Upload
vaughan-mckenzie
View
111
Download
0
Embed Size (px)
DESCRIPTION
An introduction to specification in VDM-SL. At the end of this lecture you should be able to:. write a formal specification of a system in VDM-SL ; correlate the components of a UML class diagram with those of a VDM specification ; - PowerPoint PPT Presentation
Citation preview
An introduction to specification in VDM-SL
At the end of this lecture you should be able to:
• write a formal specification of a system in VDM-SL;
• correlate the components of a UML class diagram with those of a VDM specification;
• declare constants and specify functions to enhance the specification;
• explain the use of a state invariant to place a global constraint on the system;
• explain the purpose of the nil value in VDM.
The Incubator case study
The temperature of the incubator needs to be carefully controlled and monitored;
Safety requirements :
-10 Celsius TEMPERATURE +10 Celsius
The UML specification
IncubatorMonitor
temp : Integer
increment() decrement()getTemp() : Integer
Specifying the ‘state’ in VDM-SL
IncubatorMonitor
temp : Integer
increment() decrement()getTemp() : Integer
IncubatorMonitor
temp : Integer
increment() decrement()getTemp() : Integer
The VDM state refers to the permanent data stored by the system.
In VDM-SL we use mathematical types
The intrinsic types available in VDM-SL
: natural numbers (positive whole numbers)
1 : natural numbers excluding zero
: integers (positive and negative whole numbers)
: real numbers (positive and negative numbers that can include a fractional part)
: boolean values (true or false)
Char : the set of alphanumeric characters
Specifying the state of the Incubator Monitor System
IncubatorMonitor
temp : Integer
increment() decrement()getTemp() : Integer
state IncubatorMonitor of
end
temp :
UML VDM-SL
Specifying the operations in VDM-SL
IncubatorMonitor
temp : Integer
increment() decrement()getTemp() : Integer
Each operation specified in VDM-SL as follows:
the operation headerthe external clausethe preconditionthe postcondition
IncubatorMonitor
temp : Integer
increment() decrement()getTemp() : Integer
increment()
ext ?
pre ?
post ?
temp < 10
wr ?temp :
temp = + 1temp
+ 1 = temptemp
temp - = 1temp
temp > temp
IncubatorMonitor
temp : Integer
increment() decrement()getTemp() : Integer
decrement()
ext ?
pre ?
post ?
temp > -10
temp = - 1temp
wr ?temp :
IncubatorMonitor
temp : Integer
increment() decrement()getTemp() : Integer
getTemp( )
ext ?
pre ?
post ?
currentTemp :
rd temp :
currentTemp = temp
TRUE
Declaring constants
Constants are specified using the keyword values.
The declaration would come immediately before the state definition:
valuesMAX : = 10MIN : = -10
decrement()
ext wr temp :
pre temp > -10
post temp = - 1temp
MIN
Specifying functions
hasPassed
36
79
50
FALSE
TRUE
There are two ways in which we can specify a function in VDM-SL:
Explicitly and implicitly
Specifying a function explicitly
Example
add: add(x, y) ∆ x + y
signature definition
Specifying a function implicitly
add( )pre ?post ?
x , y: : z
z = x + yTRUE
:
An absolute function defined implicitly
abs( )pre ?post ?
z :
r :
z<0 r = -z z 0 r = zTRUE
An absolute function defined explicitly
abs: abs(z) ∆ if z < 0
then -z else z
Two special functions
The state invariant and initialisation
inv
State
Returns true if the state meets global constraint and false otherwise
Adding a state invariant into the IncubatorMonitor system
inv ? ?
-10 Celsius TEMPERATURE +10 Celsius
Adding a state invariant into the IncubatorMonitor system
inv mk-IncubatorMonitor(t) ?
-10 Celsius TEMPERATURE +10 Celsius
Adding a state invariant into the IncubatorMonitor system
inv mk-IncubatorMonitor(t) MIN t MAX
-10 Celsius TEMPERATURE +10 Celsius
init
State
Returns true if the correct initial values have been given to the state and false otherwise
Specifying an initialization function
We will assume that when the incubator is turned on, its temperature should be adjusted until a steady 5 degrees Celsius is obtained.
init ? ?
Specifying an initialization function
We will assume that when the incubator is turned on, its temperature should be adjusted until a steady 5 degrees Celsius is obtained.
init mk-IncubatorMonitor(t) ?
Specifying an initialization function
We will assume that when the incubator is turned on, its temperature should be adjusted until a steady 5 degrees Celsius is obtained.
init mk-IncubatorMonitor(t) t = 5
The modified state specification
valuesMAX : = 10MIN : = -10
state IncubatorMonitor of temp : inv mk-IncubatorMonitor(t) MIN t MAX
init mk-IncubatorMonitor(t) t = 5
end
Improving the Incubator System
IncubatorController
requestedTemp : IntegeractualTemp : Integer
setIInitialTemp(Integer)requestChange(Integer) : Signalincrement( ) : Signaldecrement( ) : SignalgetRequestedTemp( ) : IntegergetActualTemp( ) : Integer
Improving the Incubator System
IncubatorController
requestedTemp : IntegeractualTemp : Integer
setIInitialTemp(Integer)requestChange(Integer) : Signalincrement( ) : Signaldecrement( ) : SignalgetRequestedTemp( ) : IntegergetActualTemp( ) : Integer
Signal is an enumerated type
A standard method of marking a UML class as an enumerated type is to add <<enumeration>> above the type name:
Enumerated types in UML
<<enumeration>>Signal
INCREASEDECREASE
DO_NOTHING
In VDM-SL the types clause is the appropriate place to define new types.
Enumerated types in VDM-SL
typesSignal = <INCREASE>|< DECREASE>|< DO_NOTHING>
values…..
state…..
end
The nil value
It is common in the programming world for a value to be undefined
VDM-SL allows for this concept by including the possibility of a term or expression having the value nil, meaning that it is undefined;
x : ‘x’ must be a natural number
The nil value
It is common in the programming world for a value to be undefined
VDM-SL allows for this concept by including the possibility of a term or expression having the value nil, meaning that it is undefined;
x : [] ‘x’ can be a natural number or nil
The nil value
It is common in the programming world for a value to be undefined
VDM-SL allows for this concept by including the possibility of a term or expression having the value nil, meaning that it is undefined;
x : []
When the incubator system first comes into being, the actual and requested values will be undefined, and must therefore be set to nil.
Specifying the IncubatorController state
state IncubatorController of
requestedTemp : ?
actualTemp : ?
IncubatorController
requestedTemp : IntegeractualTemp : Integer
setIInitialTemp(Integer)requestChange(Integer) : Signalincrement() : Signaldecrement() : SignalgetRequestedTemp() : IntegergetActualTemp() : Integer
Specifying the IncubatorController state
state IncubatorController of
requestedTemp :
actualTemp :
IncubatorController
requestedTemp : IntegeractualTemp : Integer
setIInitialTemp(Integer)requestChange(Integer) : Signalincrement() : Signaldecrement() : SignalgetRequestedTemp() : IntegergetActualTemp() : Integer
Specifying the IncubatorController state
state IncubatorController of
requestedTemp : [ ]
actualTemp : [ ]
IncubatorController
requestedTemp : IntegeractualTemp : Integer
setIInitialTemp(Integer)requestChange(Integer) : Signalincrement() : Signaldecrement() : SignalgetRequestedTemp() : IntegergetActualTemp() : Integer
The invariant
inv mk-IncubatorController (r, a)
MIN r MAX
state IncubatorController of
requestedTemp : [ ]
actualTemp : [ ]
The requested temperature
must be in the range of -10 to +10 degrees
The invariant
inv mk-IncubatorController (r, a)
MIN r MAX
state IncubatorController of
requestedTemp : [ ]
actualTemp : [ ]
The requested temperature
must be in the range of -10 to +10 degrees
The requested temperature could be nil
r = nil
The invariant
inv mk-IncubatorController (r, a)
state IncubatorController of
requestedTemp : [ ]
actualTemp : [ ]
The requested temperature
must be in the range of -10 to +10 degrees
The requested temperature could be nil
(MIN r MAX r = nil)
The invariant
inv mk-IncubatorController (r, a)
state IncubatorController of
requestedTemp : [ ]
actualTemp : [ ]The actual temperature
must be in the range of -10 to +10 degrees
(MIN r MAX r = nil)
MIN a MAX
The invariant
inv mk-IncubatorController (r, a)
state IncubatorController of
requestedTemp : [ ]
actualTemp : [ ]The actual temperature
must be in the range of -10 to +10 degrees
(MIN r MAX r = nil)
MIN a MAX
The actual temperature could be nil
a = nil
The invariant
inv mk-IncubatorController (r, a)
state IncubatorController of
requestedTemp : [ ]
actualTemp : [ ]The actual temperature
must be in the range of -10 to +10 degrees
(MIN r MAX r = nil)
(MIN a MAX a = nil)
The requested temperature
must be in the range of -10 to +10 degrees
The actual temperature could be nil
The requested temperature could be nil
The invariant
inv mk-IncubatorController (r, a)
state IncubatorController of
requestedTemp : [ ]
actualTemp : [ ]
(MIN r MAX r = nil)
(MIN a MAX a = nil)
Improving the readability of the spec by using a function
inRange( )pre post
val : result :
result MIN val MAX
TRUE
inv mk-IncubatorController (r, a) (inRange(r) r = nil) (inRange(a) a = nil)
The initialisation function
init mk-IncubatorController (r, a) r = nil a = nil
Specifying the setInitialTemp operation
setInitialTemp( )
ext
pre
post
tempIn :
wr actualTemp : []
actualTemp = tempIn
inRange(tempIn) actualTemp = nil
The requestChange operation
requestChange( )
ext
pre
post
tempIn : signalOut : Signal
requestedTemp : []wr
actualTemp : []rd
requestedTemp = tempIn
(
)
signalOut = <INCREASE>
signalOut = <DECREASE>
signalOut = <DO_NOTHING>
tempIn < actualTemp
tempIn > actualTemp
tempIn = actualTemp
actualTemp nilinRange(tempIn)
The increment operation
increment ()
ext
pre
post
signalOut : Signal
requestedTemp : []rd
actualTemp : []wr
actualTemp
actualTemp = actualTemp + 1
signalOut = <INCREASE>
signalOut = <DO_NOTHING>
(
)
actualTemp < requestedTemp
actualTemp = requestedTemp
actualTemp < requestedTemp
requestedTemp nil actualTemp nil
The getRequestedTemp operation
getRequestedTemp()
ext
pre
post
currentRequested : []
requestedTemp : []rd
currentRequested = requestedTemp
TRUE
The getActualTemp operation
getActualTemp()
ext
pre
post
currentActual : []
actualTemp : []rd
currentActual = actualTemp
TRUE
A standard template for VDM-SL specifications
typesSomeType = …..
valuesconstantName : ConstantType = someValue
state SystemName ofattribute1 : Type
:attributen : Type
inv mk-SystemName(i1:Type, ..., in:Type) Expression(i1, ..., in)
init mk-SystemName(i1:Type, ..., in:Type) Expression(i1, ..., in)end functions
specification of functions .....operations
specification of operations .....