The Why3 platform and languages provide a library of primitive data types. This library can be found on the tool web-site¹. We specialised it for the modeling of our type system. Table 7.3 gives the mapping between the concrete metaclasses of our type system metamodel, the corresponding type name, its containing theory and, where applicable, the standard Why3 type and theory it relies on.
Meta-class name | Why3 type name and theory | Why3 standard library theory
TBoolean | boolean_type from blocklibrary_scalar.Boolean | Bool.bool from bool.Bool
TRealSingle | tRealSingle from blocklibrary_scalar.RealSingle | real from real.RealInfix
TRealDouble | tRealDouble from blocklibrary_scalar.RealDouble | real from real.RealInfix
TRealInteger | tRealInteger from blocklibrary_scalar.RealInteger | int from int.Int
TString | string_type from blocklibrary_string.String | –

Table 7.3: Mapping between our type system and the Why3 types
Numeric data types definitions
The numeric data type definitions from the standard library are appropriate for our needs, so we decided to rely mostly on them in our implementation. TBoolean, TRealSingle and TRealDouble are thus directly mapped to existing standard Why3 types. The data type names follow the GeneAuto data types terminology.
In the TRealInteger metaclass, the value of an instance depends on the nBits and signed attributes. In dataflow languages like Simulink, the type system allows the use of specific definitions of integer data types. We distinguish between multiple implementations of the integer data type according to the number of bits required for their representation (8, 16 or 32) and whether they are signed or not. As an example of type definition, we give the declaration for a 32 bits signed TRealInteger in the SignedInt32 theory detailed in Listing 7.4. The RealInteger theory holds the definition of the TRealInteger data type as modeled in the data types metamodel, whereas the SignedInt32 theory is the concrete definition of the 32 bits signed integer. We add a predicate, limit_tRealSignedInt32, to the theory to constrain the allowed maximum and minimum values for an element of this type.
7.3. WHY3 LIBRARIES
library MinMaxExtractInv {
  type signed realInt TInt16 of 16 bits
  type realDouble TDouble
  type enum MinMaxFunction {Min, Max}
  blocktype MinMax {
    variant MinMaxParameters {
      parameter FunctionParam : MinMaxFunction
      parameter NbInputs : TInt16 { invariant ocl { NbInputs.value >= 1 } }
    }
    variant MinMaxInScalars extends MinMaxParameters {
      in data In1 : TDouble [1 .. *] { invariant ocl { In1->size() = NbInputs.value } }
    }
    variant MinMaxOutScalar {
      out data Out : TDouble
    }
    mode MinOutputScalarMultipleInputsScalars implements allof(MinMaxOutScalar, MinMaxInScalars) {
      modeinvariant ocl { NbInputs.value > 1 }
      modeinvariant ocl { FunctionParam.value = MinMaxFunction::Min }
      definition bal = compute_MinOutScalarMultipleInputsScalars {
        postcondition ocl { In1->forAll(i | i.value >= Out.value) }
        var res = In1[0].value;
        for (var i = 1; i < (size(In1)); i = i + 1) {
          if (res > In1[i].value) {
            res = In1[i].value;
          }
        }
        Out.value = res;
      }
      compute compute_MinOutScalarMultipleInputsScalars
    }
    mode MaxOutputScalarMultipleInputsScalars implements allof(MinMaxOutScalar, MinMaxInScalars) {
      modeinvariant ocl { NbInputs.value > 1 }
      modeinvariant ocl { FunctionParam.value = MinMaxFunction::Max }
      definition bal = compute_MaxOutScalarMultipleInputsScalars {
        postcondition ocl { In1->forAll(i | i.value <= Out.value) }
        var res = In1[0].value;
        for (var i = 0; i < (size(In1)); i = i + 1) {
          if (res < In1[i].value) {
            res = In1[i].value;
          }
        }
        Out.value = res;
      }
      compute compute_MaxOutScalarMultipleInputsScalars
    }
  }
}
theory RealInteger
  use import bool.Bool
  use import int.Int

  type tRealInteger
  constant nBits : int
  constant signed : bool
  constant max_RealInteger : int
end

theory SignedInt32
  use import int.Int
  use import bool.Bool

  constant nBits_signed_32 : int = 32
  constant signed_signed_32 : bool = True
  constant max_RealInteger_signed_32 : int = 2147483648
  type tRealSignedInt32 = int

  clone export RealInteger with
    constant nBits = nBits_signed_32,
    constant signed = signed_signed_32,
    constant max_RealInteger = max_RealInteger_signed_32,
    type tRealInteger = tRealSignedInt32

  predicate limit_tRealSignedInt32 (x : tRealSignedInt32) =
    (- max_RealInteger_signed_32) <= x <= (max_RealInteger_signed_32 - 1)
end

Listing 7.4: TRealInteger 32 bits signed definition in Why3
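The range predicate is the part of Listing 7.4 that does the verification work: an arithmetic result is only well typed if limit_tRealSignedInt32 holds for it, which is how a proof obligation detects an integer overflow before any code is generated. The following is an added example, not code from the thesis or from the Why3 libraries it describes: a Python model of the RealInteger theory's nBits and signed constants and of the limit predicate, generalised to the 8, 16 and 32 bits, signed or unsigned variants the text mentions. RealIntegerType, limit and check_op are our own names, and the unsigned bound is our assumption since Listing 7.4 only shows the signed 32 bits case.

```python
# Added example, not code from the thesis or from the Why3 libraries it
# describes: a Python model of the RealInteger theory's nBits / signed
# constants and of the limit_tRealSignedInt32 predicate of Listing 7.4,
# generalised to the 8-, 16- and 32-bit, signed or unsigned variants the
# text mentions. RealIntegerType, limit and check_op are our own names.
from dataclasses import dataclass
from typing import Callable, Tuple


@dataclass(frozen=True)
class RealIntegerType:
    """One concrete instance of the RealInteger theory (nBits, signed)."""
    n_bits: int
    signed: bool

    @property
    def max_real_integer(self) -> int:
        # Follows the convention max_RealInteger_signed_32 = 2147483648 = 2^31:
        # 2^(nBits-1) for a signed type, 2^nBits for an unsigned one (the
        # unsigned case is our assumption; Listing 7.4 does not show it).
        return 1 << (self.n_bits - 1) if self.signed else 1 << self.n_bits

    def limit(self, x: int) -> bool:
        """Counterpart of limit_tRealSignedInt32:
        -max <= x <= max - 1 for signed types, 0 <= x <= max - 1 for unsigned."""
        low = -self.max_real_integer if self.signed else 0
        return low <= x <= self.max_real_integer - 1


# The type of Listing 7.4 and two of the other variants named in the text.
SIGNED_INT32 = RealIntegerType(32, True)
SIGNED_INT16 = RealIntegerType(16, True)
UNSIGNED_INT8 = RealIntegerType(8, False)


def check_op(t: RealIntegerType, op: Callable[[int, int], int],
             a: int, b: int) -> Tuple[int, bool]:
    """Apply op to a and b as unbounded mathematical integers (the semantics
    of Why3's int, to which tRealSignedInt32 is mapped) and report whether
    the result still satisfies t.limit, i.e. whether a proof obligation that
    the result stays inside the type would hold for these operands."""
    if not (t.limit(a) and t.limit(b)):
        raise ValueError("operands must already satisfy the limit predicate")
    result = op(a, b)
    return result, t.limit(result)


if __name__ == "__main__":
    # 2147483647 + 1 leaves the signed 32-bit range: the predicate fails,
    # which is exactly the overflow a verifier would report.
    print(check_op(SIGNED_INT32, lambda a, b: a + b, 2147483647, 1))
    # 0 - 1 leaves the unsigned 8-bit range in the same way.
    print(check_op(UNSIGNED_INT8, lambda a, b: a - b, 0, 1))
```

The operation is evaluated on unbounded integers on purpose: the Why3 type tRealSignedInt32 is an alias of int, so wrap-around never happens in the model and the only thing that distinguishes a valid result from an overflow is whether the limit predicate holds afterwards.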
Interested readers can find our complete specification for data types in Appendix D.1.1.

String related data types definitions
At the time we implemented this part, the String data type was only available in the Why3 standard library as a WhyML module. For our purpose we needed to use it in theories as well. We therefore developed three theories:
• Char theory defining the tChar record type, the simple definition of a character as a record whose single field is an integer value named code. This code refers to the UTF8 table value of the corresponding character. This theory is detailed in Appendix D.1.3. We define two functions applicable to tChar typed elements:
– toLower_char : tChar → tChar returning the value of the parameter as a lower case character. Its attached lemmas define the conditions for its application: the operation applies only if the code value is between 32 and 90 (included).
– toUpper_char : tChar → tChar returning the value of the parameter as an upper case character. As previously, its attached lemmas define the conditions for its application.
• Utf8 theory containing the relevant UTF8 value mappings as constants. This theory is partly detailed in Appendix D.1.3.
• String theory containing the definition of the string_type type, composed of a list of tChar elements. The String theory is defined in Listings 7.5 and 7.6. We define two specific functions that can be used on string_type typed elements:
– concat : string_type → string_type → string_type returning the concatenation of the two parameters (detailed in Listing 7.5). This Why theory includes both the function definition and its formalisation through lemmas.
theory String
  (* see module string.String *)
  use import int.Int
  use import Char
  use import list.Length
  use import list.Append
  use import list.List
  use import list.Mem
  use import list.NthNoOpt
  use import blocklibrary_common.CommonFunctions

  type string_type = list tChar

  function concat (s1 s2: string_type) : string_type = s1 ++ s2

  lemma concat_length: forall s1, s2: string_type.
    length (concat s1 s2) = length s1 + length s2
  lemma concat_l_cons: forall s1, s2: string_type, c1: tChar.
    concat (Cons c1 s1) s2 = Cons c1 (concat s1 s2)
  lemma concat_r_cons: forall s1, s2: string_type, c1: tChar.
    concat s1 (Cons c1 s2) = concat (concat s1 (Cons c1 Nil)) s2
  lemma concat_l_nil: forall s1, s2: string_type.
    (s1 = Nil -> concat s1 s2 = s2)
  lemma concat_r_nil: forall s1, s2: string_type.
    (s2 = Nil -> concat s1 s2 = s1)
  lemma concat_l_mem: forall s1, s2: string_type, c1: tChar.
    mem c1 s1 -> mem c1 (concat s1 s2)
  lemma concat_r_mem: forall s1, s2: string_type, c1: tChar.
    mem c1 s2 -> mem c1 (concat s1 s2)

  function toLower (s1: string_type) : string_type
  axiom toLower_content: forall s1: string_type, i: int.
    0 <= i < length s1 -> nth i (toLower s1) = toLower_char (nth i s1)

  function toUpper (s1: string_type) : string_type
  axiom toUpper_content: forall s1: string_type, i: int.
    0 <= i < length s1 -> nth i (toUpper s1) = toUpper_char (nth i s1)
end

Listing 7.5: String theory definition in Why
– subString : string_type → int → int → string_type returning the subset of elements contained between two indexes (both included) of the first argument (detailed in Listing 7.6). This Why theory includes both the function definition and its formalisation through lemmas.
The Char and String theories are closely based on their namesake standard library modules available on the Why3 platform website.
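To see what the lemmas of Listing 7.5 actually state, and why the inclusive indexes of subString deserve a precondition, here is an added example, not code from the thesis or from the Why3 libraries it describes. It models string_type as a Python list of character codes (the single code field of the tChar record), concat as list append, and evaluates each concat_* lemma of Listing 7.5 on constructed inputs. sub_string follows only the text's description of subString (both indexes included); Listing 7.6 is not on this page, so its exact definition and the bounds check here are our assumptions, and from_text and check_concat_lemmas are our own helper names.

```python
# Added example, not code from the thesis or from the Why3 libraries it
# describes: a Python model of the String theory of Listing 7.5. string_type
# is a list of character codes (tChar's single `code` field), concat is list
# append, and check_concat_lemmas evaluates the concat_* lemmas on concrete
# values. sub_string follows only the text's description of subString (both
# indexes included); Listing 7.6 is not on this page, so its exact definition
# is an assumption here. from_text and check_concat_lemmas are our own names.
from typing import Dict, List

Char = int                 # tChar: a record whose single field `code` is an int
StringType = List[Char]    # type string_type = list tChar


def from_text(text: str) -> StringType:
    """Constructed-input helper: Python str -> list of character codes."""
    return [ord(c) for c in text]


def concat(s1: StringType, s2: StringType) -> StringType:
    """function concat (s1 s2: string_type) : string_type = s1 ++ s2"""
    return s1 + s2


def sub_string(s: StringType, i: int, j: int) -> StringType:
    """Elements of s between indexes i and j, both included (assumption: the
    text's description of subString). Out-of-range indexes are rejected
    rather than silently clipped, standing in for the precondition a Why3
    caller would have to discharge; note the j + 1 needed by Python's
    exclusive slicing, the classic off-by-one at this boundary."""
    if not (0 <= i <= j < len(s)):
        raise IndexError(f"sub_string indexes {i}..{j} out of range for length {len(s)}")
    return s[i:j + 1]


def check_concat_lemmas(s1: StringType, s2: StringType, c1: Char) -> Dict[str, bool]:
    """Evaluate each concat_* lemma of Listing 7.5 on concrete values.
    Returns lemma name -> truth value so a failing statement is identifiable.
    The Why3 lemmas quantify over all s1, s2, c1; this checks one instance."""
    nil: StringType = []
    return {
        # length (concat s1 s2) = length s1 + length s2
        "concat_length": len(concat(s1, s2)) == len(s1) + len(s2),
        # concat (Cons c1 s1) s2 = Cons c1 (concat s1 s2)
        "concat_l_cons": concat([c1] + s1, s2) == [c1] + concat(s1, s2),
        # concat s1 (Cons c1 s2) = concat (concat s1 (Cons c1 Nil)) s2
        "concat_r_cons": concat(s1, [c1] + s2) == concat(concat(s1, [c1]), s2),
        # s1 = Nil -> concat s1 s2 = s2
        "concat_l_nil": concat(nil, s2) == s2,
        # s2 = Nil -> concat s1 s2 = s1
        "concat_r_nil": concat(s1, nil) == s1,
        # mem c1 s1 -> mem c1 (concat s1 s2)
        "concat_l_mem": (c1 not in s1) or (c1 in concat(s1, s2)),
        # mem c1 s2 -> mem c1 (concat s1 s2)
        "concat_r_mem": (c1 not in s2) or (c1 in concat(s1, s2)),
    }


if __name__ == "__main__":
    s1, s2 = from_text("abc"), from_text("bcd")      # constructed inputs
    for name, holds in check_concat_lemmas(s1, s2, ord("b")).items():
        print(f"{name}: {holds}")
    print(sub_string(from_text("hello"), 1, 3))       # codes of "ell"
```

Running the lemmas on concrete values is not a proof, which is what Why3 provides; it is a cheap sanity check that the formal statements say what the informal description of concat claims, and a way to catch a mis-stated lemma before spending prover time on it.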