Download presentation
Presentation is loading. Please wait.
1
Formal Methods in SE Lecture 21
2
Qaisar Javaid, Assistant Professor
VDM II Qaisar Javaid, Assistant Professor 1
3
Defining a type Partial Operators
An operator op : T1 * * Tn -> R is said to be total if, for any a1:T1,. . . an:Tn, the expression op(a1,. . ., an) is defined. If there exists some b1:T1,. . .,bn:Tn for which op(b1,. . .,bn) is undefined, op is said to be a partial operator. We avoid applying partial operators to values on which they are undefined!
4
Basic Types Type Symbol nat nat1 int real char Bool quote Values
Natural numbers nat excluding 0 Integers Real Numbers Characters Booleans Named quote values Example Values 0, 1, 2, … 1, 2, 3, … …,-1,0,1,2,… ‘g’, true, false <Red>, <Bio> Operators +,-,*,/,… =, <> and, or, …
5
Type Constructors | Union types [_] Optional types :: Record types
set of _ Finite sets seq of _ Finite sequences map _ to _ Finite mappings
6
The set type constructor
The finite set type constructor is: set of _ What are the types of the following expressions? {1, -3, 12} { {9, 13, 77}, {32, 8}, {}, {77} }
7
The set type constructor
The type set of X is the class of all possible finite sets of values drawn from the type X. For example: set of nat1 sets of non-zero Natural numbers set of Student sets of student records set of (seq of char) sets of sequences of characters (e.g. sets of names) set of (set of int) sets of sets of integers, e.g. { {3,56,2},{-2},{},{-33,5} }
8
Defining sets ... (0) Empty Set: {} (1) Enumeration:
(2) Subrange (integers only): {integer1,...,integer2} e.g. {12,...,20} = {12,...,12} = {9,...,3} =
9
Defining sets ... (3) Comprehension
{ expression | binding & predicate } The set of values of the expression under each assignment of values to bound variables satisfying the predicate. Consider all the values that can be taken by the variables in the binding. Restrict this to just those combinations of values which satisfy the predicate. Evaluate the expression for each combination. This gives you the values in the set. e.g. { x**2 | x:nat & x < 5 }
10
Defining sets ... {x | x:nat & x < 5} {y | y:nat & y < 0}
Examples of Comprehensions: {x | x:nat & x < 5} {y | y:nat & y < 0} {x+y | x,y:nat & x<3 and y<4}
11
Defining sets … Finiteness
In VDM-SL, sets should be finite, so be careful when writing comprehensions that you don’t define a predicate that could be satisfied by an infinite number of values.
12
Operators on Sets _ union _ : set of A * set of A -> set of A
There are plenty of built-in operators on sets. Each one has a signature defining the number and types of operand expected, e.g. the set union operator: _ union _ : set of A * set of A -> set of A Name of the operator. The underscores show where the arguments go when the operator is used. Types of the inputs, in order. The “*” separates each input type. The type of the result. What can you tell about the union operator from this signature?
13
Operators on Sets _ union _ : set of A * set of A -> set of A
Are the following expressions legal, according to the signature? union({4, 7, 9} {23, 6}) 3 union {7, 1, 12} {12,…,15} union {x-y | x,y:nat & x<4 and y<10} {} union {} {12} union {x**y | x,y:nat & x<4 and y>2}
14
Operators on Sets In order to use operators effectively, you have to know the number and types of operands that they expect, and the types of value that they return as a result.
15
Operators on Sets _ union _ : set of A * set of A -> set of A
_ inter _ : set of A * set of A -> set of A _ \ _ : set of A * set of A -> set of A dunion : set of (set of A) -> set of A dinter : set of (set of A) -> set of A card : set of A > nat _ in set _ : A * set of A > bool _ subset _ : set of A * set of A -> bool Note: we don’t show the underscores when the operator is normally used in a prefix form, e.g. card {12, 45, 12, 3} = 4
16
Operators on Sets distributed operators
The most common operators have special forms in which they are extended to a whole set of arguments, not just two. dunion : set of (set of A) -> set of A dinter : set of (set of A) -> set of A
17
Operators on Sets selecting elements
In side a function definition, we may need to select an arbitrary element from a set, not caring how it is selected. We can do this by using a local definition, i.e. in the body of the function say let x in set S in … (now x stands for some arbitrary member of S) Alternatively, we could just define a general function for selecting an element from a set. Since we are not interested in the means of selection, we could do this by an implicit function definition: Select (s:set of X) result:X pre s <> {} post result in set s … and now we can use Select(_) whenever we want to select an element of a set.
18
Totalization To define refinement for partial relations, we consider their totalised forms: where X = X ⋃ {⊥} Y = Y ⋃ {⊥}
19
Complement of s
20
Example
21
Example a b c d ⊥ a b c d ⊥
22
Example a b c d ⊥ a b c d ⊥
23
Refinement Having decided upon totalization using ⊥, we may derive the conditions for one partial relation to be a correct refinement of another. If σ and ρ are two partial relations of the same type then σ refines ρ precisely when is a subset of . This is true if and only if the domain of σ is at least as big as that of ρ and σ agrees with ρ on dom ρ.
24
Refinement
25
Refinement a a b b c ρ a a Provided some additional information by extending the domain and removed some non-determinism b b c c σ
26
Not a Refinement
27
Using Totalization
28
Refinement If σ and ρ are two partial relations of the same type then σ refines ρ precisely when is a subset of .
29
Example We may corrupt a bit – an element of set {0, 1} – by changing its value.
30
The relation corruptsto associates two sequences of bits if the second is no longer than the first, and no two adjacent bits have been corrupted. _corruptsto_ : seq Bit ↔ seq Bit ∀ bs, bs’ : seq Bit ∙ bs corruptsto bs’ ⇔ #bs’ ≤ #bs ∧ ∀ i : 1 .. #bs’ – 1 ∙ bs i ≠ bs’ i ⇒ bs(i + 1) = bs’(i + 1) For example, <1, 0, 0, 0, 1, 1> corruptsto <1, 0, 1, 0, 0, 1> <1, 1, 0, 1, 1, 1, 0, 0> corruptsto <0, 1, 0, 0, 1>
31
The relation changesto associates two sequences of bits if the second is no longer than the first, and every bit with an odd index has been corrupted. _changesto_ : seq Bit ↔ seq Bit ∀ bs, bs’ : seq Bit ∙ bs changesto bs’ ⇔ #bs’ ≤ #bs ∧ ∀ i : 1 .. (#bs’ – 1) ∙ i ∈ {n : N1 ∙ 2 * n} ⇒ bs i = bs’ i ∧ i ∈ {n : N1 ∙ 2 * n + 1} ⇒ bs i ≠ bs’ i For example, <1, 1, 0, 1, 1, 1, 0, 0> changesto <0, 1, 1, 1, 0> <1, 0, 0, 0, 1, 1> changesto <0, 0, 1, 0, 0, 1>
32
The second relation is a refinement of the first:
both are total relations on seq Bit changesto resolves all the non-determinism present in the definition of corruptsto. If we are content with the behavior of corruptsto, then we will be content with changesto.
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.