Software development using B method. Julien Cervelle LACL - UPEC

Similar documents
Functions. How is this definition written in symbolic logic notation?

Complexity Theory. Compiled By : Hari Prasad Pokhrel Page 1 of 20. ioenotes.edu.np

Functions 2/1/2017. Exercises. Exercises. Exercises. and the following mathematical appetizer is about. Functions. Functions

Functions. Def. Let A and B be sets. A function f from A to B is an assignment of exactly one element of B to each element of A.

ECS 20 Lecture 9 Fall Oct 2013 Phil Rogaway

2. Functions, sets, countability and uncountability. Let A, B be sets (often, in this module, subsets of R).

1.3 Functions and Equivalence Relations 1.4 Languages

2.3: FUNCTIONS. abs( x)

Complete Instantiation of Quantified Formulas in Satisfiability Modulo Theories. ACSys Seminar

4. Definition: topological space, open set, topology, trivial topology, discrete topology.

Module 6. Knowledge Representation and Logic (First Order Logic) Version 2 CSE IIT, Kharagpur

Slides for Faculty Oxford University Press All rights reserved.

Z Notation. June 21, 2018

1KOd17RMoURxjn2 CSE 20 DISCRETE MATH Fall

FOUNDATIONS OF THE B METHOD. Dominique Cansell, Dominique Méry 1 INTRODUCTION. 1.1 Overview of B. Computing and Informatics, Vol.

The Event-B Modelling Notation

COMPUTABILITY THEORY AND RECURSIVELY ENUMERABLE SETS

Principles of Program Analysis. Lecture 1 Harry Xu Spring 2013

1. M,M sequential composition: try tactic M; if it succeeds try tactic M. sequential composition (, )

Tutorial on the event-based B method

CS 242. Fundamentals. Reading: See last slide

Formal specification in Event-B

Formal Methods. CITS5501 Software Testing and Quality Assurance

Some notes about Event-B and Rodin

axiomatic semantics involving logical rules for deriving relations between preconditions and postconditions.

3. Determine whether f is a function from the set of all bit strings to the set of integers if

Comparing sizes of sets

Lambda Calculus and Type Inference

Practice Final. Read all the problems first before start working on any of them, so you can manage your time wisely

FMSE: Lecture 1. The Specification Language Z: Introduction

EDAA40 At home exercises 1

Hoare Logic: Proving Programs Correct

2 A topological interlude

Functions (4A) Young Won Lim 5/8/17

Deductive Program Verification with Why3, Past and Future

CSC Discrete Math I, Spring Sets

MATH 139 W12 Review 1 Checklist 1. Exam Checklist. 1. Introduction to Predicates and Quantified Statements (chapters ).

THE DOLD-KAN CORRESPONDENCE

Lectures 20, 21: Axiomatic Semantics

Basic Properties The Definition of Catalan Numbers

CITS5501 Software Testing and Quality Assurance Formal methods

No model may be available. Software Abstractions. Recap on Model Checking. Model Checking for SW Verif. More on the big picture. Abst -> MC -> Refine

Program Analysis: Lecture 02 Page 1 of 32

Computer Science and Mathematics. Part I: Fundamental Mathematical Concepts Winfried Kurth

Lambda Calculus. Type Systems, Lectures 3. Jevgeni Kabanov Tartu,

Propositional Calculus: Boolean Algebra and Simplification. CS 270: Mathematical Foundations of Computer Science Jeremy Johnson

Figure 1.1: This is an illustration of a generic set and its elements.

Formal Systems II: Applications

Functions (4A) Young Won Lim 3/16/18

1. Draw the state graphs for the finite automata which accept sets of strings composed of zeros and ones which:

LOGIC AND DISCRETE MATHEMATICS

Lecture Notes: Hoare Logic

An Interesting Way to Combine Numbers

MATH 22 MORE ABOUT FUNCTIONS. Lecture M: 10/14/2003. Form follows function. Louis Henri Sullivan

Specifications. Prof. Clarkson Fall Today s music: Nice to know you by Incubus

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

T. Background material: Topology

Sets 1. The things in a set are called the elements of it. If x is an element of the set S, we say

Introduction to the Lambda Calculus

Lecture 2 : Counting X-trees

Programming Languages Third Edition

To illustrate what is intended the following are three write ups by students. Diagonalization

UML Class Model Abstract Syntax and Set-Based Semantics

Point-Set Topology 1. TOPOLOGICAL SPACES AND CONTINUOUS FUNCTIONS

1. true / false By a compiler we mean a program that translates to code that will run natively on some machine.

Conceptual modeling of entities and relationships using Alloy

6. The Bounded Re-transmission Protocol. Jean-Raymond Abrial

An Annotated Language

The Language of Sets and Functions

Module 6. Knowledge Representation and Logic (First Order Logic) Version 2 CSE IIT, Kharagpur

1.3 Primitive Recursive Predicates and Bounded Minimalization

Manifolds. Chapter X. 44. Locally Euclidean Spaces

Decision Procedures for Equality Logic. Daniel Kroening and Ofer Strichman 1

Discrete Mathematics Lecture 4. Harper Langston New York University

CMPSCI 250: Introduction to Computation. Lecture #7: Quantifiers and Languages 6 February 2012

2. There are 7 people to be seated at a round table. How many seating arrangements are possible? How many times must they change places so that

Phil 320 Chapter 1: Sets, Functions and Enumerability I. Sets Informally: a set is a collection of objects. The objects are called members or

Towards a Logical Reconstruction of Relational Database Theory

Math 205B - Topology. Dr. Baez. February 23, Christopher Walker

Announcements. Problem Set 3 due Friday, October 21. Alternate Midterm Times. Drop by office hours! Ask questions at

Reasoning About Imperative Programs. COS 441 Slides 10

M3P1/M4P1 (2005) Dr M Ruzhansky Metric and Topological Spaces Summary of the course: definitions, examples, statements.

13 th Annual Johns Hopkins Math Tournament Saturday, February 19, 2011 Automata Theory EUR solutions

Logic-Flow Analysis of Higher-Order Programs

Elementary Recursive Function Theory

MA651 Topology. Lecture 4. Topological spaces 2

Functions and Sequences Rosen, Secs. 2.3, 2.4

Lecture IV - Further preliminaries from general topology:

Cardinality Lectures

Crash Course in Monads. Vlad Patryshev

Abstract Combinatorial Games

Continuous functions and homeomorphisms

Handout 9: Imperative Programs and State

The Further Mathematics Support Programme

Software Construction

An introduction to Category Theory for Software Engineers*

Let A(x) be x is an element of A, and B(x) be x is an element of B.

A set with only one member is called a SINGLETON. A set with no members is called the EMPTY SET or 2 N

Math 221 Final Exam Review

Pure Lambda Calculus. Lecture 17

Transcription:

Software development using B method Julien Cervelle LACL - UPEC

Outline Introduction B abstract machine First order logic of set theory Substitutions Proof obligations Refinement

Introduction B method was invented by Jean-Raymond Abrial Member of the Green team who win the contest of the US department of defense designing Ada language, late 80ies Designed the Z specification language based on set theory Designed the B language to add the refinement notion and a proof obligation system

Main concepts Formal specification of software Data Operations Constraints Tools which ensure everything thing written meet the specifications Proof obligations Invariant conservation Post-condition, pre-condition, loop invariant and variant Refinement which allows to gradually reach the final software

Outline Introduction B abstract machine First order logic of set theory Substitutions Proof obligations Refinement

Data structures in B Comes from the ZF set theory Base elements are sets and integers (and reals though they are not yet implemented) Every complex data structures are based on these elements Relations are sets of ordered pairs Function are relations Sequences and arrays are functions

Typing Difference with the ZF set theory Integers are not sets ordered pairs are a special construct (and not a,b ={{a},{a,b}}) Everything must be properly typed Symbols are not introduced with their types (like in the C language) Typing is done in the logical formula which specifies the symbol Location of typing Invariant for state variables Precondition for operation parameter Selection formula for set comprehension {x φ(x)}

B abstract machine The internal data of the machine is called its state It consists in variables which contains all values needed to perform the machine tasks The environment can perform operations on the machine An operation has possibly an input and possibly an output It can consult and modify the variables The B abstract machine look like an instance of some class Complete different philosophy from OO software development One software = one machine

B abstract machine component Symbols CONSTANTS VARIABLES OPERATIONS Specification PROPERTIES INVARIANT Substitutions

Example MACHINE Counter CONSTANTS max_value PROPERTIES max_value N₁ VARIABLES count INVARIANT count N count max_value INITIALISATION count:=0 OPERATIONS inc = PRE count<max_value THEN count:=count+1 END; dec = PRE count>0 THEN count:=count-1 END; reset = count:=0; set(value) = PRE value N₁ value max_value THEN count:=value END; value get = value:=count END

Outline Introduction B abstract machine First order logic of set theory Substitutions Proof obligations Refinement

First order logic and set theory Usual first order logic Φ ψ, φ ψ, φ x.(φ), x.(φ) Sets and ordered pairs (x,y) but better noted (x y) Set by extension {m 1, m 2,, m n } Set comprehension {x φ} or generally {x,y, φ} Predicate are carried by sets through set comprehension Predicate PRED(x), true if x meets some condition c Would be the constant PRED={x x meets c}

Operations on sets Usual operator E F, E F, E-F, E F x E, E F Power set A type can be used as a set (e.g. F=N {v}) Power set of E is P(E) Set of finite sets of E is F(E)

Relations Relations between two sets (or types) E and F are subsets of E F E F = {x,y x E y F} = {x y x E y F} = {(x,y) x E y F} Relations play an important role in B No object notion in B Just some seldom used record notion To add an attribute att of type E to some data D we add a relation E D named att to the machine

Example MACHINE StudentTable SETS Student; Lesson; Teacher VARIABLES teaches,follows INVARIANT teaches Teacher Lesson follows Student Lesson INITIALISATION teaches: Teacher Lesson follows: Student Lesson END

Partial functions Functions are special kind of relations Partial function allows at most one y in relation with some x E F = {R R E F x y z.(x y R x z R z=y)} Total function requires exactly one y in relation with any x E F = {R R E F x.(x E y.(x y R))} Usual notion of surjectivity, injectivity and bijectivity For total or partial functions Allows to simply specified cardinalities (databases definition) Each has its notation:

Example MACHINE StudentTable SETS Student; Lesson; Teacher VARIABLES has_teacher,follows INVARIANT has_teacher Lesson Teacher follows Student Lesson INITIALISATION has_teacher: Lesson Teacher follows: Student Lesson END

Operations on relation and functions Inverse Composition Domain and codomain (range) Transitive closure Image R[E] = {y x.(x E x y R)} Domain and codomain restrictions, if R E F: G R = R G F, G R = R-G F R G = R E G, R G = R-E G Relation overridding

Outline Introduction B abstract machine First order logic of set theory Substitutions Proof obligations Refinement

Substitution A formal description of how to modify the variables Looks like a method of an object Is defined using first order logic Can be non-deterministic Can have parameters and return values

Some substitutions x:=y means x becomes equal to y counter := 0, has_teacher(b_method):=johnson IF φ THEN s1 ELSE s2 END IF param>max_value THEN x:=max_value ELSE x:=param END x:(φ) means x becomes as φ (previous value of x is denoted by x$0) normalize = x:(x<=max_value) Can be generalized as x,y, :(φ) normalize = x,max_value:(x<=max_value) x: E means x becomes any member of E (useful for initialization)

Other substitutions ANY, LET allows to use temporary constants With a given value (LET) With a given property (ANY) SELECT, CASE, IF allows to chose the substitution depending on conditions From the value of an expression (CASE) Test sequentially (IF) Chosen non-deterministically among true formulas (SELECT) PRE is a special substitution to add preconditions to operations

Parallelism If multiple variable are to be modified, the substitutions are done in parallel x:=y y:=x allows to swap the content of variables Can be written x,y:(x=y$0 y=x$0) No sequential operation of loop in B except for the last refinement (called implementation)

Outline Introduction B abstract machine First order logic of set theory Substitutions Proof obligations Refinement

B method The core of B method is to proof in a software the the specification is correct The initialization must make the variable verifies the invariant Each operation must maintain the invariant Each written formula must be sound Writing f(x) generates the proof obligation that x dom(f) Taking the maximum of E generates E and E has an upper bound Note that this makes non commutative x dom(f) f(x)=12 is correct but not f(x)=12 x dom(f)

B tools Software for B method is Atelier-B http://www.atelierb.eu/en/telecharger-latelier-b It comes with automated tools for proof Predicate prover Mono-lemma prover Mini prover Interactive prover (was people want to avoid)

Substituting logical formula The key notion behind proof obligation generation is the weakest precondition If S is a substitution and φ a formula, [S]φ is the weakest formula such that If the variables verifies [S]φ and one applies S Then the variables verifies φ once S applied For instance, [x:=x+1]x=5 is x=4 The automated process replaces x by x+1 in x=5 and obtains x+1=5 [x: R]x 0 is R N The automated process produces x.(x R x 0)

Outline Introduction B abstract machine First order logic of set theory Substitutions Proof obligations Refinement

Refinement Refinement allows two things Data refinement Allows to narrow the state of the machine to go toward the implementation The refinement requires a gluing invariant which describe how the original state is computed from the refined state Detail refinement Allows to add more details to what is to be done by the machine This refinement can adds variables to the machine The two refinement can be mixed up

Example: Data refinement Abstract machine Queue of maximum length MAX Taking values from a set E Represented by: f N E begin,end N Concrete machine Circular buffer Represented by: array: an array of length MAX offset 0..MAX-1 length 0..MAX f array length begin end offset

Example: Detail refinement Abstract machine Door control system status {OPEN,CLOSE} light {RED, GREEN} status=close light=red Concrete machine open_angle 0..120 /*degree*/ light2 {RED,YELLOW,GREEN} open_angle = 0 light2 = RED open_angle 1..90 light2 = YELLOW open_angle 91..120 light2 = GREEN

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback