Add to collection(s) Add to saved
  1. No category

Basic elements of a formal model

advertisement 
Basic elements of a formal model
Having explored the logic of VDM-SL, we go on to introduce the
main data types and operators of the language.
Recall that a formal model is formed from type definitions and
function definitions. The representation of data is therefore
crucial to developing a useful formal model.
• Defining types and operators: total and partial operators
• The Traffic light control kernel:
Quote types
Type union
Composite types
Token types
1
Defining a type
To define a type we need:
• a type symbol
• a way of writing values
• operators to manipulate values
For each operator, we give a signature, e.g.
+ : nat * nat -> nat
2
Defining a type
Partial Operators
An operator
op : T1 * . . . * Tn
->
R
is said to be total if, for any a1:T1,. . . an:Tn, the
expression
op(a1,. . ., an)
is defined.
If there exists some b1:T1,. . .,bn:Tn for which
op(b1,. . .,bn)
is undefined, op is said to be a partial operator.
We avoid applying partial operators to values on which they are
undefined!
3
Basic Types
Type Symbol
Values
Example Values
Operators
nat
Natural numbers
0, 1, 2, …
+,-,*,/,…
nat1
nat excluding 0
1, 2, 3, …
+,-,*,/,…
int
Integers
…,-1,0,1,2,…
+,-,*,/,…
real
Real Numbers
-23.334
+,-,*,/,…
char
Characters
‘g’, ‘@’
=, <>
bool
Booleans
true, false
token
Structureless
tokens
Not applicable
=, <>
quote
Named quote
values
<Red>, <Bio>
=, <>
and, or, …
4
Type Constructors
|
Union types
[_]
Optional types
::
Record types
set of _
Finite sets
seq of _
Finite sequences
map _ to _
Finite mappings
Examples:
5
Traffic light controller kernel
6
Traffic light controller kernel
Safety Requirements
S1: If two paths conflict, then it must always be the case that
the light on one of the conflicting paths is red.
S2: There must be a delay of at least 5 seconds between a light
turning red and the light in the conflicting direction turning
green.
S3: There must be a delay of at least 5 seconds between a light
turning amber and the light turning red.
Red
Green
Amber
7
Traffic light controller kernel
Light =
Union & Quote Types
<Red> | <Amber> | <Green>
<Red> is a type containing one value, also called <Red> (a
quote type). Thus:
<Red> : Light
<Red> : <Red>
We can only compare quote literals by equality/inequality:
x,y : Light
x = y
x <> y
8
Traffic light controller kernel
Numeric Types
Time = real
Is there an invariant on the time?
9
Traffic light controller kernel
Numeric Types
Time = real
Is there an invariant on the time?
Time = real
inv t == t > 0
10
Traffic light controller kernel
Token Type
Path = token
The token type is used when we do not need the details of the
representation of a particular type.
Values of token types may be compared only by = and <>.
11
Traffic light controller kernel
Token Type
Constants are called values in VDM-SL:
values
p1 : Path
p2 : Path
p3 : Path
p4 : Path
=
=
=
=
mk_token(“A1North”)
mk_token(“A1South”)
mk_token(“A66East”)
mk_token(“A66West”)
Note that we can represent token values by using the
“mk_token” constructor and an arbitrary value between the
parentheses. Strictly speaking, this is an extension to the ISO
Standard VDM-SL, which states that values of the type token
can not be inspected or constructed.
12
Traffic light controller kernel
Record Types
Conflict :: path1 : Path
path2 : Path
Constructor
mk_Conflit
e.g.
mk_Conflit(mk_token(“A1North”), mk_token(“A2”))
Selectors
e.g.
c.path1
c.path2
Invariant: A path is not in conflict with itself.
13
Traffic light controller kernel
Record Types
Conflict :: path1 : Path
path2 : Path
Invariant: A path is not in conflict with itself.
inv c == c.path1 <> c.path2
Or
inv mk_Conflict(p1,p2) == p1 <> p2
14
Traffic light controller kernel
Kernel :: lights
Record Types
:
conflicts :
Example values:
conflicts: set of Conflict = { mk_Conflict(p1,p3),
mk_Conflict(p1,p4),
mk_Conflict(p2,p3),
mk_Conflict(p2,p4),
mk_Conflict(p3,p1),
mk_Conflict(p4,p1),
mk_Conflict(p3,p2),
mk_Conflict(p4,p2)}
15
Traffic light controller kernel
Record Types
An example value for the lights component of a Kernel:
lights : map Path to Light
= { p1
|->
<Red>,
p2
|->
<Red>,
p3
|->
<Green>,
p4
|->
<Green> }
16
Traffic light controller kernel
Record Types
An invariant on Kernel:
Kernel :: lights
: map Path to Light
conflicts : set of Conflict
inv mk_Kernel(ls,cs) ==
--The conflicting paths must have lights
-- One of the paths in each conflict must have a red light
-- The set of conflicts is symmetric
17
Traffic light controller kernel
Record Types
An invariant on Kernel:
Kernel :: lights
: map Path to Light
conflicts : set of Conflict
inv mk_Kernel(ls,cs) ==
--The conflicting paths must have lights
forall c in set cs & c.path1 in set dom ls and
c.path2 in set dom ls
-- One of the paths in each conflict must have a red light
forall c in set cs & ls(c.path1) = <Red> or
ls(c.path2) = <Red>
-- The set of conflicts is symmetric
forall c in set cs & mk_Conflit(c.path2,c.path1) is in set cs
18
Traffic light controller kernel
Functions
f: T1 * . . . * Tn -> R
f(a1,…,an) == expression defining result
pre logical (Boolean) expression of assumptions
ToGreen: Path * Kernel
->
Kernel
ToGreen(p, mk_Kernel(lights,conflicts)) ==
The functions for the other colours are similar. But are
there any preconditions?
19
Traffic light controller kernel
Functions
ToGreen: Path * Kernel -> Kernel
ToGreen(p, mk_Kernel(lights,conflicts)) ==
mk_Kernel( lights ++ { p |-> <Green> },
conflicts)
pre
-- p has a light!
p in set dom lights
-- p’s light is red!
lights(p) = <Red>
-- all paths conflicting with p have red lights
forall con in set conflicts &
p = con.path1 => lights(con.path2) = <Red>
20
Traffic light controller kernel
Functions
ToRed: Path * Kernel -> Kernel
ToRed(p, mk_Kernel(lights,conflicts)) ==
mk_Kernel( lights ++ { p |-> <Red> },
conflicts)
pre p in set dom lights and
lights(p) = <Amber>
ToAmber: Path * Kernel -> Kernel
ToAmber(p, mk_Kernel(lights,conflicts)) ==
mk_Kernel( lights ++ { p |-> <Amber> },
conflicts)
pre p in set dom lights and
lights(p) = <Green>
21
Traffic light controller kernel
Adding time
Kernel :: lights
: map Path to Light
conflicts : set of Conflict
lastch
: map Path to Time
inv mk_Kernel(ls,cs,lc) ==
dom ls = dom lc and
forall c in set cs &
mk_Conflict(c.path2, c.path1) in set cs and
c.path1 in set dom ls and
c.path2 in set dom ls and
(ls(c.path1) = <Red> or ls(c.path2) = <Red>)
22
Traffic light controller kernel
Adding time
ToGreen: Path * Kernel * Time -> Kernel
ToGreen(p, mk_Kernel(lights,conflicts,lastch),clock) ==
mk_Kernel( lights ++ { p |-> <Green> },
conflicts,
lastch ++ { p |-> clock})
pre p in set dom lights and
lights(p) = <Red> and
forall con in set conflicts &
p = con.path1 => ( lights(con.path2) = <Red> and
clock-lastch(con.path2) >= 5
)
23
Traffic light controller kernel
Adding time
ToRed: Path * Kernel * Time -> Kernel
ToRed(p, mk_Kernel(lights,conflicts,lastch),clock) ==
mk_Kernel( lights ++ { p |-> <Red> },
conflicts,
lastch ++ { p |-> clock})
pre p in set dom lights and
lights(p) = <Amber> and
clock-lastch(p) >= 5
24
Traffic light controller kernel
Adding time
ToAmber: Path * Kernel * Time -> Kernel
ToAmber(p, mk_Kernel(lights,conflicts,lastch),clock) ==
mk_Kernel( lights ++ { p |-> <Amber> },
conflicts,
lastch ++ { p |-> clock})
pre p in set dom lights and
lights(p) = <Green>
25
Traffic light controller kernel
Review Requirements
S1: If two paths conflict, then it must always be the case that
the light on one of the conflicting paths is red.
* Considered in the invariant of type Kernel
S2: There must be a delay of at least 5 seconds between a light
turning red and the light in the conflicting direction turning
green.
* Considered in precondition of function ToGreen
S3: There must be a delay of at least 5 seconds between a light
turning amber and the light turning red.
* Considered in precondition of function ToGreen
26
Traffic light controller kernel
Optional Types
Light = <Red> | <Amber> | <Green>
LightFail = [Light]
27
Summary
• Defining a type: give type symbol, methods for expressing
values and operators.
• Operators may be total or partial. Avoid application of partial
operators outside their domains.
• Basic types: numerics, characters, Booleans, tokens, quote
types
• Type constructors: union, records, optionals, finite sets,
sequences and mappings.
28
Related documents
Abstract
Abstract
CI04-Week8
CI04-Week8
Domain Invariant Transfer Kernel Learning Abstract: Domain
Domain Invariant Transfer Kernel Learning Abstract: Domain
doc
doc
Office hrs: CII 5217 Thursday 10:00
Office hrs: CII 5217 Thursday 10:00
Worksheet
Worksheet
Week Eight Quiz and Answers
Week Eight Quiz and Answers
HW7CS273Awinter11
HW7CS273Awinter11
Download
advertisement