An introduction to specification in VDM-SL

At the end of this lecture you should be able to:

write a formal specification of a system in VDM-SL;

correlate the components of a UML class diagram with those

of a VDM specification;

declare constants and specify functions to enhance the

specification;

explain the use of a state invariant to place a global constraint

on the system;

explain the purpose of the nil value in VDM.

The Incubator case study

The temperature of the incubator needs to be carefully controlled
and monitored;
Initially we will specify the software needed to monitor the
incubator temperature;
Later we will specify the software needed to monitor and control
the incubator temperature.
Safety requirements :

-10 Celsius

TEMPERATURE

+10 Celsius

The UML specification

IncubatorMonitor
temp : Integer
increment()
decrement()
getTemp() : Integer

Specifying the state in VDM-SL

in VDM-SL the state refers to the permanent data that must
be stored by the system, and which can be accessed by
means of operations;
It corresponds to the attributes in the class diagram;
The state is specified by declaring variables, in a similar
manner a programming language and UML.
Each variables is given a name, and a VDM-SL type.

The intrinsic types available in VDM-SL

:

natural numbers (positive whole numbers)

1 :

natural numbers excluding zero

integers (positive and negative whole numbers)

real numbers (positive and negative numbers

that can include a fractional part)

boolean values (true or false)

Char : the set of alphanumeric characters

Specifying the state of the Incubator Monitor System

UML

VDM-SL

IncubatorMonitor

state IncubatorMonitor of
temp :

temp : Integer
increment()
decrement()
getTemp() : Integer

end

Specifying the operations in VDM-SL

IncubatorMonitor
temp : Integer
increment()
decrement()
getTemp() : Integer

Each operation specified in

VDM-SL as follows:
the operation header
the external clause
the precondition
the postcondition

The increment operation

increment()
wr
? :
? temp
< 10
pre temp
?
ext

temp => temp

post temp
?
temp + 1

temp + 1 = temp
temp - temp = 1

The decrement operation

decrement()
wr
? :
? temp
> -10
pre temp
?
ext

temp = temp - 1
post ?

The getTemp operation

getTemp() currentTemp :
ext

rd
?

temp :

pre

TRUE
?

= temp
post currentTemp
?

Declaring constants
It is possible in VDM-SL to specify constants;
It is done by using the keyword values;
The declaration would come immediately before the state definition:
values
MAX : = 10
MIN : = -10
decrement()
ext

wr

temp :

pre

MIN
temp > -10

post

temp =

temp

-1

Specifying functions
A function is a set of assignments from one set to another;
The function receives an input value (or values) and maps this
to an output value according to some rule;

46

79

hasPassed

FALSE
TRUE

50

There are two ways in which we can specify a function in VDM-SL

Specifying a function explicitly

The style of this specification is algorithmic;
We explicitly define the method of transforming the inputs to the output.
Example

add:
add(x, y) x + y
signature

definition

Specifying a function implicitly

We use a pre- and postcondition in the same way as we
described for operations;
A function, however, does not access the state variables.

add( x : , y : ) z :
pre ?TRUE
z=x+y
post ?

An absolute function defined implicitly

abs(z : ) r :
pre TRUE
?
post z<0
? r = -z z 0 r = z

An absolute function defined explicitly

abs:
abs(z) if z < 0
then -z
else z

Recursive functions
Some functions can be neatly specified by a recursive definition,
whereby the function calls itself.
Example
a factorial function:

factorial:
factorial(n) if n = 0
then 1
else n x factorial(n - 1)

State invariants
Before we specified local constraint with preconditions.
We can also specify a global constraint.
In VDM-SL we incorporate such a restriction into the specification
with a function called a state invariant;
The invariant definition uses the keyword inv.
Its signature will be:
inv : State

Adding a state invariant into

the IncubatorMonitor system

-10 Celsius

TEMPERATURE

+10 Celsius

inv mk-IncubatorMonitor(t) MIN t MAX

Specifying an initialization function

An initialization function is given the name init;
We will assume that when the incubator is turned on, its
temperature is adjusted until a steady 5 degrees Celsius is
obtained.

init mk-IncubatorMonitor(t) t = 5

The modified state specification

values
MAX : = 10
MIN : = -10
state IncubatorMonitor of
temp :
inv mk-IncubatorMonitor(t) MIN t MAX
init mk-IncubatorMonitor(t) t = 5
end

Improving the Incubator System

IncubatorController
requestedTemp : Integer
actualTemp : Integer
setIInitialTemp(Integer)
requestChange(Integer) : Signal
increment() : Signal
decrement() : Signal
getRequestedTemp() : Integer
getActualTemp() : Integer

Enumerated types
The signal sent to the hardware could be one of 3 possible values:
1.

an instruction to the hardware to increase the temperature;

2.

an instruction to the hardware to decrease the

temperature;

3.

an instruction to the hardware to do nothing.

A type that consists of a number of named values is often referred

to as an enumerated type;

Enumerated types in UML

A standard method of marking a UML class as an
enumerated type is to add <<enumeration>> above the
type name:
<<enumeration>>
Signal
INCREASE
DECREASE
DO_NOTHING

Enumerated types in VDM-SL

In VDM-SL the types clause is the appropriate place to define
new types.

types
Signal = <INCREASE>|< DECREASE>|< DO_NOTHING>
values
..
state
..
end

The nil value

It is common in the programming world for a value to be undefined;
VDM-SL allows for this concept by including the possibility of a term
or expression having the value nil, meaning that it is undefined;
We do that by placing square brackets around the type name:
[] natural numbers or nil
[]

integers or nil.

When the incubator system first comes into being, the actual and
requested values will be undefined, and must therefore be set to nil;

Specifying the IncubatorController

state
IncubatorController
requestedTemp : Integer
actualTemp : Integer
setIInitialTemp(Integer)
requestChange(Integer) : Signal
increment() : Signal
decrement() : Signal
getRequestedTemp() : Integer
getActualTemp() : Integer

state IncubatorController of
requestedTemp : []
actualTemp : []

The invariant
The actual temperature must not be allowed to go outside the
range of -10 to +10 degrees;
However we need now to allow for the possibility that it could be
equal to the nil value;
The same is true for the requested temperature.

inv mk-IncubatorController (r, a)

(MIN r MAX r = nil)

(MIN a MAX a = nil)

Improving the readability of the

spec by using a function
inRange( val : ) result :
pre TRUE
post result MIN val MAX

inv mk-IncubatorController (r, a)

(inRange(r) r = nil) (inRange(a) a = nil)

The initialisation function

init mk-IncubatorController (r, a)

r = nil a = nil

Specifying the setInitialTemp operation

setInitialTemp( tempIn : )
ext

wr actualTemp : []

pre

inRange(tempIn) actualTemp = nil

post actualTemp = tempIn

The requestChange operation

requestChange( tempIn : ) signalOut : Signal
ext

wr requestedTemp : []
rd

actualTemp : []

pre

inRange(tempIn) actualTemp nil

post

requestedTemp = tempIn
( tempIn > actualTemp signalOut = <INCREASE>

tempIn < actualTemp signalOut = <DECREASE>

tempIn = actualTemp signalOut = <DO_NOTHING> )

actualTemp

The increment operation

increment () signalOut : Signal
ext

pre

rd

requestedTemp : []

wr

actualTemp : []

actualTemp < requestedTemp

actualTemp nil requestedTemp nil

post

( actualTemp < requestedTemp signalOut = <INCREASE>

actualTemp = requestedTemp signalOut = <DO_NOTHING> )

actualTemp = actualTemp + 1

The getRequestedTemp operation

getRequestedTemp() currentRequested : []
ext

rd

requestedTemp : []

pre

TRUE

post

currentRequested = requestedTemp

The getActualTemp operation

getActualTemp() currentActual : []
ext

rd

actualTemp : []

pre

TRUE

post

currentActual = actualTemp

A standard template for VDM-SL specifications

types
SomeType = ..
values
constantName : ConstantType = someValue
state SystemName of
attribute1 : Type
:
attributen : Type
inv mk-SystemName(i1:Type, ..., in:Type) Expression(i1, ..., in)
init mk-SystemName(i1:Type, ..., in:Type) Expression(i1, ..., in)
end
functions
specification of functions .....
operations
specification of operations .....