TIVDM1Development process, Logic and VDMTools and Eclipse 1 RT development process, Logic and VDMTools and Eclipse support Peter Gorm Larsen

TIVDM1 Development process, Logic and VDMTools and Eclipse

1

RT development process, Logic and VDMTools and Eclipse support

Peter Gorm Larsen


2

Agenda

Development Process for RT systems• Introduction to Logic• Overview of VDMTools® Functionality and Eclipse

support


3

Reactive systems Nature

The World

Environment System

stimuli

response


4

Overview of Development Process


5

General use case for anembedded system


6

Capturing Requirements in VDM-SL

operations

PerformSystemReaction: seq of SensorInput ==> seq of ActuatorCommand PerformSystemReaction(inputseq) == if inputseq = [] then [] else SensorTreatment(hd inputseq) ^ PerformSystemReaction(tl inputseq)

An accumulating parameter can be used for feedback


7

Sequential Design Model


8

Typical Design Structure

• An Environment class is needed• A SystemName class is needed• A World class is introduced for setting up both the

environment and the system• World shall contain a Run operation• World have access to some notion of time• The Environment has operation for creating signals to

the system and receiving events from the system• Flow of control resides with the Environment• Each class that do actions has an isFinished

operation


9

Concurrent Design Model

• Similar to sequential design model but• Identification of threads

• Determine necessary communication

• Establish synchronization points

• Validation of model

• Typical design structure• Flow of control is distributed

• Synchronization using permission predicates and mutex• isFinished operations become skip with permission

predicates

• A simple Timer class is replaced with the TimeStamp class


10

Concurrent Real-Time and Distributed Design Model

• Timing built in:• Use of default durations

• Use of duration and cycles statements

• Setting task switching overhead• Typical Design Structure

• SystemName is now turned into a system• CPU’s and BUS’es are introduced inside SystemName• Environment may be turned into a system

• Some operations are made asynchronous

• Some Step like threads are made periodic• Explicit use of TimeStamp is removed


11

Agenda

Development Process for RT systems Introduction to Logic• Overview of VDMTools® Functionality and Eclipse

support


12

Logic

Our ability to state invariants, record pre-conditions and post-conditions, and the ability to reason about a formal model depend on the logic on which the modelling language is based.

• Classical logical propositions and predicates

• Connectives

• Quantifiers


13

A temperature monitor example

30

20

10

01 2 3 4 5 6 7 8 9

Temperature (C)

Time (s)

The monitor records the last five temperature readings 25 105510


14

A temperature monitor example

The following conditions are to be detected by the monitor:

1. Rising: the last reading in the sample is greater than the first

2. Over limit: there is a reading in the sample in excess of 400 C

3. Continually over limit: all the readings in the sample exceed 400 C

4. Safe: If readings do not exceed 400 C by the middle of the sample, the reactor is safe. If readings exceed 400 C by the middle of the sample, the reactor is still safe provided that the reading at the end of the sample is less than 400 C.

5. Alarm: The alarm is to be raised if and only if the reactor is not safe


15

Predicates and Propositions

Predicates are simply logical expressions. The simplest kind of logical predicate is a proposition.

A proposition is a logical assertion about a particular value or values, usually involving a Boolean operator to compare the values, e.g.

3 < 27 5 = 9


16

PredicatesA predicate is a logical expression that is not specific to particular values but contains variables which can stand for one of a range of possible values, e.g.

x < 27

(x**2) + x - 6 = 0

The truth or falsehood of a predicate depends on the value taken by the variables.


17

Predicates in the monitor example

Monitor :: temps : seq of int alarm : bool

inv m == len m.temps = 5

Consider a monitor m. m is a sequence so we can index into it:

First reading in m:

Last reading in m:

Predicate stating that the first reading in m is strictly less than the last reading:

The truth of the predicate depends on the value of m.

m.temps(1)

m.temps(5)

m.temps(1) < m.temps(5)


18

The rising condition

The last reading in the sample is greater than the first


inv m == len m.temps = 5

We can express the rising condition as a Boolean function:

Rising: Monitor -> bool

Rising(m) == m.temps(1) < m.temps(5)

For any monitor m, the expression Rising(m) evaluates to true iff the last reading in the sample in m is higher than the first, e.g.

Rising( mk_Monitor([233,45,677,650,900], false) )

Rising( mk_Monitor([23,45,67,50,20], false) )


19

Logical Operators (Connectives)

We will examine the following logical operators:

• Negation (NOT)• Conjunction (AND)• Disjunction (OR)• Implication (if – then)• Biconditional (if and only if)

Truth tables can be used to show how these operators can combine propositions to compound propositions.


20

Negation (not)

Negation allows us to state that the opposite of some logical expression is true, e.g.

The temperature in the monitor mon is not rising:

not Rising(mon)

Truth table for negation:P P

true false

false true


21

Disjunction (or)

Disjunction allows us to express alternatives that are not necessarily exclusive:

Over limit: There is a reading in the sample in excess of 400 C

OverLimit: Monitor -> bool

OverLimit(m) == m.temps(1) > 400 or m.temps(2) > 400 or m.temps(3) > 400 or m.temps(4) > 400 or m.temps(5) > 400

P Q PQtrue true true

true false true

false true true

false false false


22

Conjunction (and)

Conjunction allows us to express the fact that all of a collection of facts are true.

Continually over limit: all the readings in the sample exceed 400 C

COverLimit: Monitor -> bool

COverLimit(m) ==

m.temps(1) > 400 and m.temps(2) > 400 and m.temps(3) > 400 and m.temps(4) > 400 and m.temps(5) > 400

P Q PQ

true true true

true false false

false true false

false false false


23

ImplicationImplication allows us to express facts which are only true under certain conditions (“if … then …”):

Safe: If readings do not exceed 400 C by the middle of the sample, the reactor is safe. If readings exceed 400 C by the middle of the sample, the reactor is still safe provided that the reading at the end of the sample is less than 400 C.

Safe: Monitor -> bool

Safe(m) ==

m.temps(3) > 400 =>

m.temps(5) < 400

P Q PQ

true true true

true false false

false true true

false false true


24

BiimplicationBiimplication allows us to express equivalence (“if and only if”).

Alarm: The alarm is to be raised if and only if the reactor is not safe

This can be recorded as an invariant property:


inv m ==

len m.temps = 5 and

not Safe(m.temps) <=> m.alarm

P Q PQ

true true true

true false false

false true false

false false true


25

Operator Precedence and Associativity

• not has the highest precedence• Followed by and, or, => and <=> in that order• => has right grouping i.e.

o A => B => C without brackets meanso A => (B => C)

• The other logical operators are associative so right and left grouping are equivalent, i.e.o A and (B and C) is identical to (A and B) and C


26

Quantifiers

For large collections of values, using a variable makes more sense than dealing with each case separately.

inds m.temps represents indices (1-5) of the sample

The “over limit” condition can then be expressed more economically as:

exists i in set inds m.temps & temps(i) > 400

The “continually over limit” condition can then be expressed using “forall”:

COverLimit: Monitor -> boolCOverLimit(m) == forall i in set inds m.temps & temps(i) > 400


27

QuantifiersSyntax:

forall binding & predicate

exists binding & predicate

There are two types of binding:

Type Binding, e.g.

x : nat

n : seq of char

Set Binding, e.g.

i in set inds m

x in set {1,…,20}

A type binding lets the bound variable range over a type (a possibly infinite collection of values).

A set binding lets the bound variable range over a finite set of values.


28

Universal quantification

• Universal quantification is a generalised form of conjunction

• For example, the statement “every natural number is greater than or equal to zero” is denoted by

n: nat n 0 ( is a turned-round “A”, “for All” and written as “forall” in ASCII)

“for all n drawn from the natural numbers,

n is greater than or equal to zero”• This statement is equivalent to (and a lot more

succinct than):

0 0 1 0 2 0 3 0 …


29

Questions

Formulate the following statements using predicate logic:

• Everybody likes Danish pastry

• Everybody either likes Danish pastry or is a vegetarian

• Either everybody likes Danish pastry or everybody is a

vegetarian

Are the last two statements equivalent?


30

Existential quantification

• Existential quantification allows us to assert that a predicate holds for at least one value — but not necessarily all values — of a given set

• For example, the statement “there is a natural number that is greater than or equal to zero” is denoted by:

n: nat n 0 ( is a turned-round “E”, “there Exists” and written as “exists” in ASCII)

“there exists an n drawn from the natural numbers such that n is greater than or equal to zero”

0 0 1 0 2 0 3 0 …


31

Questions

Formulate the following statements using predicate logic:

• Somebody likes Danish pastry

• There is somebody who either likes Danish pastry or is

a vegetarian

• Either somebody likes Danish pastry or somebody is a

vegetarian

Are the last two statements equivalent?


32

Quantifiers

Several variables may be bound at once by a single quantifier, e.g.

forall x,y in set {1,…,5} &

X <> y => not m.temps(x) = m.temps(y)

Would this predicate be true for the following value of m.temps ?

[320, 220, 105, 119, 150]


33

Formulation Questions

All the readings in the sample are less than 400 and greater than 50.

Each reading in the sample is up to 10 greater than its predecessor.

There are two distinct readings in the sample which are over 400.

forall i in set inds m.temps & m.temps(i) < 400 and m.temps(i) > 50

forall i in set inds m.temps\{1} & m.temps(i – 1) + 10 <= m.temps(i)

exists i,j in set inds m.temps & i <> j and m.temps(i) > 400 and m.temps(j) > 400


34

Combination of quantifiers

• Assume we have a predicate with two free variables P(x,y) where x : X and y : Y

• Then quantifiers can be combined: y : Y x : X P(x,y) or y : Y x : X P(x,y)

• Would these be equal if X, Y are int and P = x >y?• However if the same quantifier was used both places

the expressions would be equivalent: y : Y x : X P(x,y) x : X y : Y P(x,y) y : Y x : X P(x,y) x : X y : Y P(x,y)


35

Quantifiers

Suppose we have to formalise the following property:

There is a “single minimum” in the sequence of readings, i.e. there is a reading which is strictly smaller than any of the other readings.

Suppose the order of the quantifiers is reversed.

exists i in set inds m.temps & forall j in set inds m.temps & i <> j => m.temps(i) < m.temps(j)


36

Questions

• Translate the following into English:x:Elephant & grey(x)x:ANIMAL & elephant(x) => grey(x)x : ANIMAL & bird(x) has-wings(x) flies(x)

• Represent the following using predicate logic formulae:• “Joanne is a teacher, she teaches AI, and likes

chocolate.”• “Some teachers do not like chocolate”


37

Agenda

Development Process for RT systems Introduction to Logic Overview of VDMTools® Functionality and Eclipse

support


38

VDMTools® Overview

The Rose-VDM++ Link

Document Generator

Code Generators- C++, Java

Syntax & Type Checker

API (Corba), DL Facility

Interpreter (Debugger)

Integrity CheckerJava to VDM++


39

Japanese Support via Unicode


40

Validation with VDMTools®

VDM specsVDM specs

Test casesTest cases Expected resultsExpected results

Actual resultsActual results

ComparisonComparison

ExecutionExecution


41

Documentation in MS Word/RTF

One compound document:One compound document:

• Documentation

• Specification

• Test coverage

• Test coverage

statistics


42

Architecture of the Rose VDM++ Link

VDM++ ToolboxVDM++ Toolbox IBM Rational RoseIBM Rational Rose

ClassClassRepositoryRepository

ClassClassRepositoryRepositoryMerge ToolMerge Tool

VDM++ FilesVDM++ Files

UMLUMLDiagramsDiagrams

UML modelUML modelfilefile


43

Integrity checker


44

Reference Material

• The VDM++ Language for VICE, CSK, 2005• The VDM++ User Manual, CSK, 2005• The VDM++ Installation Guide, CSK, 2005• Rational Rose Link Plug-in Installation and User

Guide, CSK, 2005


45

Further Information

• An Executable Subset of Meta-IV with Loose Specification, P.G. Larsen, P.B. Lassen, VDM '91: Formal Software Development Methods, 1991

• The IFAD VDM-SL Toolbox: A Practical Approach to Formal Specifications, R. Elmstrøm, P.G. Larsen, P.B. Lassen, ACM Sigplan Notices, September 1994

• Computer-aided Validation of Formal Specifications, P. Mukherjee, Software Engineering Journal, July 1995

• Ten Years of Historical Development - ”Bootstrapping” VDMTools, P.G. Larsen, Journal of Universal Computer Science, 2001


46

Summary

• What have I presented today?• Development Process for RT systems• Introduction to Logic• Introduction to VDMTools® and Eclipse Support

• What do you need to do now?• Read chapter 4 and 5 of the book for next week• Get Eclipse and VDMTools installed• Start playing with the combination of VDMTools, Eclipse and

Rose• Read existing material about the selected project • Formulate a new requirements definition for the project • Decide upon the purpose of the model to develop• Present about this project for the rest of us


47

Quote of the day

The successful construction of all machinery depends on the perfection of the tools employed, and whoever is

the master in the art of tool-making possesses the key to the construction of all machines.

Charles Babbage, 1851

Documents

TIVDM1Development process, Logic and VDMTools and Eclipse 1 RT development process, Logic and VDMTools and Eclipse support Peter Gorm Larsen