Propositions have truth-values. Variables have types. Sets have elements. Schemas assert truths. What do ∆ and Ξ mean?
Combining schema

This is so easy. Suppose we have schemas A, B and B′:

  A  == [ a : Z | a = 42 ]
  B  == [ a, b : Z | a = b + 2 ∧ b < 10 ]
  B′ == [ B : PZ | 42 ∈ B ]

Write AandB = A ∧ B for the schema which asserts A and B:

  AandB == [ a, b : Z | a = 42 ∧ (a = b + 2 ∧ b < 10) ]
Combining schema

Of course! A and B each establish a universe of discourse and assert some properties of it. So A ∧ B just combines those universes and those truths. It is just like in physics class, where we may describe the behaviour of a particle by a 4-dimensional vector space plus its equations of motion (3 dimensions of space, 1 of time). If we want to describe the behaviour of two particles, why, we just use a 7-dimensional vector space (the two sets of spatial coordinates share the one time axis) plus the two equations of motion.
Combining schema

But why stop at ∧? We also have ∨, ⇒ and ⇔. The pattern is always the same: combine the universes of discourse (the variables declared in the schemas) and combine the predicates. Write AimpliesB′ = A ⇒ B′:

  AimpliesB′ == [ a : Z; B : PZ | a = 42 ⇒ 42 ∈ B ]

Try AorB = A ∨ B yourself. The possibilities are endless!
Recall: ClubState

  ClubState == [ badminton, hall : P STUDENT | hall ⊆ badminton ∧ #hall ≤ maxplayers ]

This says:
ClubState

• badminton is a set of students (I'd be guessing: the students that play badminton).
• hall is a set of students (the students in the badminton hall, which has a capacity of maxplayers; 20, say?).
• Students in the hall must play badminton (so they've obviously got a man on the door checking?).
• ... and you can't have more people in the hall than its capacity.
Recall: AddMember

  AddMember == [ badminton, hall, badminton′, hall′ : P STUDENT; newmember? : STUDENT |
                 hall ⊆ badminton ∧ #hall ≤ maxplayers ∧
                 hall′ ⊆ badminton′ ∧ #hall′ ≤ maxplayers ∧
                 newmember? ∉ badminton ∧
                 badminton′ = badminton ∪ {newmember?} ∧
                 hall′ = hall ]

(maxplayers is a constant, so it is not primed: the capacity of the hall does not change when a member joins.)
Recall: AddMember

Or more succinctly:

  AddMember == [ ∆ClubState; newmember? : STUDENT |
                 newmember? ∉ badminton ∧
                 badminton′ = badminton ∪ {newmember?} ∧
                 hall′ = hall ]
Parenthetic note: Renaming

What if you want to rename variables in a schema? S[x/a, y/b, z/c] represents S with a renamed to x, b renamed to y, and so on. For example:

  ClubState == [ badminton, hall : P STUDENT | hall ⊆ badminton ∧ #hall ≤ maxplayers ]

  FootyClub == ClubState[football/badminton, pitch/hall]
            == [ football, pitch : P STUDENT | pitch ⊆ football ∧ #pitch ≤ maxplayers ]
Recall: AddMember

So we can write ∆ClubState as ClubState ∧ ClubState[hall′/hall, badminton′/badminton].
Refining AddMember

Remember: hall is just the students of the badminton club who are in the hall; hall ⊆ badminton hints at that. There may indeed be other people in the hall. What, you thought that badminton is so popular in this school that it can fill an entire sports hall? This specification has to be at least a little bit realistic. There are the rowers in the corner on their machines, the hockey players, the rock-climbers, maybe even a bit of ping-pong. If one of these non-badminton-players sees the empty futility of their non-badminton-player ways, they may join the badminton club. This epiphany might arrive at any time: while they're in the hall, or while they're outside the hall, perhaps studying Formal Spec.
Refining AddMember

  LOCATION ::= inside | outside

  AddMemberInHall == [ ∆ClubState; newmember? : STUDENT; where? : LOCATION |
                       where? = inside ∧
                       newmember? ∉ badminton ∧
                       #hall < maxplayers ∧
                       badminton′ = badminton ∪ {newmember?} ∧
                       hall′ = hall ∪ {newmember?} ]

  AddMemberOutHall == [ ∆ClubState; newmember? : STUDENT; where? : LOCATION |
                        where? = outside ∧
                        newmember? ∉ badminton ∧
                        badminton′ = badminton ∪ {newmember?} ∧
                        hall′ = hall ]

(AddMemberInHall needs the strict inequality #hall < maxplayers: the new member is put into the hall, and the after-state must still satisfy #hall′ ≤ maxplayers.)
Refining AddMember

Then AddMemberAnywhere = AddMemberInHall ∨ AddMemberOutHall. In effect, AddMemberAnywhere describes a program which checks where the member is (inside, outside) and does the right thing accordingly. Isn't that a bit magic? This is a case-split: ∨ on schemas is a case-split for schemas, and ∧ is like a parallel execution. But they are not executions. There is no notion of flow of control or execution here. Just specifications.
Initial State

What's the initial state of the badminton club (back in 1934, probably)? Maybe something like this:

  InitClubState == [ ClubState′ | badminton′ = {} ∧ hall′ = {} ]

It's just convention to use 'after' (primed; dashed) state variables in an initial state.
Initial State

The initial state had better satisfy the conditions of ClubState, that is, hall′ ⊆ badminton′ and #hall′ ≤ maxplayers. So let's check: {} ⊆ {}, and 0 ≤ maxplayers. Both hold.
Totalising operations

  AddMember == [ ∆ClubState; newmember? : STUDENT |
                 newmember? ∉ badminton ∧
                 badminton′ = badminton ∪ {newmember?} ∧
                 hall′ = hall ]

Note the precondition newmember? ∉ badminton. AddMember specifies a PARTIAL function. If newmember? ∈ badminton then AddMember is not defined, as a function on club states.
Totalising operations

Suppose newmember? ∈ badminton and somebody tries adding newmember? anyway. Somebody is either stupid, or playing a practical joke... or perhaps they purchased lifetime membership 30 years previously and just forgot. Perhaps they are a lecturer and their brain has been blasted by the howling winds of a thousand data projectors. How do we turn this specification of a partial function into a specification of a total function?
Totalising operations

Recall the no-op:

  ΞClubState == [ ∆ClubState | badminton′ = badminton ∧ hall′ = hall ]

which expands to

  ΞClubState == [ badminton, hall : P STUDENT; badminton′, hall′ : P STUDENT |
                  hall ⊆ badminton ∧ #hall ≤ maxplayers ∧
                  hall′ ⊆ badminton′ ∧ #hall′ ≤ maxplayers ∧
                  hall′ = hall ∧ badminton′ = badminton ]
Totalising operations

  MESSAGE ::= success | isMember

  SuccessMessage == [ outcome! : MESSAGE | outcome! = success ]

  IsMember == [ ΞClubState; newmember? : STUDENT; outcome! : MESSAGE |
                newmember? ∈ badminton ∧ outcome! = isMember ]

Totalise:

  TotalAddMember == (AddMember ∧ SuccessMessage) ∨ IsMember

Formal Spec F 22 HO 2, Lecture 5
Totalising operations

A schema is total when the outcome is specified for all possible inputs. Programs in C and Java are total: they take an input and give an output. Specifications of these programs may be partial; we may only specify partial information. Exercise: go through the previous specs RemoveMember, EnterHall, LeaveHall and NotInHall. Which of these are total? Totalise the ones that are not.
Hiding

S \ b is the schema obtained by existentially quantifying b in S. Best explained by example:

  A == [ a : Z | a = 42 ]
  HideA == A \ a == [ | ∃ a : Z • a = 42 ]

  B == [ a, b : Z | a = b + 2 ∧ b < 10 ]
  HideB == B \ b == [ a : Z | ∃ b : Z • (a = b + 2 ∧ b < 10) ]

Similarly for S \ (a, b) and so on: every hidden variable leaves the declaration and becomes existentially quantified in the predicate.
Hiding

Note that ∃ b : Z • (a = b + 2 ∧ b < 10) means the same thing as a < 12. So we can equivalently write HideB as:

  HideB == [ a : Z | a < 12 ]
Another example of hiding

Define AddWho = AddMember \ newmember?. Since

  AddMember == [ ∆ClubState; newmember? : STUDENT |
                 newmember? ∉ badminton ∧
                 badminton′ = badminton ∪ {newmember?} ∧
                 hall′ = hall ]

we get

  AddWho == [ ∆ClubState |
              ∃ newmember? : STUDENT • (newmember? ∉ badminton ∧
                                        badminton′ = badminton ∪ {newmember?} ∧
                                        hall′ = hall) ]

What does AddWho do?
Calculating preconditions

Define SuccessAddMember = AddMember ∧ SuccessMessage, where

  AddMember == [ ∆ClubState; newmember? : STUDENT |
                 newmember? ∉ badminton ∧
                 badminton′ = badminton ∪ {newmember?} ∧
                 hall′ = hall ]

  SuccessMessage == [ outcome! : MESSAGE | outcome! = success ]

What does this specification say? Let's see...

Partially expand the definition

  SuccessAddMember == [ ∆ClubState; newmember? : STUDENT; outcome! : MESSAGE |
                        newmember? ∉ badminton ∧
                        badminton′ = badminton ∪ {newmember?} ∧
                        hall′ = hall ∧
                        outcome! = success ]

That's a bit better, but not good enough. We want to expand more!

Expand further

  SuccessAddMember == [ ClubState; badminton′, hall′ : P STUDENT;
                        newmember? : STUDENT; outcome! : MESSAGE |
                        hall′ ⊆ badminton′ ∧
                        #hall′ ≤ maxplayers ∧
                        newmember? ∉ badminton ∧
                        badminton′ = badminton ∪ {newmember?} ∧
                        hall′ = hall ∧
                        outcome! = success ]
Calculating preconditions

Recall: badminton′, hall′ : P STUDENT are the state after. badminton, hall : P STUDENT are the state before. newmember? is the input. outcome! is the output. That's just our reading of the meaning of these variables, but it is a convention: ′ for after, ? for input, ! for output. Is SuccessAddMember defined for all possible inputs and input states?
pre SuccessAddMember = SuccessAddMember \ {badminton′, hall′, outcome!}

  pre SuccessAddMember == [ ClubState; newmember? : STUDENT |
                            ∃ badminton′, hall′ : P STUDENT; outcome! : MESSAGE •
                              hall′ ⊆ badminton′ ∧
                              #hall′ ≤ maxplayers ∧
                              newmember? ∉ badminton ∧
                              badminton′ = badminton ∪ {newmember?} ∧
                              hall′ = hall ∧
                              outcome! = success ]

∃ outcome! : MESSAGE • outcome! = success is true, and outcome! is not mentioned elsewhere, so drop it. Set hall′ = hall everywhere and drop the quantifier over hall′.

SuccessAddMember \ {badminton′, hall′, outcome!}, simplified

  pre SuccessAddMember == [ ClubState; newmember? : STUDENT |
                            ∃ badminton′ : P STUDENT •
                              hall ⊆ badminton′ ∧
                              #hall ≤ maxplayers ∧
                              newmember? ∉ badminton ∧
                              badminton′ = badminton ∪ {newmember?} ]

We drop hall′ = hall, and note that #hall ≤ maxplayers, which was a condition on hall′, is now something that is already in ClubState.

SuccessAddMember \ {badminton′, hall′, outcome!}, simplified more

  pre SuccessAddMember == [ ClubState; newmember? : STUDENT |
                            ∃ badminton′ : P STUDENT •
                              hall ⊆ badminton′ ∧
                              newmember? ∉ badminton ∧
                              badminton′ = badminton ∪ {newmember?} ]

hall ⊆ badminton by ClubState, and badminton′ = badminton ∪ {newmember?}, so hall ⊆ badminton′ is guaranteed.

SuccessAddMember \ {badminton′, hall′, outcome!}, simplified even more

  pre SuccessAddMember == [ ClubState; newmember? : STUDENT |
                            ∃ badminton′ : P STUDENT •
                              newmember? ∉ badminton ∧
                              badminton′ = badminton ∪ {newmember?} ]

∃ badminton′ : P STUDENT • badminton′ = badminton ∪ {newmember?} is always true, so it is as useful as a barber shop on the steps of the guillotine; cut it off.

SuccessAddMember \ {badminton′, hall′, outcome!}, simplified ridiculously

  pre SuccessAddMember == [ ClubState; newmember? : STUDENT | newmember? ∉ badminton ]

There's your precondition: newmember? ∉ badminton. We found a bug!! The program fails if newmember? ∈ badminton.
pre SuccessAddMember

The operation described by SuccessAddMember is not total. As a function from club states to club states taking input newmember?, its output is not defined if newmember? ∈ badminton.
Fact: pre distributes over disjunction: pre (S ∨ T) = pre S ∨ pre T. So to check whether TotalAddMember really is total, it suffices to calculate pre IsMember and see whether it is newmember? ∈ badminton. Let's do it; let our slogan be: expand, hide, simplify.
Expand, hide, simplify: IsMember

  IsMember == [ ΞClubState; newmember? : STUDENT; outcome! : MESSAGE |
                newmember? ∈ badminton ∧ outcome! = isMember ]

Expanded:

  IsMember == [ ClubState; badminton′, hall′ : P STUDENT;
                newmember? : STUDENT; outcome! : MESSAGE |
                hall′ ⊆ badminton′ ∧
                #hall′ ≤ maxplayers ∧
                newmember? ∈ badminton ∧
                outcome! = isMember ∧
                badminton′ = badminton ∧
                hall′ = hall ]

Expand, hide, simplify: IsMember

  pre IsMember == [ ClubState; newmember? : STUDENT |
                    ∃ badminton′, hall′ : P STUDENT; outcome! : MESSAGE •
                      hall′ ⊆ badminton′ ∧
                      #hall′ ≤ maxplayers ∧
                      newmember? ∈ badminton ∧
                      outcome! = isMember ∧
                      badminton′ = badminton ∧
                      hall′ = hall ]

Expand, hide, simplify: IsMember

Substitute badminton′ = badminton and hall′ = hall, and drop those two quantifiers:

  pre IsMember == [ ClubState; newmember? : STUDENT |
                    ∃ outcome! : MESSAGE •
                      hall ⊆ badminton ∧
                      #hall ≤ maxplayers ∧
                      newmember? ∈ badminton ∧
                      outcome! = isMember ]

(Don't rush this. One step at a time.)

Expand, hide, simplify: IsMember

∃ outcome! : MESSAGE • outcome! = isMember is true and outcome! appears nowhere else, so drop it:

  pre IsMember == [ ClubState; newmember? : STUDENT |
                    hall ⊆ badminton ∧ #hall ≤ maxplayers ∧ newmember? ∈ badminton ]

Expand, hide, simplify: IsMember

hall ⊆ badminton and #hall ≤ maxplayers are already in ClubState, so:

  pre IsMember == [ ClubState; newmember? : STUDENT | newmember? ∈ badminton ]

That's it, we're done. TotalAddMember is total:

  pre TotalAddMember = pre SuccessAddMember ∨ pre IsMember
                     = newmember? ∉ badminton ∨ newmember? ∈ badminton
                     = true
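The schema calculus on these slides (∧, ∨ and ⇒ on "Combining schema", renaming, hiding, and the expand-hide-simplify calculation of pre SuccessAddMember, pre IsMember and pre TotalAddMember) can be checked mechanically over a small finite model, which is how a practitioner would sanity-check a hand calculation before trusting it. The Python below is an added example and is not part of the lecture slides. It assumes a constructed STUDENT set of three names and maxplayers = 2, represents a schema as a (signature, predicate) pair, and brute-forces every existential quantifier over those finite carrier sets; the names Schema, rename, hide, pre, is_total and precondition are this example's own, not Z notation.

```python
"""Finite-model check of the badminton-club specification from the slides.

A schema is a pair (signature, predicate): the signature is a tuple of
variable names, the predicate a function over a binding (dict name -> value).
Schema ∧, ∨ and ⇒ merge the signatures and combine the predicates; rename
gives S[new/old]; hide existentially quantifies the hidden variables; pre
hides every after-state (') and output (!) variable.  Quantifiers are
brute-forced over tiny constructed carrier sets, which is enough to see that
AddMember is partial and TotalAddMember is total.
"""
from itertools import combinations, product

# Constructed carrier sets (assumption: three students, a hall for two).
STUDENT = ("ann", "bob", "cy")
MAXPLAYERS = 2
MESSAGE = ("success", "isMember")


def powerset(xs):
    return [frozenset(c) for r in range(len(xs) + 1) for c in combinations(xs, r)]


# Values each variable can take; quantifiers and bindings() range over these.
CARRIER = {
    "badminton": powerset(STUDENT), "badminton'": powerset(STUDENT),
    "hall": powerset(STUDENT), "hall'": powerset(STUDENT),
    "newmember?": STUDENT, "outcome!": MESSAGE,
}


class Schema:
    def __init__(self, sig, pred):
        self.sig = tuple(dict.fromkeys(sig))  # declared variables, deduplicated
        self.pred = pred                       # predicate over a binding

    def __call__(self, b):
        return self.pred(b)

    def _merge(self, other, op):
        return Schema(self.sig + other.sig,
                      lambda b: op(self.pred(b), other.pred(b)))

    def __and__(self, other):   # S ∧ T
        return self._merge(other, lambda p, q: p and q)

    def __or__(self, other):    # S ∨ T
        return self._merge(other, lambda p, q: p or q)

    def implies(self, other):   # S ⇒ T
        return self._merge(other, lambda p, q: (not p) or q)

    def rename(self, mapping):  # S[new/old] for every old -> new in mapping
        return Schema((mapping.get(v, v) for v in self.sig),
                      lambda b: self.pred({v: b[mapping.get(v, v)] for v in self.sig}))

    def hide(self, *names):     # S \ names: ∃ names • S, over the finite carriers
        def pred(b):
            return any(self.pred({**b, **dict(zip(names, vals))})
                       for vals in product(*(CARRIER[n] for n in names)))
        return Schema((v for v in self.sig if v not in names), pred)

    def bindings(self):         # every binding of the signature
        for vals in product(*(CARRIER[v] for v in self.sig)):
            yield dict(zip(self.sig, vals))

    def pre(self):              # pre S = S \ {after-state and output variables}
        return self.hide(*[v for v in self.sig if v.endswith(("'", "!"))])

    def is_total(self, state):  # pre S holds on every legal before-state and input
        p = self.pre()
        return all(p(b) for b in p.bindings() if state(b))


# ClubState, ∆ClubState = ClubState ∧ ClubState[badminton'/badminton, hall'/hall], ΞClubState
ClubState = Schema(("badminton", "hall"),
                   lambda b: b["hall"] <= b["badminton"] and len(b["hall"]) <= MAXPLAYERS)
DeltaClubState = ClubState & ClubState.rename({"badminton": "badminton'", "hall": "hall'"})
XiClubState = DeltaClubState & Schema(DeltaClubState.sig,
    lambda b: b["badminton'"] == b["badminton"] and b["hall'"] == b["hall"])

# AddMember, SuccessMessage, IsMember and the totalised operation
AddMember = DeltaClubState & Schema(DeltaClubState.sig + ("newmember?",),
    lambda b: b["newmember?"] not in b["badminton"]
    and b["badminton'"] == b["badminton"] | {b["newmember?"]}
    and b["hall'"] == b["hall"])
SuccessMessage = Schema(("outcome!",), lambda b: b["outcome!"] == "success")
IsMember = XiClubState & Schema(XiClubState.sig + ("newmember?", "outcome!"),
    lambda b: b["newmember?"] in b["badminton"] and b["outcome!"] == "isMember")
TotalAddMember = (AddMember & SuccessMessage) | IsMember


def init_ok():
    """InitClubState: the empty club satisfies ClubState."""
    return ClubState({"badminton": frozenset(), "hall": frozenset()})


def precondition(schema, badminton, hall, newmember):
    """Evaluate pre schema on one concrete before-state and input."""
    return schema.pre()({"badminton": frozenset(badminton),
                         "hall": frozenset(hall), "newmember?": newmember})


def pre_distributes_over_or(s, t):
    """Check pre (S ∨ T) = pre S ∨ pre T on every binding of the finite model."""
    lhs, rhs = (s | t).pre(), s.pre() | t.pre()
    return all(lhs(b) == rhs(b) for b in lhs.bindings())


if __name__ == "__main__":
    print("AddMember total?      ", AddMember.is_total(ClubState))       # False
    print("IsMember total?       ", IsMember.is_total(ClubState))        # False
    print("TotalAddMember total? ", TotalAddMember.is_total(ClubState))  # True
    print("pre distributes over ∨:",
          pre_distributes_over_or(AddMember & SuccessMessage, IsMember))  # True
```

The model deliberately keeps the carrier sets tiny: with three students and a capacity of two, `is_total` examines only 192 before-state/input pairs, yet it already exhibits the partiality bug on the slides (a member being added twice) and confirms that disjoining IsMember repairs it. Because quantifiers are enumerated rather than reasoned about, a result from this kind of check is evidence about the finite model only; the hand calculation on the slides is what establishes the result for an arbitrary STUDENT set.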