B Specification Example

Transcription

1 B Specification Example Peter H. Schmitt Universität Karlsruhe P. Schmitt: Formal Specification and Verification of Software p.1

2 Task: Lift Controller 1. In every lift cabin there is a series of push buttons, one for each floor. Once pressed they light up and register a request to move to the indicated floor. Illumination stops when the destination floor is reached. P. Schmitt: Formal Specification and Verification of Software p.2

3 Task: Lift Controller (Contd.) 2. On every floor there are two push-buttons, one for downward and one for upward request. Exceptions are the first and last floor, where only one button for the only possible direction exists. Once pressed the buttons stay lit till a lift cabin stops and moves on into the desired direction. The control algorithm should minimize the waiting time for both, up and down, request. P. Schmitt: Formal Specification and Verification of Software p.3

4 Task: Lift Controller (Contd.) 3. When no further request are to be served the lift remains at its last stop, doors closed. 4. Every request on every floor must eventually be served. All floors are served with equal priority. 5. All floors requested within a lift cabin must eventually be reached. Open request will be served following the order of their appearance. 6. There is an emergency switch in every lift. Activation of this switch will be forwarded to the maintenance service. The lift will be considered out of order. There is a mechanism in every lift to undo the emergency state. P. Schmitt: Formal Specification and Verification of Software p.4

5 The Lift Machine MACHINE Lift SETS LIFT; DIRECTIONS = {up, dn} CONSTANTS ground, top PROPERTIES ground NAT top NAT ground < ltop DEFINITIONS FLOOR = ground... top VARIABLES moving, floor, dir, in, out INVARIANTS moving LIFT floor LIFT FLOOR dir LIFT DIRECTIONS in FLOOR DIRECTIONS out LIFT FLOOR (ground dn) in (top up) in moving (out floor) = INITIALIZATION in, out, moving =,, in ran(moving (floor dir)) =, floor, dir = LIFT {ground}, LIFT {up} P. Schmitt: Formal Specification and Verification of Software p.5

6 Lift Machine: Operations (Part 1) MACHINE Lift (continued) OPERATIONS Request Floor(l, f ) = PRE l LIFT f FLOOR (l moving floor(l) f ) THEN out := out {l f } END; Request Lift(f, d) = PRE f FLOOR d DIRECTIONS (f, d) (ground, dn) (f, d) (top, up) (f, d) ran(moving (floor dir)) THEN in := in {f d} END; P. Schmitt: Formal Specification and Verification of Software p.6

7 Definitions for the Lift Machine MACHINE Lift (continued) DEFINITIONS attracted up(l) = (dom(in) out[{l}]) ((floor(l) + 1)... top) ; attracted dn(l) = (dom(in) out[{l}]) (ground... (floor(l) 1)) ; can continue up(l) = (l floor(l)) out (floor(l) dir(l) in attracted up(l); can continue dn(l) = (l floor(l)) out (floor(l) dir(l) in attracted dn(l); P. Schmitt: Formal Specification and Verification of Software p.7

8 Lift Machine: Operations (Part 2) MACHINE Lift OPERATIONS (continued) Continue up(l) = PRE l moving dir(l) = up can continue up(l) THEN floor(l) := floor(l) + 1 END; Continue up(l) = analog Stop up(l) = PRE l moving dir(l) = up can continue up(l) THEN moving := moving {l} out := out {l floor(l)} in := in {floor(l) dir(l)} END; Stop dn(l) = analog P. Schmitt: Formal Specification and Verification of Software p.8

9 Lift Machine: Operations (Part 3) MACHINE Lift OPERATIONS (continued) Depart up(l) = PRE l LIFT moving dir(l) = up attracted up(l) THEN moving := moving {l} floor(l) := floor(l) + 1 END; Depart dn(l) = analog Change up to dn(l) = PRE l LIFT moving dir(l) = up attracted up(l) attracted dn(l) THEN in := in {floor(l) dn} dir(l) := dn Change dn to up(l) = analog P. Schmitt: Formal Specification and Verification of Software p.9

10 Syntax of formulas in B Syntactic Definition Category Formula F F F F F Variable F (Predicate) [Variable := Expression]F Expression = Expression Expression Set Expressions Variable [Variable := Expression]E Expression, Expression choice(set) Set Variables Variable Variable, Variable Sets Set Set (Set) {Variable F } BIG P. Schmitt: Formal Specification and Verification of Software p.10

11 Definitional Extensions Symbol Definition X Y x (x X x Y ) proper subset X Y X Y X = Y subset X Y X, Y ordered pair X Y {a a X Y Y } union X Y {a a X Y Y } intersection X Y (X Y ) relation dom(r) {a a X b (b Y (a b) r)} domain of a relation r X Y ran(r) {a a X b (b Y (b a) r)} range of a relation r X Y X Y {r r X Y a, b, c partial function (a b r a c r b = c) X Y {r r X Y dom(r) = X (total) function Z r {a, b (a, b) R a Z } Restriction of the domain Z r {a, b (a, b) R a Z } Anti-restriction of the domain r s {a, b, c (a.b) r (a, c) s} direct product of relations P. Schmitt: Formal Specification and Verification of Software p.11

12 The Meaning of Invariants moving (out floor) = x, y ((x, y) floor x moving (x, y) out) P. Schmitt: Formal Specification and Verification of Software p.12

13 The Meaning of Invariants moving (out floor) = x, y ((x, y) floor x moving (x, y) out) If lift a stops at floor f, requests to move to floor a will be ignored. P. Schmitt: Formal Specification and Verification of Software p.12

14 The Meaning of Invariants moving (out floor) = x, y ((x, y) floor x moving (x, y) out) If lift a stops at floor f, requests to move to floor a will be ignored. in ran(moving (floor dir)) = a, f, d (a moving (a, f) floor (a, d) dir (f, d) in) P. Schmitt: Formal Specification and Verification of Software p.12

15 The Meaning of Invariants moving (out floor) = x, y ((x, y) floor x moving (x, y) out) If lift a stops at floor f, requests to move to floor a will be ignored. in ran(moving (floor dir)) = a, f, d (a moving (a, f) floor (a, d) dir (f, d) in) If a lift stops at floor f ready to move in direction d then request from floor f to move in direction d will be ignored. P. Schmitt: Formal Specification and Verification of Software p.12

16 A Definition of Distance Comparision d e dist(f, d, g, e) f > g up up 2 (top ground) f + g + 2 dn 2 top f g + 1 dn up f + g ground dn f g f = g up up 0 dn 2 top f g + 1 dn up f + g ground dn 0 f = g up up g f dn 2 top f g + 1 dn up f + g ground dn 2 (top ground) g + f + 2 P. Schmitt: Formal Specification and Verification of Software p.13

17 Proof Obligation for Change up to dn I l LIFT moving dir(l) = up attracted up(l) attracted dn(l) (g, e) ((g, e) in {floor(l) dn} dist(floor(l), dn, g, e) < dist(floor(l), dir(l), g, e)) P. Schmitt: Formal Specification and Verification of Software p.14

18 Abstraction for Change_up_to_dn Change up to dn(l) = PRE l LIFT moving dir(l) = up attracted up(l) attracted dn(l) THEN Decrease Distances(l) END P. Schmitt: Formal Specification and Verification of Software p.15

19 Definition of Decrease_Distances(l) Decrease Distances(l) = PRE l LIFT THEN moving, floor, dir, lin, out : I in in 0 out out 0 (g, e) ((g, e) in dist(floor(l), dir(l), g, e) < dist(floor 0 (l), dir 0 (l), g, e) END P. Schmitt: Formal Specification and Verification of Software p.16

20 Example: Machine 1 MACHINE Little Example 1 VARIABLES y INVARIANT y (NAT 1 ) INITIALIZATION y := OPERATIONS enter(n) = PRE n NAT 1 THEN y := y {n} END; m maximum = PRE y THEN m := max(y) END; END P. Schmitt: Formal Specification and Verification of Software p.17

21 Example: Machine 2 MACHINE Little Example 2 VARIABLES z INVARIANT z NAT INITIALIZATION z := 0 OPERATIONS enter(n) = PRE n NAT 1 THEN z := max{z, n} END; m maximum = PRE z 0 THEN m := z END; END P. Schmitt: Formal Specification and Verification of Software p.18