SliceAndMerge: A Rodin Plug-in for Refactoring Refinement Structure of Event-B Machines
Tsutomu Kobayashi (University of Tokyo), Aivar Kripsaar (RWTH Aachen University), Fuyuki Ishikawa (NII, Japan), and Shinichi Honiden (NII, Japan)
Rodin Workshop 2016, May 23, 2016
Tsutomu Kobayashi (UTokyo) SliceAndMerge Rodin Workshop 2016 1 / 23
Modeling in Event-B
(figure slide)
Motivation: Refinement design and specifications
Designing a refinement = designing the target system's aspects of interest
  e.g., focus on the outside traffic lights on the mainland
  ↓ specify/verify properties of them: if the traffic light is green, # cars outside ≤ capacity
Our goal: modify the refinement design of an existing specification
  → improve understandability, maintainability, extensibility
Example of Motivation
Problem: sometimes we make refinements with many additional variables/invariants, in order to specify several aspects in one step
Solution: refinement decomposition
Refactoring of Refinement – Decomposition
(figure: "Abstract machine ← refines ← Concrete machine" with abstract and concrete variables is decomposed into "Abstract machine ← refines ← Medium machine ← refines ← Concrete machine" with abstract, medium and concrete variables)
Decomposition of refinement
Goal of Refinement Decomposition
(figure: M_C refines M_B, M_B refines M_A; variable sets V_A, V_B, V_C)
Input
  ◮ Proved machines M_A and M_C
  ◮ A set of variables V_B (subset of V_C, the slicing criteria)
Output: intermediate machine M_B such that
  ◮ M_C refines M_B and M_B refines M_A
  ◮ M_B is specified in V_B
Restriction on V_B
Variables in the machines: V_A and V_C
  (figure: variables only in V_A are replaced, variables in V_A ∩ V_C are inherited, variables only in V_C are newly introduced)
Arbitrary V_B: some variables are in V_A and V_C but not in V_B!
=> V_B should be a superset of V_A ∩ V_C
Approach to Decomposing Refinement
1. Slicing from the original machines M_C and M_A, by finding specifications that can be expressed in V_B
2. Mending for consistency, by providing complementary predicates that fill the gap originating from slicing
Slicing
Find predicates that can be expressed in V_B, e.g.:

M_C (TL_Island ∈ V_C)
  Invariants
    TL_Mainland = red ∨ TL_Island = red
    TL_Mainland = green ⇒ n_→ = 0
  Event leave_island
    when
      TL_Island = green
      1 ≤ n_Island
    then
      n'_Island = n_Island − 1
      n'_→ = n_→ + 1
    end

  --slice-->

M_B (TL_Island ∉ V_B)
  Invariants
    TL_Mainland = green ⇒ n_→ = 0
  Event leave_island
    when
      1 ≤ n_Island
    then
      n'_Island = n_Island − 1
      n'_→ = n_→ + 1
    end
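The slicing step shown above, together with the restriction V_B ⊇ V_A ∩ V_C from the "Restriction on V_B" slide, as an added example that is not the SliceAndMerge plug-in's code. Machines are plain Python data holding Event-B-like predicate strings; the variable names, the ASCII spelling n_right for n_→, and the abstract variable set V_A are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed island model in Event-B-like syntax (n_right stands for n_→).
# Literal values of the traffic-light type are constants, not variables.
NON_VARIABLES = {"red", "green"}
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*'?")   # a trailing prime marks the after-value x'

@dataclass
class Event:
    name: str
    guards: list
    actions: list          # before-after predicates

@dataclass
class Machine:
    variables: set
    invariants: list
    events: list

def free_vars(pred: str) -> set:
    """Variables a predicate mentions; x and x' both count as variable x."""
    return {t.rstrip("'") for t in IDENT.findall(pred)} - NON_VARIABLES

def check_slicing_criteria(v_a: set, v_c: set, v_b: set) -> None:
    """V_B must lie inside V_C and contain every inherited variable (V_A ∩ V_C)."""
    if not v_b <= v_c:
        raise ValueError(f"V_B is not a subset of V_C: {sorted(v_b - v_c)}")
    missing = (v_a & v_c) - v_b
    if missing:
        raise ValueError(f"V_B must include inherited variables {sorted(missing)}")

def slice_machine(m_c: Machine, v_b: set) -> Machine:
    """Slicing step: keep exactly the predicates of M_C expressible in V_B."""
    def keep(preds):
        return [p for p in preds if free_vars(p) <= v_b]
    events = [Event(e.name, keep(e.guards), keep(e.actions)) for e in m_c.events]
    return Machine(set(v_b), keep(m_c.invariants), events)

# Constructed variable sets: V_A of the abstract machine, V_C of the concrete one.
V_A = {"n_Island", "n_right"}
V_C = {"n_Island", "n_right", "TL_Mainland", "TL_Island"}
V_B = {"n_Island", "n_right", "TL_Mainland"}         # slicing criteria, TL_Island excluded
M_C = Machine(V_C,
              ["TL_Mainland = red ∨ TL_Island = red", "TL_Mainland = green ⇒ n_right = 0"],
              [Event("leave_island", ["TL_Island = green", "1 ≤ n_Island"],
                     ["n_Island' = n_Island - 1", "n_right' = n_right + 1"])])

if __name__ == "__main__":
    check_slicing_criteria(V_A, V_C, V_B)
    m_b = slice_machine(M_C, V_B)
    print(m_b.invariants)                 # only the TL_Mainland/n_right invariant survives
    print(m_b.events[0].guards)           # the guard TL_Island = green is sliced away
```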
Intermediate Machine is Not Always Consistent
(figure: M_A, M_B, M_C with "consistent?" on each machine and on each refinement relation)
Sometimes we need to guarantee these consistencies
Refactoring of Refinement – Composition
(figure: "Abstract machine ← refines ← Medium machine ← refines ← Concrete machine" with abstract, medium and concrete variables is composed into "Abstract machine ← refines ← Concrete machine'" carrying abstract, medium and concrete variables)
Composition of refinement
Refactoring of Refinement – Composition
(figure: variable sets V_Abst, V_Medium, V_Conc before composition; V_Abst and V'_Conc after composition)
SliceAndMerge: Implementation
Variables and Provability of Proof Obligations
Preservation of TL_Mainland's property by "leaving from island":
  Invariants:                 TL_Mainland = red ∨ TL_Island = red
  Guards:                     TL_Island = green
  Before-after predicates:    ···, n'_→ = n_→ + 1
  ⊢
  Invariant after the event:  TL_Mainland = green ⇒ n'_→ = 0
Provability in {concrete, medium} machine
  Concrete machine: provable, ∵ TL_Mainland ≠ green follows from the hypotheses, because of the TL_Island-related predicates
    ◮ either TL_Mainland or TL_Island is red
    ◮ TL_Island is green
  Medium machine: not provable, because of the lack of TL_Island-related predicates
Mending by Adding Complementary Predicates
Idea
  The original machines are consistent
  M_B lacks essential predicates for consistency because of vocabulary limitations
  ↓
  Find the essential predicates
  Express them in the vocabulary of V_B and mend M_B with them
Ways of mending include:
  Heuristics such as extracting a predicate P from P ∧ Q
  Analyzing the proof (as described on the previous slide)
    1. Trace the proof of the original machine's consistency
    2. Infer the complementary predicates from that
  Using Craig's interpolation theorem?
Case Study: Decomposing Refinement
Example: model of flight formation of satellites
  ◮ by an experienced modeler
  ◮ high-quality, but includes large refinement steps
    ⋆ 72 invariants in one refinement
Result: decomposed refinements into multiple steps
Results
(figure slide)
Extracting Parts of Machines for Reuse
(figure: variable sets V_Abst, V_Medium, V_Conc with a reusable part marked; after extraction, V_Abst with V'_Conc, and then V'_Medium)
Case Study: Extracting Authentication Parts of LAC
Original model: location access controller
  Persons move between locations connected with turnstiles
  Persons are authorized to enter certain locations
  Persons insert their ID card in card readers on turnstiles
  Turnstiles communicate with a controller via messages
    ◮ authentication, movement of a person, indicator light, ...
New model: consoles, servers, and monitors
  Locations have consoles with card readers and monitors
  Authorized persons can log in to the server by inserting their ID card into the reader
  The controller tries to find an unoccupied monitor in a room
  Consoles communicate with a controller via messages
Concluding Remarks
Summary
  Aiming at modifying the refinement structure of existing machines
  Slicing before mending / merging
  SliceAndMerge v1.0 coming soon?
Future work
  Constructing systematic methods for mending
  Planning refinement for various use cases
  Finding other use cases
    ◮ Planting specifications in other methods (e.g., VDM)?
    ◮ ...
Interpolation Theorem (Craig interpolation)
If a sequent Hyp ⊢ Goal is provable, there exists an interpolant I such that
  All symbols of I occur in both Hyp and Goal
  Hyp ⊢ I and I ⊢ Goal are provable
Example of interpolant
  Hyp:   TL_Mainland = red ∨ TL_Island = red,  TL_Island = green,  n'_→ = n_→ + 1
  ⊢
  Goal:  TL_Mainland = green ⇒ n'_→ = 0
  Interpolant I:  TL_Mainland ≠ green
Tsutomu Kobayashi (UTokyo) SliceAndMerge Rodin Workshop 2016 22 / 23
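A finite-domain check of the proof obligation from the slide "Variables and Provability of Proof Obligations" and of the interpolant above, as an added example that is not the plug-in's code. It enumerates valuations of TL_Mainland, TL_Island and a bounded n_→ (spelled n_right) to show that the PO holds under the concrete hypotheses, fails in the medium machine, and holds again once the interpolant TL_Mainland ≠ green is added to M_B as a complementary predicate; entailment over this constructed finite domain stands in for provability, and the bound N_MAX is an assumption.

```python
from itertools import product

LIGHTS = ("red", "green")
N_MAX = 3   # constructed bound on the car counter, enough to exhibit counterexamples

def states():
    """All valuations before leave_island over the constructed finite domain."""
    for tl_m, tl_i, n_right in product(LIGHTS, LIGHTS, range(N_MAX + 1)):
        yield {"TL_Mainland": tl_m, "TL_Island": tl_i, "n_right": n_right,
               "n_right'": n_right + 1}        # before-after predicate n'_→ = n_→ + 1

# Hypotheses of the PO as predicates over a state; the goal is the invariant after the event.
def inv_lights(s):   return s["TL_Mainland"] == "red" or s["TL_Island"] == "red"
def guard(s):        return s["TL_Island"] == "green"
def goal(s):         return s["TL_Mainland"] != "green" or s["n_right'"] == 0
def interpolant(s):  return s["TL_Mainland"] != "green"   # mentions only TL_Mainland ∈ V_B

CONCRETE_HYPS = [inv_lights, guard]   # TL_Island-related predicates available in M_C
MEDIUM_HYPS = []                      # sliced away in M_B because TL_Island ∉ V_B
MENDED_HYPS = [interpolant]           # M_B after mending with the interpolant

def entails(hyps, concl):
    """None if every state satisfying all hyps satisfies concl, else a counterexample."""
    for s in states():
        if all(h(s) for h in hyps) and not concl(s):
            return s
    return None

def is_interpolant(hyps, i, concl):
    """Craig's two provability conditions: Hyp ⊢ I and I ⊢ Goal."""
    return entails(hyps, i) is None and entails([i], concl) is None

if __name__ == "__main__":
    print("concrete:", entails(CONCRETE_HYPS, goal))   # None: PO provable in M_C
    print("medium:  ", entails(MEDIUM_HYPS, goal))     # counterexample with TL_Mainland = green
    print("mended:  ", entails(MENDED_HYPS, goal))     # None again after adding the interpolant
    print("interpolant ok:", is_interpolant(CONCRETE_HYPS, interpolant, goal))
```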