VDMTools and Logic

RT development process, Logic and VDMTools and Eclipse support
Peter Gorm Larsen
TIVDM1
Development process, Logic and VDMTools and
Eclipse
1
Agenda
• Development Process for RT systems
• Introduction to Logic
• Overview of VDMTools® Functionality and Eclipse support
Reactive systems Nature
Figure: the nature of reactive systems. The World contains the Environment and the System; the Environment sends stimuli to the System and receives its response.
Overview of Development Process
General use case for an embedded system
Capturing Requirements in VDM-SL
operations
  PerformSystemReaction: seq of SensorInput ==> seq of ActuatorCommand
  PerformSystemReaction(inputseq) ==
    if inputseq = []
    then []
    else SensorTreatment(hd inputseq) ^ PerformSystemReaction(tl inputseq)
An accumulating parameter can be used for feedback
Sequential Design Model
Typical Design Structure
• An Environment class is needed
• A SystemName class is needed
• A World class is introduced for setting up both the environment and the system
• World shall contain a Run operation
• World has access to some notion of time
• The Environment has operations for creating signals to the system and receiving events from the system
• Flow of control resides with the Environment
• Each class that performs actions has an isFinished operation
Concurrent Design Model
• Similar to the sequential design model but with:
  o Identification of threads
  o Determination of the necessary communication
  o Establishing synchronization points
  o Validation of the model
• Typical design structure:
  o Flow of control is distributed
  o Synchronization using permission predicates and mutex
  o isFinished operations become skip with permission predicates
  o A simple Timer class is replaced with the TimeStamp class
Concurrent Real-Time and
Distributed Design Model
• Timing built in:
  o Use of default durations
  o Use of duration and cycles statements
  o Setting task switching overhead
• Typical Design Structure:
  o SystemName is now turned into a system
  o CPUs and BUSes are introduced inside SystemName
  o Environment may be turned into a system
  o Some operations are made asynchronous
  o Some Step-like threads are made periodic
  o Explicit use of TimeStamp is removed
Agenda
• Development Process for RT systems
• Introduction to Logic
• Overview of VDMTools® Functionality and Eclipse support
Logic
Our ability to state invariants, record pre-conditions and
post-conditions, and the ability to reason about a formal
model depend on the logic on which the modelling language
is based.
• Classical logical propositions and predicates
• Connectives
• Quantifiers
A temperature monitor example
Figure: plot of Temperature (C) against Time (s), with the temperature axis marked 0 to 30 and the time axis marked 1 to 10.
The monitor records the last five temperature readings.
A temperature monitor example
The following conditions are to be detected by the monitor:
1. Rising: the last reading in the sample is greater than the first
2. Over limit: there is a reading in the sample in excess of 400 C
3. Continually over limit: all the readings in the sample exceed
400 C
4. Safe: If readings do not exceed 400 C by the middle of the
sample, the reactor is safe. If readings exceed 400 C by the
middle of the sample, the reactor is still safe provided that the
reading at the end of the sample is less than 400 C.
5. Alarm: The alarm is to be raised if and only if the reactor is not
safe
Predicates and Propositions
Predicates are simply logical expressions. The
simplest kind of logical predicate is a
proposition.
A proposition is a logical assertion about a
particular value or values, usually involving a
Boolean operator to compare the values, e.g.
  3 < 27
  5 = 9
Predicates
A predicate is a logical expression that is not specific to
particular values but contains variables which can
stand for one of a range of possible values, e.g.
x < 27
(x**2) + x - 6 = 0
The truth or falsehood of a predicate depends on the
value taken by the variables.
Predicates in the monitor
example
Monitor :: temps : seq of int
           alarm : bool
inv m == len m.temps = 5
Consider a monitor m. m.temps is a sequence, so we can index into it:
First reading in m:
  m.temps(1)
Last reading in m:
  m.temps(5)
Predicate stating that the first reading in m is strictly less than the last reading:
  m.temps(1) < m.temps(5)
The truth of the predicate depends on the value of m.
The rising condition
The last reading in the sample is greater than the first
Monitor :: temps : seq of int
           alarm : bool
inv m == len m.temps = 5
We can express the rising condition as a Boolean function:
  Rising: Monitor -> bool
  Rising(m) == m.temps(1) < m.temps(5)
For any monitor m, the expression Rising(m) evaluates to true iff the last reading in the sample in m is higher than the first, e.g.
  Rising( mk_Monitor([233,45,677,650,900], false) )
  Rising( mk_Monitor([23,45,67,50,20], false) )
Logical Operators (Connectives)
We will examine the following logical operators:
• Negation (NOT)
• Conjunction (AND)
• Disjunction (OR)
• Implication (if ... then)
• Biconditional (if and only if)
Truth tables can be used to show how these operators combine propositions into compound propositions.
Negation (not)
Negation allows us to state that the opposite of some
logical expression is true, e.g.
The temperature in the monitor mon is not rising:
not Rising(mon)
Truth table for negation:
  P      not P
  true   false
  false  true
Disjunction (or)
Disjunction allows us to express alternatives that are not
necessarily exclusive:
Over limit: There is a reading in the sample in excess of
400 C
  OverLimit: Monitor -> bool
  OverLimit(m) ==
    m.temps(1) > 400 or
    m.temps(2) > 400 or
    m.temps(3) > 400 or
    m.temps(4) > 400 or
    m.temps(5) > 400
Truth table for disjunction:
  P      Q      P or Q
  true   true   true
  true   false  true
  false  true   true
  false  false  false
Conjunction (and)
Conjunction allows us to express the fact that all of a
collection of facts are true.
Continually over limit: all the readings in the sample exceed 400 C
  COverLimit: Monitor -> bool
  COverLimit(m) ==
    m.temps(1) > 400 and
    m.temps(2) > 400 and
    m.temps(3) > 400 and
    m.temps(4) > 400 and
    m.temps(5) > 400
Truth table for conjunction:
  P      Q      P and Q
  true   true   true
  true   false  false
  false  true   false
  false  false  false
Implication
Implication allows us to express facts which are only true
under certain conditions (“if … then …”):
Safe: If readings do not exceed 400 C by the middle of
the sample, the reactor is safe. If readings exceed 400 C
by the middle of the sample, the reactor is still safe
provided that the reading at the end of the sample is less
than 400 C.
  Safe: Monitor -> bool
  Safe(m) ==
    m.temps(3) > 400 => m.temps(5) < 400
Truth table for implication:
  P      Q      P => Q
  true   true   true
  true   false  false
  false  true   true
  false  false  true
Biimplication
Biimplication allows us to express equivalence (“if and only if”).
Alarm: The alarm is to be raised if and only if the reactor is not
safe
This can be recorded as an invariant property:
Monitor :: temps : seq of int
           alarm : bool
inv m ==
  len m.temps = 5 and
  (not Safe(m) <=> m.alarm)
Safe is applied to the whole monitor m, and the brackets are needed because and binds more tightly than <=> (see the precedence rules on the next slide).
Truth table for biimplication:
  P      Q      P <=> Q
  true   true   true
  true   false  false
  false  true   false
  false  false  true
Operator Precedence and
Associativity
• not has the highest precedence
• Followed by and, or, => and <=> in that order
• => has right grouping i.e.
o A => B => C without brackets means
o A => (B => C)
• The other logical operators are associative so right
and left grouping are equivalent, i.e.
o A and (B and C) is identical to (A and B) and C
Quantifiers
For large collections of values, using a variable makes
more sense than dealing with each case separately.
  inds m.temps
represents the indices (1 to 5) of the sample.
The "over limit" condition can then be expressed more economically as:
  exists i in set inds m.temps & m.temps(i) > 400
The "continually over limit" condition can then be expressed using "forall":
  COverLimit: Monitor -> bool
  COverLimit(m) ==
    forall i in set inds m.temps & m.temps(i) > 400
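The monitor predicates of this lecture (Rising, OverLimit, COverLimit, Safe and the alarm invariant) evaluated in Python, as an added example that is not part of the slides: the snake_case function names, the LIMIT constant and the evaluate helper are my own, and any()/all() stand in for the exists/forall quantifiers.

```python
# Added example, not from the slides: the monitor predicates of this lecture
# (Rising, OverLimit, COverLimit, Safe and the alarm invariant) in Python,
# with any()/all() standing in for the exists/forall quantifiers.
from typing import NamedTuple, Sequence

LIMIT = 400  # degrees C, the limit used throughout the slides


class Monitor(NamedTuple):
    temps: Sequence[int]  # the last five readings, oldest first
    alarm: bool


def rising(m: Monitor) -> bool:
    """Rising(m) == m.temps(1) < m.temps(5)  (VDM indexes from 1)"""
    return m.temps[0] < m.temps[4]


def over_limit(m: Monitor) -> bool:
    """exists i in set inds m.temps & m.temps(i) > 400"""
    return any(t > LIMIT for t in m.temps)


def continually_over_limit(m: Monitor) -> bool:
    """forall i in set inds m.temps & m.temps(i) > 400"""
    return all(t > LIMIT for t in m.temps)


def safe(m: Monitor) -> bool:
    """Safe(m) == m.temps(3) > 400 => m.temps(5) < 400
    P => Q is (not P) or Q, so if the middle reading is not over the
    limit, Safe holds whatever the last reading is (vacuous truth)."""
    return (not (m.temps[2] > LIMIT)) or (m.temps[4] < LIMIT)


def inv_monitor(m: Monitor) -> bool:
    """inv m == len m.temps = 5 and (not Safe(m) <=> m.alarm)
    The length check comes first so Safe never indexes a short sample."""
    return len(m.temps) == 5 and ((not safe(m)) == m.alarm)


def evaluate(m: Monitor) -> dict:
    """All five conditions of the monitor example for one sample."""
    return {
        "rising": rising(m),
        "over_limit": over_limit(m),
        "continually_over_limit": continually_over_limit(m),
        "safe": safe(m),
        "invariant_holds": inv_monitor(m),
    }
```

For instance, evaluate(Monitor([233, 45, 677, 650, 900], alarm=False)) reports safe False and invariant_holds False, because on that sample the alarm should have been raised.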
Quantifiers
Syntax:
  forall binding & predicate
  exists binding & predicate
There are two types of binding:
Type binding, e.g.
  x : nat
  n : seq of char
A type binding lets the bound variable range over a type (a possibly infinite collection of values).
Set binding, e.g.
  i in set inds m
  x in set {1,...,20}
A set binding lets the bound variable range over a finite set of values.
Universal quantification
• Universal quantification is a generalised form of conjunction
• For example, the statement "every natural number is greater than or equal to zero" is denoted by
  ∀n : nat · n ≥ 0
  (∀ is a turned-round "A", "for All", and is written as "forall" in ASCII)
  "for all n drawn from the natural numbers, n is greater than or equal to zero"
• This statement is equivalent to (and a lot more succinct than):
  0 ≥ 0 ∧ 1 ≥ 0 ∧ 2 ≥ 0 ∧ 3 ≥ 0 ∧ …
Questions
Formulate the following statements using predicate logic:
• Everybody likes Danish pastry
• Everybody either likes Danish pastry or is a vegetarian
• Either everybody likes Danish pastry or everybody is a
vegetarian
Are the last two statements equivalent?
Existential quantification
• Existential quantification allows us to assert that a predicate holds for at least one value (but not necessarily all values) of a given set
• For example, the statement "there is a natural number that is greater than or equal to zero" is denoted by:
  ∃n : nat · n ≥ 0
  (∃ is a turned-round "E", "there Exists", and is written as "exists" in ASCII)
  "there exists an n drawn from the natural numbers such that n is greater than or equal to zero"
• This statement is equivalent to:
  0 ≥ 0 ∨ 1 ≥ 0 ∨ 2 ≥ 0 ∨ 3 ≥ 0 ∨ …
Questions
Formulate the following statements using predicate logic:
• Somebody likes Danish pastry
• There is somebody who either likes Danish pastry or is
a vegetarian
• Either somebody likes Danish pastry or somebody is a
vegetarian
Are the last two statements equivalent?
Quantifiers
Several variables may be bound at once by a single
quantifier, e.g.
  forall x,y in set {1,...,5} &
    x <> y => not m.temps(x) = m.temps(y)
Would this predicate be true for the following value of
m.temps ?
[320, 220, 105, 119, 150]
Formulation Questions
All the readings in the sample are less than 400 and greater than 50.
  forall i in set inds m.temps &
    m.temps(i) < 400 and m.temps(i) > 50
Each reading in the sample is up to 10 greater than its predecessor.
  forall i in set inds m.temps \ {1} &
    m.temps(i - 1) + 10 <= m.temps(i)
There are two distinct readings in the sample which are over 400.
  exists i,j in set inds m.temps &
    i <> j and m.temps(i) > 400 and m.temps(j) > 400
Combination of quantifiers
• Assume we have a predicate with two free variables P(x,y) where x : X and y : Y
• Then quantifiers can be combined:
  o ∀y : Y · ∃x : X · P(x,y) or
  o ∃y : Y · ∀x : X · P(x,y)
• Would these be equivalent if X and Y are int and P(x,y) is x > y?
• However, if the same quantifier is used in both places the expressions are equivalent:
  o ∀y : Y · ∀x : X · P(x,y) ⇔ ∀x : X · ∀y : Y · P(x,y)
  o ∃y : Y · ∃x : X · P(x,y) ⇔ ∃x : X · ∃y : Y · P(x,y)
Quantifiers
Suppose we have to formalise the following property:
There is a “single minimum” in the sequence of
readings, i.e. there is a reading which is strictly smaller
than any of the other readings.
  exists i in set inds m.temps &
    forall j in set inds m.temps &
      i <> j => m.temps(i) < m.temps(j)
Suppose the order of the quantifiers is reversed.
Questions
• Translate the following into English:
  o x:Elephant & grey(x)
  o x:ANIMAL & elephant(x) => grey(x)
  o x : ANIMAL & bird(x) has-wings(x) flies(x)
• Represent the following using predicate logic formulae:
  o "Joanne is a teacher, she teaches AI, and likes chocolate."
  o "Some teachers do not like chocolate"
Agenda
• Development Process for RT systems
• Introduction to Logic
• Overview of VDMTools® Functionality and Eclipse support
VDMTools® Overview
• Syntax & Type Checker
• Integrity Checker
• Interpreter (Debugger)
• Code Generators (C++, Java)
• Java to VDM++
• The Rose-VDM++ Link
• Document Generator
• API (Corba), DL Facility
Japanese Support via Unicode
Validation with VDMTools®
Figure: validation with VDMTools. The VDM specs and the test cases go through execution, and the actual results are compared with the expected results.
Documentation in MS Word/RTF
One compound document:
• Documentation
• Specification
• Test coverage
• Test coverage statistics
Architecture of the Rose VDM++ Link
Figure: architecture of the Rose VDM++ Link. On one side is the VDM++ Toolbox with its VDM++ files and class repository; on the other is IBM Rational Rose with its UML diagrams, UML model file and class repository. A Merge Tool sits between the two class repositories.
Integrity checker
Reference Material
• The VDM++ Language for VICE, CSK, 2005
• The VDM++ User Manual, CSK, 2005
• The VDM++ Installation Guide, CSK, 2005
• Rational Rose Link Plug-in Installation and User Guide, CSK, 2005
Further Information
• An Executable Subset of Meta-IV with Loose Specification, P.G. Larsen, P.B. Lassen, VDM '91: Formal Software Development Methods, 1991
• The IFAD VDM-SL Toolbox: A Practical Approach to Formal Specifications, R. Elmstrøm, P.G. Larsen, P.B. Lassen, ACM Sigplan Notices, September 1994
• Computer-aided Validation of Formal Specifications, P. Mukherjee, Software Engineering Journal, July 1995
• Ten Years of Historical Development: "Bootstrapping" VDMTools, P.G. Larsen, Journal of Universal Computer Science, 2001
Summary
• What have I presented today?
  o Development Process for RT systems
  o Introduction to Logic
  o Introduction to VDMTools® and Eclipse Support
• What do you need to do now?
  o Read chapters 4 and 5 of the book for next week
  o Get Eclipse and VDMTools installed
  o Start playing with the combination of VDMTools, Eclipse and Rose
  o Read existing material about the selected project
  o Formulate a new requirements definition for the project
  o Decide upon the purpose of the model to develop
  o Present this project to the rest of us
Quote of the day
The successful construction of all machinery depends on
the perfection of the tools employed, and whoever is
the master in the art of tool-making possesses the key
to the construction of all machines.
Charles Babbage, 1851