An introduction to specification in VDM-SL

Download Report

Transcript An introduction to specification in VDM-SL 

An introduction to specification in VDM-SL
At the end of this lecture you should be able to:
•
write a formal specification of a system in VDM-SL;
•
correlate the components of a UML class diagram with
those of a VDM specification;
•
declare constants and specify functions to enhance the
specification;
•
explain the use of a state invariant to place a global
constraint on the system;
•
explain the purpose of the nil value in VDM.
The Incubator case study
The temperature of the
incubator needs to be carefully
controlled and monitored;
Safety requirements :
-10 Celsius
TEMPERATURE
+10 Celsius
The UML specification
IncubatorMonitor
temp : Integer
increment()
decrement()
getTemp() : Integer
Specifying the ‘state’ in VDM-SL
IncubatorMonitor
temp : Integer
increment()
decrement()
getTemp() : Integer
The VDM
state refers
to the
permanent
data stored
by the
system.
IncubatorMonitor
temp : Integer
increment()
decrement()
getTemp() : Integer
In VDM-SL we use mathematical types
The intrinsic types available in VDM-SL
:
natural numbers (positive whole numbers)
1 :
natural numbers excluding zero
:
integers (positive and negative whole numbers)
:
real numbers (positive and negative numbers
that can include a fractional part)
:
boolean values (true or false)
Char : the set of alphanumeric characters
Specifying the state of the Incubator Monitor System
UML
IncubatorMonitor
VDM-SL
state IncubatorMonitor of
temp :
temp : Integer
increment()
decrement()
getTemp() : Integer
end

Specifying the operations in VDM-SL
IncubatorMonitor
temp : Integer
increment()
decrement()
getTemp() : Integer
Each operation specified in
VDM-SL as follows:
the operation header
the external clause
the precondition
the postcondition
IncubatorMonitor
temp : Integer
increment()
decrement()
getTemp() : Integer
increment()
ext
? temp
wr
? :
< 10
pre temp
?
post temp
?
temp => temp
temp + 1
temp + 1 = temp
temp - temp = 1
IncubatorMonitor
temp : Integer
increment()
decrement()
getTemp() : Integer
decrement()
ext
? temp
wr
? :
> -10
pre temp
?
post ?
temp = temp - 1
IncubatorMonitor
temp : Integer
increment()
decrement()
getTemp() : Integer
getTemp( ) currentTemp :
 :
ext rd
? temp

pre TRUE
?
= temp
post currentTemp
?
Declaring constants
Constants are specified using the keyword values.
The declaration would come immediately before the state
definition:
values
MAX :  = 10
MIN :  = -10
decrement()
temp : 
ext
wr
pre
MIN
temp > -10
post
temp =
temp - 1
Specifying functions
36

79
50
hasPassed
FALSE
TRUE

There are two ways in which we can
specify a function in VDM-SL:
Explicitly and implicitly
Specifying a function explicitly
Example
add:    
add(x, y) ∆ x + y
signature
definition
Specifying a function implicitly
add( x :  , y :  ) z : 
pre ?TRUE
z=x+y
post ?
An absolute function defined implicitly
abs(z : ) r : 
pre  TRUE
?
post z<0
?  r = -z  z  0  r = z
An absolute function defined explicitly
abs:   
abs(z) ∆ if z < 0
then -z
else z
Two special functions
The state invariant and initialisation
State
inv

Returns true if the
state meets global
constraint and false
otherwise
Adding a state invariant into
the IncubatorMonitor system
-10 Celsius
inv
TEMPERATURE
?

+10 Celsius
?
Adding a state invariant into
the IncubatorMonitor system
-10 Celsius
TEMPERATURE
inv mk-IncubatorMonitor(t) 
+10 Celsius
?
Adding a state invariant into
the IncubatorMonitor system
-10 Celsius
TEMPERATURE
+10 Celsius
inv mk-IncubatorMonitor(t)  MIN  t  MAX
State
init

Returns true if the
correct initial values
have been given to the
state and false otherwise
Specifying an initialization function
We will assume that when the incubator is turned
on, its temperature should be adjusted until a
steady 5 degrees Celsius is obtained.
init
?

?
Specifying an initialization function
We will assume that when the incubator is turned
on, its temperature should be adjusted until a
steady 5 degrees Celsius is obtained.
init mk-IncubatorMonitor(t) 
?
Specifying an initialization function
We will assume that when the incubator is turned
on, its temperature should be adjusted until a
steady 5 degrees Celsius is obtained.
init mk-IncubatorMonitor(t)  t = 5
The modified state specification
values
MAX :  = 10
MIN :  = -10
state IncubatorMonitor of
temp : 
inv mk-IncubatorMonitor(t)  MIN  t  MAX
init mk-IncubatorMonitor(t)  t = 5
end
Improving the Incubator System
IncubatorController
requestedTemp : Integer
actualTemp : Integer
setIInitialTemp(Integer)
requestChange(Integer) : Signal
increment( ) : Signal
decrement( ) : Signal
getRequestedTemp( ) : Integer
getActualTemp( ) : Integer
Improving the Incubator System
IncubatorController
requestedTemp : Integer
actualTemp : Integer
setIInitialTemp(Integer)
requestChange(Integer) : Signal
increment( ) : Signal
decrement( ) : Signal
getRequestedTemp( ) : Integer
getActualTemp( ) : Integer
Signal is an
enumerated
type
Enumerated types in UML
A standard method of marking a UML class as an
enumerated type is to add <<enumeration>> above
the type name:
<<enumeration>>
Signal
INCREASE
DECREASE
DO_NOTHING
Enumerated types in VDM-SL
In VDM-SL the types clause is the appropriate
place to define new types.
types
Signal = <INCREASE>|<
values
…..
state
…..
end
DECREASE>|< DO_NOTHING>
The nil value
It is common in the programming world for a value to be undefined
VDM-SL allows for this concept by including the possibility of a term
or expression having the value nil, meaning that it is undefined;
x:
‘x’ must be a
natural number
The nil value
It is common in the programming world for a value to be undefined
VDM-SL allows for this concept by including the possibility of a term
or expression having the value nil, meaning that it is undefined;
x : []
‘x’ can be a
natural
number or nil
The nil value
It is common in the programming world for a value to be undefined
VDM-SL allows for this concept by including the possibility of a term
or expression having the value nil, meaning that it is undefined;
x : []
When the incubator system first comes into being, the actual
and requested values will be undefined, and must therefore be
set to nil.
Specifying the IncubatorController state
IncubatorController
requestedTemp : Integer
actualTemp : Integer
setIInitialTemp(Integer)
requestChange(Integer) : Signal
increment() : Signal
decrement() : Signal
getRequestedTemp() : Integer
getActualTemp() : Integer
state IncubatorController of
requestedTemp : ?
actualTemp : ?
Specifying the IncubatorController state
IncubatorController
requestedTemp : Integer
actualTemp : Integer
setIInitialTemp(Integer)
requestChange(Integer) : Signal
increment() : Signal
decrement() : Signal
getRequestedTemp() : Integer
getActualTemp() : Integer
state IncubatorController of
requestedTemp : 
actualTemp : 
Specifying the IncubatorController state
IncubatorController
requestedTemp : Integer
actualTemp : Integer
setIInitialTemp(Integer)
requestChange(Integer) : Signal
increment() : Signal
decrement() : Signal
getRequestedTemp() : Integer
getActualTemp() : Integer
state IncubatorController of
requestedTemp : [ 
]
actualTemp : [  ]
The invariant
state IncubatorController of
The requested
temperature
must be in the
range of -10 to
+10 degrees
requestedTemp : [ 
]
actualTemp : [  ]
inv mk-IncubatorController (r, a) 
MIN  r  MAX
The invariant
state IncubatorController of
The requested
temperature
must be in the
range of -10 to
+10 degrees
requestedTemp : [ 
]
actualTemp : [  ]
inv mk-IncubatorController (r, a) 
MIN  r  MAX
r = nil
The requested
temperature
could be nil
The invariant
state IncubatorController of
The requested
temperature
must be in the
range of -10 to
+10 degrees
requestedTemp : [ 
]
actualTemp : [  ]
inv mk-IncubatorController (r, a) 
(MIN  r  MAX  r = nil)
The requested
temperature
could be nil
The invariant
state IncubatorController of
requestedTemp : [ 
The actual
temperature
must be in the
range of -10 to
+10 degrees
]
actualTemp : [  ]
inv mk-IncubatorController (r, a) 
(MIN  r  MAX  r = nil)
MIN  a  MAX
The invariant
state IncubatorController of
requestedTemp : [ 
The actual
temperature
must be in the
range of -10 to
+10 degrees
]
actualTemp : [  ]
The actual
temperature
could be nil
inv mk-IncubatorController (r, a) 
(MIN  r  MAX  r = nil)
MIN  a  MAX
a = nil
The invariant
The requested
temperature
must be in the
range of -10 to
+10 degrees
The actual
temperature
must be in the
range of -10 to
+10 degrees
state IncubatorController of
The requested
temperature
could be nil
requestedTemp : [ 
]
actualTemp : [  ]
The actual
temperature
could be nil
inv mk-IncubatorController (r, a) 
(MIN  r  MAX  r = nil)
(MIN  a  MAX  a = nil)
The invariant
state IncubatorController of
requestedTemp : [ 
]
actualTemp : [  ]
inv mk-IncubatorController (r, a) 
(MIN  r  MAX  r = nil)

(MIN  a  MAX  a = nil)
Improving the readability of the
spec by using a function
inRange( val :
) result : 

pre TRUE
post result  MIN  val  MAX
inv mk-IncubatorController (r, a) 
(inRange(r)  r = nil)  (inRange(a)  a = nil)
The initialisation function
init mk-IncubatorController (r, a) 
r = nil  a = nil
Specifying the setInitialTemp operation
setInitialTemp( tempIn : )
ext
wr actualTemp : []
pre
inRange(tempIn)  actualTemp = nil
post actualTemp = tempIn
The requestChange operation
requestChange( tempIn :
) signalOut : Signal

ext
wr requestedTemp : []
rd
actualTemp : []
pre
inRange(tempIn)  actualTemp  nil
post
requestedTemp = tempIn 
( tempIn > actualTemp  signalOut = <INCREASE>
 tempIn < actualTemp  signalOut = <DECREASE>
 tempIn = actualTemp  signalOut = <DO_NOTHING> )
actualTemp
The increment operation
increment () signalOut : Signal
ext
rd
requestedTemp : []
wr
pre
actualTemp :
[]
actualTemp
< requestedTemp
 actualTemp  nil  requestedTemp  nil
post

( actualTemp < requestedTemp  signalOut = <INCREASE>

actualTemp = requestedTemp  signalOut = <DO_NOTHING> )
actualTemp = actualTemp + 1
The getRequestedTemp operation
getRequestedTemp() currentRequested : []
requestedTemp : []
ext
rd
pre
TRUE
post
currentRequested = requestedTemp
The getActualTemp operation
getActualTemp() currentActual : []
actualTemp : []
ext
rd
pre
TRUE
post
currentActual = actualTemp
A standard template for VDM-SL specifications
types
SomeType = …..
values
constantName : ConstantType = someValue
state SystemName of
attribute1 : Type
:
attributen : Type
inv mk-SystemName(i1:Type, ..., in:Type)  Expression(i1, ..., in)
init mk-SystemName(i1:Type, ..., in:Type)  Expression(i1, ..., in)
end
functions
specification of functions .....
operations
specification of operations .....