Checking the consistency of Object-Z formal specification based on theorem proof

Abstract

A software formal specification is useful if and only if it is consistent or non-conflictive. However, checking the correctness or consistency of a formal specification is a difficult task. This paper proposes a method to prove its consistency or correctness by generating relevant theorem proofs. Checking the correctness and consistency of Object-Z formal specification is the main goal, which can make the specifier to get confident. Because Object-Z has inheritance property, this paper discusses it from different aspects, and focuses on the reuse of theorem proof. Finally, theorem prover Z/EVES is used to analyze and verify the Object-Z theorem proofs (semi-)automatically.

Keywords

Object-Z elevator system formal specification Z/EVES theorem proof

1. Introduction

In software development process, the combination of object-oriented and formal method has become a tendency. Object-Z [1] is an extension of process-oriented formal specification language Z, that is able to describe large scale object-oriented formal specification. Mathematical logic and set theory are its theoretical foundation. Therefore, we can reason the behaviors and attributes of formal specification easily. Verification including theorem proving and mode checking can ensure the consistency and correctness for an Object-Z formal specification.

There have been many researches on theorem proof and formal verification at home and abroad that it is able to reason about the properties of formal specification. In paper [6], relevant inference rules and methods for Object-Z formal specification have been proposed. Generally, Object-Z class properties can be represented as a sequential form: A:: $d\mid\Psi\vdash\Phi$ , where $A$ represents a class name, $d$ is a declarative sequence, $\Psi$ and $\Phi$ are a sequence of predicates. The proof sequence is valid, that is, the declared property is correct only if only at least one of formula $\Phi$ is true when given the declarations $d$ and predicates $\Psi$ in class $A$ . The predicates in formula $\Psi$ and $\Phi$ are only defined according to variables and constants which are accessible in the class $A$ or declarations in $d$ . A:: $d\mid\Psi\vdash\Phi$ is checking the consistency or correctness principle for Object-Z formal specification.

There are two parts of the work to check a formal specification: firstly, generating relevant theorem proofs (TP, i.e., extracting theorems), which express certain properties of a specification; secondly, checking these TPs by certain existing excellent theorem prover (semi-)automatically, such as Z/EVES [7, 8] (i.e., proving the theorems). In this paper, a method of checking the consistency or correctness for Object-Z formal specification by theorem proof is presented systematically. Finally, we will make full use of theorem prover Z/EVES to validate it [9, 10, 11].

In this section, a brief introduction to Object-Z will be introduced. The structure of Object-Z formal specification is composed of global definitions and class definitions. The set of global variables can be shared by all class definitions. The global definitions and the paragraphs in each class can be described with Z notation. The structure of Object-Z formal specification for a class definition is shown as follows:

A class structure of Object-Z may contain parameters, encapsulates types, constants, variables, operations, inherit property and so on.

2. Elevator operation systems

In this paper, as an example to illustrate check the consistency of Object-Z formal specification based on theorem proof, it can be described by an elevator operation system through. This elevator operation system includes state schema, initial state, and request operation, run operation and so on. This is the main parts of formal specifications of the elevator operation system as follows.

2.1 State schema

According to Object-Z syntax, this is the state schema of an elevator operation system as follows:

2.2 Initial state

This is the initial state of elevator operation system as follows:

2.3 Request operation

Request operation can be divided into two request operations (i.e. outrequest operation and inrequest operation), including press inside or outside keys of the elevator, hoping go to a certain floor.

2.3.1 The outrequest operation

The outrequest operation may be divided into up and down direction operations:

The Outrequest operation is composed of Outuprequest and Outdownrequest operations. Thus, it has: Outrequest $=$ Outuprequest[]Outdownrequest.

2.3.2 The inrequest operation

The inrequest operation of elevator is the request inside the elevator, hoping go to the floor.

Thus, the request operation may be composed of inrequest operation and outrequest operation, i.e. Request $=$ Inrequest[]Outrequest.

2.4 Run operation

The run operation of elevator is composed of up-runing operation and down-runing operation:

Thus, the run operation has: Run $=$ Uprun[]Downrun.

3. Theorem proof

Theorem proof has been applied in order to check the consistency or correctness of the developed formal system in paper [12, 13, 14]. In this section, we will generate relevant theorem proofs from a base class or operation of a formal specification. In order to check specification’s consistency, we should consider the specification is not conflictive first. Otherwise, the specification hasn’t any significance because it is conflictive. In this case, it is not taken into account in paper [9] at all. It is regarded as compatibility and non-confliction acquiescently. In addition to this, we will consider the partial functions or operators whether they are complete in this specification.

3.1 Consistency of Object-Z specification

If the invariant is consistent, there is at least one state space. An operation can transform one state into another in a state space. It is necessary to check the consistency between an operation and its state space. Therefore, if a formal specification itself is conflictive, there may be no state space or initial state. Furthermore, operations including initial operation may not be compatible with the state space.

3.1.1 State space existence

According to Object-Z syntax and semantics, there may be global or local definitions in a class, including constants, variables, types, function definitions and so on, which all can be regarded as context information identified as Context. Note that variables defined in the state schema cannot be considered as context information. Generally, the Context is assumed to be consistent. Variables defined in a state schema can be represented as $x$ of type $X$ simply. In this p, the state invariant is expressed as Invariant(x) and the operation is expressed as OP.

If an invariant of an Object-Z class is not conflictive, there exists a state space at least. From the context information, it may be true:

TP1: Context $\vdash\exists$ x: X $\bullet$ Invariant(x).

If this inference relationship does not exist, the invariant is conflictive. Hence, the theorem proof is true:

TP1’: Context $\vdash\exists$ upset,downset:FA $\bullet$ upset $\cap$ downset $=\Phi$

Here, Context $=$ [A $=$ 1..maxfloor].

3.1.2 Initial state existence

Initial state is a state in a state space of Object-Z class. If an Object-Z specification is consistent or correct, the initial state should exist and satisfy its state invariant. There is a theorem proof:

TP2: Context $\vdash\exists$ x: X $\bullet$ Invariant(x) $\wedge$ Init(x)

There into, the context of initial state is: Context $=$ [A $=$ 1..maxfloor; B $=$ 0..maxsize; Flag:: $=$ up $|$ zero $|$ down; State:: $=$ open $|$ close]. Thus, it should check the existence of initial state:

[A $=$ 1..maxfloor; B $=$ 0..maxsize; Flag:: $=$ up $|$ zero $|$ down; State:: $=$ open $|$ close]

TP2’: $\vdash\exists$ upset, downset: PA; tag: Flag; story: A; number: B; door: State $\bullet$

upset $\cap$ downset $=\Phi\wedge$ upset $=\Phi\wedge$ downset $=\Phi$

$\wedge$ tag $=$ zero $\wedge$ story $=$ 1 $\wedge$ number $=$ 0 $\wedge$ door $=$ close

3.1.3 Operation feasibility

In a state space, an operation can transform one state into another. If an operation is feasible in the formal specification, there should be a pre- and post-position state satisfying its invariant. Otherwise, the operation is incompatible or inconsistent with itself invariant. Invariant is implicitly included into any operation. Therefore, a theorem proof can be produced for each operation:

TP3: Context $\vdash\exists$ x, x’: X; y: Y $\bullet$ Invariant(x) $\wedge$ OP(x, x’, y) $\wedge$ Invariant(x’)

In TP3, $\textit{OP}(x,x^{\prime},y)$ represents the predicate portion of operation OP. Expression $x^{\prime}$ and Invariant(x’) denote variable $x$ ’s post-state and the invariant post-state. Expression $y$ of type $Y$ denotes the local variables of operation OP, i.e., its input or output variables.

About the operation Outuprequest above, it may be true:

[A $=$ 1..maxfloor; B $=$ 0..maxsize; Flag:: $=$ up $|$ zero $|$ down; State:: $=$ open $|$ close]

TP3’: $\vdash$

$\exists$ s?:N;tag:Flag;door,door’:State;upset,upset’,downset,downset’:FA $\bullet$

((tag $=$ zero $\vee$ tag $=$ up) $\wedge$ ran(s?) $=$ 1 $\wedge$ dom(s?) $=$ story $\wedge$ door $=$ close $\wedge$ door’ $=$ open

$\wedge$ upset’ $=$ upset $\wedge$ downset’ $=$ downset) $\vee$ (tag $=$ up $\wedge$ dom(s?)-story $>$ 0 $\wedge$ ran(s?) $=$ 1

$\wedge$ downset’ $=$ downset $\wedge$ upset’ $=$ upset $\cup$ {dom(s?)} $\wedge$ door’ $=$ door)

About the operation Outdownrequest above, it may be true:

[A $=$ 1..maxfloor; B $=$ 0..maxsize; Flag:: $=$ up $|$ zero $|$ down; State:: $=$ open $|$ close]

TP3’: $\vdash$

((tag $=$ zero $\vee$ tag $=$ down) $\wedge$ ran(s?) $=-$ 1 $\wedge$ dom(s?) $=$ story

$\wedge$ door $=$ close $\wedge$ door’ $=$ open

$\wedge$ upset’ $=$ upset $\wedge$ downset’ $=$ downset)

$\vee$ (tag $=$ down $\wedge$ story-dom(s?) $>$ 0 $\wedge$ ran(s?) $=-$ 1

$\wedge$ downset’ $=$ downset

$\wedge$ upset’ $=$ upset $\cup$ {dom(s?)} $\wedge$ door’ $=$ door)

Hence, if the inference relationship of above theorem proof does not exist, it means that the operation Outuprequest or Outdownrequest with this invariant may be conflictive. Other operations are similar.

3.2 Checking precondition or postcondition

Let the invariant of an Object-Z class be Invariant(x), here, x:X is the state variables and their corresponding types. The possible input & output variables and the corresponding types in an operation are input:INPUT, output:OUTPUT. Due to state invariant including in an operation implicitly, the precondition and postcondition of an operation may be regarded as two theorem proofs:

TP4: OP.pre $=\exists$ x’:X; output:OUTPUT $\bullet$ OP(x, x’, input, output) $\wedge$ Invariant(x) $\wedge$ Invariant(x’)

TP5: OP.post $=\exists$ x’:X; output:OUTPUT $\bullet$ OP(x’, output) $\wedge$ Invariant(x’)

If an Object-Z formal specification is correctness or non-conflictive, there may exist pre- & post-conditions for each operation. Thus, the pre- & post-conditions of each operation above, for the outuprequest operation are:

[A $=$ 1..maxfloor; B $=$ 0..maxsize; Flag:: $=$ up $|$ zero $|$ down; State:: $=$ open $|$ close]

TP: $\vdash$

$\exists$ door’:State; s?: A $\times$ { $-$ 1,1}; story:A; tag:Flag $\bullet$

((tag $=$ zero $\vee$ tag $=$ up) $\wedge$ ran(s?) $=$ 1 $\wedge$ dom(s?) $=$ story

$\wedge$ door $=$ close) $\vee$ (tag $=$ up $\wedge$ dom(s?)-story $>$ 0 $\wedge$ ran(s?) $=$ 1)

4. Generating TPs for relevant properties

For an Object-Z formal specification, there may hold several obvious properties. For example, for the Elevator operation system, there are two operations in class Elevator: Uprun and Downrun. If the operation Uprun may be executed first and the operation Downrun later, the story of floor should be unchanged, i.e., story” $=$ story. This is one of the properties that class Elevator should have. It should have:

TP6_1: Context $\vdash\forall$ x,x’,x”:X $\bullet$ (Uprun $\wedge$ Downrun $\Rightarrow$ story” $=$ story)

Implicitly, invariant of a class can be included into every operation. Thus, the theorem proof TP6_1 above is simplified as the theorem proof TP6’:

TP6_1’: Context $\vdash\forall$ x,x’,x”:X;y:Y $\bullet$ Invariant(x) $\wedge$ Uprun(x,x’,y)

$\wedge$ Invariant(x’) $\wedge$ Downrun(x’,x”,y) $\wedge$ Invariant(x”)

$\Rightarrow$ story” $=$ story

Hence, this theorem proof is equivalent to:

[A $=$ 1..maxfloor; B $=$ 0..maxsize; Flag:: $=$ up $|$ zero $|$ down; State:: $=$ open $|$ close]

TP6_1’: $\vdash$

$\forall$ x,x’,x”:X;y:Y $\bullet$ Invariant(x) $\wedge$ Uprun(x,x’,y)

$\wedge$ Invariant(x’) $\wedge$ Downrun(x’,x”,y) $\wedge$ Invariant(x”)

$\Rightarrow$ story” $=$ story

For another example, when the elevator runs up or down, the door of the elevator is closed. Therefore, there is:

TP6_2: Context $\vdash\forall$ x,x’,x”:X $\bullet$ (Uprun $\vee$ Downrun $\Rightarrow$ door $=$ close)

Hence, this theorem proof is equivalent to:

[A $=$ 1..maxfloor; B $=$ 0..maxsize; Flag:: $=$ up $|$ zero $|$ down; State:: $=$ open $|$ close]

TP6_2’: $\vdash$

$\forall$ x,x’,x”:X;y:Y $\bullet$ Invariant(x) $\wedge$ Uprun(x,x’,y)

$\wedge$ Invariant(x’) $\wedge$ Downrun(x’,x”,y) $\wedge$ Invariant(x”)

$\Rightarrow$ door $=$ close

According to this method, we can generate relevant theorem proofs for other operations. Other properties are similar.

5. Checking TPs in Z/EVES automatically

According to theory foundation above, relevant theorem proofs for Object-Z formal specification can be generated in order to checking its consistency or correctness. In this section, a method is presented to generate theorem proof and export it to theorem prover Z/EVES [7] to be checked. Prover Z/EVES is a very excellent theorem prover, with general theorem proving function, and can prove non-Z theorems that should accord to Z/EVES syntax. Z/EVES have two styles: explorative and planned.

This section illustrates how to generate theorem proofs (TPs) from Object-Z formal specification and can be directly imported to theorem prover Z/EVES to be proved directly. In the process of explorative proof, a user without knowing how to prove, it begins with a certain target to prove. If lucky, the goal can be proved when various proof commands can be used to explore the proof space. In the process of planned proof, users need to spend some time before starting to work the Z/EVES to make informal evidence of their goals. Generally, checking a theorem proof can use planned proof method. That is to say, it requires manual interventions that need to do several works before proving it.

The theorem proofs generated in previous sections have been checked in prover Z/EVES. TP2 will be used to show how to check it.

5.1 Editing a theorem proof

First, we should edit the theorem to be proved in theorem prover Z/EVES. When we run the theorem prover Z/EVES, the main window (specification window) is displayed first shown in Fig. 2. Of course, the main window (specification window) is blank at first. Choosing the “New paragraph” command from “Edit” menu shown in Fig. 2, we can enter the edit window shown in Fig. 1 and type content. When input is finished, choosing the “Done” command from “File” menu can enter the main window. According to this, we can edit the theorem proofs that need to be proved in it.

Figure 1.

Edit window.

5.2 Analyzing a theorem proof

In theorem prover Z/EVES, planned proof methods may be used, so it can suppose $A$ be 1..30 and $B$ be 0..10. Theorem TP2 is edited in Fig. 1, named theorem Initial_state. The contents about this theorem proof TP2 are all shown in Fig. 2.

After editing, we can use the prover Z/EVES to prove this theorem step and step. First, it can select “Check all paragraphs” from the “Command” menu to check whether its syntax meets the requirements. The “Y” notation in the syntax column indicates no syntax or type errors. The “N” notation in the “proof” column indicates that this theorem needs proof. In Fig. 2, the theorem Initial_state is checked, and the syntax status bar holds “Y” because there are no syntax or type errors, but the “Proof” column will hold “N”. We will prove this theorem in Section 5.3.

Figure 2.

Specification window.

5.3 Checking a theorem proof

In proof window, there are three functions: inspection and modification of proof script, interactive construction proof and proof browsing shown in Fig. 3. In this section, we will prove the initial_state theorem in Z/EVES. The proof window will be displayed shown in Fig. 3, when we select the initial_ state theorem proof and choose “show proof” from the pop-up menu in Fig. 2.

Here, in order to prove this theorem proof Initial_state, the used commands are prove and prove by reduce. The proof steps are shown as follows:

Automatically proof:

(1)
prove
(2)
prove by reduce $\blacksquare$

Figure 3.
Proof window.

When running these two commands step by step, the notation “true” will be displayed in the formula window finally, indicating that the theorem Initial_state has been verified and the run status bar holds a “Y” for every command. So, the experiments with Z/EVES show that the theory above is correct.
6. Conclusion

A software formal specification is useful if and only if it is consistent or non-conflictive. However, in the development process formal specifications may not be consistent or conflictive. Moreover, formal specifications are generally not executable. Runtime syntax and semantic detection are not suitable. However, checking the correctness or consistency of formal specifications is a difficult task. This paper proposes a method to prove its consistency or correctness by generating relevant theorem proofs, requiring that the specification itself is not conflictive first. Next, it needs to verify some attribute. Finally, theorem prover Z/EVES is used to analyze and verify the theorem proofs that ensure the formal specification is consistent or non-conflictive.

References

Smith

, The Object-Z Specification Language, Advances in Formal Methods, Kluwer Academic Publishers, 2000.

Woodcock

and Davies

, Using Z: Specification, Proof and Refinement, Prentice Hall International Series in Computer Science, 1996.

Liu

Deng

et al., Modeling and verification of services oriented cyber physical systems, Journal of Computer Applications 34(6) (2014), 1770–1773.

Hou

Zhou

Chang

and Wang

, Software formal modeling and verification method based on time STM, Journal of Software 26(2) (2015), 223–238.

Guidotti

Leofante

and Tacchella

, Improving reliability of myocontrol using Formal Verification, IEEE Transactions on Neural Systems and Rehabilitation Engineering 27(4) (2019), 564–571.

Liang

and Li

, Formal modeling and verification of resource-oriented internet of things systems, Journal of Chinese Computer Systems 39(1) (2018), 140–145.

Meisels

and Saaltink

, The Z/EVES 2.0 reference manual, ORA Canada, 1999.

Freitas

and Woodcock

, Checking the CICS file control API with Z/EVES: an experiment in the verified software repository, Science of Computer Programming 74(4) (2009), 197–218.

Ribeiro

and Larsen

P.G.

, Theorem proof generation and discharging for recursive definitions in VDM, Formal Methods and Software Engineering (2010), 40–55.

10.

Katz

and Rashid

, From aspectual requirements to theorem proofs for aspect-oriented systems, in: 12th IEEE International (RE’04), 2004, pp, 48–57.

11.

Hallerstede

, On the purpose of Event-B theorem proofs, Abstract State Machines, B and Z (2008), 125–138.

12.

Zhang

and Duan

, Formal transformation and verification of UML model based on specification Z, Computer Engineering and Design 34(6) (2013), 2031–2035.

13.

Miao

Cao

and Hu

, Automatic test case generator for Object-Z specification, Journal of Software 22(6) (2011), 1155–1168.

14.

Dong

and Gao

, Method for generating formal interlocking software model based on scenario, Computer Science 42(1) (2015), 193–195+226.