Peter Gorm Larsen - PowerPoint PPT Presentation

1
Model Quality
  • Peter Gorm Larsen

2
Agenda
  • Introduction
  • Internal Consistency
  • External Consistency

3
Introduction
  • What is now the value of the models you have produced?
  • How do we assess the quality of a model?
  • Internal consistency
      • Does the model describe something?
      • Syntax, type checking and proof obligations
      • No potential run-time errors
  • External consistency
      • Does the model describe the right thing?
      • Validation with domain expert
      • Does the model have desirable properties?

4
Agenda
  • Introduction
  • Internal Consistency
  • External Consistency

5
POP3: Protection of Partial Operators

    class POP3Server
    ...
    instance variables
      maildrop : MailDrop;
    ...
    types
      public MailDrop = map POP3Types`UserName to MailBox;
      public MailBox ::
        msgs   : seq of POP3Message
        locked : bool;
    operations
      GetUserMessages: POP3Types`UserName ==> seq of POP3Message
      GetUserMessages(user) ==
        return GetUserMail(user).msgs
      pre UserKnown(user);

6
Booking of Flights: Invariant Preservation

    class Trip
    types
      Flight :: departure   : seq of char
                destination : seq of char;
    instance variables
      journey : seq of Flight;
      inv forall i in set {1,...,len journey - 1} &
            journey(i).destination = journey(i+1).departure;
    operations
      AddFlight: Flight ==> ()
      AddFlight(f) ==
        journey := journey ^ [f]
      pre journey <> [] =>
          journey(len journey).destination = f.departure;

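
The pre-condition and invariant of the Trip model above, rendered as run-time checks in Java. This is an added example, not part of the original slides; the class name TripCheck and the sample airport codes are assumptions. It shows the three cases the proof obligations cover: an empty journey (where the guard protects the partial indexing), a connecting flight, and a non-connecting flight.

```java
import java.util.ArrayList;
import java.util.List;

// Added illustration (not from the slides): Trip with pre and inv checked at run time.
public class TripCheck {
    record Flight(String departure, String destination) {}

    private final List<Flight> journey = new ArrayList<>();

    // inv: every flight departs from where the previous one arrived.
    private boolean inv() {
        for (int i = 0; i + 1 < journey.size(); i++)
            if (!journey.get(i).destination().equals(journey.get(i + 1).departure()))
                return false;
        return true;
    }

    // pre: journey <> [] => journey(len journey).destination = f.departure
    // The isEmpty() guard protects the partial operation "index the last element".
    private boolean preAddFlight(Flight f) {
        return journey.isEmpty()
            || journey.get(journey.size() - 1).destination().equals(f.departure());
    }

    public void addFlight(Flight f) {
        if (!preAddFlight(f))
            throw new IllegalArgumentException("pre AddFlight violated: " + f);
        journey.add(f);
        // Invariant preservation: given pre and inv before, inv must hold again here.
        if (!inv())
            throw new IllegalStateException("inv violated after AddFlight");
    }

    public static void main(String[] args) {
        TripCheck trip = new TripCheck();
        trip.addFlight(new Flight("AAR", "CPH"));     // empty journey: guard makes pre true
        trip.addFlight(new Flight("CPH", "LHR"));     // connects to the last flight: accepted
        try {
            trip.addFlight(new Flight("CDG", "JFK")); // does not connect: rejected by pre
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
        System.out.println("journey length: " + trip.journey.size());
    }
}
```
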
7
Robot Routes: Satisfiability 1

    class Route
    instance variables
      points : set of Point;
      inv forall p1, p2 in set points &
            p1.GetCoord() = p2.GetCoord() => p1 = p2
          and
          forall p in set points &
            p.GetIndex() <> card points =>
            GetNext(p).GetCoord() in set
              {n.GetCoord() | n in set p.Neighbour()};
    end Route

8
Robot Routes: Satisfiability 2

    class Route
    functions
      static
      public AvoidanceRoutes(
        obstacles       : set of (nat * nat),
        currentPosition : Point,
        nextWaypoint    : Point) routes : set of Route
      post forall r in set routes &
             r.GetFirst().GetCoord() = currentPosition.GetCoord() and
             r.GetLast().GetCoord() = nextWaypoint.GetCoord() and
             r.GetCoords() inter obstacles = {};
    end Route

9
Robot Routes: Satisfiability 3
  • For implicit definitions there must exist at least one potential
    result for each input satisfying the pre-condition
  • Proof Obligation (or integrity constraint):

    forall obstacles       : set of (nat * nat),
           currentPosition : Point,
           nextWaypoint    : Point &
      exists routes : set of Route &
        post-AvoidanceRoutes(obstacles, currentPosition,
                             nextWaypoint, routes)

  • Can in principle be proved formally

10
Agenda
  • Introduction
  • Internal Consistency
  • External Consistency

11
Dialogue with Domain Experts
  • Typically domain experts know little about IT
  • Understanding their intended usage may be a
    challenge
  • Creating a model will create further questions to
    experts
  • The model should seldom be shown directly
  • Scenarios to be used for test purposes can
    typically be discussed
  • A CORBA-based API can be used to demonstrate
    ideas to domain experts/end users

12
Syntax, type check and Execute using API
  • Example model to use:

    class A
    operations
      public op: int ==> int
      op(n) ==
        return n + 1
      pre n > 0
    end A

13
The CORBA API for VDMTools
  • The class ToolboxClient shall be used
  • It includes the getVDMApplication method
  • The result must be cast to VDMApplication
  • In Java this would look like:

    ToolboxClient toolboxClient = new ToolboxClient();
    org.omg.CORBA.Object obj =
        toolboxClient.getVDMApplication(
            new String[]{},
            ToolType.PP_TOOLBOX);
    app = VDMApplicationHelper.narrow(obj);

  • Additional initialization:

    client = app.Register();
    app.PushTag(client);
14
Interacting with the API: Syntax and Type Checking

    VDMProject prj = app.GetProject();
    prj.New();
    String path = "/local/vdmbook/validation";
    String[] modelFiles = {"A.vpp"};
    VDMParser parser = app.GetParser();
    for (int i = 0; i < modelFiles.length; i++) {
        String filename = path + "/" + modelFiles[i];
        prj.AddFile(filename);
        parser.Parse(filename);
    }

    private void typeCheck() throws APIError {
        ModuleListHolder moduleList = new ModuleListHolder();
        app.GetProject().GetModules(moduleList);
        app.GetTypeChecker().TypeCheckList(moduleList.value);
    }

15
Interacting with the API: Execution

    VDMInterpreter interp = app.GetInterpreter();
    interp.Initialize();
    interp.EvalCmd("create a := new A()");
    try {
        VDMFactory fact = app.GetVDMFactory();
        VDMSequence args = fact.MkSequence(client);
        VDMNumeric intValue = fact.MkNumeric(client, 5);
        args.ImpAppend(intValue);
        VDMGeneric result =
            interp.Apply(client, "a.op", args);
        System.out.println("Result is " + result.ToAscii());
    } catch (APIError e) {
        System.err.println("Unable to validate model");
    }

16
Validating POP3 using the API

17
Class Diagram for API GUI Layer

18
Interacting with One Client
  • Pop3APILayer defines a number of fields:
      • VDMApplication app: a CORBA reference to the running VDMTools
        instance.
      • VDMInterpreter interp: a CORBA reference to the interpreter in
        the instance of VDMTools to which app refers.
      • short client: the identifier number allocated by VDMTools to
        this client.
      • JTextArea logArea: a reference to a Java Swing text area
        object, used to show the dialogue between the client and
        VDMTools.
      • String channel: the name of the channel that will be used
        within the interpreter for communication with the server.

19
Initializing the Interpreter
    private void initInterpreter() throws APIError {
        // Ensure echoing in interpreter
        interp.Verbose(true);
        // Enable precondition checking during execution
        interp.DynPreCheck(true);
        interp.Initialize();
        EvalCmd("create ch := new MessageChannelBuffer()");
        EvalCmd("create pt := new POP3Test()");
        EvalCmd("create server := " +
                "new POP3Server(pt.MakeMailDrop(), " +
                "ch,pt.MakePasswordMap())");
        EvalCmd("debug pt.StartServer(server)");
    }

20
Interaction between Client and Server
    public boolean openServerConnection(String username, String password,
                                        StringBuffer response) {
        try {
            EvalCmd("create " + channel + " := new MessageChannel()");
            EvalCmd("debug ch.Put(" + channel + ")");
            boolean status = executeCommand("USER",
                                 new String[]{"\"" + username + "\""},
                                 response);
            if (!status)
                return false;
            status = executeCommand("PASS",
                         new String[]{"\"" + password + "\""},
                         response);
            return status;
        } catch (Exception e) {
            e.printStackTrace(System.err);
            return false;
        }
    }

21
Executing Commands
    private boolean executeCommand(String title,
                                   String[] args,
                                   StringBuffer response) {
        String command = makeCommand(title, args);
        try {
            VDMRecord responseObj = sendCommandResponse(command);
            boolean status = checkResponse(responseObj);
            response.append(responseObj.GetField(1).ToAscii());
            return status;
        } catch (Exception e) {
            System.err.println("executeCommand " + e.toString());
            return false;
        }
    }

22
Constructing a Command Record
    private String makeCommand(String cmd, String[] args) {
        StringBuffer command = new StringBuffer();
        command.append("mk_POP3Types`");
        command.append(cmd);
        command.append("(");
        for (int index = 0; index < args.length; index++) {
            command.append(args[index]);
            if (index != args.length - 1)
                command.append(",");
        }
        command.append(")");
        return command.toString();
    }

23
Send Command Responses
    private VDMRecord sendCommandResponse(String command) {
        VDMRecord responseRecord = null;
        try {
            EvalCmd("debug " + channel + ".ClientSend(" +
                    command + ")");
            VDMFactory fact = app.GetVDMFactory();
            VDMSequence args = fact.MkSequence(client);
            VDMGeneric response = interp.Apply(client,
                                      channel + ".ClientListen",
                                      args);
            responseRecord = VDMRecordHelper.narrow(response);
        } catch (APIError e) {
            System.out.println("sendCommandResponse " +
                               e.msg.toString());
        }
        return responseRecord;
    }

24
Checking Responses
    private boolean checkResponse(VDMRecord response) {
        try {
            Log("response is " + response.ToAscii());
            return response.GetTag().equals(
                       "POP3Types`OkResponse");
        } catch (APIError e) {
            System.err.println(e.toString());
            return false;
        }
    }

25
Interacting with Multiple Clients
  • Two challenges:
      1. The objects created by a client for a single POP3 session
         need to be unique for that client; otherwise it would be
         possible for one client to interfere with another client's
         session.
      2. Only the very first client that registers with the tool set
         should load the specification and initialise the interpreter;
         otherwise a client's session could be prematurely terminated
         by another client reinitializing the interpreter in the
         middle of that session.
  • 1 can be solved by:

    channel = "mc" + String.valueOf(client);

26
Updating the Pop3ApiLayer Constructor
    public Pop3ApiLayer(JTextArea logArea) {
        try {
            this.logArea = logArea;
            ToolboxClient toolboxClient = new ToolboxClient();
            app = toolboxClient.
                      getVDMApplication(new String[]{},
                                        ToolType.PP_TOOLBOX);
            client = app.Register();
            channel = "mc" + String.valueOf(client);
            app.PushTag(client);
            interp = app.GetInterpreter();
            if (!isInitialized()) {
                loadSpecification();
                typeCheck();
                initInterpreter();
            }
        } catch (Exception e) {
            // (handler not shown on the slide)
        }
    }

27
isInitialized Definition
    private boolean isInitialized() throws APIError {
        VDMProject prj = app.GetProject();
        ModuleListHolder moduleList = new ModuleListHolder();
        prj.GetModules(moduleList);
        return moduleList.value.length != 0;
    }

28
Summary
  • What have I presented today?
      • Assessing model quality
      • Internal consistency
      • External consistency
  • What do you need to do now?
      • Read chapter 13
      • Complete your project
      • Assess the model's consistency
      • If you know CORBA already you may use the API on your project
      • Present your status to all of us

29
Quote of the day
"Formal specifications may become for software engineers what, say,
differential equations are for engineers of other fields"
Bertrand Meyer