Machine, refinement, implementation

Three levels of component, each with its own set of substitutions; going from abstract machine to implementation is "making the program more concrete":

Abstract machine: choice, let bindings, sequencing, precondition, become such that, simultaneous operations, while loop
Refinements: choice, let bindings, sequencing, precondition, become such that, simultaneous operations, while loop
Implementation: choice, let bindings, sequencing, precondition, become such that, simultaneous operations, while loop

Examples of substitutions shown on the slide:
- Simultaneous operations: a := 1 || b := 1 (or b := 1 || a := 1)
- Sequencing: a := 1 ; b := 1
- Choice / let binding: ANY x WHERE x ∈ S
- Become such that: x : (x ∈ INT ∧ x < 20) (not deterministic)
- Predicate-based IF
More substitutions: which substitutions are allowed in each kind of component (Y = allowed, N = not allowed)

Substitution                  Machine  Refinement  Implementation
Block                            Y         Y            Y
Identical                        Y         Y            Y
Becomes Equal                    Y         Y            Y
Precondition                     Y         Y            N
Assertion                        Y         Y            Y
Bounded choice                   Y         Y            N
IF conditional                   Y         Y            Y
Conditional bounded choice       Y         Y            N
Case conditional                 Y         Y            Y
Unbounded choice                 Y         Y            N
Local definition                 Y         Y            N
Becomes element of               Y         Y            N
Becomes such that                Y         Y            N
Local variable                   N         Y            Y
Sequencing                       N         Y            Y
Operation call                   Y         Y            Y
While loop                       N         N            Y
Simultaneous                     Y         Y            N
B language

State oriented: a substitution transforms a state S1 into a state S2, and its effect is specified with Hoare logic.

Examples:
  {true}  y := 3    {y = 3}
  {x = 2} x := x*x  {x = 4}

Rules:
  ASSIGNMENT    {P[E/x]} x := E {P}
  COMPOSITION   {P} S {Q}, {Q} T {R}  ⟹  {P} S; T {R}
  CONDITIONAL   {B ∧ P} S {Q}, {¬B ∧ P} T {Q}  ⟹  {P} if B then S else T end {Q}
  WHILE         {P ∧ B} S {P}  ⟹  {P} while B do S done {P ∧ ¬B}
  CONSEQUENCE   P1 → P2, {P2} S {Q2}, Q2 → Q1  ⟹  {P1} S {Q1}
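The rules above can be mechanised as a weakest-precondition calculator. The Python below is an added example, not code from the deck or from any B tool: predicates and expressions are nested tuples, wp() implements ASSIGNMENT, COMPOSITION and CONDITIONAL as predicate transformers and turns WHILE into side conditions on a loop invariant, and check_triple() applies CONSEQUENCE (pre ⇒ wp) by exhaustive evaluation over a small, constructed finite slice of INT for x and y. The two triples from the slide are checked, together with a deliberately false one and a small loop.

```python
"""Weakest-precondition calculator for the Hoare rules listed on the slide.

Constructed example. Terms are nested tuples:
  ('true',), ('var', name), ('num', n), ('not', p), (op, left, right)
Statements are:
  ('assign', x, e), ('seq', s1, s2), ('if', b, s1, s2), ('while', b, inv, body)
Validity is decided by enumerating a finite domain, which is an assumption
made here; the B prover works symbolically instead."""
from itertools import product

OPS = {
    '+': lambda a, b: a + b, '*': lambda a, b: a * b,
    '=': lambda a, b: a == b, '<': lambda a, b: a < b, '<=': lambda a, b: a <= b,
    'and': lambda a, b: a and b, 'or': lambda a, b: a or b,
    '=>': lambda a, b: (not a) or b,
}

def subst(t, x, e):
    """P[E/x]: replace every occurrence of variable x in term t by e."""
    if t[0] == 'var':
        return e if t[1] == x else t
    if t[0] in ('true', 'num'):
        return t
    return (t[0],) + tuple(subst(a, x, e) for a in t[1:])

def ev(t, s):
    """Evaluate term t in state s (a dict from variable name to value)."""
    if t[0] == 'true':
        return True
    if t[0] == 'var':
        return s[t[1]]
    if t[0] == 'num':
        return t[1]
    if t[0] == 'not':
        return not ev(t[1], s)
    return OPS[t[0]](ev(t[1], s), ev(t[2], s))

def show(t):
    """Render a term as text, fully parenthesised."""
    if t[0] == 'true':
        return 'true'
    if t[0] in ('var', 'num'):
        return str(t[1])
    if t[0] == 'not':
        return 'not(' + show(t[1]) + ')'
    return '(' + show(t[1]) + ' ' + t[0] + ' ' + show(t[2]) + ')'

def wp(stmt, q):
    """Return (precondition, side_conditions) for statement stmt and postcondition q."""
    kind = stmt[0]
    if kind == 'assign':                       # ASSIGNMENT: {Q[E/x]} x := E {Q}
        _, x, e = stmt
        return subst(q, x, e), []
    if kind == 'seq':                          # COMPOSITION: wp(S; T, R) = wp(S, wp(T, R))
        _, s1, s2 = stmt
        mid, obl2 = wp(s2, q)
        pre, obl1 = wp(s1, mid)
        return pre, obl1 + obl2
    if kind == 'if':                           # CONDITIONAL: (B => wp(S,Q)) and (not B => wp(T,Q))
        _, b, s1, s2 = stmt
        p1, obl1 = wp(s1, q)
        p2, obl2 = wp(s2, q)
        return ('and', ('=>', b, p1), ('=>', ('not', b), p2)), obl1 + obl2
    if kind == 'while':                        # WHILE: invariant I is the precondition, provided
        _, b, inv, body = stmt                 #   {I and B} body {I}  and  (I and not B) => Q
        p_body, obl = wp(body, inv)
        return inv, obl + [('=>', ('and', inv, b), p_body),
                           ('=>', ('and', inv, ('not', b)), q)]
    raise ValueError('unknown statement ' + kind)

def valid(p, domain):
    """True if predicate p holds in every state drawn from the finite domain."""
    names = list(domain)
    return all(ev(p, dict(zip(names, vals)))
               for vals in product(*(domain[n] for n in names)))

def check_triple(pre, stmt, post, domain):
    """CONSEQUENCE: {pre} stmt {post} holds when pre => wp(stmt, post) and every
    side condition is valid (both checked exhaustively over the finite domain)."""
    p, obligations = wp(stmt, post)
    return valid(('=>', pre, p), domain) and all(valid(o, domain) for o in obligations)

X, Y = ('var', 'x'), ('var', 'y')
def num(v):
    return ('num', v)

DOMAIN = {'x': range(-2, 12), 'y': range(-2, 12)}   # constructed finite slice of INT

def slide_examples():
    """The two triples from the slide, a deliberately false one, and a loop."""
    square = ('assign', 'x', ('*', X, X))
    count_to_five = ('seq', ('assign', 'x', num(0)),
                     ('while', ('<', X, num(5)), ('<=', X, num(5)),
                      ('assign', 'x', ('+', X, num(1)))))
    return {
        '{true} y := 3 {y = 3}': check_triple(('true',), ('assign', 'y', num(3)), ('=', Y, num(3)), DOMAIN),
        '{x = 2} x := x*x {x = 4}': check_triple(('=', X, num(2)), square, ('=', X, num(4)), DOMAIN),
        '{x = 3} x := x*x {x = 4}': check_triple(('=', X, num(3)), square, ('=', X, num(4)), DOMAIN),
        'count to five': check_triple(('true',), count_to_five, ('=', X, num(5)), DOMAIN),
    }

if __name__ == '__main__':
    print(show(wp(('assign', 'x', ('*', X, X)), ('=', X, num(4)))[0]))   # ((x * x) = 4)
    for name, ok in slide_examples().items():
        print(name, '->', 'proved' if ok else 'FAILS')
```

The loop case is where the WHILE rule earns its keep: wp() does not unroll the loop, it emits the two side conditions (invariant preserved by the body, invariant plus exit condition implies the postcondition), which is exactly the shape of obligation a B prover asks the user to discharge.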
B language

The notation covers:
- Arithmetic (including generalised product ∏ and sum ∑)
- Functions and relations: partial / total functions, surjections, lambda, domain/range manipulations, closure, inversions…
- Sets: set comprehension, generalised union & intersections
- Records
- Trees
- Sequences

No algebraic data types.
Proofs with B
How does the B method handle proofs?

Components: abstract machine, refinements, implementation. The skeleton of an abstract machine:

MACHINE Name(input1, input2, ...)
CONSTRAINTS
    input1 ∈ INT ∧ input2 ∈ INT ...
CONSTANTS cst1, cst2, ...
VARIABLES var1, var2, ...
INVARIANT
    var1 + var2 ∈ {x . X**(1/2) ∈ ℕ} ∧ ...
ASSERTIONS
    predicate1 ∧ predicate2 ∧ ...
INITIALISATION
    var1 := expr || var2 := expr
OPERATIONS
    varOutput1 ← fun1(i1, i2, ...) = ...
    varOutput2 ← fun2(i1, i2, ...) = ...

Proof obligations attached to the clauses:
- ASSERTIONS: prove all predicates
- INITIALISATION: for each initialisation, prove that the invariant is established (invariant conservation)
- OPERATIONS: show that each operation conserves the invariant
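To make the obligation list concrete, here is an added example (not Atelier B output and not code from the deck) that generates the INITIALISATION and OPERATIONS obligations for a small counter machine and discharges them by exhaustive search. The machine, the finite slice of INT it is checked over, and the dictionary encoding are all assumptions made for this illustration; a real B prover works symbolically on the whole of INT. The machine deliberately contains one operation, set(v), whose precondition is too weak, which is the kind of defect the obligations exist to catch.

```python
"""Proof obligations of a small B machine, generated and checked by exhaustive
search over a finite domain.

Constructed example. States are dicts; predicates are Python callables; an
operation body returns the list of possible after-states, so nondeterministic
substitutions (x :∈ S, x : (P)) fit the same shape."""
from itertools import product

def all_states(domains):
    """Enumerate every state over the finite variable domains."""
    names = list(domains)
    for vals in product(*(domains[n] for n in names)):
        yield dict(zip(names, vals))

def proof_obligations(machine):
    """Return the list of *violated* obligations; an empty list means all discharged."""
    inv = machine['invariant']
    failures = []
    # INITIALISATION: every possible initial state must establish the invariant
    for s0 in machine['init']():
        if not inv(s0):
            failures.append(('INITIALISATION', s0))
    # OPERATIONS: from any state satisfying the invariant, if the precondition
    # holds then every possible after-state must satisfy the invariant again
    for s in all_states(machine['domains']):
        if not inv(s):
            continue
        for name, op in machine['operations'].items():
            for args in product(*op['params']):
                if not op['pre'](s, *args):
                    continue
                for s2 in op['body'](s, *args):
                    if not inv(s2):
                        failures.append((name, s, args, s2))
    return failures

# The dictionary below encodes this (constructed) machine, written in B syntax:
#   MACHINE Counter
#   VARIABLES count
#   INVARIANT count ∈ 0..10
#   INITIALISATION count := 0
#   OPERATIONS
#     inc    = PRE count < 10 THEN count := count + 1 END ;
#     dec    = PRE count > 0  THEN count := count - 1 END ;
#     set(v) = PRE v ∈ INT    THEN count := v END        -- precondition too weak
INT_SLICE = range(-1, 12)   # constructed finite slice of INT for the search
COUNTER = {
    'domains': {'count': INT_SLICE},
    'invariant': lambda s: 0 <= s['count'] <= 10,
    'init': lambda: [{'count': 0}],
    'operations': {
        'inc': {'params': [], 'pre': lambda s: s['count'] < 10,
                'body': lambda s: [{'count': s['count'] + 1}]},
        'dec': {'params': [], 'pre': lambda s: s['count'] > 0,
                'body': lambda s: [{'count': s['count'] - 1}]},
        'set': {'params': [INT_SLICE], 'pre': lambda s, v: True,
                'body': lambda s, v: [{'count': v}]},
    },
}

def with_precondition(machine, op_name, pre):
    """Copy of machine in which operation op_name gets a new precondition."""
    ops = dict(machine['operations'])
    ops[op_name] = dict(ops[op_name], pre=pre)
    return dict(machine, operations=ops)

# Strengthening set's precondition to v ∈ 0..10 discharges the remaining obligations
COUNTER_FIXED = with_precondition(COUNTER, 'set', lambda s, v: 0 <= v <= 10)

if __name__ == '__main__':
    for machine, label in ((COUNTER, 'original'), (COUNTER_FIXED, 'fixed')):
        fails = proof_obligations(machine)
        print(label, 'violated obligations:', len(fails))
        for f in fails[:3]:
            print('  ', f)
```

Every reported failure is a concrete counterexample (operation, before-state, arguments, after-state), which is what the interactive prover would otherwise leave the user to find by hand; inc and dec produce none because their preconditions keep the invariant, and set is repaired by strengthening its precondition rather than by touching the invariant.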
Proving with the B method: interactive only
How does the B method internally prove things? First, expressions are normalised, for example:

    S ⊆ {1,2,3}   becomes   S ∈ ℙ({1} ∪ {2} ∪ {3})
How does the B method internally prove things? Theory files: lists of rules

THEORY SimplifyX IS
    (i => (j => k)) == (i & j => k) ;
    (a => bfalse) == not(a) ;
    (bfalse => a) == btrue ;
    (a => btrue) == btrue ;
    (btrue => a) == a ;
    (bvrb(x)) & (x\a) => #x.a == a ;
    (bvrb(x)) & (x\b) => #x.(a & b) == (#x.a & b)

About 10,000 lines of rules. Users can add rules, and there is no safe core. Still, a rule can be proved before it is added: P == btrue.
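Because there is no safe core, an unsound user rule silently weakens every proof that uses it, so "prove the rule before adding it" is the control that matters. The script below is an added example, not Atelier B code: it parses a candidate rule written in the slide's theory-file syntax and checks lhs == rhs by truth table over every valuation of its identifiers. The tokenizer, parser and checker are assumptions made for this illustration; the rule strings are the ones on the slide. Only the propositional rules are handled; the two rules with the existential binder #x and the non-freeness guard x\a need a first-order check and are out of scope here.

```python
r"""Check a candidate rule 'lhs == rhs' for a B theory file by truth table before
it is added. Constructed example covering the propositional connectives only
(=>, &, or, not, btrue, bfalse); rules with #x and x\a are not handled."""
import re
from itertools import product

TOKEN = re.compile(r'\s*(=>|==|&|\(|\)|[a-z]+)')

def tokenize(text):
    """Split rule text into tokens: operators, parentheses and lowercase identifiers."""
    pos, out = 0, []
    text = text.strip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise SyntaxError(f'bad token at {text[pos:]!r}')
        out.append(m.group(1))
        pos = m.end()
    return out

class Parser:
    """Recursive descent with precedence not > & > or > =>, '=>' right-associative."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self, expected=None):
        tok = self.peek()
        if expected is not None and tok != expected:
            raise SyntaxError(f'expected {expected!r}, got {tok!r}')
        self.i += 1
        return tok
    def impl(self):
        left = self.disj()
        if self.peek() == '=>':
            self.take()
            return ('=>', left, self.impl())
        return left
    def disj(self):
        node = self.conj()
        while self.peek() == 'or':
            self.take()
            node = ('or', node, self.conj())
        return node
    def conj(self):
        node = self.atom()
        while self.peek() == '&':
            self.take()
            node = ('&', node, self.atom())
        return node
    def atom(self):
        tok = self.take()
        if tok == '(':
            node = self.impl()
            self.take(')')
            return node
        if tok == 'not':
            return ('not', self.atom())
        if tok in ('btrue', 'bfalse'):
            return ('const', tok == 'btrue')
        if tok is None or not tok.isalpha():
            raise SyntaxError(f'unexpected {tok!r}')
        return ('var', tok)

def ev(node, env):
    """Evaluate a parsed predicate under a valuation env (identifier -> bool)."""
    kind = node[0]
    if kind == 'var':
        return env[node[1]]
    if kind == 'const':
        return node[1]
    if kind == 'not':
        return not ev(node[1], env)
    a, b = ev(node[1], env), ev(node[2], env)
    return {'&': a and b, 'or': a or b, '=>': (not a) or b}[kind]

def variables(node, acc=None):
    """Collect the identifiers occurring in a parsed predicate."""
    acc = set() if acc is None else acc
    if node[0] == 'var':
        acc.add(node[1])
    elif node[0] != 'const':
        for child in node[1:]:
            variables(child, acc)
    return acc

def parse_rule(text):
    """Parse 'lhs == rhs' into two predicate trees."""
    p = Parser(tokenize(text))
    lhs = p.impl()
    p.take('==')
    rhs = p.impl()
    if p.peek() is not None:
        raise SyntaxError(f'trailing tokens from {p.peek()!r}')
    return lhs, rhs

def check_rule(text):
    """Return (True, None) if lhs and rhs agree on every valuation, else (False, counterexample)."""
    lhs, rhs = parse_rule(text)
    names = sorted(variables(lhs) | variables(rhs))
    for vals in product([False, True], repeat=len(names)):
        env = dict(zip(names, vals))
        if ev(lhs, env) != ev(rhs, env):
            return False, env
    return True, None

# Propositional rules copied from the slide's SimplifyX theory
SLIDE_RULES = [
    '(i => (j => k)) == (i & j => k)',
    '(a => bfalse) == not(a)',
    '(bfalse => a) == btrue',
    '(a => btrue) == btrue',
    '(btrue => a) == a',
]

if __name__ == '__main__':
    for rule in SLIDE_RULES + ['(a => b) == (b => a)']:   # last one is a bogus candidate
        ok, cex = check_rule(rule)
        print('sound  ' if ok else f'UNSOUND {cex}', rule)
```

The bogus candidate '(a => b) == (b => a)' is rejected with the valuation a = false, b = true, which is precisely the check a reviewer should insist on before a rule file with user additions is trusted by the rest of the proof.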