How To Write A Paper On Csp And Object-Z

Transcription

1 Renementandvericationofconcurrentsystemsspecied TechnischeUniversitatBerlin,FBInformatik,FGSoftwaretechnik, GraemeSmithandJohnDerricky inobject-zandcsp ycomputinglaboratory,universityofkent,canterbury,ct27nf,uk. Sekr.FR5-6,Franklinstr.28/29,D-10587Berlin,Germany. morethenoneformalspecicationlanguage.suchacombinationoflanguagesisparticularly suitedtothespecicationofconcurrentordistributedsystems,whereboththemodelling Theformaldevelopmentoflargeorcomplexsystemscanoftenbefacilitatedbytheuseof Abstract ofprocessesandstateisnecessary.thispaperpresentsanapproachtorenementand Object-Zcomponentsofaspecicationwedevelopstate-basedrenementrelationswhichare soundandcompletewithrespecttocsprenement. vericationofspecicationswrittenusingacombinationofobject-zandcsp. tobeused,baseduponcsprenement.toenablestate-basedtechniquestobeusedforthe Acommonsemanticbasisforthetwolanguagesenablesauniedmethodofrenement methodallowsustoverifypropertiesofthecspsystemspecicationintermsofitscomponent Object-ZclassesbyusingthelawsoftheCSPoperatorstogetherwiththelogicforObject-Z. Inaddition,avericationmethodforstaticanddynamicpropertiesispresented.The 1 Introduction Keywords:Object-Z;CSP;Renement;Verication;Concurrency. Theformaldevelopmentofparticularlylarge,orcomplex,systemscanoftenbefacilitatedby suchsystems.thisrealisationhasleadtothedevelopmentofnewspecicationlanguageswhich theuseofmorethenoneformalspecicationlanguage.whilemostspecicationlanguagescan beusedtospecifyentiresystems,few,ifany,areparticularlysuitedtomodellingallaspectsof combinefeaturesofoneormoreexistinglanguages[1,8]and,morerecently,approachesforformally integratingexistinglanguages[4,24,11,22,9]. Suchacombinationoflanguagesisparticularlysuitedtothespecicationofconcurrentordistributedsystems,whereboththemodellingofprocessesandstateisnecessary.Processalgebras suchasccs[16]andcsp[12]aresuitablevehiclesformodellingtheinteractionsbetweenprocesses ortheirtemporalordering.state-basedlanguagessuchasz[23]orvdm[14],however,oerbetter facilitiesforthespecicationofthecomplexdatastructureswhichmaybeneededtodescribe theprocessesthemselves.indeed,theopendistributedprocessingreferencemodel[13]recognises thatdierentlanguagesarelikelytobeusedinthedierentviewpointspecicationsofalarge distributedsystem. 2

2 AmethodofformallyspecifyingconcurrentsystemsusingObject-Z[7],anobject-orientedextensionofZ,togetherwithCSPisdescribedin[22].TherationaleisthatObject-Zprovidesaconvenientmethodofmodellingthecomplexdatastructuresneededtodenecomponentprocesses, moretraditionalstate-basedlanguagessuchaszisthatitsclassstructureprovidesaconstruct classesidenticaltothatofcspprocesses.thisenablesclassesspeciedinobject-ztobeused directlywithinthecsppartofthespecication. andcspenablestheconcisespecicationofprocessinteraction.theadvantageofobject-zover easilyidentiablewithcspprocesses.thebasisoftheintegrationisasemanticsofobject-z toverifybothstaticanddynamic,i.e.behavioural,propertiesofthesespecications.thework describedherepresentsamethodofreningspecicationswrittenintheintegratedobject-z/ mentofspecicationsthroughawell-denedmethodofrenement.itisalsodesirabletobeable CSPnotation,andamethodforverifyingsuchpropertiesofthosespecications. However,inadditiontospecication,anotationneedstobeabletosupportincrementaldevelop- Thecommonsemanticbasisforthetwolanguagesenablesauniedmethodofrenementtobe forverifyingarenementitismoreconvenienttobeabletouseastate-basedrenementrelation usecsprenementastherenementrelationfortheintegratednotation.however,asameans developedfortheintegratednotation:becausewegiveobject-zclassesacspsemantics,wecan fortheobject-zcomponents,ratherthanhavingtocalculatetheirsemantics.inordertodoso, whicharesoundandcompletewithrespecttocsprenement. weadapttheworkofjosephs[15],whohasdevelopedrenementrelationsforstate-basedsystems Inordertobeabletoverifystaticanddynamicproperties,wepresentamethodofvericationfor theintegratednotation.themethodallowsustoverifypropertiesofthecspsystemspecication intermsofitscomponentobject-zclassesbyusingthelawsofthecspoperatorspresentedin [12]togetherwiththelogicforObject-Zin[19].CSPandObject-Zpropertiesarerelatedvia auxiliaryvariablesintroducedintotheobject-zclassesusinginheritance. Thepaperisstructuredasfollows.Section2presentstheintegrationofObject-ZandCSPbased onthecommonsemantics.section3thendiscussesrenementintheintegratednotation,and denesthestate-basedrenementrelationsthatwewillusefortheobject-zcomponentsofa specication.section4explainshowpropertiesofspecicationscanbeveried,andweconclude insection5.throughoutthepaperweillustratethesetechniqueswiththespecicationand 2renementofacinemabookingsystem. ThissectionpresentstheintegrationofObject-ZandCSP.Thebasisofthisintegrationisa semanticsofobject-zclassesidenticaltothatofcspprocesses.thisallowsclassesspeciedin IntegratingObject-ZandCSP Object-ZtobeuseddirectlywithintheCSPpartofthespecication.Theapproachtospecication comprisesthreephases. TherstphaseinvolvesspecifyingthecomponentsofthesystemusingObject-Z.Sinceall subsetofobject-zisusedwhichdoesnotincludeinstantiationofobjectsofaclass(see[7] interactionofsystemcomponentsisspeciedinthecsppartofthespecication,arestricted Thecomponentsspeciedintherstphasewillgenerallynotbeinaformthatallows fordetails).thisrestrictiongreatlysimpliesreasoningabouttheobject-zpartofthe specication. interfacessothattheywillsynchroniseandcommunicateasdesired.thismaybeachieved themtobecomposedusingcspoperators.thesecondphaseinvolvesmodifyingtheclass usingobject-zinheritance. 3

3 ThenalphaseinvolvesthespecicationofthesystemusingCSPoperators.Asdetailedin Thisoptionalphaseisnotrequiredforthesimpleexamplespresentedinthispaper.An exampleillustratingitsusecanbefoundin[22]. Toillustratetheapproachwepresentacasestudyofacinemabookingsystem.Thiscasestudy isbasedonthespecicationoftheapolloboxocein[25]butextendedtosupportmultiple thissection,awell-denednessconditionisplacedonthehidingoperatorrestrictingitsuse. customers. 2.1Specifyingthecomponentsofasystem calls,ifthereisanavailableticketthenoneisallocatedandputtoonesideforthecaller.when TheMarloweboxoceallowscustomerstobookticketsinadvancebytelephone.Whenacustomer callybyanamedboxpossiblywithgenericparameters.inthisboxtheremaybelocaltypeand approach,thesewillbespeciedbyobject-zclasses.aclassinobject-zisrepresentedsyntacti- ThecomponentsofthebookingsystemarethecustomersandtheMarloweboxoce.Inour thecustomerarrives,theyarepresentedwiththisticket. constantdenitions,atmostonestateschemaandassociatedinitialstateschema,andzeroor moreoperationschemas.asanexample,considerthespecicationofacustomerofthebooking system. LetNamedenotethesetofallcustomernamesandTicketthesetofalltickets. Customer myname:name name!:name name!=myname Book name!:name t?:ticket name!=myname Arrive andarrivingtocollectaticketrespectively.theyhaveinputparameters(denotedbynames BookandArrive.TheoperationsBookandArrivecorrespondtothecustomerbookingaticket endingin?)andoutputparameters(denotedbynamesendingin!)forcommunicationwiththe boxoce. Thisclasshasasingleconstantmynamedenotingthenameofthecustomerandtwooperations: AmoresubstantialexampleofaclassisprovidedbythespecicationoftheMarloweboxoce. 4

4 Marlowe mpool:pticket tkt:name7ticket tkt=? (tkt;mpool) INIT name?:name name?62domtkt Book mpool6=? 9t:mpool (tkt) Arrive mpool0=mpoolnftg name?:name tkt0=tkt[fname?7!tg t!:ticket name?2domtkt t!=tkt(name?) Thisclasshasastateschemawithtwostatevariables:mpool,denotingthepooloftickets,and tkt0=fname?g?ctkt tkt,apartialinjectivefunctionfromnametoticketrecordingwhichticketshavebeenallocated towhichcustomers.initially,noticketshavebeenallocated. Eachoperationschemahasa-listofthestatevariableswhichitmaychange.Statevariables notlistedremainunchanged.theoperationbookisfeasiblewhenevertherearestilltickets available(mpool6=?)andallocatesatickettoacustomerwhohasnotalreadymadeabooking (name?62domtkt).theoperationarriveissuestheticketbutdoesnotchangethepooloftickets (mpool=mpool0isaconsequenceofmpoolnotappearinginthe-listoftheoperationarrive). 2.2Specifyingthesystem TospecifythebookingsystemweuseCSPoperatorstocapturetheinteractionbetweenthe customersandboxoce.thisismadepossiblebygivingasemanticstoobject-zclasseswhich 2.2.1SemanticsofCSPprocesses isidenticaltothatofcspprocesses. failures-divergencessemanticsof[3,12].inthissemantics,aprocessismodelledbythetriple (A;F;D)whereAisitsalphabet(i.e.thesetofeventsthatitcanpossiblyengagein)1,Fisits ThereareseveralsemanticmodelsforCSPprocesses.Themostwidelyacceptedoftheseisthe process,i.e.anitesequenceofeventsthattheprocessmayundergo,andxisasetofeventsthe failuresandditsdivergences.thefailuresofaprocessarepairs(s;x)wheresisatraceofthe 1Thealphabetismadeimplicitin[3]byassumingallprocesseshavethesamealphabet. 5

5 anenvironmentwhichonlyallowsittoundergoeventsinx,itmaydeadlock.thedivergencesof processmayrefusetoperformafterundergoings.thatis,iftheprocessafterundergoingsisin aprocessarethesequencesofeventsafterwhichtheprocessmayundergoaninnitesequenceof internalevents,i.e.livelock.divergencesalsoresultfromunguardedrecursion. Weadopt,however,avariantofthesimplerfailuressemanticsof[2].Thissemanticsdoesn't includeacomponentcorrespondingtothedivergencesofaprocess.thereasonforadoptingthis simplersemanticsisbecauseobject-ziscapableofmodellingunboundednondeterminism,i.e. whereachoiceismadefromaninniteset,whichcannotbemodelledinstandardcsp.asshown areasfollows. in[17]and[22],thiscanleadtoproblemswhencalculatingdivergences. GivenaclasswithalphabetAandfailuresFAPA,thepropertiesofthesemanticsweadopt (sat;?)2f)(s;?)2f (s;x)2f^(8x2y(sahxi;?)62f))(s;x[y)2f (s;x)2f^yx)(s;y)2f (hi;?)2f (F3) (F4) (F2) (F1) Thatis,wehavedroppedtherestrictionin[2]thatthesetofrefusedeventsisniteasisalso divergencefree.thisistrueofprocessescorrespondingtoobject-zclassessinceobject-zhasno Forthefailuressemanticstobeadequate,however,wemustensurethatourspecicationsare donein[3]2and[15]. notionofinternaloperationsnorrecursivedenitionsofoperations3.itcanbeensuredforother asisdonein[15].thatis,givenaprocesspwithfailuresf,pnciswell-denedonlyif processesinourapproachbyplacingawell-denednessconditiononthehidingoperatorofcsp Thispreventsinnitesequencesofeventsbeinghidden. Analternativesolutiontotheproblemofunboundednondeterminismwouldbetoaddtothe 8s2domF:(8n2N9t2C#t>n^sat2domF) failures-divergencessemanticsacomponentcorrespondingtotheinnitetracesofaprocessasis adoptingthismorecomplicatedsemanticsareworthwhile,however,needstobeinvestigated. donein[18].inthiscase,norestrictionwouldberequiredonhiding.whetherthebenetsof modelledbyitssetofhistories,i.e.thesequencesofstatesitcanpassthroughtogetherwiththe 2.2.2SemanticsofObject-Zclasses AsemanticsofObject-Zclassesispresentedin[21]where,followingtheworkof[6],aclassis correspondingsequencesofoperationsitcanundergo. classcanberepresentedbyaset GiventhesetofallpossibleidentiersIdandthesetofallpossiblevaluesValue,thestatesofa beunnecessaryin[17]. andtheoperationsbyaset 2Theadditionalpropertystatingthatasetisrefusableifallitsnitesubsetsarerefusablein[3]wasshownto S(Id77!Value) moreconservativeviewofobject-zinthispaper. 3AlthoughrecursivedenitionsofoperationshavebeensuggestedforObject-Z(e.g.[5]),wehaveadopteda 6

6 Theoperationsareinstancesoftheclass'operationschemas.Theycomprisethenameoftheoperationschematogetherwithanassignmentofvaluestoitsparameters.Forexample,(Book;f(name?;n)g) OId(Id77!Value): historiesofaclasswithstatessandoperationsocanberepresentedbyaset wheren2nameisapossibleoperationoftheclassmarlowe. sequencesareinnite4orthestatesequenceisonelongerthantheoperationsequence.the Ahistoryisanon-emptysequenceofstatestogetherwithasequenceofoperations.Eitherboth suchthatthefollowingpropertieshold. HS!O! (s;o)2h^s2s)#s=#o+1 (s1as2;o1ao2)2h^#s1=#o1+1)(s1;o1)2h (s;o)2h^s62s)o62o (s;o)2h)s6=hi (H1) (H3) (H4) (H2) theclass. closed.thisisnecessarysinceanyprexofaclass'historyalsorepresentsapossibleevolutionof nalpropertyisaconditiononthesetofhistoriesrepresentingaclass.thissetmustbeprex- Therstthreepropertiescapturetherequirementsonanindividualhistorydetailedabove.The 2.2.3Modellingclassesasprocesses Inordertorelateclassesandprocesses,weneedtorelateoperationsandevents.Thisneedstobe doneinsuchawaythatappropriateinputandoutputparametersofsynchronisingoperationscan beidentied.wethereforedeneameta-functionwhichreturnsthebasenameofaparameter name,i.e.(x?)=(x!)=x,andallowitbeappliedtotheassignmentofvaluestoanoperation's parametersasfollows. Thefunctionrelatingoperationsandeventsisthendenedasfollows. (f(x1;v1);:::;(xn;vn)g)=f((x1);v1);:::;((xn);vn)g wherefx1;:::;xngidandfv1;:::;vngvalue Forexample,theeventcorrespondingtoacustomerwithnamenmakingabookingisBook:f(name;n)g. Thiseventisidenticaltothatcorrespondingtotheboxoceacceptingabookingfromacustomerwithnamen.Hence,thesetwooperationswillbeabletosynchronisewhentheirclasses arecombinedusingthecspparallelcompositionoperatorjj.similarly,theeventscorresponding toacustomerwithnamenarrivingandcollectingaticketsandtheboxoceallocatingtickets WeletaclassCbemodelledbyaparameterisedprocessCi.Theparameteriisanassignment tothatcustomerwillbetheeventarrive:f(name;n);(t;s)g. event((n;p))=n:(p)wheren2idandp2(id77!value) descriptionofobject-zinthispaper. ofvaluestoasubsetofthestateofcsatisfyingapossibleinitialstateofc.thatis,i2fjj 4Innitehistoriesenablelivenesspropertiesofclassestobemodelled.Suchpropertieshavebeenignoredinthe 7

7 9(s;o)2Hjs(1)g5.Thisallowsustorefertotheclass'constantswhenitisusedasa process.forexample,wecandeneaprocesscustomerncorrespondingtothecustomerwith namenasfollows. Fornotationalconvenience,weintroducetheconventionthatC=C?allowingustowrite,for example,marloweratherthanmarlowe?fortheprocesscorrespondingtotheclassmarlowe Customern=Customerf(myname;n)g GivenaclassCwithstatesS,operationsOandhistoriesH,thealphabetofprocessCicomprises theeventscorrespondingtotheoperationsino. withoutanyrestrictionontheinitialstate. Todenethefailuresofaclassweusethefollowingfunctionwhichmapsasequenceofoperations toasequenceofevents. alphabet(ci)=fevent(op)jop2og ThefailuresofCiarederivedfromthehistoriesinHasfollows:(t;X)isafailureofCiif events(hi)=hi events(hopiao)=hevent(op)iaevents(o) thereexistsanitehistoryofcwhoseinitialstateissatisedbyi, thesequenceofoperationsofthehistorycorrespondstothesequenceofeventsintand foreacheventinx,theredoesnotexistahistorywhichextendstheoriginalhistorybyan failures(ci)=f(t;x)j9(s;o)2h operationcorrespondingtothatevent. s2s^ is(1)^ t=events(o)^ failuressemantics. Asshownin[22],thefailuresofCidenedinthiswaysatisfythepropertiesF1toF4ofthe e=event(op)^(sahsti;oahopi)2hg 2.2.4Thebookingsystemspecication TheprocessesCustomernandMarlowecannowbecomposedtospecifythebookingsystem. Thatis,thebookingsystemconsistsoftheboxocerunningconcurrentlywithacollectionof customers{oneforeachnameinname.sincethispartofthespecicationisacspspecication, BookingSystem=(jjjn:NameCustomern)jjMarlowe erateclassesare,however,unimplementableandofnopracticalinteresttothespecier. 5AnObject-Zclasswithunsatisableinitialconstraintsisnotgivenasemanticsinthisapproach.Suchdegen- 8

8 wecanstatepropertieswewishtoproveaboutitinthesamewayastheyarestatedincsp(see traces,andref,therefusalsets,ofthefailuresofprocessp.forexample,thepropertythatthe numberofbookingsmadeisgreaterthanorequaltothenumberofticketsallocatedtoarriving [12]).Thatis,intheformPsatSwherePisaprocessandSisapredicateintermsoftr,the customerscanbestatedasfollows6. AnapproachtoprovingsuchpropertiesintermsofthecomponentObject-Zclassesispresented insection4. BookingSystemsat#tr#Book>#tr#Arrive ThissectionpresentsamethodofrenementforsystemsspeciedusingtheintegratedObject-Z/ CSPnotation.TheuseofaCSPsemanticsforObject-ZclassesenablesustouseCSPrenement 3 ReningObject-ZandCSPspecications astherenementrelationfortheintegratednotation.toverifysucharenementtherearetwo dierentapproachesthatcanbeemployed: TherstisbasedontheapproachusedinCSP.Therenementisverieddirectlybycalculatingandcomparingthefailuresofthespecicationsor,inthecasewherethespecications haveidenticalstructure,thefailuresofthecomponentsofthespecications. Object-Zclassesofaspecication.ThisisachievedbyadaptingtheworkofJosephs[15], whichprovidesrenementrelationsforstate-basedsystemsthataresoundandcomplete Thesecondinvolvesusingstate-basedmethodstoverifytherenementofthecomponent InthissectionweillustratebothapproachesbyreningthecinemabookingsystemofSection2. identicalstructure. withrespecttocsprenement.thisapproachisonlypossiblewhenthespecicationshave ofaprocesspif RenementinCSPisdenedintermsoffailuresanddivergences[3].AprocessQisarenement 3.1FailuresApproach orwhenusingthesimplerfailuressemanticsif failuresqfailurespanddivergencesqdivergencesp WewritePvQtodenotethelatter.BecausewehavemodelledObject-Zclassessemantically asprocesses,csprenementcanbeusedasthebasisforreningspecicationswritteninthe integratedobject-z/cspnotation.asanexample,consideranalternativebookingsystemto failuresqfailuresp: LiketheMarloweboxoce,theKurbelboxoceallowscustomerstobookticketsinadvanceby thebookingsystemspecicationgiveninsection2. calls,ifthereisanavailableticketthenthecustomer'snameissimplyrecorded.whenacustomer telephone.however,theprocedureisdierentfromthatusedatthemarlowe.whenacustomer whosenamehasbeenrecordedarrivesattheboxoce,aticketisallocated. 6s#cdenotesthesequenceofvaluesvofeventsoftheformc:vins,e.g.hc:1;a:4;c:3;d:1i#c=h1;3i. 9

9 ThecontrastbetweentheMarloweandtheKurbelboxocesisthepointofallocationoftickets (atbookingtimevsatcollectiontime).however,atthislevelofabstractionthecustomercannot tellthatthekurbelisbehavingdierentlytothemarlowe.wewillprovethispropertybyshowing thatthekurbelbookingsystemisacsprenementofthemarlowebookingsystem. specicationofacustomerisidenticaltothatgiveninthemarlowebookingsystem.thekurbel ThecomponentsoftheKurbelbookingsystemarethecustomersandtheKurbelboxoce.The boxoceisrepresentedbythefollowingobject-zclass. kpool:pticket bkd:pname bkd=? (bkd) INIT name?:name name?62bkd Book #bkd<#kpool bkd0=bkd[fname?g (bkd;kpool) name?:name t!:ticket Arrive name?2bkd bkd0=bkdnfname?g t!2kpool Thestatevariablekpooldenotesthepoolofticketsandbkddenotesthesetofnamesofcustomers kpool0=kpoolnft!g thattherearecurrentlylessbookingsthanticketsand,hence,stillticketsavailable.theoperation whohavebookedaticket.initially,bkdisempty.theoperationbookrecordsabookingprovided customers. Arriveallocatesatickettoacustomerwhohasabooking. Thecompletesystemagainconsistsoftheboxocerunningconcurrentlywithacollectionof ures.sincethestructureofthebookingsystemspecicationsareidenticalandthecomponents ToshowthatBookingSystemKisarenementofBookingSystem,wewillcomparetheirfail- BookingSystemK=(jjjn:NameCustomern)jjKurbel Customernareidentical,weneedonlyshowthatfailures(Kurbel)failures(Marlowe). processeskurbelf(kpool;p)gforeachpossiblesetofticketsp. ConsiderrsttheclassKurbel.ThefailuresofKurbelcanbegivenintermsofthefailuresofthe ThetracesofKurbelf(kpool;p)gcomprisetheemptytraceandanytraceformedbyextendingatrace ofkurbelf(kpool;p)gby failures(kurbel)=[p2pticketfailures(kurbelf(kpool;p)g) 10

10 anarriveeventwhenever abookeventwheneverthecustomerdoingthebookinghasarrivedandcollectedanytickets heorshehaspreviouslybookedand {theticketbeingcollectedwasinitiallyinkpool, {theticketbeingcollectedhasnotbeenpreviouslycollectedbyanycustomerand traces(kurbel)=fhig {thecustomerarrivinghasbookedoncemorethanheorshehasarrivedtocollecta [fsahbook:f(name;n)gijs2traces(kurbel)^n2name^ ticket. [fsaharrive:f(name;n);(t;x)gijs2traces(kurbel)^n2name^ #(sfbook:f(name;n)gg)=#(sfarrive:f(name;n);(t;x)gjx2ticketg)g Kurbelf(kpool;p)gcanrefuseaBookeventwheneverthecustomermakingthebookinghasbooked #(sfbook:f(name;n)gg)=#(sfarrive:f(name;n);(t;y)gjy2ticketg)+1g x2p^#(sfarrive:f(name;m);(t;x)gjm2nameg)=0^ Arriveeventwheneverthecustomerarrivinghasalreadyarrivedasmanytimesasheorshehas booked,theticketofthearriveeventhasalreadybeenallocatedtoacustomerortheticketof moretimesthanheorshehasarrived,ortherearenoticketsremaininginkpool.itcanrefusean thearriveeventwasnotinkpoolinitially. Hence,thefailuresofKurbelf(kpool;p)gare failures(kurbelf(kpool;p)g)=f(tr;x)jtr2traces(kurbelf(kpool;p)g)^xsg where S=fBook:f(name;n)g;Arrive:f(name;m);(t;x)gjx2Ticket^n;m2Name^ (#(trfbook:f(name;n)gg>#(trfarrive:f(name;n);(t;y)jy2ticketg) (#(trfbook:f(name;m)gg)=#(trfarrive:f(name;m);(t;x)gg) _#(trfarrive:f(name;l);(t;y)jl2name^y2ticketg=#p) ThefailuresofMarlowecansimilarlybegivenintermsofthefailuresoftheprocessesMarlowef(mpool;p)g _x62pg: _#(trfarrive:f(name;l);(t;x)gjl2nameg)6=0 foreachpossiblesetofticketsp. thermore,marlowef(mpool;p)gcanrefuseanyeventsthatkurbelf(kpool;p)gcanrefuseafterthesame IteasytoseethatthetracesofMarlowef(mpool;p)gareidenticaltothoseofKurbelf(kpool;p)g.Fur- failures(marlowe)=[p2pticketfailures(marlowef(mpool;p)g) failures(kurbelf(mpool;k)g)failures(marlowef(mpool;k)g)and,therefore,failures(kurbel)failures(marlowe) trace.itcan,infact,refusemoreeventsafteragiventracebecauseitcanrefuseanarriveevent whenevertheticketofthearriveeventisnotthatpreviouslyallocatedtothecustomer.hence, asdesired. 11

11 3.2State-basedApproach Calculatingandcomparingthefailuresofclassesasillustratedaboveisfeasible,butcanbecomplex renementtechniquesfortheobject-zcomponentofaspecication.thiswillenablerenements fornon-trivialspecications.thepurposeofthissectionistoshowhowwecanusestate-based tobeveriedatthespecicationlevel,ratherthanworkingexplicitlyintermsoffailures,traces Workonstate-basedrenementforconcurrentsystemsgoesbacktoHe[10]andJosephs[15],who andrefusalsatthesemanticlevel. havedevelopedrenementrelationsforstate-basedtransitionsystemswhicharecompleteand soundwithrespecttocsprenement.woodcockandmorgan[27]haveproducedsimilarresults theworkofjosephstotheobject-zsetting.thisworkisdirectlyapplicabletothiscontext inthecontextofactionsystemsandweakestpreconditionformulae.inthissectionweadapt thesamerestrictionsonhidingthatwehaveadopted.weproducetworenementrelations,called becauseitusesthefailuressemantics(asopposedtothefailures-divergencesmodel)andplaces upwardanddownwardsimulation,whichtogetheraresoundandcompletewithrespecttocsp renement.usingtheseruleswecanrenetheobject-zcomponentsofanintegratedobject-z/ alphabet,sitsstates,?!itstransitionrelationandritsinitialstates(rs;r6=?).asusual CSPspecicationsuchthattheentirespecicationisalsorened. Josephsconsidersastate-basedsystemPtobedenedbyatuple(A;S;?!;R)whereAisits wewilldenoteatransitionundereventefromstate1to2by1e ofnextpossibleeventsthatasystempcanundergowheninstateisdenotednextp(),i.e. nextp()=fe2aj902se!0g?!2.inaddition,theset Renementinstate-basedsystemsisbasedontheconceptofsimulations.Forexample,simulation formsthebasisoftherenementrulesinzastheyareusuallypresented[25].josephsuses twoversionscalleddownwardandupwardsimulation(sometimescalledforwardandbackward simulationsrespectively)denedasfollows. P2isadownwardsimulationofP1ifthereisarelationDS1S2suchthat Denition1Downwardsimulation 3.822R2912R11D S1;22S21D2=)nextP1(1)=nextP2(2) 2.812S1;2;022S2;e2A1D2^2e?!202=)9012S11e?!101^01D02 Denition2Upwardsimulation P2isanupwardsimulationofP1ifthereisarelationUS1S2suchthat 3.812S1;22R21U2=)12R S1;2;022S2;e2A01U02^2e 1.822S2912S11U2^nextP1(1)nextP2(2)?!202=)912S11e?!101^1U2 JosephsthenprovesthatthesetworelationsaresoundandcompletewithrespecttoCSPrenement. 12

12 Tousetheseresults,werstadaptthedenitionstotheObject-Zsetting.Thetranslation relations(denotedabs)betweentheabstractstate(astate)andtheconcretestate(cstate). isstraightforward,andtherelationsdandubetweenthestatespacesarere-castasretrieve TotranslatetherulesinvolvingnextP()weintroduceanewpreconditionoperatorPre.Thisis necessarybecausewhenwemodelobject-zclassesasprocesseswerelateoperationstoeventsby removingthedecorations?and!.thereforethesimulationrulespresentedabovewilltreatoutputs inthesamewayasinputs.thisisincontrasttostandardzrenementwheretheconstraintson inputscanbeweakenedandthoseonoutputsstrengthened[25].doingthisinournotationwould meanthatwecouldreducetheeventsthatoccurunderarenement,andhencerestrictpossible Soinordertoreecttheabovesimulationrulesaccuratelyandmaintaincompositionalityinthe synchronisationwithotherprocesses.compositionalitywouldthenbelost. Object-Zsetting,wedenePretohidethepost-stateofanoperation,butnotitsoutputs,i.e. PreOpb=9State0Op.TheeventcorrespondingtoanObject-ZoperationOpisinnextP() ipreopistrueinthestaterepresenting.thisisbecausetheinterpretationofoperationsin Object-ZdiersfromthatinZinthatanoperationcannotoccurwhenitspreconditionisnot AnObject-ZclassCisadownwardsimulationoftheclassAifthereisaretrieverelationAbs Denition3Downwardsimulation enabled7.wecannowgivethedenitionofdownwardandupwardsimulationinobject-z. suchthateveryabstractoperationaopisrecastintoaconcreteoperationcopandthefollowing hold. DS.38Cinit9AinitAbs DS.18Astate;CstateAbs=)(PreAOp()PreCOp) DS.28Astate;Cstate;Cstate0Abs^COp=)9Astate0Abs0^AOp Denition4Upwardsimulation AnObject-ZclassCisanupwardsimulationoftheclassAifthereisaretrieverelationAbssuch thateveryabstractoperationaopisrecastintoaconcreteoperationcopandthefollowinghold. US.18Cstate9AstateAbs^PreAOp=)PreCOp US.28Astate0;Cstate;Cstate0COp^Abs0=)9AstateAbs^AOp US.38Astate;CinitAbs=)Ainit UsingtheseruleswecanshowthattheKurbelclassisanupwardsimulation,andhencearenement,oftheMarloweclasswithouthavingtocalculatethefailures.Todosowerstrecordthe relationshipbetweenthetwoclassesasaretrieverelationgivenby Kurbel:STATE Marlowe:STATE bkd=domtkt Ret 7InZwhenoperationsoccuroutsidetheirpreconditions,thepost-stateisundened. kpool=mpool[rantkt mpool\rantkt=? 13

13 Kurbel:STATEdenotesthestateschemaintheclassKurbel,etc. Firstly,toprovetheinitialisationcorrect(US.3)wemustprovethefollowing: Todosowemustshowthefollowingholds(whichitclearlydoes). 8Marlowe:STATE;Kurbel:INITRet=)Marlowe:INIT Next,wemustshowthatUS.1holdsfortheoperationsBookandArrive.FortheBookoperation, 8mpool:PTicket;tkt:Name7Ticket;kpool:PTicket;bkd:PNamejbkd=? thisrequiresustoshowthat bkd=domtkt^kpool=mpool[rantkt^mpool\rantkt=?=)tkt=? Thisamountstoshowingthat 8Kurbel:STATE9Marlowe:STATERet^PreMarlowe:Book=)PreKurbel:Book 8kpool:PTicket;bkd:PName9mpool:PTicket;tkt:Name7Ticket (bkd=domtkt^kpool=mpool[rantkt^mpool\rantkt=?)^ GiventhedeclarationsandtheconstraintsinRet,weproceedasfollows. (name?62domtkt^mpool6=?)=) (name?62bkd^#bkd<#kpool): name?62domtkt^mpool6=? =)name?62domtkt^#domtkt<#(mpool[rantkt) =)name?62domtkt^#rantkt<#(mpool[rantkt) =)name?62domtkt^#mpool>0 AsimilarproofcanbegivenfortheoperationArrive. =)name?62bkd^#bkd<#kpool [since#domtkt=#rantkt] [ByRet] Finally,wemustshowthatUS.2holdsfortheoperationsBookandArrive.FortheArrive operation,thisrequiresustoshowthat Thatis,giventhedeclarationsweneedtoshowthat 8Marlowe:STATE0;Kurbel:STATE;Kurbel:STATE0 (name?2bkd^bkd0=bkdnfname?g^t!2kpool^kpool0=kpoolnft!g^ Kurbel:Arrive^Ret0=)9Marlowe:STATERet^Marlowe:Arrive: bkd0=domtkt0^kpool0=mpool0[rantkt0^?=mpool0\rantkt0)=) 9mpool:PTicket;tkt:Name7Ticket Thiscanbeseentobetrueifwetakempool=mpool0andtkt=tkt0[fname?7!t!g.Weonly (bkd=domtkt^kpool=mpool[rantkt^mpool\rantkt=?^ needtoprovetherstthreeconjunctsoftheconsequent,therestfollowtriviallyfromourchoice name?2domtkt^mpool=mpool0^tkt0=fname?g?ctkt^t!=tkt(name?)): ofmpool,etc.forexample,withthesechoiceswecanthenmakethefollowingdeductions. domtkt=dom(tkt0[fname?7!t!g)=domtkt0[fname?g =bkd0[fname?g=(bkdnfname?g)[fname?g 14

14 Finally,toshowthatmpool\rantkt=?wenotethat(sincerantkt=rantkt0[ft!g) mpool[rantkt=mpool0[rantkt0[ft!g=kpool0[ft!g=kpool Nowfromt!2kpool^t!62kpool0wededucethatt!62mpool0=mpool.Thereforempool\rantkt=?. mpool\rantkt=(mpool\rantkt0)[mpool\ft!g=?[(mpool\ft!g) ThisconcludestheproofthatKurbelisanupwardsimulationofMarlowe,andthereforeaCSP renement.aswiththefailuresapproach,fromthiswecanconcludethatbookingsystemkis 4indeedarenementofBookingSystem. Thissectionpresentsamethodofvericationfortheintegratednotation.Themethodallowsus toverifypropertiesofthecspsystemspecicationintermsofitscomponentobject-zclasses. VerifyingObject-ZandCSPspecications Itcomprisesthreephases. ThepropertiesoftheObject-Zclassesderivedintherstphasewilloftenincludeterms TherstphaseinvolvesreasoningabouttheCSPpartofthespecication.SystempropertiesarestatedandtransformedtopropertiesofthecomponentObject-Zclassesusingthe notreadilyreasonedaboutinobject-z.thesecondphaseinvolvesextendingtheobject- notationandlawsforcspoperatorsof[12]. Zclasseswithauxiliaryvariablestomodeltheseterms.ThisisachievedusingObject-Z Thenalphaseinvolvesshowingthattheclassesextendedwiththeauxiliaryvariablesare inheritancewhichallowstheadditionofvariablesandpredicatestothestateschema,initial renedbytheoriginalobject-zclassesandhencetheoriginalclassesalsosatisfythedesired forobject-zpresentedin[19]. stateschemaandoperationsofaclass.reasoningcanthenbecarriedoutusingthelogic Section2. Toillustratetheapproach,wewillverifythepropertyofBookingSystemstatedattheendof properties. PropertiesaboutCSPprocessescanbestatedintermoftheirfailures.GivenaprocessPwith failuresf,theproperty8(tr;ref)2fs(tr;ref)canbeexpressedusingthenotationof[12]as 4.1ReasoningabouttheCSPprocesses PsatS(tr;ref).Forexample,thefollowingpropertyoftheprocessBookingSystemstatesthat customers. thenumberofbookingsmadeisgreaterthanorequaltothenumberofticketsallocatedtoarriving ToprovesuchapropertyinCSP,wewouldusethelawsforthevariousCSPoperatorsgivenin [12].Therefore,were-expressthepropertyintermsofCSPoperatorsbyreplacingBookingSystem BookingSystemsat#tr#Book>#tr#Arrive withitsdenitionintermsofcomponentprocesses. 15

15 Inthisform,wecanapplythefollowinglawfortheparallelcompositionoperator8. (jjjn:namecustomern)jjmarlowesat#tr#book>#tr#arrive andqsatt(tr) then(pjjq)sat(s(trp)^t(trq)). IfPsatS(tr) LetS(tr(jjjn:NameCustomern))=trueand,sincethealphabetofMarloweisidenticaltothat ofbookingsystem,lett(trmarlowe)=#tr#book>#tr#arrive.usingthelawforthe parallelcompositionoperator,theabovepropertyistruewheneverthefollowingistrue. ThispropertyisnowintermsofaprocesscorrespondingtoanObject-Zclassandwecanno longerusethelawsforcspoperators.tocompletetheproof,werequireamethodforshowing Marlowesat#tr#Book>#tr#Arrive theabovepropertyistruefortheobject-zclassmarlowe. Buildingontheworkin[26],alogicforreasoningaboutObject-Zclassesispresentedin[19]. Propertiesofclassesareexpressedassequentsoftheform 4.2ReasoningabouttheObject-Zclasses whereaisaclassname,disalistofdeclarationsand A::dj ` (INITdenotesthedeclarationsandpredicatesoftheINITschemaofMarlowe). isvalid,i.e.thestatedpropertyistrue,whenevergiventhedeclarationsdandpredicates leastoneofthepredicatesinistrueinclassa.forexample,thefollowingisavalidsequent andarelistsofpredicates.thesequent Marlowe::INIT`tkt=? at intheclassordeclaredind.hence,itisnotpossibletostatepropertiesaboutsequencesofevents Thepredicatesin weneedtointroduceauxiliaryvariablestocapturesuchproperties.forexample,anauxiliary suchasthosewewouldliketoproveaboutthecspprocesscorrespondingtoaclass.therefore, variablebks:ncouldbeaddedtotheclassmarlowetomodelthecspterm#tr#book.initially andareonlydenedintermsofvariablesandconstantswhichareaccessible term#tr#arrive. TheadditionofsuchvariablestoaclassispossibleusingObject-Zinheritance(see[7]).When bkswouldbezero,itwouldbeincrementedeachtimebookoccursandremainunchangedeach timearriveoccurs.similarly,anauxiliaryvariablearrs:ncouldbeaddedtomodelthecsp namedschemasintheinheritingclass.forexample,considerthefollowingclassauxmarlowe aclassinheritsanother,schemasfromtheinheritedclassareimplicitlyconjoinedwithcommon- whichinheritsmarlowe. 8Asmentionedin[12],thislawisvalidprovidedSandTdonotmentionrefusalsets. 16

16 auxmarlowe bks;arrs:n #tkt=bks?arrs bks=arrs=0 (bks) INIT bks0=bks+1 Book (arrs) arrs0=arrs+1 Arrive #tkt=bks?arrs.thispredicateisn'tstrictlynecessarybutaidstheproofoftherenement Thestateschemahastheadditionalstatevariablesbksandarrsandtheadditionalpredicate TheclassauxMarloweincludesallthedenitionsofclassMarloweandextendsthemasfollows. relationbetweenmarloweandauxmarloweasshowninsection4.3.theinitialstateschema includestheadditionalconstraintthatbksandarrsareequaltozeroandtheoperationsbook andarriveincrementthevariablesbksandarrsrespectively. Toprovethepropertythatthenumberofbookingsisgreaterthanorequaltothenumberoftickets allocatedtoarrivingcustomersfortheclassauxmarlowe,i.e.auxmarlowesat#tr#book>#tr# Arrive,weneedtoshowthatthefollowingsequentsarevalid. auxmarlowe::init`bks=0^arrs=0 auxmarlowe::book`bks0=bks+1^arrs0=arrs Therstthreesequentsensurethatbksandarrsmodelthenumberofoccurrencesoftheoperations auxmarlowe::`bks>arrs auxmarlowe::arrive`bks0=bks^arrs0=arrs+1 BookandArriverespectively.TheycaneasilybeprovedusingthelogicforObject-Z(see[20]for bystructuralinduction,i.e.byprovingthefollowingsequents. examplesofproofsinthelogic).thenalsequentstatesthedesiredproperty.itcanbeproved auxmarlowe::init`bks>arrs ThesesequentscanalsobeeasilyprovedusingthelogicforObject-Z. auxmarlowe::book`bks>arrs)bks0>arrs0 auxmarlowe::arrive`bks>arrs)bks0>arrs0 Theabovecanbegeneralisedasfollows.ApropertyPofaprocesscorrespondingtoaclassCin termsofthenumberofoccurrencesofparticulareventsop1;:::;opn, wherem>n.) istruewhenthefollowingsequentsarevalid.(thesetofoperationsoftheclassareop1;:::;opm CsatP(#tr#Op1;:::;#tr#Opn) 17

17 C::INIT`a1=0^:::^an=0 C::Op1`a01=a1+1^a02=a2^:::^a0n=an Ċ::Opn`a01=a1^:::a0n?1=an?1^a0n=an+1 C::Opn+1`a01=a1^:::^a0n=an Similarly,wecandeveloprulesforprovingothertypesofproperties.Forexample,aCSPpredicate C::`P(a1;:::;an) Ċ::Opm`a01=a1^:::^a0n=an intermsofop2refcanbereplacedbyanobject-zpredicateintermsof:preopwherepreop respecttothefailuressemanticsofclassespresentedinsection2. denotesthepreconditionofop.suchrulesneedtobeprovedsound.thiscanbedonewith 4.3Provingtherenementrelations havetoshowthat andmarloweissimplytheidentity(whichwedenoteid).thereforetoprovetherenementwe ulationdenedinsection3.todosowerstnotethattheretrieverelationbetweenauxmarlowe renementrelationauxmarlowevmarlowe.thiscanbedoneusingthenotionofdownwardsim- ToshowthatthepropertyprovedforauxMarlowealsoholdsforMarlowe,weneedtoprovethe DS.18auxMarlowe:STATE;Marlowe:STATE(PreauxMarlowe:Book()PreMarlowe:Book) DS.28auxMarlowe:STATE;Marlowe:STATE;Marlowe:STATE0 DS.38Marlowe:INIT9auxMarlowe:INITId togetherwithsimilarconditionsfortheoperationarrive.becausewehavesimplyaddednew Marlowe:Book=)9auxMarlowe:STATE0auxMarlowe:Book statevariablesundertherenement,theseconditionsareeasilydischarged. DS.1:Thisamountstoshowingthat (name?62domtkt^mpool6=?^#tkt=bks?arrs^ 9tkt0:Name7Ticket;mpool0:PTicket;bks0;arrs0:N 9tkt0:Name7Ticket;mpool0:PTicket ()#tkt0=bks0?arrs0^bks0=bks+1^arrs0=arrs) (name?62domtkt^mpool6=?^ (9t:mpooltkt0=tkt[fname?7!tg^mpool0=mpoolnftg)^ whichiseasilyshowntobetrue(forexample,#tkt0=#tkt+1=bks?arrs+1=bks0?arrs= bks0?arrs0). 9t:mpooltkt0=tkt[fname?7!tg^mpool0=mpoolnftg) DS.2:Thisamountstoshowingthefollowing,whichagaincaneasilyshowntobetrue. =) (9bks0;arrs0:N (name?62domtkt^mpool6=?^9t:mpooltkt0=tkt[fname?7!tg^mpool0=mpoolnftg) #tkt=bks?arrs^#tkt0=bks0?arrs0^bks0=bks+1^arrs0=arrs) name?62domtkt^mpool6=?^9t:tickettkt0=tkt[fname?7!tg^mpool0=mpoolnftg^ 18

18 DS.3:Toprovethis,itissucienttoshowthefollowing,whichiseasilydone. TheconditionsforArrivecanbeprovedinasimilarfashion.Hence,auxMarlowevMarlowe. SincewehaveshownthatauxMarlowesat#tr#Book>#tr#Arrivewecandeducethat Marlowesat#tr#Book>#tr#Arrive,andhenceconcludetheproofthatthebookingsystem 8tkt:Name7Ticketjtkt=?9bks;arrs:Nj#tkt=bks?arrs^bks=arrs=0 satisesthedesiredproperty.furthermore,sincemarlowevkurbel,wecanalsoconcludethat thekurbelbookingsystemsatisestheproperty. 5Inthispaperwehavepresentedmethodsforreningandverifyingspecicationswrittenusinga combinationofobject-zandcsp.becausewehavenotmodiedeitherofthelanguagesusedinthe Conclusion renementrelationstotheobject-zcomponents. beveriedbyeithercalculatingthefailuressemanticsdirectly,orbyapplyingstandardstate-based combinednotation,wehavebeenabletouseexistingmethodsinourapproachtorenementand wecanusecsprenementastherenementrelationfortheintegratednotation.arenementcan vericationinthecombinednotation.forexample,bygivingobject-zclassesacspsemantics, ToverifybehaviouralpropertiesoftheCSPsystemspecicationweusetheObject-Zlogictoprove Somefurtherareasofworkremain.Inparticular,inadditiontothestate-basedmethodsofrenementpresentedabove,furthermethodsofrenementneedtobedevelopedforspecicationswhose anapproachforreasoningabouttheobject-zclassesinacombinedspecication,andpresented Object-Zclasseswithouthavingtoresorttocalculationoftheirsemantics?Section4.2developed andthefailuressemanticsdevelopedinthispaper. rulesforverifyingcertainproperties.furthervericationrulesforarangeofothertypesofpropertiesneedtobedeveloped,andtheseneedtobeprovedsoundwithrespecttotheobject-zlogic applicationofcsplawstodeducethedesiredbehaviouralpropertiesoftheoverallsystem. subsidiarypropertiesoftheobject-zcomponentclasses,thesepropertiesarethencombinedby systemstructurechangesundertherenement.forexample,howcanoneverifytherenement oftheobject-zkurbelclassintheexamplepresentedaboveintotwoormorecommunicating References [1]T.BolognesiandE.Brinksma.IntroductiontotheISOspecicationlanguageLOTOS. [2]S.D.Brookes,C.A.R.Hoare,andA.W.Roscoe.Atheoryofcommunicatingsequentialprocesses.JournaloftheACM,31(3):560{599,1984. ComputerNetworksandISDNSystems,14(1):25{59,1988. [3]S.D.BrookesandA.W.Roscoe.Animprovedfailuresmodelforcommunicatingprocesses.In [4]J.Derrick,E.A.Boiten,H.Bowman,andM.Steen.SupportingODP-translatingLOTOSto PittsburghSymposiumonConcurrency,volume197ofLectureNotesinComputerScience, Z.InFirstIFIPInternationalworkshoponFormalMethodsforOpenObject-basedDistributed pages281{305.springer-verlag,1985. [5]J.Dong,R.Duke,andG.Rose.Anobject-orientedapproachtothesemanticsofprogramming Systems.Chapman&Hall,1996. languages.ing.gupta,editor,17thannualcomputerscienceconference(acsc'17),pages 767{775,

19 [7]R.Duke,G.Rose,andG.Smith.Object-Z:Aspecicationlanguageadvocatedforthe [6]D.DukeandR.Duke.TowardsasemanticsforObject-Z.InD.Bjorner,C.A.R.Hoare, andh.langmaack,editors,vdm'90:vdmandz!,volume428oflecturenotesincomputer Science,pages242{262.Springer-Verlag,1990. [8]M.Nielsenetal.TheRAISElanguage,methodsandtools.FormalAspectsofComputing, descriptionofstandards.computerstandardsandinterfaces,17:511{533,1995. [10]J.He.Processrenement.InJ.McDermid,editor,TheTheoryandPracticeofRenement. [9]C.Fischer.CombiningCSPandZ.SubmittedtoFormalMethodsEurope(FME'97), :85{114,1989. [11]M.HeiselandC.Suhl.Formalspecicationofsafety-criticalsoftwarewithZandreal-time CSP.InE.Schoitsch,editor,Proceedings15thInternationalConferenceonComputerSafety, Butterworths,1989. [12]C.A.R.Hoare.CommunicatingSequentialProcesses.InternationalSeriesinComputerScience.Prentice-Hall,1985. ReliabilityandSecurity,pages31{45.Springer,1996. [14]C.B.Jones.SystematicSoftwareDevelopmentusingVDM.InternationalSeriesinComputer [13]ITURecommendationX OpenDistributedProcessing-ReferenceModel-Parts1-4, July1995. [15]M.B.Josephs.Astate-basedapproachtocommunicatingprocesses.DistributedComputing, 3:9{18,1988. Science.Prentice-Hall,1986. [17]A.W.Roscoe.Analternativeorderforthefailuresmodel.JournalofLogicandComputation, [16]R.Milner.CommunicationandConcurrency.InternationalSeriesinComputerScience. Prentice-Hall,1989. [18]A.W.Roscoe.UnboundednondeterminisminCSP.JournalofLogicandComputation,3(2), 3(2),1993. [19]G.Smith.ExtendingWforObject-Z.InJ.BowenandM.Hinchey,editors,9thInternational [20]G.Smith.FormalvericationofObject-Zspecications.TechnicalReport95-55,Software ConferenceofZUsers,volume967ofLectureNotesinComputerScience,pages276{295. Springer-Verlag,1995. [21]G.Smith.AfullyabstractsemanticsofclassesforObject-Z.FormalAspectsofComputing, Australia,1995. VericationResearchCentre,DepartmentofComputerScience,UniversityofQueensland, [22]G.Smith.AsemanticintegrationofObject-ZandCSPforthespecicationofconcurrent 7(3):289{313,1995. [23]J.M.Spivey.TheZNotation:AReferenceManual(2ndEd.).InternationalSeriesinComputerScience.Prentice-Hall,1992. systems.toappearinformalmethodseurope(fme'97),1997. [24]M.Weber.CombiningStatechartsandZforthedesignofsafety-criticalsystems.InM.-C. Methods,volume1051ofLectureNotesinComputerScience,pages307{326.Springer-Verlag, GaudelandJ.C.P.Woodcock,editors,FME'96{IndustrialBenetsandAdvancesinFormal

20 [25]J.WoodcockandJ.Davies.UsingZ:Specication,Renement,andProof.International [26]J.C.P.WoodcockandS.M.Brien.W:AlogicforZ.InJ.E.Nicholls,editor,ZUser Workshop,WorkshopsinComputing,pages77{98.Springer-Verlag,1992. SeriesinComputerScience.Prentice-Hall,1996. [27]J.C.P.WoodcockandC.C.Morgan.Renementofstate-basedconcurrentsystems.In D.Bjorner,C.A.R.Hoare,andH.Langmaack,editors,VDM'90:VDMandZ!,volume428of LectureNotesinComputerScience.Springer-Verlag,