VDM Tools

Introduction
VDMTools, Rational Rose and Eclipse plug-ins

Aims
To install the different tools on your own computer
To introduce VDMTools, creating project files and using the interpreter
To introduce the general format of a specification file
How to configure a VDM project
Syntax checking, type checking and editing a model
Introduce classes, operations and abstractions
Invariants and preconditions
Using the interpreter to query your model
Linking to Rational Rose class diagrams
Displaying execution traces on top of Eclipse

Introduction

VDMTools is an industrial strength support tool for the formal modelling language VDM++.
This tutorial provides an introduction to the tool and the tools that it can be connected to with
advantage. Since you will need to use this tool suite substantially for your own project it is
essential that you complete this material.
Work through the tasks at your own pace. When you have completed the tasks you should
discuss them with the teacher and get the exercise signed off.

1.1

Assumptions

In order to be able to install the different tools you need access to setup.exes and run a
small program called hostinfo.exe to generate information the teacher can use to generate
a license file for you for Rational Rose.
If you run linux or mac you will not be able to get access to Rational Rose, and in that case
you will have to draw class diagrams using a different tool by hand.

Installing the tools

All executables can be found at K:/from eit staff to eit stud/PGL. The same holds for the
plugins for Eclipse enabling the show of timed traces. For VDMTools the setup.exe shall just
be copied to your computer and started and the instructions followed (pressing on the next button). The same holds for Rational Rose except that a license file must be set up as described in
http://kurser.iha.dk/eit/tivdm1/Activating Rational Rose guide.pdf. Finally, concerning eclipse you first need to install it from the web. In addition, the eclipse plugins must be copied
into your Eclipse/plugins directory, but this must be done while eclipse is NOT started up. In
case you are upgrading to a newer version of the plugins it is important that the older versions
must be removed before eclipse is started up again.

Getting started
1. Under windows start the GUI version of VDMTools from the start-menu all-programs/vdmtools
(dont take the command line version). If you use linux start the tools with the command
vppgde &. The & is used to run the command in the background. You should be presented
with the main Toolbox window.
2. Click on Windows, then Interpreter.
3. Well use the Interpreter later to query a model: for now, we can use it to evaluate straightforward mathematical and logical expressions. Type the following at the >> prompt, noting
the answers returned after each line:
print 3*12
print 3 < 4
print {1,...,10}
Most output should be self-explanatory: notice that the interpreter can evaluate logical
expressions such as 3 < 4 as well as mathematical ones. The last expression returns a set of
integers.
Other commands are available in the interpreter dialog window: the help command lists
them and gives more detailed help on specific commands.
4. Exit the toolbox, by selecting Project and Exit from the main window.

Organising Projects, and Reading Files

The rest of the tutorial uses the material presented in the lectures on the Guided Tour, using the
model of the Chemical Plant Alarm System.
In the following instructions youll use the menus in the main window to set up a project and
load specification files into the project. There are also toolbar buttons for quick access to most
commands.

4.1

Specification template

A standard specification has one or more class definitions, each of which may include definitions
of types, operations, instance variables, functions and values.
1. Go to the TIVDM1 web page and fetch http://kurser.iha.dk/eit/tivdm1/template.vpp
or the http://kurser.iha.dk/eit/tivdm1/template.rtf file. The rtf file makes only
sense on the windows platform, but in case you wish to use the round-trip engineering
capability with Rational Rose we recommend to use the rtf format. Note that if you use
2

Microsoft Word the input file should be based on the VDM.dot file in the same way as the
template.rtf file is using the VDM style for the VDM parts.
2. Open the file in an editor. It should look like Figure 1.
------------------------------------------------ Author:
-- Created:
-- Updated:
-- Description:
------------------------------------------------- class definition
-class c1
--- instance variables
-instance variables
--- Types definition section
-types
--- Operations definition section
-operations
--- Functions definition section
-functions
--- Values definition section
-values
end c1

Figure 1: VDM++ specification template in ASCII format

The file contains a header comment and a class definition for a class c1. Each class definition
will normally have the sections shown for types, instance variables, operations, functions and
values. Several classes can be defined in the same specification.
3. Edit the header comment by adding relevant details and then save the file under a new name
(such as tour.vpp or tour.rtf).
4. Start VDMTools and begin a new project. Add the file you just created to your project.
5. Syntax check and type check the file. Its empty apart from the headings so the check should
pass.

6. Click the Class tab of the Manager window. You should see the status of the class c1 shown
with a S and T under the Syntax and Type headings.

Types

Now youll define the classes which make up the alarm system. The initial version of the Plant
class is as follows:
class Plant
types
public Period = token;
public Schedule = map Period to set of Expert;
instance variables
alarms
: set of Alarm;
schedule : Schedule;
end Plant
1. Edit your file tour.rtf (or tour.vpp) to add this class, using the headings in the template
as a starting point (you should change the name of class c1 to Plant).
2. Save the specification file, then syntax check and type check it. The syntax check should
pass if not, check your spelling, semicolons etc!
The type check should fail, since the model is incomplete. You should now add the other
two classes to your specification in seperate files:
class Expert
types
public Qualification = <Mech> | <Chem> | <Bio> | <Elec>;
instance variables
quali: set of Qualification;
end Expert
class Alarm
types
public String = seq of char;
instance variables
descr
: String;
reqQuali: ExpertQualification;
end Alarm
3. Repeat the syntax check and type check, and ensure you fix any errors.
4. Save the project for example as tour.prj.

Operations

We can now add signatures of the operations required for the Plant:
operations
public ExpertToPage: Alarm * Period ==> Expert
ExpertToPage(a, p) == is not yet specified;
4

public NumberOfExperts: Period ==> nat

NumberOfExperts(p) == is not yet specified;
public ExpertIsOnDuty: Expert ==> set of Period
ExpertIsOnDuty(ex) == is not yet specified;
Add the operations as defined above, and repeat the syntax and type check. Full definition of
the operations will follow after considering invariants.

Invariants
1. After discussions with the client, it is decided that experts must have at least one qualification. This can be modelled using an invariant in the Expert class. Edit your specification
to include this invariant by changing the Expert datatype as follows:
class Expert
types
public Qualification = <Mech> | <Chem> | <Bio> | <Elec>
instance variables
quali: set of Qualification;
inv quali <> {};
end Expert
This defines an invariant on the Expert class which restricts values of the quali instance
variable. The invariant will be satisfied as long as the set of qualifications held by the expert
is not empty (not equal to the empty set).
2. Syntax check and type check your model, and fix any problems that arise.

Completing Operations

We now complete the explicit operation definitions.

1. The definitions for the explicit operations NumberOfExperts and ExpertIsOnDuty are given
on slide 59. Add these to your model, taking care to include the preconditions.
2. Add a constructor to the Plant class:
public Plant: set of Alarm * Schedule ==> Plant
Plant(als,sch) ==
( alarms := als;
schedule := sch
);
3. Finally, add constructor operations to the Alarm and Expert classes. Use the format of the
Plant constructor to guide you, and consider whether any precondition is needed in each
case. The signatures will be
public Expert: set of Qualification ==> Expert
public Alarm: ExpertQualification * String ==> Alarm
Syntax and type check your model, and fix any problems before moving onto the next section.
5

Connection to Rational-Rose

Once all three classes are type correct press the icon with a flower that will start up Rational Rose
and start by checking whether there exists a tour.mdl in the same directory as the tour.prj.
Since this file does not exists it adds three classes to a generated classes directory in the Logical
view. When these three classes are draged into a class diagram it should like like in Figure 2.

Figure 2: A UML class diagram for the tour classes

You can also try to make modifications at the Rational Rose level and press the Rose link
again inside VDMTools so you can see how it is suggested to move the changes you have made at
Rose level back to the VDM++ textual classes.

10

Adding test values

We can now add a test class to the model. For the sake of simplicity we test by defining a number
of public instance variables.
1. Enable dynamic type checking in the interpreter. This ensures that a type check is run on
any values defined in the model. Also enable invariant checking and checking of pre- and
post-conditions. Choose Project, Project Options, then Interpreter, then enable the first 4
options listed for the interpreter.
2. Add the following test class to your specification file:
class Test1
instance variables
public a1
: Alarm
public a2
: Alarm
public ex1 : Expert
public ex2 : Expert
public ex3 : Expert
public ex4 : Expert
public plant: Plant

:=
:=
:=
:=
:=
:=
:=

new
new
new
new
new
new
new

Alarm(<Mech>,"Mechanical fault");
Alarm(<Chem>,"Tank overflow");
Expert({<Mech>,<Bio>});
Expert({<Elec>});
Expert({<Chem>,<Bio>,<Mech>});
Expert({<Elec>,<Chem>});
Plant({a1},{p1 |-> {ex1,ex4},
p2 |-> {ex2,ex3}});

values
6

public p1:
public p2:
public p3:
public p4:
end Test1

PlantPeriod
PlantPeriod
PlantPeriod
PlantPeriod

=
=
=
=

mk_token("Monday day");
mk_token("Monday night");
mk_token("Tuesday day");
mk_token("Tuesday night");

The class Test1 defines and initialises a number of instance variables. Pay attention to the
way that quote types, sets and mappings are initialised. For example, plant is initialised
using a set of alarms {a1} and a schedule mapping.
3. Save, syntax check and type check your file. Assuming no problems, open the interpreter
and initialise the specification (type init).
4. To initialise the test class execute the command
create t:= new Test1()
This creates a new, initialised instance bound to the name t. Examine your model by
evalating these commands:
print t.plant
print t.plant.NumberOfExperts(t.p1)
print t.plant.ExpertIsOnDuty(t.ex2)
and others.
5. Add a new value to your model for the expert to be identified by the variable name barney,
with an empty set of qualifications.
6. Now return to the interpreter, and re-initialise the specification. You should find that when
object t is reinitialised, there is a precondition violation.
If there is not, but there is a broken instance invariant, you will need to add a precondition to the Expert class constructor.
If there is neither, you may have ommitted to add the invariant to the Expert class.
Go back and do this.
If there is still no error, you have probably not set the invariant checking, and pre/post
checking, options in the interpreter as described above. Go back and do this.
Failing all this, ask the teacher!
7. Modify your test value to satisfy the invariant.

11

Show Traces in showtrace

In the directory where the project file is stored there will now be a file called logfile. Start up
eclipse and select Window->show view->other and select the Overture->tracefile viewer. Load
the newly generated logfile and an architecture overview with simply one CPU will appear. If one
selects the pane for that CPU it is possible to get an overview of the execution trace shown in
Figure 3.
This completes the first tutorial. It has omitted many details of the guided tour discussed in
the lecture notes, so if you have completed this you may optionally go through the notes to add
the other invariants and preconditions discussed there.
Remember to show your work to the teacher when you have finished this tutorial.

Figure 3: Overview of operation trace