TIVDM1 VDMTools and Logic 1
VDMTools and Logic
Peter Gorm Larsen
Agenda
• Overview of VDMTools® Functionality
• Demonstration of VDMTools® and Rational Rose
• Introduction to Logic
VDMTools® Overview
• The Rose-VDM++ Link
• Document Generator
• Code Generators (C++, Java)
• Syntax & Type Checker
• API (CORBA), DL Facility
• Interpreter (Debugger)
• Integrity Checker
• Java to VDM++
Japanese Support via Unicode
Validation with VDMTools®
Figure: validation workflow. VDM specs and test cases are fed to execution, which produces actual results; these are compared against the expected results.
Documentation in MS Word/RTF
One compound document:
• Documentation
• Specification
• Test coverage
• Test coverage statistics
Architecture of the Rose VDM++ Link
Figure: the VDM++ Toolbox (class repository, VDM++ files) and Rational Rose 2000 (class repository, UML diagrams, UML model file) are connected through a merge tool.
Integrity checker
Reference Material
• The VDM++ Language for VICE, CSK, 2005
• The VDM++ User Manual, CSK, 2005
• The VDM++ Installation Guide, CSK, 2005
• Rational Rose Link Plug-in Installation and User Guide, CSK, 2005
Further Information
• An Executable Subset of Meta-IV with Loose Specification, P.G. Larsen, P.B. Lassen, VDM '91: Formal Software Development Methods, 1991
• The IFAD VDM-SL Toolbox: A Practical Approach to Formal Specifications, R. Elmstrøm, P.G. Larsen, P.B. Lassen, ACM Sigplan Notices, September 1994
• Computer-aided Validation of Formal Specifications, P. Mukherjee, Software Engineering Journal, July 1995
• Ten Years of Historical Development - “Bootstrapping” VDMTools, P.G. Larsen, Journal of Universal Computer Science, 2001
Logic
Our ability to state invariants, record pre-conditions and post-conditions, and the ability to reason about a formal model depend on the logic on which the modelling language is based.
• Classical logical propositions and predicates
• Connectives
• Quantifiers
A temperature monitor example
Figure: plot of Temperature (C) against Time (s); the temperature axis is marked 10, 20, 30 and the time axis runs from 0 to 9.
The monitor records the last five temperature readings.
A temperature monitor example
The following conditions are to be detected by the monitor:
1. Rising: the last reading in the sample is greater than the first
2. Over limit: there is a reading in the sample in excess of 400 C
3. Continually over limit: all the readings in the sample exceed 400 C
4. Safe: If readings do not exceed 400 C by the middle of the sample, the reactor is safe. If readings exceed 400 C by the middle of the sample, the reactor is still safe provided that the reading at the end of the sample is less than 400 C.
5. Alarm: The alarm is to be raised if and only if the reactor is not safe
Predicates and Propositions
Predicates are simply logical expressions. The simplest kind of logical predicate is a proposition.
A proposition is a logical assertion about a particular value or values, usually involving a Boolean operator to compare the values, e.g.
3 < 27
5 = 9
Predicates
A predicate is a logical expression that is not specific to particular values but contains variables which can stand for one of a range of possible values, e.g.
x < 27
(x**2) + x - 6 = 0
The truth or falsehood of a predicate depends on the value taken by the variables.
Predicates in the monitor example
Monitor :: temps : seq of int
           alarm : bool
inv m == len m.temps = 5
Consider a monitor m. Its field m.temps is a sequence, so we can index into it:
First reading in m: m.temps(1)
Last reading in m: m.temps(5)
Predicate stating that the first reading in m is strictly less than the last reading: m.temps(1) < m.temps(5)
The truth of the predicate depends on the value of m.
The rising condition
The last reading in the sample is greater than the first
Monitor :: temps : seq of int
           alarm : bool
inv m == len m.temps = 5
We can express the rising condition as a Boolean function:
Rising: Monitor -> bool
Rising(m) == m.temps(1) < m.temps(5)
For any monitor m, the expression Rising(m) evaluates to true iff the last reading in the sample in m is higher than the first, e.g.
Rising( mk_Monitor([233,45,677,650,900], false) )
Rising( mk_Monitor([23,45,67,50,20], false) )
Logical Operators (Connectives)
We will examine the following logical operators:
• Negation (NOT)
• Conjunction (AND)
• Disjunction (OR)
• Implication (if – then)
• Biconditional (if and only if)
Truth tables can be used to show how these operators can combine propositions to compound propositions.
Negation
Negation allows us to state that the opposite of some logical expression is true, e.g.
The temperature in the monitor mon is not rising:
not Rising(mon)
Truth table for negation:
P      not P
true   false
false  true
Disjunction
Disjunction allows us to express alternatives that are not necessarily exclusive:
Over limit: There is a reading in the sample in excess of 400 C
OverLimit: Monitor -> bool
OverLimit(m) == m.temps(1) > 400 or m.temps(2) > 400 or m.temps(3) > 400 or
                m.temps(4) > 400 or m.temps(5) > 400
Truth table for disjunction:
P      Q      P or Q
true   true   true
true   false  true
false  true   true
false  false  false
Conjunction
Conjunction allows us to express the fact that all of a collection of facts are true.
Continually over limit: all the readings in the sample exceed 400 C
COverLimit: Monitor -> bool
COverLimit(m) == m.temps(1) > 400 and m.temps(2) > 400 and m.temps(3) > 400 and
                 m.temps(4) > 400 and m.temps(5) > 400
Truth table for conjunction:
P      Q      P and Q
true   true   true
true   false  false
false  true   false
false  false  false
Implication
Implication allows us to express facts which are only true under certain conditions (“if … then …”):
Safe: If readings do not exceed 400 C by the middle of the sample, the reactor is safe. If readings exceed 400 C by the middle of the sample, the reactor is still safe provided that the reading at the end of the sample is less than 400 C.
Safe: Monitor -> bool
Safe(m) ==
m.temps(3) > 400 =>
m.temps(5) < 400
Truth table for implication:
P      Q      P => Q
true   true   true
true   false  false
false  true   true
false  false  true
Biimplication
Biimplication allows us to express equivalence (“if and only if”).
Alarm: The alarm is to be raised if and only if the reactor is not safe
This can be recorded as an invariant property:
Monitor :: temps : seq of int
           alarm : bool
inv m ==
  len m.temps = 5 and
  (not Safe(m) <=> m.alarm)   -- brackets are needed: and binds tighter than <=>
Truth table for biimplication:
P      Q      P <=> Q
true   true   true
true   false  false
false  true   false
false  false  true
Operator Precedence and Associativity
• not has the highest precedence
• Followed by and, or, => and <=>, in that order
• => groups to the right, i.e.
o A => B => C without brackets means A => (B => C)
• The other logical operators are associative, so right and left grouping are equivalent, i.e.
o A and (B and C) is identical to (A and B) and C
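As an added example (Python, not from the slides), the monitor predicates and the Alarm invariant above are written out with explicit implies/iff helpers, so the precedence rule just stated can be checked: without brackets, 'and' captures the left side of '<=>' and the invariant accepts a monitor with only four readings. The Monitor class, the LIMIT constant and the function names are assumptions of this example.

```python
# Added example (Python, not from the slides): monitor predicates and invariant, with VDM's => and <=> as helpers so precedence is explicit.
from dataclasses import dataclass
from typing import List

LIMIT = 400  # degrees C, the limit used in the slides' conditions

def implies(p: bool, q: bool) -> bool:
    """VDM '=>': false only when p holds and q does not."""
    return (not p) or q

def iff(p: bool, q: bool) -> bool:
    """VDM '<=>': true when both sides have the same truth value."""
    return p == q

@dataclass(frozen=True)
class Monitor:          # the slides' record Monitor :: temps : seq of int, alarm : bool
    temps: List[int]
    alarm: bool

def t(m: Monitor, i: int) -> int:
    """m.temps(i): VDM sequences are 1-indexed, Python lists 0-indexed."""
    return m.temps[i - 1]

def rising(m: Monitor) -> bool:
    return t(m, 1) < t(m, 5)

def over_limit(m: Monitor) -> bool:
    # exists i in set inds m.temps & m.temps(i) > 400: a disjunction over the indices
    return any(x > LIMIT for x in m.temps)

def c_over_limit(m: Monitor) -> bool:
    # forall i in set inds m.temps & m.temps(i) > 400: a conjunction over the indices
    return all(x > LIMIT for x in m.temps)

def safe(m: Monitor) -> bool:
    return implies(t(m, 3) > LIMIT, t(m, 5) < LIMIT)

def inv_monitor(m: Monitor) -> bool:
    """len m.temps = 5 and (not Safe(m) <=> m.alarm), bracketed as intended."""
    return len(m.temps) == 5 and iff(not safe(m), m.alarm)

def inv_monitor_unbracketed(m: Monitor) -> bool:
    """(len m.temps = 5 and not Safe(m)) <=> m.alarm: the unbracketed parse,
    because 'and' binds tighter than '<=>'."""
    return iff(len(m.temps) == 5 and not safe(m), m.alarm)

def invariant_witness() -> bool:
    """Constructed sample: four readings, alarm off. The intended invariant rejects it; the mis-parsed one accepts it."""
    bad = Monitor([23, 45, 67, 50], False)
    return (not inv_monitor(bad)) and inv_monitor_unbracketed(bad)
```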
Quantifiers
For large collections of values, using a variable makes more sense than dealing with each case separately.
inds m.temps represents the indices (1-5) of the sample.
The “over limit” condition can then be expressed more economically as:
exists i in set inds m.temps & m.temps(i) > 400
The “continually over limit” condition can then be expressed using “forall”:
COverLimit: Monitor -> bool
COverLimit(m) == forall i in set inds m.temps & m.temps(i) > 400
Quantifiers
Syntax:
forall binding & predicate
exists binding & predicate
There are two types of binding:
Type Binding, e.g.
x : nat
n : seq of char
Set Binding, e.g.
i in set inds m
x in set {1,…,20}
A type binding lets the bound variable range over a type (a possibly infinite collection of values).
A set binding lets the bound variable range over a finite set of values.
Universal quantification
• Universal quantification is a generalised form of conjunction
• For example, the statement “every natural number is greater than or equal to zero” is denoted by
forall n : nat & n >= 0   (∀ is a turned-round “A”, “for All”, written as “forall” in ASCII)
“for all n drawn from the natural numbers, n is greater than or equal to zero”
• This statement is equivalent to (and a lot more succinct than):
0 >= 0 and 1 >= 0 and 2 >= 0 and 3 >= 0 and …
Questions
Formulate the following statements using predicate logic:
• Everybody likes Danish pastry
• Everybody either likes Danish pastry or is a vegetarian
• Either everybody likes Danish pastry or everybody is a vegetarian
Are the last two statements equivalent?
Existential quantification
• Existential quantification allows us to assert that a predicate holds for at least one value — but not necessarily all values — of a given set
• For example, the statement “there is a natural number that is greater than or equal to zero” is denoted by:
exists n : nat & n >= 0   (∃ is a turned-round “E”, “there Exists”, written as “exists” in ASCII)
“there exists an n drawn from the natural numbers such that n is greater than or equal to zero”
• This statement is equivalent to:
0 >= 0 or 1 >= 0 or 2 >= 0 or 3 >= 0 or …
Questions
Formulate the following statements using predicate logic:
• Somebody likes Danish pastry
• There is somebody who either likes Danish pastry or is a vegetarian
• Either somebody likes Danish pastry or somebody is a vegetarian
Are the last two statements equivalent?
Quantifiers
Several variables may be bound at once by a single quantifier, e.g.
forall x,y in set {1,…,5} &
  x <> y => not m.temps(x) = m.temps(y)
Would this predicate be true for the following value of m.temps ?
[320, 220, 105, 119, 150]
Formulation Questions
All the readings in the sample are less than 400 and greater than 50.
Each reading in the sample is up to 10 greater than its predecessor.
There are two distinct readings in the sample which are over 400.
forall i in set inds m.temps & m.temps(i) < 400 and m.temps(i) > 50
forall i in set inds m.temps \ {1} & m.temps(i) <= m.temps(i - 1) + 10
exists i,j in set inds m.temps & i <> j and m.temps(i) > 400 and m.temps(j) > 400
Combination of quantifiers
• Assume we have a predicate with two free variables P(x,y) where x : X and y : Y
• Then quantifiers can be combined:
  forall y : Y & exists x : X & P(x,y)   or   exists y : Y & forall x : X & P(x,y)
• Would these be equal if X, Y are int and P = x > y?
• However, if the same quantifier is used in both places the expressions are equivalent:
  forall y : Y & forall x : X & P(x,y) <=> forall x : X & forall y : Y & P(x,y)
  exists y : Y & exists x : X & P(x,y) <=> exists x : X & exists y : Y & P(x,y)
Quantifiers
Suppose we have to formalise the following property:
There is a “single minimum” in the sequence of readings, i.e. there is a reading which is strictly smaller than any of the other readings.
Suppose the order of the quantifiers is reversed.
exists i in set inds m.temps & forall j in set inds m.temps & i <> j => m.temps(i) < m.temps(j)
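As an added example (Python, not from the slides), the two quantifier-order questions above, the mixed forall/exists combination over X and Y and the single-minimum property with its quantifiers reversed, are evaluated over set bindings with all(...) for forall and any(...) for exists; it also shows why the reversed single-minimum formula holds for every sequence (choosing i = j falsifies the antecedent). The function names and sample sequences are assumptions of this example.

```python
# Added example (Python, not from the slides): quantifier order over set bindings,
# with forall written as all(...) and exists as any(...).
from typing import Callable, Iterable, Sequence

def implies(p: bool, q: bool) -> bool:
    """VDM '=>': false only when p holds and q does not."""
    return (not p) or q

def forall_exists(xs: Iterable, ys: Iterable, pred: Callable) -> bool:
    """forall y in set ys & exists x in set xs & pred(x, y)  (xs, ys re-iterable)"""
    return all(any(pred(x, y) for x in xs) for y in ys)

def exists_forall(xs: Iterable, ys: Iterable, pred: Callable) -> bool:
    """exists y in set ys & forall x in set xs & pred(x, y)"""
    return any(all(pred(x, y) for x in xs) for y in ys)

def same_quantifier_commutes(xs: Iterable, ys: Iterable, pred: Callable) -> bool:
    """Two foralls, or two exists, give the same value in either order."""
    ff = all(all(pred(x, y) for x in xs) for y in ys) == all(all(pred(x, y) for y in ys) for x in xs)
    ee = any(any(pred(x, y) for x in xs) for y in ys) == any(any(pred(x, y) for y in ys) for x in xs)
    return ff and ee

def single_minimum(temps: Sequence[int]) -> bool:
    """exists i in set inds temps & forall j in set inds temps &
       i <> j => temps(i) < temps(j)   (indices 1-based, as in VDM)"""
    inds = range(1, len(temps) + 1)
    return any(all(implies(i != j, temps[i - 1] < temps[j - 1]) for j in inds)
               for i in inds)

def single_minimum_reversed(temps: Sequence[int]) -> bool:
    """forall j in set inds temps & exists i in set inds temps &
       i <> j => temps(i) < temps(j)
    Choosing i = j makes the antecedent false, so the inner exists always
    succeeds and the property holds for every sequence of readings."""
    inds = range(1, len(temps) + 1)
    return all(any(implies(i != j, temps[i - 1] < temps[j - 1]) for i in inds)
               for j in inds)
```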
Questions
• Translate the following into English:
  forall x : Elephant & grey(x)
  forall x : ANIMAL & elephant(x) => grey(x)
  x : ANIMAL & bird(x) has-wings(x) flies(x)
• Represent the following using predicate logic formulae:
o “Joanne is a teacher, she teaches AI, and likes chocolate.”
o “Some teachers do not like chocolate”
Summary
• What have I presented today?
o Introduction to VDMTools®
o Demonstration of VDMTools® and Rose
o Introduction to Logic
• What do you need to do now?
o Read chapters 4 and 5 of the book for next week
o Start playing with the combination of VDMTools and Rose
o Read existing material about the selected project
o Formulate a new requirements definition for the project
o Decide upon the purpose of the model to develop
o Prepare a presentation about this for the rest of us
Quote of the day
The successful construction of all machinery depends on the perfection of the tools employed, and whoever is the master in the art of tool-making possesses the key to the construction of all machines.
Charles Babbage, 1851