Systematic Software Development Using VDM, Second Edition

Abstract
operation is true of a retrieved state, the representation state must satisfy the pre-condition of the representation operation.

Theorem 8.6 For the first example in the preceding section, the sequent form of the domain obligation (8.4):

    ws ∈ Dicta, w ∈ Word ⊢ pre-CHECKWORD(w, retr-Dict(ws)) ⇒ pre-CHECKWORDa(w, ws)

is vacuously true because the operation on the representation is total.

Theorem 8.7 Noting that the pre-condition of the abstract operation is also true, the sequent form of the result obligation (8.5) becomes:

    ws ∈ Dicta, w ∈ Word, b ∈ B ⊢ post-CHECKWORDa(w, ws, b) ⇒ post-CHECKWORD(w, retr-Dict(ws), b)

which follows from:

    ws ∈ Word*, w ∈ Word, b ∈ B ⊢ (b ⇔ ∃i ∈ inds ws · ws(i) = w) ⇒ (b ⇔ w ∈ elems ws)

Thus, CHECKWORDa can be said to model CHECKWORD. Strictly, this statement is with respect to retr-Dict but, here again, the qualification can normally be omitted without confusion.

The ADDWORD operation changes the state and can be modelled by:

    ADDWORDa (w: Word)
    ext wr dict : Dicta
    pre  ¬∃i ∈ inds dict · dict(i) = w
    post dict = ↼dict ⌢ [w]

Theorem 8.8 Its domain rule becomes:

    ws ∈ Dicta, w ∈ Word ⊢ pre-ADDWORD(w, retr-Dict(ws)) ⇒ pre-ADDWORDa(w, ws)

This is proved in the first proof display below.

Theorem 8.9 It is often convenient to expand out the definitions. The result rule becomes:

    ↼ws, ws ∈ Dicta, w ∈ Word ⊢ w ∉ elems ↼ws ∧ ws = ↼ws ⌢ [w] ⇒ elems ws = elems ↼ws ∪ {w}

    from ws ∈ Word*, w ∈ Word
    1    from w ∉ elems ws
         infer ¬∃i ∈ inds ws · w = ws(i)                                  elems
    2    δ(w ∉ elems ws)                                                  ∈, h
    3    w ∉ elems ws ⇒ ¬∃i ∈ inds ws · w = ws(i)                         ⇒-I(2,1)
    infer pre-ADDWORD(w, retr-Dict(ws)) ⇒ pre-ADDWORDa(w, ws)
    Theorem 8.8: domain rule for ADDWORDa

    from ↼ws, ws ∈ Word*, w ∈ Word
    1    from ws = ↼ws ⌢ [w]
    1.1    elems ws = elems ↼ws ∪ elems [w]                               L7.6(h1)
           infer elems ws = elems ↼ws ∪ {w}                               elems
    2    δ(ws = ↼ws ⌢ [w])                                                ⌢, h
    infer ws = ↼ws ⌢ [w] ⇒ elems ws = elems ↼ws ∪ {w}                     ⇒-I(2,1)
    Theorem 8.9: result rule for ADDWORDa

which is, again, straightforward.
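The obligations (8.4) and (8.5) for CHECKWORDa and ADDWORDa can also be checked mechanically over a bounded state space before (or instead of) writing the proofs out by hand. The Python below is an added example and not part of the book's text: it models Dict as a set, Dicta as a tuple, retr-Dict as elems, and quantifies over every sequence of length at most three drawn from a constructed three-word vocabulary. The two alternative post-conditions post_addword_prepend and post_addword_noop are also my additions, included to show that the result obligation accepts any representation with the right elems and rejects one that leaves the state unchanged.

```python
"""Bounded check of the operation-modelling obligations for the sequence
representation Dicta of the abstract dictionary Dict (added example)."""
from itertools import product

# Constructed vocabulary; in the book a Word is a sequence of letters, but the
# obligations only compare words for equality so opaque tokens suffice.
WORDS = ("apple", "byte", "cipher")


def retr_dict(ws):
    """retr-Dict : Dicta -> Dict, i.e. elems ws."""
    return frozenset(ws)


# Abstract operations on Dict (a set of words).
def pre_checkword(w, d):
    return True


def post_checkword(w, d, b):
    return b == (w in d)


def pre_addword(w, d):
    return w not in d


def post_addword(w, d_old, d_new):
    return d_new == d_old | {w}


# Representation operations on Dicta (a sequence of words), as on the page.
def pre_checkword_a(w, ws):
    return True


def post_checkword_a(w, ws, b):
    return b == any(ws[i] == w for i in range(len(ws)))


def pre_addword_a(w, ws):
    return not any(ws[i] == w for i in range(len(ws)))


def post_addword_a(w, ws_old, ws_new):
    return ws_new == ws_old + (w,)


# Two alternative post-conditions (my additions) to show the check is not vacuous.
def post_addword_prepend(w, ws_old, ws_new):
    return ws_new == (w,) + ws_old


def post_addword_noop(w, ws_old, ws_new):
    return ws_new == ws_old


def states(max_len=3):
    """Every sequence over WORDS of length <= max_len: the finite search space."""
    for n in range(max_len + 1):
        yield from product(WORDS, repeat=n)


def domain_obligation(pre_abs, pre_rep):
    """Obligation (8.4): pre-OP(w, retr-Dict(ws)) => pre-OPa(w, ws)."""
    return all(not pre_abs(w, retr_dict(ws)) or pre_rep(w, ws)
               for ws in states() for w in WORDS)


def result_obligation_checkword():
    """Obligation (8.5) for the state-preserving CHECKWORD:
    post-CHECKWORDa(w, ws, b) => post-CHECKWORD(w, retr-Dict(ws), b)."""
    return all(not post_checkword_a(w, ws, b)
               or post_checkword(w, retr_dict(ws), b)
               for ws in states() for w in WORDS for b in (False, True))


def result_obligation_addword(post_rep=post_addword_a):
    """Obligation (8.5) for the state-changing ADDWORD, over old and new states:
    pre-ADDWORD(w, retr(old)) and post-OPa(w, old, new)
        => post-ADDWORD(w, retr(old), retr(new))."""
    return all(not (pre_addword(w, retr_dict(old)) and post_rep(w, old, new))
               or post_addword(w, retr_dict(old), retr_dict(new))
               for old in states() for new in states() for w in WORDS)
```

A bounded search is not a proof, but it is the cheap filter to run before investing in the sequent proofs: a representation that fails here cannot model the abstraction, and the failing (old, new, w) triple is the counter-example a prover would otherwise make you hunt for.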
Thus ADDWORDa models ADDWORD. If these are the only operations, the reification has been justified and attention can be turned to the next step of development. If defined, it is also necessary to show that the initial states correspond, with respect to the retrieve function. The proof is straightforward in this case and is shown explicitly only on examples where the initial states are less obvious.

In large applications of the rigorous approach, there are likely to be several stages of data reification: when the data objects have been refined to the level of the machine or language constructs, operation decomposition is carried out. In either case, the compositionality property of the development method requires that the next step of development relies only on the result (e.g. Dicta, etc.) of this stage of development and not on the original specification.

Modelling proofs for the other dictionary representation

The operations on the second dictionary representation are addressed in Exercise 8.2.1 below. The third dictionary representation given above is more interesting. In this case, the initial state is worth special consideration.

Theorem 8.10 The proof obligation for initial states is (with retr-Dict : Dictc → Dict):

    dictc0 ∈ Dictc ⊢ retr-Dict(dictc0) = dict0

This can be satisfied with:

    dictc0 = mk-Dictc(false, { })

The specification of CHECKWORDc must be written in terms of Dictc. A specification which used the retrieve function would make little real progress in design. To avoid such insipid steps of development, one could use a function:

    is-inc : Word × Dictc → B
    is-inc(w, mk-Dictc(eow, m)) ≜
        w = [ ] ∧ eow ∨ w ≠ [ ] ∧ hd w ∈ dom m ∧ is-inc(tl w, m(hd w))

Theorem 8.11 The modelling proof relies on the lemma:

    w ∈ Word, d ∈ Dictc ⊢ is-inc(w, d) ⇔ w ∈ retr-Dict(d)

This can be proved by structural induction. In fact, a theory of Dictc can be developed.
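That theory of Dictc can be exercised directly. The Python below is an added example, not the book's own code: it encodes mk-Dictc as a small record (an end-of-word flag plus a map from letter to sub-trie), is-inc exactly as defined above, and the insertion function insc that the text defines next, together with its Lemma 8.12. The retrieve function for Dictc is not reproduced on this page, so the structural definition used here (the empty word when eow holds, plus each letter of dom m prefixed to the words of its sub-trie) is an assumption, as is taking the abstract initial state dict0 to be the empty set. The lemma of Theorem 8.11, Lemma 8.12 and the initial-state obligation of Theorem 8.10 are then checked exhaustively over a constructed set of words and tries.

```python
"""Executable version of the Dictc (trie) theory: is-inc, insc, the retrieve
function and the lemmas behind Theorems 8.11 and 8.12 (added example)."""
from dataclasses import dataclass, field
from itertools import product


@dataclass
class Dictc:
    """mk-Dictc(eow, m): eow marks end-of-word, m maps a letter to a sub-trie."""
    eow: bool = False
    m: dict = field(default_factory=dict)


DICTC0 = Dictc(False, {})          # dictc0 = mk-Dictc(false, { }) from Theorem 8.10
DICT0 = frozenset()                # assumed abstract initial state: the empty set


def retr_dict(d):
    """retr-Dict : Dictc -> Dict. Assumed structural definition: the empty word
    if eow holds, plus every letter l in dom m prefixed to the words of m(l)."""
    words = {()} if d.eow else set()
    for letter, sub in d.m.items():
        words |= {(letter,) + w for w in retr_dict(sub)}
    return frozenset(words)


def is_inc(w, d):
    """is-inc(w, mk-Dictc(eow, m)) as in the text; w is a tuple of letters."""
    if w == ():
        return d.eow
    return w[0] in d.m and is_inc(w[1:], d.m[w[0]])


def insc(w, d):
    """insc(w, mk-Dictc(e, m)) as in the text. Map override (dagger) and the
    disjoint map union of the two else-branches are both written {**m, k: v};
    nothing is mutated, so sub-tries may be shared between old and new states."""
    if w == ():
        return Dictc(True, d.m)
    hd, tl = w[0], w[1:]
    if hd in d.m:
        return Dictc(d.eow, {**d.m, hd: insc(tl, d.m[hd])})
    return Dictc(d.eow, {**d.m, hd: insc(tl, Dictc(False, {}))})


# Constructed finite search space: words of length <= 2 over two letters, and
# tries built from at most two insertions of those words.
WORDS = [w for n in range(3) for w in product("ab", repeat=n)]
PROBES = WORDS + [("a", "a", "a"), ("c",)]   # includes words absent from every trie


def sample_tries():
    for n in range(3):
        for ws in product(WORDS, repeat=n):
            d = DICTC0
            for w in ws:
                d = insc(w, d)
            yield d


def check_initial_state():
    """Theorem 8.10: retr-Dict(dictc0) = dict0."""
    return retr_dict(DICTC0) == DICT0


def check_lemma_8_11():
    """is-inc(w, d) <=> w in retr-Dict(d), for every sampled w and d."""
    return all(is_inc(w, d) == (w in retr_dict(d))
               for d in sample_tries() for w in PROBES)


def check_lemma_8_12():
    """retr-Dict(insc(w, d)) = retr-Dict(d) union {w}."""
    return all(retr_dict(insc(w, d)) == retr_dict(d) | {w}
               for d in sample_tries() for w in PROBES)
```

Note what the probe set buys: a word that is a proper prefix of a stored word (("a",) against a trie holding only ("a", "b")) is exactly the case where a careless is-inc that ignored eow would pass the member test but fail the lemma, so the check includes it explicitly rather than relying on the inserted words alone.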
A function which inserts words is:

    insc : Word × Dictc → Dictc
    insc(w, mk-Dictc(e, m)) ≜
        if w = [ ]
        then mk-Dictc(true, m)
        else if hd w ∈ dom m
             then mk-Dictc(e, m † [hd w ↦ insc(tl w, m(hd w))])
             else mk-Dictc(e, m ∪ [hd w ↦ insc(tl w, mk-Dictc(false, { }))])

Lemma 8.12 The relevant lemma here is:

    L8.12    w ∈ Word; d ∈ Dictc
             retr-Dict(insc(w, d)) = retr-Dict(d) ∪ {w}

Buffer pools and non-determinism

In the spell-checking example, all of the operations are deterministic. The buffer pool example of Section 4.4 exhibits non-determinism. The abstract buffer pool is shown as: