Introducing Data Decomposition into VDM for Tractable
Development of Programs
(Institute of Computer Software, Nanjing University, Nanjing 210093, P.R. China)
Formal program development by VDM comprises not only data reifications from an abstract model to
a concrete model but also suitable operation decompositions. Usually these two kinds of development steps
are done independently, in the order "operation decomposition after data reification". Furthermore,
data reifications and operation decompositions are based on the whole model, because no model split is
allowed. If, however, larger specifications are aimed at, it is very important to provide support for model
split and to interweave it suitably with data reification and operation decomposition. In this paper we
introduce a new concept, data decomposition, which is based on the ideas of model split, modularisation
and operation decomposition, and combine it with VDM to form a more general formal development
method, DD-VDM. As a result, a more flexible development strategy can be adopted and the development
complexity can be effectively controlled.
VDM is denotational and model-based [11131171. It embraces formal specification and verified design.
The formal specification comprises: (1) a definition of the set of states (normally including invariants); (2)
a definition of the possible initial states (often exactly one); (3) a collection of operations whose external
variables are part of the state. Usually the state space (i.e. the set of states) is described using very
abstract, mathematically oriented data types such as sets, sequences and mappings. Each operation is
described by a pair of predicates: the pre-condition and the post-condition. For an operation to be valid,
the satisfiability rule must be met: for every state that satisfies the invariant and the pre-condition, some
state satisfying the invariant and the post-condition must exist. The verified design includes data reification
and operation decomposition. In data reification, certain design decisions are made and a reified (concrete)
model is produced. Then a retrieve function, which relates the concrete states to the abstract states, is given. The reified
specification (i.e. the specification on the reified model) can then be shown to satisfy the abstract specification
(i.e. the specification on the abstract model) by discharging proof obligations such as the Adequacy rule for
states and the Domain and Result rules for operations. The reified specification becomes the abstract
specification for the next step in the development, and the process is continued until a model is reached
which is expressed in the implementation language. At this stage, however, the operations are still only
specified: their pre- and post-conditions say what should be done and not how to do it, and post-conditions are
not, in general, executable. Thus a procedure of operation decomposition is necessary. Operation
decomposition develops implementations (of the operations) in terms of the primitives available in
the language and its support software.
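To make the reification step concrete, the following added example (not from the paper; the models, operation and element universe are constructed for illustration) writes down a small abstract model (a set), a reified model (a duplicate-free sequence with that property as its invariant), the retrieve function between them, and then checks the Adequacy, Domain and Result obligations, together with the satisfiability rule, exhaustively over a three-element universe. In VDM these obligations are discharged by proof; here, because the universe is finite, they can simply be evaluated. A second, hypothetical concrete pre-condition that adds a capacity limit is included to show how a design decision that strengthens the pre-condition makes the Domain rule fail.

```python
from itertools import combinations, permutations

# Constructed element type: a tiny finite universe so every obligation can be
# checked by enumeration instead of proof.
UNIVERSE = (0, 1, 2)


# ----- Abstract model: the state is a set of elements -----------------------
def abs_states():
    """All abstract states (every subset of UNIVERSE)."""
    for k in range(len(UNIVERSE) + 1):
        for comb in combinations(UNIVERSE, k):
            yield frozenset(comb)


def abs_inv(s):
    return True  # the abstract set has no further invariant


def abs_pre_add(s, e):
    return e not in s  # ADD(e) is only defined when e is absent


def abs_post_add(s, e, s2):
    return s2 == s | {e}  # the new state is the old set extended by e


# ----- Concrete (reified) model: the state is a duplicate-free sequence ------
def conc_states():
    """All candidate concrete states (every sequence over UNIVERSE without repeats)."""
    for k in range(len(UNIVERSE) + 1):
        for perm in permutations(UNIVERSE, k):
            yield tuple(perm)


def conc_inv(q):
    return len(q) == len(set(q))  # invariant: no duplicate elements


def retr(q):
    """Retrieve function: maps a concrete sequence back to the abstract set."""
    return frozenset(q)


def conc_pre_add(q, e):
    return e not in q


def conc_post_add(q, e, q2):
    return q2 == q + (e,)  # implementation decision: append at the end


def conc_pre_add_bounded(q, e):
    # Hypothetical flawed design decision: the sequence may hold at most 2
    # elements. This is stronger than the abstract pre-condition.
    return e not in q and len(q) < 2


def check_obligations(pre_c, post_c):
    """Evaluate the VDM proof obligations for ADD over the finite universe.

    adequacy:       every abstract state is retr() of some valid concrete state
    domain:         pre_A(retr(c), e)  =>  pre_C(c, e)
    result:         pre_A(retr(c), e) and post_C(c, e, c')  =>  post_A(retr(c), e, retr(c'))
    satisfiability: pre_C(c, e)  =>  exists c' with inv_C(c') and post_C(c, e, c')
    """
    conc = [q for q in conc_states() if conc_inv(q)]
    abst = [s for s in abs_states() if abs_inv(s)]

    adequacy = all(any(retr(q) == s for q in conc) for s in abst)
    domain = all(pre_c(q, e)
                 for q in conc for e in UNIVERSE
                 if abs_pre_add(retr(q), e))
    result = all(abs_post_add(retr(q), e, retr(q2))
                 for q in conc for e in UNIVERSE for q2 in conc
                 if abs_pre_add(retr(q), e) and pre_c(q, e) and post_c(q, e, q2))
    satisfiable = all(any(conc_inv(q2) and post_c(q, e, q2) for q2 in conc_states())
                      for q in conc for e in UNIVERSE
                      if pre_c(q, e))
    return {"adequacy": adequacy, "domain": domain,
            "result": result, "satisfiability": satisfiable}


if __name__ == "__main__":
    print("append-based ADD:", check_obligations(conc_pre_add, conc_post_add))
    print("capacity-limited ADD:", check_obligations(conc_pre_add_bounded, conc_post_add))
```

The Domain rule is the one that catches the capacity-limited variant: the abstract specification promises that ADD(2) is defined on the set {0, 1}, but the concrete pre-condition refuses it for the sequence (0, 1). The Result rule still holds for that variant, since whatever the restricted operation does is correct; the failure is that it does less than the abstract model allows.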
The following observations can be made about VDM.