mirror of
				https://github.com/smyalygames/checklist-tester.git
				synced 2025-10-25 14:57:40 +02:00 
			
		
		
		
	refactor(dissertation): cleanup VDM model
This commit is contained in:
		
							parent
							
								
									443255342c
								
							
						
					
					
						commit
						19aaeedf27
					
				| @ -35,7 +35,6 @@ types | |||||||
|     --@doc The state a switch can be in |     --@doc The state a switch can be in | ||||||
|     SwitchState = <OFF> | <MIDDLE> | <ON>; |     SwitchState = <OFF> | <MIDDLE> | <ON>; | ||||||
| 
 | 
 | ||||||
| 	--@LF why have a type kist as a rename? |  | ||||||
|     ItemState = SwitchState; --@TODO | Button | ... |     ItemState = SwitchState; --@TODO | Button | ... | ||||||
| 
 | 
 | ||||||
|     --@doc A switch, with the possible states it can be in, and the state that it is in |     --@doc A switch, with the possible states it can be in, and the state that it is in | ||||||
| @ -93,10 +92,8 @@ types | |||||||
| 
 | 
 | ||||||
|     --@doc Item of a checklist, e.g. Landing gear down |     --@doc Item of a checklist, e.g. Landing gear down | ||||||
|     ChecklistItem :: |     ChecklistItem :: | ||||||
|         --@LF again, empty string here doesn't make sense. |  | ||||||
|         procedure : Dataref |         procedure : Dataref | ||||||
|         type : ItemType |         type : ItemType | ||||||
|         --TODO Check is not only SwitchState |  | ||||||
|         check : SwitchState |         check : SwitchState | ||||||
|         checked : bool; |         checked : bool; | ||||||
| 
 | 
 | ||||||
| @ -107,15 +104,12 @@ types | |||||||
|         inv i == i.item.type = i.checklistItem.type; |         inv i == i.item.type = i.checklistItem.type; | ||||||
| 
 | 
 | ||||||
|     --@doc A section of a checklist, e.g. Landing Checklist |     --@doc A section of a checklist, e.g. Landing Checklist | ||||||
|     --@LF shouldn't this be non-empty? What's the point to map a checklist name to an empty procedure? Yes. |  | ||||||
|     Procedure = seq1 of ChecklistItem |     Procedure = seq1 of ChecklistItem | ||||||
|         inv p ==  |         inv p ==  | ||||||
|             --@LF the "trick" for "false not in set S" is neat. It forces a full evaluation, rather than short circuited (i.e. stops at first false). |  | ||||||
|             --    I presume this was intended. |  | ||||||
|             false not in set {  |             false not in set {  | ||||||
|                 let first = p(x-1).checked, second = p(x).checked in  |                 let first = p(x-1).checked, second = p(x).checked in  | ||||||
|                 	--@LF boolean values don't need equality check |                 	--@LF boolean values don't need equality check | ||||||
|                     second => first--((first = true) and (second = false)) |                     second => first | ||||||
|                 | x in set {2,...,len p}}; |                 | x in set {2,...,len p}}; | ||||||
| 
 | 
 | ||||||
| functions | functions | ||||||
| @ -123,36 +117,16 @@ functions | |||||||
|     --@doc Finds the index of the next item in the procedure that needs to be completed |     --@doc Finds the index of the next item in the procedure that needs to be completed | ||||||
|     procedure_next_item_index: Procedure -> nat1 |     procedure_next_item_index: Procedure -> nat1 | ||||||
|     procedure_next_item_index(p) == |     procedure_next_item_index(p) == | ||||||
|         hd [ x | x in set {1,...,len p} & not p(x).checked ]--p(x).checked = false] |         hd [ x | x in set {1,...,len p} & p(x).checked = false ] | ||||||
|     pre |     pre | ||||||
|         -- Checks procedure has not already been completed |         -- Checks procedure has not already been completed | ||||||
|         not procedure_completed(p)--procedure_completed(p) = false |         procedure_completed(p) = false | ||||||
|     post |     post | ||||||
|     	-- Checks that the index of the item is the next one to be completed |     	-- Checks that the index of the item is the next one to be completed | ||||||
|         --@LF your def is quite confusing (to me) |  | ||||||
|         --@LF how do you know that RESULT in inds p? Well, the definition above okay. |  | ||||||
|         --    but you can't know whether p(RESULT-1) will! What if RESULT=1? p(RESULT-1)=p(0) which is invalid! |  | ||||||
|         (not p(RESULT).checked) |         (not p(RESULT).checked) | ||||||
|     	and  |     	and  | ||||||
|     	(RESULT > 1 => p(RESULT-1).checked) |     	(RESULT > 1 => p(RESULT-1).checked); | ||||||
|         --p(RESULT).checked = false |  | ||||||
|         --and if RESULT > 1 then  |  | ||||||
|         --    p(RESULT-1).checked = true |  | ||||||
|         --else  |  | ||||||
|         --    true |  | ||||||
|         ; |  | ||||||
| 
 | 
 | ||||||
|     -- --@doc Checks if all the procedures have been completed |  | ||||||
|     -- check_all_proc_completed: Checklist -> bool |  | ||||||
|     -- check_all_proc_completed(c) == |  | ||||||
|     --     false not in set { procedure_completed(c(x)) | x in set {1,...,len c} }; |  | ||||||
| 
 |  | ||||||
|     -- --@doc Gives the index for the next procedure to complete |  | ||||||
|     -- next_procedure: Checklist -> nat1 |  | ||||||
|     -- next_procedure(c) == |  | ||||||
|     --     hd [ x | x in set {1,...,len c} & not procedure_completed(c(x))] |  | ||||||
|     -- post |  | ||||||
|     --     RESULT <= len c; |  | ||||||
| 
 | 
 | ||||||
|     --@doc Checks if the procedure has been completed |     --@doc Checks if the procedure has been completed | ||||||
|     procedure_completed: Procedure -> bool |     procedure_completed: Procedure -> bool | ||||||
| @ -162,19 +136,13 @@ functions | |||||||
|     --@doc Checks if the next item in the procedure has been completed |     --@doc Checks if the next item in the procedure has been completed | ||||||
|     check_proc_item_complete: Procedure * Aircraft -> bool |     check_proc_item_complete: Procedure * Aircraft -> bool | ||||||
|     check_proc_item_complete(p, a) == |     check_proc_item_complete(p, a) == | ||||||
|         --@LF here you have a nice lemma to prove: procedure_next_item_index(p) in set inds p!  |  | ||||||
|         --	  I think that's always true |  | ||||||
|         let procItem = p(procedure_next_item_index(p)), |         let procItem = p(procedure_next_item_index(p)), | ||||||
|         	--@LF here you can't tell whether this will be true? i.e. procItem.procedure in set dom a.items? |  | ||||||
|             item = a.items(procItem.procedure) in |             item = a.items(procItem.procedure) in | ||||||
|              |  | ||||||
|             --TODO need to be able to check for different types of Items |  | ||||||
|             procItem.check = item.object.position |             procItem.check = item.object.position | ||||||
|     pre |     pre | ||||||
|         procedure_completed(p) = false |         procedure_completed(p) = false | ||||||
|         --@LF perhaps add  |         and | ||||||
|         --and |         p(procedure_next_item_index(p)).procedure in set dom a.items | ||||||
|         --p(procedure_next_item_index(p)).procedure in set dom a.items?   |  | ||||||
|         ; |         ; | ||||||
| 
 | 
 | ||||||
|     --@doc Marks next item in procedure as complete |     --@doc Marks next item in procedure as complete | ||||||
| @ -226,7 +194,6 @@ functions | |||||||
|     --@doc Moves any type of Item |     --@doc Moves any type of Item | ||||||
|     move_item: ItemObject * ItemState -> ItemObject |     move_item: ItemObject * ItemState -> ItemObject | ||||||
|     move_item(i, s) == |     move_item(i, s) == | ||||||
|         -- if is_Switch(i) then (implement later) |  | ||||||
|             let switch: Switch = i.object in |             let switch: Switch = i.object in | ||||||
|                 if check_switch_onoff(switch) and (s <> <MIDDLE>) and switch.middlePosition then |                 if check_switch_onoff(switch) and (s <> <MIDDLE>) and switch.middlePosition then | ||||||
|                     mk_ItemObject(i.type, move_switch(move_switch(switch, <MIDDLE>), s)) |                     mk_ItemObject(i.type, move_switch(move_switch(switch, <MIDDLE>), s)) | ||||||
| @ -235,7 +202,6 @@ functions | |||||||
|     pre |     pre | ||||||
|         wf_item_itemstate(i, s) |         wf_item_itemstate(i, s) | ||||||
|         and not check_item_in_position(i, s); |         and not check_item_in_position(i, s); | ||||||
|         -- and wf_switch_move(i.object, s); |  | ||||||
| 
 | 
 | ||||||
|     --@doc Moves a specific switch in the aircraft |     --@doc Moves a specific switch in the aircraft | ||||||
|     move_switch: Switch * SwitchState -> Switch |     move_switch: Switch * SwitchState -> Switch | ||||||
| @ -260,7 +226,6 @@ functions | |||||||
|     --@doc Checks if the item is already in position for the desired state for that item |     --@doc Checks if the item is already in position for the desired state for that item | ||||||
|     check_item_in_position: ItemObject * ItemState -> bool |     check_item_in_position: ItemObject * ItemState -> bool | ||||||
|     check_item_in_position(i, s) == |     check_item_in_position(i, s) == | ||||||
|         -- if is_Switch(i) then (implement later) |  | ||||||
|             i.object.position = s |             i.object.position = s | ||||||
|     pre |     pre | ||||||
|         wf_item_itemstate(i,s); |         wf_item_itemstate(i,s); | ||||||
| @ -268,10 +233,7 @@ functions | |||||||
|     --@doc Checks if the Item.object is the same type for the ItemState |     --@doc Checks if the Item.object is the same type for the ItemState | ||||||
|     wf_item_itemstate: ItemObject * ItemState -> bool |     wf_item_itemstate: ItemObject * ItemState -> bool | ||||||
|     wf_item_itemstate(i, s) == |     wf_item_itemstate(i, s) == | ||||||
|         (is_Switch(i.object) and is_SwitchState(s) and i.type = <SWITCH>) |         (is_Switch(i.object) and is_SwitchState(s) and i.type = <SWITCH>); | ||||||
|         --TODO check that the item has not already been completed before moving item |  | ||||||
|         --TODO add other types of Items |  | ||||||
|         ; |  | ||||||
| 
 | 
 | ||||||
|     --@doc Checks if the move of the Switch is a valid |     --@doc Checks if the move of the Switch is a valid | ||||||
|     wf_switch_move: Switch * SwitchState -> bool |     wf_switch_move: Switch * SwitchState -> bool | ||||||
| @ -290,83 +252,3 @@ functions | |||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| end Checklist | end Checklist | ||||||
| 
 |  | ||||||
| /* |  | ||||||
| //@LF always a good idea to run "qc" on your model. Here is its output. PO 21 and 22 show a problem. |  | ||||||
| //@LF silly me, this was my encoding with the cases missing one pattern :-). I can see yours has no issues. Good. |  | ||||||
| 
 |  | ||||||
| > qc |  | ||||||
| PO #1, PROVABLE by finite types in 0.002s |  | ||||||
| PO #2, PROVABLE by finite types in 0.0s |  | ||||||
| PO #3, PROVABLE by finite types in 0.0s |  | ||||||
| PO #4, PROVABLE by finite types in 0.0s |  | ||||||
| PO #5, PROVABLE by finite types in 0.0s |  | ||||||
| PO #6, PROVABLE by finite types in 0.0s |  | ||||||
| PO #7, PROVABLE by finite types in 0.0s |  | ||||||
| PO #8, PROVABLE by finite types in 0.0s |  | ||||||
| PO #9, PROVABLE by finite types in 0.001s |  | ||||||
| PO #10, PROVABLE by finite types in 0.001s |  | ||||||
| PO #11, PROVABLE by direct (body is total) in 0.003s |  | ||||||
| PO #12, PROVABLE by witness s = mk_Switch(<MIDDLE>, true) in 0.001s |  | ||||||
| PO #13, PROVABLE by direct (body is total) in 0.001s |  | ||||||
| PO #14, PROVABLE by witness k = mk_Knob(1, [-2]) in 0.0s |  | ||||||
| PO #15, PROVABLE by direct (body is total) in 0.0s |  | ||||||
| PO #16, PROVABLE by witness t = 0 in 0.0s |  | ||||||
| PO #17, PROVABLE by direct (body is total) in 0.001s |  | ||||||
| PO #18, PROVABLE by witness t = mk_Throttle(0, 0) in 0.001s |  | ||||||
| PO #19, PROVABLE by direct (body is total) in 0.002s |  | ||||||
| PO #20, PROVABLE by witness i = mk_ItemObject(<KNOB>, mk_Knob(1, [-1])) in 0.002s |  | ||||||
| PO #21, FAILED in 0.002s: Counterexample: type = <BUTTON>, object = mk_Knob(1, [-1]) |  | ||||||
| Causes Error 4004: No cases apply for <BUTTON> in 'Checklist' (formal/checklist.vdmsl) at line 119:13 |  | ||||||
| ---- |  | ||||||
| ItemObject': total function obligation in 'Checklist' (formal/checklist.vdmsl) at line 118:13 |  | ||||||
| (forall mk_ItemObject'(type, object):ItemObject'! & |  | ||||||
|   is_(inv_ItemObject'(mk_ItemObject'!(type, object)), bool)) |  | ||||||
| 
 |  | ||||||
| PO #22, FAILED by direct in 0.005s: Counterexample: type = <BUTTON> |  | ||||||
| PO #23, PROVABLE by witness type = <KNOB>, object = mk_Knob(1, [-1]) in 0.002s |  | ||||||
| PO #24, PROVABLE by direct (body is total) in 0.001s |  | ||||||
| PO #25, PROVABLE by witness i = mk_ItemAndChecklistItem(mk_ItemObject(<KNOB>, mk_Knob(1, [-1])), mk_ChecklistItem([], <KNOB>, <MIDDLE>, true)) in 0.001s |  | ||||||
| PO #26, MAYBE in 0.003s |  | ||||||
| PO #27, MAYBE in 0.003s |  | ||||||
| PO #28, MAYBE in 0.002s |  | ||||||
| PO #29, PROVABLE by witness p = [mk_ChecklistItem([], <BUTTON>, <MIDDLE>, true)] in 0.001s |  | ||||||
| PO #30, MAYBE in 0.002s |  | ||||||
| PO #31, MAYBE in 0.001s |  | ||||||
| PO #32, MAYBE in 0.003s |  | ||||||
| PO #33, MAYBE in 0.002s |  | ||||||
| PO #34, MAYBE in 0.001s |  | ||||||
| PO #35, MAYBE in 0.002s |  | ||||||
| PO #36, MAYBE in 0.009s |  | ||||||
| PO #37, MAYBE in 0.008s |  | ||||||
| PO #38, MAYBE in 0.007s |  | ||||||
| PO #39, MAYBE in 0.009s |  | ||||||
| PO #40, MAYBE in 0.002s |  | ||||||
| PO #41, MAYBE in 0.001s |  | ||||||
| PO #42, MAYBE in 0.001s |  | ||||||
| PO #43, MAYBE in 0.002s |  | ||||||
| PO #44, MAYBE in 0.002s |  | ||||||
| PO #45, MAYBE in 0.003s |  | ||||||
| PO #46, MAYBE in 0.002s |  | ||||||
| PO #47, MAYBE in 0.002s |  | ||||||
| PO #48, MAYBE in 0.001s |  | ||||||
| PO #49, MAYBE in 0.001s |  | ||||||
| PO #50, MAYBE in 0.0s |  | ||||||
| PO #51, MAYBE in 0.0s |  | ||||||
| PO #52, MAYBE in 0.005s |  | ||||||
| PO #53, PROVABLE by trivial p in set (dom checklist) in 0.001s |  | ||||||
| PO #54, MAYBE in 0.006s |  | ||||||
| PO #55, MAYBE in 0.0s |  | ||||||
| PO #56, MAYBE in 0.001s |  | ||||||
| PO #57, MAYBE in 0.001s |  | ||||||
| PO #58, MAYBE in 0.001s |  | ||||||
| PO #59, MAYBE in 0.001s |  | ||||||
| PO #60, MAYBE in 0.001s |  | ||||||
| PO #61, MAYBE in 0.001s |  | ||||||
| PO #62, MAYBE in 0.0s |  | ||||||
| PO #63, PROVABLE by finite types in 0.001s |  | ||||||
| PO #64, PROVABLE by finite types in 0.001s |  | ||||||
| PO #65, PROVABLE by finite types in 0.001s |  | ||||||
| PO #66, MAYBE in 0.001s |  | ||||||
| >  |  | ||||||
| */ |  | ||||||
| @ -2,7 +2,6 @@ | |||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| \begin{document} | \begin{document} | ||||||
| \section{SQL Schemas} |  | ||||||
| \begin{listing}[!htbp] | \begin{listing}[!htbp] | ||||||
| \inputminted[ | \inputminted[ | ||||||
|   linenos, |   linenos, | ||||||
|  | |||||||
										
											Binary file not shown.
										
									
								
							| @ -80,6 +80,8 @@ | |||||||
| 
 | 
 | ||||||
| \author{Anthony Berg (200871682)\\ | \author{Anthony Berg (200871682)\\ | ||||||
| Supervisor: Leo Freitas\\\\ | Supervisor: Leo Freitas\\\\ | ||||||
|  | CSC3094 - BSc Computer Science (G400)\\ | ||||||
|  | Newcastle University\\\\ | ||||||
| Word Count: \wordcount} | Word Count: \wordcount} | ||||||
| \title{Testing Quick Reference Handbooks in Flight Simulators} | \title{Testing Quick Reference Handbooks in Flight Simulators} | ||||||
| 
 | 
 | ||||||
| @ -135,7 +137,7 @@ with areas of improvement for me throughout the project. | |||||||
| \chapter{Formal Model} | \chapter{Formal Model} | ||||||
| \subfile{chapters/appendix/formal.tex} | \subfile{chapters/appendix/formal.tex} | ||||||
| 
 | 
 | ||||||
| \chapter{Database} | \chapter{Database Schemas} | ||||||
| \subfile{chapters/appendix/database.tex} | \subfile{chapters/appendix/database.tex} | ||||||
| 
 | 
 | ||||||
| % References | % References | ||||||
|  | |||||||
		Loading…
	
	
			
			x
			
			
		
	
		Reference in New Issue
	
	Block a user
	 Anthony Berg
						Anthony Berg