1 B is a method for specifying, designing, and coding software systems. J.R. Abrial, The B-Book,...
184
1 “B is a method for specifying, designing, and coding software systems.” J.R. Abrial, The B-Book, Cambridge University Press
-
Upload
emil-cooper -
Category
Documents
-
view
218 -
download
0
description
3
Transcript of 1 B is a method for specifying, designing, and coding software systems. J.R. Abrial, The B-Book,...
1
“B is a method for specifying, designing, and coding software systems.”J.R. Abrial, The B-Book, Cambridge University Press
2
3
4
5
6
B4free
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
Exercise 1.7A car park has 640 parking spaces. Give an abstract machine which specifies a system to control cars entering the car park. It should keep track of the cars currently in the car park, and should provide 3 operations:– Enter, which recorders the entry of a new car.
This should occur only when the car park is not full;
– Leave, which records the exit of a car from the car park;
– Query, which outputs the number of cars currently in the car park.
30
MACHINE CarParkVARIABLES contentsINVARIANT contents : NAT & contents <= 640INITIALIZATION contents := 0OPERATIONSenter =
PRE contents < 640THEN contents := contents + 1END;
leave =PRE contents > 0THEN contents := contents – 1END;
nn <-- query =PRE trueTHEN nn := contentsEND
END
31
32
33
34
35
36
37
38
39
40
41
42
43houseset, magazine := {}, {}
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
t parentancestor
parentyzparentzx
PERSONzzyxparentancestor
,,.,
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
Substitutions
xEP /
Expression E is substituted for a free variable x byreplacing all occurrences of x by E.Read as P with E for x.
GOaliceCHESSalice
xaliceGOxCHESSx
/
92
zyxxyzyxyx /
2)(.
/2)(.
oldlimitpagePERSONpp
limitoldlimitlimitpagePERSONpp
93
3.
/3./3.
nmmmlimitnlimitmmm
limitnlimitnnn
Renaming bound variables to avoid variable capture
limitmmm
nlimitmmmnlimitnnn
./50.
/50.
If the variable being substituted does not occur free anywhere inthe predicate then it is left unchanged.
94
nxxxGFEP ,...,/,..., 21
zyxyx
yxzyxyxyx
,/,
95
Self test
servennextnnservenn
serveservenextnnservenn
/4.)2(
/14.)1(
2
2
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
The set of all possiblestates a machine canbe in.
115
116
See Page26 of theB-method.
117
118
119
120
121
122
P is a predicate which describes a set of states that may be reachedafter the performance of statement S.P is referred to as the post condition of S.
The notation [S]P denotes a predicate which is true ofany initial state from which is guaranteed to achieve P.
123
124
See Page27 of theB-method.
125
126
127
128
129
130
131
132
133
134
[hh := min(houseset)](!hh.(hh:houseset=> hh < 163))
135
136
137
138
139
140
141
142
143
144
[a(4) := 7](a : NAT1 >+> NAT)
= (a <+ {(4,7)}) : NAT1 >+> NAT
= ({4} <<| a) : NAT1 >+> NAT &7 /: ran({4} <<| a)
145
Other Constructs
[IF E THEN S ELSE T END]P =(E & [S]P) or (not(E) & [T]P)
[IF E THEN S ELSE T END]P =(E => [S]P) or (not(E) => [T]P)
146
[IF x<5 THEN x:=x+4 ELSE x:=x-3 END] (x<7)
= (x<5 & [x:=x+4](x<7)) or((not(x<5)) & [x:=x-3](x<7))
= (x<5 & (x+4<7)) or ((x>=5) & (x-3<7))
= (x<5 & x<3) or ((x>=5) & (x<10))
= (x<3) or ((x>=5) & (x<10))
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
MACHINE Info(ITEM, sample, num)CONSTRAINTS sample:ITEM &
num : NAT &num > card(ITEM)
CONSTANTS storagePROPERTIES storage : NAT1 &
storage <= num
VARIABLES current, next, previous
INVARIANT current <: ITEM &next : ITEM &previous : ITEM &next /= previous
Exercise 5.1 Page 67 “the b-method”What are the proof obligations associated with the constraints below?Are they consistent?
170
# ITEM, sample, num .(ITEM /= {} &sample : ITEM &num : NAT &num > card(ITEM))
Proof obligation associated with the constraints:
171
(ITEM /={} & sample:ITEM & num:NAT & num > card(ITEM))
=>
# storage . (storage : NAT1 & storage <= num)
Proof obligation: It must be possible to find appropriateSETS and CONSTANTS.
172
( ITEM /={} & sample:ITEM & num:NAT &num>card(ITEM) &
storage : NAT1 & storage <= num )=># current, next, previous . (
current <: ITEM &next : ITEM &previous : ITEM &next /= previous
)
Proof obligation: When all the parameters are set it must bepossible for the machine to have variables that satisfy theinvariant.
What ifITEM={a}?
173
END S THEN P PRE operationeach for
][ 5.][ 4.. 3.., 2.
. 1.
ISPICBITCBIvCBBkStC
Cp
Summary of Proof Obligations:
174
175
• Self tests (from “the b-method”)– Exercise 5.2 page 68– Exercise 6.3 Page 89
176
Completing the Laws of [S]P
nnnn xxEEPPEExx
yxFEPPFEyx
xEPPEx
,...,/,...,,...,:,...,
,/,,:,
/:
1111
177
PP skip
PTEPSE
PTSE
ENDELSETHENIF
PTEPSE
PTSE
ENDELSETHENIF
?ENDTHENIF PSE
178
PVeEeEeEPTeE
PTeEPTeE
P
VTe
TeTe
E
n
nnnn ...
...
ENDELSE
THENOR...OR
THENORTHENEITHER
OFCASE
21
22
11
22
11
179
aEiaPPEia /,:)(
180
PTQx
PTQx
.
ENDTHENWHEREANY
Non-determinism:
PTQxx
PTQxx
n
n
.,...,ENDTHENWHERE,...,ANY
1
1
xzPSzzPSx /.:
181
PSExx
PSExxLET
.
ENDINBE
182
PTPSPTS ENDORCHOICE
PSPSPS
PSSS
n
n
...END...ORORCHOICE
21
21
183
184
• Sequences
