VDMTools and Logic
Download
Report
Transcript VDMTools and Logic
RT development process, Abstract Syntax Trees and
Logic
Peter Gorm Larsen
([email protected])
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
1
Agenda
Development Process for RT systems
• Abstract Syntax Trees and analysis of ASTs
• Introduction to Logic
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
2
Reactive systems Nature
The World
stimuli
Environment
System
response
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
3
Overview of Development
Process
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
4
General use case for an
embedded system
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
5
Capturing Requirements in
VDM-SL
operations
PerformSystemReaction: seq of SensorInput ==>
seq of ActuatorCommand
PerformSystemReaction(inputseq) ==
if inputseq = []
then []
else SensorTreatment(hd inputseq) ^
PerformSystemReaction(tl inputseq)
An accumulating parameter can be used for feedback
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
6
Sequential Design Model
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
7
Typical Design Structure
• An Environment class is needed
• A SystemName class is needed
• A World class is introduced for setting up both the
environment and the system
• World shall contain a Run operation
• World have access to some notion of time
• The Environment has operation for creating signals to
the system and receiving events from the system
• Flow of control resides with the Environment
• Each class that do actions has an isFinished
operation
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
8
Concurrent Design Model
• Similar to sequential design model but
•
•
•
•
Identification of threads
Determine necessary communication
Establish synchronization points
Validation of model
• Typical design structure
• Flow of control is distributed
• Synchronization using permission predicates and mutex
• isFinished operations become skip with permission
predicates
• A simple Timer class is replaced with the TimeStamp
class
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
9
Concurrent Real-Time and
Distributed Design Model
• Timing built in:
• Use of default durations
• Use of duration and cycles statements
• Setting task switching overhead
• Typical Design Structure
• SystemName is now turned into a system
• CPU’s and BUS’es are introduced inside SystemName
• Environment may be turned into a system
• Some operations are made asynchronous
• Some Step like threads are made periodic
• Explicit use of TimeStamp is removed
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
10
Agenda
Development Process for RT systems
Abstract Syntax Trees and analysis of ASTs
• Introduction to Logic
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
11
The “Phases” of a Compiler
Source Program
Syntax Analysis
Error Reports
Abstract Syntax Tree
Type Analysis
Error Reports
Decorated Abstract Syntax Tree
Code Generation
Object Code
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
12
VDM-SL AST Example 1
Program :: decls : seq of Declaration
stmt : Stmt;
Declaration :: id : Identifier
tp : Type
val : [Value];
Identifier = seq1 of char;
Type = <BoolType> | <IntType> ;
Value = BoolVal | IntVal;
BoolVal :: val : bool;
IntVal :: val : int;
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
13
VDM-SL AST Example 2
Stmt = BlockStmt | AssignStmt | CondStmt | ForStmt |
RepeatStmt;
BlockStmt :: decls : seq of Declaration
stmts : seq1 of Stmt;
AssignStmt :: lhs : Variable
rhs : Expr;
Variable :: id : Identifier;
CondStmt :: guard : Expr
thenst : Stmt
elsest : Stmt;
ForStmt :: start : AssignStmt
stop : Expr
stmt : Stmt;
RepeatStmt :: repeat : Stmt
until : Expr;
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
14
VDM-SL AST Example 3
Expr = BinaryExpr | Value | Variable;
BinaryExpr :: lhs : Expr
op : Operator
rhs : Expr;
Operator = <Add> | <Sub> | <Div> | <Mul> |
<Lt> | <Gt> | <Eq> | <And> |
<Or>;
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
15
Semantic Analysis of ASTs
• Environments that denote context
• StatEnv = map AST`Identifier to AST`Type;
• DynEnv = map AST`Identifier to AST`Value;
• CGEnv
= map AST`Identifier to AST`Type;
• Recursive top-down handling of analysis
• Possibly use a visitor pattern in an OO context
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
16
Evaluation of An Expression
EvalExpr : AST‘Expr * DynEnv
EvalExpr(ex, denv) ==
cases ex :
mk_AST‘BoolVal(-),
mk_AST‘IntVal(-)
mk_AST‘Variable(id)
mk_AST‘BinaryExpr(-,-,-)
end
pre is_AST‘BinaryExpr(ex) =>
-> AST‘Value
-> ex,
-> denv(id),
-> EvalBinaryExpr(ex, denv)
pre_EvalBinaryExpr(ex, denv);
EvalBinaryExpr : AST‘BinaryExpr * DynEnv -> AST‘Value
EvalBinaryExpr(mk_AST‘BinaryExpr(lhs, op, rhs), denv) ==
let v1 = EvalExpr(lhs, denv).val,
v2 = EvalExpr(rhs, denv).val
in cases op :
<Add> -> mk_AST‘IntVal(v1 + v2),
...
end
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
17
Type Checking An Expression
wf_Expr : AST‘Expr * StatEnv -> bool * [AST‘Type]
wf_Expr(ex, senv) ==
cases true :
(is_AST‘BoolVal(ex))
-> mk (true, <BoolType>),
(is_AST‘IntVal(ex))
-> mk_(true, <IntType>),
(is_AST‘Variable(ex))
-> wf Variable(ex, senv),
(is_AST‘BinaryExpr(ex)) -> wf_BinaryExpr(ex, senv),
others
-> mk_(false, <IntType>)
end;
wf_BinaryExpr : AST‘BinaryExpr * StatEnv -> bool * [AST‘Type]
wf_BinaryExpr(mk_AST‘BinaryExpr(lhs, op, rhs), senv) ==
let mk_(wf_lhs, tp_lhs) = wf_Expr(lhs, senv),
mk_(wf_rhs, tp_rhs) = wf_Expr(rhs, senv)
in cases op :
<Add>, <Sub>, <Div>, <Mul> ->
mk_(wf_lhs and wf_rhs and
tp_lhs = <IntType> and tp_rhs = <IntType>,
<IntType>),
...
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
18
The ASTGen Tool
JAVA
interfaces
JAVA
implementation
Simple
AST spec
(restricted VDM++)
ASTGEN
VDM++
Interface
classes
VDM++
Implementation
classes
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
19
Binary Expression in AST file
Expression = BinaryExpression | ...
BinaryExpression ::
lhs : Expression
op : BinaryOperator
rhs : Expression;
SimpleExpression.vdmpp
Then ASTGen will produce:
SimpleBinaryExpression.vdmpp
SimpleBinaryExpressionImpl.vdmpp
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
20
Generated VDM++ Interface Class
class SimpleBinaryExpression is subclass of SimpleExpression
operations
public getLhs: () ==> SimpleExpression
getLhs() == is subclass responsibility;
public getOp: () ==> SimpleBinaryOperator
getOp() == is subclass responsibility;
public getRhs: () ==> SimpleExpression
getRhs() == is subclass responsibility;
end SimpleBinaryExpression
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
21
Generated VDM++ Implementation
Class
class SimpleBinaryExpressionImpl is subclass of SimpleBinaryExpression
instance variables
private iv_lhs:SimpleExpression;
private iv_op:SimpleBinaryOperator;
private iv_rhs:SimpleExpression;
operations
public SimpleBinaryExpressionImpl: SimpleExpression * SimpleBinaryOperator *
SimpleExpression ==> SimpleBinaryExpressionImpl
SimpleBinaryExpressionImpl(p_lhs, p_op, p_rhs) ==
(
iv_lhs := p_lhs;
iv_op := p_op;
iv_rhs := p_rhs;
);
public getLhs: () ==> SimpleExpression
getLhs() == return iv_lhs;
public getOp: () ==> SimpleBinaryOperator
getOp() == return iv_op;
public getRhs: () ==> SimpleExpression
getRhs() == return iv_rhs;
end SimpleBinaryExpressionImpl
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
22
Code Generator Structure
VDM model to
be developed
Simple AST
Programming language AST
(developed using ASTGen)
Potential
backend
Simple parser
Programming language
concrete syntax
Simple concrete syntax
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
23
Agenda
Development Process for RT systems
Abstract Syntax Trees and analysis of ASTs
Introduction to Logic
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
24
Logic
Our ability to state invariants, record pre-conditions and
post-conditions, and the ability to reason about a formal
model depend on the logic on which the modelling language
is based.
• Classical logical propositions and predicates
• Connectives
• Quantifiers
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
25
A temperature monitor example
Temperature (C)
30
20
10
0
1
2
3
4
5
The monitor records the last
five temperature readings
TIVDM1
6
7
25
8
9
10
RT Development process, Abstract Syntax Trees
and Logic
Time (s)
5
5
10
26
A temperature monitor example
The following conditions are to be detected by the monitor:
1. Rising: the last reading in the sample is greater than the first
2. Over limit: there is a reading in the sample in excess of 400 C
3. Continually over limit: all the readings in the sample exceed
400 C
4. Safe: If readings do not exceed 400 C by the middle of the
sample, the reactor is safe. If readings exceed 400 C by the
middle of the sample, the reactor is still safe provided that the
reading at the end of the sample is less than 400 C.
5. Alarm: The alarm is to be raised if and only if the reactor is not
safe
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
27
Predicates and Propositions
Predicates are simply logical expressions. The
simplest kind of logical predicate is a
proposition.
A proposition is a logical assertion about a
particular value or values, usually involving a
Boolean operator to compare the values, e.g.
3 < 27
TIVDM1
5 = 9
RT Development process, Abstract Syntax Trees
and Logic
28
Predicates
A predicate is a logical expression that is not specific to
particular values but contains variables which can
stand for one of a range of possible values, e.g.
x < 27
(x**2) + x - 6 = 0
The truth or falsehood of a predicate depends on the
value taken by the variables.
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
29
Predicates in the monitor
example
Monitor :: temps : seq of int
alarm : bool
inv m == len m.temps = 5
Consider a monitor m. m is a sequence so we can index into
it:
First reading in m:
m.temps(1)
Last reading in m:
m.temps(5)
Predicate stating that the first reading in m is strictly
less than the last reading:
m.temps(1) < m.temps(5)
The truth of the predicate depends on the value of m.
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
30
The rising condition
The last reading in the sample is greater than the first
Monitor :: temps : seq of int
alarm : bool
inv m == len m.temps = 5
We can express the rising condition as a Boolean function:
Rising: Monitor -> bool
Rising(m) == m.temps(1) < m.temps(5)
For any monitor m, the expression Rising(m) evaluates to true iff
the last reading in the sample in m is higher than the first, e.g.
Rising( mk_Monitor([233,45,677,650,900], false) )
Rising( mk_Monitor([23,45,67,50,20], false) )
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
31
Logical Operators (Connectives)
We will examine the following logical operators:
• Negation
• Conjunction
• Disjunction
• Implication
• Biconditional
(NOT)
(AND)
(OR)
(if – then)
(if and only if)
Truth tables can be used to show how these operators
can combine propositions to compound propositions.
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
32
Negation (not)
Negation allows us to state that the opposite of some
logical expression is true, e.g.
The temperature in the monitor mon is not rising:
not Rising(mon)
Truth table for negation:
TIVDM1
P
not P
true
false
false
true
RT Development process, Abstract Syntax Trees
and Logic
33
Disjunction (or)
Disjunction allows us to express alternatives that are not
necessarily exclusive:
Over limit: There is a reading in the sample in excess of
400 C
OverLimit: Monitor -> bool
OverLimit(m) ==
m.temps(1) > 400 or
m.temps(2) > 400 or
m.temps(3) > 400 or
P
m.temps(4) > 400 or
true
m.temps(5) > 400
true
TIVDM1
Q
P or Q
true
true
false
true
false
true
true
false
false
false
RT Development process, Abstract Syntax Trees
and Logic
34
Conjunction (and)
Conjunction allows us to express the fact that all of a
collection of facts are true.
Continually over limit: all the readings in the sample exceed 400 C
COverLimit: Monitor -> bool
COverLimit(m) ==
m.temps(1) > 400 and
m.temps(2) > 400 and
m.temps(3) > 400 and
m.temps(4) > 400 and
m.temps(5) > 400
TIVDM1
P
Q
P and Q
true
true
true
true
false
false
false
true
false
false
false
false
RT Development process, Abstract Syntax Trees
and Logic
35
Implication
Implication allows us to express facts which are only true
under certain conditions (“if … then …”):
Safe: If readings do not exceed 400 C by the middle of
the sample, the reactor is safe. If readings exceed 400 C
by the middle of the sample, the reactor is still safe
provided that the reading at the end of the sample is less
than 400 C.
Safe: Monitor -> bool
Safe(m) ==
m.temps(3) > 400 =>
m.temps(5) < 400
TIVDM1
P
Q
P => Q
true
true
true
true
false
false
false
true
true
false
false
true
RT Development process, Abstract Syntax Trees
and Logic
36
Biimplication
Biimplication allows us to express equivalence (“if and only if”).
Alarm: The alarm is to be raised if and only if the reactor is not
safe
This can be recorded as an invariant property:
Monitor :: temps : seq of int
alarm : bool
inv m ==
len m.temps = 5 and
not Safe(m.temps) <=> m.alarm
TIVDM1
P
Q
P <=> Q
true
true
true
true
false
false
false
true
false
false
false
true
RT Development process, Abstract Syntax Trees
and Logic
37
Operator Precedence and
Associativity
• not has the highest precedence
• Followed by and, or, => and <=> in that order
• => has right grouping i.e.
o A => B => C without brackets means
o A => (B => C)
• The other logical operators are associative so right
and left grouping are equivalent, i.e.
o A and (B and C) is identical to (A and B) and C
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
38
Quantifiers
For large collections of values, using a variable makes more
sense than dealing with each case separately.
inds m.temps
represents indices (1-5) of the sample
The “over limit” condition can then be expressed more
economically as:
exists i in set inds m.temps & m.temps(i) > 400
The “continually over limit” condition can then be expressed
using “forall”:
COverLimit: Monitor -> bool
COverLimit(m) ==
forall i in set inds m.temps & m.temps(i) > 400
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
39
Quantifiers
Syntax:
forall
binding & predicate
exists
binding & predicate
There are two types of binding:
Type Binding, e.g.
x : nat
n : seq of char
Set Binding, e.g.
i in set inds m
x in set {1,…,20}
TIVDM1
A type binding lets the
bound variable range
over a type (a possibly
infinite collection of
values).
A set binding lets the
bound variable range
over a finite set of
values.
RT Development process, Abstract Syntax Trees
and Logic
40
Questions
Formulate the following statements using predicate logic:
• Everybody likes Danish pastry
• Everybody either likes Danish pastry or is a vegetarian
• Either everybody likes Danish pastry or everybody is a
vegetarian
Are the last two statements equivalent?
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
41
Questions
Formulate the following statements using predicate logic:
• Somebody likes Danish pastry
• There is somebody who either likes Danish pastry or is
a vegetarian
• Either somebody likes Danish pastry or somebody is a
vegetarian
Are the last two statements equivalent?
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
42
Quantifiers
Several variables may be bound at once by a single
quantifier, e.g.
forall x,y in set {1,…,5} &
X <> y => not m.temps(x) = m.temps(y)
Would this predicate be true for the following value of
m.temps ?
[320, 220, 105, 119, 150]
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
43
Formulation Questions
All the readings in the sample are less than 400 and greater than 50.
forall i in set inds m.temps &
m.temps(i) < 400 and m.temps(i) > 50
Each reading in the sample is up to 10 greater than its predecessor.
forall i in set inds m.temps\{1} &
m.temps(i – 1) + 10 <= m.temps(i)
There are two distinct readings in the sample which are over 400.
exists i,j in set inds m.temps &
i <> j and m.temps(i) > 400 and m.temps(j) > 400
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
44
Combination of quantifiers
• Assume we have a predicate with two free variables
P(x,y) where x : X and y : Y
• Then quantifiers can be combined:
• forall y : Y & exists x : X & P(x,y) or
• exists y : Y & forall x : X & P(x,y)
• Would these be equal if X, Y are int and P = x >y?
• However if the same quantifier was used both places
the expressions would be equivalent:
• forall
forall
• exists
exists
TIVDM1
y
x
y
x
:
:
:
:
Y
X
Y
X
&
&
&
&
forall
forall
exists
exists
x
y
x
y
:
:
:
:
X
Y
X
Y
RT Development process, Abstract Syntax Trees
and Logic
&
&
&
&
P(x,y)
P(x,y)
P(x,y)
P(x,y)
45
Quantifiers
Suppose we have to formalise the following property:
There is a “single minimum” in the sequence of
readings, i.e. there is a reading which is strictly smaller
than any of the other readings.
exists i in set inds m.temps &
forall j in set inds m.temps &
i <> j => m.temps(i) < m.temps(j)
Suppose the order of the quantifiers is reversed.
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
46
Questions
• Translate the following into English:
• forall x:Elephant & grey(x)
• forall x:ANIMAL &
elephant(x) => grey(x)
• exists x : ANIMAL &
bird(x) and
has_wings(x) and
not flies(x)
• Represent the following using predicate logic formulae:
• “Joanne is a teacher, she teaches AI, and likes
chocolate.”
• “Some teachers do not like chocolate”
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
47
Questions
• What is the truth value for the following expressions?
•
•
•
•
•
•
•
•
•
TIVDM1
forall x in set {2,4,6} & IsEven(x)
forall xxx in set {} & xxx = 8
exists b in set {} & b > 0
exists1 x in set {1,2,6,42} & not IsEven(x)
forall x : nat & x < 5 => x ** 2 > 4
exists x : nat & x < 5 => x ** 2 > 4
forall y : nat & y < 5 => y < 20
forall y in set power {1,2} & card y = 2
not forall w : nat &
z < 4 => exists x : nat & z < x ** 2
RT Development process, Abstract Syntax Trees
and Logic
48
Summary
• What have I presented today?
• Development Process for RT systems
• Abstract syntax trees and analysis of ASTs
• Introduction to Logic
• What do you need to do now?
•
•
•
•
•
TIVDM1
Read chapter 4 and 5 of the book for next week
Read existing material about the selected project
Formulate a new requirements definition for the project
Start modelling your project in VDM++ using Overture
Present about this project for the rest of us
RT Development process, Abstract Syntax Trees
and Logic
49
Quote of the day
The successful construction of all machinery depends on
the perfection of the tools employed, and whoever is
the master in the art of tool-making possesses the key
to the construction of all machines.
Charles Babbage, 1851
TIVDM1
RT Development process, Abstract Syntax Trees
and Logic
50