the rodin platform for incremental modelling in event b
play

The Rodin Platform for Incremental Modelling in Event-B Stefan - PowerPoint PPT Presentation

Apr 28, 2023 •434 likes •1.12k views

The Rodin Platform for Incremental Modelling in Event-B Stefan Hallerstede University of Southampton FMCO 2008, 22/10/2008 www.deployproject.eu Outline Complex Systems Modelling in Event-B Interplay of proof and modelling Worked

  1. The Rodin Platform for Incremental Modelling in Event-B Stefan Hallerstede University of Southampton FMCO 2008, 22/10/2008 www.deploy‐project.eu

  2. Outline • Complex Systems Modelling in Event-B • Interplay of proof and modelling • Worked example: Access to secure building • Tool Animation • Conclusion 2

  3. Design of complex systems • Need for rigorous modelling • The main purpose of modelling is reasoning – to improve our understanding of the system – to clarify assumptions about the system – to increase quality of system model • Need for refinement – Too many details to address final system directly 3

  4. Reasoning about complex systems • Requires rigorous reasoning – Formal notation – Formal reasoning • This is offered by formal proof – Why prove? • To incrementally improve a model • To take advantage of failing proofs – What to prove? • Proof obligations associated with each model 4

  5. List of core Event-B proof obligations • Feasibility of events • Invariant preservation by events • Refinement of events • Introduction of new events • Convergence of events • Enabledness of events 5

  6. Outline • Complex Systems Modelling in Event-B • Interplay of proof and modelling • Worked example: Access to secure building • Tool Animation • Conclusion 6

  7. Example of an Event-B machine Invariant properties: • inv1 : A user is authorised to be in certain rooms parameters • inv2 : A user can be guards at most in one room ac3ons • inv3 : A user can only be in rooms where he is authorised to be 7

  8. Preservation of in ⊆ auth by event enter • Proof obligation: invariant in ⊆ auth guards u / ∈ dom( in ) u �→ r ∈ auth modified invariant ⊢ in ∪ { u �→ r } ⊆ auth 8

  9. Use of proof obligations for modelling • Modelling is an incremental activity Modelling Proof Obligations Proving • Proof obligations are automatically generated 9

  10. Creating a model incrementally • What does this mean? • We do not demonstrate the actual tool “Rodin” – But focus on essential features – Removed everything that could distract • Aim: – To illustrate method and tool – Not to get distracted by features of the Rodin tool • By way of an example – Access to a secure building 10

  11. Outline • Complex Systems Modelling in Event-B • Interplay of proof and modelling • Worked example: Access to secure building • Tool Animation • Conclusion 11

  12. Description of the secure access model • Abstract model – Users , Rooms – Entering/leaving rooms; adding/removing authorisations • Refined model – Tokens – Data-refinement of abstract model • The model itself is not of importance – But the way we create it is important 12

  13. Focus on three modelling scenarios • Adding events 1. Reasoning about guards and invariants • Refining an event 2. Reasoning about parameters 3. Reasoning about guards and invariants 13

  14. Layout of the modelling canvas Model Proof ☐ ☐ � ☐ Mode ☐ Proof ☐ Obliga3ons ☐ ☐ ☐ proof obliga3on: ☐ ☐ proof succeeded: � ☐ proof failed:  ☐ ☐ ☐ 14

  15. Colouring conventions for formulas Model Proof ☐ ☐ � constants are blue‐green parameters are red ☐ ☐ ☐ ☐ utok ( t ) �→ rtok ( t ) ∈ auth ☐ ☐ ☐ ☐ ☐ variables are blue ☐ ☐ 15

  16. Creation of the abstract model Model Proof Summary: ☐ ☐ � ☐ • Variables: in , auth ☐ ☐ • Events: ☐ ☐ – enter – enter building ☐ ☐ – leave – leave building ☐ ☐ – addAuth – add authorisation ☐ ☐ – remAuth – remove authorisation 16

  17. Location and authorisation of users Model Proof ☐ invariants ☐ � inv 1 : auth ∈ User ↔ Room ☐ inv 2 : in ∈ User � → Room ☐ inv 3 : in ⊆ auth ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ 17

  18. Location and authorisation of users Model Proof ☐ invariants ☐ � inv 1 : auth ∈ User ↔ Room ☐ inv 2 : in ∈ User � → Room ☐ inv 3 : in ⊆ auth ☐ ☐ ☐ initialisation ☐ act 1 : in := ∅ ☐ act 2 : auth := ∅ ☐ ☐ ☐ ☐ 18

  19. Location and authorisation of users Model Proof ☐ invariants ☐ � inv 1 : auth ∈ User ↔ Room ☐ inv 2 : in ∈ User � → Room ☐ inv 3 : in ⊆ auth ☐ ☐ ☐ initialisation ☐ act 1 : in := ∅ ☐ act 2 : auth := ∅ ☐ ☐ ☐ ☐ 19

  20. Location and authorisation of users Model Proof  invariants � inv 1 : auth ∈ User ↔ Room  inv 2 : in ∈ User � → Room ☐ inv 3 : in ⊆ auth ☐ ☐ ☐ initialisation ☐ act 1 : in := ∅ ☐ act 2 : auth := ∅ ☐ ☐ ☐ ☐ 20

  21. Entering a room Model Proof  event enter � any  u, r ☐ when ☐ grd 1 : u �∈ dom( in ) ☐ ☐ grd 2 : u �→ r ∈ auth ☐ then ☐ act 1 : in := in ∪ { u �→ r } ☐ end ☐ ☐ ☐ 21

  22. Entering a room Model Proof  event enter � any  u, r ☐ when ☐ grd 1 : u �∈ dom( in ) ☐ ☐ grd 2 : u �→ r ∈ auth ☐ Proof obliga3on: then ☐ act 1 : in := in ∪ { u �→ r } ☐ Preserva3on of end invariant inv3 ☐ ☐ ☐ 22

  23. Entering a room Model Proof Preservation of invariant inv3  in ⊆ auth �  u / ∈ dom( in ) ☐ u �→ r ∈ auth ☐ ☐ ⊢ ☐ ☐ Proof obliga3on: in ∪ { u �→ r } ⊆ auth ☐ ☐ Preserva3on of invariant inv3 ☐ ☐ ☐ 23

  24. Entering a room Model Proof Preservation of invariant inv3  in ⊆ auth �  u / ∈ dom( in ) ☐ u �→ r ∈ auth  ☐ ⊢ ☐ ☐ Proof obliga3on: in ∪ { u �→ r } ⊆ auth ☐ ☐ Preserva3on of invariant inv3 ☐ ☐ ☐ 24

  25. Entering a room Model Proof  event enter � any  u, r ☐ when  grd 1 : u �∈ dom( in ) ☐ ☐ grd 2 : u �→ r ∈ auth ☐ then ☐ act 1 : in := in ∪ { u �→ r } ☐ end ☐ ☐ ☐ 25

  26. Entering a room Model Proof  event enter � any  u, r � when  grd 1 : u �∈ dom( in ) ☐ ☐ grd 2 : u �→ r ∈ auth ☐ then ☐ act 1 : in := in ∪ { u �→ r } ☐ end ☐ ☐ ☐ 26

  27. Leaving a room Model Proof  event leave � any  u � when  grd 1 : u ∈ dom( in ) ☐ ☐ then ☐ act 1 : in := { u } ⊳ − in ☐ end ☐ ☐ ☐ ☐ 27

  28. Leaving a room Model Proof  event leave � any  u � when  grd 1 : u ∈ dom( in ) ☐ ☐ then ☐ act 1 : in := { u } ⊳ − in ☐ end ☐ ☐ ☐ ☐ 28

  29. Leaving a room Model Proof  event leave � any  u � when  � grd 1 : u ∈ dom( in )  then ☐ act 1 : in := { u } ⊳ − in ☐ end ☐ ☐ ☐ ☐ 29

  30. Adding an authorisation Model Proof  event addAuth � any  u, r � when  � grd 1 : u ∈ User  grd 2 : r ∈ Room ☐ then ☐ act 1 : auth := auth ∪ { u �→ r } ☐ end ☐ ☐ ☐ 30

  31. Adding an authorisation Model Proof  event addAuth � any  u, r � when  � grd 1 : u ∈ User  grd 2 : r ∈ Room ☐ then ☐ act 1 : auth := auth ∪ { u �→ r } ☐ end ☐ ☐ ☐ 31

  32. Adding an authorisation Model Proof  event addAuth � any  u, r � when  � grd 1 : u ∈ User  grd 2 : r ∈ Room  then  act 1 : auth := auth ∪ { u �→ r } ☐ end ☐ ☐ ☐ 32

  33. Removing an authorisation Model Proof  event remAuth � any  u, r � when  � grd 1 : u ∈ User  grd 2 : r ∈ Room  then  act 1 : auth := auth \ { u �→ r } ☐ end ☐ ☐ ☐ 33

  34. Removing an authorisation Model Proof  event remAuth � any  u, r � when  � grd 1 : u ∈ User  grd 2 : r ∈ Room  then  act 1 : auth := auth \ { u �→ r } ☐ end ☐ ☐ ☐ 34

  35. Removing an authorisation Model Proof  event remAuth � any  u, r � when  Proof obliga3on: � grd 1 : u ∈ User  grd 2 : r ∈ Room Preserva3on of  then invariant inv3  act 1 : auth := auth \ { u �→ r }  end  ☐ ☐ 35

  36. Removing an authorisation Model Proof Preservation of invariant inv3  in ⊆ auth �  u ∈ User Possible remedies: � r ∈ Room • Modify ac3on:  ➞ Remove user u from building � ⊢  • Modify guard:  in ⊆ auth \ { u �→ r } ➞ Require user u not in building   • Modify guard:  ➞ Require user u not in room r ☐ u �→ r �∈ in ☐ 36

  37. Removing an authorisation Model Proof  event remAuth � any  u, r � when  � grd 1 : u ∈ User  grd 2 : r ∈ Room  then  act 1 : auth := auth \ { u �→ r }  end  ☐ ☐ 37

  38. Removing an authorisation Model Proof  event remAuth � any  u, r � when  � grd 1 : u ∈ User  grd 2 : u �→ r �∈ in  then  act 1 : auth := auth \ { u �→ r }  end  ☐ ☐ 38

  39. Removing an authorisation Model Proof Preservation of invariant inv3  in ⊆ auth �  u ∈ User � u �→ r / ∈ in  � ⊢   in ⊆ auth \ { u �→ r }    ☐ ☐ 39

Recommend

Plugging external provers into the Rodin platform Laurent Voisin (Systerel) Rodin and Event-B

Plugging external provers into the Rodin platform Laurent Voisin (Systerel) Rodin and Event-B

Plugging external provers into the Rodin platform Laurent Voisin (Systerel) Rodin and Event-B An open platform for Event-B modelling and proving Designed to model reactive discrete systems by engineers (no PhD required) Based on the

373 views • 8 slides
SliceAndMerge: A Rodin Plug-in for Refactoring Refinement Structure of Event-B Machines Tsutomu

SliceAndMerge: A Rodin Plug-in for Refactoring Refinement Structure of Event-B Machines Tsutomu

SliceAndMerge: A Rodin Plug-in for Refactoring Refinement Structure of Event-B Machines Tsutomu Kobayashi (University of Tokyo), Aivar Kripsaar (RWTH Aachen University), Fuyuki Ishikawa (NII, Japan), and Shinichi Honiden (NII, Japan) Rodin

625 views • 39 slides
Theory Plug-in for Rodin 3.0 T.S. Hoang 1 A. Salehi 1 M. Butler 1 L. Voisin 2 1 ECS, University of

Theory Plug-in for Rodin 3.0 T.S. Hoang 1 A. Salehi 1 M. Butler 1 L. Voisin 2 1 ECS, University of

Theory Plug-in for Rodin 3.0 T.S. Hoang 1 A. Salehi 1 M. Butler 1 L. Voisin 2 1 ECS, University of Southampton, U.K. 2 Systerel, France RODIN Workshop 2016 Linz, Austria 23rd May 2015 From Rodin 2.8 to Rodin 3.0 (1/2) Major (necessary) changes

506 views • 17 slides
The Rodin Roadmap Commi.ee Laurent Voisin 2018-11-10 Development of the Rodin plaDorm

The Rodin Roadmap Commi.ee Laurent Voisin 2018-11-10 Development of the Rodin plaDorm

The Rodin Roadmap Commi.ee Laurent Voisin 2018-11-10 Development of the Rodin plaDorm Development used to take place in European projects: RODIN (2004-2007) DEPLOY (2008-2012) ADVANCE (2012-2014) Then switched to naSonal projects But

492 views • 5 slides
Incremental Event Calculus for Run-Time Reasoning Efthimis Tsilionis, Alexander Artikis, Georgios

Incremental Event Calculus for Run-Time Reasoning Efthimis Tsilionis, Alexander Artikis, Georgios

Incremental Event Calculus for Run-Time Reasoning Efthimis Tsilionis, Alexander Artikis, Georgios Paliouras NCSR Demokritos http://cer.iit.demokritos.gr/ 16 April 2019 Motivation for Incremental CER Motivation for Incremental CER Delayed

642 views • 45 slides
A Formalised Framework for Incremental Modelling of On-Chip Communication Peter B ohm

A Formalised Framework for Incremental Modelling of On-Chip Communication Peter B ohm

A Formalised Framework for Incremental Modelling of On-Chip Communication Peter B ohm University of Oxford Computing Laboratory Designing Correct Circuits, March 2010 Introduction Motivation Goal Design of verified high-performance,

775 views • 33 slides
Discrete EVent System specification (DEVS) Bernard Zeigler (1976 Theory of Modelling and

Discrete EVent System specification (DEVS) Bernard Zeigler (1976 Theory of Modelling and

Discrete EVent System specification (DEVS) Bernard Zeigler (1976 Theory of Modelling and Simulation) A formal basis for (low-level) representation of all discrete event modelling formalisms and simulator implementations

492 views • 26 slides
Discrete EVent System specification (DEVS) Bernard Zeigler (1976 Theory of Modelling and

Discrete EVent System specification (DEVS) Bernard Zeigler (1976 Theory of Modelling and

Discrete EVent System specification (DEVS) Bernard Zeigler (1976 Theory of Modelling and Simulation) A formal basis for (low-level) representation of all discrete event modelling formalisms (and even others, after approximation)

660 views • 30 slides
Developing and Proving a Complicated System Model with Rodin Alexey Khoroshilov, Ilya

Developing and Proving a Complicated System Model with Rodin Alexey Khoroshilov, Ilya

June 2-3, 2014, Toulouse 5 th Rodin Workshop Developing and Proving a Complicated System Model with Rodin Alexey Khoroshilov, Ilya Shchepetkov {khoroshilov,shchepetkov}@ispras.ru Institute for System Programming of the Russian Academy of

261 views • 15 slides
Timed Discrete Event Modelling and Simulation extend State Automata with time in state

Timed Discrete Event Modelling and Simulation extend State Automata with time in state

Timed Discrete Event Modelling and Simulation extend State Automata with time in state equivalent to Event Graphs time to transition schedule events Hans Vangheluwe hv@cs.mcgill.ca Modelling and Simulation: Discrete

713 views • 54 slides
Dialogue Modelling, Language Processing Dynamics and Linguistic Knowledge Eleni

Dialogue Modelling, Language Processing Dynamics and Linguistic Knowledge Eleni

Linguistic knowledge: the relevance of dialogue Dialogue Modelling: new challenge, new data, new solutions Dynamic Syntax: incremental structure/content growth Grammar design Dialogue Modelling, Language Processing Dynamics and Linguistic

1.45k views • 120 slides
System Modelling and Design Refining Software Engineering Ken Robinson School of Computer

System Modelling and Design Refining Software Engineering Ken Robinson School of Computer

Outline System Modelling and Design Refining Software Engineering Ken Robinson School of Computer Science & Engineering The University of New South Wales, Sydney Australia Ken Robinson 2009 c mailto::k.robinson@unsw.edu.au Rodin

896 views • 67 slides
Modelling the Impact of Transmission Charging Options Project TransmiT Stakeholder Event 11 th

Modelling the Impact of Transmission Charging Options Project TransmiT Stakeholder Event 11 th

Modelling the Impact of Transmission Charging Options Project TransmiT Stakeholder Event 11 th August 2011 Date: 11 August 2011 Client : Ofgem Contents Background Objectives of the study Modelling methodology Key assumptions and

454 views • 16 slides
Constructive Identities for Physics Andrei Rodin 17 juillet 2014 Andrei Rodin Constructive

Constructive Identities for Physics Andrei Rodin 17 juillet 2014 Andrei Rodin Constructive

Outline Axiomatization of Physics Identity and Objecthood Conclusions Constructive Identities for Physics Andrei Rodin 17 juillet 2014 Andrei Rodin Constructive Identities for Physics Outline Axiomatization of Physics Identity and

936 views • 75 slides
From Event-driven modeling to Process monitoring Dr. Helge Hess IDS Scheer Event Processing

From Event-driven modeling to Process monitoring Dr. Helge Hess IDS Scheer Event Processing

From Event-driven modeling to Process monitoring Dr. Helge Hess IDS Scheer Event Processing Symposium 14 16 March 2006 Parallel session Workflow (BPM) IDS Scheer & ARIS Platform Platform IDS Scheer & ARIS Founded 1984 by

661 views • 30 slides
Extreme Event Modelling Zhou Introduction Theory and Liwei Wu Methods Asymptotic Supervisor:

Extreme Event Modelling Zhou Introduction Theory and Liwei Wu Methods Asymptotic Supervisor:

Extreme Event Modelling Liwei Wu Supervisor: Dr. Xiang Extreme Event Modelling Zhou Introduction Theory and Liwei Wu Methods Asymptotic Supervisor: Dr. Xiang Zhou Models Threshold Models Application Simulation of data from normal

671 views • 49 slides
Comprehensive Modelling Platform David anek, Jan Safr Cerven y, Matej Troj ak,

Comprehensive Modelling Platform David anek, Jan Safr Cerven y, Matej Troj ak,

Comprehensive Modelling Platform David anek, Jan Safr Cerven y, Matej Troj ak, Matej Hajnal, s Marek Havl k, Radoslav Doktor, Ondrej Lo t ak Lukr ecia Mertov a April 9, 2019 Systems Biology Laboratory,

197 views • 9 slides
M 0 for 48 Ca from charge-exchange reactions Vadim Rodin DBD11, Osaka, 16 / 11 / 2011

M 0 for 48 Ca from charge-exchange reactions Vadim Rodin DBD11, Osaka, 16 / 11 / 2011

M 0 for 48 Ca from charge-exchange reactions Vadim Rodin DBD11, Osaka, 16 / 11 / 2011 Introduction Nuclear 0 -decay ( = ) strong in-medium modification of the basic process dd uue e ( e e ) e - Light

799 views • 25 slides
Global Research Alliance Modelling Platform (GRAMP) Dr. Jagadeesh Yeluripati Aim of GRAMP :

Global Research Alliance Modelling Platform (GRAMP) Dr. Jagadeesh Yeluripati Aim of GRAMP :

Global Research Alliance Modelling Platform (GRAMP) Dr. Jagadeesh Yeluripati Aim of GRAMP : Increase understanding of the development of 1. the model through time Publicise the availability of different model code 2. versions for specific

602 views • 11 slides
Batch-Incremental vs. Instance-Incremental Learning in Dynamic and Evolving Data Jesse Read 1 ,

Batch-Incremental vs. Instance-Incremental Learning in Dynamic and Evolving Data Jesse Read 1 ,

Batch-Incremental vs. Instance-Incremental Learning in Dynamic and Evolving Data Jesse Read 1 , Albert Bifet 2 , Bernhard Pfahringer 2 , Geoff Holmes 2 1 Department of Signal Theory and Communications Universidad Carlos III Madrid, Spain 2

568 views • 19 slides
Incremental and Non-incremental Learning of Control Knowledge for Planning Daniel Borrajo Mill

Incremental and Non-incremental Learning of Control Knowledge for Planning Daniel Borrajo Mill

1 Incremental and Non-incremental Learning of Control Knowledge for Planning Daniel Borrajo Mill an joint work with Manuela Veloso, Ricardo Aler, and Susana Fern andez Universidad Carlos III de Madrid Avda. de la Universidad, 30. 28911

630 views • 59 slides
Extending Code Genera/on to Support Pla6orm-Independent Event-B Models Asieh Salehi, Michael

Extending Code Genera/on to Support Pla6orm-Independent Event-B Models Asieh Salehi, Michael

Extending Code Genera/on to Support Pla6orm-Independent Event-B Models Asieh Salehi, Michael Butler, Colin Snook University of Southampton, Southampton, United Kingdom 6th Rodin User and Developer Workshop, 23 May, 2016, Linz, Austria

452 views • 17 slides
RoboChart & RoboSim Modelling Robots and Collections Alvaro Miyazawa Department of Computer

RoboChart & RoboSim Modelling Robots and Collections Alvaro Miyazawa Department of Computer

RoboChart & RoboSim Modelling Robots and Collections Alvaro Miyazawa Department of Computer Science University of York January 23, 2019 Outline Introduction RoboChart RoboSim Collection modelling Robotic platform modelling 1 42

888 views • 59 slides
Stochastic Simulation Discrete simulation/event-by-event Bo Friis Nielsen Institute of

Stochastic Simulation Discrete simulation/event-by-event Bo Friis Nielsen Institute of

Stochastic Simulation Discrete simulation/event-by-event Bo Friis Nielsen Institute of Mathematical Modelling Technical University of Denmark 2800 Kgs. Lyngby Denmark Email: bfni@dtu.dk Discrete event simulation Discrete event

341 views • 14 slides

More recommend