1 Basic elements of a formal model Having explored the logic of VDM-SL, we go on to introduce the main data types and operators of the language. Recall that a formal model is formed from type definitions and function definitions. The representation of data is therefore crucial to developing a useful formal model. Defining types and operators: total and partial operators The Traffic light control kernel: Quote types Type union Composite types Token types

2 Defining a type To define a type we need: a type symbol a way of writing values operators to manipulate values For each operator, we give a signature, e.g. + : nat * nat -> nat

3 Defining a typePartial Operators An operator op : T1 *... * Tn -> R is said to be total if, for any a1:T1,... an:Tn, the expression op(a1,..., an) is defined. If there exists some b1:T1,...,bn:Tn for which op(b1,...,bn) is undefined, op is said to be a partial operator. We avoid applying partial operators to values on which they are undefined!

4 Basic Types Type Symbol nat nat1 int real char bool token quote Values Natural numbers nat excluding 0 Integers Real Numbers Characters Booleans Structureless tokens Named quote values Example Values 0, 1, 2, … 1, 2, 3, … …,-1,0,1,2,… ‘g’, true, false Not applicable, Operators +,-,*,/,… =, <> and, or, … =, <>

5 Type Constructors | Union types [_] Optional types :: Record types set of _ Finite sets seq of _ Finite sequences map _to _ Finite mappings Examples:

6 Traffic light controller kernel

7 Traffic light controller kernel Safety Requirements S1: If two paths conflict, then it must always be the case that the light on one of the conflicting paths is red. S2: There must be a delay of at least 5 seconds between a light turning red and the light in the conflicting direction turning green. S3: There must be a delay of at least 5 seconds between a light turning amber and the light turning red. Red Amber Green

8 Traffic light controller kernel Union & Quote Types Light = is a type containing one value, also called (a quote type). Thus: : Light : We can only compare quote literals by equality/inequality: x,y : Light x = y x <> y | |

9 Traffic light controller kernel Numeric Types Time = Is there an invariant on the time? real

10 Traffic light controller kernel Numeric Types Time = Is there an invariant on the time? real Time = real inv t == t > 0

11 Traffic light controller kernel Token Type Path = The token type is used when we do not need the details of the representation of a particular type. Values of token types may be compared only by = and <>. token

12 Traffic light controller kernel Token Type Constants are called values in VDM-SL: values p1 : Path = mk_token(“A1North”) p2 : Path = mk_token(“A1South”) p3 : Path = mk_token(“A66East”) p4 : Path = mk_token(“A66West”) Note that we can represent token values by using the “ mk_token ” constructor and an arbitrary value between the parentheses. Strictly speaking, this is an extension to the ISO Standard VDM-SL, which states that values of the type token can not be inspected or constructed.

13 Traffic light controller kernel Record Types Conflict :: path1 : Path path2 : Path Constructor mk_Conflit e.g. mk_Conflit(mk_token(“A1North”), mk_token(“A2”)) Selectors e.g. c.path1 c.path2 Invariant: A path is not in conflict with itself.

14 Traffic light controller kernel Record Types Conflict :: path1 : Path path2 : Path Invariant: A path is not in conflict with itself. inv c == c.path1 <> c.path2 Or inv mk_Conflict(p1,p2) == p1 <> p2

15 Traffic light controller kernel Record Types Kernel :: lights : conflicts : Example values: conflicts: set of Conflict = { mk_Conflict(p1,p3), mk_Conflict(p1,p4), mk_Conflict(p2,p3), mk_Conflict(p2,p4), mk_Conflict(p3,p1), mk_Conflict(p4,p1), mk_Conflict(p3,p2), mk_Conflict(p4,p2)}

16 Traffic light controller kernel Record Types An example value for the lights component of a Kernel : lights : map Path to Light = { p1 |->, p2 |->, p3 |->, p4 |-> }

17 Traffic light controller kernel Record Types An invariant on Kernel : Kernel :: lights : map Path to Light conflicts : set of Conflict inv mk_Kernel(ls,cs) == --The conflicting paths must have lights -- One of the paths in each conflict must have a red light -- The set of conflicts is symmetric

18 Traffic light controller kernel Record Types An invariant on Kernel : Kernel :: lights : map Path to Light conflicts : set of Conflict inv mk_Kernel(ls,cs) == --The conflicting paths must have lights forall c in set cs & c.path1 in set dom ls and c.path2 in set dom ls -- One of the paths in each conflict must have a red light forall c in set cs & ls(c.path1) = or ls(c.path2) = -- The set of conflicts is symmetric forall c in set cs & mk_Conflit(c.path2,c.path1) is in set cs

19 Traffic light controller kernel Functions f: T1 *... * Tn -> R f(a1,…,an) == expression defining result pre logical (Boolean) expression of assumptions ToGreen: Path * Kernel -> Kernel ToGreen(p, mk_Kernel(lights,conflicts)) == The functions for the other colours are similar. But are there any preconditions?

20 Traffic light controller kernel Functions ToGreen: Path * Kernel -> Kernel ToGreen(p, mk_Kernel(lights,conflicts)) == mk_Kernel( lights ++ { p |-> }, conflicts) pre -- p has a light! p in set dom lights -- p’s light is red! lights(p) = -- all paths conflicting with p have red lights forall con in set conflicts & p = con.path1 => lights(con.path2) =

21 Traffic light controller kernel Functions ToRed: Path * Kernel -> Kernel ToRed(p, mk_Kernel(lights,conflicts)) == mk_Kernel( lights ++ { p |-> }, conflicts) pre p in set dom lights and lights(p) = ToAmber: Path * Kernel -> Kernel ToAmber(p, mk_Kernel(lights,conflicts)) == mk_Kernel( lights ++ { p |-> }, conflicts) pre p in set dom lights and lights(p) =

22 Traffic light controller kernel Adding time Kernel :: lights : map Path to Light conflicts : set of Conflict lastch : map Path to Time inv mk_Kernel(ls,cs,lc) == dom ls = dom lc and forall c in set cs & mk_Conflict(c.path2, c.path1) in set cs and c.path1 in set dom ls and c.path2 in set dom ls and (ls(c.path1) = or ls(c.path2) = )

23 Traffic light controller kernel Adding time ToGreen: Path * Kernel * Time -> Kernel ToGreen(p, mk_Kernel(lights,conflicts,lastch),clock) == mk_Kernel( lights ++ { p |-> }, conflicts, lastch ++ { p |-> clock}) pre p in set dom lights and lights(p) = and forall con in set conflicts & p = con.path1 => ( lights(con.path2) = and clock-lastch(con.path2) >= 5 )

24 Traffic light controller kernel Adding time ToRed: Path * Kernel * Time -> Kernel ToRed(p, mk_Kernel(lights,conflicts,lastch),clock) == mk_Kernel( lights ++ { p |-> }, conflicts, lastch ++ { p |-> clock}) pre p in set dom lights and lights(p) = and clock-lastch(p) >= 5

25 Traffic light controller kernel Adding time ToAmber: Path * Kernel * Time -> Kernel ToAmber(p, mk_Kernel(lights,conflicts,lastch),clock) == mk_Kernel( lights ++ { p |-> }, conflicts, lastch ++ { p |-> clock}) pre p in set dom lights and lights(p) =

26 Traffic light controller kernel Review Requirements S1: If two paths conflict, then it must always be the case that the light on one of the conflicting paths is red. * Considered in the invariant of type Kernel S2: There must be a delay of at least 5 seconds between a light turning red and the light in the conflicting direction turning green. * Considered in precondition of function ToGreen S3: There must be a delay of at least 5 seconds between a light turning amber and the light turning red. * Considered in precondition of function ToGreen

27 Traffic light controller kernel Optional Types Light = | | LightFail = [Light]

28 Summary Defining a type: give type symbol, methods for expressing values and operators. Operators may be total or partial. Avoid application of partial operators outside their domains. Basic types: numerics, characters, Booleans, tokens, quote types Type constructors: union, records, optionals, finite sets, sequences and mappings.