-
An introduction to specification in VDM-SL
At the end of this lecture you should be able to:
  - write a formal specification of a system in VDM-SL;
  - correlate the components of a UML class diagram with those of a VDM specification;
  - declare constants and specify functions to enhance the specification;
  - explain the use of a state invariant to place a global constraint on the system;
  - explain the purpose of the nil value in VDM.
-
The Incubator case study
The temperature of the incubator needs to be carefully controlled and monitored.
Initially we will specify the software needed to monitor the incubator temperature; later we will specify the software needed to monitor and control the incubator temperature.
Safety requirements:
-
The UML specification
  IncubatorMonitor
  --------------------
  temp : Integer
  --------------------
  increment()
  decrement()
  getTemp() : Integer
-
Specifying the state in VDM-SL
In VDM-SL the state refers to the permanent data that must be stored by the system, and which can be accessed by means of operations; it corresponds to the attributes in the class diagram.
The state is specified by declaring variables, in a similar manner to a programming language and UML.
Each variable is given a name and a VDM-SL type.
-
The intrinsic types available in VDM-SL
  ℕ    : natural numbers (positive whole numbers)
  ℕ1   : natural numbers excluding zero
  ℤ    : integers (positive and negative whole numbers)
  ℝ    : real numbers (positive and negative numbers that can include a fractional part)
  𝔹    : boolean values (true or false)
  Char : the set of alphanumeric characters
-
Specifying the state of the Incubator Monitor System
  UML:                  VDM-SL:
  temp : Integer        state IncubatorMonitor of
                          temp : ℤ
                        end
-
Specifying the operations in VDM-SL
Each operation is specified in VDM-SL as follows:
  - the operation header
  - the external clause
  - the precondition
  - the postcondition
-
The increment operation
  increment()
  ext wr temp : ℤ
  pre temp < 10
  post temp = temp~ + 1
-
The decrement operation
  decrement()
  ext wr temp : ℤ
  pre temp > -10
  post temp = temp~ - 1
-
The getTemp operation
  getTemp() currentTemp : ℤ
  ext rd temp : ℤ
  pre TRUE
  post currentTemp = temp
-
Declaring constants
It is possible in VDM-SL to specify constants; this is done using the keyword values. The declaration comes immediately before the state definition:
  values
    MAX : ℤ = 10
    MIN : ℤ = -10
-
Specifying functions
A function is a set of assignments from one set to another; the function receives an input value (or values) and maps this to an output value according to some rule.
(Diagram: the function hasPassed maps marks such as 46, 79 and 50 to the boolean values FALSE and TRUE.)
There are two ways in which we can specify a function in VDM-SL.
-
Specifying a function explicitly
The style of this specification is algorithmic: we explicitly define the method of transforming the inputs to the output.
Example:
  add : ℤ × ℤ → ℤ          (signature)
  add(x, y) ≜ x + y         (definition)
-
Specifying a function implicitly
We use a pre- and postcondition in the same way as we described for operations; a function, however, does not access the state variables.
  add(x, y : ℤ) z : ℤ
  pre TRUE
  post z = x + y
-
An absolute function defined implicitly
  abs(z : ℤ) r : ℤ
  pre TRUE
  post (z < 0 ∧ r = -z) ∨ (z ≥ 0 ∧ r = z)
-
An absolute function defined explicitly
  abs : ℤ → ℤ
  abs(z) ≜ if z < 0 then -z else z
-
Recursive functions
Some functions can be neatly specified by a recursive definition, whereby the function calls itself.
Example: a factorial function:
  factorial : ℕ → ℕ
  factorial(n) ≜ if n = 0 then 1 else n × factorial(n - 1)
-
State invariants
Earlier we specified a local constraint with a precondition; we can also specify a global constraint.
In VDM-SL we incorporate such a restriction into the specification with a function called a state invariant; the invariant definition uses the keyword inv.
Its signature will be:
  inv : State → 𝔹
-
Adding a state invariant into the IncubatorMonitor system
  inv mk-IncubatorMonitor(t) ≜ MIN ≤ t ≤ MAX
-
Specifying an initialization function
An initialization function is given the name init.
We will assume that when the incubator is turned on, its temperature is adjusted until a steady 5 degrees Celsius is obtained:
  init mk-IncubatorMonitor(t) ≜ t = 5
-
The modified state specification
  values
    MAX : ℤ = 10
    MIN : ℤ = -10
  state IncubatorMonitor of
    temp : ℤ
  inv mk-IncubatorMonitor(t) ≜ MIN ≤ t ≤ MAX
  init mk-IncubatorMonitor(t) ≜ t = 5
  end
-
Improving the Incubator System
  IncubatorController
  ------------------------------
  requestedTemp : Integer
  actualTemp : Integer
  ------------------------------
  setInitialTemp(Integer)
  requestChange(Integer) : Signal
  increment() : Signal
  decrement() : Signal
  getRequestedTemp() : Integer
  getActualTemp() : Integer
-
Enumerated types
The signal sent to the hardware could be one of 3 possible values:
  - an instruction to the hardware to increase the temperature;
  - an instruction to the hardware to decrease the temperature;
  - an instruction to the hardware to do nothing.
A type that consists of a number of named values is often referred to as an enumerated type.
-
Enumerated types in UML
A standard method of marking a UML class as an enumerated type is to add the stereotype «enumeration» above the type name.
-
Enumerated types in VDM-SL
In VDM-SL the types clause is the appropriate place to define new types:
  types
    Signal = <INCREASE> | <DECREASE> | <DO_NOTHING>
  values
    ..
  state
    ..
  end
-
The nil value
It is common in the programming world for a value to be undefined. VDM-SL allows for this concept by including the possibility of a term or expression having the value nil, meaning that it is undefined.
We do that by placing square brackets around the type name:
  [ℕ] : natural numbers or nil
  [ℤ] : integers or nil
When the incubator system first comes into being, the actual and requested values will be undefined, and must therefore be set to nil.
-
Specifying the IncubatorController state
  state IncubatorController of
    requestedTemp : [ℤ]
    actualTemp : [ℤ]
-
The invariant
The actual temperature must not be allowed to go outside the range of -10 to +10 degrees; however, we now need to allow for the possibility that it could be equal to the nil value. The same is true for the requested temperature.
  inv mk-IncubatorController(r, a) ≜ (MIN ≤ r ≤ MAX ∨ r = nil) ∧ (MIN ≤ a ≤ MAX ∨ a = nil)
-
Improving the readability of the spec by using a function
  inRange(val : ℤ) result : 𝔹
  pre TRUE
  post result ⇔ MIN ≤ val ≤ MAX

  inv mk-IncubatorController(r, a) ≜ (inRange(r) ∨ r = nil) ∧ (inRange(a) ∨ a = nil)
-
The initialisation function
  init mk-IncubatorController(r, a) ≜ r = nil ∧ a = nil
-
Specifying the setInitialTemp operation
  setInitialTemp(tempIn : ℤ)
  ext wr actualTemp : [ℤ]
  pre actualTemp = nil ∧ inRange(tempIn)
  post actualTemp = tempIn
-
The requestChange operation
  requestChange(tempIn : ℤ) signalOut : Signal
  ext wr requestedTemp : [ℤ]
      rd actualTemp : [ℤ]
  pre actualTemp ≠ nil ∧ inRange(tempIn)
  post requestedTemp = tempIn
       ∧ ((tempIn < actualTemp ∧ signalOut = <DECREASE>)
          ∨ (tempIn > actualTemp ∧ signalOut = <INCREASE>)
          ∨ (tempIn = actualTemp ∧ signalOut = <DO_NOTHING>))
-
The increment operation
  increment() signalOut : Signal
  ext rd requestedTemp : [ℤ]
      wr actualTemp : [ℤ]
  pre requestedTemp ≠ nil ∧ actualTemp ≠ nil ∧ actualTemp < requestedTemp
  post actualTemp = actualTemp~ + 1
       ∧ ((actualTemp < requestedTemp ∧ signalOut = <INCREASE>)
          ∨ (actualTemp = requestedTemp ∧ signalOut = <DO_NOTHING>))
-
The getRequestedTemp operation
  getRequestedTemp() currentRequested : [ℤ]
  ext rd requestedTemp : [ℤ]
  pre TRUE
  post currentRequested = requestedTemp
-
The getActualTemp operation
  getActualTemp() currentActual : [ℤ]
  ext rd actualTemp : [ℤ]
  pre TRUE
  post currentActual = actualTemp
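As an added, runnable example that is not part of the lecture slides, the IncubatorController specification above (the values clause, the Signal enumeration, inRange, the nil-valued state with its invariant and init, and the setInitialTemp, requestChange and increment operations) rendered as a constructed Python model: nil is modelled as None, each pre-condition and the invariant are checked on every call, and a violation raises SpecViolation so that an implementation can be exercised against the spec.

```python
from enum import Enum

MIN, MAX = -10, 10  # the values clause

class Signal(Enum):  # the enumerated type Signal
    INCREASE = "<INCREASE>"
    DECREASE = "<DECREASE>"
    DO_NOTHING = "<DO_NOTHING>"

class SpecViolation(Exception):
    """A pre-condition, post-condition or the state invariant failed."""

def require(cond, what):
    if not cond:
        raise SpecViolation(what)

def in_range(val):  # the inRange function
    return MIN <= val <= MAX

class IncubatorController:
    def __init__(self):  # init: both components start as nil (None)
        self.requested_temp = None
        self.actual_temp = None

    def check_inv(self):  # the state invariant, with nil allowed
        for v in (self.requested_temp, self.actual_temp):
            require(v is None or in_range(v), "inv")

    def set_initial_temp(self, temp_in):
        require(self.actual_temp is None and in_range(temp_in), "pre")
        self.actual_temp = temp_in
        self.check_inv()

    def request_change(self, temp_in):
        require(self.actual_temp is not None and in_range(temp_in), "pre")
        self.requested_temp = temp_in
        self.check_inv()
        if temp_in > self.actual_temp:
            return Signal.INCREASE
        return Signal.DECREASE if temp_in < self.actual_temp else Signal.DO_NOTHING

    def increment(self):  # pre: neither value nil and actual < requested
        r, a = self.requested_temp, self.actual_temp
        require(r is not None and a is not None and a < r, "pre")
        self.actual_temp = a + 1  # post: actualTemp = actualTemp~ + 1
        self.check_inv()
        return Signal.INCREASE if self.actual_temp < r else Signal.DO_NOTHING
```

Calling increment when actualTemp is not below requestedTemp, or setInitialTemp with an out-of-range value, raises SpecViolation rather than silently producing a state the invariant forbids.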
-
A standard template for VDM-SL specifications
  types
    SomeType = ..
  values
    constantName : ConstantType = someValue
  state SystemName of
    attribute1 : Type
    :
    attributen : Type
  inv mk-SystemName(i1 : Type, ..., in : Type) ≜ Expression(i1, ..., in)
  init mk-SystemName(i1 : Type, ..., in : Type) ≜ Expression(i1, ..., in)
  end
  functions
    specification of functions .....
  operations
    specification of operations .....