# Personal Home at UEL

Document Sample

```					An introduction to specification in VDM-SL

At the end of this lecture you should be able to:

•   write a formal specification of a system in VDM-SL;
•   correlate the components of a UML class diagram with
those of a VDM specification;
•   declare constants and specify functions to enhance the
specification;
•   explain the use of a state invariant to place a global
constraint on the system;
•   explain the purpose of the nil value in VDM.
The Incubator case study

The temperature of the
incubator needs to be carefully
controlled and monitored;

Safety requirements :

-10 Celsius      TEMPERATURE      +10 Celsius
The UML specification

IncubatorMonitor

temp : Integer

increment()
decrement()
getTemp() : Integer
Specifying the ‘state’ in VDM-SL
IncubatorMonitor

temp : Integer

increment()
decrement()
getTemp() : Integer
The VDM
state refers
to the
permanent
data stored
by the          IncubatorMonitor
system.
temp : Integer

increment()
decrement()
getTemp() : Integer

In VDM-SL we use mathematical types
The intrinsic types available in VDM-SL
:     natural numbers (positive whole numbers)

1 :   natural numbers excluding zero

:     integers (positive and negative whole numbers)

:     real numbers (positive and negative numbers
that can include a fractional part)

:     boolean values (true or false)

Char : the set of alphanumeric characters
Specifying the state of the Incubator Monitor System
UML                    VDM-SL
IncubatorMonitor     state IncubatorMonitor of
temp : Integer              temp :   
end
increment()
decrement()
getTemp() : Integer
Specifying the operations in VDM-SL
IncubatorMonitor
Each operation specified in
temp : Integer        VDM-SL as follows:

increment()               the external clause
decrement()               the precondition
getTemp() : Integer       the postcondition
IncubatorMonitor

temp : Integer

increment()
decrement()
getTemp() : Integer
increment()
ext  ?    ?
wr temp : 
pre temp < 10
?
?
post temp = temp + 1
temp > temp

temp + 1 = temp
temp - temp = 1
IncubatorMonitor

temp : Integer

increment()
decrement()
getTemp() : Integer
decrement()
ext  ?    ?
wr temp : 
pre temp > -10
?
post ?
temp = temp - 1
IncubatorMonitor

temp : Integer

increment()
decrement()
getTemp() : Integer
getTemp( ) currentTemp :

ext rd temp :
?

?
pre TRUE
post currentTemp = temp
?
Declaring constants
Constants are specified using the keyword values.
The declaration would come immediately before the state
definition:

values
MAX :  = 10
MIN :  = -10

decrement()
ext      wr      temp : 
pre             MIN
temp > -10
post    temp =    temp - 1
Specifying functions
36
FALSE
   79   hasPassed   TRUE    
50
There are two ways in which we can
specify a function in VDM-SL:

Explicitly and implicitly
Specifying a function explicitly

Example

add(x, y) ∆ x + y

signature   definition
Specifying a function implicitly

add( x :  , y :  ) z : 
pre ?  TRUE
z
post ? = x + y
An absolute function defined implicitly

abs(z : ) r : 
pre  TRUE
?
post z<0  r = -z  z  0  r = z
?
An absolute function defined explicitly

abs:   
abs(z) ∆ if z < 0
then -z
else z
Two special functions

The state invariant and initialisation
State

inv            
Returns true if the
state meets global
constraint and false
otherwise
the IncubatorMonitor system

-10 Celsius    TEMPERATURE      +10 Celsius

inv            ?             ?
the IncubatorMonitor system

-10 Celsius     TEMPERATURE      +10 Celsius

inv mk-IncubatorMonitor(t)    ?
the IncubatorMonitor system

-10 Celsius    TEMPERATURE         +10 Celsius

inv mk-IncubatorMonitor(t)  MIN  t  MAX
State

init           
Returns true if the
correct initial values
have been given to the
state and false otherwise
Specifying an initialization function

We will assume that when the incubator is turned
on, its temperature should be adjusted until a
steady 5 degrees Celsius is obtained.

init              ?                   ?
Specifying an initialization function

We will assume that when the incubator is turned
on, its temperature should be adjusted until a
steady 5 degrees Celsius is obtained.

init mk-IncubatorMonitor(t)           ?
Specifying an initialization function

We will assume that when the incubator is turned
on, its temperature should be adjusted until a
steady 5 degrees Celsius is obtained.

init mk-IncubatorMonitor(t)  t = 5
The modified state specification

values
MAX :  = 10
MIN :  = -10

state IncubatorMonitor of
temp : 
inv mk-IncubatorMonitor(t)  MIN  t  MAX
init mk-IncubatorMonitor(t)  t = 5
end
Improving the Incubator System

IncubatorController

requestedTemp : Integer
actualTemp : Integer

setIInitialTemp(Integer)
requestChange(Integer) : Signal
increment( ) : Signal
decrement( ) : Signal
getRequestedTemp( ) : Integer
getActualTemp( ) : Integer
Improving the Incubator System

IncubatorController

requestedTemp : Integer           Signal is an
actualTemp : Integer
enumerated
setIInitialTemp(Integer)          type
requestChange(Integer) : Signal
increment( ) : Signal
decrement( ) : Signal
getRequestedTemp( ) : Integer
getActualTemp( ) : Integer
Enumerated types in UML

A standard method of marking a UML class as an
enumerated type is to add <<enumeration>> above
the type name:

<<enumeration>>
Signal

INCREASE
DECREASE
DO_NOTHING
Enumerated types in VDM-SL

In VDM-SL the types clause is the appropriate
place to define new types.

types
Signal = <INCREASE>|< DECREASE>|< DO_NOTHING>

values
…..
state
…..
end
The nil value
It is common in the programming world for a value to be undefined

VDM-SL allows for this concept by including the possibility of a term
or expression having the value nil, meaning that it is undefined;

x:
‘x’ must be a
natural number
The nil value
It is common in the programming world for a value to be undefined

VDM-SL allows for this concept by including the possibility of a term
or expression having the value nil, meaning that it is undefined;

x : []              ‘x’ can be a
natural
number or nil
The nil value
It is common in the programming world for a value to be undefined

VDM-SL allows for this concept by including the possibility of a term
or expression having the value nil, meaning that it is undefined;

x : []
When the incubator system first comes into being, the actual
and requested values will be undefined, and must therefore be
set to nil.
Specifying the IncubatorController state

IncubatorController         state IncubatorController of

requestedTemp : Integer                  requestedTemp : ?
actualTemp : Integer
actualTemp : ?
setIInitialTemp(Integer)
requestChange(Integer) : Signal
increment() : Signal
decrement() : Signal
getRequestedTemp() : Integer
getActualTemp() : Integer
Specifying the IncubatorController state

IncubatorController         state IncubatorController of

requestedTemp : Integer                  requestedTemp : 
actualTemp : Integer
actualTemp : 
setIInitialTemp(Integer)
requestChange(Integer) : Signal
increment() : Signal
decrement() : Signal
getRequestedTemp() : Integer
getActualTemp() : Integer
Specifying the IncubatorController state

IncubatorController         state IncubatorController of

requestedTemp : Integer                  requestedTemp : [ 
actualTemp : Integer              ]

setIInitialTemp(Integer)                 actualTemp : [  ]
requestChange(Integer) : Signal
increment() : Signal
decrement() : Signal
getRequestedTemp() : Integer
getActualTemp() : Integer
The invariant
state IncubatorController of
The requested
temperature             requestedTemp : [ 
must be in the    ]
range of -10 to
+10 degrees             actualTemp : [  ]

inv mk-IncubatorController (r, a) 
MIN  r  MAX
The invariant              The requested
temperature
could be nil
state IncubatorController of
The requested
temperature             requestedTemp : [ 
must be in the    ]
range of -10 to
+10 degrees             actualTemp : [  ]

inv mk-IncubatorController (r, a) 
MIN  r  MAX       r = nil
The invariant              The requested
temperature
could be nil
state IncubatorController of
The requested
temperature             requestedTemp : [ 
must be in the    ]
range of -10 to
+10 degrees             actualTemp : [  ]

inv mk-IncubatorController (r, a) 
(MIN  r  MAX  r = nil)
The invariant
state IncubatorController of

requestedTemp : [ 
The actual      ]
temperature
must be in the           actualTemp : [  ]
range of -10 to
+10 degrees

inv mk-IncubatorController (r, a) 
(MIN  r  MAX  r = nil)       MIN  a  MAX
The invariant
state IncubatorController of

requestedTemp : [ 
The actual      ]
The actual
temperature                                        temperature
must be in the           actualTemp : [  ]         could be nil
range of -10 to
+10 degrees

inv mk-IncubatorController (r, a) 
(MIN  r  MAX  r = nil)        MIN  a  MAX    a = nil
The invariant
The requested                                         The requested
temperature                                           temperature
must be in the    state IncubatorController of         could be nil
range of -10 to
+10 degrees
requestedTemp : [ 
The actual      ]
The actual
temperature                                         temperature
must be in the           actualTemp : [  ]          could be nil
range of -10 to
+10 degrees

inv mk-IncubatorController (r, a) 
(MIN  r  MAX  r = nil)       (MIN  a  MAX  a = nil)
The invariant
state IncubatorController of

requestedTemp : [ 
]

actualTemp : [  ]

inv mk-IncubatorController (r, a) 
(MIN  r  MAX  r = nil)      (MIN  a  MAX  a = nil)
spec by using a function

inRange( val : ) result : 
pre TRUE 
post result  MIN  val  MAX

inv mk-IncubatorController (r, a) 
(inRange(r)  r = nil)  (inRange(a)  a = nil)
The initialisation function

init mk-IncubatorController (r, a)    r = nil  a = nil
Specifying the setInitialTemp operation

setInitialTemp( tempIn : )
ext   wr actualTemp : []
pre   inRange(tempIn)  actualTemp = nil
post actualTemp = tempIn
The requestChange operation

requestChange( tempIn : ) signalOut : Signal

ext   wr requestedTemp : []
rd   actualTemp : []
pre    inRange(tempIn)  actualTemp  nil

post    requestedTemp = tempIn 
( tempIn > actualTemp  signalOut = <INCREASE>
 tempIn < actualTemp  signalOut = <DECREASE>
 tempIn = actualTemp  signalOut = <DO_NOTHING> )
actualTemp

The increment operation

increment () signalOut : Signal
ext      rd    requestedTemp : []
wr   actualTemp :
[]
actualTemp < requestedTemp
pre
 actualTemp  nil  requestedTemp  nil
post    actualTemp = actualTemp + 1  
( actualTemp < requestedTemp  signalOut = <INCREASE>

actualTemp = requestedTemp  signalOut = <DO_NOTHING> )
The getRequestedTemp operation

getRequestedTemp() currentRequested : []
ext    rd     requestedTemp : []
pre    TRUE

post   currentRequested = requestedTemp
The getActualTemp operation

getActualTemp() currentActual : []
ext    rd     actualTemp : []
pre    TRUE

post   currentActual = actualTemp
A standard template for VDM-SL specifications
types
SomeType = …..

values
constantName : ConstantType = someValue
state SystemName of
attribute1 : Type
:
attributen : Type

inv mk-SystemName(i1:Type, ..., in:Type)  Expression(i1, ..., in)

init mk-SystemName(i1:Type, ..., in:Type)  Expression(i1, ..., in)
end
functions
specification of functions .....
operations
specification of operations .....

```
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
 views: 10 posted: 6/28/2011 language: English pages: 62