an introduction to specification in vdm-sl at the end of this lecture you should be able to: write a...
TRANSCRIPT
An introduction to specification in VDM-SL
At the end of this lecture you should be able to:
• write a formal specification of a system in VDM-SL;
• correlate the components of a UML class diagram with those of a VDM specification;
• declare constants and specify functions to enhance the specification;
• explain the use of a state invariant to place a global constraint on the system;
• explain the purpose of the nil value in VDM.
The Incubator case study
The temperature of the incubator needs to be carefully controlled and monitored;
Initially we will specify the software needed to monitor the incubator temperature;
Later we will specify the software needed to monitor and control the incubator temperature.
Safety requirements :
-10 Celsius TEMPERATURE +10 Celsius
The UML specification
IncubatorMonitor
temp : Integer
increment() decrement()getTemp() : Integer
Specifying the ‘state’ in VDM-SL
in VDM-SL the state refers to the permanent data that must be stored by the system, and which can be accessed by means of operations;
It corresponds to the attributes in the class diagram;
The state is specified by declaring variables, in a similar manner a programming language and UML.
Each variables is given a name, and a VDM-SL type.
The intrinsic types available in VDM-SL
: natural numbers (positive whole numbers)
1 : natural numbers excluding zero
: integers (positive and negative whole numbers)
: real numbers (positive and negative numbers that can include a fractional part)
: boolean values (true or false)
Char : the set of alphanumeric characters
Specifying the state of the Incubator Monitor System
IncubatorMonitor
temp : Integer
increment() decrement()getTemp() : Integer
state IncubatorMonitor of
end
temp :
UML VDM-SL
Specifying the operations in VDM-SL
IncubatorMonitor
temp : Integer
increment() decrement()getTemp() : Integer
Each operation specified in VDM-SL as follows:
the operation headerthe external clausethe preconditionthe postcondition
The increment operation
increment()
ext ?
pre ?
post ?
temp < 10
wr ?temp :
temp = + 1temp
+ 1 = temptemp
temp - = 1temp
temp > temp
The decrement operation
decrement()
ext ?
pre ?
post ?
temp > -10
temp = - 1temp
wr ?temp :
The getTemp operation
getTemp()
ext ?
pre ?
post ?
currentTemp :
rd temp :
currentTemp = temp
TRUE
Declaring constants
It is possible in VDM-SL to specify constants;
It is done by using the keyword values;
The declaration would come immediately before the state definition:
valuesMAX : = 10MIN : = -10
decrement()
ext wr temp :
pre temp > -10
post temp = - 1temp
MIN
Specifying functions
A function is a set of assignments from one set to another;
The function receives an input value (or values) and maps this to an output value according to some rule;
hasPassed
46
79
50
FALSE
TRUE
There are two ways in which we can specify a function in VDM-SL
Specifying a function explicitly
The style of this specification is algorithmic;
We explicitly define the method of transforming the inputs to the output.
Example
add: add(x, y) ∆ x + y
signature definition
Specifying a function implicitly
We use a pre- and postcondition in the same way as we described for operations;
A function, however, does not access the state variables.
add( )pre ?post ?
x , y: : z :
z = x + yTRUE
An absolute function defined implicitly
abs( )pre ?post ?
z :
r :
z<0 r = -z z 0 r = zTRUE
An absolute function defined explicitly
abs: abs(z) ∆ if z < 0
then -z else z
Recursive functions
Some functions can be neatly specified by a recursive definition, whereby the function calls itself.
Example
a factorial function:
factorial: factorial(n) ∆ if n = 0
then 1 else n x factorial(n - 1)
State invariants
Before we specified local constraint with preconditions.
We can also specify a global constraint.
In VDM-SL we incorporate such a restriction into the specification with a function called a state invariant;
The invariant definition uses the keyword inv.
Its signature will be:
inv : State
Adding a state invariant into the IncubatorMonitor system
inv mk-IncubatorMonitor(t) MIN t MAX
-10 Celsius TEMPERATURE +10 Celsius
Specifying an initialization function
An initialization function is given the name init;
We will assume that when the incubator is turned on, its temperature is adjusted until a steady 5 degrees Celsius is obtained.
init mk-IncubatorMonitor(t) t = 5
The modified state specification
valuesMAX : = 10MIN : = -10
state IncubatorMonitor of temp : inv mk-IncubatorMonitor(t) MIN t MAX
init mk-IncubatorMonitor(t) t = 5
end
Improving the Incubator System
IncubatorController
requestedTemp : IntegeractualTemp : Integer
setIInitialTemp(Integer)requestChange(Integer) : Signalincrement() : Signaldecrement() : SignalgetRequestedTemp() : IntegergetActualTemp() : Integer
Enumerated types
The signal sent to the hardware could be one of 3 possible values:
1. an instruction to the hardware to increase the temperature;
2. an instruction to the hardware to decrease the temperature;
3. an instruction to the hardware to do nothing.
A type that consists of a number of named values is often referred to as an enumerated type;
A standard method of marking a UML class as an enumerated type is to add <<enumeration>> above the type name:
Enumerated types in UML
<<enumeration>>Signal
INCREASEDECREASE
DO_NOTHING
In VDM-SL the types clause is the appropriate place to define new types.
Enumerated types in VDM-SL
typesSignal = <INCREASE>|< DECREASE>|< DO_NOTHING>
values…..
state…..
end
The nil value
It is common in the programming world for a value to be undefined;
VDM-SL allows for this concept by including the possibility of a term or expression having the value nil, meaning that it is undefined;
We do that by placing square brackets around the type name:
[] natural numbers or nil
[] integers or nil.
When the incubator system first comes into being, the actual and requested values will be undefined, and must therefore be set to nil;
Specifying the IncubatorController state
state IncubatorController of
requestedTemp : []
actualTemp : []
IncubatorController
requestedTemp : IntegeractualTemp : Integer
setIInitialTemp(Integer)requestChange(Integer) : Signalincrement() : Signaldecrement() : SignalgetRequestedTemp() : IntegergetActualTemp() : Integer
The invariant
The actual temperature must not be allowed to go outside the range of -10 to +10 degrees;
However we need now to allow for the possibility that it could be equal to the nil value;
The same is true for the requested temperature.
inv mk-IncubatorController (r, a)
(MIN r MAX r = nil) (MIN a MAX a = nil)
Improving the readability of the spec by using a function
inRange( )pre post
val : result :
result MIN val MAX
TRUE
inv mk-IncubatorController (r, a) (inRange(r) r = nil) (inRange(a) a = nil)
The initialisation function
init mk-IncubatorController (r, a) r = nil a = nil
Specifying the setInitialTemp operation
setInitialTemp( )
ext
pre
post
tempIn :
wr actualTemp : []
actualTemp = tempIn
inRange(tempIn) actualTemp = nil
The requestChange operation
requestChange( )
ext
pre
post
tempIn : signalOut : Signal
requestedTemp : []wr
actualTemp : []rd
requestedTemp = tempIn
(
)
signalOut = <INCREASE>
signalOut = <DECREASE>
signalOut = <DO_NOTHING>
tempIn < actualTemp
tempIn > actualTemp
tempIn = actualTemp
actualTemp nilinRange(tempIn)
The increment operation
increment ()
ext
pre
post
signalOut : Signal
requestedTemp : []rd
actualTemp : []wr
actualTemp
actualTemp = actualTemp + 1
signalOut = <INCREASE>
signalOut = <DO_NOTHING>
(
)
actualTemp < requestedTemp
actualTemp = requestedTemp
actualTemp < requestedTemp
requestedTemp nil actualTemp nil
The getRequestedTemp operation
getRequestedTemp()
ext
pre
post
currentRequested : []
requestedTemp : []rd
currentRequested = requestedTemp
TRUE
The getActualTemp operation
getActualTemp()
ext
pre
post
currentActual : []
actualTemp : []rd
currentActual = actualTemp
TRUE
A standard template for VDM-SL specifications
typesSomeType = …..
valuesconstantName : ConstantType = someValue
state SystemName ofattribute1 : Type
:attributen : Type
inv mk-SystemName(i1:Type, ..., in:Type) Expression(i1, ..., in)
init mk-SystemName(i1:Type, ..., in:Type) Expression(i1, ..., in)end functions
specification of functions .....operations
specification of operations .....