Proceedings of the 7th OVERTURE workshop by Larsen PG & Bryans JW
  
COMPUTING 
SCIENCE 
Proceedings of the 7th OVERTURE Workshop 
 
Peter G. Larsen and Jeremy W. Bryans (Eds.) 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
TECHNICAL REPORT SERIES 
 
No. CS-TR-1177 November 2009 
TECHNICAL REPORT SERIES 
              
 
No. CS-TR-1177  November, 2009 
 
 
Proceedings of the 7th OVERTURE workshop 
 
P.G.Larsen, J.W. Bryans (Eds.) 
 
Abstract 
 
This report contains the proceedings of the 7th OVERTURE workshop, held in 
Eindhoven on 2nd November 2009. 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
© 2009 University of Newcastle upon Tyne. 
Printed and published by the University of Newcastle upon Tyne, 
Computing Science, Claremont Tower, Claremont Road, 
Newcastle upon Tyne, NE1 7RU, England. 
Bibliographical details 
 
LARSEN, P.G., BRYANS, J.W.(EDS.) 
 
Proceedings of Formal Aspects of Virtual Organisations 2009  
[By] Larsen, P.G., J. W. Bryans,(Eds.) 
 
Newcastle upon Tyne: University of Newcastle upon Tyne: Computing Science, 2009. 
 
(University of Newcastle upon Tyne, Computing Science, Technical Report Series, No. CS-TR-1177) 
 
Added entries 
 
UNIVERSITY OF NEWCASTLE UPON TYNE 
Computing Science. Technical Report Series.  CS-TR-1177 
 
 
Abstract 
 
This report contains the proceedings of the 7th OVERTURE workshop, held in Eindhoven on 2nd November 
2009. 
 
About the editors 
 
Peter Gorm Larsen is Professor of Computer Technology and Embedded Systems at The Engineering College of 
Aarhus, Denmark. He also works as an independent consultant.  Peter is an authority on system modelling, and 
particularly the Vienna Development Method. Alongside research on VDM’s foundations, he has pioneered the 
development of industrial-strength tool support for model-oriented specification languages, latterly heading the 
group that developed what are now the CSK VDMTools(R)products. He has developed and delivered many 
courses in applicable formal methods. He was co-author with John Fitzgerald of "Modelling Systems: Practical 
Tools and Techniques in Software Development" and continues to collaborate closely, for example on object-
oriented design using formal techniques. Until recently, he was Chief Business Solution Architect with Systematic 
Software Engineering A/S, a leading software development company based at Aarhus in Denmark.  
 
Jeremy received his BSc in Mathematics and Computer Science from Reading University in 1993, and his PhD in 
1997, also from Reading University. He has worked in a number of university departments, including Royal 
Holloway, Kent and Stirling, and has been at Newcastle since December 2002.  His research is in the security of 
information within large computer-based systems. A particular area of current interest is access control the 
development and maintenance of access control policies within dynamic coalition.  In the past at Newcastle he has 
worked on including DIRC (the Interdisciplinary Research Collaboration on Dependability) and GOLD (Grid 
Oriented Lifecycle Development) He is currently employed on the User Friendly Grid Security project and TrAmS 
(Trustworthy Ambient Systems). He is part of the RESIST network, and a member of RESIST's working group on 
Verification. 
 
 
Suggested keywords 
 
VDM,  
VDM TOOLS,  
TESTING,  
DESIGN PATTERNS 
Proceedings of the 7th OVERTURE workshop
2nd November, 2009, Eindhoven
Editors: Peter G. Larsen and Jeremy W. Bryans
Contents
The Overture Initiative: Integrating all VDM tools
David Holst Møller and Christian Thillemann 2
Challenges in Inheriting Test Cases - Configurations from VDM
to Implementation
Fuyuki Ishikawa and Yumiko Murakami 17
Overture 2.0 – Preparing for the Future
Marcel Verhoef 27
How Top-Level Engineers Learn and Investigate VDM:
Experiences in the Top SE Project
Fuyuki Ihsikawa, Kenji Taguchi and Shinichi Honiden 28
Formalising Concurrent and Distributed Design Patterns with
VDM
Sune Wolff 38
The Overture Initiative
Integrating all VDM tools
David Holst Møller (david@netlinq.dk)
and Christian Thillemann (christian@thillemann.com)
Engineering College of Aarhus, Denmark
Abstract. For many years academics have agitated for the use of formal
methods in software development, arguing that it is an effective remedy
for low quality of software and a method for detecting defects earlier,
decreasing rework and automating property checking. The industry in
general however has been reluctant to adopt the use of formal meth-
ods. The lack of adequate tool support has been proposed as one of the
most important reasons for this. While there also may be other reasons,
this paper seeks to accommodate the need for adequate tool support by
investigation of the possibilities for developing an IDE for VDM develop-
ment. VDM is one of the oldest and most mature formal methods avail-
able. IDEs for established programming languages such as Java, C++,
C# etc. provide a comprehensive set of features aiding the developers
in their work. For VDM such functionality is unavailable. Eclipse is a
widely used software development platform that offers a plug-in system,
allowing extension of existing functionality. Eclipse will be used as the
platform for an IDE comprising editor, parser, type checker and debug-
ger and integration of available VDM tools. Thus providing a common
interface for VDM development. This paper describes the work that has
been done in the master thesis “Using Eclipse for Exploring an Integra-
tion Architecture for VDM” Using Eclipse for Exploring an Integration
Architecture for VDM” [lT09].
1 Introduction
The Vienna Development Method(VDM) is one of the most mature formal meth-
ods for formal specification and subsequent development of functional aspects
of software systems. The language is used during the specification and design
phases of software development projects. It supports the production of correct
high quality software [Lar01]. The VDM Specification Language (VDM-SL) is
the core of formal language VDM. VDM has an extended notation that pro-
vide support for object oriented structuring and handling of concurrency called
VDM++ [FLM+05]. Furthermore another notation called VICE is available,
VICE supports modelling of embedded real-time systems [VL06]. The different
notation forms will in this paper be referred to as dialects.
A powerful Integrated Development Environment (IDE) is essential for the
success of any computer based language. An IDE consists of a set of integrated
2
tools aiding the development process. It is not only the characteristic of a lan-
guage itself that is important for effective development of software; the availabil-
ity and quality of the whole set of relevant tools for the given language are also
significant factors. In order for a tool to qualify as an integrated development
environment the following should be provided [www07]:
– Source Editor
– Compiler/Interpreter
– Build automation tools
– Debugger
Obviously, even though a tool does in fact provide the above mentioned, this
alone does not provide any guarantee that the tool is a good IDE. The listed
bullets represent the lowest common denominator and an IDE is not necessarily
limited to this. Even the best technology is likely not to achieve widespread use
if the tool support is poor.
While mainly academics has agitated for the use of formal methods for several
years, the industry has been reluctant to adopt it in the development process.
One reason suggested for formal methods not being used more widely by software
developers is the lack of adequate tool support[Kni97][CM97]. While many other
reasons also have been proposed, it is certainly true that VDM developers today
are not provided with an impressive set of tools. Currently, the most feature-
rich tool available is a commercial tool, VDMTools [FLS08]. VDMTools which
includes features like syntax- and type-check, code- and proof obligation gener-
ation and an interpreter with debugging capabilities. There is no source editor
provided as in integrated part of VDMTools, and the use of other interpreters
is not possible. Section 3 will go into detail about qualities and shortcomings
of VDMTools and provide an analysis of what a fully fledged VDM IDE should
include. A primary objective of this paper; is to describe the development of
an IDE with an integrated editor with support for running and debugging of a
VDM models. Acknowledging how crucial a well build IDE is for a development
process, and for the success in market penetration for any computing language,
and recognising its inadequacies but also the qualities of VDMTools, will be the
point of departure. The possibilities of developing an effective and user friendly
IDE that serves as a common platform for VDM development by integrating
existing and future interpreters and tools, will be investigated in this thesis.
Through out this paper, this IDE will be referred to as the Overture IDE.
The open source community overturetool recently got a new tool VDMJ de-
veloped by Nick Battle, which provides syntax- and type-check, proof obligation
generation and an interpreter with debugging capabilities. Besides VDMJ the
overturetool community have additional tools that may help developing VDM
models. The thesis aimed to develop a common platform that supports both the
Overture community’s tools and the features available from VDMTools.
The Overture Community, prior to the establishment of this project, already
conducted an assessment of the platform that must be used for the integra-
tion of the Overture Tools, and found the Eclipse platform most suited. Eclipse
3
is an open source development platform[CR06], by itself, it is simply a frame-
work and a set of services for building development environments from plug-in
components[Gal02], but by implementing plug-ins, and thus extending the plat-
form, a complex environment can be built.
This paper starts off with introduction to Eclipse and its plug-in architecture
in presented in section 2. Then a quick description of the vision for the final IDE
in section 3. Afterwards section 4 provides information of the debugger and the
decoupling of the IDE and the debugger. Finally Section ?? rounds off the paper
with a few concluding remarks about the future development plans the Overture
IDE.
2 Eclipse
Eclipse is intended to serve as a platform for a whole variety of different tools.
In the Eclipse Documentation in the “Platform Plug-in Guide” the challenge
Eclipse should take on is described:
“What we all want is a level of integration that magically blends sepa-
rately developed tools into a well designed suite. And it should be simple
enough that existing tools can be moved to the platform without using a
shoehorn or a crowbar. The platform should be open, so that users can
select tools from the best source and know that their supplier has a voice
in the development of the underlying platform.” [Ecl08]
While Eclipse does provide a good Java IDE, this is only a small part of
Eclipse, and to some extend meant as an example of what is possible using this
platform. The details about how Eclipse serves as a platform for tools developed
by different independent software vendors is described in section 2.1.
The Eclipse platform user interface is based on editors, views, and perspec-
tives. From the user’s point of view, a Workbench window visually consists of
several views and editors. A perspective defines an appropriate collection of
views, their layout, and applicable actions for a given user task. A view is a
workbench part that can navigate a hierarchy of information or display prop-
erties for an object. Figure 1 shows a screenshot of the Overture IDE build on
top of Eclipse, the editor is the area under the tab “atmcard.vpp” with syntax
highlighting, where the user edits the model. Examples of view is the Problems
view (bottom of the figure) and outline-view (right of the figure).
2.1 Plug-in Architecture
Essentially Eclipse is an extensible platform that supports a plug-in architecture,
the basic platform does not provide much functionality by itself. In other words,
what Eclipse offers is a common, platform independent, user interface that allows
developers to create plug-ins supplying tools for different tasks.
The platform consists of layers of plug-ins, each layer defining extensions to
extension points of lower layers. Plug-ins are components that provide a certain
4
Fig. 1. Overture IDE
5
type of service within the context of the Eclipse workbench. Extensions are
the central mechanism for contributing behaviour to the platform. Plug-ins can
define their own extension points for further customisation.
Except for a small kernel known as the Platform Runtime, all of the Eclipse
Platform’s functionality is located in plug-ins (see figure 2), different plug-ins
can be installed depending on the functionality desired.
A project developed for the Eclipse platform consists of a set of one or more
plug-ins, where each plug-in represents a logical module of that project, which
in turn can depend on other plug-ins.
Fig. 2. The Plug-in Architecture of Eclipse
The box on the right hand side of figure 2 with the caption Overture Plug-
ins represents the plug-ins that make out the implementation of the Overture
IDE. DLTK is the abbreviation for Dynamic Language Toolkit(described in 2.2)
and the Other Plug-ins box represents other plug-ins that might be installed in
Eclipse.
2.2 Dynamic Language Toolkit (DLTK)
The Dynamic Language Toolkit has generalised the Eclipse JDT’s code and
follows the architecture of the JDT.
6
“Dynamic Languages Toolkit (DLTK) is a tool for vendors, researchers,
and end-users who rely on dynamic languages. DLTK is comprised of a
set of extensible frameworks designed to reduce the complexity of building
full featured development environments for dynamic languages such as
PHP and Perl. Besides a set of frameworks DLTK provides exemplary
Tcl, Ruby, and Python development environments ready to use out of
the box.” [DLT]
The DLTK is still a rather immature toolkit, and the documentation is rather
poor. However the source code for a few projects that serve as examples are
available.
DLTK makes it easier to create a development environment in Eclipse, but
there are still some drawbacks. First of all, it is still under development, and a
final version of DLTK 1.0 is yet to be released. Updates are being released and
the framework is being improved gradually, the updates however are not always
backward compatible and occasionally when the the DLTK has been updated,
the already developed source has had to be modified in order to comply with
the changes.
Like many other Eclipse plug-ins, DLTK depends on other plug-ins. Nor-
mally when updating a plug-in depending on other plug-ins, these dependencies
should be resolved by the updater, and the plug-ins necessary should be installed
automatically.
DLTK builds on top of JDT, in an effort to reduce the complexity of building
full featured development environments, JDT avoids the use of internal interfaces
and instead relies on plug-in extensions [DFK+03].
There clearly are drawbacks concerning the use of DLTK, but it provides easy
implementation of a lot of the functionality including the IDE side of the debug-
ging protocol implementation described in section 4. This has been considered
valuable enough to compensate for the immaturity of the toolkit.
3 Vision
Today there is not one specific tool that covers all VDM tasks, consequently
the required effort when developing VDM models, especially for developers new
to VDM, could be lowered and the efficiency improved. There exist different
interpreters and VDM dialects, but since they are all related, features that will
prove beneficial for one will most likely also be beneficial when working with
others. The IDE for VDM development should have one common user interface,
so that the developer only needs one tool for all VDM development. This leads
to less time spent on tool setup and less effort spent familiarising with different
tools.
Making use of a framework that developers are already familiar with to struc-
ture the interface within will furthermore improve the accessibility for new users
of the VDM IDE. Eclipse is an obvious choice; first of all because it is widely
used among developers today. Secondly it is a platform independent IDE allow-
ing both Windows, Macintosh and Linux users to work in it. Finally Eclipse is
7
designed around a concept of plug-ins, which means that the VDM IDE does not
have to be developed from scratch. but instead can be plugged into an existing
well established IDE.
Before commencing the actual implementation of the IDE, a vision for what
features the IDE should provide is necessary, the following sub section sum-
marises these features.
3.1 Feature overview
Syntax Errors and Type Check Errors During editing of a VDM model,
the Eclipse Editor will parse the content of the file, if there are any parse errors,
they will be reported in the Problems View. Each time a specification is saved
the Editor type checks the model and reports errors and warnings if any. For
each warning and error a line containing a description and information about
the location and the type of the error or warning is displayed.
Each error and warning is marked in the editor with a icon displaying a light
bulb and a red cross or yellow triangle respectively in the left margin of the
editor. The line is also highlighted and the error is marked with a wavy also in
red or yellow depending on whether a error or a warning is in question.
Basic Editor Functionality A standard text editor like notepad can only
view the content of text files. Features such as folding, syntax highlighting, and
highlighting of errors and warnings all make the development process easier
by giving the user a better overview of the model. Most IDEs today provide
intellisense, which can be described as automatic completion of words, the IDE
can suggest completions of what the user is writing. Intellisense is not limited to
language dependent keywords only, and typically completion of declared elements
are suggested. In Java these elements would be variables, fields, methods, classes
and so on.
Navigation When working on large projects an essential feature is the ability
to quickly navigate to specific declarations. The developer can easily navigate
to the definition of an element simply by using the go to definition feature from
wherever a defined element is being used in the VDM model.
The Project Explorer View and the Outline View also aids the developer in
the navigation of models. The former basically provides an overview of projects
and files contained by these projects while the latter contains classes, operations,
functions, variables and so forth in a tree structure. This tree structure pro-
vides an overview of a given file, double-clicking an element in the Outline view
will navigate the user to the declaration of the corresponding element. Double-
clicking an error or a warning in the Problems View will navigate the user to
the corresponding location in the model in the same manner as double-clicking
an element in the Outline View will do.
8
Refactoring During development, definitions will typically have to be adjusted,
e.g. renamed, or parameters for an operation or function have to be changed.
Martin Fowler defines refactoring as follows:
“Refactoring is the process of changing a software system in such a way
that it does not alter the external behavior of the code yet improves its
internal structure. It is a disciplined way to clean up code that minimizes
the chances of introducing bugs. In essence when you refactor you are
improving the design of the code after it has been written.” [FBB+99]
An important point to stress out here, is the sentence: “In essence when you
refactor you are improving the design of the code after it has been written.”.
Because there is no tool support for refactoring today, for VDM the task of
refactoring is tedious and error prone, and thus the process of refactoring might
actually have the direct opposite effect than what is desired. The only means
available when performing VDM refactoring today is the simple search (and
replace) functionality provided by most text editors. In comparison IDEs today
provide many different tools when refactoring, support of such feature would
greatly improve the development process, and reduce the risk of introducing
errors during the process of refactoring.
Since modelling a system typically is done early in the development process,
changes are likely to appear. Therefore refactoring is a great tool to have in the
IDE, providing effective and safe renaming of operations, functions, etc.
Debugging features The Debug Perspective contains the views needed for
debugging in VDM. The perspective is very much like the Debugging perspective
for Java in Eclipse. The user can easily set breakpoints at a desired place in a
model. When the model reaches the location of the breakpoint, the user can
inspect the values of different identifiers and step through the VDM model, line
by line.
The debug perspective shows the VDM model in an editor, the one used
in the Overture Perspective, but in this perspective there are also views useful
during debugging. The features provided in the debug perspective are described
below.
Many IDEs, for instance like Netbeans, Visual Studio and Eclipse, have sup-
port for debugging concurrent programs, supporting switching between different
threads. The VDM editor should also include this very useful feature.
Debug View Debugging is an essential feature for an IDE, and in the Overture
IDE the Debug View shows all running models and the call stack belonging to
them. It also displays whether a given model is stopped, suspended or running.
This view provides buttons for debugging commands such as; stop, step into,
step over, resume, etc. All threads are also shown, along with their running
status. It is possible to switch between threads from the Debug View.
The Variables View shows all the variables in a given context when a break-
point it reached. The variables and their values displayed are automatically
9
updated when stepping through a model. The Breakpoints View provides a
overview of all breakpoints and allows the user to navigate to the location of
a given breakpoint, disable, delete or set the hit count or a break condition for
a given break point.
Expressions View The Expressions View allows the user to write expressions
and create watch expressions that are are automatically updated when stepping
through the model.
The Interactive Console View is used for more thorough inspections. Here
commands can be executed on the given context, i.e. where the debugger is
stopped at a breakpoint. The Interactive console keeps a command history, so
that already executed commands can be run again without actually typing in
the command all over. Intellisense is also supported by the Interactive Console
View.
Other useful features Features such as test coverage, proof, profiling and
combinatorial testing are powerful features that in the longer term also should
be provided by the Overture IDE. The vision for these features however are not
essential for the first prototype of the Overture IDE and will not be furtherly
discussed in this paper.
4 Debugger
The Overture IDE must serve as a common interface for different interpreters.
This is done by using the debugging protocol DBGp which is an integrated part
of the DLTK, and this enables the Overture IDE to communicate transparently
with a VDM interpreter. DBGp makes it possible to have one standardised
interface for wrapping interpreters, such that the IDE can communicate with
all interpreters implementing a given interface. This section describes the DBGp
and how it has been used in the development of the Overture debugger.
Multiple VDM engine support and utilisation of different interpreters are
some of the key concepts in this project. The documentation for the protocol is
limited at the moment, but a basic description can be found in [Sha]. The lack of
documentation is however compensated for by the fact that a good number other
open source projects use the same protocol. Furthermore, the DLTK provides
most of the functionality on the IDE side in Eclipse. Commands from Eclipse are
implemented as part of the DLTK, hence allowing the developer to concentrate
on the debugging server side of the protocol implementation.
4.1 DBGp transport layer
The communication between the IDE and the debugging server goes through a
TCP/IP-socket. This means that the debugging server does not have to run on
10
Fig. 3. DBGp Overview
the same machine as the debugger, therefore remote debugging can be imple-
mented with relatively little extra effort. Figure 3 illustrates the architecture of
the DBGp.
In order to avoid the need for an XML parser on the debugging server side,
the debugging client sends ASCII formatted commands. While XML-parsing can
be an issue on a simple debugging server, because it might require additional
libraries, XML generation, on the other hand, is not. Since the client normally
is an IDE, it can be assumed that XML parsing is not a problem. Therefore the
responses to the client, which in turn also tend to grow more complex than the
commands, are sent as XML formatted data.
4.2 Overture IDE debugging implementation
Figure 4 shows how the Overture IDE interact with the the two interpreters
provided by VDMJ and VDMTools. The component VDMTools.jar is an API
that makes it possible to access the functionality provided by VDMTools pro-
grammatically using a CORBA-interface. The component VDMTools.jar is an
API that makes it possible to access the functionality provided by VDMTools
programmatically. The VDMToolsDBGp.jar is library build from the project
with the same name. It establishes the DBGp connection for VDMTools by call-
ing the VDMTools using a provided CORBA-interface. As the name suggests
VDMJ.jar the library compiled from the VDMJ source code. This section ex-
plains the development of the server side of the debugging protocols for the two
interpreters.
VDMJ’s debugging protocol is developed in cooperation with Nick Battle.
The development process has been divided into three parts: development, test-
ing, and feedback. When a new version of VDMJ was released, it was tested
in the Overture IDE. If any errors or missing features was found in the testing
process, a patch or a mail is then sent with the feedback. The Debugging proto-
col was extended by repeating these processes. The knowledge acquired in the
11
Fig. 4. Overture Interpreter Architecture
development of the VDMJ debugging protocol, made it easier for us to design
the VDMTools implementation.
Developing the debugging protocol for VDMTools, was done by creating two
projects: an abstract project including the standard DBGp features, and a sub-
project that handles VDMTools specific communication with VDMTools. Using
this approach made it easier to create new DBGp implementation by extending
the abstract project.
The abstract project handles the standard communication with the Over-
ture IDE, this includes sending responses, listening for incoming commands,
and base64 encoding. A strategy pattern is used to handle the debugging servers
supported features [SM02]. A benefit of using this pattern is, that each behaviour
is defined in its own class, so the strategy (feature in the current case), leads to
more easily maintainable behaviours. It also becomes easier to incorporate new
behaviours without extensive change of the application.
Figure 5 shows a simplified class diagram focusing on how the feature ’set breakpoint’
is implemented. The functionality for the feature is implemented in the class
SetBreakpoint, which implement the abstract class CommandResponse. On ini-
tialisation all the supported strategies will be added to a strategy list, when the
DBGp server receive a new command, if the command is supported the method
parseAndExecute is invoked.
The CORBA-interface misses some functionality to complete the implemen-
tation of the debugging protocol for VDMTools.
5 Conclusion
The main goal has been to investigate the possibilities for using Eclipse as plat-
form for an IDE for VDM development, and the development of a functioning
prototype. The focus of the prototype has been on essential IDE features, such
12
Fig. 5. A simplified Class diagram of VDMTools DBGp
as structured resource management, syntax highlighting, aided navigation and
debugging.
One of the primary capabilities that has been focused on is the support for
multiple interpreters and dialects and equally important; an architecture sup-
porting the addition of other interpreters. VDMJ is the interpreter that is inte-
grated most thoroughly with the Overture IDE, while there are still a few loose
ends when it comes to VDMTools. It is however important to stress out that the
lack of integration of VDMTools in not a matter of insurmountable technical
difficulties. On the contrary the communication and invocation of VDMTools
is fully functional, the shortcomings mainly come down to the fact that func-
tionality, crucial especially to the debugging process, is missing from the current
VDMTools CORBA interface.
5.1 Revisiting the Initial Vision
While the main goal was reached, there are still features which has not yet been
fully implemented. A key point in the discussion of the inadequacies concerning
VDMTools is the fact that the development cycle not is integrated; VDMTools
does not provide an internal environment for editing of models - the Overture
IDE was intended to address this matter. While it has not been the aim to
implement all features presented in the vision in section 3, the Overture IDE
does offer a well integrated development environment providing editor, debug-
ger, parser, and type checker. The editor has Syntax highlighting of keywords,
strings, types, comments, etc. with different colours which can be altered by the
user to fit his liking. This being established, there is still room for improvement:
Intellisense is only available for keywords, not for elements declared in a given
model. A requirement established in the vision is the need for an editor providing
easy navigation, in the same chapter it is described how the Go To Definition
functionality enables the user to easily go to the definition of an element from
13
wherever it is being used. This is not yet implemented. The outline view does
however provide an easy navigatable overview of elements such as classes, oper-
ations, functions, values and instance variables.
When using VDMTools for parsing and type checking, the user can easily
navigate to the location of syntax errors and type check errors in the model, but
not actually correct the errors from within VDMTools since no internal editor
is provided. By displaying of syntax errors and type check errors the Overture
offers similar functionality, but also enables the user to correct any errors or
warnings directly. Double clicking the description of an error or warning will
navigate the user to the corresponding location in the editor.
The debugger is integrated with the text editor, when reaching a breakpoint,
the corresponding line in the model is highlighted. Stepping in the model will
advance the highlighted line to the location of the debugger. At the same time
an automatic display of variables is being maintained in the variables view which
also should give the developer possibilities for further inspection of variables. But
for the time being all values are converted to strings before they are sent to the
IDE by the interpreter. This means that complex types cannot be subject for
further inspection, all details are however displayed, and further inspection can
be carried out via the interactive console.
Support for addition of breakpoints directly in the editor ensures that the
developer can easily add breakpoints during the specification of a model without
having to navigate menus or views, the IDE also offers support for conditional
breakpoints. Via the interactive console it is possible to evaluate expressions while
debugging. The call stack is available for inspection via the debug view in the
debug perspective.
User friendly support for concurrent thread debugging is only partly sup-
ported, the IDE supports changing between threads but there still are some
problems with the implementation of the communication via the debugging pro-
tocol. When reaching breakpoints the communication about what thread the
breakpoint is in fails. This causes an error in the debugging process which then
fails. The cause of the error is however located, but not yet corrected due to the
time constraints of completing this thesis project.
Easy available test coverage measurements is not supported, but should be
implemented as described in the vision. Combinatorial testing has been devel-
oped within the Overture Community by Kenneth Lausdahl in cooperation with
the authors of this project. While the feature are implemented as an plug-in for
Eclipse, it has not yest been fully integrated with the Overture IDE.
6 Overall Conclusion and Future Work
Comparing the vision and the achieved goals will let us know that there is still
work needed before the Overture IDE fully can aid developers to the extend
the Overture Community ultimately aims for. Exactly because a fully fledged
IDE supporting everything involved with VDM development not has been within
the scope, an architecture allowing further extension has been important during
14
design and implementation. Functionality can be added to the existing imple-
mentation without having to rewrite current features, but by further extension
of them.
The integration of interpreters is implemented in such a way that debug-
ging functionality easily can be moved to another IDE. By the development of
a project containing core debugging functionality and abstract classes for inter-
preter specific implementation it is easy to integrate other VDM interpreters
should such need arise.
Comparing the VDM development process before the Overture IDE when
VDMTools was the only real option, it is fair to say that a lot of the inadequacies
has been overcome by the Overture IDE. At the moment there exist a working
Overture IDE which proves that it is not only possible, but also feasible to
use Eclipse for an integration architecture for VDM. While the architecture
does provide a portable debugging functionality, it has however not been proven
possible to develop an architecture which both draws the benefits of extending
existing Eclipse functionality and supports high portability.
The Overture IDE has been developed in order to investigate the possibilities
for integrating VDM tools in one common platform for all VDMwork. While such
an IDE has not been developed, it has been proven possible. Logically the next
steps are to fully implement the IDE. The basic features have the highest priority,
these are the features marked at either unimplemented or partly implemented
in table shown in section 5.1.
Support for multi-threaded debugging, full integration of VDMTools and
support for different VDM dialects are also highly important features. Imple-
mentation of these features and full support for the basic IDE features such
as intellisense and refactoring, will mean that the Overture will become a very
strong alternative to VDMTools. This will mean that it should be possible to
attract a user base providing valuable feedback and hopefully also contributers
to the IDE.
With the problems concerning DLTK and the lack of documentation in mind,
more documentation about the implementation of the different features in Over-
ture including the IDE should be provided. Thus minimising the risk of loosing
potential contributers.
References
CM97. Holloway C. Michael. Why engineers should consider formal methods. Tech-
nical report, NASA Langley Research Center, 1997.
CR06. Eric Clayberg and Dan Rubel. Eclipse: Building Commercial-Quality Plug-
ins (2nd Edition) (Eclipse Series). Addison-Wesley Professional, 2006.
CTM09. User manual for the overture combinatorial testing plug-in, 2009.
DFK+03. Jim D’Anjou, Scott Fairbrother, Dan Kehn, John Kellerman, and Pat Mc-
Carthy. The Java Developer’s Guide to Eclipse, 2nd Edition. Addison-
Wesley, 2003.
DLT. A guide to building a dltk-based language ide. http://wiki.eclipse.org/
A guide to building a DLTK-based language IDE.
15
Ecla. Eclemma. http://www.eclemma.org/.
Eclb. Eclipse test & performance tools platform project.
http://www.eclipse.org/tptp/.
Ecl08. Eclipse Documentation, 2008.
FBB+99. Martin Fowler, Kent Beck, John Brant, William Opdyke, and Don Roberts.
Refactoring: improving the design of existing code. Object Technology Series.
Addison-Wesley, 1999.
FLM+05. John Fitzgerald, Peter Gorm Larsen, Paul Mukherjee, Nico Plat, and Marcel
Verhoef. Validated Designs for Object–oriented Systems. Springer, New
York, 2005.
FLS08. John Fitzgerald, Peter Gorm Larsen, and Shin Sahara. VDMTools: advances
in support for formal modeling in VDM. Sigplan Notices, 43(2):3–11, Febru-
ary 2008.
Gal02. David Gallardo. Getting started with the eclipse platform. developerworks,
2002.
Kni97. Why Are Formal Methods Not Used More Widely, 1997.
Lar01. Peter Gorm Larsen. Ten years of historical development ’bootstrapping’
vdmtools. Universal Computer Science, vol. 7, no. 8 (2001),, 2001.
lT09. David Holst Møller and Christian Rane Paysen Thillemann. Using eclipse
for exploring an integration architecture for vdm. Master’s thesis, Universty
of Aarhus, 2009.
Sha. Derick Rethans Shane Caraveo. Dbgp - a common debugger protocol for
languages and debugger ui communication. http://www.xdebug.org/docs-
dbgp.php.
Shi00. Jack Shirazi. Java Performance Tuning. O’Reilly, 2000.
SM02. Stephen Stelting and Olav Maassen. Applied Java Patterns (Sun Microsys-
tems Press Java). Prentice Hall PTR, 2002.
VL06. Marcel Verhoef and Peter Gorm Larsen. Enhancing VDM++ for Modeling
Distributed Embedded Real-time Systems. Technical Report (to appear),
Radboud University Nijmegen, March 2006. A preliminary version of this
report is available on-line at http://www.cs.ru.nl/∼marcelv/vdm/.
www07. www.Javvin.com. Network Dictionary. Javvin Press, 2007.
16
Challenges in Inheriting Test Cases
Configurations from VDM to Implementation
Fuyuki Ishikawa1 and Yumiko Murakami2
1 GRACE Center,
National Institute of Informatics
2-1-2 Hitotsubashi, Chiyoda-ku, Tokyo, Japan
2 Mitsubishi Electric Corporation
5-1-1 Ofuna, Kamakura, Kanagawa, Japan
Abstract. VDM and its dominant tools, VDM Toolbox, provide sup-
port for lightweight usage of formal methods to verify and validate re-
quirements and designs in early phases of system development. Specifi-
cally, testing based on the executable subset of the formal languages and
the interpreter has played the primary role. However, it is not clear how
the correctness and validity ensured at the VDM level are confirmed also
at the implementation level. In terms of testing, test cases at the VDM
level should be inherited and targeted for verification and validation at
the implementation level. This study presents an initial approach to a
general testing framework to support inheritance of test cases from the
VDM level to the implementation level. Apart from syntactic issues, this
study especially focuses on the fact VDMmodels are typically abstracted
compared with the implementation codes. It implies that test cases at
the VDM level can be abstracted compared with the corresponding test
cases, or the test cases with the equivalent intentions, at the implemen-
tation level. The proposed approach aims at dealing with this point,
facilitating inheritance of test case configurations at the VDM level to
the implementation level, even with abstraction at the VDM level.
1 Introduction
Formal methods are attracting increasing attention from the software industry,
as software is getting more and more complex while efficiency and reliability of
software development is getting more and more significant. On the other hand,
there has been a gap between knowledge and techniques that software engineers
in the industry generally have and those required for use of formal methods.
Lightweight usage of formal methods are one of the countermeasures against the
problem. For example, lightweight use may exclude approaches to completeness
of verification, i.e., model checking or theorem proving, while keeping the essence
of early verification and validation with formal (machine-processable) languages
and supporting tools. VDM and its dominant tools, VDM Toolbox, provide sup-
port for such lightweight usage and primarily consider testing of formal models
with the interpreter, which ordinary developers are quite familiar with [1].
17
The languages of VDM, VDM-SL and VDM++, allow for formal mod-
eling of system states and functionalities in the form of variables and func-
tions/operations. It means that the modeling structure and the constituent el-
ements are similar to programming languages, VDM models can thus be tested
in a similar way to implementation codes, e.g., calling operations with specific
inputs in a specific order and examining the outputs and the resulting states.
On the other hand, abstraction is the key point in VDM and differentiates VDM
models and implementation codes. In order to concentrate on issues that should
be tackled in a certain phase of the development process, VDM models are con-
structed by extracting aspects essential to discuss the issues while eliminating
unnecessary details.
VDM models are constructed to model, verify and validate requirements and
designs in early phases of software development, because it is much more costly
to resolve deficiencies of such intermediate outputs in later phases. However, as
the final output is the implementation of the system, the correctness and validity
ensured at the VDM level needs to be confirmed also at the implementation level.
One way is to use trusted translators from VDM models to implementation
codes, which are provided in VDM Toolbox for C, C++ and Java. However,
generated code is often insufficient in terms of readability and performance.
Actually, the VDM-to-Java translator in VDM++ Toolbox provides an option
to generate only skeletons in Java so that developers can reuse the signature
definitions at the VDM level while specifying sophisticated codes by themselves.
The limitation of code generation was also pointed out in the recent case of
successful application of VDM to IC card systems [2]. In the application case,
instead, a test suite was developed and used to examine the same set of test
cases to VDM models and implementations (this time a chip simulator and
each of a number of different chip implementations). The application case thus
pointed out the significance of inheritance of test cases from the VDM level to
the implementation level as well as the significance of making the inheritance
efficient. A generalized framework, similar to the test suite in the application
case, is necessary, as it seems too costly for every project to develop its own test
suite.
This study presents an initial approach to a general testing framework for
supporting inheritance of test cases from the VDM level to the implementation
level. First of all, syntactical translations and tool adapters are necessary in order
to make equivalent operation calls, which constitute test cases, on VDM Toolbox
and on environments for programming languages. However, this study does not
focus on those issues, most of which could be dealt with by applying common
techniques such as the CORBA API of VDM Toolbox, reflection mechanisms
in Java, and syntax translators. Instead, this study puts a focus on the fact
VDM models can often be abstracted compared with the implementation codes.
It implies that test cases at the VDM level can be abstracted compared with
the corresponding test cases, or the test cases with the same intentions, at the
implementation level. Because developers want to specify test cases that reflect
a certain intention just once, this study aims at providing support to handle the
18
gaps between test cases on abstract VDM models and those on implementation
codes.
In the remainder of this paper, Section 2 discusses in detail the issues of in-
heritance in test cases. Section 3 discusses the design of the proposed framework
to tackle the problem. Section 4 discusses the advantages and limitations of the
approach as well as future work, before concluding remarks.
2 Problem
This section first describes issues in inheritance of test cases, and then discusses
how abstraction in VDM models complicates the problem.
2.1 Inheritance of Test Cases
As discussed earlier, the correctness and validity ensured at the VDM level needs
to be confirmed also at the implementation level. In terms of testing, test cases
at the VDM level should be inherited and targeted for verification and validation
at the implementation level.
Figure 2.1 illustrates an abstract process that this study aims at facilitating.
A testing framework should be provided so that basically developers write test
case configurations once and can run the test cases both on VDM models and
on (possibly multiple) implementation codes. Actually, specific configurations
to each language and each environment would allow for the maximum use of
functionalities of each environment. Even in such cases, anyway, the common
part of test case configurations should be reused as much as possible.
????? ????
??????????????
?????????????????
????????
?????????????
????????
??????
?????
??????? ???
????????????????????? ?????????
????????????????????????
???????????
???
?????????????????????????
?????????????? ?????
Fig. 1. Inheritance of Test Cases
Developing such a framework is a challenging task, including the following
issues.
19
Test Case Configuration The notation should allow for general configura-
tions of each test case, namely, an ordered sequence of creation of values
(objects), operation calls3, and checking the returned values and the states.
It should preferably allow for high-level descriptions such as abstract rules
to generate multiple test cases.
Testing Configuration The notation should allow for configurations of which
language and environment is used for model interpretation or implementa-
tion execution of the system, which test cases are examined and how the
results are formatted and outputted. It may include configurations specific
to the language and environment (e.g., activation of coverage measurement
in VDM Toolbox).
Adapter for Each Language and Environment For each language and en-
vironment, an adapter is necessary to make each action specified in the test
case by activating functionalities of the environment as well as conducting
necessary syntactic translations.
Combining Framework A framework combining the above aspects is neces-
sary, which interprets the configurations, activates the language environ-
ments and reports the results accordingly.
This study primarily focuses on the first issue of test case configurations,
which affects how easy it is to share test cases on VDM models and on imple-
mentation codes. Constructing VDM models is useful only if it is different from
constructing implementation codes. It is thus necessary to carefully examine the
differences, or the gaps, when considering inheritance of test cases.
2.2 Illustrating Example
Possible gaps between VDM models and implementation codes, in terms of ab-
straction, make it difficult to share test case configurations. For example, consider
the following simple command in test cases.
First set the value of a public variable s1 as a set of integer values
including 1, 2, and 3. Then call an operation op1, setting its argument
value as an integer value -1, and check the return value is true.
It is desirable to allow for describing this test case in a common notation for
VDM models and implementation codes, to say, as follows.
assign s1 {1, 2, 3}
Assert: call op1(-1) : true
One possible implementation is to generate a VDM specification and imple-
mentation codes that denote the behavior of the test case. The VDM specifica-
tion would include the following lines, where assert is a checking operation as in
VDMUnit.
3 VDM distinguishes functions, which do not access system states, from operations.
Programming languages use different terms, functions, methods, etc. This paper
refers to call of such a unit of functionality as “operation call.”
20
(s1 := {1, 2, 3};
assert(op(-1), true)
)
Similarly, the Java codes would be like the following.
HashSet s1 = new HashSet();
s1.add(1);
s1.add(2);
s1.add(3);
assert(op(-1), true);
Note that the type of s1 in the Java codes, HashSet, must match with the
actual type in the Java codes of the system. In other words, if the type of
s1, set, in the VDM models is refined into HashSet in implementation of Java
codes, it is necessary to consider the fact for inheritance of test cases. Generation
of the above Java codes can be done only with information of the refinement
relationship, or the link between the VDM type set and the Java type HashSet.
However, once such a relationship is explicitly specified, it is possible to automate
the process of generating HashSet-based codes for all of the test cases, which will
be much more efficient in handling hundreds or more of test cases.
The above example also implies the needs for syntactic translations, e.g.,
gaps in how to generate a set value. However, it can be handled similarly by
enumerating translation patterns, as in the VDM to Java generator, even though
its complete implementation would be a hard task. Operations specific to testing,
e.g., assert, can be implemented similarly to unit testing frameworks (VDMUnit
and JUnit).
3 Framework Design
This section first presents a design of a testing framework, on the basis of the
discussion in Section 2, and then discusses refinement patterns of test cases
handled by the framework.
3.1 Overview
Figure 3.1 illustrates our design of the abstract process presented before (Figure
2.1 in Section 2.1). As discussed in Section 2.2, the approach in this study is to
have explicit descriptions of refinement relationships so that the framework can
handle the differences between abstract VDM models and implementation codes
in all the test cases. The figure also illustrates a plug-in based architecture to
allow for flexible introduction of different languages and environments as well as
different media and strategies for output.
21
????? ????
??????????????
?????
??????? ???
????????????????????? ?????????
????????????????????????
???????????
???
?????????????????????????
?????????????? ?????
????????
?????????????
????????
??????
• ????????????????????????????????
• ?????????????????????
• ?????????????????? ????
• ?????????????????????????????? ?????????????
?????
???????
????
??????? ???
??????????
?????????????
??????????????
????????????????
????? ??????
?????????
???
??
????
?????????????????
???
????????????????????
???????? ???????
????????????????
????????
???????? ??????????
• ????????????????????????????
• ?????????? ????
• ??????????????????
Fig. 2. Framework for Inheritance of Test Cases
3.2 Handling Abstraction in VDM
Below discusses general strategies to abstraction, or simplification, in VDM mod-
eling. Notations of test case configurations and refinement relationships specifi-
cations are then presented to handle each of the abstraction strategies in inher-
itance of test cases.
Modeling Target It is not necessary to model all parts of the system with
VDM. It is often sufficient, or adequate in terms of the costs, to model only
subsystems that play significant roles in the system and are complex. Similarly,
more granular elements may be omitted in VDM models if they are trivial at
that time point of the development process, such as variables, operations and
operation arguments.
For example, suppose an event management system that provides function-
alities such as accepting user booking for seats of an event. The actual system
manages user registration to the system and information of each user (address,
phone number, etc.). However, developers may omit those parts and include only
user ID in the VDM model so that functionalities about event registration is fo-
cused on, which has complex constraints such as double booking prevention and
cancellation policies.
In such a case, additional test cases should be introduced, e.g., to test the
functionalities to manage registration of user information (pattern1: addition
22
of test cases specific to a certain language and environment). For this
purpose, it is possible to specify target language and environment in the header
of test case configurations, as follows.
(in header of test case configurations)
TargetLanguage: Java
TargetEnvironement: ALL
The situation becomes complicated when some fields of record types or some
instance variables of classes are omitted in VDM models. It means that construc-
tion of values in the same type is done in different ways in VDM models and
implementation codes. To handle such a situation, it is possible to specify target
language and environment in each action of test case configurations (pattern2:
configuration of actions in test cases specific to a certain language and
environment). In the following example, the constructor call in Java has an
additional argument, true, for example, activating the logging functionality that
is abstracted away in the VDM model.
(in test case configurations)
{VDM++, ALL} assign s1 new class1("abc", 3)
{Java, ALL} assign s1 new class1("abc", 3, true)
If the additional fields are always set to the same value, in a certain set of test
cases, it is possible to specify them in the refinement relationship specifications.
(in refinement relationship specification of VDM++ to Java)
Operation Refinement
RefinementPattern: class1(a, b) -> class1(a, b, [true])
Target Test Case: 1-100
Here the square bracket is used to distinguish literal values from identifiers to
be matched in the pattern.
Data Abstraction Data types in implementation codes reflect strategies to
allocate data on memory spaces as well as computational efficiency of each op-
eration on those data. On the other hand, VDM models generally abstract away
such implementation details. Embedded data types embedded in the VDM lan-
guages are originally abstract. For example, VDM defines a type set, which is im-
plemented by HashSet or TreeSet in Java. Similarly real in VDM is implemented
by float or double in Java. To handle such a situation, it is possible to specify
links between VDM types and implementation types in refinement relationship
specifications, as follows (pattern3: data type refinement specification).
(in refinement relationship specification of VDM++ to Java)
Data Type Refinement
Variable: s1
Type: set -> HashSet
23
In addition, implementation details of data values are also abstracted away.
For example, suppose that a user ID is constructed by combining the year of the
registration with unique id in the year, e.g., “2009-0005,” in the implementation.
But it would be modeled using the type token, in which any data value is made
a unique ID, if other complex functionalities are focused on. This case requires
different actions for each language, with pattern2, as follows.
(in test case configurations)
{VDM++, ALL} call register(mk_token(‘‘user1’’))
{Java, ALL} call register(issueID(Calendar.getInstance()
.get(Calendar.YEAR)))
Operation Abstraction Operation signatures can be different in VDM mod-
els and implementation codes if any of the arguments and return value are ab-
stracted as already discussed. Besides this point, operations can be modeled at
various levels of abstraction. The most abstract definitions are called implicit
definitions, declarative definitions with signatures, preconditions and postcondi-
tions. But this study does not consider them as they cannot be interpreted or
tested.
The VDM languages allow for abstracting away algorithms that iterate on
composite types (e.g., set) and are specified using for and while statements. In-
stead, declarative descriptions can be used, namely, intensional definitions of
composite types, quantified expressions such as forall expressions, and let be
expressions and statements. When detailed algorithms are introduced in imple-
mentation codes, additional test cases would be introduced for white-box testing
(pattern1).
Another kind of abstraction is the omission of erroneous situations. For ex-
ample, suppose, in VDM models, a precondition is specified in an operation to
register a user to an event to prevent operation calls that cause double booking if
completed. On the other hand, in implementation codes, the corresponding op-
eration throws an exception called “InvalidRegistrationRequestException” with
error code “35.”
(an operation in the VDM model)
register : RegistrationRequest ==> RegistrationInfo
register(request) == ...
pre not doublebookingRequest(request);
(corresponding Java codes)
public register(RegistrationRequest request){
if doublebookingRequest(request){
throw new InvalidRegistrationRequestException(35);
}
...
}
24
Although the VDM languages provide notations for throwing/catching ex-
ceptions (trap statements), exception handling is typically abstracted away in
VDM models, e.g., in textbooks [3, 4]. This is because preconditions make the
conditions for successful completion of the operation much more explicit and
can be used in sophisticated verification and validation (e.g., proof obligation
generation). There is a common intention in test cases in VDM models without
exception handling and implementation codes with it, that is, check that the op-
eration completion is denied properly. The notation for test case configurations
allow for description of this intention, as follows (pattern4: configurations to
distinguish invalid operation calls).
(in test case configurations)
AssertInvalidCall call register(new RegistrationRequest(...))
By default, the AssertInvalidCall command checks whether any of a runtime
error, an exception, or precondition violation (only in VDM) occurs upon the
operation call. If it is necessary to check what kind of exception is thrown, the
Assert command can be used, possibly with pattern2 (e.g., check the exception
and the error code only in Java).
4 Discussion
4.1 Abstraction Strategies
The VDM languages should be used to model abstraction or simplification of the
system, different from what are specified by programming languages (otherwise
there is no reason to use them). Abstraction has thus been said to be the key in
making use of VDM [3, 4]. Here a model is an abstract or simplified (often math-
ematical) description that extracts specific aspects of the system, with which
scientific analysis on those aspects can be conducted effectively and efficiently.
In other words, by abstracting away unnecessary details, construction of models
and analysis of them are made effective and efficient.
However, abstraction leads to gaps between abstract VDM models and im-
plementation codes. Additional costs are introduced to determine abstraction
strategies and record the introduced gaps as well as to track the gaps when
modification occurs. So it is necessary for developers to examine the trade-offs
and determine abstraction strategies, which is not a trivial task or a task to
which a clear guideline can be given.
The VDM languages themselves introduce abstraction, e.g., the VDM set
type and the Java HashSet type. It is thus necessary for developers to be aware
of and handle the gaps caused by abstraction even if they do not introduce
abstraction by themselves. We believe that the analysis in this paper helps this
point, by providing not only the supporting framework but also insights that
help developers even if they tackle the problem manually.
25
4.2 Future Work
The following issues remain as future work.
– More sophisticated configurations of test cases, like combinatorial automa-
tion of test cases [5].
– Checking constraints, i.e., invariants and pre/post-conditions, at the imple-
mentation level. This could be achieved by assuming use of JML [6], possibly
with support of combined use of VDM++ and JML [7].
– The proposed notations could still be naive, incomplete, inefficient, or coun-
terintuitive. We are presently examining more examples to validate the pro-
posed handling patterns while focusing on VDM++ and Java.
– Concrete implementation strategies. We are presently examining a design
that generates VDM++ models and Java codes that denote the test case
behavior, as shown in Section 2.2.
5 Summary
This study has discussed an initial approach to a general testing framework to
support inheritance of test cases from the VDM level to the implementation
level. It is clearly significant to ensure that the correctness and validity at the
VDM level are inherited at the implementation level. On the other hand, abstract
modeling has been considered as the key to make the maximum use of VDM.
This study has pointed out these principles conflict with each other. Specifically,
this study discussed how gaps between abstract modeling and concrete imple-
mentation codes complicates inheritance of test cases, while proposing an initial
approach to a testing framework to handle the problem.
References
1. VDM information web site. http://www.vdmtools.jp/
2. Kurita, T., Chiba, M., Nakatsugawa, Y.: Application of a Formal Specification Lan-
guage in the Development of the• •Mobile FeliCa• •IC Chip Firmware for Embedding
in Mobile Phone. In: The 15th International Symposium on Formal Methods (FM
2008). (2008) 425–429
3. Fitzgerald, J., Larsen, P.G., Bjorner, D., Jones, C.: Modelling Systems: Practical
Tools and Techniques in Software Development. Cambridge University Press (1998)
4. Larsen, P.G., Mukherjee, P., Plat, N., Verhoef, M.: Validated Designs For Object-
oriented Systems. Springer (2005)
5. Santos, A.S.: Combinatorial Test Automation Support for VDM++. In: The 4th
VDM-Overture Workshop. (2008) 45–54
6. The Java Modeling Language (JML). http://www.cs.ucf.edu/∼leavens/JML/
7. Vilhena, C.M.G.: Overture: Connecting VDM++ and JML. In: The 4th VDM-
Overture Workshop
26
Overture 2.0 – Preparing for the Future
Marcel Verhoef (marcel.verhoef@chess.nl)
CHESS, Lichtfabriekplein 1, 2031 TE Haarlem, NL
Current emphasis in the Overture project has been to create a tool platform
for scientific and industrial experiments with formal techniques based on the
Vienna Development Method, in particular its specification languages VDM-
SL and VDM++. The industry proven tool VDMTools has always been our
yardstick, with respect to functionality, useability and performance. The nett
result of these efforts being an open source tool set, implemented entirely in Java,
partly specified and developed using VDMTools, delivered as an extension of the
well-known Eclipse integrated development environment (IDE). This effort is
slowly coming of age, whereby the maturity and performance of the Overture
tool suite currently equals or even outperforms the latest commercial available
version of VDMTools. Not bad for a project that relies entirely on a group of
dedicated volunteers, supported by several BSc and MSc students!
Moreover, the open source character of Overture has indeed lived up to
the original aim to be a playground for both language experiments and novel
tool extensions. Most of the improvements available in the VICE (VDM In a
Constrained Environment) version of VDMTools have been prototyped in this
project. Hence, VDM evolves into the Overture Modeling Language, which is
put under control of a light-weight community review process. In particular
the enhanced visualisation for real-time traces (the so-called “showvice” plug-
in) as well as the combinatorial testing support and enhanced bi-directional
UML2.0 transformations are extensions that are currently only available in the
Overture tool suite. Last but not least, significant progress has been made
on extending the generation and semi-automatic analysis of proof obligations,
whereby integration to the HOL theorem prover was achieved. Hence the state
of the art in VDM proof support reached in the nineties during the PROSPER
project was not only reestablished but also updated and improved significantly.
At the advent of the new DESTECS Seventh Framework EU project, which
will start in the fourth quarter of 2009, it seems a good idea to look ahead to the
future of Overture. Should the current line of development be continued, i.e.
by completing the “missing” VDMTools components into Overture, or should we
take different directions? How can we move forward, not only extending our tool
set, but also enlarging our user base. What is our target audience and what
are suitable areas to invest our efforts in? Where can we make a difference?
The purpose of this paper is to suggest a few of these directions and open the
door to discussions on the future of Overture. In the technical dimension, this
talk will address several issues: model driven architecture (MDA), co-simulation
and performance analysis, code-generation, proof support, model checking and
integration with other formal techniques. The purpose of this talk is to spark a
debate on the strategic research agenda for Overture for the next five years.
27
How Top-Level Engineers Learn and Investigate
VDM: Experiences in the Top SE Project
Fuyuki Ishikawa1, Kenji Taguchi1, and Shinichi Honiden1,2
1 GRACE Center,
National Institute of Informatics
2-1-2 Hitotsubashi, Chiyoda-ku, Tokyo, Japan
2 Graduate School of Information Science and Technology,
The University of Tokyo
7-3-1 Hongo, Bunkyo-ku, Tokyo, Japan
Abstract. This paper reports and discusses experiences on education
of VDM in the Top SE program targeting software engineers in the in-
dustry. The program involves education of a variety of scientific methods
and tools with group exercises on practical problems, allowing students
to compare different approaches while understanding common principles,
e.g., VDM v.s. B-Method. In addition, the program involves graduation
studies where each student identifies and tackles their own problems.
Statistics on problem settings in the graduation studies provide interest-
ing insights into what top-level engineers tackle after learning VDM.
1 Introduction
Formal methods are attracting increasing attention from the software industry,
as software is getting more and more complex while efficiency and reliability of
software development is getting more and more significant. On the other hand,
there are still difficulties for industry developers to apply formal methods to prac-
tical system development, due to lack of appropriate knowledge and techniques
(e.g., mathematical knowledge), difficulties to determine proper approaches (e.g.,
modeling strategies) as well as lack of a variety of tools that match with their
requirements and contexts.
The Top SE program in Japan has provided a unique place to produce “su-
perarchitects” who can promote practical use of advanced, scientific methods
and tools, including formal methods, for tackling problems in software engineer-
ing [1, 2]. The Top SE program primarily targets engineers in the industry and
provides education on a variety of methods and tools by combining lecturers
from academia and the industry. The program provides more than education of
general, fundamental knowledge and techniques on methods and tools, in the
following two forms of activities.
Lecture Courses In the Top SE project, lecture courses are organized to in-
volve different methods and tools so that students can compare different
approaches while understanding common principles. Each course involves
28
group exercises where students jointly tackle practical problems while ex-
changing ideas on different approaches to the problems. The problems are
jointly developed by lecturers from academia and the industry.
Graduation Studies The Top SE program also includes graduation studies
where students identify and tackle their own problems using scientific ap-
proaches they have learned. The studies are finally evaluated in terms of
validity of problem setting, validity of approach (method/tool) selection,
and problem-solving ability (e.g., adequate abstraction).
This paper reports and discusses the experiences on VDM education based
on the principles described above in the Top SE project. This paper discusses
the lecture course design of VDM and graduation studies that tackle problems
by using VDM or problems in using VDM. The statistics on graduation studies
will clarify what kinds of issues the students (actually top-level engineers in the
industry) find significant and also solvable to some extent by themselves. It will
give interesting suggestions regarding roles of academia and the industry for
promotion of widespread, practical use of VDM.
The remainder of the paper is organized as follows. Section 2 describes the
principles and current status of the Top SE program. Section 3 describes the
design of the lecture course on VDM in the program. Section 4 reports actual
topics of graduation studies on VDM tackled by the students. Section 5 gives
some concluding remarks.
2 Top SE Program
2.1 Principles
In the software engineering area, there has been a gap between what are taught
in academia and what are required by the industry [3]. The Top SE program
in Japan is organized to bridge the industry-academia gap by providing a place
where academic and the industry jointly deliver knowledge and techniques for
practical use of advanced scientific methods and tools [1, 2].
Below summarizes the principles of the Top SE program.
Target Topics Topics cover software engineering, especially focusing on up-
stream processes where scientific methods and tools work effectively and
efficiently. As essential goals in software engineering, efficiency, reliability,
and changeability are investigated. In addition, security is also focused on as
it is now an essential aspect in a variety of systems. Hardware technologies
and social matters are not considered as primary topics.
Target Students As the original motivation is to deliver scientific approaches
to the industry, the primary target students are software engineers from the
industry. They know issues in software development well but do not know so
much about use of scientific methods and tools. Especially, engineers around
their 30’s are targeted as they have identified issues in software engineering
and are leading next-generation development processes. The program also
29
accepts graduation students of universities, who know scientific aspects well
and are eager to learn their application in practical software development.
For education of university students, the Top SE program also provides lec-
ture courses at universities, which puts more focuses on delivering practical
aspects to graduate students. This is out of the scope of this paper.
Produced Graduates The project defines “superarchitects” to produce, who
have knowledge and techniques of the following.
– Abstraction of practical problems into (semi) formal models, e.g., UML,
automata, formal specifications, and goal-oriented requirements models.
– Application of tools to concrete problems, e.g., digital, networked home
appliances.
– Adaptability to new technology and tools, e.g., identifying essential dif-
ferences and common principles in similar but different approaches.
– Ability to promote the technologies and tools, e.g., instructing develop-
ment teams.
Lecturers and Lecture Courses Lecturers from academia and the industry
are grouped and develop lecture course materials, which involve results of
software science from academia combined with practical problems (exercises)
settings from the industry. Lecture courses are organized to involve different
methods and tools so that students can compare different approaches while
understanding common principles. In addition, each course involves group
exercises where students jointly tackle practical problems while exchanging
ideas on different approaches to the problems even if using the same method
and tool.
Graduation Studies The students finally tackle graduation studies, for a few
months, where they identify and tackle their own problems using scientific
approaches they have learned. Students often determine to choose and apply
some methods and tools for their own problem areas, e.g., a workflow man-
agement system. Some students develop extension of existing methods and
tools so that the methods and tools are used more effectively and efficiently
for a certain class of problems, e.g., development of a model generator from
a specific format. Graduation studies are evaluated in terms of validity of
problem setting, validity of approach (method/tool) selection, and problem-
solving ability (e.g., adequate abstraction).
Detailed description and discussion on the principles of the Top SE project are
found in [1].
2.2 Current Status
The Top SE project had been fully sponsored by the Japanese government in its
setup phase of 5 years until March 2009. Below describes the status of the Top
SE project at the end of the setup phase (March 2009).
Students In March 2009, 30 students graduated. 4 of them were graduate stu-
dents (of universities) and the others were software engineers from the in-
dustry. 61 students graduated in total in the setup phase.
30
Lectures 21 lecture courses, classified in 6 series plus introductory courses,
were finally developed and provided for the third-term students as shown in
Table 1. Each lecture course involved 12 classes, each of which was held for
one hour and a half. Classes were held in the evening (16:30-18:00, 18:15-
19:45) on weekdays. Lecture courses were developed and operated by 25
lecturers, 15 from academia (universities or research institutes) and 10 from
the industry (companies). Each student must get through at least 8 courses
with credit for graduation.
Series Course
Foundations Fundamental Theories
Practice of Software Engineering
Architecture Component-based Development
Software Patterns
Aspect-Oriented Development
Formal Specification Formal Specifications (Foundations)
Formal Specifications (Applications)
Formal Specifications (Security)
Model Checking Verification of Design Models (Foundations)
Verification of Design Models (Applications)
Verification of Performance Models
Modeling and Verification of Concurrent Systems
Requirements Analysis Goal-Oriented Requirements Analysis
Requirements Elicitation and Identification
Security Requirements Analysis
Early Requirements Analysis
Implementation Techniques Testing
Program Analysis
Verification of Implementation Models
Management Software Metrics
Software Development Management
Table 1. Lecture Courses in the Top SE Program
After successful completion of the setup phase fully sponsored by the govern-
ment, the renewed Top SE project started in April 2009. In response to feedback
obtained in the setup phase, the educational system was renewed, e.g., the start
time of the lectures was moved to later in the evening. Although it became a
fee-paying education with some scholarship, 31 students joined and started to
study (almost the same number as that of the third-term students). Additional
features are being introduced, such as support for continuous, more advanced
studies at a partner graduate university after completion of the Top SE program.
31
3 Lecture Course on VDM
This section describes the design of the lecture course on VDM, together with
relationships with other lecture courses. The detailed principles for lecture course
development are discussed in [1]. The whole picture of all the lecture courses on
formal methods is described and discussed in [4].
3.1 Formal Specification Series
The Formal Specification series, including VDM, focuses on mathematical mod-
eling of system states and their changes through operation invocations. Accord-
ing to the principles described in Section 2.1, the series consists of three lecture
courses as illustrated in Figure 1.
VDM-SL 
(VDM-SL Toolbox)
B
(B4Free, Click'n'Prove)
VDM++ 
(VDM++ Toolbox)
B
(B4Free, Click'n'Prove)
Event-B
(RODIN)
Promela
(SPIN)
Z
(Z/EVES)
Lightweight Approach
Specification Animation
Construction by Correctness
Theorem Proving
Object-Oriented Modeling
Testing Frameworks
Stepwise Refinement into 
Implementation
Emerging Approach
Stepwise Refinement
Classical Approach
Theorem Proving
State Transitions
Temporal Logic
Obtaining Fundamental Knowledge and Techniques
while Contrasting Two Extreme Approaches
Discussing Application Processes
while Contrasting Two Extreme Approaches
FS1:
Foundations
FS2:
Applications
FS3:
Security
Discussing Application to Security Issues
while Comparing Different Approaches
Fig. 1. Formal Specification Series
FS1: Formal Specification (Foundations) This course delivers fundamen-
tal knowledge and techniques for the use of formal specification. Two differ-
ent methods are discussed to deliver common principles and different strate-
gies: B-Method aiming at correct derivation of implementation based on
theorem proving and VDM aiming at lightweight validation based on spec-
ification animation and testing. As tools, B4Free and Click’n’Prove [5] are
used for B-Method and VDM-SL Toolbox [6] for VDM. As a practical prob-
lem, a standard routing protocol for ad-hoc networks is investigated, which
is an emerging problem with clear specifications in natural languages. Here
B-Method is used to gradually introduce complexity by modeling distribu-
tion of data among nodes through stepwise refinement, while VDM is used
to model the behaviors of each node.
32
FS2: Formal Specification (Applications) This course delivers advanced
knowledge and techniques for the application of formal specification. B-
Method and VDM are used similarly to FS1, but more focus is put on differ-
ent levels of abstraction well as stepwise refinement through them. As tools,
B4Free and Click’n’Prove are used for B-Method and VDM++ Toolbox [6]
for VDM. As a practical problem, other aspects of the routing protocol for
ad-hoc networks is investigated.
FS3: Formal Specification (Security) This course delivers knowledge and
techniques for using formal specifications in development of secure systems.
Three different methods and tools are discussed with the same practical prob-
lem of access control in a hospital. The first is Event-B [7] with the RODIN
tool, where event-based modeling and stepwise refinement are investigated.
The second is the Z/EVES tool [8], where theorem proving is investigated.
The last is SPIN [9], where state transition-based modeling and temporal
properties are investigated.
As described above, VDM is taught in the courses of FS1 and FS2. In FS1,
the Foundations part, the principles of VDM and VDM Toolbox are taught
through use of VDM-SL. An example of event management system is investi-
gated, where users can reserve seats for events. The system involves constraints
such as event capacity and double booking prevention. First, a simple model is
discussed where only one event is considered as an introductory example. Here,
the system is modeled to keep a set of reservation records, which abstracts away
design strategies that aim at efficiency of implementation. Then a sophisticated
model is discussed where full functionalities are modeled as well as design strate-
gies. The data structure is changed to two maps, where indexing for two kinds
of queries are made efficient. As the reservation records are kept in two variables
redundantly (for the purpose of efficiency), additional constraints appear about
consistency between the variables. In FS2, VDM++ is taught with similar exam-
ples, while making use of various functionalities of VDM++ Toolbox, including
use of VDMUnit, test coverage measurement and Java code generation.
Both of FS1 and FS2 include group studies on a standard routing protocol
for ad-hoc networks, namely, OLSR [10]. In both the lecture courses, VDM is
used to model behaviors of each node, specifically, avoiding duplicate processing
and forwarding in FS1 and avoiding unnecessary multi-casting by examining
the network topology in FS2. In both the lecture courses, each group discusses
strategies of the following aspects.
Modeling Scope e.g., to model only the inside of a node or model the whole
network
Abstraction e.g., to eliminate trivial details in the message formats
Removal of Ambiguity e.g., the specified algorithm does not specify how to
handle a specific case
Verification e.g., what properties to be verified in what means (e.g., examining
outputs or checking postconditions?)
Each group, and each student, proposes different strategies and tries to justify
it while discussing other strategies proposed by other groups or other students.
33
These experiences make the students feel the difficulties in the essential task of
determining strategies for effective and efficient use of VDM.
3.2 Relationships with Other Lecture Courses
VDM education is complemented by learning related or different approaches to
software development, as follows.
Model Checking Series The Model Checking series provides lecture courses
that focus on mathematical modeling of software behaviors and their efficient
verification with automated tools, such as SPIN [9]. It complements VDM
by discussing exhaustive verification on models, which cannot be achieved
by verification through testing in VDM.
Program Analysis Course The Program Analysis Course teaches JML [11].
It complements VDM by discussing the same kind of verification targets,
i.e., invariants and pre/post-conditions, but targeting not abstract models
but source codes.
Testing Course The Testing Course teaches testing methods such as decision
tables. It complements VDM by discussing how to construct and evaluate
testing plans, which is essential when relying on verification through testing
in VDM.
3.3 Statistics
Table 3.3 shows how many students successfully got through some of the courses
with credit. It means the number of students who registered to the course, at-
tended the classes, and completed reports on personal exercises and group ex-
ercises. In the table, the number of students who attended each course is also
shown between parentheses (students who registered but not completed or who
audited). Here only 30 students who graduated in March 2009 are counted, as
previous graduates did not have the full lineup of 21 lecture courses described
in Table 1.
Series Course Students: completed (attended)
Formal Specification FS1 20 (27)
FS2 14 (20)
FS3 4 (5)
Model Checking MC1 17 (21)
Architecture CBD 21 (22)
MC1: Verification of Design Models (Foundations)
CBD: Component-Based Development
(Students in total: 30)
Table 2. Completion and Attendance at Lecture Courses on Formal Methods
34
FS1 and FS2, where VDM is taught, were both as popular as other lecture
courses, such as Verification of Design Models (Foundations), where SPIN [9] is
taught, as well as Component-based Development.
4 Graduation Studies on VDM
4.1 Overview
As described in Section 2.1, students identify and tackle their own problems in
their graduation studies. Many students have chosen topics on formal methods.
This paper classifies the topics as follows.
Case Study In this type of study, problems are identified in development of
some target systems, such as workflow management systems and web appli-
cations. Solutions are defined by choosing adequate formal methods/tools as
well as defining application strategies.
Domain-Specific Finer-Grained Support In this type of study, problems
are identified in application of formal methods/tools to development of sys-
tems in some domains, such as workflowmanagement systems and web appli-
cations. Solutions are defined by developing domain-specific methods/tools
that provide finer-grained support for application of general formal meth-
ods/tools.
Bridging Gaps between Different Methods/Tools In this type of study,
problems are identified in bridging between a task where formal methods/tools
are used and another task where other (formal or not formal) methods/tools
are used. Solutions are defined by developing methods/tools for combining
formal methods/tools with other (formal or not formal) methods/tools.
Extension of Methods/Tools In this type of study, problems are identified in
capabilities of existing formal methods/tools themselves regarding their own
purposes (e.g., verification). Solutions are defined by developing extension
of formal methods/tools.
4.2 Statistics
28 studies were related to formal methods, out of 61 studies, details of which
are described and discussed in [4]. Among them, 7 studies were about use of
VDM. This number is high, second to SPIN on which 11 studies were conducted.
This tendency would be somewhat unique in Japan. It would be because VDM
Toolbox is maintained by a Japanese company and a Japanese interface has
been provided. It would be also because of the well-known application case of
VDM for an IC card system, which is used extensively in Japanese people’s life
[12]. Students who chose VDM tended to claim that they would not be able
to introduce formal methods heavier than VDM, the lightweight one, to their
colleagues and companies.
Below enumerates the actual topics of graduation studies on VDM, according
to the classification in Section 4.1.
35
Case Study
– One of the studies used VDM for formal modeling and validation in
an experimental project involving a team at the company with which
the student works. It evaluated additional costs (man-hours) as well
as specification items additionally identified through the modeling and
validation, which would lead to much more cost if found in later phases.
– Another study modeled and verified constraints in advanced application
in the embedded reality area, that is, a glass through which the user can
see the information of the objects in his view.
Domain-Specific Finer-Grained Support
– One of the studies developed a metamodel to encode BMM (Business Mo-
tivation Model) [13] in VDM-SL so that BMM instances can be checked.
Bridging Gaps between Different Methods/Tools
– One of the studies investigated a method and tool that supports deriving
specifications in VDM from requirements obtained by using KAOS [14,
15].
– Another study investigated a method that derives VDM++ descriptions
from UML state-chart diagrams so that they are validated through spec-
ification animation.
– Another study investigated guidelines and patterns to inherit invariants
and pre/post-conditions, which were verified by VDM in an earlier phase,
to LTL formula in SPIN so that the proved properties are confirmed also
in the design phase, typically with concurrency.
Extension of Methods/Tools
– One of the studies defined refinement relationships in VDM++ as well as
proof obligations so that specific kinds of refinement relationships, which
have been recently dealt with in Event-B, can be explicitly modeled in
VDM [16].
Although the number of the studies is so small, the result shows that the
students find studies for Bridging Gaps between Different Methods/Tools sig-
nificant and solvable to some extent. It means, when students discusses among
themselves how they can solve their problems in software development in their
domains, by using VDM, they often find difficulties in connecting VDM with
other methods in the development process. On the other hand, it also means
the students, actually the top-level developers in the industry, can find initial
approaches to such issues.
5 Conclusion
The Top SE project has been established to deliver scientific approaches in soft-
ware engineering, including formal methods, to engineers in the industry. It pro-
vides lecture courses developed jointly by lecturers from academia and from the
industry, as well as opportunities of graduation studies where students identify
and tackle their own problems. This paper has reported and discussed experi-
ences on VDM education in the Top SE project. Students, mostly engineers in
36
the industry, were very eager to learn and investigate more effective and efficient
use of VDM.
The Top SE program has established its education system that accepts about
30 students per year. After discussion given in this paper, we believe the approach
of the program will promote practical use of formal methods including VDM,
where not only academia but also the industry develop practical support for
effective and efficient use of formal methods.
References
1. Honiden, S., Tahara, Y., Yoshioka, N., Taguchi, K., Washizaki, H.: Top SE: Ed-
ucating Superarchitects Who Can Apply Software Engineering Tools to Practical
Development in Japan. In: The 29th International Conference on Software Engi-
neering. (2007) 708–718
2. Top SE project (NII). http://www.topse.jp/
3. Beckman, K., Coulter, N., Khajenoori, S., Mead, N.R.: Collaborations: Closing
the industry-academia gap. IEEE Software 14(6) (1997) 49–57
4. Ishikawa, F., Taguchi, K., Yoshioka, N., Honiden, S.: What Top-Level Software
Engineers Tackles after Learning Formal Methods - Experiences from the Top SE
Project. In: The 2nd International FME Conference on Teaching Formal Methods
(TFM 2009). (2009 (to appear))
5. B Method - Presentation of B Method, B Language, and formal methods. http:
//www.bmethod.com/
6. VDM information web site. http://www.vdmtools.jp/
7. Rodin - rigorous open development environment for complex systems. http:
//rodin.cs.ncl.ac.uk/
8. Saaltink, M.: The Z/EVES System. In: The 10th International Conference of Z
Users on The Z Formal Specification Notation (ZUM’97). (1997) 72–85
9. SPIN - formal verification. http://spinroot.com/
10. Optimized link state routing protocol (olsr). http://www.ietf.org/rfc/rfc3626.
txt (2003)
11. The Java Modeling Language (JML). http://www.cs.ucf.edu/∼leavens/JML/
12. Kurita, T., Chiba, M., Nakatsugawa, Y.: Application of a Formal Specification
Language in the Development of the • •Mobile FeliCa • •IC Chip Firmware for
Embedding in Mobile Phone. In: The 15th International Symposium on Formal
Methods (FM 2008). (2008) 425–429
13. Bmm. http://www.omg.org/spec/BMM/
14. Goal-Driven Requirements Engineering: the KAOS Approach. http://www.info.
ucl.ac.be/∼avl/ReqEng.html
15. Nakagawa, H., Taguchi, K., Honiden, S.: Formal specification generator for KAOS:
Model transformation approach to generate formal specifications from KAOS re-
quirements models. In: The 22nd IEEE/ACM International Conference on Auto-
mated Software Engineering (ASE 2007). (2007) 531–532
16. Kawamata, Y., Sommer, C., Ishikawa, F., Honiden, S.: Specifying and checking
refinement relationships in vdm++. In: The 7th IEEE International Conference
on Software Engineering and Formal Methods (SEFM 2009). (2009)
37
Formalising Concurrent and Distributed Design
Patterns with VDM
Sune Wolff
Engineering College of Aarhus, Denmark
swo@iha.dk
Abstract. Design patterns have gained significant acceptance in industry, and
many software developers use them as important tools in their everyday work.
Considerable effort has been put into formalising the well known ”Gang of Four”
design pattern, but so far no one has attempted to formalise the ”POSA2” (Pattern-
Oriented Software Architecture - Volume 2) design patterns - some even ques-
tion the use of formalising these design patterns. This paper shows how three
”POSA2” design patterns have been formalised in VDM using a real-time ex-
tension. This is done using a case study, where a distributed data collection web
server is modelled. The paper will further elaborate upon what can be gained by
formalising design patterns, and gives a broader perspective of the advantages of
formally specified design patterns.
1 Introduction
Design patterns describe a proven solution for a recurring design problem that occur
within a certain context. In order to enable the use of design patterns in formal language
models and methods, several attempts have been made to give a formal representation of
these patterns [1,2,3]. All these articles describe formal representations of the so-called
”Gang of Four” design patterns [4]. These patterns are general enough to be applied to
basically any type of software system.
Software systems are increasingly built using a distributed architecture, where the
system is utilising multicore processors or is distributed over several hardware units.
These types of concurrent and networked systems introduce new challenges that the
original ”Gang of Four” patterns are not suited to solve. The so-called ”POSA2” pat-
terns [5] introduce solutions to a wide range of design problems for concurrent and
networked systems. These patterns have not previously been modelled using formal
methods.
Schmidt et al. [5] questions the use of formalising design patterns since there is a
fundamental difference in the desired outcome of using design patterns in the formal
world and in the mainstream world of software systems. They state that ”...formalisms
aim to capture a particular concept as precisely as possible.” whereas a pattern is a
”schema for solving a set of related problems, so it can be implemented repeatedly
without necessarily being exactly the same each time.” This observation is correct to
some extent, but it covers only one of the two main advantages of formal language
models: precision and abstraction. The ability to apply a higher level of abstraction to
hide unnecessary details is not covered at all in the statement from Schmidt et al.
38
This article shows how some of the ”POSA2” patterns can be modelled in the for-
mal language VDM++ using the real-time extension VICE (VDM In Constraint En-
vironment) [6,7,8]. The case study presented in this article applies a high level of ab-
straction to the formal model, in order to enable the model designer to focus on the
combination of several patterns instead of dealing with low level details of the individ-
ual patterns.
Each of the patterns are initially described using UML class diagrams. This graph-
ical modelling language is a strong tool in main-stream software development when
used to describe structure and functionality of software. By naming the different de-
pendencies, the system architect can implicitly describe the desired functionality of the
software. When this is combined with well known pattern names, even complex soft-
ware structures are made much more comprehensible.
Section 2 gives an introduction to VDM++ focussing on the real-time extension
VICE. Section 3 introduces the case study, where a web server is modelled in VICE
using a combination of three of the ”POSA2” patterns. A short introduction to each of
these patterns is given, followed by the VICE model of the pattern. Section 4 gives a
quick overview of the related work in the domain of formalisation of design patterns.
Finally, Section 5 includes concluding remarks regarding the work done, as well as the
use of formal representation of design patterns in general.
2 The Formal language
VDM has its origin in IBM’s Vienna Laboratory in the 1970s where Vienna Definition
Language was developed [9]. It later evolved into VDM which is a formal method con-
sisting of a collection of techniques for modelling, specifying and designing software
systems. In 1996 VDM’s specification language VDM-SL was ISO standardised [10],
and later the object-oriented extension VDM++ was created. Further extensions have
been made to VDM, most notably VICE (VDM In Constrained Environment) [6,11]
which supports the modelling of distributed and real-time systems. VDM is one of the
most mature formal methods, and have been successfully applied to a wide range of
industrial projects [9,12]. For all the model examples used to illustrate the case study in
Section 3 an ASCII syntax is used.
Since the case study of this paper uses the VDM++ real-time extension VICE, a
more in-depth description of this extension is needed. The notion of active and passive
classes is a part of the concurrent version of VDM++, but it is used extensively in
VICE as well. An active class has its own thread of control whereas a passive class is
manipulated from one of the active classes in the system. A thread can either run as a
sequence of statements (which may terminate at some point, or run indefinitely) or run
periodically. A new thread is generated each time the constructor is invoked, but it must
be started explicitly using the keyword start.
In order to describe distribution in VICE, two predefined classes BUS and CPU
are available in a special kind of class called a system. Instances of classes can be
deployed on a CPU,and communicates directly with other active instances of classes
either deployed on the same CPU, or over a BUS to active instances of classes deployed
on other CPUs. It is possible to specify the speed of a CPU along with its scheduling
39
mechanism such as ”First Come First Served” or ”Fixed Priority”. If the latter schedul-
ing mechanism is chosen, individual active classes deployed on the CPU get a priority
and is served based on this priority. In a similar way, the type of BUS along with its
bandwidth can be specified.
The notion of time is made very explicit in VICE. A special keyword time is
available, which represents the current elapsed time. Every operation call or other com-
putations have a default time for it, but this default time can be changed by the model
designer. This can be done by using the keywords duration or cycles. The former
describes a fixed time, whereas the later describes a time relative to the speed of the
CPU executing the operation.
Finally, operations can be specified as asynchronous in VICE, which allows the
caller to resume its own thread right after the call it invoked.
3 Web Server Case Study
Developing software systems using a distributed architecture can improve system per-
formance, reliability and scalability. There are many challenges to overcome when de-
signing a distributed system in order to ensure accessibility and general quality of ser-
vice of the system. As an example of a distributed system, a data collection web server
is chosen, where multiple clients connect to a central server that collects all the data
from the clients.
Fig. 1. Distributed Data Collection System
When designing a networked system like the distributed data collector, there are
several desirable non-functional requirements that needs to be fulfilled. Two of the more
important requirements are:
Performance: When the system is adapting to a greater strain from connecting clients,
the performance of the server should not be compromised.
Accessibility: The server should always be accessible, so that all clients are always
able to deliver their data.
40
The web server in this case study makes use of three ”POSA2” patterns [5] in order
to create a well documented and proven solution to these design challenges. The fol-
lowing three subsections give a theoretical overview of these three patterns, and Section
3.4 gives a brief description of the VDM model of the web server combining these three
patterns.
3.1 Half-sync/half-async
”The Half-sync/half-async architectural pattern decouples asynchronous and synchro-
nous service processing in concurrent systems, to simplify programming without unduly
reducing performance. The pattern introduces two intercommunicating layers, one for
asynchronous and one for synchronous service processing”[5].
Fig. 2. UML class diagram of the Half-sync/half-async pattern
The asynchronous service processing are usually short-lived low-level operations
like reading incoming requests from a socket, while the synchronous processing is more
long-lived, like processing the requests. In between the two layers is another passive
queueing layer which decouples the synchronous and asynchronous layers.
Concurrency is added to the pattern by having a single asynchronous entry point
which adds all incoming requests to the Queue, from which the Synchronous Services
(running in separate threads) process the requests. The main advantage of this pattern is
that it enables the server to process multiple requests simultaneously, and still maintain
a simple entry point into the application.
The implementation of the Half-sync/half-async pattern helps to increase perfor-
mance of the system, because several Synchronous Services can handle requests in
41
parallel running threads. At the same time, the system maintain the ability to accept
new requests because the Asynchronous Service is not tied up in handling requests.
The External Event Source can supply the system with new input via the operation
AddInput defined in the Asynchronous Service.
class AsyncService
instance variables
private inputBuffer : seq of TypeDef‘message := [];
private queue : Queue := Queue‘GetInstance();
operations
async public AddInput: TypeDef‘message ==> ()
AddInput(msg) ==
inputBuffer := inputBuffer ˆ [msg];

 
The active class AsyncService periodically tries to read from the input buffer, and
following this adds it to its queue, which is a singleton instance of the Queue class.
The two operations AddInput and GetInput are guarded by a mutual exclusion
permission predicate (mutex) in order to ensure synchronised access to the shared
resource inputBuffer. GetInput retrieves the next message from the queue. A
precondition ensures that the queue is not empty when trying to read a message from it.
This operation is just as simple as AddInput and is hence omitted.
operations
private PeriodicTask: () ==> ()
PeriodicTask() ==
if len inputBuffer > 0
then let msg : TypeDef‘message = GetInput()
in
queue.AddMessage(msg);
sync
mutex(AddInput, GetInput);
thread
periodic(800,0,0,0)(PeriodicTask)

 
In the periodic thread it is possible to specify the length of the period along with
jitter, delay and offset. The offset parameter describes how long the process is delayed
the first time it executes. Jitter describes the amount of inaccuracy in the length of the
period, and the delay determines the maximum allowed delay before a process should
be executed. In order to simplify the case study, only the length of the period is used.
The Queue reads the content of the new message, in order to determine which Syn-
chronous Service needs to be notified. A demultiplexing table manages sets of client
ID and Synchronous Services, so that the incoming messages can be dispatched to the
correct service. The demultiplexing table is modelled as a map in the VDM model.
42

class Queue
operations
public AddMessage: TypeDef‘message ==> ()
AddMessage(msg) ==
(if msg.type = <DataA>
then(AddMessageA(msg);
DemuxTable.GetSyncService(msg).Notification();)
...
);

 
The notification of a Synchronous Service is modelled as a simple counter, which
is increased at each notification. After the service has handled the request, this counter
is decreased again using the operation DecreaseNotification. This ensures that
the service always knows the amount of unhandled requests.
class SyncServiceA
instance variables
private notifications : nat := 0;
operations
async public Notification: () ==> ()
Notification() ==
notifications := notifications + 1;

 
The Synchronous Services are active classes running in periodic threads. If a Syn-
chronous Service has been notified, it will read the message from the Queue class, and
handle the new message. In order to model the time it takes to handle a certain message
relative to the speed of the CPU, the keyword cycles has been used.
private PeriodicTask: () ==> ()
PeriodicTask() ==
if GetNumberOfNotifications() > 0
then let msg : TypeDef‘message = Queue.GetMessageA()
in
(HandleMessage(msg);
DecreaseNotifications());
private HandleMessage: TypeDef‘message ==> ()
HandleMessage(msg) ==
cycles(35E6)
skip;
thread
periodic(1000,0,0,0)(PeriodicTask)

 
43
Since the actual functionality of the message handling is not important in this model,
it has been completely abstracted away. This is done using the keyword skip. By
specifying the number of cycles needed for the message handling, the model designer
can simulate the time spent without modelling any of the functionality of the operation.
This clearly shows one of the main advantages of formal models - namely the option of
abstracting unnecessary details away.
3.2 Reactor
”The Reactor architectural pattern allows event-driven applications to demultiplex
and dispatch service requests that are delivered to an application from one or more
clients”[5].
Fig. 3. UML class diagram of the Reactor pattern
The basic functionality of the Reactor pattern is as follows: The Reactor waits for
incoming connections on the Synchronous Event Demultiplexer, which is done by call-
ing the synchronous low-level operating system method select(). Upon return of this
method a list of active handles/sockets are returned. The Reactor will dispatch active
requests to a series of Event Handlers who in turn gains ownership of the active handles.
The active handles are associated with a certain Event Handler by registering handlers
(and handles) in the Reactor.
The Reactor pattern helps to ensure the accessibility of the server, since the main
responsibility of the Reactor class is to quickly demultiplex incoming requests to Event
Handlers. This ensures that the Reactor is ready to receive new requests, while the Event
Handlers handles previous requests.
In order to simplify the model it was chosen to abstract the lower level operating
system calls away, along with the notion of handles. This makes the Reactor pattern
quite simple to model, and all of the classes share functionality of other classes from
the Half-sync/half-async pattern. The Reactor is modelled similar to the Asynchronous
Service, and the Concrete Event Handlers are modelled similar to the Synchronous
Services. The Reactor uses a DemuxTable in order to demultiplex the incoming requests
to the correct Concrete Event Handler. Whenever a new connection has been made, the
44
Event Handler is registered in the DemuxTable, where the handle (or client ID in this
case study) is mapped to the Concrete Event Handler.
class DemuxTable
instance variables
public EventHandlerMap: map nat to EventHandler;
operations
public RegisterHandler: nat * EventHandler ==> ()
RegisterHandler(id, eh) ==
EventHandlerMap := EventHandlerMap munion {id |-> eh}
pre id not in set dom EventHandlerMap;

 
3.3 Acceptor
”The Acceptor/Connector design pattern decouples the connection and initialization of
cooperating peer services in a networked system from the processing performed by the
peer services after they are connected and initialized”[5].
Fig. 4. UML class diagram of the Acceptor pattern
Since this case study only focusses on the data collection server, only the acceptor
part of this pattern is modelled.
The central Dispatcher (in this case an instance of the Reactor described in Section
3.2) dispatches incoming requests to either the Acceptor (new incoming connections)
45
or one of the Service Handlers (the Event Handlers described in Section 3.2). Once
the new connection has been made, the opened handle is used by one of the Service
Handlers activated by the Acceptor. This separation is desirable since the functionality
required when creating a new connection differs greatly from the functionality required
for the following service handling.
This pattern expands the Reactor pattern described earlier but can be used in many
different applications even without this pattern. If an incoming message is a new con-
nection from a new client, the Acceptor is notified by the Dispatcher, and during the
periodic thread execution the Acceptor reads the message. The notification counter is
decreased and the new connections is handled.
class Acceptor
operations
private PeriodicTask: () ==> ()
PeriodicTask() ==
if GetNumberOfNotifications() > 0
then let msg : TypeDef‘message = ReadMsg()
in
(DecreaseNotifications();
HandleConnection(msg));
thread
periodic(1000,0,0,0)(PeriodicTask)

 
The Acceptor subsequently reads the content of the message in order to determine
which type of client data it contains. A new instance of the correct Concrete Ser-
vice Handler is created and the thread is activated by the Acceptor using the keyword
start.
private HandleConnection: TypeDef‘message ==> ()
HandleConnection(msg) ==
cycles(35E6)
if msg.dataType = <DataA>
then start(new ConcreteHandlerA(msg.clientID))
...

 
When a new Concrete Service Handler is created, it registers itself in the demulti-
plexing table, mapping the client ID of the incoming request to itself. This table is used
by the Reactor just as described in Section 3.1.
class ConcreteHandlerA
operations
public ConcreteHandlerA: nat ==> ConcreteHandlerA
ConcreteHandlerA(id) ==
(ID := id;
DemuxTable.RegisterHandler(id, self));

 
46
3.4 Combining the patterns
Fig. 5. UML class diagram of the web server
One of the most considerable challenges when using several design patterns, is com-
bining these patterns into a homogeneous pattern language [5]. The patterns should be
weaved together in such a way that it is still clear where the individual patterns are repre-
sented, but without duplicating functionality in several classes. By abstracting low-level
operating system calls, memory management etc. away, the model designer can focus
on the structure of the system, and how the different patterns should be combined in a
meaningful way. This is exactly what was done in the case study of this article, where
the notion of handles have been abstracted away in order to keep focus on the system
architecture. This is an important point that Schmidt et al. [5] have missed completely.
In contrast they claim that ”...the formalisms used to specify patterns are often large
and complex, which makes them hard to understand and use.”. Based on the simple
case study in this article we respectfully disagree with this statement.
As described in Section 2 the real-time extension of VDM++ called VICE intro-
duces the notion of CPU and BUS in order to enable the model design to create formal
models of distributed systems. This makes it very simple to try out different distribu-
tion strategies on a model level, and make a solid cost/benefit analysis of these different
strategies.
Figure 6 shows two examples of alternative system architectures which could be
interesting to explore. Example (a) utilises a single CPU executing 33 million instruc-
47
tions per second (MIPS) where the entire web server is deployed, whereas example (b)
uses two CPUs executing 22 and 11 MIPS connected by a BUS with a bandwidth of
72kbps. The Event Handlers are deployed on the fast CPU, since they require the most
computing power.
Fig. 6. Examples of alternative system architectures
In order to exemplify distribution in VICE, example (b) is shown below. The CPUs
and the BUS are modelled in a special system class called WS as an abbreviation
for ”web server”. Since the Acceptor creates all the concrete event handlers, these are
automatically deployed on the CPU running the Acceptor.
system WS
instance variables
cpu1 : CPU := new CPU(<FCFS>, 22E6);
cpu2 : CPU := new CPU(<FCFS>, 11E6);
bus1 : BUS := new BUS(<FCFS>, 72E3, {cpu1, cpu2});
public static Acceptor : Acceptor := new Acceptor();
public static Reactor : Reactor := new Reactor();
operations
public WS: () ==> WS
WS() ==
(cpu2.deploy(Reactor);
cpu1.deploy(Acceptor));

 
An Eclipse plug-in called ”showtrace” can display execution traces graphically en-
abling the system architect to inspect the behaviour of the system. This tool was used
in order to inspect the two examples, and compare the execution traces.
The comparison in Figure 7 clearly shows the advantage of using two CPUs: The
Reactor running on cpu2 can read new incoming requests while the Event Handlers
running on cpu1 can continue handling previous requests.
For a system architect it is a huge advantage to be able to simulate different distribu-
tion strategies compared to trying out the same strategies on target candidate hardware.
A system architect can use this in order to find any potential bottlenecks in the system
48
Fig. 7. Showtrace comparison of the two examples
design. Different distribution strategies can be benchmarked against each other with-
out having to deploy any code to the target platforms. Since the ”POSA2” patterns are
designed to solve design problems in concurrent and networked systems, the ability to
make this kind of analysis can be an invaluable tool.
4 Related Work
Several approaches has been proposed to formally specify design patterns by using
predefined formal languages or using proprietary notations.
Alencar et al. [2] uses the Abstract Data View concept in order to formalise a wide
range of ”Gang of Four” patterns [4] as well as some more general design patterns like
the ”Pipes and Filters”. The main focus of the paper is to reason about the design of
these patterns as well as formally proving their properties.
Lano et al. [1] makes use of the Object Calculus as a semantic framework in order
to formally prove that various design patterns applies a refinement transformation to a
system. Their focus is on proving that a system maintains its original functionality after
a design pattern has been applied. This has been proven for a large range of the ”Gang
of Four” patterns [4].
Lauder and Kent [13] uses a visual notation in order to precisely describe the
essence of design patterns. By using three different types of diagrams they create a very
general yet very precise description of the chosen design pattern: ”Abstract Factory”
[4].
Rauf et al. [3] formalises several of the ”Gang of Four” patterns [4] using Object-Z.
The role of each design pattern is formulated into a ” role meta-model”, which is further
utilised in the formalisation of the pattern.
All of these papers focus on formalising one or more of the ”Gang of Four” patterns
[4]. None of these papers address patterns suited for concurrent and networked systems,
though, which is the main contribution of this paper.
Mikkonen [14] uses the ”DisCo method” to formalise the ”Mediator” and ”Ob-
server” patterns [4]. DisCo is a specification method which enables the developer to
49
specify and model interactions at a high level of abstraction. The main focus of the
paper is combining the two patterns into a homogeneous system.
Taibi [15] uses the pattern composition process of the ”Balanced Pattern Specifica-
tion Language” (BPSL) in order to combine the ”Observer” and ”Mediator” pattern [4].
The purpose of BPSL is to guide software designers in deciding when and how to use
design patterns. The main result of Taibis work was developing a composition process
which systematically can compose existing BPSL specifications.
Again, the ”Gang of Four” patterns [4] are in focus in these two papers and con-
currency issues in networked systems are not addressed. Instead, both papers describe
how two or more formalised design patterns can be combined. It would be interesting to
make use of similar approaches in order have a more formal approach to combining the
”POSA2” patterns [5] used in the case study of this paper, without introducing semantic
inconsistencies.
5 Concluding Remarks
Most of the ”Gang of Four” patterns [4] have been widely accepted in the software in-
dustry and have been applied to a diverse range of software applications. The ”POSA2”
patterns [5], and especially the combination of several of these, are more complex both
in their structure and functionality. In order to gain confidence in the chosen patterns
and their functionality, a high level formal model as the one shown in the case study
of this article can be a great tool. Greater confidence in the use of these more complex
design patterns can help to increase the acceptance of them in the software industry.
Some of the ”POSA2” patterns such as the ”Component Configurator” [5] utilises
dynamic loading of external libraries (DLL). A similar functionality is not directly
available in VDM++, but attempts have been made in order to combine VDM models
with C++ legacy code [16]. This approach enables the model designer to dynamically
extend a formal model in a similar way as software applications makes use of DLLs.
This extension is outside the formal world though, and hence got no guarantee for se-
mantics of this part.
Formalising design patterns should not only be seen as an attempt to create a general
formal representation of the given pattern, but also as a tool used in order to improve
system design and implementation quality. Schmidt et al. [5] also acknowledges this
use of formalising instances of patterns, instead of attempting to create a general formal
specification of the design patterns.
Formalising instances of design patterns for concurrent and networked systems is
generally applicable to other formalisms where it is possible to express object-oriented
structures. VICE is unique when it comes to modelling distributed systems though.
Since distribution is a core part of networked systems, VICE has some major advantages
over many other formal languages when one wishes to experiment with the capacity of
different execution units.
Acknowledgements Thanks are due to Peter Gorm Larsen for discussions on the main
focus of this paper as well as many other issues related to this paper.
50
References
1. Kevin Lano, J.B., Goldsack, S.: Formaling design patterns. In: Northern Formal Methods
Workshop, Springer-Verlag (September 1996)
2. P.S.C.A˜lencar, D.C., Lucena, C.: A Formal Approach to Architectureal Design Patterns.
In Gaudel, M.C., Woodcock, J., eds.: FME’96: Industrial Benefit and Advances in Formal
Methods, Springer-Verlag (March 1996) 576–594
3. Irum Rauf, A.N., Khokhar, M.: Formalizing object oriented design patterns with object-z.
10th IEEE International Multitopic Conference (December 2006) 269–274
4. E.Gamma, R.Helm, R., J.Vlissides: Design Patterns. Elements of Reusable Object-Oriented
Software. Addison-Wesley Professional Computing Series. Addison-Wesley Publishing
Company (1995)
5. Douglas Schmidt, Michael Stal, H.R., Buschmann, F.: Pattern-Oriented Software Architec-
ture Volume 2 - Pattern for Concurrent and Networket Objects. First edn. Wiley (2000)
6. Mukherjee, P., Bousquet, F., Delabre, J., Paynter, S., Larsen, P.G.: Exploring Tim-
ing Properties Using VDM++ on an Industrial Application. In Bicarregui, J., Fitzger-
ald, J., eds.: Proceedings of the Second VDM Workshop. (September 2000) Available at
www.vdmportal.org.
7. Verhoef, M., Larsen, P.G.: Enhancing VDM++ for Modeling Distributed Embedded Real-
time Systems. Technical Report (to appear), Radboud University Nijmegen (March 2006) A
preliminary version of this report is available on-line at http://www.cs.ru.nl/∼marcelv/vdm/.
8. Larsen, P.G., Fitzgerald, J., Wolff, S.: The process of developing distributed real-time sys-
tems using vdm/vice,. Submitted for journal publication (January 2009)
9. J. S. Fitzgerald and P. G. Larsen and M. Verhoef: Vienna development method. Wiley
Encyclopedia of Computer Science and Engineering (2008) edited by Benjamin Wah, John
Wiley & Sons, Inc.
10. P. G. Larsen and B. S. Hansen and H. Brunn N. Plat and H. Toetenel and D. J. Andrews and
J. Dawes and G. Parkin and others: Information technology – Programming languages, their
environments and system software interfaces – Vienna Development Method – Specification
Language – Part 1: Base language (December 1996)
11. Verhoef, M., Larsen, P.G., Hooman, J.: Modeling and Validating Distributed Embedded
Real-Time Systems with VDM++. In Misra, J., Nipkow, T., Sekerinski, E., eds.: FM 2006:
Formal Methods, Lecture Notes in Computer Science 4085 (2006) 147–162
12. Fitzgerald, J., Larsen, P.G., Sahara, S.: VDMTools: advances in support for formal modeling
in VDM. Volume 43. (February 2008) 3–11
13. Lauder, A., Kent, S.: Precise visual specification of design patterns. In: Proceedings of
ECOOP ’98, Springer-Verlag (1998) 114–134
14. Mikkonen, T.: Formalizing Design Patterns. In: Proceedings of the 1998 International Con-
ference on Software Engineering, IEEE (1998) 115–124
15. Taibi, T.: Formalising Design Patterns Composition. In: IEE Proceedings - Sofwtare, IEEE
(June 2006) 127–136
16. Fro¨hlich, B., Larsen, P.G.: Combining VDM-SL Specifications with C++ Code. In Gaudel,
M.C., Woodcock, J., eds.: FME’96: Industrial Benefit and Advances in Formal Methods,
Springer-Verlag (March 1996) 179–194
51
