Invariants and the Specification of Operations
5.4 The Specification of Common Operations
The development of specifications in VDM can be very complex. It is not our intention to develop a tool that produces all possible specifications; this is beyond the current research. However, there are several specifications that are common across applications. These include the specification of operations that add items, delete items and list items that satisfy requirements. In this section we describe how such specifications are generated once the preceding step has identified the data types.
The general format of an operation specification in VDM is as follows:
OPER (input: In_t) output: Out_t
ext ...
pre ...input...
post ...input...output...
The first line, where OPER is the name of the operation, is called the signature of the operation. The signature is composed of the name of the operation, a list of input parameters and their types and a list of results and their types. The second line records those state variables to which an operation has external access. These state variables can be read only (rd) or read and write (wr) and the name of each variable is followed by its type.
The pre-condition of an operation records assumptions about the arguments and state variables to which it is to be applied. The post-condition is an assertion that is required to hold after the operation is applied.
We can view this format as a template that needs to be filled to obtain a specification. In general, the template used is dependent on the operation required and the data type identified. Thus for adding an item to a map we provide a template which specifies that:
• there is one input argument (the item to be added), and one output argument (the identifier of the item added),
• a state variable with write access (the map),
• no precondition,
• a postcondition that records the requirement that the identifier of the added item is new and that the map has been updated appropriately.
The information required for naming the arguments and the types are readily available as a result of the previous phase that identifies the types.
Thus for the data type defined in section 5.3 and for convenience repeated here:
Stock_t = Item_ID -m-> Item_t
Item_t :: description   : Description_t
          unit_cost     : Cost_t
          quantity      : Quantity_t
          reorder_level : Level_t
we describe how the required information is extracted knowing that we want to specify an operation that adds an item to a map.
• The name of the operation is obtained from the kind of function (add, delete, update) concatenated with the item on which the operation is carried out. In this example we want to specify an operation that adds an item to a stock map. Hence the operation is named ADD-ITEM.
• There is only one input argument which should be of the same type as the range of the map. We use the first three letters of the name of the data type to generate a name for the argument.
• There is only one output argument and this should be of the same type as the domain of the map.
• There is a state variable with write access to the map (Stock).
• There is no precondition.
• As postcondition, we check that the identifier of the added item (the output argument) is not a member of the domain of the map and update the map by adding the new element (the input argument).
Hence, the template can be filled to obtain the following specification for adding an item into a stock system:
ADD-ITEM (ite: Item_t) r : Item_ID
ext wr stock : Stock_t
pre true
post r ∉ dom ↼stock ∧ stock = ↼stock ∪ {r ↦ ite}
where a hook over a state variable that has write access (rendered here as ↼stock) denotes the prior value of the variable. For example, ↼stock denotes the map before the item is added.
Specifying the same operation for a sequence or a set does not differ much from that for a map. The other category of common operations is the updating and selection of elements. The specification of these operations differs from the previous ones in that the user has to supply extra information to specify the operations. For example, to select a list of elements we need to know the condition for selection. This condition is supplied by the user as an English sentence which is translated into LFL. For the stock problem a condition such as:
Which items are to be reordered.
is first transformed to logical form:
wh(X&item(X),be(X,reorder(X)))
Then the condition reorder(X) can be extracted from the focus of the logical form and used to construct the following post-condition.
r = {iteide ↦ stock(iteide) | iteide ∈ dom stock ∧ reorder(stock(iteide))}
As this example shows, there is no guarantee that the condition generated is fully defined. In this case the user has to define the function reorder.
If instead the user had typed:
The quantity in stock is less than or equal to the reorder level.
The system would have produced the logical form:
the(quantity(X, stock), the(reorder(level(Y)), is_less_than_or_equal(X, Y)))
which leads to the post-condition:
r = {iteide ↦ stock(iteide) | iteide ∈ dom stock ∧ is_less_than_or_equal_to(quantity(stock(iteide)), level(stock(iteide)))}
Notice that in this example the user provided enough information for the system to generate a complete post-condition. In general, the template that generates the specification that lists specific items of a map specifies that:
• There is no input argument. The output argument is a map of the same type,
• a state variable with read access is used,
• there are no preconditions,
• a postcondition that ensures that the output variable consists of those items that belong to the map and which satisfy the given condition for selection.
Hence, the specification of the operation that lists the items of stock whose quantity in stock is less than or equal to the minimum reorder level is:
LIST-ITEM () r : Stock_t
ext rd stock : Stock_t
pre true
post r = {iteide ↦ stock(iteide) | iteide ∈ dom stock ∧ is_less_than_or_equal_to(quantity(stock(iteide)), level(stock(iteide)))}
The template that generates the specification of an operation that deletes an item from a map specifies that:
• There is one input argument which represents the identifier of the item to be removed from the map.
• A state variable with write access containing the map.
• A precondition that requires that the identifier of the item to be removed should be a member of the domain of the map.
• A postcondition that ensures that the new value of the state variable reflects the deletion made.
Hence the specification of an operation that removes an item from the stock is:
DELETE-ITEM (i: Item_ID)
ext wr stock : Stock_t
pre i ∈ dom ↼stock
post stock = {i} ⩤ ↼stock
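To make the template filling concrete, the following Python illustration (added here; it is not the authors' generation tool) fills the add, list and delete templates above from a map type declaration. The naming rules follow the text; the ELEM placeholder standing for the selected element in a user-supplied condition is an assumption of this example.

```python
"""Added illustration: filling the add, list and delete templates for a map
type.  Naming rules follow the text: operation = kind + item, argument = first
three letters of the range type name.  Not the authors' tool."""
from dataclasses import dataclass

@dataclass
class MapType:
    name: str      # e.g. "Stock_t"
    domain: str    # e.g. "Item_ID"
    range_: str    # e.g. "Item_t"

def item_name(t: str) -> str:
    # "Item_t" -> "ITEM": strip the _t suffix and upper-case the rest
    return (t[:-2] if t.endswith("_t") else t).upper()

def arg_name(t: str) -> str:
    # first three letters of the type name, lower-cased: "Item_t" -> "ite"
    return t[:3].lower()

def state_var(m: MapType) -> str:
    # state variable named after the map type: "Stock_t" -> "stock"
    return item_name(m.name).lower()

def add_spec(m: MapType) -> str:
    s, ite = state_var(m), arg_name(m.range_)
    return (f"ADD-{item_name(m.range_)} ({ite}: {m.range_}) r : {m.domain}\n"
            f"ext wr {s} : {m.name}\n"
            f"pre true\n"
            f"post r ∉ dom ↼{s} ∧ {s} = ↼{s} ∪ {{r ↦ {ite}}}")

def delete_spec(m: MapType) -> str:
    s = state_var(m)
    return (f"DELETE-{item_name(m.range_)} (i: {m.domain})\n"
            f"ext wr {s} : {m.name}\n"
            f"pre i ∈ dom ↼{s}\n"
            f"post {s} = {{i}} ⩤ ↼{s}")

def list_spec(m: MapType, condition: str) -> str:
    # condition: user-supplied predicate over one range element; ELEM stands
    # for the selected element (a placeholder convention assumed here)
    s = state_var(m)
    cond = condition.replace("ELEM", f"{s}(iteide)")
    return (f"LIST-{item_name(m.range_)} () r : {m.name}\n"
            f"ext rd {s} : {m.name}\n"
            f"pre true\n"
            f"post r = {{iteide ↦ {s}(iteide) | iteide ∈ dom {s} ∧ {cond}}}")

STOCK = MapType("Stock_t", "Item_ID", "Item_t")  # the data type of section 5.3
if __name__ == "__main__":
    for spec in (add_spec(STOCK), list_spec(STOCK, "reorder(ELEM)"), delete_spec(STOCK)):
        print(spec, end="\n\n")
```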
We also adopt a similar template-based approach to obtain specifications for sequences. The specifications of operations for a sequence will be given in the case study presented in the next chapter.