Contents
1. Specification Process
The Specification Process is concerned with how to write the assertions and predicates that describe the state of a system.
1.1 State Invariants
This part explains the concepts of a state machine and of state assertions. A state here is the condition of the system at a given point in time; every operation may change the system state. We usually verify properties of states with assertions.
For example, a state machine can be described as S0 (Init) --Opi-> S1 --Opj-> S2 ... --Opk-> Sn, where S0, S1, S2, ..., Sn are the states and Opi, Opj, Opk, ... are the possible operations.
Here Inv[s] is a predicate that states whether system state s satisfies some property. To verify that Inv[s] holds in every state s, use the following two assertions:
assert invInit { all s : State | Init[s] => Inv[s] }
assert invOpi { always all s : State | Inv[s] and Opi[s] => after Inv[s] }
invInit ensures that every initial state satisfies Inv[s], and invOpi ensures that after operation Opi is executed the new state still satisfies Inv[s]. The keyword "always" means the formula holds in every state of the trace, and "after" refers to the state that follows the operation.
1.2 Exceptional Behaviour
Distinguishing normal and exceptional behaviour in models
//Add a password for a *new* user/url pair
pred addNormal [pb : PassBook, url : URL, user : Username,
                pwd : Password, report : one Report] {
  addPre [pb, url, user]
  addPost [pb, url, user, pwd]
  report in Success
}
//Fail to add a password that already exists
pred addExceptional [pb : PassBook, url : URL, user : Username,
                     report : one Report] {
  not addPre [pb, url, user]
  pb.password' = pb.password   // frame condition: the state is left unchanged
  report in Failed
}
//Add a password for a *new* user/url pair, otherwise add nothing
pred add [pb : PassBook, url : URL, user : Username, pwd : Password,
          report : one Report] {
  addNormal [pb, url, user, pwd, report]
  or
  addExceptional [pb, url, user, report]
}
The point is to constrain what the system is meant to do in exceptional cases, not only in the normal case: without the frame condition pb.password' = pb.password, a failed add would leave the next state unconstrained.
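Added example (not part of the original notes): a complete Alloy 6 model that combines the invariant pattern of 1.1 with the normal/exceptional split of 1.2. The signatures, addPre, addPost, Inv and Init are assumed definitions that the notes leave implicit, and state is modelled with a var field rather than an explicit State signature.

```alloy
sig URL, Username, Password {}
abstract sig Report {}
one sig Success, Failed extends Report {}

// Alloy 6: the state is a mutable (var) field instead of an explicit State sig
one sig PassBook { var password : URL -> Username -> Password }

// Invariant (Section 1.1): at most one password per url/user pair (assumed)
pred Inv [pb : PassBook] { all u : URL, n : Username | lone pb.password[u][n] }
pred Init [pb : PassBook] { no pb.password }

// Precondition: the url/user pair is new (assumed definition)
pred addPre [pb : PassBook, url : URL, user : Username] {
  no pb.password[url][user]
}
// Postcondition: exactly that pair is added, nothing else changes (assumed)
pred addPost [pb : PassBook, url : URL, user : Username, pwd : Password] {
  pb.password' = pb.password + url -> user -> pwd
}

pred addNormal [pb : PassBook, url : URL, user : Username,
                pwd : Password, report : one Report] {
  addPre [pb, url, user]
  addPost [pb, url, user, pwd]
  report in Success
}
pred addExceptional [pb : PassBook, url : URL, user : Username,
                     report : one Report] {
  not addPre [pb, url, user]
  pb.password' = pb.password   // frame condition: failure changes nothing
  report in Failed
}
pred add [pb : PassBook, url : URL, user : Username, pwd : Password,
          report : one Report] {
  addNormal [pb, url, user, pwd, report] or addExceptional [pb, url, user, report]
}

// Invariant preservation in the style of Section 1.1, covering both branches of add
assert invInit { all pb : PassBook | Init[pb] => Inv[pb] }
assert invAdd {
  always all pb : PassBook, u : URL, n : Username, p : Password, r : Report |
    Inv[pb] and add[pb, u, n, p, r] => after Inv[pb]
}
check invInit for 4
check invAdd for 4 but 3 steps
```

Removing the frame condition from addExceptional and re-running check invAdd produces a counterexample in which a Failed add still alters password, which is exactly the under-specification the exceptional predicate is there to rule out.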