An introduction to specification in VDM-SL

An introduction to specification in VDM-SL

At the end of this lecture you should be able to:

• write a formal specification of a system in VDM-SL;

• correlate the components of a UML class diagram with those of a VDM specification;

• declare constants and specify functions to enhance the specification;

• explain the use of a state invariant to place a global constraint on the system;

• explain the purpose of the nil value in VDM.

The Incubator case study

The temperature of the incubator needs to be carefully controlled and monitored;

Safety requirements :

-10 Celsius TEMPERATURE +10 Celsius

The UML specification

IncubatorMonitor

temp : Integer

increment() decrement()getTemp() : Integer

Specifying the ‘state’ in VDM-SL

IncubatorMonitor

temp : Integer


IncubatorMonitor

temp : Integer


The VDM state refers to the permanent data stored by the system.

In VDM-SL we use mathematical types

The intrinsic types available in VDM-SL

: natural numbers (positive whole numbers)

1 : natural numbers excluding zero

: integers (positive and negative whole numbers)

: real numbers (positive and negative numbers that can include a fractional part)

: boolean values (true or false)

Char : the set of alphanumeric characters

Specifying the state of the Incubator Monitor System

IncubatorMonitor

temp : Integer


state IncubatorMonitor of

end

temp :

UML VDM-SL

Specifying the operations in VDM-SL

IncubatorMonitor

temp : Integer


Each operation specified in VDM-SL as follows:

the operation headerthe external clausethe preconditionthe postcondition

IncubatorMonitor

temp : Integer


increment()

ext ?

pre ?

post ?

temp < 10

wr ?temp :

temp = + 1temp

+ 1 = temptemp

temp - = 1temp

temp > temp

IncubatorMonitor

temp : Integer


decrement()

ext ?

pre ?

post ?

temp > -10

temp = - 1temp

wr ?temp :

IncubatorMonitor

temp : Integer


getTemp( )

ext ?

pre ?

post ?

currentTemp :

rd temp :

currentTemp = temp

TRUE

Declaring constants

Constants are specified using the keyword values.

The declaration would come immediately before the state definition:

valuesMAX : = 10MIN : = -10

decrement()

ext wr temp :

pre temp > -10

post temp = - 1temp

MIN

Specifying functions

hasPassed

36

79

50

FALSE

TRUE

There are two ways in which we can specify a function in VDM-SL:

Explicitly and implicitly

Specifying a function explicitly

Example

add: add(x, y) ∆ x + y

signature definition

Specifying a function implicitly

add( )pre ?post ?

x , y: : z

z = x + yTRUE

:

An absolute function defined implicitly

abs( )pre ?post ?

z :

r :

z<0 r = -z z 0 r = zTRUE

An absolute function defined explicitly

abs: abs(z) ∆ if z < 0

then -z else z

Two special functions

The state invariant and initialisation

inv

State

Returns true if the state meets global constraint and false otherwise

Adding a state invariant into the IncubatorMonitor system

inv ? ?



inv mk-IncubatorMonitor(t) ?



inv mk-IncubatorMonitor(t) MIN t MAX


init

State

Returns true if the correct initial values have been given to the state and false otherwise

Specifying an initialization function

We will assume that when the incubator is turned on, its temperature should be adjusted until a steady 5 degrees Celsius is obtained.

init ? ?



init mk-IncubatorMonitor(t) ?



init mk-IncubatorMonitor(t) t = 5

The modified state specification

valuesMAX : = 10MIN : = -10

state IncubatorMonitor of temp : inv mk-IncubatorMonitor(t) MIN t MAX

init mk-IncubatorMonitor(t) t = 5

end

Improving the Incubator System

IncubatorController

requestedTemp : IntegeractualTemp : Integer

setIInitialTemp(Integer)requestChange(Integer) : Signalincrement( ) : Signaldecrement( ) : SignalgetRequestedTemp( ) : IntegergetActualTemp( ) : Integer

Improving the Incubator System

IncubatorController


setIInitialTemp(Integer)requestChange(Integer) : Signalincrement( ) : Signaldecrement( ) : SignalgetRequestedTemp( ) : IntegergetActualTemp( ) : Integer

Signal is an enumerated type

A standard method of marking a UML class as an enumerated type is to add <<enumeration>> above the type name:

Enumerated types in UML

<<enumeration>>Signal

INCREASEDECREASE

DO_NOTHING

In VDM-SL the types clause is the appropriate place to define new types.

Enumerated types in VDM-SL

typesSignal = <INCREASE>|< DECREASE>|< DO_NOTHING>

values…..

state…..

end

The nil value

It is common in the programming world for a value to be undefined

VDM-SL allows for this concept by including the possibility of a term or expression having the value nil, meaning that it is undefined;

x : ‘x’ must be a natural number

The nil value



x : [] ‘x’ can be a natural number or nil

The nil value



x : []

When the incubator system first comes into being, the actual and requested values will be undefined, and must therefore be set to nil.

Specifying the IncubatorController state

state IncubatorController of

requestedTemp : ?

actualTemp : ?

IncubatorController


setIInitialTemp(Integer)requestChange(Integer) : Signalincrement() : Signaldecrement() : SignalgetRequestedTemp() : IntegergetActualTemp() : Integer



requestedTemp :

actualTemp :

IncubatorController





requestedTemp : [ ]

actualTemp : [ ]

IncubatorController



The invariant

inv mk-IncubatorController (r, a)

MIN r MAX


requestedTemp : [ ]

actualTemp : [ ]

The requested temperature

must be in the range of -10 to +10 degrees

The invariant


MIN r MAX


requestedTemp : [ ]

actualTemp : [ ]



The requested temperature could be nil

r = nil

The invariant



requestedTemp : [ ]

actualTemp : [ ]




(MIN r MAX r = nil)

The invariant



requestedTemp : [ ]

actualTemp : [ ]The actual temperature


(MIN r MAX r = nil)

MIN a MAX

The invariant



requestedTemp : [ ]



(MIN r MAX r = nil)

MIN a MAX

The actual temperature could be nil

a = nil

The invariant



requestedTemp : [ ]



(MIN r MAX r = nil)

(MIN a MAX a = nil)



The actual temperature could be nil


The invariant



requestedTemp : [ ]

actualTemp : [ ]

(MIN r MAX r = nil)

(MIN a MAX a = nil)

Improving the readability of the spec by using a function

inRange( )pre post

val : result :

result MIN val MAX

TRUE

inv mk-IncubatorController (r, a) (inRange(r) r = nil) (inRange(a) a = nil)

The initialisation function

init mk-IncubatorController (r, a) r = nil a = nil

Specifying the setInitialTemp operation

setInitialTemp( )

ext

pre

post

tempIn :

wr actualTemp : []

actualTemp = tempIn

inRange(tempIn) actualTemp = nil

The requestChange operation

requestChange( )

ext

pre

post

tempIn : signalOut : Signal

requestedTemp : []wr

actualTemp : []rd

requestedTemp = tempIn

(

)

signalOut = <INCREASE>

signalOut = <DECREASE>

signalOut = <DO_NOTHING>

tempIn < actualTemp

tempIn > actualTemp

tempIn = actualTemp

actualTemp nilinRange(tempIn)

The increment operation

increment ()

ext

pre

post

signalOut : Signal

requestedTemp : []rd

actualTemp : []wr

actualTemp

actualTemp = actualTemp + 1

signalOut = <INCREASE>

signalOut = <DO_NOTHING>

(

)

actualTemp < requestedTemp

actualTemp = requestedTemp

actualTemp < requestedTemp

requestedTemp nil actualTemp nil

The getRequestedTemp operation

getRequestedTemp()

ext

pre

post

currentRequested : []

requestedTemp : []rd

currentRequested = requestedTemp

TRUE

The getActualTemp operation

getActualTemp()

ext

pre

post

currentActual : []

actualTemp : []rd

currentActual = actualTemp

TRUE

A standard template for VDM-SL specifications

typesSomeType = …..

valuesconstantName : ConstantType = someValue

state SystemName ofattribute1 : Type

:attributen : Type

inv mk-SystemName(i1:Type, ..., in:Type) Expression(i1, ..., in)

init mk-SystemName(i1:Type, ..., in:Type) Expression(i1, ..., in)end functions

specification of functions .....operations

specification of operations .....

An introduction to specification in VDM-SL

Documents

Transcript of An introduction to specification in VDM-SL