Also, many-to-many-to-many relationships are possible. Consider the three entities Supplier, Part, and Project shown in that figure. A particular part may be supplied by several suppliers, depending on the project. Also, the various parts supplied for a specific project may come from different suppliers. A many-to-many-to-many relationship is necessary to model such a situation accurately.

Entity-relationship modeling is discussed further in the next chapter, which describes object-oriented analysis, another semiformal technique. The next topic of this chapter is formal techniques. The underlying theme of the next four sections is that employing formal techniques can lead to more precise specifications than are possible [...] mathematical formulations are preceded by informal presentations of the same material. Nevertheless, the level of Sections 11.6 through 11.9 is higher than that of the [...]
[...] originally formulated by the M202 team at the Open University, U.K. [Brady, 1977]. A safe has a combination lock that can be in one of three positions, labeled 1, 2, and 3. The dial can be turned left or right (L or R). Thus, at any time, six dial movements are possible: 1L, 1R, 2L, 2R, 3L, and 3R. The combination to the safe is 1L, 3R, 2L; any other dial movement will cause an alarm to go off. The situation is depicted in Figure 11.12. There is one initial state, Safe Locked. If the input is 1L, then the next state is A, but if any other dial movement, 1R or 3L, say, is made, then the next state is Sound Alarm, one of the two final states. If the correct combination is chosen, then the sequence of transitions is from Safe Locked to A to B to Safe Unlocked, the other final state. Figure 11.12 shows a state transition diagram (STD) of a finite state machine. It is not necessary to depict an STD graphically; the same information is shown in tabular form in Figure 11.13. For each state other than the two final states, the transition to the next state is indicated.
Figure 11.13 Transition table for a finite state machine (current states: Safe Locked, A, B).
A finite state machine consists of five parts: a set of states, J; a set of inputs, K; the transition function, T, that specifies the next state given the current state and the current input; the initial state, S; and the set of final states, F. In the case of the combination lock on the safe:

The set of states J is {Safe Locked, A, B, Safe Unlocked, Sound Alarm}.
The set of inputs K is {1L, 1R, 2L, 2R, 3L, 3R}.
[...]
The initial state S is Safe Locked.
The set of final states F is {Safe Unlocked, Sound Alarm}.

In more formal terms, a finite state machine is a 5-tuple (J, K, T, S, F), where [...]
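As an added illustration, not part of the original text, here is the safe's finite state machine written out as the 5-tuple (J, K, T, S, F) in Python. The states, inputs and combination are those given above; the `trace`, `run` and `is_complete` functions, and the idea of checking T for unspecified (state, input) pairs, are this example's own.

```python
"""The combination-lock safe as a finite state machine (J, K, T, S, F).

Added example: the states, inputs and combination (1L, 3R, 2L) come from the
text; the function names and the completeness check are this example's own.
"""
from typing import Dict, FrozenSet, Iterable, List, Tuple

# J: the set of states
SAFE_LOCKED, A, B, SAFE_UNLOCKED, SOUND_ALARM = (
    "Safe Locked", "A", "B", "Safe Unlocked", "Sound Alarm")
J: FrozenSet[str] = frozenset({SAFE_LOCKED, A, B, SAFE_UNLOCKED, SOUND_ALARM})

# K: the set of inputs, the six possible dial movements
K: FrozenSet[str] = frozenset({"1L", "1R", "2L", "2R", "3L", "3R"})

# S: the initial state; F: the set of final states
S = SAFE_LOCKED
F: FrozenSet[str] = frozenset({SAFE_UNLOCKED, SOUND_ALARM})

# T: the transition function as a table (current state, input) -> next state.
# Only the correct movement advances; any other movement sounds the alarm.
COMBINATION: List[Tuple[str, str, str]] = [
    (SAFE_LOCKED, "1L", A),
    (A, "3R", B),
    (B, "2L", SAFE_UNLOCKED),
]
T: Dict[Tuple[str, str], str] = {
    (state, k): (nxt if k == correct else SOUND_ALARM)
    for state, correct, nxt in COMBINATION
    for k in K
}


def trace(inputs: Iterable[str]) -> List[str]:
    """Return the sequence of states visited, starting from S.

    Final states absorb further input: once the alarm has sounded, no later
    dial movement can move the machine toward Safe Unlocked.
    """
    state = S
    visited = [state]
    for k in inputs:
        if k not in K:
            raise ValueError(f"not a dial movement: {k!r}")
        if state in F:
            break
        state = T[(state, k)]
        visited.append(state)
    return visited


def run(inputs: Iterable[str]) -> str:
    """Return the state the machine ends in after consuming the inputs."""
    return trace(inputs)[-1]


def is_complete() -> bool:
    """Specification check: every non-final state defines a next state for every input.

    A missing (state, input) pair would be an omission in the specification,
    exactly the kind of gap the tabular form of Figure 11.13 makes visible.
    """
    return all((state, k) in T for state in J - F for k in K)


if __name__ == "__main__":
    print(trace(["1L", "3R", "2L"]))        # correct combination: ends in Safe Unlocked
    print(trace(["1L", "3R", "2R"]))        # wrong last movement: ends in Sound Alarm
    print(trace(["1R", "1L", "3R", "2L"]))  # alarm is absorbing: the retry is ignored
    print(is_complete())
```

Two points worth noticing: both final states absorb input, so after one wrong movement the correct combination no longer unlocks anything (there is no silent retry), and `is_complete` is the mechanical form of the check the tabular STD invites, that no (state, input) pair has been left unspecified.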
[...] keyboard or selecting an icon with the mouse is an event that causes the product to go into some other state. For example, entering V when the main menu appears on the screen might cause a volumetric analysis to be performed on the current data set. A new menu then appears, and the user may enter G, P, or R. Selecting G causes the results of the calculation to be graphed, P causes them to be printed, and R causes a return to the main menu. Each transition has the form

current state [menu] and event [option selected] ⇒ next state   (11.1)

To specify a product, [...] to the preceding 5-tuple: a set of predicates, P, where each predicate is a function of the global state, Y, of the product [Kampen, 1987]. More formally, the transition function, T, is now a function from (J × Y) × K × P into J. Transition rules now have [...]
[...] can be modeled in terms of states and transitions between states. To see how this formalism works in practice, the technique will now be applied to a modified version of the so-called elevator problem; see the Just in Case You Wanted to Know box on page 337 for background information on the elevator problem.

The problem concerns the logic required to move n elevators between m floors [...]
Just in Case You Wanted to Know

The elevator problem truly is a classic problem of software engineering. It first appeared in print in 1968 in the first volume of Don Knuth's landmark book, The Art of Computer Programming [Knuth, 1968]. It is based on the single elevator in the mathematics building at the California Institute of Technology. The example was used to illustrate coroutines in the mythical programming language MIX.

By the mid-1980s the elevator problem had been generalized to n elevators; in addition, specific properties of the solution had to be proven, for example, that an elevator eventually would arrive within a finite time. It was now the problem for researchers working in the area of formal specification languages, and any proposed formal specification language had to work for the elevator problem.

The problem attained broader prominence in 1986 when it was published in ACM SIGSOFT Software Engineering Notes in the Call for Papers for the Fourth International Workshop on Software Specification and Design (IWSSD, 1986). The elevator problem was one of five problems to be used as examples by researchers in their submissions to the conference, held in Monterey, California, in May 1987. In the form in which it appeared in the Call for Papers, it was termed the lift problem and attributed to N. (Neil) Davis of STC-IDEC (a division of Standard Telecommunications and Cable, in Stevenage, United Kingdom).

Since then, the problem has attained even wider prominence and has been used to demonstrate an extensive variety of techniques within software engineering in general, not just formal specification languages. It is used in this book to illustrate every technique because, as you soon will discover, the problem is by no means as simple as it looks.
[...] is canceled when the corresponding floor is visited by the elevator.

2. Each floor, except the first floor and the top floor, has two buttons, one to request an up-elevator and one to request a down-elevator. These buttons illuminate when pressed. The illumination is canceled when an elevator visits the floor and then moves in the desired direction.
The state transition diagram for an elevator button is shown in Figure 11.14. Let EB(e, f) denote the button in elevator e that is pressed to request floor f. EB(e, f) can be in two states, with the button on (illuminated) or off. More precisely, the states are

EBON(e, f): Elevator Button (e, f) ON
EBOFF(e, f): Elevator Button (e, f) OFF   (11.3)

If the button is on and the elevator arrives at floor f, then the button is turned off. Conversely, if the button is off and it is pressed, then the button comes on. Thus, two events are involved:
EBP(e, f): Elevator Button (e, f) Pressed
EAF(e, f): Elevator e Arrives at Floor f   (11.4)

To define the state transition rules connecting these events and states, a predicate V(e, f) is needed (a predicate is a condition that is either true or false):

V(e, f): Elevator e is Visiting (stopped at) floor f   (11.5)

[...] (state) and elevator button (e, f) is pressed (event) and elevator e is not visiting floor f (predicate), then the button is turned on. In the format of transition rule (11.2) this [...] off. This is expressed as

EBON(e, f) and EAF(e, f) ⇒ EBOFF(e, f)   (11.7)
Now the floor buttons are considered. FB(d, f) denotes the button on floor f that requests an elevator traveling in direction d. The STD for floor button FB(d, f) is [...]. If the button is on and an elevator arrives at floor f traveling in the correct direction, d, then the button is turned off. Conversely, if the button is off and it is pressed, then the button comes on. Again, two events are involved:
[...]

To define the state transition rules connecting these events and states, a predicate again is needed. In this case, it is S(d, e, f), which is defined as follows: [...]

FBOFF(d, f) and FBP(d, f) and not S(d, 1..n, f) ⇒ [...]

[... if the floor button is off and it is] pushed and none of the elevators currently is visiting floor f about to move in direction d, then the floor button is turned on. Conversely, if the button is on and at least one elevator arrives at floor f and the elevator is about to move in direction d, then the button is turned off. The notation 1..n in S(d, 1..n, f) and EAF(1..n, f) was defined in [...] (11.7) [...] that of S(d, e, f) as follows: [...]
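An added example, not from the text or from Kampen's paper, showing how the (current state, event, predicate) ⇒ next state rules for the elevator buttons and for the floor buttons can be executed against a small global state Y. The rules encode (11.6) and (11.7) for EB(e, f) and the two floor-button rules described above for FB(d, f), with S(d, 1..n, f) read as "for some elevator e"; the `World` class, the `apply_rules` function, the string event names and the sample scenario are this example's own assumptions.

```python
"""Kampen-style extended finite state machine rules for the elevator buttons.

Added example: the rules follow the text's (11.6), (11.7) and the floor-button
rules; the World class, apply_rules and the string event names are this
example's own modelling choices.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

ON, OFF = "ON", "OFF"          # button states EBON/EBOFF and FBON/FBOFF
UP, DOWN = "U", "D"            # directions d


@dataclass
class World:
    """The global state Y that the predicates are functions of."""
    n: int                                   # elevators 1..n
    m: int                                   # floors 1..m
    eb: Dict[Tuple[int, int], str] = field(default_factory=dict)            # EB(e, f)
    fb: Dict[Tuple[str, int], str] = field(default_factory=dict)            # FB(d, f)
    visiting: Set[Tuple[int, int]] = field(default_factory=set)             # V(e, f) holds
    about_to_move: Set[Tuple[str, int, int]] = field(default_factory=set)   # S(d, e, f) holds

    def __post_init__(self) -> None:
        for e in range(1, self.n + 1):
            for f in range(1, self.m + 1):
                self.eb[(e, f)] = OFF
        for f in range(1, self.m + 1):
            for d in (UP, DOWN):
                self.fb[(d, f)] = OFF

    # Predicates: V(e, f) from (11.5), S(d, e, f), and S(d, 1..n, f) as "some elevator".
    def V(self, e: int, f: int) -> bool:
        return (e, f) in self.visiting

    def S(self, d: str, e: int, f: int) -> bool:
        return (d, e, f) in self.about_to_move

    def S_any(self, d: str, f: int) -> bool:
        return any(self.S(d, e, f) for e in range(1, self.n + 1))


# A rule is (current state, event, predicate, next state).
Rule = Tuple[str, str, Callable[..., bool], str]

EB_RULES: List[Rule] = [
    # EBOFF(e, f) and EBP(e, f) and not V(e, f) => EBON(e, f)      (11.6)
    (OFF, "EBP", lambda w, e, f: not w.V(e, f), ON),
    # EBON(e, f) and EAF(e, f) => EBOFF(e, f)                       (11.7)
    (ON, "EAF", lambda w, e, f: True, OFF),
]

FB_RULES: List[Rule] = [
    # FBOFF(d, f) and FBP(d, f) and not S(d, 1..n, f) => FBON(d, f)
    (OFF, "FBP", lambda w, d, f, e: not w.S_any(d, f), ON),
    # FBON(d, f) and EAF(e, f) and S(d, e, f) => FBOFF(d, f), e being the arriving elevator
    (ON, "EAF", lambda w, d, f, e: e is not None and w.S(d, e, f), OFF),
]


def apply_rules(rules: List[Rule], current: str, event: str, world: World, *args) -> str:
    """Return the next state; if no rule's state, event and predicate all match, stay put."""
    for state, ev, predicate, nxt in rules:
        if state == current and ev == event and predicate(world, *args):
            return nxt
    return current


def elevator_button_event(world: World, e: int, f: int, event: str) -> str:
    world.eb[(e, f)] = apply_rules(EB_RULES, world.eb[(e, f)], event, world, e, f)
    return world.eb[(e, f)]


def floor_button_event(world: World, d: str, f: int, event: str,
                       e: Optional[int] = None) -> str:
    world.fb[(d, f)] = apply_rules(FB_RULES, world.fb[(d, f)], event, world, d, f, e)
    return world.fb[(d, f)]


if __name__ == "__main__":
    w = World(n=2, m=5)
    w.visiting.add((1, 3))
    print(elevator_button_event(w, 1, 3, "EBP"))      # OFF: elevator 1 is already at floor 3
    print(elevator_button_event(w, 1, 5, "EBP"))      # ON
    print(elevator_button_event(w, 1, 5, "EAF"))      # OFF: request served
    print(floor_button_event(w, UP, 2, "FBP"))        # ON: nobody about to go up from floor 2
    w.about_to_move.add((DOWN, 2, 2))
    print(floor_button_event(w, UP, 2, "EAF", e=2))   # still ON: elevator 2 is going down
    w.about_to_move.add((UP, 2, 2))
    print(floor_button_event(w, UP, 2, "EAF", e=2))   # OFF
```

The rule table is the specification itself: adding a button behaviour means adding a triple, and a press that arrives while the predicate is false (the elevator is already stopped at that floor) is simply ignored rather than handled by a special case in the controller.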
Turning to the elevators, complications arise. The state of an elevator essentially consists of a number of component substates. Kampen identifies several, such as the elevator slowing and stopping, the door opening, the door open with a timer running, or the door closing after a timeout [Kampen, 1987]. He makes the reasonable assumption that the elevator controller (the mechanism that directs the motion of the elevator) initiates a state such as S(d, e, f) and that the controller then moves the elevator through the substates. Three elevator states can be defined, one of which, S(d, e, f), was defined in definition (11.11) but is included here for completeness:
[...] the diagram and reduce the overall number of states. [...] triggered as it nears floor f and the elevator controller must decide whether to stop the elevator at that floor; and RL, which occurs whenever an elevator button or a floor button is pressed and enters its ON state.

DC(e, f): Door Closed for elevator e, at floor f
ST(e, f): Sensor Triggered as elevator e nears floor f
RL: Request Logged (button pressed)   (11.15)

These events are indicated in Figure 11.16. Finally, the state transition rules for an elevator can be presented. They can be [...]
The first rule states that, if elevator e is in state S(U, e, f), that is, stopped at floor f about to go up, and the doors close, then the elevator will move up toward the next floor. The second and third rules correspond to the cases of the elevator about to go [...]

The format of these rules reflects the power of finite state machines for specifying complex products. Instead of having to list a complex set of preconditions that have to hold for the product to do something and then having to list all the conditions that hold after the product has done it, the specifications take the simple form

current state and event and predicate ⇒ next state

This type of specification is easy to write, easy to validate, and easy to convert into a design and into code. In fact, it is straightforward to construct a CASE tool [...] specifications are modified and a new version of the product generated directly from [...]

The FSM approach is more precise than the graphical technique of Gane and Sarsen presented in Section 11.3.1, but it is almost as easy to understand. It has a drawback, in that for large systems the number of (state, event, predicate) triples can grow rapidly. Also, like Gane and Sarsen's technique, timing considerations are not handled in Kampen's formalism.

These problems can be solved using statecharts, an extension of FSMs [Harel et al., 1990]. Statecharts are extremely powerful and are supported by a CASE workbench, Rhapsody. The approach has been successfully used for a number of large [...]
[...] difficulty can manifest itself in many different ways, such as synchronization problems, race conditions, and deadlock [Silberschatz and Galvin, 1998]. Although timing problems can arise as a consequence of a poor design or a faulty implementation, such designs and implementations often are the consequence of poor specifications. If specifications are not properly drawn up, there is a very real risk that the corresponding design and implementation will be inadequate. One powerful technique for specifying systems with potential timing problems is Petri nets. A further advantage of this technique is that it can be used for the design as well.

Petri nets were invented by Carl Adam Petri [Petri, 1962]. Originally of interest only to automata theorists, Petri nets have found wide applicability in computer science, being used in such fields as performance evaluation, operating systems, and software engineering. In particular, Petri nets have proven useful for describing [...]
The output functions for the two transitions, represented by the arrows from [...]. Note the duplication of p3; there are two arrows from t2 to p3.

More formally [Peterson, 1981], a Petri net structure is a 4-tuple, C = (P, T, I, O).
[...]
T = {t1, t2, ..., tm} is a finite set of transitions, m ≥ 0, with P and T disjoint.
I: T → P^∞ is the input function, a mapping from transitions to bags of places.
[...]

[...] tokens: one in p1, two in p2, none in p3, and one in p4. The marking contains four [...]
[...] is enabled because there are tokens in p2 and in p4; in general, a transition is enabled if each of its input places has as many tokens in it as there are arcs from the place to that transition. If t1 were to fire, one token would be removed from p2 and one from p4, and one new token would be placed in p1. The number of tokens is not conserved: two tokens are removed, but only one new one is placed in p1. In Figure 11.18, transition t2 is enabled, because there are tokens in p2. If t2 were to fire, one token would [...] t2 are enabled; suppose that t1 fires. The resulting marking (2, 1, 0, 0) is shown in Figure 11.19, where only t2 is enabled. It fires, the enabling token is removed from [...]

More formally [Peterson, 1981], a marking, M, of a Petri net, C = (P, T, I, O), is a function from the set of places, P, to the set of nonnegative integers:

M: P → {0, 1, 2, ...}

A marked Petri net then is a 5-tuple (P, T, I, O, M).

An important extension to a Petri net is an inhibitor arc. In Figure 11.21 the inhibitor arc is marked by a small circle rather than an arrowhead. Transition t1 is enabled because a token is in p3 but no token in p2. In general, a transition is enabled if at least one token is on each of its (normal) input arcs and no tokens on any of its inhibitor input arcs. This extension will be used in a Petri net specification of the [...]

[...] 1 ≤ f ≤ m, in the Petri net; an elevator is represented by a token. A token in Ff denotes [...]
First constraint: Each elevator has a set of m buttons, one for each floor. These [...] The elevator button for floor f is represented in the Petri net by place EBf, 1 ≤ f ≤ m. More precisely, because there are n elevators, the place should be denoted EBfe with 1 ≤ f ≤ m, 1 ≤ e ≤ n. But, for the sake of simplicity of notation, the subscript e representing the elevator is suppressed. A token in EBf denotes that the elevator button for floor f is illuminated. Because the button must be illuminated the first time the button is pressed and subsequent button presses must be ignored, this is specified using a Petri net as shown in Figure 11.22. First suppose that button EBf is not illuminated. Accordingly, no token is in place and, because of the presence of the inhibitor arc, transition EBf pressed is enabled. The button now is pressed. The transition fires and a new token is placed in EBf, as shown in Figure 11.22. Now, no matter how many times the button is pressed, the combination of the inhibitor arc and the presence of the token means that transition EBf pressed cannot be enabled. Therefore, no more than one token ever can be in place EBf. Suppose that the elevator is to travel from floor g to floor f. Because the elevator is at floor g, a token is in place Fg, as shown in Figure 11.22. Transition Elevator in action is enabled and fires. The tokens in EBf and Fg are removed, turning off button EBf, and a new token appears in Ff; the firing of this transition brings the elevator from floor g to floor f.

This motion from floor g to floor f cannot take place instantaneously. To handle this and similar issues, such as the physical impossibility for a button to illuminate at the very instant it is pressed, timing must be added to the Petri net model. That is, whereas in classical Petri net theory transitions are instantaneous, in practical situations, such as the elevator problem, timed Petri nets [Coolahan and Roussopoulos, 1983] [...] the floor then moves in the desired direction.

Figure 11.22 Petri net for an elevator button (labels: EBf pressed, EBf, Elevator in action, Ff).
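An added example, not code from the text or from Peterson, that covers both the formal definition of a marked Petri net given above and the elevator-button net of Figure 11.22. The enabling rule (as many tokens as arcs from each input place, no token on any inhibitor input place), the firing rule with its non-conservation of tokens, the initial marking (one token in p1, two in p2, none in p3, one in p4) and the two arrows from t2 to p3 follow the text; the arc t1: {p2, p4} → {p1} is taken from the firing described above. The `PetriNet` class, its `H` set of inhibitor places and the function names are this example's own.

```python
"""Marked Petri net (P, T, I, O, M) with inhibitor arcs.

Added example, not from the text: the enabling and firing rules and the two
sample nets follow the description in this section; the class design, the H
set of inhibitor places and the function names are this example's own.
"""
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple


class PetriNet:
    def __init__(self, places: Iterable[str]) -> None:
        self.P: List[str] = list(places)
        self.I: Dict[str, Counter] = {}      # input function: transition -> bag of places
        self.O: Dict[str, Counter] = {}      # output function: transition -> bag of places
        self.H: Dict[str, Set[str]] = {}     # inhibitor input places (the extension)
        self.M: Dict[str, int] = {p: 0 for p in self.P}   # marking M: P -> {0, 1, 2, ...}

    def add_transition(self, t: str, inputs: Iterable[str] = (),
                       outputs: Iterable[str] = (), inhibitors: Iterable[str] = ()) -> None:
        inputs, outputs, inhibitors = list(inputs), list(outputs), list(inhibitors)
        for p in inputs + outputs + inhibitors:
            if p not in self.M:
                raise ValueError(f"unknown place {p!r}")
        # Bags: a place listed twice means two arcs, i.e. two tokens consumed or produced.
        self.I[t], self.O[t], self.H[t] = Counter(inputs), Counter(outputs), set(inhibitors)

    def mark(self, tokens: Dict[str, int]) -> "PetriNet":
        self.M.update(tokens)
        return self

    def marking(self) -> Tuple[int, ...]:
        return tuple(self.M[p] for p in self.P)

    def enabled(self, t: str) -> bool:
        # Each input place must hold at least as many tokens as there are arcs from it
        # to t, and (extension) no inhibitor input place may hold any token.
        return (all(self.M[p] >= k for p, k in self.I[t].items())
                and all(self.M[p] == 0 for p in self.H[t]))

    def enabled_transitions(self) -> List[str]:
        return [t for t in self.I if self.enabled(t)]

    def fire(self, t: str) -> Tuple[int, ...]:
        if not self.enabled(t):
            raise RuntimeError(f"{t!r} is not enabled in marking {self.marking()}")
        for p, k in self.I[t].items():
            self.M[p] -= k
        for p, k in self.O[t].items():      # tokens are not conserved
            self.M[p] += k
        return self.marking()


def two_transition_example() -> PetriNet:
    """The four-place, two-transition net of the text with its initial marking."""
    net = PetriNet(["p1", "p2", "p3", "p4"])
    net.add_transition("t1", inputs=["p2", "p4"], outputs=["p1"])
    net.add_transition("t2", inputs=["p2"], outputs=["p3", "p3"])   # two arrows t2 -> p3
    return net.mark({"p1": 1, "p2": 2, "p3": 0, "p4": 1})


def elevator_button_net(g: int, f: int) -> PetriNet:
    """Figure 11.22: button EBf, the elevator at floor g, moving it to floor f."""
    eb, fg, ff = f"EB{f}", f"F{g}", f"F{f}"
    net = PetriNet([eb, fg, ff])
    # Pressing is inhibited while EBf already holds a token: at most one token ever.
    net.add_transition(f"{eb} pressed", outputs=[eb], inhibitors=[eb])
    net.add_transition("Elevator in action", inputs=[eb, fg], outputs=[ff])
    return net.mark({fg: 1})


def press_repeatedly(net: PetriNet, f: int, times: int) -> Tuple[int, int]:
    """Press EBf `times` times; return (number of firings, tokens left in EBf)."""
    t, fired = f"EB{f} pressed", 0
    for _ in range(times):
        if net.enabled(t):
            net.fire(t)
            fired += 1
    return fired, net.M[f"EB{f}"]


if __name__ == "__main__":
    net = two_transition_example()
    print(net.enabled_transitions(), net.fire("t1"), net.enabled_transitions(), net.fire("t2"))
    lift = elevator_button_net(g=2, f=5)
    print(press_repeatedly(lift, 5, 3), lift.fire("Elevator in action"), lift.enabled_transitions())
```

Running the first net reproduces the sequence in the text: from (1, 2, 0, 1) both transitions are enabled, firing t1 gives (2, 1, 0, 0) with only t2 enabled, and firing t2 leaves nothing enabled. In the button net the inhibitor arc is what makes repeated presses harmless, and after Elevator in action has fired with no request outstanding it is not enabled again, which is the third constraint in miniature.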
[...] floor g with one or both buttons illuminated is shown in Figure 11.23. In fact, that figure needs further refinement, because if both the buttons are illuminated, one is turned off on a nondeterministic basis. To ensure that the correct button is turned off requires a Petri net model too complicated to present here; see, for example, [Ghezzi [...]].

Third constraint: When an elevator has no requests, it remains at its current floor with its doors closed. This is achieved easily: If there are no requests, no Elevator in action transition [...]

Not only can Petri nets be used to represent the specifications, they can be used for the design as well [Guha, Lang, and Bassiouni, 1987]. Even at this stage of the development of the product, it is clear that Petri nets possess the expressive power [...]

11.8 Z

A formal specification language gaining widely in popularity is Z [Spivey, 1992]. (For the correct pronunciation of the name Z, see the Just in Case You Wanted to Know box on page 347.) Use of Z requires knowledge of set theory, functions, and [...]
Just in Case You Wanted to Know

[...] of the great set theorist Ernst Friedrich Ferdinand Zermelo (1871-1953). Because it was developed at Oxford University [Abrial, 1980], the name Z is properly pronounced "zed," the way the British pronounce the 26th letter of the alphabet.

Lately, however, moves are afoot to acknowledge that Z is named after a German mathematician and to pronounce it the German way, "zet." In response, Francophiles and Francophones point out that Abrial [...]

[...] pronounced "zee" is the name of an American fourth-generation language (see Section 14.2). However, we cannot trademark a single letter of the alphabet. Furthermore, we are free to pronounce the letter Z the way we wish. Nevertheless, within the programming language context, the pronunciation "zee" refers to the 4GL, not the formal specification language.

Watch this space for the next round in the Z pronunciation wars.
[...] the elevator problem of [...]

1. Given sets, data types, and constants
[...]

In the elevator problem, there are four subsets of Button: the floor buttons, the elevator buttons, buttons (the set of all buttons in the elevator problem), and pushed, the set of those buttons that have been pushed (and therefore are on). Figure 11.25 depicts the schema Button_State. The symbol P denotes the power set (the set of all subsets of a given set). The constraints, that is, the statements below the horizontal line, state that the set of floor buttons and elevator buttons are disjoint and that together [...] on. The button is added to the set pushed. This is depicted in Figure 11.26, in which operation Push_Button is defined. The ΔButton_State in the first line of the schema denotes that this operation changes the state of Button_State. The operation has one input variable, button?. As in various other languages (such as CSP [Hoare, 1985]), the question mark [...]
Figure 11.26 Z specification of operation Push_Button.

[...] performed, button? must be added to the set pushed. There is no need to turn on the button explicitly; it is sufficient that button? now is an element of pushed.

The other possibility is that an already pushed button is pushed again. Because button? ∈ pushed, the third precondition holds¹ and, as required, nothing happens. This is indicated by the statement pushed' = pushed; the new state of pushed is the [...]
Now suppose an elevator arrives at a floor. If the corresponding floor button is on, then it must be turned off, and similarly for the corresponding elevator button. That is, if button? is an element of pushed, then it must be removed from the set, as shown in Figure 11.27. (The symbol \ denotes set difference.) However, if a button is not on, then set pushed is unchanged.

The solution presented in this section is an oversimplification, in that it does not distinguish between up and down floor buttons. Nevertheless, it gives an indication of how Z can be used to specify the behavior of the buttons in the elevator problem.
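An added example, not from the text or from Spivey, that expresses Button_State, Push_Button and the arrival operation of Figures 11.25 to 11.27 in Python so that the three cases can be exercised. The sets, the disjointness constraint, and the behaviour pushed' = pushed ∪ {button?} for a new push, pushed' = pushed for a repeated push, and pushed' = pushed \ {button?} on arrival follow the text; the `ButtonState` class, the `_delta` wrapper that checks the state invariant before and after each operation (the obligation ΔButton_State imposes), and the button names in the sample are this example's own.

```python
"""The Z schemas Button_State, Push_Button and the arrival operation as Python.

Added example: the sets, the disjointness constraint, the three Push_Button
cases and the set-difference arrival follow the text; the class, function
names and the explicit invariant check around each operation are this
example's own.
"""
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, Set

Button = str


@dataclass
class ButtonState:
    floor_buttons: FrozenSet[Button]
    elevator_buttons: FrozenSet[Button]
    pushed: Set[Button] = field(default_factory=set)   # the buttons currently on

    @property
    def buttons(self) -> FrozenSet[Button]:
        """buttons: all buttons in the elevator problem."""
        return self.floor_buttons | self.elevator_buttons

    def invariant(self) -> bool:
        """Constraints below the line: the two kinds are disjoint; pushed is a subset of buttons."""
        return (self.floor_buttons.isdisjoint(self.elevator_buttons)
                and self.pushed <= self.buttons)


def _delta(st: ButtonState, op: Callable[[ButtonState], None]) -> FrozenSet[Button]:
    """Delta Button_State: the operation may change the state, but the invariant
    must hold both before and after. Returns pushed' (the new value of pushed)."""
    if not st.invariant():
        raise ValueError("Button_State invariant violated before operation")
    op(st)
    if not st.invariant():
        raise ValueError("Button_State invariant violated after operation")
    return frozenset(st.pushed)


def push_button(st: ButtonState, button: Button) -> FrozenSet[Button]:
    """Push_Button with input button?.

    A floor or elevator button that is not yet pushed is added to pushed; there
    is no separate 'turn on' step, membership in pushed is the illumination.
    A button already pushed satisfies the third precondition: pushed' = pushed.
    """
    if button not in st.buttons:
        raise ValueError(f"{button!r} is not a button of this system")

    def op(s: ButtonState) -> None:
        if button not in s.pushed:
            s.pushed.add(button)          # pushed' = pushed union {button?}
        # else: (button? in pushed) and (pushed' = pushed), nothing happens
    return _delta(st, op)


def elevator_arrives(st: ButtonState, button: Button) -> FrozenSet[Button]:
    """An elevator arrives: the corresponding floor button (or elevator button)
    goes off, pushed' = pushed minus {button?}. A button that is not on leaves
    pushed unchanged."""
    if button not in st.buttons:
        raise ValueError(f"{button!r} is not a button of this system")

    def op(s: ButtonState) -> None:
        s.pushed.discard(button)
    return _delta(st, op)


if __name__ == "__main__":
    st = ButtonState(floor_buttons=frozenset({"F1U", "F2D"}),
                     elevator_buttons=frozenset({"E1:1", "E1:2"}))
    print(push_button(st, "F1U"), push_button(st, "F1U"))      # second push changes nothing
    print(push_button(st, "E1:2"), elevator_arrives(st, "F1U"), elevator_arrives(st, "F2D"))
```

The point of `_delta` is the one Z makes with the schema's constraint lines: an operation is only acceptable if it preserves the state invariant, and checking that at run time is the cheap approximation of proving it, which is what item 3 of the next section refers to.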
11.8.2 Analysis of Z

¹ Without the third precondition, the specification would not state what is to happen if a button already pushed [...]

(button? ∈ pushed) ∧ (pushed' = pushed)
These successes perhaps are somewhat surprising, in view of the fact that, even for the simplified version of the elevator problem, it is clear that Z is not straightforward to use. First is the problem caused by the notation; a new user has to learn the set of symbols and their meanings before being able to read Z specifications, let alone write them. Second, not every software engineer has the required training in mathematics to be able to use Z (although recent graduates of almost all computer science programs either know enough mathematics to use Z or could learn what they still need to know [...]

1. [...] especially during inspections of the specifications themselves and inspections of designs or code against the formal specifications [Nix and Collins, 1988; Hall, 1990].
2. Writing Z specifications requires the specifier to be extremely precise; as a result of this need for exactness, there appear to be fewer ambiguities, contradictions, and omissions than with informal specifications.
3. As a formal language, Z allows developers to prove specifications correct when necessary. Thus, although some organizations rarely do any correctness proving, such proofs have been done, even for such practical specifications as [...]
[...]
6. The problem that the client cannot understand specifications written in Z has been [...], including rewriting the specifications in natural [...]
[...] clearer than informal specifications constructed from scratch. (This also was the experience with Meyer's English paraphrase of his formal specification for Naur's text-processing problem, described in Section 11.2.)

The bottom line is that, notwithstanding the arguments to the contrary, Z has been used successfully in the software industry for a number of large-scale projects. Although the vast majority of specifications continue to be written in languages considerably less formal than Z, there is a growing global trend toward the use of formal specifications. The use of such formal specifications traditionally has been largely a European practice. However, more and more organizations in the United States are employing formal specifications of one sort or another. The extent to which Z and similar languages will be used in the future remains to be seen.
Many other formal techniques have been proposed. These techniques are extremely varied. For example, Anna [Luckham and von Henke, 1985] is a formal specification language for Ada. Some formal techniques are knowledge based, such as Gist [Balzer, 1985]. Gist was designed so users could describe processes in a way as close as possible to the way we think about processes. This was to be achieved by formalizing the constructs used in natural languages. In practice, Gist specifications are as hard to read as most other formal specifications, so much so that a paraphraser from Gist to English has been written.

The Vienna definition method (VDM) [Jones, 1986b] is a technique based on denotational semantics [Gordon, 1979]. VDM can be applied, not just to the specifications, but also to the design and implementation. VDM has been used successfully in a number of projects, most spectacularly in the Dansk Datamatik Center development of the DDC Ada compiler system [Oest, 1986].

A different way of looking at specifications is to view them in terms of sequences of events, where an event is either a simple action or a communication that transfers data into or out of the system. For example, in the elevator problem one event consists of pushing the elevator button for floor f on elevator e and its resulting illumination. Another event is elevator e leaving floor f in the downward direction and the canceling of the illumination of the corresponding floor button. The language Communicating Sequential Processes (CSP), invented by Hoare, is based on the idea of describing the behavior of a system in terms of such events [Hoare, 1985]. In CSP, a process is described in terms of the sequences of events in which the process will engage with its environment. Processes interact with each other by sending messages to one another. CSP allows processes to be combined in a wide variety of ways, such as sequentially, in parallel, or interleaved nondeterministically.

The power of CSP lies in the executable nature of CSP specifications [Delisle and Schwartz, 1987]; as a result, they can be checked for internal consistency. In addition, CSP provides a framework for going from specifications to design to implementation in a sequence of steps that preserve validity. In other words, if the specifications are correct and the transformations are performed correctly, then the design and implementation will be correct as well. Going from design to implementation is particularly [...]

[...] language to learn. An attempt was made to include a CSP specification for the elevator [...] general as this one. The relationship between the power of a specification language and its degree of difficulty of use is expanded in the next section.
The main lesson of this chapter is that every development organization has to decide what type of specification language is appropriate for the product about to be developed [...] formal technique. Conversely, each formal technique supports a variety of features [...] difficult to learn and use. Also, a formal specification can be difficult for the client to understand. In other words, there is a trade-off between ease of use and the power of a specification language.

In some circumstances, the choice of specification language type is easy. For example, if the vast majority of the members of the development team have no training in computer science, then it is virtually impossible to use anything other than an informal or semiformal specification technique. Conversely, where a mission-critical real-time system is being built in a research laboratory, the power of a formal specification technique almost certainly will be required.

An additional complicating factor is that many of the newer formal techniques have not been tested under practical conditions. Considerable risk is involved in using such a technique. Large sums of money are needed to pay for training the relevant members of the development team, and more money will be spent while the team [...]. Furthermore, the language's supporting software tools might not work properly, as [...]

[...] on the project, the development team, the management team, and myriad other factors such as the client insisting that a specific method be used (or not used). As with so
many other aspects of software engineering, trade-offs have to be made. Unfortunately, there is no simple rule for deciding which specification technique to use.

Comparison of specification techniques:

Informal. Strengths: easy to use; easy for the client to understand. Weaknesses: specifications can be ambiguous, contradictory, and/or incomplete.

Semiformal (entity-relationship modeling, Section 11.4; [...], Section 11.3). Strengths: can be understood by the client. Weaknesses: not as precise as formal methods; generally cannot handle timing.

Formal (extended finite state machines, Section 11.6; [...]; CSP, Section 11.9). Strengths: can reduce specification faults; can reduce development cost; can support correctness proving. Weaknesses: hard to use; almost impossible for most clients to understand.
11.11 Testing During the Specification Phase

During the specification phase, the functionality of the proposed product is expressed precisely in the specification document. It is vital to verify that the specification document is correct. One way to do this is by means of a walkthrough of the document (Section 6.2.1).

A more powerful mechanism for detecting faults in specification documents is inspection (Section 6.2.3). A team of inspectors reviews the specifications against a checklist. Typical items on a specification inspection checklist include these: Have the required hardware resources been specified? Have the acceptance criteria been specified?