The VDM-SL Reference Guide


Data types are defined to represent the main data of the modelled system. Each type definition introduces a new type name and gives a representation in terms of the basic types or in terms of types already introduced. For example, a type modelling user identifiers for a log-in management system might be defined as follows:

For manipulating values belonging to data types, operators are defined on the values.

Thus, natural number addition, subtraction etc. The language does not fix a maximum or minimum representable number or a precision for real numbers. Such constraints are defined where they are required in each model by means of data type invariants—Boolean expressions denoting conditions that must be respected by all elements of the defined type.

Since invariants can be arbitrarily complex logical expressions, and membership of a defined type is limited to only those values satisfying the invariant, type correctness in VDM-SL is not automatically decidable in all situations.


The other basic types include char for characters. In such cases, the members of the type may be represented as structureless tokens. Values of token types can only be compared for equality — no other operators are defined on them. Where specific named values are required, these are introduced as quote types.

Each quote type consists of one named value of the same name as the type itself. Values of quote types (known as quote literals) may only be compared for equality.

Overture Tool

For example, in modelling a traffic signal controller, it may be convenient to define values to represent the colours of the traffic signal as quote types:

The basic types alone are of limited value. New, more structured data types are built using type constructors. The most basic type constructor forms the union of two predefined types. The type A | B contains all elements of the type A and all of the type B. In the traffic signal controller example, the type modelling the colour of a traffic signal could be defined as follows:

The composite or record type is a Cartesian product with labels for the fields. Conversely, given an element of type T, the field names can be used to select the named component. For example, the type. Given a date d, the expression d.

An overview of the ISO/VDM-SL standard

Restrictions on days per month and leap years could be incorporated into the invariant if desired. Collection types model groups of values. Sets are finite unordered collections in which duplication between values is suppressed. Sequences are finite ordered collections (lists) in which duplication may occur, and mappings represent finite correspondences between two sets of values.

The set type constructor (written set of T, where T is a predefined type) constructs the type composed of all finite sets of values drawn from the type T. For example, the type definition. Various operators are defined on sets for constructing their union and intersection, determining proper and non-strict subset relationships, etc. The finite sequence type constructor (written seq of T, where T is a predefined type) constructs the type composed of all finite lists of values drawn from the type T.

Defines a type String composed of all finite strings of characters. Various operators are defined on sequences for constructing concatenation, selection of elements and subsequences etc.


Many of these operators are partial in the sense that they are not defined for certain applications. For example, selecting the 5th element of a sequence that contains only three elements is undefined. The order and repetition of items in a sequence is significant, so [a, b] is not equal to [b, a], and [a] is not equal to [a, a].

A finite mapping is a correspondence between two sets, the domain and range, with the domain indexing elements of the range. It is therefore similar to a finite function. Defines a type Birthdays which maps character strings to Date. Again, operators are defined on mappings for indexing into the mapping, merging mappings, overwriting, and extracting sub-mappings. These all follow traditional information hiding principles with modules and they can be explained as:
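The basic types and type constructors described above (invariants, token and quote types, unions, records, sets, sequences and mappings), written out as one VDM-SL fragment. This is an added example, not code from the original page: the bound 9999, the colour names, and the names SessionId, UserIds, Nth, MonthOf and BirthdayOf are assumptions chosen for illustration. The preconditions make the partial operators explicit, so an out-of-range index or a missing key is a contract violation rather than an undefined result.

```vdmsl
types
  -- The language fixes no maximum for nat; the bound is stated as an invariant.
  -- (9999 is a constructed limit for this example.)
  UserId = nat
  inv u == u <= 9999;

  -- Token type: structureless values that can only be compared for equality.
  SessionId = token;

  -- Union of quote types; each quote literal is the only value of its type.
  SignalColour = <Red> | <Amber> | <FlashingAmber> | <Green>;

  -- Record type with labelled fields. The invariant here is deliberately coarse;
  -- days-per-month and leap-year rules could be added to it.
  Date :: day   : nat1
          month : nat1
          year  : nat
  inv mk_Date(d, m, -) == d <= 31 and m <= 12;

  -- Collection types: finite set, finite sequence, finite mapping.
  UserIds   = set of UserId;
  String    = seq of char;
  Birthdays = map String to Date;

functions
  -- Field selection on a record value.
  MonthOf: Date -> nat1
  MonthOf(d) == d.month;

  -- Sequence indexing is partial: the precondition records when it is defined.
  Nth: String * nat1 -> char
  Nth(s, i) == s(i)
  pre i in set inds s;

  -- Map application is partial as well: the key must be in the domain.
  BirthdayOf: Birthdays * String -> Date
  BirthdayOf(b, name) == b(name)
  pre name in set dom b;
```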

Support for abstraction requires that it should be possible to characterize the result that a function should compute without having to say how it should be computed. The main mechanism for doing this is the implicit function definition in which, instead of a formula computing a result, a logical predicate over the input and result variables, termed a postcondition, gives the result's properties.

For example, a function SQRT for calculating a square root of a natural number might be defined as follows:

Here the postcondition does not define a method for calculating the result r but states what properties can be assumed to hold of it. Note that this defines a function that returns a valid square root; there is no requirement that it should be the positive or negative root.

The specification above would be satisfied, for example, by a function that returned the negative root of 4 but the positive root of all other valid inputs. Note that functions in VDM-SL are required to be deterministic so that a function satisfying the example specification above must always return the same result for the same input. A more constrained function specification is arrived at by strengthening the postcondition.


For example, the following definition constrains the function to return the positive root. All function specifications may be restricted by preconditions which are logical predicates over the input variables only and which describe constraints that are assumed to be satisfied when the function is executed. For example, a square root calculating function that works only on positive real numbers might be specified as follows:

The precondition and postcondition together form a contract that is to be satisfied by any program claiming to implement the function. The precondition records the assumptions under which the function guarantees to return a result satisfying the postcondition. If a function is called on inputs that do not satisfy its precondition, the outcome is undefined (indeed, termination is not even guaranteed). VDM-SL also supports the definition of executable functions in the manner of a functional programming language.

In an explicit function definition, the result is defined by means of an expression over the inputs. For example, a function that produces a list of the squares of a list of numbers might be defined as follows:

This recursive definition consists of a function signature giving the types of the input and result and a function body. An implicit definition of the same function might take the following form:

The explicit definition is in a simple sense an implementation of the implicitly specified function.


VDM Features

ACINF returns all the balances of all the accounts of a customer, as a map of account number to balance:

It stresses modelling persistent [7] state through the use of data types constructed from a rich collection of base types.


The VDM Specification Language


The correctness of an explicit function definition with respect to an implicit specification may be defined as follows.
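The implicit and explicit function definitions discussed above, and the correctness relation between them, written out in VDM-SL. This is an added example, not code from the original page: the names SQRTPos, SqListImp and SqListOK are assumptions introduced so that every variant can sit in one specification, and SqListOK only checks the relation over a finite sample of inputs rather than proving it.

```vdmsl
functions
  -- Implicit definition: the postcondition accepts either root of x.
  SQRT(x: nat) r: real
  post r * r = x;

  -- Strengthened postcondition: only the non-negative root is acceptable.
  SQRTPos(x: nat) r: real
  post r * r = x and r >= 0;

  -- With a precondition: callers must supply a non-negative real.
  -- Outside the precondition the contract promises nothing.
  SQRTP(x: real) r: real
  pre x >= 0
  post r * r = x and r >= 0;

  -- Explicit (executable) recursive definition: signature plus body.
  SqList: seq of nat -> seq of nat
  SqList(s) ==
    if s = []
    then []
    else [(hd s) ** 2] ^ SqList(tl s);

  -- Implicit definition of the same function: properties of the result only.
  SqListImp(s: seq of nat) r: seq of nat
  post len r = len s and
       forall i in set inds s & r(i) = s(i) ** 2;

  -- The explicit definition is correct with respect to the implicit one when,
  -- for every input satisfying the precondition (here: true), the explicit
  -- result satisfies the postcondition. post_SqListImp is the Boolean function
  -- VDM-SL derives from the postcondition of SqListImp.
  SqListOK: set of (seq of nat) -> bool
  SqListOK(samples) ==
    forall s in set samples & post_SqListImp(s, SqList(s));
```

Evaluating SqListOK({[], [3], [1, 2, 3]}) in an interpreter exercises the relation on those inputs; discharging it for all inputs is a proof obligation.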