CML tutorial Incorporating the Dwarf Signal Example Simon Foster - - PowerPoint PPT Presentation

cml tutorial
SMART_READER_LITE
LIVE PREVIEW

CML tutorial Incorporating the Dwarf Signal Example Simon Foster - - PowerPoint PPT Presentation

Nov 29, 2023 322 likes •786 views

CML tutorial Incorporating the Dwarf Signal Example Simon Foster Jim Woodcock University of York February 14, 2013 1 Outline Introduction Types and Invariants CML Processes Dwarf Operations and Processes Adding Safety Properties 2 CML

slide-1
SLIDE 1

CML tutorial

Incorporating the Dwarf Signal Example Simon Foster Jim Woodcock

University of York

February 14, 2013

1

slide-2
SLIDE 2

Outline

Introduction Types and Invariants CML Processes Dwarf Operations and Processes Adding Safety Properties

2

slide-3
SLIDE 3

CML Introduction

◮ a formal language for specifying Systems of Systems ◮ draws input from formal languages VDM and Circus ◮ a CML consists of

◮ types with invariants, e.g. ◮ basic types: bool, int, string, real etc. ◮ enumerations (“quote” type) ◮ sets ◮ maps ◮ records ◮ functions with pre and postconditions ◮ operations which act on a state ◮ processes from CSP

◮ we illustrate these by an example

3

slide-4
SLIDE 4

Dwarf Railway Signals

4

slide-5
SLIDE 5

Proper States

Dark Stop Warning Drive {} {L1, L2} {L1, L3} {L2, L3}

◮ Other (transient) states: {L1}, {L2}, {L3}, {L1, L2, L3}

5

slide-6
SLIDE 6

Safety Requirements

◮ Only one lamp may be changed at once ◮ All three lamps must never be on concurrently ◮ The signal must never be dark except if the dark aspect has to

be shown or there is lamp failure

◮ The change to and from dark is allowed only from stop and to

stop

6

slide-7
SLIDE 7

Typical Trace

  • dark

stop warning drive

7

slide-8
SLIDE 8

Outline

Introduction Types and Invariants CML Processes Dwarf Operations and Processes Adding Safety Properties

8

slide-9
SLIDE 9

Dwarf Signal basic types in CML

types LampId = <L1> | <L2> | <L3> Signal = set of LampId ProperState = Signal inv ps == ps in set {dark, stop, warning, drive} values dark: Signal = {} stop: Signal = {<L1>, <L2>} warning: Signal = {<L1>, <L3>} drive: Signal = {<L2>, <L3>}

9

slide-10
SLIDE 10

Dwarf Signal State

types DwarfType :: lastproperstate : ProperState desiredproperstate : ProperState turnoff : set of LampId turnon : set of LampId laststate : Signal currentstate : Signal

10

slide-11
SLIDE 11

Dwarf Signal State

types DwarfType :: lastproperstate : ProperState desiredproperstate : ProperState turnoff : set of LampId turnon : set of LampId laststate : Signal currentstate : Signal

◮ the previous/current proper state the signal was in

11

slide-12
SLIDE 12

Dwarf Signal State

types DwarfType :: lastproperstate : ProperState desiredproperstate : ProperState turnoff : set of LampId turnon : set of LampId laststate : Signal currentstate : Signal

◮ the proper state we desire to reach

12

slide-13
SLIDE 13

Dwarf Signal State

types DwarfType :: lastproperstate : ProperState desiredproperstate : ProperState turnoff : set of LampId turnon : set of LampId laststate : Signal currentstate : Signal

◮ lamps we need to turn off to reach the desired proper state

13

slide-14
SLIDE 14

Dwarf Signal State

types DwarfType :: lastproperstate : ProperState desiredproperstate : ProperState turnoff : set of LampId turnon : set of LampId laststate : Signal currentstate : Signal

◮ lamps we need to turn on to reach the desired proper state

14

slide-15
SLIDE 15

Dwarf Signal State

types DwarfType :: lastproperstate : ProperState desiredproperstate : ProperState turnoff : set of LampId turnon : set of LampId laststate : Signal currentstate : Signal

◮ the actual last state the signal was in

15

slide-16
SLIDE 16

Dwarf Signal State

types DwarfType :: lastproperstate : ProperState desiredproperstate : ProperState turnoff : set of LampId turnon : set of LampId laststate : Signal currentstate : Signal

◮ the actual current state the signal is in

16

slide-17
SLIDE 17

Dwarf Signal State - Invariants

inv d == (((d.currentstate \ d.turnoff) union d.turnon) = d.desiredproperstate)

◮ desired state = (current state - lamps to off) + lamps to on

17

slide-18
SLIDE 18

Dwarf Signal State - Invariants

inv d == (((d.currentstate \ d.turnoff) union d.turnon) = d.desiredproperstate) and (d.turnoff inter d.turnon = {})

◮ we can’t simultaneously desire to turn a light on and off

18

slide-19
SLIDE 19

Dwarf Signal State

types DwarfType :: lastproperstate : ProperState desiredproperstate : ProperState turnoff : set of LampId turnon : set of LampId laststate : Signal currentstate : Signal inv d == (((d.currentstate \ d.turnoff) union d.turnon) = d.desiredproperstate) and (d.turnoff inter d.turnon = {})

19

slide-20
SLIDE 20

Outline

Introduction Types and Invariants CML Processes Dwarf Operations and Processes Adding Safety Properties

20

slide-21
SLIDE 21

Processes in CML

◮ channels to communicate on, optionally carrying data ◮ state variables to read and write to ◮ operations acting on the state, with pre/postconditions ◮ actions which describe reactive behaviours ◮ process body, the main behaviour of the process

21

slide-22
SLIDE 22

CML process syntax

Syntax Description Stop Deadlocked process Skip Null behaviour a -> P Communicate on a then behave like P a?v -> P Input value v over channel a then do P a!v -> P Output value v on channel a then do P P ; Q Execute process P followed by Q P [] Q Pick P or Q based on the first communication P [|{a,b,c}|] Q Execute P and Q in parallel, with synchronisation allowed on a, b and c [cond] & P allow execution of P only if cond holds

22

slide-23
SLIDE 23

A basic CML process

channels a: int b: int process Simple = begin @ (a?v -> b!(v * 2) -> Skip) [|a|] (a!5 -> Skip) end

23

slide-24
SLIDE 24

Basic process behaviour

(a?v -> b!(v * 2) -> Skip) [|a|] (a!5 -> Skip)

a.5

  • (b!(v * 2) -> Skip) [|a|] (Skip)

b.10

  • (Skip) [|a|] (Skip)

24

slide-25
SLIDE 25

Outline

Introduction Types and Invariants CML Processes Dwarf Operations and Processes Adding Safety Properties

25

slide-26
SLIDE 26

Dwarf Process

channels init light: LampId extinguish: LampId setPS: ProperState shine: Signal process Dwarf = begin state dw : DwarfType ... end

26

slide-27
SLIDE 27

Init operation

  • perations

Init : () ==> () Init() == dw := mk_DwarfType(stop, {}, {}, stop, stop, stop) post dw.lastproperstate = stop and dw.turnoff = {} and dw.turnon = {} and dw.laststate = stop and dw.currentstate = stop and dw.desiredproperstate = stop

27

slide-28
SLIDE 28

Set New Proper State

SetNewProperState: (ProperState) ==> () SetNewProperState(st) == dw := mk_DwarfType( dw.currentstate , dw.currentstate \ st , st \ dw.currentstate , dw.laststate , dw.currentstate , st) pre dw.currentstate = dw.desiredproperstate and st <> dw.currentstate

28

slide-29
SLIDE 29

Turn On

TurnOn: (LampId) ==> () TurnOn(l) == dw := mk_DwarfType( dw.lastproperstate , dw.turnoff \ {l} , dw.turnon \ {l} , dw.currentstate , dw.currentstate union {l} , dw.desiredproperstate) pre l in set dw.turnon

29

slide-30
SLIDE 30

Turn Off

TurnOff : (LampId) ==> () TurnOff(l) == dw := mk_DwarfType( dw.lastproperstate , dw.turnoff \ {l} , dw.turnon \ {l} , dw.currentstate , dw.currentstate \ {l} , dw.desiredproperstate) pre l in set dw.turnon

30

slide-31
SLIDE 31

Dwarf Signal Process

actions DWARF = ( (light?l -> TurnOn(l); DWARF) [] (extinguish?l -> TurnOff(l); DWARF) [] (setPS?l -> SetNewProperState(l); DWARF) [] shine!dw.currentstate -> DWARF) @ init -> Init() ; DWARF

31

slide-32
SLIDE 32

Practical: Example Interaction

32

slide-33
SLIDE 33

A bad trace

◮ not all traces have good results:

init setPS?warning

  • turnon?L3

◮ we have violated the safety property:

NeverShowAll: DwarfType -> bool NeverShowAll(d) == d.currentstate <> {<L1>,<L2>,<L3>}

33

slide-34
SLIDE 34

The test in CML

actions ...

  • - Tries to turn on 3 lights simultaneously

TEST = setPS!warning -> light!<L3> -> extinguish!<L2>

  • > setPS!drive -> extinguish!<L1> -> light!<L2>
  • > Stop

DWARF_TEST = DWARF [|{setPS,light,extinguish}|] TEST

◮ can be thought of as a counterexample

34

slide-35
SLIDE 35

Practical: Represent this

35

slide-36
SLIDE 36

Outline

Introduction Types and Invariants CML Processes Dwarf Operations and Processes Adding Safety Properties

36

slide-37
SLIDE 37

Safety Properties (1)

◮ A signal must never show all the lights

functions NeverShowAll: DwarfType -> bool NeverShowAll(d) == d.currentstate <> {<L1>,<L2>,<L3>}

37

slide-38
SLIDE 38

Safety Properties (2)

◮ Only one lamp at a time may change

MaxOneLampChange: DwarfType -> bool MaxOneLampChange(d) == card ((d.currentstate \ d.laststate) union (d.laststate \ d.currentstate)) <= 1

  • 38
slide-39
SLIDE 39

Safety Properties (3)

◮ The signal may not go straight from stop to drive

ForbidStopToDrive : DwarfType -> bool ForbidStopToDrive(d) == (d.lastproperstate = stop => d.desiredproperstate <> drive)

  • 39
slide-40
SLIDE 40

Safety Properties (4)

◮ the only proper aspect following dark is stop

DarkOnlyToStop : DwarfType -> bool DarkOnlyToStop(d) == (d.lastproperstate = dark => d.desiredproperstate in set {dark,stop})

  • 40
slide-41
SLIDE 41

Safety Properties (5)

◮ the only proper aspect preceeding dark is stop

DarkOnlyFromStop: DwarfType -> bool DarkOnlyFromStop(d) == ?

  • 41
slide-42
SLIDE 42

Safety Properties (5)

◮ the only proper aspect preceeding dark is stop

DarkOnlyFromStop: DwarfType -> bool DarkOnlyFromStop(d) == (d.desiredproperstate = dark => d.lastproperstate in set {dark,stop})

  • 42
slide-43
SLIDE 43

Correct Dwarf Signal Type

types DwarfSignal = DwarfType inv d == NeverShowAll(d) and MaxOneLampChange(d) and ForbidStopToDrive(d) and DarkOnlyToStop(d) and DarkOnlyFromStop(d)

43

slide-44
SLIDE 44

Practical: 2 more tests

44