Java - Personal Home Pages (at UEL)

VDM to Java
Learning Outcomes
At the end of this lecture you should be able to:
• Evaluate the suitability of Java for the implementation of VDM specifications;
• Translate simple VDM-SL types into Java types;
• Translate a VDM specification into a Java class;
• Incorporate run-time assertions into Java implementations.
The choice of Java as a programming language
1. Java is object-oriented
2. Java is portable
3. Java is robust
4. Java is high level
Lightweight Formal Methods
INFORMAL SPECIFICATION (UML class diagram)
-> FORMAL SPECIFICATION (VDM specification)
-> IMPLEMENTATION (Java class)
From VDM-SL types to Java types
VDM-SL type    Java type
nat            int
nat1           int
int            int
real           double
bool           boolean
char           char
Implementing the IncubatorMonitor specification
VDM-SL:
values
MAX : int = 10
MIN : int = -10
state IncubatorMonitor of
temp : int
inv mk-IncubatorMonitor(t) == MIN <= t and t <= MAX
init mk-IncubatorMonitor(t) == t = 5
end
operations
increment()
ext wr temp : int
pre temp < MAX
post temp = temp~ + 1
-- more operations here
Java:
class IncubatorMonitor
{
    // code goes here
}
Translating a 'values' clause into Java
VDM-SL:
values
MAX : int = 10
MIN : int = -10
Java:
public static final int MAX = 10;
public static final int MIN = -10;
Translating a 'state' clause into Java
VDM-SL:
state IncubatorMonitor of
temp : int
Java:
private int temp;
Translating an 'invariant' into Java
VDM-SL:
inv mk-IncubatorMonitor(t) == MIN <= t and t <= MAX
Java:
public boolean inv()
{
    return (MIN <= temp && temp <= MAX);
}
The InvariantCheck interface
interface InvariantCheck
{
public boolean inv();
}
class IncubatorMonitor implements InvariantCheck
{
public boolean inv()
{
return (MIN <= temp && temp <= MAX);
}
// more code here
}
Comparison operators
VDM-SL    Java
a = b     a == b
a <> b    a != b
a < b     a < b
a > b     a > b
a >= b    a >= b
a <= b    a <= b
Logical operators
VDM-SL     Java
a and b    a && b
a or b     a || b
not a      !a
a <=> b    a == b
a => b     (!a) || b
Using the conjunction and disjunction operators in Java
VDM-SL expression:
x/y > 1 and y <> 0
When y = 0 this is "undefined and false", which in VDM-SL evaluates to false.
Java:
y != 0 && x/y > 1    evaluates "false && undefined", which short-circuits to false
x/y > 1 && y != 0    evaluates "undefined && false", which is undefined (a run-time exception)
In Java the order of the operands therefore matters: the test that guards against the undefined case must be written first.
Methods of the VDM class
Method          Description
implies         Implementation of the implication (=>) operator.
forall          Implementation of the universal quantifier (forall).
exists          Implementation of the existential quantifier (exists).
uniqueExists    Implementation of the unique existential quantifier (exists1).
preTest         Checks a precondition and throws an exception if the precondition is broken.
postTest        Checks a postcondition and throws an exception if the postcondition is broken.
invTest         Checks the invariant of an object and throws an exception if the invariant is broken.
VDM-SL:
x > y => y + x > 1
Java:
VDM.implies(x > y, y + x > 1)
Translating the 'initialization' clause into Java
The initialization clause of the VDM specification defines valid initial values for the attributes of the corresponding class; a constructor is the mechanism used to initialise class attributes in Java.
VDM-SL:
init mk-IncubatorMonitor(t) == t = 5
Java:
public IncubatorMonitor()
{
    temp = 5;
    VDM.invTest(this);
}
Translation of the increment operation
VDM-SL:
increment()
ext wr temp : int
pre temp < MAX
post temp = temp~ + 1
Java:
public void increment()
{
    VDM.preTest(temp < MAX);
    temp = temp + 1;
    VDM.invTest(this);
}
Translation of the decrement operation
VDM-SL:
decrement()
ext wr temp : int
pre temp > MIN
post temp = temp~ - 1
Java:
public void decrement()
{
    VDM.preTest(temp > MIN);
    temp = temp - 1;
    VDM.invTest(this);
}
The getTemp operation
VDM-SL:
getTemp() currentTemp : int
ext rd temp : int
pre true
post currentTemp = temp
Java:
public int getTemp()
{
    return temp;
}
class IncubatorMonitor implements InvariantCheck
{
    // constants
    public static final int MAX = 10;
    public static final int MIN = -10;
    // attributes
    private int temp;
    // invariant
    public boolean inv()
    {
        return (MIN <= temp && temp <= MAX);
    }
    // initialisation
    public IncubatorMonitor()
    {
        temp = 5;
        VDM.invTest(this);
    }
    // operations
    public void increment()
    {
        VDM.preTest(temp < MAX);
        temp = temp + 1;
        VDM.invTest(this);
    }
    public void decrement()
    {
        VDM.preTest(temp > MIN);
        temp = temp - 1;
        VDM.invTest(this);
    }
    public int getTemp()
    {
        return temp;
    }
}
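As an added example (not the lecture's own VDM class, which the page describes but does not show), here is one way to implement the helper methods from the table above and wire them into the IncubatorMonitor so that a broken precondition is reported at run time; the method signatures, the VDMException type and the Demo class are assumptions.

```java
import java.util.function.Predicate;

// Assumed exception type raised when a pre-, post-condition or invariant fails.
class VDMException extends RuntimeException {
    VDMException(String msg) { super(msg); }
}

interface InvariantCheck { boolean inv(); }

class VDM {
    // a => b is (not a) or b
    static boolean implies(boolean a, boolean b) { return !a || b; }
    // Universal quantifier over a finite collection (assumed form).
    static <T> boolean forall(Iterable<T> s, Predicate<T> p) {
        for (T x : s) if (!p.test(x)) return false;
        return true;
    }
    static void preTest(boolean c) { if (!c) throw new VDMException("precondition broken"); }
    static void postTest(boolean c) { if (!c) throw new VDMException("postcondition broken"); }
    static void invTest(InvariantCheck o) { if (!o.inv()) throw new VDMException("invariant broken"); }
}

// Compact copy of the lecture's IncubatorMonitor, with a postTest added to
// increment() that uses the saved old value (the VDM-SL hook temp~).
class IncubatorMonitor implements InvariantCheck {
    static final int MAX = 10, MIN = -10;
    private int temp = 5;
    public boolean inv() { return MIN <= temp && temp <= MAX; }
    void increment() {
        VDM.preTest(temp < MAX);
        int old = temp;                 // old value, for the postcondition
        temp = temp + 1;
        VDM.postTest(temp == old + 1);
        VDM.invTest(this);
    }
    int getTemp() { return temp; }
}

public class Demo {
    public static void main(String[] args) {
        IncubatorMonitor m = new IncubatorMonitor();
        while (m.getTemp() < IncubatorMonitor.MAX) m.increment();
        try {
            m.increment();              // temp == MAX, so the precondition fails
        } catch (VDMException e) {
            System.out.println("caught: " + e.getMessage());
        }
    }
}
```

Save it as Demo.java; running it prints "caught: precondition broken", showing that the run-time assertion stops the operation before the invariant can be violated.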