model structuring and combining uml and vdm++ views

TIVDM2 Model Structuring and Combining UML and VDM++ Views

1

Model Structuring and Combining UML and VDM++ Views

Peter Gorm Larsen


2

Agenda

Combining UML and VDM++ Views• The Enigma Cipher Example


3

The CSLaM System

• A small system for control speed limitation and monitoring for trains


4

The CSLaM Requirements

• The main purpose of the CSLaM system is to provide a continuous train speed monitoring function. This system is intended to be used when temporary speed restrictions are necessary. This is signalled using different types of beacons placed along the track.

• The maximum permitted speed is the lower of the maximum speed of which the train is capable and the speed limits imposed by the temporary speed restriction beacons. If the train speed exceeds the maximum permitted speed, various actions are initiated by the train's on-board computer, depending on the severity of the violation. It is ultimately possible for the on-board system to activate the emergency brake automatically if the train's excess speed is too great.

The CSLaM system components are:• the on-board control speed limitation (CSL) subsystem;• the trackside beacons; and• the performance monitoring subsystem.


5

The On-board CSL System


6

The CSL Associations

class CSL

instance variables

cabDisplay : CabDisplay;emergencyBrake : EmergencyBrake;onboardComp : OnBoardComp;

end CSL

There is a one-to-one relationship between classes in UML and classes in VDM++.

Mapping rule 1

Every association between two classes at the UML class diagram level must be given a role name

Mapping rule 2


7

Additional basic mapping rules 1

Attributes inside a UML class are represented as instance variables or values inside the corresponding VDM++ class. The stereotype will indicate the kind, and the default will be instance variables.

Mapping rule 3: Attributes

Operations inside a UML class are represented as functions andoperations in the corresponding VDM++ class, in accordance with the function or operation stereotype, and vice versa. By default the stereotype is operation.

Mapping rule 4: Functionality

All member declarations can have access modifiers at both the UML class diagram; the VDM++ level and the mapping rules for these are one to one. The only exception here is that implementation at the UML class diagram level is considered as private at the VDM++ level.

Mapping rule 5: Access modifiers


8

Additional basic mapping rules 2

Static member declarations at the VDM++ level correspond to static member declarations at the UML class diagram level, except for operations which cannot be declared static inside Rose.

Mapping rule 6: Static definitions

Type definitions inside a VDM++ class are simply ignored by the mapping rules because there is no equivalent at the UML class diagram level. This just means that type definitions will only be kept at the VDM++ level.

Mapping rule 7: Type definitions


9

The Beacon Classes 1

• Announcement Beacon: This announces a limitation beacon. The information provided by the beacon is the target speed that must be respected when the limitation beacon is met. Several announcement beacons might be met successively.

• Limitation Beacon: The speed restriction is valid as soon as the head of the train reaches the beacon. If a limitation beacon is not preceded by an announcement beacon, a ground fault is raised.

• Cancel Beacon: This beacon cancels all announcements present. If no announcement is available, the cancel beacon is ignored. This beacon is used when a speed restriction is announced before a track switch and is not needed in some branches after the switch.

• End Beacon: This ends the speed restriction area. The speed restriction is no longer valid as soon as the tail of the train reaches the end beacon.


10

The Beacon Classes 2

There is a one-to-one relationship between inheritancein UML class diagrams and inheritance in VDM++.

class AnnounceBeacon is subclass of Beacon…end AnnounceBeacon

Mapping rule 8: Inheritance


11

Multiplicity of Associations

The multiplicity of an association determines its type at the VDM++ level. With“0..n” multiplicity and an ordered constraint the association is modelled as a sequence of object reference types using the sequence type constructor.

Mapping rule 9: Association Multiplicity


12

Qualified Associations

class Supervisor

instance variables

driverInfo: map DriverCard to Driver := {|->};

trainInfo : map TrainId to CSL := {|->};

types

public TrainId = token;end Supervisor

Qualified associations use a type (or a class name) as the qualifier and are modelled as a mapping from the qualifier type to the object reference type it is going to (possibly with further multiplicity).

Mapping rule 10: Qualified Associations


13

Monitoring Driver Performance

class CSLinstance variables

driverCard: [DriverCard] := nil;faults : set of Fault := {};end CSL

The multiplicity of an association determines its type at the VDM++ level. “0 .. n” multiplicity is modelled as an unordered collection of object reference types using the set type constructor.

Mapping rule 11: Collection Associations

The multiplicity of an association determines its type at the VDM++ level. Unspecified (or with 1) multiplicity is simply modelled as an object reference type. “0 .. 1” multiplicity is modelled as an optional type.

Mapping rule 12: Optional Associations


14

Agenda

Combining UML and VDM++ Views The Enigma Cipher Example


15

The Enigma Cipher

• Used by the Germans during the Second World War

• Encryption and decryption• Cracked by ”bombes” by the

Allies at Bletchley Park• More powerful cypher system

cracked by ”Colossus”• Influenced the outcome of the

war• Some believe that Alan Turing

was involved in the worlds first computer


16

Basic principles of Encryption• Around 1400 Leon Alberti invented the cipher disk• Substition of letters in a monalphabetic fashion• Caesar ciphers have an encoding distance

• Distance of 4 would make A -> E and B -> F• Alberti invented a polyalphabetic cipher• Coding distance implemented by a code word e.g. LEON• Now L -> A for the first letter, E -> A for the second letter• Enigma was made of a plugboard, a set of rotors and a

reflector• The plugboard replaces letters• The rotors are jointly called a scambler• The reflector is responsible for making it symmetric


17

The Structure of the Enigma


18

Initial UML Class Diagram


19

The Revised Enigma UML Model


20

The Alphabet Classclass Alphabet

instance variables alph : seq of char := [];inv AlphabetInv(alph)

functions

AlphabetInv: seq of char -> boolAlphabetInv (palph) == len palph mod 2 = 0 and card elems palph = len palph

operations

public Alphabet: seq of char ==> AlphabetAlphabet (pa) == alph := papre AlphabetInv(pa);

public GetChar: nat ==> charGetChar (pidx) == return alph(pidx)pre pidx in set inds alph;

public GetIndex: char ==> nat GetIndex (pch) == let pidx in set {i | i in set inds alph & alph(i) = pch} in return pidx pre pch in set elems alph;

public GetIndices: () ==> set of nat GetIndices () == return inds alph;

public GetSize: () ==> nat GetSize () == return len alph;

public Shift: nat * nat ==> nat Shift (pidx, poffset) == if pidx + poffset > len alph then return pidx + poffset - len alph else return pidx + poffset pre pidx in set inds alph and poffset <= len alph;

public Shift: nat ==> nat Shift (pidx) == Shift(pidx, 1)end Alphabet


21

The Component Classclass Component

instance variables protected next : [Component] := nil; protected alph : Alphabet

operations public Successors: () ==> set of Component Successors () == if next = nil then return {self} else return {self} union next.Successors();

public SetNext: Component ==> () SetNext (pcom) == next := pcom pre next = nil and self not in set pcom.Successors();

public Substitute: nat ==> nat Substitute (-) == is subclass responsibility;

public Rotate: () ==> () Rotate () == skip;

public Rotate: nat ==> () Rotate (-) == skip

end Component


22

The Configuration Class 1

class Configuration is subclass of Component

instance variables

protected config: inmap nat to nat;

Plugboard{2|->3,3|->2}

Rotor{1|->2,2|->1,3|->4,4|->3}

Reflector{1|->2,3|->4}


23

The Configuration Class 2operations protected Encode: nat ==> nat Encode (penc) == if penc in set dom config then return config(penc) else return penc;

protected Decode: nat ==> nat Decode (pdec) == let invcfg = inverse config in if pdec in set dom invcfg then return invcfg(pdec) else return pdec;

public Substitute: nat ==> nat Substitute(pidx) == return Decode(next.Substitute(Encode(pidx))) pre next <> nil

end Configuration


24

The Reflector Classclass Reflector is subclass of Configuration

instance variables inv ReflectorInv(next, config, alph)

functions ReflectorInv: [Component] * inmap nat to nat * Alphabet -> bool ReflectorInv (pnext, pconfig, palph) == pnext = nil and dom pconfig inter rng pconfig = {} and dom pconfig union rng pconfig = palph.GetIndices()

operations public Reflector: nat * Alphabet * inmap nat to nat ==> Reflector Reflector (psp, pa, pcfg) == atomic (alph := pa; config := {pa.Shift(i, psp-1) |-> pa.Shift(pcfg(i), psp-1) | i in set dom pcfg}) pre psp in set pa.GetIndices() and ReflectorInv(next, pcfg, pa);

public Substitute: nat ==> nat Substitute (pidx) == if pidx in set dom config then Encode(pidx) else Decode(pidx)

end Reflector


25

The Rotor Class 1class Rotor is subclass of Configuration

instance variables latch_pos : nat; latch_lock : bool := false;

inv RotorInv(latch_pos, config, alph)

functions RotorInv: nat * inmap nat to nat * Alphabet -> bool RotorInv (platch_pos, pconfig, palph) == let ainds = palph.GetIndices() in platch_pos in set ainds and dom pconfig = ainds and rng pconfig = ainds and exists x in set dom pconfig & x <> pconfig(x)

operations public Rotor: nat * nat * Alphabet * inmap nat to nat ==> Rotor Rotor (psp, plp, pa, pcfg) == atomic (latch_pos := pa.Shift(plp,psp-1); alph := pa; config := {pa.Shift(i,psp-1) |-> pa.Shift(pcfg(i),psp-1) | i in set dom pcfg}) pre psp in set pa.GetIndices() and RotorInv(plp, pcfg, pa);


26

The Rotor Class 2public Rotate: () ==> ()Rotate () == (-- propagate the rotation to the next component and tell it where our latch position is next.Rotate(latch_pos); -- update our own latch position and take the alphabet size into account if latch_pos = alph.GetSize() then latch_pos := 1 else latch_pos := latch_pos+1; -- update the transpositioning relation by shifting all indices one position config := {alph.Shift(i) |-> alph.Shift(config(i)) | i in set dom config}; -- remember the rotation latch_lock := true)pre isofclass(Rotor,next) or isofclass(Reflector,next);

public Rotate: nat ==> ()Rotate (ppos) == -- compare the latch position and the lock if ppos = latch_pos and not latch_lock -- perform the actual rotation then Rotate() -- otherwise reset the lock else latch_lock := falsepre ppos in set alph.GetIndices(); end Rotor


27

The Plugboard Classclass Plugboard is subclass of Configuration

instance variables inv PlugboardInv(config, alph)

functions PlugboardInv: inmap nat to nat * Alphabet -> bool PlugboardInv (pconfig, palph) == dom pconfig subset palph.GetIndices()

operations public Plugboard: Alphabet * inmap nat to nat ==> Plugboard Plugboard (pa, pcfg) == atomic (alph := pa; config := pcfg munion inverse pcfg) pre dom pcfg inter rng pcfg = {} and PlugboardInv(pcfg, pa);

public Substitute: nat ==> nat Substitute (pidx) == (next.Rotate(); Configuration`Substitute(pidx)) pre pidx in set alph.GetIndices() and (isofclass(Rotor,next) or isofclass(Reflector,next))

end Plugboard


28

Redefining Substitute


29

The SimpleEnigma Classclass SimpleEnigma is subclass of Component

values refcfg : inmap nat to nat = {1 |-> 3, 2 |-> 4}; rotcfg : inmap nat to nat = {1 |-> 2, 2 |-> 4, 3 |-> 3, 4 |-> 1}; pbcfg : inmap nat to nat = {2 |-> 3}

operations public SimpleEnigma: () ==> SimpleEnigma SimpleEnigma () == (dcl cp : Component ; alph := new Alphabet("ABCD"); next := new Reflector(4,alph,refcfg); cp := new Rotor(3,3,alph,rotcfg); cp.SetNext(next); next := cp; cp := new Rotor(2,2,alph,rotcfg); cp.SetNext(next); next := cp; cp := new Rotor(1,1,alph,rotcfg); cp.SetNext(next); next := cp; cp := new Plugboard(alph,pbcfg); cp.SetNext(next); next := cp);

public Keystroke : char ==> char Keystroke (pch) == let pidx = alph.GetIndex(pch) in return alph.GetChar(next.Substitute(pidx)) pre isofclass(Plugboard,next)end SimpleEnigma


30

The VDMUnit Framework


31

The TestSuite Class

class TestSuite is subclass of Test

instance variables tests : seq of Test := [];

operations public Run: () ==> () Run () == (dcl ntr : TestResult := new TestResult(); Run(ntr); ntr.Show()); public Run: TestResult ==> () Run (result) == for test in tests do test.Run(result);

public AddTest: Test ==> () AddTest(test) == tests := tests ^ [test];

end TestSuite


32

The TestCase Classpublic Run: TestResult ==> ()

Run (ptr) ==

trap <FAILURE> with

ptr.AddFailure(self)

in

(SetUp();

RunTest();

TearDown());

protected SetUp: () ==> ()

SetUp () ==

is subclass responsibility;

protected RunTest: () ==> ()

RunTest () ==

is subclass responsibility;

protected TearDown: () ==> ()

TearDown () ==

is subclass responsibility

end TestCase

class TestCase is subclass of Test

instance variables name : seq of char

operations

public TestCase: seq of char ==> TestCaseTestCase(nm) == name := nm;

public GetName: () ==> seq of charGetName () == return name;

protected AssertTrue: bool ==> ()AssertTrue (pb) == if not pb then exit <FAILURE>;

protected AssertFalse: bool ==> ()AssertFalse (pb) == if pb then exit <FAILURE>;


33

The TestResult Classclass TestResult

instance variables failures : seq of TestCase := [] operations public AddFailure: TestCase ==> () AddFailure (ptst) == failures := failures ^ [ptst];

public Print: seq of char ==> () Print (pstr) == def - = new IO().echo(pstr ^ "\n") in skip; public Show: () ==> () Show () == if failures = [] then Print ("No failures detected") else for failure in failures do Print (failure.GetName() ^ " failed") end TestResult


34

Enigma Unit Tests


35

Summary

• What have I presented today?• The rules for mappings between VDM++ and UML

• Illustrated by a small Control Speed Limitation and Monitoring (CSLaM) example for trains

• Worked on turning CSLaM into a distributed real-time model

• Illustrated the Enigma example in VDM++

• What do you need to do now?• Read chapters 9 and 10 of the book

• Start your distributed real time model for your project


36

Quote of the day

Science is a differential equation. Religion is a boundary condition.

Alan Turing

(1912 - 1954)

model structuring and combining uml and vdm++ views

Documents