
Part IV

The Specification Language Z

86
Overview of Z

• Z has a formal syntax and semantics
• a spec defines a model based on set theory, first-order logic (FOL), . . .
• a spec consists of a system of simple components (schemas)
• special cases and errors are treated separately from the general case
• the structure of proofs is based on the structure of the spec

Schema:
• name
• signature: declaration and types of identifiers
• description of relations between notions by logic formulae

87
Example: Bank Application in Z

Bank
  bal: Account → ℕ

Bank'
  bal': Account → ℕ

∆Bank ≙ Bank ∧ Bank'

ΞBank
  ∆Bank
  ---
  bal' = bal

InitBank
  Bank
  ---
  ∀ i: Account • bal(i) = 0
88
State Transformations

• Z schemas can also describe state transformations, error treatment, refinements

Transfer1
  ∆Bank
  amount?: ℕ
  from?, to?: Account
  ---
  from? ≠ to?
  bal' = bal ⊕ {from? ↦ bal(from?) − amount?, to? ↦ bal(to?) + amount?}
  bal(from?) ≥ amount?

89
Error Treatment

Ok
  output!: Message
  ---
  output! = "OK"

SameAccount
  ΞBank
  from?, to?: Account
  output!: Message
  ---
  from? = to?
  output! = "same account"

Insufficient
  ΞBank
  amount?: ℕ
  from?: Account
  output!: Message
  ---
  bal(from?) < amount?
  output! = "balance insufficient"

Transfer ≙ (Transfer1 ∧ Ok) ∨ SameAccount ∨ Insufficient

analogously: Withdraw ≙ (Withdraw1 ∧ Ok) ∨ Insufficient

90
Proving System Properties

Theorem
  after transfer: bal'(from?) + bal'(to?) = bal(from?) + bal(to?)

Proof (by case distinction).

1) case SameAccount or Insufficient:
   by ΞBank we get bal' = bal; the proposition follows trivially

2) case Transfer1:
   bal'(from?) = bal(from?) − amount?
   bal'(to?) = bal(to?) + amount?
   adding the two equations finishes the proof

• the structure of the proof depends on the structure of the spec


91
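The schemas on the State Transformations and Error Treatment slides, together with the theorem on the Proving System Properties slide, as an executable model. This is an added example and not code from the lecture slides. It assumes a small constructed Account type (the strings "a", "b", "c"), models Message as a Python string, and represents each schema as a function that returns the post-state (plus output!) or None when the schema's predicate is false; the theorem is then checked exhaustively over a small domain rather than proved.

```python
# Added example (not from the lecture slides): executable model of Bank, Transfer1,
# the error schemas and the total operation Transfer, plus a brute-force check of
# the conservation theorem on a small constructed domain.
from itertools import product
from typing import Dict, Optional, Tuple

Account = str
State = Dict[Account, int]        # bal: Account -> N, a total function as a dict
Result = Tuple[State, str]        # (bal', output!)

ACCOUNTS: Tuple[Account, ...] = ("a", "b", "c")   # constructed finite Account type


def init_bank() -> State:
    """InitBank: Bank with forall i: Account . bal(i) = 0."""
    return {i: 0 for i in ACCOUNTS}


def transfer1(bal: State, amount: int, from_: Account, to: Account) -> Optional[State]:
    """Transfer1: from? != to?, bal(from?) >= amount?,
    bal' = bal (+) {from? |-> bal(from?) - amount?, to? |-> bal(to?) + amount?}."""
    if from_ == to or bal[from_] < amount:
        return None                                   # predicate false: not applicable
    return {**bal, from_: bal[from_] - amount, to: bal[to] + amount}


def same_account(bal: State, from_: Account, to: Account) -> Optional[Result]:
    """SameAccount: XiBank (state unchanged), from? = to?, output! = "same account"."""
    return (dict(bal), "same account") if from_ == to else None


def insufficient(bal: State, amount: int, from_: Account) -> Optional[Result]:
    """Insufficient: XiBank, bal(from?) < amount?, output! = "balance insufficient"."""
    return (dict(bal), "balance insufficient") if bal[from_] < amount else None


def transfer(bal: State, amount: int, from_: Account, to: Account) -> Result:
    """Transfer == (Transfer1 and Ok) or SameAccount or Insufficient.

    SameAccount and Insufficient overlap (from? = to? with too little balance); there
    the spec leaves output! nondeterministic. Like the Java code on the Implementation
    slide, this model checks SameAccount first.
    """
    bal2 = transfer1(bal, amount, from_, to)
    if bal2 is not None:
        return bal2, "OK"                             # Transfer1 and Ok
    for case in (same_account(bal, from_, to), insufficient(bal, amount, from_)):
        if case is not None:
            return case
    raise AssertionError("Transfer is total: one disjunct must apply")


def conservation_holds(max_bal: int = 2, max_amount: int = 3) -> bool:
    """Theorem, checked exhaustively on a small domain instead of proved:
    bal'(from?) + bal'(to?) = bal(from?) + bal(to?) after every Transfer."""
    for bals in product(range(max_bal + 1), repeat=len(ACCOUNTS)):
        bal = dict(zip(ACCOUNTS, bals))
        for amount, from_, to in product(range(max_amount + 1), ACCOUNTS, ACCOUNTS):
            bal2, _ = transfer(bal, amount, from_, to)
            if bal2[from_] + bal2[to] != bal[from_] + bal[to]:
                return False
    return True


if __name__ == "__main__":
    bank = {**init_bank(), "a": 5}
    print(transfer(bank, 3, "a", "b"))     # ({'a': 2, 'b': 3, 'c': 0}, 'OK')
    print(transfer(bank, 9, "a", "b"))     # state unchanged, 'balance insufficient'
    print("theorem holds:", conservation_holds())
```

The case split in `transfer` mirrors the disjunction on the Error Treatment slide, and the loop in `conservation_holds` mirrors the proof's case distinction: in the two ΞBank cases the state is returned unchanged, and in the Transfer1 case the two balance updates cancel.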
Example: Refinement Z → Java

int quantity = 42;
int accountNo[] = new int[quantity];
int balance[] = new int[quantity];

RBank
  quantity: ℕ
  accountNo: ℕ → Account
  balance: ℕ → ℕ

Abs
  Bank
  RBank
  ---
  bal = { i: ℕ | i < quantity • accountNo(i) ↦ balance(i) }

RTransfer1
  ∆RBank
  amount?: ℕ
  from?, to?: Account
  ---
  from? ≠ to?
  (∃ k: 0..quantity−1 • accountNo(k) = to? ∧
    (∃ j: 0..quantity−1 • accountNo(j) = from? ∧
      amount? ≤ balance(j) ∧
      balance' = balance ⊕ {j ↦ balance(j) − amount?, k ↦ balance(k) + amount?}))
  accountNo' = accountNo
  quantity' = quantity

92
Soundness Proof

Theorem
  bal' = {accountNo'(i) ↦ balance'(i) | i: 0..quantity'−1}

  i.e. the following diagram commutes:

  RBank  ---Abs--->  Bank
    |                  |
  RTransfer1        Transfer1
    |                  |
    v                  v
  RBank' ---Abs--->  Bank'

Proof.

bal' = bal ⊕ {from? ↦ bal(from?) − amount?, to? ↦ bal(to?) + amount?}
    = {accountNo(i) ↦ balance(i) | i: 0..quantity−1} ⊕
      {from? ↦ bal(from?) − amount?, to? ↦ bal(to?) + amount?}
    = {accountNo(i) ↦ balance(i) | i: 0..quantity−1, i ≠ j, i ≠ k} ⊕
      {accountNo(j) ↦ balance(j) − amount?, accountNo(k) ↦ balance(k) + amount?}
    = {accountNo'(i) ↦ balance'(i) | i: 0..quantity'−1}
93
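The refinement step on the two preceding slides (RBank, RTransfer1, the abstraction relation Abs and the commuting diagram of the soundness theorem) as an executable check on constructed data. This is an added example, not code from the lecture slides or from the Java implementation. It assumes Account is an int, that the arrays have exactly `quantity` entries, and that accountNo is injective on 0..quantity−1 so that Abs is a function rather than a general relation; the function names `abs_rel`, `rtransfer1`, `diagram_commutes` and `all_commute` are this example's own.

```python
# Added example (not from the lecture slides): RBank as arrays, the concrete operation
# RTransfer1, the abstraction Abs, and a check that Abs(RTransfer1(r)) equals the
# abstract post-state bal (+) {from? |-> ..., to? |-> ...} computed from Abs(r).
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional


@dataclass
class RBank:
    """RBank: quantity: N, accountNo: N -> Account, balance: N -> N."""
    quantity: int
    accountNo: List[int]
    balance: List[int]


def abs_rel(r: RBank) -> Dict[int, int]:
    """Abs: bal = { i: N | i < quantity . accountNo(i) |-> balance(i) }."""
    ids = r.accountNo[: r.quantity]
    if len(set(ids)) != len(ids):
        raise ValueError("accountNo not injective: Abs would not be a function")
    return {r.accountNo[i]: r.balance[i] for i in range(r.quantity)}


def rtransfer1(r: RBank, amount: int, from_: int, to: int) -> Optional[RBank]:
    """RTransfer1: from? != to?; exists j, k in 0..quantity-1 with accountNo(j) = from?,
    accountNo(k) = to?, amount? <= balance(j); balance' = balance (+) {j |-> ..., k |-> ...};
    accountNo' = accountNo; quantity' = quantity. Returns None when the predicate is false."""
    if from_ == to:
        return None
    js = [j for j in range(r.quantity) if r.accountNo[j] == from_]
    ks = [k for k in range(r.quantity) if r.accountNo[k] == to]
    if not js or not ks or amount > r.balance[js[0]]:
        return None                                   # existential or precondition false
    j, k = js[0], ks[0]
    balance2 = list(r.balance)
    balance2[j] = r.balance[j] - amount
    balance2[k] = r.balance[k] + amount
    return RBank(r.quantity, list(r.accountNo), balance2)


def diagram_commutes(r: RBank, amount: int, from_: int, to: int) -> bool:
    """Soundness theorem on one input: RBank -> RTransfer1 -> Abs yields the same abstract
    state as RBank -> Abs -> Transfer1, and both sides agree on whether they apply."""
    bal = abs_rel(r)
    # precondition of the abstract Transfer1, evaluated on Abs(r)
    applicable = from_ != to and from_ in bal and to in bal and bal[from_] >= amount
    concrete = rtransfer1(r, amount, from_, to)
    if concrete is None:
        return not applicable
    # bal' = bal (+) {from? |-> bal(from?) - amount?, to? |-> bal(to?) + amount?}
    expected = {**bal, from_: bal[from_] - amount, to: bal[to] + amount}
    return applicable and abs_rel(concrete) == expected


def all_commute(max_bal: int = 2, max_amount: int = 3) -> bool:
    """Exhaustive check over two constructed accounts (ids 10, 20) and an unknown id 99."""
    ids = [10, 20]
    for bals in product(range(max_bal + 1), repeat=len(ids)):
        r = RBank(len(ids), ids, list(bals))
        for amount, from_, to in product(range(max_amount + 1), ids + [99], ids + [99]):
            if not diagram_commutes(r, amount, from_, to):
                return False
    return True


if __name__ == "__main__":
    r = RBank(3, [10, 20, 30], [5, 1, 0])
    print(abs_rel(r))                                  # {10: 5, 20: 1, 30: 0}
    print(rtransfer1(r, 3, 10, 20))                    # balance [2, 4, 0]
    print("diagram commutes on all small cases:", all_commute())
```

The unknown id 99 in `all_commute` exercises the case the schemas leave out: when from? or to? is not in accountNo the existential in RTransfer1 is false, and the abstract state Abs(r) simply has no entry for that account, so both sides agree that no transfer applies. The Java implementation on the next slide does not check this case before indexing the arrays.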
Implementation

class Bank {
    protected int quantity = 42;
    protected int accountNo[] = new int[quantity];
    protected int balance[] = new int[quantity];

    public void transfer(int from, int to, int amount) {
        int i; int j;
        // SameAccount case
        if (from == to) { System.out.println("same account"); return; }
        // quantifier as loop: i plays the role of j in RTransfer1 (accountNo(j) = from?),
        // j plays the role of k (accountNo(k) = to?)
        for (i = 0; i < quantity && accountNo[i] != from; i++);
        for (j = 0; j < quantity && accountNo[j] != to; j++);
        // Guard added here: if an account is not in accountNo the existentials in
        // RTransfer1 are false and none of the schemas above covers the case; without
        // this check the array accesses below throw ArrayIndexOutOfBoundsException.
        if (i == quantity || j == quantity) { System.out.println("unknown account"); return; }
        // Insufficient case
        if (balance[i] < amount) { System.out.println("balance insufficient"); return; }
        // Transfer1: balance' = balance (+) {j |-> balance(j) - amount?, k |-> balance(k) + amount?}
        balance[i] = balance[i] - amount;
        balance[j] = balance[j] + amount;
        // Ok
        System.out.println("OK");
    }
}
94
