TIVDM2Model Quality1 Peter Gorm Larsen

TIVDM2Model Quality2 Agenda  Introduction Internal Consistency External Consistency

TIVDM2Model Quality3 Introduction What is now the value of the models you have produced? How do we assess the quality of a model? Internal consistency: Does the model describe something? Syntax, type checking and proof obligations No potential run-time errors External consistency: Does the model describe the right thing? Validation with domain expert Does the model have desirable properties?

TIVDM2Model Quality4 Agenda Introduction  Internal Consistency External Consistency

TIVDM2Model Quality5 POP3: Protection of Partial Operators class POP3Server... instance variables maildrop : MailDrop;... types public MailDrop = map POP3Types`UserName to MailBox; public MailBox :: msgs : seq of POP3Message locked : bool; operations GetUserMessages: POP3Types`UserName ==> seq of POP3Message GetUserMessages(user) == return GetUserMail(user).msgs pre UserKnown(user); end POP3Server

TIVDM2Model Quality6 Booking of Flights: Invariant Preservation class Trip types Flight :: departure : seq of char destination : seq of char instance variables journey: seq of Flight; inv forall i in set {1,...,len journey -1} & journey(i).destination = journey(i+1).departure operations AddFlight: Flight ==> () AddFlight(f) == journey := journey ^ [f] pre journey(len journey).destination = f.departure end Trip journey <> [] =>

TIVDM2Model Quality7 Robot Routes: Satisfiability 1 class Route instance variables points: set of Point; inv forall p1, p2 in set points & p1.GetCoord() = p2.GetCoord() => p1 = p2 and forall p in set points & p.GetIndex() <> card points => GetNext(p).GetCoord() in set {n.GetCoord() | n in set p.Neighbour()} … end Route

TIVDM2Model Quality8 Robot Routes: Satisfiability 2 class Route functions static public AvoidanceRoutes( obstacles: set of (nat * nat), currentPosition: Point, nextWaypoint: Point) routes: set of Route post forall r in set routes & r.GetFirst().GetCoord() = currentPosition.GetCoord() and r.GetLast().GetCoord() = nextWaypoint.GetCoord() and r.GetCoords() inter obstacles = {}; end Route

TIVDM2Model Quality9 Robot Routes: Satisfiability 3 For implicit definitions there must exist at least one potential result for each input satisfying the pre-condition Proof Obligation (or integrity constraint): forall obstacles: set of (nat * nat), currentPosition: Point, nextWaypoint: Point & exists routes: set of Route & post-AvoidanceRoutes(obstances,currentPosition, nextWaypoint,routes) Can in principle be proved formally

TIVDM2Model Quality10 Agenda Introduction Internal Consistency  External Consistency

TIVDM2Model Quality11 Dialogue with Domain Experts Typically domain experts know little about IT Understanding their intended usage may be a challenge Creating a model will create further questions to experts Model should seldomly been shown directly Scenarios to be used for test purposes can typically be discussed A CORBA-based API can be used to ”demonstrate” ideas to domain experts/end users

TIVDM2Model Quality12 Syntax, type check and Execute using API Example model to use: class A operations public op: int ==> int op(n) == return n + 1 pre n > 0 end A

TIVDM2Model Quality13 The CORBA API for VDMTools The class ToolboxClient shall be used Includes the getVDMApplication method Result must be casted to VDMApplication In Java this would look like: ToolboxClient toolboxClient = new ToolboxClient(); org.omg.CORBA.Object obj = toolboxClient.getVDMApplication( new String[]{}, ToolType.PP_TOOLBOX); app = VDMApplicationHelper.narrow(obj); Additional initialization: client = app.Register(); app.PushTag(client);

TIVDM2Model Quality14 Interacting with the API: Syntax and Type Checking VDMProject prj = app.GetProject(); prj.New(); String path = "/local/vdm++book/validation"; String[] modelFiles = {"A.vpp"}; VDMParser parser = app.GetParser(); for (int i = 0; i < modelFiles.length; i++) { String filename = path + "/" + modelFiles[i]; prj.AddFile(filename); parser.Parse(filename); } private void typeCheck() throws APIError { ModuleListHolder moduleList = new ModuleListHolder(); app.GetProject().GetModules(moduleList); app.GetTypeChecker().TypeCheckList(moduleList.value); }

TIVDM2Model Quality15 Interacting with the API: Execution VDMInterpreter interp = app.GetInterpreter(); interp.Initialize (); interp.EvalCmd("create a := new A()"); try { VDMFactory fact = app.GetVDMFactory(); VDMSequence args = fact.MkSequence(client); VDMNumeric intValue = fact.MkNumeric(client, 5); args.ImpAppend(intValue); VDMGeneric result = interp.Apply(client, "a.op", args); System.out.println("Result is " + result.ToAscii()); } catch (APIError e) { System.err.println("Unable to validate model"); }

TIVDM2Model Quality16 Validating POP3 using the API

TIVDM2Model Quality17 Class Diagram for API GUI Layer

TIVDM2Model Quality18 Interacting with One Client Pop3APILayer defined a number of fields: VDMApplication app : This is a CORBA reference to the running VDMTools instance. VDMInterpreter interp : This is a CORBA reference to the interpreter in the instance of the VDMTools to which app refers. short client : The identifier number allocated by the VDMTools to this client. JTextArea logArea : A reference to a Java swing text area object, used to show the dialogue between the client and VDMTools. String channel : The name of the channel that will be used within the interpreter for communication with the server.

TIVDM2Model Quality19 Initializing the Interpreter private void initInterpreter() throws APIError { // Ensure echoing in interpreter interp.Verbose(true); // Enable precondition checking during execution interp.DynPreCheck(true); interp.Initialize (); EvalCmd("create ch := new MessageChannelBuffer()"); EvalCmd("create pt := new POP3Test()"); EvalCmd("create server := " + "new POP3Server(pt.Mak Drop(), " + "ch,pt.MakePasswordMap())"); EvalCmd("debug pt.StartServer(server)"); }

TIVDM2Model Quality20 Interaction between Client and Server public boolean openServerConnection(String username,String password, StringBuffer response) { try { EvalCmd("create " + channel + " := new MessageChannel()"); EvalCmd("debug ch.Put(" + channel + ")"); boolean status = executeCommand("USER", new String[]{"\""+username+"\""}, response); if (!status) return false; status = executeCommand("PASS", new String[]{"\""+password+"\""}, response); return status; } catch (Exception e) { e.printStackTrace(System.err); return false; } }

TIVDM2Model Quality21 Executing Commands private boolean executeCommand(String title, String[] args, StringBuffer response) { String command = makeCommand(title, args); try { VDMRecord responseObj = sendCommandResponse(command); boolean status = checkResponse(responseObj); response.append(responseObj.GetField(1).ToAscii()); return status; } catch (Exception e) { System.err.println("executeCommand: " + e.toString()); return false; }

TIVDM2Model Quality22 Constructing a Command Record private String makeCommand(String cmd, String[] args) { StringBuffer command = new StringBuffer(); command.append("mk_POP3Types`"); command.append(cmd); command.append("("); for (int index = 0; index < args.length; index++) { command.append(args[index]); if (index != args.length-1) command.append(","); } command.append(")"); return command.toString(); }

TIVDM2Model Quality23 Send Command Responses private VDMRecord sendCommandResponse(String command) { VDMRecord responseRecord = null; try { EvalCmd("debug " + channel + ".ClientSend(" + command + ")"); VDMFactory fact = app.GetVDMFactory(); VDMSequence args = fact.MkSequence(client); VDMGeneric response = interp.Apply(client,channel+ ".ClientListen", args); responseRecord = VDMRecordHelper.narrow(response); } catch (APIError e) { System.out.println("sendCommandResponse: " + e.msg.toString()); } return responseRecord; }

TIVDM2Model Quality24 Checking Responses private boolean checkResponse(VDMRecord response) { try { Log("response is " + response.ToAscii()); return response.GetTag().equals( "POP3Types`OkResponse"); } catch (APIError e) { System.err.println(e.toString()); return false; } }

TIVDM2Model Quality25 Interacting with Multiple Clients Two challenges: 1.The objects created by a client for a single POP3 session need to be unique for that client: otherwise it would be possible for one client to interfere with another client's session. 2.Only the very first client that registers with the tool set should load the specification and initialise the interpreter; otherwise a client's session could be prematurely terminated by another client reinitializing the interpreter in the middle of that session. 1 can be solved by: channel = "mc" + String.valueOf(client);

TIVDM2Model Quality26 Updating the Pop3ApiLayer Constructor public Pop3ApiLayer(JTextArea logArea) { try { this.logArea = logArea; ToolboxClient toolboxClient = new ToolboxClient(); app = toolboxClient. getVDMApplication(new String[]{}, ToolType.PP_TOOLBOX); client = app.Register(); channel = "mc" + String.valueOf(client); app.PushTag(client); interp = app.GetInterpreter(); if (!isInitialized()) { loadSpecification(); typeCheck(); initInterpreter(); } } catch (Exception e) { e.printStackTrace(System.err); System.err.println(e.toString()); } }

TIVDM2Model Quality27 isInitialized Definition private boolean isInitialized() throws APIError { VDMProject prj = app.GetProject(); ModuleListHolder moduleList = new ModuleListHolder(); prj.GetModules(moduleList); return moduleList.value.length != 0; }

TIVDM2Model Quality28 Summary What have I presented today? Assessing model quality Internal consistency External consistency What do you need to do now? Read chapter 13 Go on with your project to real-time inclusion Assess the models consistency If you know CORBA already you may use the API on your project Present your status to all of us

TIVDM2Model Quality29 Quote of the day Bertrand Meyer Formal specifications may become for software engineers what, say, differential equations are for engineers of other fields