VDMTools - PowerPoint PPT Presentation

1
VDMTools: Validated Design through Modelling
Your Solution to Quality Problems in Software Development
IFAD A/S, Forskerparken 10, DK-5230 Odense M, Denmark
www.ifad.dk
2
VDMTools Tutorial
  • IFAD Profile
  • Where does VDM fit in?
  • VDM Overview
  • Overview of VDMTools?
  • Demonstration overview

3
IFAD Location
IFAD A/S
Forskerparken 10A
5230 Odense M
Denmark
Phone: +45 6315 7131
Fax: +45 6593 2999
Web: www.ifad.dk
(Map: Europe and Denmark, with Copenhagen and Odense marked)
4
IFAD Organisation Chart
(Chart: Management at the top; units for Subcontracting, Consultancy, Tools and Products; products VDMTools and MUSTER; Sales, Services, Methods & Tools, Training & Simulation; Henrik Voss)
5
IFAD Profile
  • Tool Provider (Products: VDMTools, MUSTER)
  • Service Provider (Training, Customer-specific
    Consultancy)
  • Subcontractor (Development of Applications &
    Tools)

6
VDMTools
7
IFAD VDMTools Alliances
Sidereus, Portugal
ISPRAS, Russia
Rational, USA
SofTools, USA
Technical partners
IFAD
DDC-I, USA
Fellows
Distributors
Alagar, Canada
JFITS, Japan
Aichernig, Austria
8
Boeing/Joint Strike Fighter
9
The Boeing JSF One Team
10
References, World-wide
More than 150 clients world-wide
France: Aerospatiale Espace et Defense, Dassault Aviation, Dassault Electronique, CISI, CEA et Defense, CEA Leti, Cap Gemini, LAAS, Matra Bae Dynamics
U.K.: British Aerospace Systems & Equipment, British Aerospace Defense, Adelard, ICL Enterprise Engineering, Rolls Royce, Transitive Technologies
North America: Boeing, Rockwell Collins, Lockheed Martin, DDC-I, Inc., Rational Software Corp., Formal Systems Inc., Concordia University
Japan: RTRI (Japan Railways), JFITS
Germany: GAO mbH
Italy: Alenia, ENEA, Ansaldo
The Netherlands: Dutch Dept. of Defence, Origin, Chess
Denmark: Danish Railways, Baan Nordic, Odense Steel Shipyard, DDC International
11
VDMTools Tutorial
  • IFAD Profile
  • Where does VDM fit in?
  • VDM Overview
  • Overview of VDMTools?
  • Demonstration overview

12
The Life-cycle Model
Where does the VDM technology fit in?
System Analysis
System Test
Software Design
Module Test
Coding
Unit Test
13
VDM for Requirements Analysis
Animation
System Analysis
System Test
VDM Model
Test Cases
Modelling Validation
Software Design
Module Test
Coding
Unit Test
14
VDM for Analysis Design
Animation
System Analysis
System Test
VDM Model
Test Cases
Modelling Validation
Software Design
Module Test
Coding
Unit Test
15
VDM for the Full Life-cycle Model
Animation
System Analysis
System Test
VDM Model
Test Cases
Modelling Validation
Software Design
Module Test
Unit Test
Code Generation
16
VDMTools Tutorial
  • IFAD Profile
  • Where does VDM fit in?
  • VDM Overview
  • Overview of VDMTools?
  • Demonstration overview

17
VDM Class Outline
class <class-name>
  instance variables ...                  -- Internal object state
  types values functions operations ...   -- Definitions
  thread ...                              -- Dynamic behaviour
  sync ...                                -- Synchronization control
end <class-name>
18
VDM Overview
  • Access Modifiers and Constructors
  • Instance Variables
  • Types
  • Functions
  • Expressions, Patterns, Bindings
  • Operations
  • Statements
  • Concurrency

19
Access Modifiers
  • VDM Class Members may have their access
    specified as public, private or protected.
  • The default for all members is private
  • Access modifiers may not be narrowed, e.g. a
    subclass cannot override a public operation in
    the superclass with a private operation in the
    subclass.
  • static modifiers can be used for definitions
    which are independent of the object state.

20
Constructors
  • Each class can have a number of constructors
  • Syntax identical to operations with a reference
    to the class name in return type
  • The return does not need to be made explicitly
  • Can be invoked when a new instance of a class
    gets created

21
VDM Overview
  • Access Modifiers and Constructors
  • Instance Variables
  • Types
  • Functions
  • Expressions, Patterns, Bindings
  • Operations
  • Statements
  • Concurrency

22
Instance Variables (1)
  • Used to model attributes
  • Consistency properties modelled as invariants

class Person
types
  string = seq of char
instance variables
  name : string;
  age : int := 0;
  inv 0 <= age and age < 99
end Person
23
Instance Variables (2)
  • Used to model associations
  • Object reference type simply written as the class
    name, e.g. Person
  • Multiplicity using VDM-SL data types

class Person
...
instance variables
  name : string;
  age : int := 0;
  employer : set of Company;
...
end Person

class Company
...
end Company
24
Instance Variable Access
  • Instance variables can only be accessed directly
    from within the object they belong to.
  • To read/write instance variables from outside,
    access operations must be defined

class Person
...
instance variables
  name : string;
...
operations
  public GetName : () ==> string
  GetName () == return name;
end Person
25
VDM Overview
  • Access Modifiers and Constructors
  • Instance Variables
  • Types
  • Functions
  • Expressions, Patterns, Bindings
  • Operations
  • Statements
  • Concurrency

26
Type Definitions
  • Basic types
    • Boolean
    • Numeric
    • Tokens
    • Characters
    • Quotations
  • Compound types
    • Set types
    • Sequence types
    • Map types
    • Product types
    • Composite types
    • Union types
    • Optional types
    • Function types

Invariants can be added
27
Boolean
not b      Negation        bool -> bool
a and b    Conjunction     bool * bool -> bool
a or b     Disjunction     bool * bool -> bool
a => b     Implication     bool * bool -> bool
a <=> b    Biimplication   bool * bool -> bool
a = b      Equality        bool * bool -> bool
a <> b     Inequality      bool * bool -> bool
Quantified expressions can also be considered to
be basic operators, but we will present them
together with the other general expressions.
28
Numeric (1)
-x         Unary minus       real -> real
abs x      Absolute value    real -> real
floor x    Floor             real -> int
x + y      Sum               real * real -> real
x - y      Difference        real * real -> real
x * y      Product           real * real -> real
x / y      Division          real * real -> real
x div y    Integer division  int * int -> int
x rem y    Remainder         int * int -> int
x mod y    Modulus           int * int -> int
x ** y     Power             real * real -> real
29
Numeric (2)
x < y      Less than         real * real -> bool
x > y      Greater than      real * real -> bool
x <= y     Less or equal     real * real -> bool
x >= y     Greater or equal  real * real -> bool
x = y      Equal             real * real -> bool
x <> y     Not equal         real * real -> bool
30
Product and Record Types
  • Product type definition: A1 * A2 * ... * An
    Construction of a tuple: mk_(a1,a2,...,an)
  • Record type definition: A :: selfirst : A1
    selsec : A2 ... seln : An
    Construction of a record: mk_A(a1,a2,...,an)

31
Set Operators
e in set s1       Membership           A * set of A -> bool
e not in set s1   Not membership       A * set of A -> bool
s1 union s2       Union                set of A * set of A -> set of A
s1 inter s2       Intersection         set of A * set of A -> set of A
s1 \ s2           Difference           set of A * set of A -> set of A
s1 subset s2      Subset               set of A * set of A -> bool
s1 psubset s2     Proper subset        set of A * set of A -> bool
s1 = s2           Equality             set of A * set of A -> bool
s1 <> s2          Inequality           set of A * set of A -> bool
card s1           Cardinality          set of A -> nat
dunion s1         Distr. union         set of set of A -> set of A
dinter s1         Distr. intersection  set of set of A -> set of A
power s1          Finite power set     set of A -> set of set of A
32
Map Operators
dom m          Domain           (map A to B) -> set of A
rng m          Range            (map A to B) -> set of B
m1 munion m2   Merge            (map A to B) * (map A to B) -> map A to B
m1 ++ m2       Override         (map A to B) * (map A to B) -> map A to B
merge ms       Distr. merge     set of (map A to B) -> map A to B
s <: m         Dom. restr. to   set of A * (map A to B) -> map A to B
s <-: m        Dom. restr. by   set of A * (map A to B) -> map A to B
m :> s         Rng. restr. to   (map A to B) * set of A -> map A to B
m :-> s        Rng. restr. by   (map A to B) * set of A -> map A to B
m(d)           Map apply        (map A to B) * A -> B
inverse m      Map inverse      inmap A to B -> inmap B to A
m1 = m2        Equality         (map A to B) * (map A to B) -> bool
m1 <> m2       Inequality       (map A to B) * (map A to B) -> bool
33
Sequence Operators
hd l          Head               seq1 of A -> A
tl l          Tail               seq1 of A -> seq of A
len l         Length             seq of A -> nat
elems l       Elements           seq of A -> set of A
inds l        Indexes            seq of A -> set of nat1
l1 ^ l2       Concatenation      seq of A * seq of A -> seq of A
conc ll       Distr. conc.       seq of seq of A -> seq of A
l(i)          Seq. application   seq1 of A * nat1 -> A
l ++ m        Seq. modification  seq1 of A * map nat1 to A -> seq1 of A
l1 = l2       Equality           seq of A * seq of A -> bool
l1 <> l2      Inequality         seq of A * seq of A -> bool
34
Comprehension Notation
Convenient comprehensions exist for sets, maps
and sequences:
  • Set comprehension: {elem | bind-list & pred}
    e.g. {x * 2 | x in set {1,...,10} & x mod 2 = 0}
  • Map comprehension: {maplet | bind-list & pred}
    e.g. {x |-> f(x) | x in set s & p(x)}
  • Sequence comprehension: [elem | setbind & pred]
    e.g. [l(i) * 2 | i in set inds l & l(i) < 10]
  • The set binding is restricted to sets of numeric
    values, which are used to find the order of the
    resulting sequence

35
Invariants
(Figure: a data type DT with its associated invariant function inv_DT)
Even = nat
  inv n == n mod 2 = 0
SpecialPair = nat * real
  inv mk_(n,r) == n < r
DisjointSets = set of set of A
  inv ss == forall s1, s2 in set ss & s1 <> s2 => s1 inter s2 = {}
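The three invariants above, together with the Person class from the Instance Variables slide, as an added runnable example in Python (not part of the original slides and not VDMTools code). VDM notation is not executable here, so each inv_T becomes a predicate, and Person re-checks its invariant on creation and after every assignment, which is what the VDM interpreter does with invariant checking switched on. The pairwise check in inv_DisjointSets, the InvariantViolation exception, the rollback in SetAge and the try_set_age helper are this rendering's own choices.

```python
# Added example (not from the slides): VDM invariants rendered as executable
# Python checks. The VDM interpreter evaluates inv_T whenever a value of type T
# is built or an instance variable is assigned; here the same checks are plain
# functions plus a Person class that re-checks its invariant on every change.
from itertools import combinations


class InvariantViolation(Exception):
    """Raised where the VDM interpreter would report an invariant violation."""


def inv_Even(n) -> bool:
    # Even = nat inv n == n mod 2 = 0   (the nat constraint is part of the type)
    return isinstance(n, int) and n >= 0 and n % 2 == 0


def inv_SpecialPair(pair) -> bool:
    # SpecialPair = nat * real inv mk_(n, r) == n < r
    n, r = pair
    return isinstance(n, int) and n >= 0 and n < r


def inv_DisjointSets(ss) -> bool:
    # DisjointSets = set of set of A
    #   inv ss == forall s1, s2 in set ss & s1 <> s2 => s1 inter s2 = {}
    # ss is a set of frozensets; checking each unordered pair once is equivalent.
    return all(s1.isdisjoint(s2) for s1, s2 in combinations(ss, 2))


class Person:
    """class Person: instance variables name : string; age : int := 0;
    inv 0 <= age and age < 99. State is private, as in VDM, and reachable
    only through access operations."""

    def __init__(self, name: str, age: int = 0):
        self._name = name
        self._age = age
        self._check_inv()          # VDM checks the invariant on object creation too

    def _check_inv(self) -> None:
        if not (0 <= self._age < 99):
            raise InvariantViolation(f"inv_Person violated: age = {self._age}")

    # Access operations (cf. the "Instance Variable Access" slide)
    def GetName(self) -> str:
        return self._name

    def GetAge(self) -> int:
        return self._age

    def SetAge(self, age: int) -> None:
        old = self._age
        self._age = age
        try:
            self._check_inv()
        except InvariantViolation:
            self._age = old        # roll back so the object never stays in a bad state
            raise


def try_set_age(person: Person, age: int) -> bool:
    """True if the assignment was accepted, False if the invariant rejected it."""
    try:
        person.SetAge(age)
        return True
    except InvariantViolation:
        return False
```

The rollback in SetAge matters: a VDM invariant is a property of every reachable state, so a rejected assignment must leave the old state intact rather than a half-updated one.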
36
VDM Overview
  • Access Modifiers and Constructors
  • Instance Variables
  • Types
  • Functions
  • Expressions, Patterns, Bindings
  • Operations
  • Statements
  • Concurrency

37
Function Definitions (1)
  • Explicit functions:
    f : A * B * ... * Z -> R1 * R2 * ... * Rn
    f(a,b,...,z) == expr
    pre preexpr(a,b,...,z)
    post postexpr(a,b,...,z,RESULT)
  • Implicit functions:
    f(a:A, b:B, ..., z:Z) r1:R1, ..., rn:Rn
    pre preexpr(a,b,...,z)
    post postexpr(a,b,...,z,r1,...,rn)
    Implicit functions cannot be executed by the VDM interpreter.

38
Function Definitions (2)
  • Extended explicit functions:
    f(a:A, b:B, ..., z:Z) r1:R1, ..., rn:Rn == expr
    pre preexpr(a,b,...,z)
    post postexpr(a,b,...,z,r1,...,rn)
    Extended explicit functions are a non-standard
    combination of the implicit colon style with an
    explicit body.
  • Preliminary explicit functions:
    f : A * B * ... * Z -> R1 * R2 * ... * Rn
    f(a,b,...,z) == is not yet specified
    pre preexpr(a,b,...,z)
    post postexpr(a,b,...,z,RESULT)

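An explicit function with a pre- and a post-condition, as an added Python example (not VDM notation, and not from the original slides). The function Max over a non-empty set of nat, its pre_Max and post_Max, the BadMax body and the contract decorator are all assumptions of this example; the decorator stands in for the interpreter's pre/post checking and separates a caller's fault (pre-condition) from a body's fault (post-condition), which is the reason VDM keeps both separate from the explicit body.

```python
# Added example (not from the slides): an explicit VDM function with pre- and
# post-conditions rendered in Python. The VDM being rendered is:
#   Max : set of nat -> nat
#   Max(s) == <body>
#   pre  s <> {}
#   post RESULT in set s and forall x in set s & x <= RESULT
# pre_Max is checked on entry and post_Max on exit with the result bound to RESULT.
from functools import wraps


class PreconditionError(Exception):
    """Caller broke the contract: the function was applied outside its domain."""


class PostconditionError(Exception):
    """Body broke the contract: the result does not satisfy the post-condition."""


def contract(pre, post):
    """Wrap f so that pre(*args) is checked before and post(*args, RESULT) after."""
    def decorate(f):
        @wraps(f)
        def checked(*args):
            if not pre(*args):
                raise PreconditionError(f"pre_{f.__name__} failed for {args}")
            RESULT = f(*args)
            if not post(*args, RESULT):
                raise PostconditionError(f"post_{f.__name__} failed: {args} -> {RESULT}")
            return RESULT
        return checked
    return decorate


def pre_Max(s) -> bool:
    return len(s) > 0                     # s <> {}


def post_Max(s, RESULT) -> bool:
    return RESULT in s and all(x <= RESULT for x in s)


@contract(pre_Max, post_Max)
def Max(s: frozenset) -> int:
    return max(s)


@contract(pre_Max, post_Max)
def BadMax(s: frozenset) -> int:
    # A deliberately wrong body: only the post-condition exposes the defect.
    return min(s)


def outcome(f, s) -> str:
    """Classify a call as 'ok', 'pre' (caller at fault) or 'post' (body at fault)."""
    try:
        f(s)
        return "ok"
    except PreconditionError:
        return "pre"
    except PostconditionError:
        return "post"
```

Note that BadMax passes on a singleton set: a post-condition only rejects results it can distinguish from correct ones, so the test set has to be chosen to exercise it.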
39
VDM Overview
  • Access Modifiers and Constructors
  • Instance Variables
  • Types
  • Functions
  • Expressions, Patterns, Bindings
  • Operations
  • Statements
  • Concurrency

40
Expressions
  • Define expressions
  • Lambda expressions
  • New and Self expressions
  • Class membership expressions
  • Object comparison expressions
  • Object reference expressions
  • Let and let-be expressions
  • If-then-else expressions
  • Cases expressions
  • Quantified expressions
  • Set expressions
  • Sequence expressions
  • Map expressions
  • Tuple expressions
  • Record expressions
  • Is expressions

Special VDM Expressions
41
Patterns and Pattern Matching
  • Patterns are empty shells
  • Patterns are matched, thereby binding the pattern
    identifiers
  • There are special patterns for
    • Basic values
    • Pattern identifiers
    • Don't care patterns
    • Sets
    • Sequences
    • Tuples
    • Records
    • but not for maps

42
Bindings
  • A binding matches a pattern to a value.
  • A set binding: pat in set expr
    where expr must denote a set expression. pat is
    bound to the elements of the set expr.
  • A type binding: pat : type
    Here pat is bound to the elements of type. Type
    bindings cannot be executed by the Toolbox,
    because such types can be infinitely large.

43
VDM Overview
  • Access Modifiers and Constructors
  • Instance Variables
  • Types
  • Functions
  • Expressions, Patterns, Bindings
  • Operations
  • Statements
  • Concurrency

44
Operation Definitions (1)
  • Explicit operation definitions:
    o : A * B * ... ==> R
    o(a,b,...) == stmt
    pre expr
    post expr
  • Implicit operation definitions:
    o(a:A, b:B, ...) r:R
    ext rd ... wr ...
    pre expr
    post expr

45
Operation Definitions (2)
  • Preliminary operation definitions:
    o : A * B * ... ==> R
    o(a,b,...) == is not yet specified
    pre expr
    post expr
  • Delegated operation definitions:
    o : A * B * ... ==> R
    o(a,b,...) == is subclass responsibility
    pre expr
    post expr

46
Operation Definitions (3)
  • Operations in VDM can be overloaded
    • Different definitions of operations with the
      same name
    • Argument types must not overlap statically
      (structural equivalence omitting invariants)

47
VDM Overview
  • Access Modifiers and Constructors
  • Instance Variables
  • Types
  • Functions
  • Expressions, Patterns, Bindings
  • Operations
  • Statements
  • Concurrency

48
Statements
  • Let and Let-be statements
  • Define Statements
  • Block statements
  • Assign statements
  • Conditional statements
  • For loop statements
  • While loop statements
  • Call Statements
  • Non deterministic statements
  • Return statements
  • Exception handling statements
  • Error statements
  • Identity statements
  • start and startlist statements

Special VDM Statement
49
VDM Overview
  • Access Modifiers and Constructors
  • Instance Variables
  • Types
  • Functions
  • Expressions, Patterns, Bindings
  • Operations
  • Statements
  • Concurrency

50
Concurrency in VDM
Objects can be
  • Passive Change state on request only, i.e. as a
    consequence of an operation invocation.
  • Active Can change their internal state
    spontaneously without any influence from other
    objects. Active objects have their own thread of
    control.

Why use concurrency in specifications?
  • The real world is highly concurrent. Consequently,
    models of the world are likely to be concurrent
    too.
  • For efficiency reasons in a multi processor
    environment.

51
Passive Objects
  • Respond to requests (operation invocations) from
    active objects (clients).
  • Supply an interface (a set of operations) for
    their clients.
  • No thread.
  • Can serve several clients.

52
Permission Guards
Synchronization for objects is specified using
VDM's sync clause:
sync
  per <operation-name> => <condition>
The per clause is known as a permission guard.
condition is a boolean expression, which involves
the attributes of the class, that must hold in
order for operation-name to be invoked.
Permission guards reflecting the bounding of the
buffer:
sync
  per GetItem => len buf > 0;
  per PutItem => len buf < size
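The bounded buffer's two permission guards, as an added Python example (not from the slides and not VDMTools code). A threading.Condition plays the role of the sync clause: a thread invoking GetItem or PutItem blocks until its guard over len buf holds, and every state change wakes the waiters so they re-evaluate their guards. The Buffer class, its size parameter, the peak counter and the producer/consumer driver are assumptions of this example.

```python
# Added example (not from the slides): the permission guards
#   sync
#     per GetItem => len buf > 0;
#     per PutItem => len buf < size
# rendered in Python. A guard is a predicate over the object's own state; the
# calling thread waits until it holds, with the object's lock released meanwhile.
import threading
from collections import deque


class Buffer:
    def __init__(self, size: int):
        self.size = size
        self.buf = deque()
        self.peak = 0                                # largest len(buf) ever observed
        self._state_changed = threading.Condition()  # owns the lock for this object

    def _permission(self, guard) -> None:
        # Permission guard: wait (releasing the lock) until the condition holds.
        while not guard():
            self._state_changed.wait()

    def PutItem(self, item) -> None:
        with self._state_changed:                    # one operation active at a time
            self._permission(lambda: len(self.buf) < self.size)
            self.buf.append(item)
            self.peak = max(self.peak, len(self.buf))
            self._state_changed.notify_all()         # state changed: re-check guards

    def GetItem(self):
        with self._state_changed:
            self._permission(lambda: len(self.buf) > 0)
            item = self.buf.popleft()
            self._state_changed.notify_all()
            return item


def run_producer_consumer(n_items: int, size: int):
    """Two active objects (threads) sharing one passive Buffer of the given size.
    Returns (items received in order, peak occupancy of the buffer)."""
    buf = Buffer(size)
    received = []

    def producer():
        for i in range(n_items):
            buf.PutItem(i)

    def consumer():
        for _ in range(n_items):
            received.append(buf.GetItem())

    threads = [threading.Thread(target=producer), threading.Thread(target=consumer)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return received, buf.peak
```

The while loop in _permission is essential: a woken thread re-evaluates its guard rather than assuming it holds, which is exactly the permission-guard semantics and what prevents a consumer from reading an empty buffer after a spurious wake-up.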
53
VDMTools Tutorial
  • IFAD Profile
  • Where does VDM fit in?
  • VDM Overview
  • Overview of VDMTools?
  • Demonstration overview

54
VDMTools Overview
55
Syntax and Type Checking
56
Validation with VDMTools
VDM specs
Actual results
Comparison
Execution
Test cases
Expected results
57
Documentation in MS Word/RTF
One compound document
  • Documentation
  • Specification
  • Test coverage
  • Test coverage statistics

58
The Rose-VDM Link
  • Supports round-trip engineering with Rational
    Rose
  • Offers the complementary benefits of the
    graphical notation UML and the textual formal
    notation VDM
  • Massive use of UML expected world-wide!

59
UML - An Overview
UML offers a wide variety of graphical diagrams
providing different perspectives of the system
under development.
  • Interaction between users and the system
    • use case diagrams
  • Static structure
    • class diagram
  • Dynamic structure
    • sequence diagram
    • collaboration diagram
    • activity diagram
    • state diagram
  • Implementation details
    • component diagram
    • deployment diagram

60
The Rose-VDM Link
Validate requirements and design. Test your
models!
How can I check my model?
Is my model right?
Rose-VDM Link
Rose2000
61
Integration Principle
62
Associations
  • Clientship relations are represented in UML as an
    association:
    class Producer             class Consumer
    instance variables         instance variables
      buf : Buffer;              buf : Buffer;
    ...                        ...
  • Associations can have multiplicity:
    class Company
    instance variables
      staff : set of Employee;
    ...

63
Inheritance
  • In UML inheritance is termed generalization.
  • In VDM the is subclass of keyword identifies
    the inheritance relations between classes.

64
A Class Diagram
Attributes
The Buffer class
Operations
65
Mapping Rules
class A
instance variables
  toC : C
end A

class B is subclass of C
instance variables
  b : nat;
  seqofA : seq of A
operations
  public Get : () ==> nat
  Get() == return b;
  public Set : nat ==> ()
  Set(val) == b := val
end B

class C
instance variables
  selfLink : C
end C
66
Architecture of Link
VDM Toolbox
Rational Rose 2000
UML Diagrams
Class Repository
Class Repository
Merge Tool
UML model file
VDM Files
67
Toolbox API
Request
Result
68
Dynamic Link Facility
VDM Specification
Dynamic Link Module
External Code
Type Conversion Module
69
Japanese Support
70
Free Academic Site Licenses
  • For teaching purposes
  • For research purposes
  • So far more than 30 around the world
  • Fitzgerald & Larsen book translated to Japanese
  • A VDM book has been started
  • Hopefully more in Japan now!

71
Future VDMTools Extensions
  • Reverse engineering from Java
  • Real-time features
  • Proof support
  • Test case generation (ISPRAS)
  • Database reverse engineering (Sidereus)
  • No more EU projects
  • Directions will depend on customers

72
VDMTools Tutorial
  • IFAD Profile
  • Where does VDM fit in?
  • VDM Overview
  • Overview of VDMTools?
  • Demonstration overview

73
The Cash Dispenser Model
  • Model of a system of tills and a central
    resource.
  • Customers interact with tills by inserting a card
    and entering a PIN.
  • The central resource contains detailed records of
    customers' bank accounts.
  • Illegal cards are kept by the till.

74
A Cash Dispenser Example
Tills
Central Repository
75
Requirement Specification
There are many tills which can access a central
resource containing the detailed records of
customers' bank accounts. A till is used by
inserting a card and typing in a PIN (Personal
Identification Number), which is encoded by the
till and compared with a code stored on the
card. After successfully identifying themselves
to the system, customers may try to:
  1. view the balance of their accounts
  2. make a withdrawal of cash
  3. ask for a statement of their account to be sent by post.
Information on accounts is held in a central
database and may be unavailable. In that case 1)
above may not be possible. If the database is
available, any amount up to the total in the
account may be withdrawn, subject to a fixed daily
limit on withdrawals. This means that the amount
withdrawn within the day must be stored on the
card. Illegal cards are kept by the till.
76
Development Process
  • Analysis (using VDM-SL with API animation)
    • alternative to use cases
    • abstraction from multiple tills
  • Design (using Rose-VDM Link with systematic
    testing and API animation)
    • abstraction from possible failures of tills
  • Implementation (with concurrent VDM model and
    automatic Java code generation combined with user
    interface)

77
UML Class Diagram
(UML class diagram of the cash dispenser model. Classes shown: Clock, Till, CentralResource, Letterbox, Account, Card, Cardholder, Letter, Transaction. Attributes shown include date : Date, cardOk : bool := false, illegalCards : set of Card`CardId, numberOfTries : map Card`CardId to nat, maxNumberOfTries : nat := 3, dailyLimit : nat := 2000, balance : nat, transactions : seq of Transaction, code : Code, cardId : CardId, accountId : Account`AccountId, name, address. Association roles shown: -clock, -resource, -letterbox, -statements (ordered), -accounts, -curCard, -retainedCards, -cards, with multiplicities 0..* and 0..1. Operations shown include Create(), GetDate(), SetDate(), InsertCard(), Validate(), CardInside(), CardValidated(), ReturnCard(), GetBalance(), MakeWithdrawal(), RequestStatement(), IsLegalCard(), NumberOfTriesExceeded(), IncrNumberOfTries(), ResetNumberOfTries(), AddIllegalCard(), AddAccount(), Withdrawal(), PostStatement(), GetLastStatement(), Encode(), AddCard(), GetCardIds(), GetCode(), GetCardId(), GetAccountId(), MakeStatement(), ValidTransaction(), TransactionsInvariant(), DateTotal(), Sum(), GetName(), GetAddress().)
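The card-validation and daily-limit rules of the requirement specification, as an added Python example (not from the slides or the VDMTools distribution) that uses the class and member names from the diagram above: Till, CentralResource, Account, Card, numberOfTries, maxNumberOfTries := 3, dailyLimit := 2000, illegalCards, retainedCards. Assumptions of this rendering: Encode is a constructed placeholder (the slides do not give the model's encoding), days are plain "YYYY-MM-DD" strings, retainedCards holds card ids, and the daily total is computed from the account's transactions through DateTotal, following the diagram rather than the card-held total the requirement text mentions.

```python
# Added example (not from the slides): the cash dispenser's PIN-retry lockout and
# daily withdrawal limit rendered in Python with the diagram's class/member names.
import hashlib
from dataclasses import dataclass, field


def Encode(pin: str) -> str:
    # Constructed placeholder for the model's Encode: a one-way encoding so that
    # neither the till nor the card holds the raw PIN.
    return hashlib.sha256(pin.encode()).hexdigest()


@dataclass
class Card:
    cardId: int
    accountId: int
    code: str                      # Encode(pin), as stored on the card


@dataclass
class Account:
    balance: int
    dailyLimit: int = 2000
    transactions: list = field(default_factory=list)   # (day, amount) pairs

    def DateTotal(self, day: str) -> int:
        return sum(amount for d, amount in self.transactions if d == day)

    def Withdrawal(self, amount: int, day: str) -> bool:
        # pre amount <= balance and DateTotal(day) + amount <= dailyLimit
        if amount > self.balance or self.DateTotal(day) + amount > self.dailyLimit:
            return False
        self.balance -= amount
        self.transactions.append((day, amount))
        return True


class CentralResource:
    def __init__(self):
        self.accounts = {}          # map Account`AccountId to Account
        self.illegalCards = set()   # set of Card`CardId
        self.numberOfTries = {}     # map Card`CardId to nat
        self.maxNumberOfTries = 3

    def AddAccount(self, accountId: int, account: Account) -> None:
        self.accounts[accountId] = account

    def IsLegalCard(self, cardId: int) -> bool:
        return cardId not in self.illegalCards

    def IncrNumberOfTries(self, cardId: int) -> None:
        self.numberOfTries[cardId] = self.numberOfTries.get(cardId, 0) + 1

    def ResetNumberOfTries(self, cardId: int) -> None:
        self.numberOfTries[cardId] = 0

    def NumberOfTriesExceeded(self, cardId: int) -> bool:
        return self.numberOfTries.get(cardId, 0) >= self.maxNumberOfTries

    def AddIllegalCard(self, cardId: int) -> None:
        self.illegalCards.add(cardId)


class Till:
    def __init__(self, resource: CentralResource):
        self.resource = resource
        self.curCard = None
        self.cardOk = False
        self.retainedCards = set()  # ids of illegal cards kept by this till

    def InsertCard(self, card: Card) -> None:
        self.curCard, self.cardOk = card, False

    def _retain(self) -> None:
        # Illegal cards are kept by the till.
        self.retainedCards.add(self.curCard.cardId)
        self.curCard, self.cardOk = None, False

    def Validate(self, pin: str) -> str:
        """Returns 'ok', 'retry' or 'retained' (the card is kept by the till)."""
        card = self.curCard
        if card is None:
            raise ValueError("pre CardInside() violated")
        if not self.resource.IsLegalCard(card.cardId):
            self._retain()
            return "retained"
        if Encode(pin) == card.code:
            self.cardOk = True
            self.resource.ResetNumberOfTries(card.cardId)
            return "ok"
        self.resource.IncrNumberOfTries(card.cardId)
        if self.resource.NumberOfTriesExceeded(card.cardId):
            self.resource.AddIllegalCard(card.cardId)   # locked out at every till
            self._retain()
            return "retained"
        return "retry"

    def MakeWithdrawal(self, amount: int, day: str) -> bool:
        # pre CardValidated()
        if not self.cardOk:
            return False
        account = self.resource.accounts[self.curCard.accountId]
        return account.Withdrawal(amount, day)
```

Two design points worth noticing: the retry counter lives in CentralResource, so moving a card to another till does not reset it, and once a card is in illegalCards even the correct PIN no longer validates it, which is what makes maxNumberOfTries an effective bound.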