Introduction to VDM Copyright, 2003 © Jerzy R. Nawrocki Jerzy.Nawrocki@put.poznan.pl Models and...

transcript

Introduction to Introduction to VDMVDM

Copyright, 2003 © Jerzy R. Nawrocki

Jerzy.Nawrocki@put.poznan.pl

www.cs.put.poznan.pl/jnawrocki/models/

Models and Analysis of Software Models and Analysis of Software

Lecture Lecture 33

Models and Analysis of Software Models and Analysis of Software

Lecture Lecture 33

J. Nawrocki, Models ... (3)

IntroductionIntroductionIntroductionIntroduction

• VDM = Vienna Development Method, IBM Laboratory

• Model-based: basic types (integer, real, ..) and compound types (sets, sequences, ..)

• Implicit specification (what?) and explicit one (how?).

• No explicit support for concurrency and time.

• Math & text notations.

VDM = VeryDifficult Method

IntroductionIntroductionIntroductionIntroduction

add (a, b: N) result: Npost result = a + badd (a, b: N) result: Npost result = a + b

Simple example

It’s trivial!

Plan of the lecturePlan of the lecturePlan of the lecturePlan of the lecture

Introduction

Identifiers and commentsInteger numbersBoolean valuesPredicatesImplicit functionsNon-integer numbersSequencesSets

IdentifiersIdentifiersIdentifiersIdentifiers

add (a, b: N) result: Npost result = a + badd (a, b: N) result: Npost result = a + b

Letter (Letter | Digit | Greek_letter | Underscore)*

Letter case is significant.

First_element

First_Element

Value_6

First_element

First_Element

Value_6

CommentsCommentsCommentsComments

-- adding two numbersadd (a, b: N) result: Npost result = a + b

annotations Author: J.R. Nawrocki Written on: March 6, 2002end annotations

add (a, b: N) result: Npost result = a + b

annotations Author: J.R. Nawrocki Written on: March 6, 2002end annotations

add (a, b: N) result: Npost result = a + b

I prefer double hyphen.

IntroductionIdentifiers and comments

Integer numbersBoolean valuesPredicatesImplicit functionsNon-integer numbersSequencesSets

Integer numbersInteger numbersInteger numbersInteger numbers

Integer types

NN Natural numbers (0, 1, 2, ..)

N1N1 Positive integers (1, 2, ..)

ZZ Integers (.., -2, -1, 0, 1, 2, ..)

Operators

a + b 3 + 2 = 5

a - b 5 - 2 = 3

a b 3 2 = 6

a / b 6 / 4 = 1.5

a div b 11 div 4 = 2

a mod b 11 mod 4 = 3

a b 2 3 = 8

abs a abs -3 = 3

a + b 3 + 2 = 5

a - b 5 - 2 = 3

a b 3 2 = 6

a / b 6 / 4 = 1.5

a div b 11 div 4 = 2

a mod b 11 mod 4 = 3

a b 2 3 = 8

abs a abs -3 = 3

Looks likePascal

except for ‘’.

Example

f(0) = 0f(1) = 1f(2) = 3

-- f(n) = 1 + 2 + .. + nf (n: N) res: Npost res = (n+1) n / 2

IntroductionIdentifiers and commentsInteger numbers

Boolean valuesPredicatesImplicit functionsNon-integer numbersSequencesSets

Boolean valuesBoolean valuesBoolean valuesBoolean values

Relations

Constants

a not a

a b a and b

a b a or b

a ba implies b

a b a equivalent to b

a not a

a b a and b

a b a or b

a ba implies b

a b a equivalent to b

Boolean operators

BB Boolean values

Example

Boolean valuesBoolean valuesBoolean valuesBoolean values

Is_CD(12, 16, 4)=true -- CD = Common Divisor

-- Is k a CD for a and b?Is_CD (a, b, k: N) res: Bpost res (a mod k = 0 b mod k = 0)

-- CD = Common Divisor-- Is k a CD for a and b?Is_CD (a, b, k: N) res: Bpost res (a mod k = 0 b mod k = 0)

IntroductionIdentifiers and commentsInteger numbersBoolean values

PredicatesImplicit functionsNon-integer numbersSequencesSets

Quantifiers

PredicatesPredicatesPredicatesPredicates

For all (universal q.)

Exists (existential q.)

!! Exists one (unique q.)

-- A prime number, n, is-- divisible only by 1 and n.

IsPrime (n: N1) res: B

post res k N1 (1 < k k < n)

n mod k 0

-- A prime number, n, is-- divisible only by 1 and n.

IsPrime (n: N1) res: B

post res k N1 (1 < k k < n)

n mod k 0

Example

PredicatesPredicatesPredicatesPredicates

That’s reallydifferent from

Pascal!

IntroductionIdentifiers and commentsInteger numbersBoolean valuesPredicates

Implicit functionsNon-integer numbersSequencesSets

General form

Implicit functionsImplicit functionsImplicit functionsImplicit functions

function_name (Ids1: T1, .., Idsk: Tk) Id_r: T

post B’

function_name (Ids1: T1, .., Idsk: Tk) Id_r: T

post B’

Optionalpre-condition

Example

Implicit functionsImplicit functionsImplicit functionsImplicit functions

Quotient (-6, 2) = 3

Quotient (a, b: Z) res: Npre b 0post res = (abs a) div (abs b)

IntroductionIdentifiers and commentsInteger numbersBoolean valuesPredicatesImplicit functions

Non-integer numbersSequencesSets

Non-integer numbersNon-integer numbersNon-integer numbersNon-integer numbers

Non-integer types

QQ Rationals (2, 1/4, 3.8, ..)

RR Real numbers (2.0, 3.8, 2, ..)

Operators

a + b 3 + 0.2 = 3.2

a - b 5 - 0.2 = 4.8

a b 3.1 2 = 6.2

a / b 6.0 / 4 = 1.5

a b 2.0 3 = 8.0

abs a abs -3.1 = 3.1

floor a floor 3.9 = 3

a + b 3 + 0.2 = 3.2

a - b 5 - 0.2 = 4.8

a b 3.1 2 = 6.2

a / b 6.0 / 4 = 1.5

a b 2.0 3 = 8.0

abs a abs -3.1 = 3.1

floor a floor 3.9 = 3

Where isdiv and mod?

Example

-- CV = Cuboid VolumeCV (a, b, h: R) res: Rpost res = a b h

IntroductionIdentifiers and commentsInteger numbersBoolean valuesPredicatesImplicit functionsNon-integer numbers

SequencesSets

SequencesSequencesSequencesSequences

Type constructors

T*T* General sequence (possibly empty)

T+T+ Non-empty sequence

What isa sequence?

[ 1, 5, 5, 1]

First Second Third

Operators

[ ] empty sequence

hd X hd [14, 15, 16] = 14

tl X tl [14, 15, 16] = [15, 16]

len X len [14, 15, 16] = 3

inds X inds [14, 15, 16] = {1, 2, 3}

elems X elems [14, 15, 14] = {14, 15}

X(n) [14, 15, 14](2) = 15

X(l,...,u)[14, 15, 16](2,...,3) = [15, 16]

[ ] empty sequence

hd X hd [14, 15, 16] = 14

tl X tl [14, 15, 16] = [15, 16]

len X len [14, 15, 16] = 3

inds X inds [14, 15, 16] = {1, 2, 3}

elems X elems [14, 15, 14] = {14, 15}

X(n) [14, 15, 14](2) = 15

X(l,...,u)[14, 15, 16](2,...,3) = [15, 16]

s1 s2 [6, 5] [2, 4, 9] = [6, 5, 2, 4, 9]s1 s2 [6, 5] [2, 4, 9] = [6, 5, 2, 4, 9]

Sequence concatenation

Sequence comprehension

[ E | Id S Boolean_condition ][ E | Id S Boolean_condition ]

Expression Subset of R Selects a finitesubset of S

Evens_to_10 = [ 2n | n N1 n < 6 ]

Evens_to_10 = [ 2, 4, 6, 8, 10 ]

Evens_to_10 = [ 2n | n N1 n < 6 ]

Evens_to_10 = [ 2, 4, 6, 8, 10 ]

Example (I)

-- CDs = sequence of Common Divisors

CDs (a, b: N1) res: N1+

post res = [k | k N1 a mod k = 0 b mod k = 0]

-- CDs = sequence of Common Divisors

CDs (a, b: N1) res: N1+

post res = [k | k N1 a mod k = 0 b mod k = 0]

Example (II)

-- Max = maximum element of a sequence

Max (s: N1+) m: N1

post (tl s = [ ] m = hd s) (tl s [ ] hd s Max(tl s) m = hd s) (tl s [ ] hd s < Max(tl s) m = Max(tl s))

-- Max = maximum element of a sequence

Max (s: N1+) m: N1

post (tl s = [ ] m = hd s) (tl s [ ] hd s Max(tl s) m = hd s) (tl s [ ] hd s < Max(tl s) m = Max(tl s))

Recursion Recursion

Example (III)

-- GCD = Greatest Common Divisor

GCD (a,b: N1) res: N1

post res= Max (CDs (a, b))

-- GCD = Greatest Common Divisor

GCD (a,b: N1) res: N1

post res= Max (CDs (a, b))

Is Max necessary?Can’t we make it

simpler?

IntroductionIdentifiers and commentsInteger numbersBoolean valuesPredicatesImplicit functionsNon-integer numbersSequences

B - Boolean (true, false)

N1 - positive integers (1, 2, 3, ..)

N - natural numbers (including 0)

Z - integers

Q - rationals

R - reals

B - Boolean (true, false)

N1 - positive integers (1, 2, 3, ..)

N - natural numbers (including 0)

Z - integers

Q - rationals

R - reals

SetsSetsSetsSets

Basic sets

x BasicSet x BasicSet

Basic setsor

basic types?

T-set a finite set of values of type TT-set a finite set of values of type T

SetsSetsSetsSets

Finite sets

N-set a finite set of natural numbers

R-set a finite set of reals

R-set-set a finite set of finite sets of reals

N-set a finite set of natural numbers

R-set a finite set of reals

R-set-set a finite set of finite sets of reals

{E | B1, B2, ..., Bn Boolean_condition }{E | B1, B2, ..., Bn Boolean_condition }

SetsSetsSetsSets

Set values

{ } empty set

{0, 2, 4} explicit set value

{2, ..., 5} = {2, 3, 4, 5}

{2n | nN n<3} = {0, 2, 4}

{ } empty set

{0, 2, 4} explicit set value

{2, ..., 5} = {2, 3, 4, 5}

{2n | nN n<3} = {0, 2, 4}

{[a, b] | aN, bN b = aa a 3}{[a, b] | aN, bN b = aa a 3}

Onlyfinitesets!

SetsSetsSetsSets

Finite set operators (I)

x S belongs to

x S does not belong to

card S cardinality of S

S1 = S2 equals

S1 S2 does not equal

S1 S2 S1 is a subset of S2

S1 S2 S1 is a proper subset of S2

x S belongs to

x S does not belong to

card S cardinality of S

S1 = S2 equals

S1 S2 does not equal

S1 S2 S1 is a subset of S2

S1 S2 S1 is a proper subset of S2

Onlyfinitesets!

SetsSetsSetsSets

Finite set operators (II)

S1 S2 union

S1 S2 intersection

S1\ S2difference

F S power set of S

S1 S2 union

S1 S2 intersection

S1\ S2difference

F S power set of S

Onlyfinitesets!

SetsSetsSetsSets

A set of decimal digits of a number k

digit = {0, ..., 9}

digits1(k: N) res: digit-setpost res = {k mod 10} digits1(k div 10)

digit = {0, ..., 9}

digits1(k: N) res: digit-setpost res = {k mod 10} digits1(k div 10)

Doesnot

SetsSetsSetsSets

A set of decimal digits of a number k

digits2(k: N) res: digit-setpost (k=0 res = { }) (k>0 res = {k mod 10} digits2(k div 10))

Whatif

digits3(k: N) res: digit-setpost (k=0 res = { 0 }) (k>0 res = digits2(k))

SummarySummarySummarySummary

VDM is a formal method.

Its basic types are similar to those in Pascal, C, ..

It contains quantifiers.

Finite sequence is quite a powerful mechanism.

VDM allows for recursion.

Further readingsFurther readingsFurther readingsFurther readings

• A. Harry, Formal Methods Fact File, John Wiley & Sons, Chichester, 1996, pages 93-170.

HomeworkHomeworkHomeworkHomework

• Write a shorter definition of GCD.• Specify the factorial.• Specify the least common

multiply.• Specify a function that checks if

n is an automorphic number (i.e. if n appears in a decimal representation of its square).

• Specify a total of decimal digits of a given number n.

Quality assessmentQuality assessmentQuality assessmentQuality assessment

1. What is your general impression? (1 - 6)

2. Was it too slow or too fast?

3. What important did you learn during the lecture?

4. What to improve and how?

Introduction to VDM Copyright, 2003 © Jerzy R. Nawrocki Jerzy.Nawrocki@put.poznan.pl Models and...

Documents