Peter Gorm Larsen - PowerPoint PPT Presentation

1
VDMTools and Logic
  • Peter Gorm Larsen

2
Agenda
  • Overview of VDMTools Functionality
  • Demonstration of VDMTools and Rational Rose
  • Introduction to Logic

3
VDMTools Overview
4
Japanese Support via Unicode
5
Validation with VDMTools
[Diagram: VDM specs and test cases are fed to execution; the actual results are compared with the expected results]
6
Documentation in MS Word/RTF
One compound document
  • Documentation
  • Specification
  • Test coverage
  • Test coverage statistics

7
Architecture of the Rose VDM Link
[Diagram: Rational Rose 2000 (UML diagrams, class repository, UML model file) is linked to the VDM Toolbox (class repository, VDM files) through a merge tool]
8
Integrity checker
9
Reference Material
  • The VDM Language for VICE, CSK, 2005
  • The VDM User Manual, CSK, 2005
  • The VDM Installation Guide, CSK, 2005
  • Rational Rose Link Plug-in Installation and User
    Guide, CSK, 2005

10
Further Information
  • An Executable Subset of Meta-IV with Loose
    Specification, P.G. Larsen, P.B. Lassen, VDM '91
    Formal Software Development Methods, 1991
  • The IFAD VDM-SL Toolbox A Practical Approach to
    Formal Specifications, R. Elmstrøm, P.G. Larsen,
    P.B. Lassen, ACM Sigplan Notices, September 1994
  • Computer-aided Validation of Formal
    Specifications, P. Mukherjee, Software
    Engineering Journal, July 1995
  • Ten Years of Historical Development -
    Bootstrapping VDMTools, P.G. Larsen, Journal of
    Universal Computer Science, 2001

13
Logic
  • Our ability to state invariants, record
    pre-conditions and post-conditions, and the
    ability to reason about a formal model depend on
    the logic on which the modelling language is
    based.
  • Classical logical propositions and predicates
  • Connectives
  • Quantifiers

14
A temperature monitor example
[Figure: plot of Temperature (C) against Time (s)]
The monitor records the last five temperature
readings
15
A temperature monitor example
  • The following conditions are to be detected by
    the monitor:
  • Rising: the last reading in the sample is greater
    than the first
  • Over limit: there is a reading in the sample in
    excess of 400 C
  • Continually over limit: all the readings in the
    sample exceed 400 C
  • Safe: if readings do not exceed 400 C by the
    middle of the sample, the reactor is safe. If
    readings exceed 400 C by the middle of the
    sample, the reactor is still safe provided that
    the reading at the end of the sample is less than
    400 C.
  • Alarm: the alarm is to be raised if and only if
    the reactor is not safe

16
Predicates and Propositions
Predicates are simply logical expressions. The
simplest kind of logical predicate is a
proposition. A proposition is a logical assertion
about a particular value or values, usually
involving a Boolean operator to compare the
values, e.g. 3 < 27, 5 = 9
17
Predicates
A predicate is a logical expression that is not
specific to particular values but contains
variables which can stand for one of a range of
possible values, e.g. x < 27, (x+2)*x - 6 = 0
The truth or falsehood of a predicate depends
on the value taken by the variables.
18
Predicates in the monitor example
Monitor :: temps : seq of int
           alarm : bool
inv m == len m.temps = 5
Consider a monitor m. m.temps is a sequence, so we
can index into it:
First reading in m: m.temps(1)
Last reading in m: m.temps(5)
Predicate stating that the first reading in m is
strictly less than the last reading:
  m.temps(1) < m.temps(5)
The truth of the predicate depends on the value of m.
19
The rising condition
The last reading in the sample is greater than
the first.
Monitor :: temps : seq of int
           alarm : bool
inv m == len m.temps = 5
We can express the rising condition as a Boolean
function:
Rising : Monitor -> bool
Rising(m) == m.temps(1) < m.temps(5)
For any monitor m, the expression Rising(m)
evaluates to true iff the last reading in the
sample in m is higher than the first, e.g.
Rising(mk_Monitor([233,45,677,650,900], false))
Rising(mk_Monitor([23,45,67,50,20], false))
20
Logical Operators (Connectives)
  • We will examine the following logical operators:
  • Negation (NOT)
  • Conjunction (AND)
  • Disjunction (OR)
  • Implication (if ... then ...)
  • Biconditional (if and only if)
  • Truth tables can be used to show how these
    operators can combine propositions to compound
    propositions.

21
Negation
Negation allows us to state that the opposite of
some logical expression is true, e.g. "The
temperature in the monitor mon is not rising":
  not Rising(mon)
Truth table for negation
22
Disjunction
Disjunction allows us to express alternatives
that are not necessarily exclusive.
Over limit: there is a reading in the sample in
excess of 400 C
OverLimit : Monitor -> bool
OverLimit(m) == m.temps(1) > 400 or m.temps(2) > 400 or
                m.temps(3) > 400 or m.temps(4) > 400 or
                m.temps(5) > 400
23
Conjunction
Conjunction allows us to express the fact that
all of a collection of facts are true.
Continually over limit: all the readings in the
sample exceed 400 C
COverLimit : Monitor -> bool
COverLimit(m) == m.temps(1) > 400 and m.temps(2) > 400 and
                 m.temps(3) > 400 and m.temps(4) > 400 and
                 m.temps(5) > 400
24
Implication
Implication allows us to express facts which are
only true under certain conditions (if ... then
...).
Safe: if readings do not exceed 400 C by the
middle of the sample, the reactor is safe. If
readings exceed 400 C by the middle of the
sample, the reactor is still safe provided that
the reading at the end of the sample is less than
400 C.
Safe : Monitor -> bool
Safe(m) == m.temps(3) > 400 => m.temps(5) < 400
25
Biimplication
Biimplication allows us to express equivalence
(if and only if). Alarm: the alarm is to be
raised if and only if the reactor is not safe.
This can be recorded as an invariant property
(Safe takes the whole monitor, and the brackets are
needed because <=> binds more loosely than and):
Monitor :: temps : seq of int
           alarm : bool
inv m == len m.temps = 5 and (not Safe(m) <=> m.alarm)
26
Operator Precedence and Associativity
  • not has the highest precedence
  • Followed by and, or, => and <=>, in that order
  • => has right grouping, i.e.
  • A => B => C without brackets means
  • A => (B => C)
  • The other logical operators are associative, so
    right and left grouping are equivalent, i.e.
  • A and (B and C) is identical to (A and B) and C

27
Quantifiers
For large collections of values, using a variable
makes more sense than dealing with each case
separately. inds m.temps represents the indices
(1-5) of the sample. The over limit condition
can then be expressed more economically as
  exists i in set inds m.temps & m.temps(i) > 400
The continually over limit condition can then
be expressed using forall:
COverLimit : Monitor -> bool
COverLimit(m) == forall i in set inds m.temps & m.temps(i) > 400
28
Quantifiers
Syntax:
  forall binding & predicate
  exists binding & predicate
There are two types of binding:
  Type binding, e.g. x : nat, n : seq of char
  Set binding, e.g. i in set inds m, x in set {1,...,20}
A type binding lets the bound variable range over
a type (a possibly infinite collection of
values).
A set binding lets the bound variable range over
a finite set of values.
29
Universal quantification
  • Universal quantification is a generalised form of
    conjunction
  • For example, the statement "every natural number
    is greater than or equal to zero" is denoted by
  • ∀n : nat · n ≥ 0 (∀ is a turned-round A, for
    All, and written as forall in ASCII)
  • for all n drawn from the natural numbers,
  • n is greater than or equal to zero
  • This statement is equivalent to (and a lot more
    succinct than)
  • 0 ≥ 0 ∧ 1 ≥ 0 ∧ 2 ≥ 0 ∧ 3 ≥ 0 ∧ ...

30
Questions
  • Formulate the following statements using
    predicate logic
  • Everybody likes Danish pastry
  • Everybody either likes Danish pastry or is a
    vegetarian
  • Either everybody likes Danish pastry or everybody
    is a vegetarian
  • Are the last two statements equivalent?

31
Existential quantification
  • Existential quantification allows us to assert
    that a predicate holds for at least one value,
    but not necessarily all values, of a given set
  • For example, the statement "there is a natural
    number that is greater than or equal to zero" is
    denoted by
  • ∃n : nat · n ≥ 0 (∃ is a turned-round E, there
    Exists, and written as exists in ASCII)
  • there exists an n drawn from the natural
    numbers such that n is greater than or equal to
    zero
  • 0 ≥ 0 ∨ 1 ≥ 0 ∨ 2 ≥ 0 ∨ 3 ≥ 0 ∨ ...

32
Questions
  • Formulate the following statements using
    predicate logic
  • Somebody likes Danish pastry
  • There is somebody who either likes Danish pastry
    or is a vegetarian
  • Either somebody likes Danish pastry or somebody
    is a vegetarian
  • Are the last two statements equivalent?

33
Quantifiers
Several variables may be bound at once by a
single quantifier, e.g.
  forall x,y in set {1,...,5} &
    x <> y => not m.temps(x) = m.temps(y)
Would this predicate be true for the following
value of m.temps? [320, 220, 105, 119, 150]
34
Formulation Questions
All the readings in the sample are less than 400
and greater than 50. Each reading in the sample
is up to 10 greater than its predecessor. There
are two distinct readings in the sample which are
over 400.
  forall i in set inds m.temps &
    m.temps(i) < 400 and m.temps(i) > 50
  forall i in set inds m.temps \ {1} &
    m.temps(i 1) > m.temps(i) 10
  exists i,j in set inds m.temps &
    i <> j and m.temps(i) > 400 and m.temps(j) > 400
35
Combination of quantifiers
  • Assume we have a predicate with two free
    variables P(x,y) where x : X and y : Y
  • Then quantifiers can be combined:
  • ∀y : Y · ∃x : X · P(x,y) or
  • ∃y : Y · ∀x : X · P(x,y)
  • Would these be equal if X, Y are int and P is
    x > y?
  • However, if the same quantifier was used in both
    places the expressions would be equivalent:
  • ∀y : Y · ∀x : X · P(x,y) ⇔ ∀x : X · ∀y : Y ·
    P(x,y)
  • ∃y : Y · ∃x : X · P(x,y) ⇔ ∃x : X · ∃y : Y ·
    P(x,y)

36
Quantifiers
Suppose we have to formalise the following
property: there is a single minimum in the
sequence of readings, i.e. there is a reading
which is strictly smaller than any of the other
readings.
  exists i in set inds m.temps &
    forall j in set inds m.temps &
      i <> j => m.temps(i) < m.temps(j)
Suppose the order of the quantifiers is reversed.
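The monitor predicates from slides 19 to 27 and the single-minimum property above, as an added Python example that is not part of the lecture: it executes each VDM-SL definition, shows why the alarm invariant needs its brackets under the stated precedence rules, and shows what happens to the single-minimum property when the quantifiers are reversed. The Monitor record, the 400 C limit and the VDM definitions are the slides'; the Python helper names are my own.

```python
# Added example, not from the slides: the lecture's Monitor predicates as
# Python; VDM-SL index i (1..5) is Python index i-1. Helper names are mine.
from dataclasses import dataclass
from typing import Sequence

LIMIT = 400  # degrees C, the threshold used on the slides

@dataclass(frozen=True)
class Monitor:
    temps: Sequence[int]  # the last five readings, oldest first
    alarm: bool

def implies(a, b):  # a => b, i.e. not a or b
    return (not a) or b

def rising(m):  # Rising(m) == m.temps(1) < m.temps(5)
    return m.temps[0] < m.temps[4]

def over_limit(m):  # exists i in set inds m.temps & m.temps(i) > 400
    return any(t > LIMIT for t in m.temps)

def c_over_limit(m):  # forall i in set inds m.temps & m.temps(i) > 400
    return all(t > LIMIT for t in m.temps)

def safe(m):  # Safe(m) == m.temps(3) > 400 => m.temps(5) < 400
    return implies(m.temps[2] > LIMIT, m.temps[4] < LIMIT)

def inv_monitor(m):  # inv m == len m.temps = 5 and (not Safe(m) <=> m.alarm)
    return len(m.temps) == 5 and ((not safe(m)) == m.alarm)

def inv_without_brackets(m):
    # The same invariant read with the slides' precedence rules, where <=>
    # binds loosest: (len m.temps = 5 and not Safe(m)) <=> m.alarm.
    # It wrongly accepts a wrong-length monitor whose alarm is off.
    return (len(m.temps) == 5 and not safe(m)) == m.alarm

def single_minimum(m):
    # exists i in set inds m.temps & forall j in set inds m.temps &
    #   i <> j => m.temps(i) < m.temps(j)
    ix = range(len(m.temps))
    return any(all(implies(i != j, m.temps[i] < m.temps[j]) for j in ix)
               for i in ix)

def single_minimum_reversed(m):
    # Quantifier order swapped: forall j & exists i & i <> j => ...
    # Picking i = j makes the implication vacuously true, so this holds
    # for every sequence and no longer says anything about a minimum.
    ix = range(len(m.temps))
    return all(any(implies(i != j, m.temps[i] < m.temps[j]) for i in ix)
               for j in ix)
```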
37
Questions
  • Translate the following into English:
  • ∀x : Elephant · grey(x)
  • ∀x : ANIMAL · elephant(x) ⇒ grey(x)
  • ∀x : ANIMAL · bird(x) ∧ has-wings(x) ⇒ ¬flies(x)
  • Represent the following using predicate logic
    formulae:
  • Joanne is a teacher, she teaches AI, and likes
    chocolate.
  • Some teachers do not like chocolate

38
Summary
  • What have I presented today?
  • Introduction to VDMTools
  • Demonstration of VDMTools and Rose
  • Introduction to Logic
  • What do you need to do now?
  • Read chapter 4 and 5 of the book for next week
  • Start playing with the combination of VDMTools
    and Rose
  • Read existing material about the selected project
  • Formulate a new requirements definition for the
    project
  • Decide upon the purpose of the model to develop
  • Prepare presentation about this for the rest of us

39
Quote of the day
  • The successful construction of all machinery
    depends on the perfection of the tools employed,
    and whoever is the master in the art of
    tool-making possesses the key to the construction
    of all machines.
  • Charles Babbage, 1851