

  1. Summary of Event-B Proof Obligations
     Jean-Raymond Abrial (edited by Thai Son Hoang)
     Department of Computer Science, Swiss Federal Institute of Technology Zürich (ETH Zürich)
     Bucharest DEPLOY 2-day Course, 14th-16th July 2010
     J-R. Abrial (ETH-Zürich) Event-B Proof Obligations Bucharest, 14-16/07/10 1 / 65

  2. Purpose of this Presentation
     Prerequisites:
       (1) Summary of Mathematical Notation (a quick review)
       (2) Summary of Event-B Notation
     The examples developed in (2) will be used here.
     Goal: showing the various Event-B proof obligations (sometimes also called verification conditions).

  3. Role of the Proof Obligation Generator
     - The POs are automatically generated by a Rodin Platform tool called the Proof Obligation Generator.
     - This tool is run after the Static Checker (which checks context and machine texts).
     - The Proof Obligation Generator then decides what is to be proved.
     - The outcome is a set of sequents, which are transmitted to the provers performing automatic or interactive proofs.

  4. Summary of the Main Rodin Platform Kernel Tools
     - The Static Checkers: lexical analyser, syntactic analyser, type checker
     - The Proof Obligation Generator
     - The Provers

  5. Summary of the Main Rodin Platform Kernel Tools (tool chain)
     Contexts or Machines --> Static Checkers --> Proof Obligation Generator --> Provers
                              (reports Errors)                                   (produces Proofs)
     Proofs which cannot be done help improve the model.

  6. Various Kinds of Proof Obligations
     - Invariant preservation (initial model) (INV, slide 9)
     - Non-deterministic action feasibility (FIS, slide 14)
     - Guard strengthening in a refinement (GRD, slide 18)
     - Invariant preservation in a refinement (INV, slide 22)
     - Simulation (SIM, slide 26)
     - Numeric variant (NAT, slide 30)
     - Set variant (FIN, slide 34)

  7. Various Kinds of Proof Obligations (cont'd)
     - Variant decreasing (VAR, slide 38)
     - Feasibility of a non-deterministic witness (WFIS, slide 46)
     - Proving theorems (THM, slide 50)
     - Well-definedness (WD, slide 58)
     - Guard strengthening when merging abstract events (MRG, slide 62)

  8. Outline of each Proof Obligation
     - Purpose and naming
     - Formal definition
     - Where it is generated in the "search" example
     - Application to the example

  9. Purpose of Invariant Preservation PO (INV) (for Initial Model)
     Ensuring that each invariant is preserved by each event.
     For an event "evt" and an invariant "inv", the name of this PO is: evt/inv/INV

  10. Formal Definition of Invariant Preservation (INV) (for Initial Model)
     Notation:
       s : seen sets
       c : seen constants
       v : variables
       A(s, c) : seen axioms
       I(s, c, v) : invariants
       evt : specific event
       x : event parameters
       G(x, s, c, v) : event guards
       BAP(x, s, c, v, v′) : event before-after predicate
       i(s, c, v′) : modified specific invariant

     Shape of the event:
       evt ≙
         any x where
           G(x, s, c, v)
         then
           v :| BAP(x, s, c, v, v′)
         end

     evt/inv/INV:
       A(s, c)                    Axioms
       I(s, c, v)                 Invariants
       G(x, s, c, v)              Guards of the event
       BAP(x, s, c, v, v′)        Before-after predicate of the event
       ⊢
       i(s, c, v′)                Modified specific invariant

     In the case of the initialisation event, I(s, c, v) is removed from the hypotheses.

  11. Examples in Machine m_0a (INV)

     context ctx_0
       sets D
       constants n f v
       axioms
         axm1 : n ∈ ℕ
         axm2 : f ∈ 1 .. n → D
         axm3 : v ∈ ran(f)
         thm1 : n ∈ ℕ1
     end

     machine m_0a
       sees ctx_0
       variables i
       invariants
         inv1 : i ∈ 1 .. n
       events
         initialisation ≙
           status ordinary
           then
             act1 : i := 1
           end
         search ≙
           status ordinary
           any k where
             grd1 : k ∈ 1 .. n
             grd2 : f(k) = v
           then
             act1 : i := k
           end
         ...
     end

     Two invariant preservation POs are generated:
       - initialisation/inv1/INV
       - search/inv1/INV

  12. Proof Obligation initialisation/inv1/INV

     Event:
       initialisation ≙
         status ordinary
         then
           act1 : i := 1
         end

     Generated sequent:
       axm1          n ∈ ℕ
       axm2          f ∈ 1 .. n → D
       axm3          v ∈ ran(f)
       thm1          n ∈ ℕ1
       BA predicate  i′ = 1
       ⊢
       modified inv1 i′ ∈ 1 .. n

     Simplification performed by the PO Generator (i′ replaced by 1):
       n ∈ ℕ
       f ∈ 1 .. n → D
       v ∈ ran(f)
       n ∈ ℕ1
       ⊢
       1 ∈ 1 .. n

     Note that inv1 is not part of the hypotheses (we are in the initialisation event).

  13. Proof Obligation search/inv1/INV

     Event:
       search ≙
         status ordinary
         any k where
           grd1 : k ∈ 1 .. n
           grd2 : f(k) = v
         then
           act1 : i := k
         end

     Generated sequent:
       axm1          n ∈ ℕ
       axm2          f ∈ 1 .. n → D
       axm3          v ∈ ran(f)
       thm1          n ∈ ℕ1
       inv1          i ∈ 1 .. n
       grd1          k ∈ 1 .. n
       grd2          f(k) = v
       BA predicate  i′ = k
       ⊢
       modified inv1 i′ ∈ 1 .. n

     Simplification performed by the PO Generator (i′ replaced by k):
       n ∈ ℕ
       f ∈ 1 .. n → D
       v ∈ ran(f)
       n ∈ ℕ1
       i ∈ 1 .. n
       k ∈ 1 .. n
       f(k) = v
       ⊢
       k ∈ 1 .. n

     In what follows, we'll show the simplified form only.

  14. Purpose of the Feasibility PO (FIS)
     Ensuring that each non-deterministic action is feasible.
     For an event "evt" and a non-deterministic action "act" in it, the name of this PO is: evt/act/FIS

  15. Formal Definition of the Feasibility PO (FIS)
     Notation:
       s : seen sets
       c : seen constants
       v : variables
       A(s, c) : seen axioms
       I(s, c, v) : invariants
       evt : specific event
       x : event parameters
       G(x, s, c, v) : event guards
       BAP(x, s, c, v, v′) : before-after predicate of the event action

     Shape of the event:
       evt ≙
         any x where
           G(x, s, c, v)
         then
           v :| BAP(x, s, c, v, v′)
         end

     evt/act/FIS:
       A(s, c)                    Axioms
       I(s, c, v)                 Invariants
       G(x, s, c, v)              Guards of the event
       ⊢
       ∃ v′ · BAP(x, s, c, v, v′) Before-after predicate

  16. Example in Machine m_0b (FIS)

     context ctx_0
       sets D
       constants n f v
       axioms
         axm1 : n ∈ ℕ
         axm2 : f ∈ 1 .. n → D
         axm3 : v ∈ ran(f)
         thm1 : n ∈ ℕ1
     end

     machine m_0b
       sees ctx_0
       variables i
       invariants
         inv1 : i ∈ 1 .. n
       events
         initialisation ≙
           status ordinary
           then
             act1 : i := 1
           end
         search ≙
           status ordinary
           then
             act1 : i :| i′ ∈ 1 .. n ∧ f(i′) = v
           end
         ...
     end

     Among others, one feasibility PO is generated:
       - search/act1/FIS

  17. Proof Obligation search/act1/FIS

     Event:
       search ≙
         status ordinary
         then
           act1 : i :| i′ ∈ 1 .. n ∧ f(i′) = v
         end

     Sequent:
       axm1   n ∈ ℕ
       axm2   f ∈ 1 .. n → D
       axm3   v ∈ ran(f)
       thm1   n ∈ ℕ1
       inv1   i ∈ 1 .. n
       grd    (no guard in event search)
       ⊢
       ∃ i′ · i′ ∈ 1 .. n ∧ f(i′) = v     (∃ i′ · before-after predicate)

  18. Purpose of the Guard Strengthening PO (GRD)
     Ensuring that the concrete guards in the refining event are stronger than the abstract ones.
     This ensures that when a concrete event is enabled, then so is the corresponding abstract one.
     For a concrete event "evt" and an abstract guard "grd" in the corresponding abstract event, the name of this PO is: evt/grd/GRD

  19. Formal Def. of the Guard Strengthening PO (GRD)
     Notation:
       s : seen sets
       c : seen constants
       v : abstract variables
       w : concrete variables
       A(s, c) : seen axioms
       I(s, c, v) : abstract invariants
       J(s, c, v, w) : concrete invariants
       evt : specific concrete event
       x : abstract event parameters
       y : concrete event parameters
       g(x, s, c, v) : abstract event specific guard
       H(y, s, c, w) : concrete event guards
       W(x, y, s, c, w) : witness predicate

     Abstract event:
       evt0 ≙
         any x where
           g(x, s, c, v)
           ...
         then
           ...
         end

     Concrete event:
       evt ≙
         refines evt0
         any y where
           H(y, s, c, w)
         with
           x : W(x, y, s, c, w)
         then
           ...
         end

     evt/grd/GRD:
       A(s, c)                    Axioms
       I(s, c, v)                 Abstract invariants
       J(s, c, v, w)              Concrete invariants
       H(y, s, c, w)              Concrete event guards
       W(x, y, s, c, w)           Witness predicate
       ⊢
       g(x, s, c, v)              Abstract event specific guard

     It is simplified when there are no parameters.
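The INV sequents of slides 12 and 13, the FIS sequent of slide 17 and the GRD sequent of slide 19 can be evaluated mechanically on small finite instances. The script below is an added example, not part of the Abrial/Hoang slides and not Rodin code: it enumerates every context (n, f, v) with n ≤ MAX_N that satisfies the axioms of ctx_0 (D, MAX_N and the enumeration bound are constructed assumptions), and checks each PO's goal against its hypotheses by brute force, the way a bounded model checker such as ProB would. It goes beyond the slides in two ways: it quantifies over all small contexts rather than one, and it can drop axm3 (and the derived thm1) to show which POs that axiom is needed for. The refinement used for the GRD check (machine m_1a with a variable j and witness k = j) is a hypothetical one, not on the slides. A found counterexample refutes the PO; an empty result is evidence on this bound only, and only the Rodin provers discharge the sequent for all n.

```python
"""Bounded check of Event-B proof obligations on small finite instances.

Added example, not from the slides and not Rodin code. Every PO below is
evaluated on all contexts (n, f, v) with n <= MAX_N that satisfy ctx_0's
axioms; an empty failure list is evidence on that bound only, not a proof.
"""
from itertools import product

D = ("a", "b")      # carrier set D of ctx_0, kept tiny (constructed assumption)
MAX_N = 2           # bound on the constant n (constructed assumption)


def contexts(with_axm3=True):
    """Enumerate (n, f, v) satisfying the seen axioms of ctx_0.

    with_axm3=False drops axm3 (v ∈ ran(f)) and therefore also thm1
    (n ∈ ℕ1, which is derived from it), to show what the axiom buys.
    """
    for n in range(0, MAX_N + 1):                       # axm1: n ∈ ℕ
        for values in product(D, repeat=n):             # axm2: f ∈ 1..n → D
            f = dict(zip(range(1, n + 1), values))
            for v in D:
                if with_axm3 and v not in f.values():   # axm3: v ∈ ran(f)
                    continue
                yield n, f, v


def inv1(n, i):
    """inv1 of m_0a / m_0b: i ∈ 1..n."""
    return 1 <= i <= n


def po_init_inv(with_axm3=True):
    """initialisation/inv1/INV, simplified form:  A ⊢ 1 ∈ 1..n.

    inv1 is not a hypothesis (no before-state). Returns failing contexts.
    """
    return [(n, f, v) for n, f, v in contexts(with_axm3) if not inv1(n, 1)]


def po_search_inv():
    """search/inv1/INV of m_0a:  A, inv1, grd1, grd2 ⊢ k ∈ 1..n."""
    fails = []
    for n, f, v in contexts():
        for i in range(1, n + 1):                       # inv1 on the before-state
            for k in range(1, n + 1):                   # grd1: k ∈ 1..n
                if f[k] == v and not inv1(n, k):        # grd2, then modified inv1
                    fails.append((n, f, v, i, k))
    return fails


def po_search_fis(with_axm3=True):
    """search/act1/FIS of m_0b:  A, inv1 ⊢ ∃i′ · i′ ∈ 1..n ∧ f(i′) = v.

    The event has no guard, so the only state hypothesis is inv1.
    """
    fails = []
    for n, f, v in contexts(with_axm3):
        for i in range(1, n + 1):                       # inv1 on the before-state
            if not any(f[i2] == v for i2 in range(1, n + 1)):
                fails.append((n, f, v, i))
    return fails


def po_search_grd(concrete_guard):
    """GRD for a hypothetical refinement of m_0a (assumption, not on the slides):

        machine m_1a refines m_0a, variables i j, invariants inv2 : j ∈ 1..n
        search ≙ refines search
          when concrete_guard(n, f, v, j)   -- H(y, s, c, w), no parameter
          with k : k = j                    -- witness W
          then act1 : i := j
          end

    Checks  A, inv1, inv2, H, W ⊢ grd  for abstract guards grd1 and grd2
    (search/grd1/GRD, search/grd2/GRD) and returns the failures.
    """
    fails = []
    for n, f, v in contexts():
        for i in range(1, n + 1):                       # inv1
            for j in range(1, n + 1):                   # inv2: j ∈ 1..n
                if not concrete_guard(n, f, v, j):      # H
                    continue
                k = j                                   # W: k = j
                if not 1 <= k <= n:                     # grd1: k ∈ 1..n
                    fails.append(("grd1", n, f, v, i, j))
                if f[k] != v:                           # grd2: f(k) = v
                    fails.append(("grd2", n, f, v, i, j))
    return fails


if __name__ == "__main__":
    print("initialisation/inv1/INV:", po_init_inv(), "without axm3:", po_init_inv(False))
    print("search/inv1/INV:", po_search_inv())
    print("search/act1/FIS:", po_search_fis(), "without axm3:", po_search_fis(False))
    print("GRD with guard f(j) = v:", po_search_grd(lambda n, f, v, j: f[j] == v))
    print("GRD with guard dropped:", po_search_grd(lambda n, f, v, j: True))
```

With axm3 in place every PO comes back clean. Dropping axm3 (and thm1) produces n = 0 as a counterexample to initialisation/inv1/INV (1 ∉ 1..0) and a context with v ∉ ran(f) as a counterexample to search/act1/FIS, which is exactly what the hypotheses on slides 12 and 17 are there to exclude. For the hypothetical refinement, weakening the concrete guard to true lets search/grd2/GRD fail while search/grd1/GRD still holds through inv2, showing why the concrete invariants sit among the GRD hypotheses.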
