618 Page 2 of 21 MODULE TITL Formal Methods Question 2 The following, is part of a specification for the Bikephane Shed mobile phone shop. The following types representing individual phones, mobile manufacturers and unique mobile serial numbers. MOBILE ‘mobile | mobile? | mobiled | ‘MANUFACTURER Nokia | Apple | Blackberry | HTC | SERIAL_NO = MP0012 | MP0008 | MP0099 | The state schema. Bikephone Shed stock manufacturers : serialnumb make price (a) Copy the Bikephone._Shed state schema and complete the definitions of the following state variables: ‘* stock are the mobile phones waiting to be sold. ‘# manufacturers are the chosen phone manufacturers, e.g., Nokia, Ap- ple, HTC, etc, whose phones Bikephone Shed sells. * serialnumb maps cach mobile to its unique serial number ‘* make maps each mobile to its make. ‘price maps each phone to price in pounds. In addition, include the state invariant that Bikephone Shed only sells phones that are made by its chosen manufacturers. [12 marks] © Univesity of Westminster 2011MODULE CODE: 35FE618 Page 3 of 21 MODULE TITLE: Formal Methods {b) Define an initial Bikephone Shed state schema for the following situation + There are two phones mobilel and mobile?. ‘* The chosen manufacturers are Nokia, HTC and Blackberry, «The registration numbers for mobilel is MPOOL2 and for snobile? is ‘MPOO099. # The make of mobile1 is Nokia and mobile? is HTC. ‘The price of each mobile is: mobile is £250 and mobile? is £175. [8 marks] Question 3 Define the generic Z operator range restriction “t>", using a generic schema. Its textual definition is given below. Definition: The range restriction, Rt A, of the relation Rs X e+ Y by the set A: PY is the relation that relates 2 to y, if and only if, R relates « to y and y is a member of the set A. [8 marks] Question 4 The following mulliply(3,6) = 18 subtract(24,9) = 15 incremeni(7) = 8 decremeni(3) = 2 are examples of the standard mathematical functions for multipliction, subtrac- tion, increment and decrement respectively, for natural numbers (N). Define the signatures of these functions. Note you are not required to give their definitions. [10 marks] © University of Westminster 2011MODULE CODE: 3SFE618 Page 4 of 21 MODULE TITLE: Formal Methods nB Answer TWO questions from this section Sect Question 5 (a) When developing a Z specification of a system itis necessary to distinguish between invalid, valid and initial system states. Describe the relationship between these different system states and explain the role of system invariants in this relationship. Illustrate this relationship using a diagram, [7 marks] (b) Assume the general state of a system to be specified in Z consists of n objects - Object-1, .., Object_n, as follows: SystemState (ome) 3) (i) Give a brief description of how this system’s general state schema should be structured. Mlustrate this structure by means of suitable Z schemas [6 marks] Give a brief description of how this system's initial state schema should be structured. IMustrate this structure by means of suitable Z schemas, [7 marks] [Continued Overleaf] © University of Westminster 2011MODULE CODE: 3SFE618 Page 5 of 21 MODULE TITLE: Formal Methods (iii) The following operation is specified only in terms of Object-1 — Operationon Objet A Object_1_State Input Variables Output Variables PreConditions Object’ = New_Object1 Outputs Briefly explain how this operation could be re-used to define an op- eration on the whole of the system state using the technique known as operation promotion. Mustrate this by means of a diagram. In addition, give the Z schema that represents the promoted operation ‘on the whole state. [5 marks] © Universi of Westminster 2011MODULE CODE: 3SFE6i8 Page 6 of 21 MODULE TITLE: Formal Methods Question 6 The following is part of a Library specification. The following definitions represent the set of books, copies (i.e. instances) of books and borrowers. [ BOOK, COPY, BORROWER | ‘masrloans : N _— LibraryDataBase stock : COPY + BOOK registeredborrowers : F BORROWER. _— labraryLoans onloan : COPY » BORROWER inlibrary : F COPY b: BORROWER e #f(onloan > { b }) < mazloans inlibrary dom onloan = @ — Library LibraryDataBase LibraryLoans dom stock = inlibrary U dom onloan ran onloan © registeredborrowers: [Continued Overleaf] © University of Westminster 2011MODULE CODE: 3SF&618 Page 7 of 21 MODULE TITLE: Formal Methods (b) (©) — IssueBook Abibrary 2: COPY 0? BORROWER c? € inlibrary stock’ = stock inlibrary’ = inlibrary \ { ¢? } #(onloan & { 0? }) < masloans regiateredborrowers! = registeredborrowers 87 € reqisteredborrowers onloan! = onloan © { c? > 6? } Explain in “plain English” (i.e. do not give a literal translation) the meaning, of each line of the following schemas: ()—LibraryLoans (i) Library Explain in "plain English” the meaning of each line of the constraint part of the IssueBook schema and the role it plays in the specification of the operation, Specify the ReturnBook operation which is used when a borrower returns a book to the libraty. The specification of this operation must be total and output appropriate success and error reports. In addition the specification should be as modular as possible and make full use of the schema calculus. © University of Westminster 2011 [3 marks] [3 marks] [7 marks] [12 marks}MODULE CODE: 3SFE618 Page 8 of 21 MODULE TITLE: Formal Methods Question 7 Part of a Z specification for a University's Computing degree course in particular module registration and de-registration is given in Appendix A. (a) The ZTC type checker output for the Module specification is given in Appendix B. For each error reported give an explanation and the necessary corrections, (b) Once all of the errors detailed in part (a) have been eliminated from the Module specification, explain what additions and modifications must be made to the specification to permit it to be animated by the ZANS ani- mator. (c) Assuming all of the necessary modifications required in part (b) have been made, an attempt is made to animate the Module specification in ZANS. However, ZANS indicates Unat it can nol animate Uke lwo operations RogisterForModule_Ok and DeregisterFromModule_Ok, by reporting that they are “not explicit” Give a brief explanation of what “not explicit” means in this context and state what modifications need to be made to these two operation schemas to correct this problem. © University of Westminster 2011 [10 marks] [10 marks] [5 marks]MODULE CODE: 3SFE618 Page 9 of 21 MODULE TITLE: Formal Methods Appendix A. Module Specification A.l ZTC Box Style Version 1 specification 2 3 ( STUDENT 1 4 5 TITLE ::= Formal_Methods | Compilers | Networks 6 7 STAFF PHowells | ALLecturer | M_Mouse 8 3 REPORT ::= Success 10 ERROR_Already_Registered u | ERROR Module Full 12 | ERROR Not_Registerea 18 uu | NODULE.LIMIT : Ww 15 16 | ACADEMIG_STAFF : P STAFF wv 18 === Module ~ 19 { title : TITLE ; 20 1 leader : STAFF ; a | numbstudents : N ; 2 | students ; P STUDENT 23 1 m | leader in ACADEMIG_STAFF ; 2 | numbstudents <= MODULE_LINIT ; 2% | numbstudents = students ar - 8 29 30 Module 3h a2 title = Formal_Methods ; 38 leader = P_Howells ; i | i 1 34 { numbstudents = 0 ; | students = {} © University of Westminster 2012MODULE CODE: 3SFE618 Page 10 of 21 MODULE TITLE: Formal Methods 38 39 40 au 42 43 44 45 46 a7 48 49 50 51 52 53 54 55, 56 57 58 59 60 1 ReportSuccess ="= [ report! : REPORT | report! = Success J ~-- RegisterForModule_Ok Delta Module ; newstudent? ; STUDENT fl i i | newstudent? notin students ; | numbstudents < MODULE_LIMIT ; ' ' students’ = students || newstudent? ; numbstudents’ = numbstudents + 1 ; RegisterForModule Success ="= RegisterForNodule_Ok /\ ReportSuccess ~-- AlreadyRegistered Error | Xi Module ; | newstudent? : STUDENT ; | report! ; REPORT I I I newstudent? in students report! = ERROR_Already Registered --- ModuleFull_Error ~ Xi Module ; newstudent? : STUDENT ; report! : REPORT numbstudents = MODULE LIMIT ; report! = ERROR_Module Full RegisterForModule RegisterForModule Success \/ AlreadyRegistered_Error \/ ModuleFull_ERROR © University of Westminster 2011MODULE CODE: 3SFE618 Page 11 of 21 MODULE TITLE: Formal Methods i) 6 uw 78 9 80 sl 82, 83 84 85, 86 87. 88, 89 90 a 92 93 o4 95 96 97 98 99 00 101 102 103 104 105 106 107 108 --- DeregisterFromModule_Ok ~ Module ; deregstudent’? : STUDENT students’ = students \ { deregstudent? } ; \ \ \ | deregstudent? in students ; \ | numbstudents’ = numbstudents - 1 ; DeregisterFromModule Success “= DeregisterFromModule_Ok /\ ReportSuccess Student_Not Registered Error ~. Xi Module ; ' | deregstudent? : STUDENT ; | report! : REPORT \ \ \ deregetudent? = students ; report! = ERROR_Not_Registered DeregisterFromodule +"= DeregisterFromModule Success \/ Student _Not_Registered_Error --- PlacesLeftOnModule_Ok ~ | Xi Module ; | placesleft! : N MODULE LIMIT - numbstudents PlacesLeftOnModule ="= PlacesLeftOnModule_Ok /\ ReportSuccess © University of Westininater 2011MODULE CODE: 3SFE618 Page 12 of 21 MODULE TITLE: Formal Methods A.2~ Pretty-Printed Version [STUDENT] TITLE := Formal_Methods | Compilers | Networks STAFF :-= P_Howells | A_Leciurer | M-Mouse REPORT := Success | ERROR_Already Registered | ERROR Module Pull | BRROR_Not_Registered MODULE_LIMIT : N | ACADEMIC_STAPF : B STAFF. — Module. title : TITLE leader : STAFF numbstudents : N students : P.S'TUDENT ‘leader € ACADEMIC_STAFF numbstudents < MODULE-LIMIT numbstudents = students _— InitialModule Module title = Formal_Methods leader = P_Howells numbstudents = 0 students ReportSucces: report! : REPORT | report! = Success} © University of Westminster 2011MODULE CODE: 3SFE618 Page 13 of 21 MODULE TITLE: Formal Methods _— RegisterForModule_Ok AModiule newstudent? : 8/UDENT newstudent? ¢ students nurbstudents < MODULE LIMIT students! = students U newstudent? numbstudents! = numbstudents +1 RegisterForModule_ Sue RegisterPorModule_Ok A ReportSuccess Already Registered_Error a EModule newstudent? : STUDENT report! : REPORT newstudent? € students report! = ERROR_Already Registered _— Module Pull_Brror EModule newstudent? : STUDENT report! : REPORT numbstudents = MODULB_LIMIT ERROR Module Full RegisterRorModule * RegisterForModute Success V AlreadyRegistered_Error V ModulePill_ ERROR _— DeregisterFromModule_Ok Module deregstudent? : STUDENT deregstudent? € students students! = students \ { deregstudent?} numbstudents' = numbstudents — 1 © University of Westminster 2011MODULE CODE: 3sFE618 Page 14 of 21 MODULE TITLE: Formal Methods DeregisterPromModule Success = Deregister FromModule_Ok ‘A ReportSuccess _— Student_Not_Registered. Error fodlule deregstudent? : STUDENT. report! : REPORT. deregstudent? = students report! = ERROR. Not.-Registered DeregisterFromModule = DeregisterFromModule Success V Student_Not_Registered_Brror —PlacesheftOnModule-Ok fodule placesteft! : N placesleft = MODULE_LIMIT ~ numbstudents PlacesLeftOnModule = PlacesLeftOnModule.Ok \ ReportSuccess © University of Westminster 2011MODULE CODE: 3SFE6i8 Page 15 of 21 MODULE TITLI Formal Methods Appendix B. ZTC output for Module Specification The following, is part of the ZTC type checker output from the Module specifi cation. Parsing main file ‘Type checking Type checking . Type checking Type checking Type checking Type checking ‘Type checking --- Typing error ‘Type checking ‘Type checking Type checking, --- Typing error --- Typing error Type checking ‘Type checking --- Typing error Type checking syntax error. Type checking Typing error. --- Typing error: Type checking Type checking == Typing error. Type checking » Type checking Typing error « Type checking End of main file: modulo. 2bx Given set. “module.zbx" Line 3 Free type definition: TITLE. "module.zbx" Line 5 Free type definition: STAFF. "module.zbx" Line 7 Free type definition: REPORT. "nodule.zbx" Lines 9-12 Axiom box. "module.zbx" Line 14 Axiom box. "module.zbx" Line 16 Schema box: Module. “module.zbx" Lines 18-26 “module.zbx" Line 26. Type mismatch: Schema box: InitialModule. “module.zbx" Lines 29-35 Schema definition: ReportSuccess. "module.zbx" Line 38 Schema box: RegisterForHodule_Ok. “module.zbx” Lines 40-47 “module.zbx" Line 46. Type mismatch: Infix expression "module.zbx" Line 46, Type mismatch: Right-hand side Schema definition: RegisterForModule Success. "module.zbx" Lines 50-51 Schema box: AlreadyRegistered Error. "nodule.zbx" Lines 53-89 “module.zbx" Line 68. Mapping expected: Schema box: ModuleFull_Error. "module.zbx" Lines 62-68 “module.zbx" Line 73, near "ModuleFull_ERROR" Schema box: DeregisterFromModule_Ok. "module.zbx" Lines 75-81 "module.zbx" Line 80. Undefined name: students’ "nodule.zbx" Line 61. Undefined name: numbstudents? Schema definition:DeregisterFromModule_Success. "module.zbx" Lines 84-85 Schema box: Student Not_Registered Error. "module.zbx" Lines 87-93 “module.zbx" Line 92. Type mismatch: Schema definition: DeregisterFromModule. “nodule.zbx" Lines 96-98 Schema box: PlacesLeft(nModule_k. "module.zbx" Lines 100-104 “module.zbx" Line 104. Undefined name: placesleft Schama definition: PlacesLeftOnModule. "module.zbx" Lines 107-108 Reached the end of the main file while parsing module. 2bx © Universy of Westminster 2011MODULE CODE: 3SFE618 Page 16 of 21 MODULE TITLI Formal Methods Appendix C. ZANS output for Plane Specification The following is part of the ZANS animator output from the Plane specification. zans> load plane.zbx zans> animate . Initialization Looking for state-schema pragna No state-schema pragma found. Attempt auto-set. State schema: Plane State schema: InitialPlane Analyzing axiomatic definitions: not explicit . Analyzing schema Plane: state. Analyzing schema InitialPlane: state - Analyzing schema Board_OK: explicit Analyzing schema ReportSuccess: explicit. - Analyzing schema Board Succ: explicit Analyzing schema Board_AlreadyOnBoard: explicit Analyzing schema Board_PlaneFull: explicit. . Analyzing schema Board: explicit. Analyzing schema Disembark_OK: explicit Analyzing schema Disembark Succ: explicit Analyzing schema Disombark NotOnBoard: explicit analyzing schema Disembark PlaneEmpty: explicit Analyzing schoma Disembark: explicit Analyzing schema NumberOnBoard: explicit. Analyzing schema PersonOnBoard: explicit -+, Initializing global names. capacity: Undef Check initialization schemas Looking for init-schema pragma Wo init-schema pragma found. Attempt auto-set Initialization schema: ReportSuccess . Initializing ReportSuccess Execute schema: ReportSuccess Schoma: ReportSuccess report!: 0K anim> exit © University of Westminster 2012MODULE CODE: 3SFE618 MODULE TITLE: Formal Methods Appendix D. Table of Z Syntax This appendix contains the Z notation for: sets, logic, ordered pairs, relations, functions, sequences, bags, schemas and the schema calculus. D1 Sets Notation Description N Set of natural numbers from 0 Ni Set of natural numbers from 1 Zz Set of integers res ‘x is an element of S gS is not an element of S scot Sis a subset of T scT Sis a strict subset of T ay Empty set Power set of 5 fe power set of S La Non-empty finite subsets of S_ SUT Union of Sand T sar Intersection of Sand T S\t Set difference of $ and T | aS Number of elements in set 57 {D[Pet} Set comprehension USS Distributed union of SS Ass. Distributed intersection of SS ig Range of integers from @ to 7 inclusive disjoint (4, B, C) Disjoint sets A, B and C (CAB, C) partition 5 Sets A, B and C partition the set 5 © University of Westminster 2011 Page 17 of 21MODULE C MODULE T! D2 Logi Not ODE: 3SFF618 Page 18 of 21 ITLE: Formal Methods sic aP PAQ PVQ Pog PeQ Va TP ToT? All elements 7 of type 7 satisfy P D.3 Ordered Pairs Notation | Des Xx ¥ Cartesian product of X and Y [uy] Ordered pair rey Ordered pair, (maplet) ‘Firsila, y) | Ordered pair projection function second(z, 9) | Ordered pair projection function D4 Relations There exists an element x of type T which satisfies There exists a unique element + of type T which satisfies P Notation | Description P(X x ¥) | Set of relations between XY and Y X SY _|Set of relations between X and ¥ dom R | Domain of relation R ran R Range of relation R SR ___| Domain restriction of R to the set 5 Sa R__| Domain anti-restriction of R by the sat 5 Fee S| Range restriction of F to the set S Re S| Range anti-restriction of F by the set 5 Fi @ Re _| Ri overridden by relation Ra RQ Relational composition R{_S)__| Relational Image of the set 5 of relation R id X Identity relation — Rt Tnverse relation - Re Transitive closure of R ia Reflexive-transitive closure of R © Univesity of Westminster 2011MODULE CODE: 3SFE618 MODULE TITLI ‘ormal Methods D.5 Functions Notation | Description ‘| Finite function me __| Finite injection | =» __ | Partial function =| Total function > | Partial injection >= _| Total injection =» | Partial surjection = __| Total surjection =» _ | Bijection D.6 Sequences Notation | Description seqX __| Finite sequences of type sea, X__ | Non-empty finite sequences of type X iseq X | Inject ite sequences of type X Oo Empty sequence fan Coneatenation of the sequences » and 4 heads _| First element of a non empty sequence __ Tails All but first element of a non empty sequence lasts | Last element of a non empty sequence Jronts [All but last element of a non empty sequence revs ‘Sequence Reversal squash s_| Sequence Compaction S prefix t | 5 is a prefix of & ssuffix (| sis a suffix of & sint #15 a sub-sequence of ¢ © University of Westminster 2011 Page 19 of 21MODULE CODE: 3SFE618 MODULE TITLE: Formal Methods D.7 Bags Notation | Description’ bag X | Bag of type X Tl Empty bag 2=B__| Bag membership 2% B | Bag non-membership Bi CB, | Sub-bag Bic By _| Strict Sub-bag Bru By | Bag Union Bi By | Bag Difference count Ba | Bag Count of x Bia Bag Count of x n@B | Bag Scaling items S| Bag of the sequence s D.8 Schemas Page 20 of 21 © University of Westminster 2011 [ Schema Type ‘Schema Box declarations Axiom + ‘constraints Aix. Generic declarations constraints Linear 8 [declarations | constraints} —s State/Operation declarations constrainisMODULE CODE: 3SFE618 Page 21 of 21 MODULE TITLE: Formal Methods D.9 Schema Calculus Notation Description _ [S; declarations | constraints] | Schema inclusion Ey ‘Schema decoration aS & (Delta) Convention Eg = (Xi) Convention — SAT Schema Conjunction ($ and T) [svr Schema Disjunction (or 7) © University of Westminster 2011