7.3 Why3 libraries
7.3.2 BlockLibrary StructuralFeature theory
Block interfaces are compositions of StructuralFeature elements with constrained data types and values. In order to model BlockLibrary conforming models with Why3, we need to be able to express those elements at a Why3 theory level. We choose to model the StructuralFeature elements with specific Why3 record types:
function subString (s: string_type) (lo up: int) : string_type =
  if lo >= length s \/ lo < 0 \/ up < 0 \/ up >= length s \/ up < lo then Nil
  else match s with
    | Nil -> Nil
    | Cons hd tl ->
      if lo = 0 then
        if up = 0 then Cons hd Nil
        else Cons hd (subString tl 0 (up - 1))
      else subString tl (lo - 1) (up - 1)
  end

lemma subString_nil: forall x, y: int.
  subString Nil x y = Nil

lemma subString_length_nil: forall x, y: int.
  length (subString Nil x y) = 0

lemma subString_0_0: forall s: string_type, c: tChar.
  subString (Cons c s) 0 0 = Cons c Nil

lemma subString_length_0_0: forall s: string_type, c: tChar.
  length (subString (Cons c s) 0 0) = 1

lemma subString_0_x: forall s: string_type, c: tChar, x: int.
  (0 <= x < length s) ->
  subString (Cons c s) 0 x = Cons c (subString s 0 (x - 1))

lemma subString_length_0_x: forall s: string_type, c: tChar, x: int.
  (0 <= x < length s) ->
  length (subString (Cons c s) 0 x) = 1 + length (subString s 0 (x - 1))

lemma subString_x_y: forall s: string_type, c: tChar, x, y: int.
  (0 < x <= y < length s) ->
  subString (Cons c s) x y = subString s (x - 1) (y - 1)

lemma subString_length_x_y: forall s: string_type, c: tChar, x, y: int.
  (0 < x <= y < length s) ->
  length (subString (Cons c s) x y) = length (subString s (x - 1) (y - 1))

lemma subString_OutOfBound: forall l: string_type, lo up: int.
  (lo >= length l -> (subString l lo up) = Nil) /\
  (lo < 0 -> (subString l lo up) = Nil) /\
  (up < 0 -> (subString l lo up) = Nil) /\
  (up >= length l -> (subString l lo up) = Nil) /\
  (up < lo -> (subString l lo up) = Nil)

lemma length_one: forall l: list 'a, e: 'a.
  length (Cons e l) = 1 + length l

end
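The subString function above takes inclusive bounds and returns Nil, rather than a clamped result, as soon as either bound is out of range; the lemmas spell out how it unfolds on Cons. The following Python model is an added example (it is not part of the thesis nor of the Why3 String library): it mirrors subString on tuples standing in for string_type (Nil as (), Cons hd tl as (hd,) + tl) and evaluates every lemma of the listing on all strings up to a small length and all bounds in a small integer range, a bounded check one can run before handing the lemmas to a prover. The alphabet, maximum length and bound parameters are this example's assumptions.

```python
# Added example, not from the thesis: an executable Python model of the Why3
# subString function together with a bounded check of the listing's lemmas.
# Assumption of this model: string_type is a tuple of characters, with
# Nil = () and Cons hd tl = (hd,) + tl.
from itertools import product

Nil = ()


def cons(hd, tl):
    return (hd,) + tl


def length(s):
    return len(s)


def sub_string(s, lo, up):
    """Mirror of the Why3 subString: bounds are inclusive and any
    out-of-range bound yields Nil (the function never clamps)."""
    if lo >= length(s) or lo < 0 or up < 0 or up >= length(s) or up < lo:
        return Nil
    if s == Nil:
        return Nil
    hd, tl = s[0], s[1:]
    if lo == 0:
        if up == 0:
            return cons(hd, Nil)
        return cons(hd, sub_string(tl, 0, up - 1))
    return sub_string(tl, lo - 1, up - 1)


def check_lemmas(alphabet=("a", "b"), max_len=4, bound=6):
    """Evaluate each lemma of the listing on every string of length <= max_len
    over `alphabet` and every bound in [-bound, bound]; return the names of
    the lemmas that fail (expected: none)."""
    strings = [tuple(p) for n in range(max_len + 1)
               for p in product(alphabet, repeat=n)]
    ints = range(-bound, bound + 1)
    failures = set()

    def lemma(name, holds):
        if not holds:
            failures.add(name)

    for x, y in product(ints, ints):
        lemma("subString_nil", sub_string(Nil, x, y) == Nil)
        lemma("subString_length_nil", length(sub_string(Nil, x, y)) == 0)

    for s in strings:
        lemma("length_one", length(cons("a", s)) == 1 + length(s))
        for lo, up in product(ints, ints):
            # subString_OutOfBound: each of the five premises forces Nil
            out = (lo >= length(s) or lo < 0 or up < 0
                   or up >= length(s) or up < lo)
            lemma("subString_OutOfBound",
                  (not out) or sub_string(s, lo, up) == Nil)
        for c in alphabet:
            cs = cons(c, s)
            lemma("subString_0_0", sub_string(cs, 0, 0) == cons(c, Nil))
            lemma("subString_length_0_0", length(sub_string(cs, 0, 0)) == 1)
            for x in ints:
                if 0 <= x < length(s):
                    lemma("subString_0_x",
                          sub_string(cs, 0, x) == cons(c, sub_string(s, 0, x - 1)))
                    lemma("subString_length_0_x",
                          length(sub_string(cs, 0, x))
                          == 1 + length(sub_string(s, 0, x - 1)))
                for y in ints:
                    if 0 < x <= y < length(s):
                        lemma("subString_x_y",
                              sub_string(cs, x, y) == sub_string(s, x - 1, y - 1))
                        lemma("subString_length_x_y",
                              length(sub_string(cs, x, y))
                              == length(sub_string(s, x - 1, y - 1)))
    return sorted(failures)


if __name__ == "__main__":
    print("failing lemmas:", check_lemmas())
    print(sub_string(("a", "b", "c"), 1, 2))   # ('b', 'c')
    print(sub_string(("a", "b", "c"), 0, 5))   # () : upper bound out of range
```

Such a bounded check cannot replace the proof, but it catches a mis-stated lemma (for instance a premise written with a non-strict bound) cheaply, before a prover spends time on an unprovable goal.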
theory InPortGroup
  use import String.String
  use import int.Int

  type tInPortGroup 'a

  function name_inpg (tInPortGroup 'a) : string_type
  function min_size_inpg (tInPortGroup 'a) : int
  function max_size_inpg (tInPortGroup 'a) : int
  function value_inpg (tInPortGroup 'a) : 'a

  axiom tInPortGroup_min_max_one: forall pg: tInPortGroup 'a.
    pg.max_size_inpg = one -> pg.min_size_inpg = one

  axiom tInPortGroup_min_max_value: forall pg: tInPortGroup 'a.
    pg.min_size_inpg >= zero /\ pg.max_size_inpg >= zero

  axiom tInPortGroup_min_max_size: forall pg: tInPortGroup 'a.
    pg.min_size_inpg <= pg.max_size_inpg \/ pg.max_size_inpg = zero

  function size_inpg (pg: tInPortGroup 'a) : int =
    if pg.max_size_inpg = zero then zero
    else if pg.max_size_inpg = one then one
    else pg.max_size_inpg - pg.min_size_inpg

  lemma size_inpg_max_zero: forall pg: tInPortGroup 'a.
    pg.max_size_inpg = zero -> size_inpg pg = zero

  lemma size_inpg_min_zero: forall pg: tInPortGroup 'a.
    pg.max_size_inpg <> zero /\ pg.min_size_inpg = zero -> size_inpg pg = pg.max_size_inpg

  lemma size_inpg_max_one: forall pg: tInPortGroup 'a.
    pg.max_size_inpg = one -> size_inpg pg = one

  lemma size_inpg_min_non_zero: forall pg: tInPortGroup 'a.
    pg.max_size_inpg <> zero /\ pg.min_size_inpg <> zero ->
    size_inpg pg = pg.max_size_inpg - pg.min_size_inpg
end
Listing 7.7: Input PortGroup definition in Why3
Input PortGroup
Input PortGroup is modeled as the tInPortGroup type; Listing 7.7 contains its formalisation. We formalise some of the Input PortGroup metaclass attributes as uninterpreted functions: name_inpg, min_size_inpg, max_size_inpg and value_inpg respectively formalise the name, min_size, max_size and value attributes. Relying on uninterpreted functions lets us then provide additional axioms expressing constraints on the size values of a port group; these axioms express the same constraints as those given at the metamodel level. Finally, we provide the lemmas for the size_inpg function, which retrieves the actual size of an input port.
Output PortGroup
Output PortGroup is modeled as the tOutPortGroup type. As previously, the Output PortGroup attributes are formalised as uninterpreted functions. Its definition is very close to that of tInPortGroup: only one predicate is expressed on this record type, constraining both the minimum and the maximum size of the group to one. This constraint is extracted from the OCL constraints of the BlockLibrary metamodel. Listing 7.8 contains the tOutPortGroup definition.
theory OutPortGroup
  use import String.String
  use import Scalar.Boolean
  use import int.Int

  type tOutPortGroup 'a

  function name_outpg (tOutPortGroup 'a) : string_type
  function min_size_outpg (tOutPortGroup 'a) : int
  function max_size_outpg (tOutPortGroup 'a) : int
  function value_outpg (tOutPortGroup 'a) : 'a

  axiom tOutPortGroup_min_max_one: forall pg: tOutPortGroup 'a.
    pg.max_size_outpg = one /\ pg.min_size_outpg = one
end
Listing 7.8: Output PortGroup definition in Why3
theory Parameter
  use import String.String
  use import Scalar.Boolean

  type tParameter 'a = {
    name_pt : string_type;
    isMandatory_pt : boolean_type;
    value_pt : 'a
  }
end
Listing 7.9: Parameter definition in Why3
Parameter
Parameter is modeled as the type-parametrised record type tParameter. Listing 7.9 contains its formalisation. We defined the tParameter record type with fields corresponding to the Parameter metaclass attributes.
MemoryVariable
MemoryVariable is modeled as the type-parametrised record type tMemoryVariable. Listing 7.10 contains its formalisation. We defined the tMemoryVariable record type with fields corresponding to the MemoryVariable metaclass attributes.
For each StructuralFeature type definition, we have declared a value_XX field, typed according to the type parameter of its containing record type. In a BlockLibrary specification, we refer to the value_XX field of a StructuralFeature instance sf by writing sf.value.
According to our experiments, these elements could be generated automatically from the metamodel definition together with its OCL constraints. Early experiments were conducted by M. Carton; this is a perspective that would ease some of our work.
theory MemoryVariable
  use import String.String

  type tMemoryVariable 'a = {
    name_mv : string_type;
    value_mv : 'a
  }
end