1 / 36

An introduction to specification in VDM-SL

An introduction to specification in VDM-SL. At the end of this lecture you should be able to:. write a formal specification of a system in VDM-SL; correlate the components of a UML class diagram with those of a VDM specification;

braden
Download Presentation

An introduction to specification in VDM-SL

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. An introduction to specification in VDM-SL At the end of this lecture you should be able to: • write a formal specification of a system in VDM-SL; • correlate the components of a UML class diagram with those of a VDM specification; • declare constants and specify functions to enhance the specification; • explain the use of a state invariant to place a global constraint on the system; • explain the purpose of the nil value in VDM.

  2. -10 Celsius TEMPERATURE +10 Celsius The Incubator case study The temperature of the incubator needs to be carefully controlled and monitored; Initially we will specify the software needed to monitor the incubator temperature; Later we will specify the software needed to monitor and control the incubator temperature. Safety requirements :

  3. The UML specification IncubatorMonitor temp : Integer increment() decrement() getTemp() : Integer

  4. Specifying the ‘state’ in VDM-SL in VDM-SL the state refers to the permanent data that must be stored by the system, and which can be accessed by means of operations; It corresponds to the attributes in the class diagram; The state is specified by declaring variables, in a similar manner a programming language and UML. Each variables is given a name, and a VDM-SL type.

  5. The intrinsic types available in VDM-SL  : natural numbers (positive whole numbers) 1 : natural numbers excluding zero : integers (positive and negative whole numbers) : real numbers (positive and negative numbers that can include a fractional part)  : boolean values (true or false) Char : the set of alphanumeric characters

  6. IncubatorMonitor temp : Integer increment() decrement() getTemp() : Integer Specifying the state of the Incubator Monitor System UML VDM-SL stateIncubatorMonitorof end temp : 

  7. IncubatorMonitor temp : Integer increment() decrement() getTemp() : Integer Specifying the operations in VDM-SL • Each operation specified in VDM-SL as follows: • the operation header • the external clause • the precondition • the postcondition

  8. temp = + 1 temp > + 1 = temp temp - = 1 The increment operation increment() ext ? pre ? post ? wr ? temp :  temp < 10

  9. temp = - 1 The decrement operation decrement() ext ? pre ? post ? wr ? temp :  temp > -10

  10. The getTemp operation getTemp() ext ? pre ? post ? currentTemp :  rdtemp :  TRUE currentTemp = temp

  11. decrement() extwr temp :  pretemp > -10 post temp = - 1 Declaring constants It is possible in VDM-SL to specify constants; It is done by using the keyword values; The declaration would come immediately before the state definition: values MAX :  = 10 MIN :  = -10 MIN

  12. Specifying functions A function is a set of assignments from one set to another; The function receives an input value (or values) and maps this to an output value according to some rule; 46 FALSE   69 hasPassed TRUE 50 There are two ways in which we can specify a function in VDM-SL

  13. Specifying a function explicitly The style of this specification is algorithmic; We explicitly define the method of transforming the inputs to the output. Example add:  add(x, y) ∆x + y signature definition

  14. Specifying a function implicitly We use a pre- and postcondition in the same way as we described for operations; A function, however, does not access the state variables. add( ) pre ? post ? x , y : : z :  TRUE z = x + y

  15. An absolute function defined implicitly abs( ) pre ? post ? z : r :  TRUE z<0 r = -zz  0 r = z

  16. An absolute function defined explicitly abs:  abs(z) ∆ifz < 0 then -z elsez

  17. Recursive functions Some functions can be neatly specified by a recursive definition, whereby the function calls itself. Example a factorial function: factorial:  factorial(n) ∆ifn = 0 then 1 elsen x factorial(n - 1)

  18. State invariants Before we specified local constraint with preconditions. We can also specify a global constraint. In VDM-SL we incorporate such a restriction into the specification with a function called a stateinvariant; The invariant definition uses the keyword inv. Its signature will be: inv: State 

  19. -10 Celsius TEMPERATURE +10 Celsius Adding a state invariant into the IncubatorMonitor system invmk-IncubatorMonitor(t) MINtMAX

  20. Specifying an initialization function An initialization function is given the name init; We will assume that when the incubator is turned on, its temperature is adjusted until a steady 5 degrees Celsius is obtained. initmk-IncubatorMonitor(t) t = 5

  21. The modified state specification values MAX :  = 10 MIN :  = -10 stateIncubatorMonitorof temp :  invmk-IncubatorMonitor(t) MINtMAX initmk-IncubatorMonitor(t) t = 5 end

  22. Improving the Incubator System IncubatorController requestedTemp : Integer actualTemp : Integer setIInitialTemp(Integer) requestChange(Integer) : Signal increment() : Signal decrement() : Signal getRequestedTemp() : Integer getActualTemp() : Integer

  23. Enumerated types The signal sent to the hardware could be one of 3 possible values: • an instruction to the hardware to increase the temperature; • an instruction to the hardware to decrease the temperature; • an instruction to the hardware to do nothing. A type that consists of a number of named values is often referred to as an enumerated type;

  24. <<enumeration>> Signal INCREASE DECREASE DO_NOTHING Enumerated types in UML A standard method of marking a UML class as an enumerated type is to add <<enumeration>> above the type name:

  25. Enumerated types in VDM-SL In VDM-SL the types clause is the appropriate place to define new types. types Signal = <INCREASE>|< DECREASE>|< DO_NOTHING> values ….. state ….. end

  26. The nil value It is common in the programming world for a value to be undefined; VDM-SL allows for this concept by including the possibility of a term or expression having the value nil, meaning that it is undefined; We do that by placing square brackets around the type name: [] natural numbers or nil [] integers or nil. When the incubator system first comes into being, the actual and requested values will be undefined, and must therefore be set to nil;

  27. IncubatorController requestedTemp : Integer actualTemp : Integer setIInitialTemp(Integer) requestChange(Integer) : Signal increment() : Signal decrement() : Signal getRequestedTemp() : Integer getActualTemp() : Integer Specifying the IncubatorController state stateIncubatorControllerof requestedTemp : [] actualTemp : []

  28. The invariant The actual temperature must not be allowed to go outside the range of -10 to +10 degrees; However we need now to allow for the possibility that it could be equal to the nil value; The same is true for the requested temperature. invmk-IncubatorController (r, a)   (MIN  r MAX r = nil) (MIN  a MAX a = nil)

  29. Improving the readability of the spec by using a function inRange( ) pre post val :  result :  TRUE result MIN  val MAX invmk-IncubatorController (r, a)  (inRange(r)r = nil) (inRange(a)a = nil)

  30. The initialisation function initmk-IncubatorController (r, a)  r = nila = nil

  31. Specifying the setInitialTempoperation setInitialTemp( ) ext pre post tempIn :  wr actualTemp : []  inRange(tempIn) actualTemp = nil actualTemp = tempIn

  32. The requestChange operation requestChange( ) ext pre post tempIn :  signalOut : Signal wr requestedTemp : [] rd actualTemp : [] inRange(tempIn)  actualTempnil requestedTemp = tempIn  tempIn > actualTemp  ( signalOut = <INCREASE>  tempIn < actualTemp  signalOut = <DECREASE>  tempIn = actualTemp  signalOut = <DO_NOTHING> )

  33. actualTemp = actualTemp + 1 The increment operation increment () ext pre post signalOut : Signal rd requestedTemp : [] wr actualTemp : [] actualTemp < requestedTemp actualTempnil requestedTempnil  ( actualTemp < requestedTemp  signalOut = <INCREASE>  actualTemp = requestedTemp  ) signalOut = <DO_NOTHING>

  34. The getRequestedTemp operation getRequestedTemp() ext pre post currentRequested : [] rd requestedTemp : [] TRUE currentRequested = requestedTemp

  35. The getActualTemp operation getActualTemp() ext pre post currentActual : [] rd actualTemp : [] TRUE currentActual = actualTemp

  36. A standard template for VDM-SL specifications types SomeType = ….. values constantName : ConstantType = someValue state SystemNameof attribute1 : Type : attributen : Type invmk-SystemName(i1:Type, ..., in:Type) Expression(i1, ..., in) initmk-SystemName(i1:Type, ..., in:Type) Expression(i1, ..., in) end functions specification of functions ..... operations specification of operations .....

More Related