Transcript of: Summary of Event-B Proof Obligations (deploy-eprints.ecs.soton.ac.uk/234/19/po-slides.pdf)

Slide 1
Summary of Event-B Proof Obligations
Jean-Raymond Abrial(edited by Thai Son Hoang)
Department of Computer ScienceSwiss Federal Institute of Technology Zürich (ETH Zürich)
Bucharest DEPLOY 2-day Course, 14th-16th, July, 2010
J-R. Abrial (ETH-Zürich) Event-B Proof Obligations Bucharest, 14-16/07/10 1 / 65
Slide 2
Purpose of this Presentation
Prerequisites:
1. Summary of Mathematical Notation (a quick review)
2. Summary of Event-B Notation

The examples developed in (2) will be used here.

Showing the various Event-B proof obligations (sometimes also called verification conditions).
Slide 3
Role of the Proof Obligation Generator
The POs are automatically generated by a Rodin Platform tool called the Proof Obligation Generator.
This tool is run after the Static Checker (which statically checks context or machine texts).
The Proof Obligation Generator then decides what is to be proved.
The outcome is a set of sequents, which are transmitted to the provers performing automatic or interactive proofs.
Slide 4
Summary of the Main Rodin Platform Kernel Tools
The Static Checkers:
lexical analyser
syntactic analyser
type checker
The Proof Obligation Generator
The Provers
Slide 5
Summary of the Main Rodin Platform Kernel Tools
[Diagram: Contexts or Machines are fed to the Static Checkers (which report Errors), then to the Proof Obligation Generator, then to the Provers, which produce Proofs]

Proofs which cannot be done help improve the model.
Slide 6
Various Kinds of Proof Obligations
Invariant preservation (initial model) (INV slide 9)
Non-deterministic action feasibility (FIS slide 14)
Guard strengthening in a refinement (GRD slide 18)
Invariant preservation in a refinement (INV slide 22)
Simulation (SIM slide 26)
Numeric variant (NAT slide 30)
Set variant (FIN slide 34)
Slide 7
Various Kinds of Proof Obligations (cont’d)
Variant decreasing (VAR slide 38)
Feasibility of a non-deterministic witness (WFIS slide 46)
Proving theorems (THM slide 50)
Well-definedness (WD slide 58)
Guard strengthening when merging abstract events (MRG slide 62)
Slide 8
Outline of each Proof Obligation
Purpose and naming
Formal definition
Where generated in the “search” example
Application to the example
Slide 9
Purpose of Invariant Preservation PO (INV) (for Initial Model)

Ensuring that each invariant is preserved by each event.

For an event “evt” and an invariant “inv” the name of this PO is: evt/inv/INV
Slide 10
Formal Definition of Invariant Preservation (INV) (for Initial Model)

    evt ≙
      any x where
        G(x, s, c, v)
      then
        v :| BAP(x, s, c, v, v′)
      end

    s : seen sets
    c : seen constants
    v : variables
    A(s, c) : seen axioms
    I(s, c, v) : invariants
    evt : specific event
    x : event parameters
    G(x, s, c, v) : event guards
    BAP(x, s, c, v, v′) : event before-after predicate
    i(s, c, v′) : modified specific invariant

    evt/inv/INV

      A(s, c)                  Axioms
      I(s, c, v)               Invariants
      G(x, s, c, v)            Guards of the event
      BAP(x, s, c, v, v′)      Before-after predicate of the event
      ⊢
      i(s, c, v′)              Modified specific invariant

In case of the initialisation event, I(s, c, v) is removed from the hypotheses.
Slide 11
Examples in Machine m_0a (INV)

    context ctx_0
      sets D
      constants n f v
      axioms
        axm1 : n ∈ ℕ
        axm2 : f ∈ 1 .. n → D
        axm3 : v ∈ ran(f)
        thm1 : n ∈ ℕ1
    end

    machine m_0a
      sees ctx_0
      variables i
      invariants
        inv1 : i ∈ 1 .. n
      events
        ...
    end

    initialisation ≙
      status ordinary
      then
        act1 : i := 1
      end

    search ≙
      status ordinary
      any k where
        grd1 : k ∈ 1 .. n
        grd2 : f(k) = v
      then
        act1 : i := k
      end

Two invariant preservation POs are generated:
  - initialisation/inv1/INV
  - search/inv1/INV
Slide 12
Proof Obligation initialisation/inv1/INV

  Hypotheses: axm1, axm2, axm3, thm1, BA predicate  ⊢  modified inv1

      n ∈ ℕ
      f ∈ 1 .. n → D
      v ∈ ran(f)
      n ∈ ℕ1
      i′ = 1
      ⊢
      i′ ∈ 1 .. n

  Simplification performed by the PO Generator:

      n ∈ ℕ
      f ∈ 1 .. n → D
      v ∈ ran(f)
      n ∈ ℕ1
      ⊢
      1 ∈ 1 .. n

    initialisation ≙
      status ordinary
      then
        act1 : i := 1
      end

Note that inv1 is not part of the hypotheses (we are in the initialisation event).
Slide 13
Proof Obligation search/inv1/INV

  Hypotheses: axm1, axm2, axm3, thm1, inv1, grd1, grd2, BA predicate  ⊢  modified inv1

      n ∈ ℕ
      f ∈ 1 .. n → D
      v ∈ ran(f)
      n ∈ ℕ1
      i ∈ 1 .. n
      k ∈ 1 .. n
      f(k) = v
      i′ = k
      ⊢
      i′ ∈ 1 .. n

  Simplification performed by the PO Generator:

      n ∈ ℕ
      f ∈ 1 .. n → D
      v ∈ ran(f)
      n ∈ ℕ1
      i ∈ 1 .. n
      k ∈ 1 .. n
      f(k) = v
      ⊢
      k ∈ 1 .. n

    search ≙
      status ordinary
      any k where
        grd1 : k ∈ 1 .. n
        grd2 : f(k) = v
      then
        act1 : i := k
      end

In what follows, we’ll show the simplified form only.
Slide 14
Purpose of the Feasibility PO (FIS)
Ensuring that each non-deterministic action is feasible.
For an event “evt” and a non-deterministic action “act” in it, the name of this PO is: evt/act/FIS
Slide 15
Formal Definition of the Feasibility PO (FIS)

    evt ≙
      any x where
        G(x, s, c, v)
      then
        v :| BAP(x, s, c, v, v′)
      end

    s : seen sets
    c : seen constants
    v : variables
    A(s, c) : seen axioms
    I(s, c, v) : invariants
    evt : specific event
    x : event parameters
    G(x, s, c, v) : event guards
    BAP(x, s, c, v, v′) : event action (before-after predicate)

    evt/act/FIS

      A(s, c)                       Axioms
      I(s, c, v)                    Invariants
      G(x, s, c, v)                 Guards of the event
      ⊢
      ∃v′ · BAP(x, s, c, v, v′)     Some after-value satisfies the before-after predicate
Slide 16
Example in Machine m_0b (FIS)

    context ctx_0
      sets D
      constants n f v
      axioms
        axm1 : n ∈ ℕ
        axm2 : f ∈ 1 .. n → D
        axm3 : v ∈ ran(f)
        thm1 : n ∈ ℕ1
    end

    machine m_0b
      sees ctx_0
      variables i
      invariants
        inv1 : i ∈ 1 .. n
      events
        ...
    end

    initialisation ≙
      status ordinary
      then
        act1 : i := 1
      end

    search ≙
      status ordinary
      then
        act1 : i :| i′ ∈ 1 .. n ∧ f(i′) = v
      end

Among others, one feasibility PO is generated:
  - search/act1/FIS
Slide 17
Proof Obligation search/act1/FIS

  Hypotheses: axm1, axm2, axm3, thm1, inv1 (there is no guard in event search)  ⊢  ∃i′ · before-after predicate

      n ∈ ℕ
      f ∈ 1 .. n → D
      v ∈ ran(f)
      n ∈ ℕ1
      i ∈ 1 .. n
      ⊢
      ∃i′ · i′ ∈ 1 .. n ∧ f(i′) = v

    search ≙
      status ordinary
      then
        act1 : i :| i′ ∈ 1 .. n ∧ f(i′) = v
      end
Slide 18
Purpose of the Guard Strengthening PO (GRD)
Ensuring that the concrete guards in the refining event are stronger than the abstract ones.

This ensures that when a concrete event is enabled then so is the corresponding abstract one.

For a concrete event “evt” and an abstract guard “grd” in the corresponding abstract event, the name of this PO is: evt/grd/GRD
Slide 19
Formal Def. of the Guard Strengthening PO (GRD)

    evt0 ≙
      any x where
        g(x, s, c, v)
        ...
      then
        ...
      end

    evt ≙
      refines evt0
      any y where
        H(y, s, c, w)
      with
        x : W(x, y, s, c, w)
      then
        ...
      end

    s : seen sets
    c : seen constants
    v : abstract variables
    w : concrete variables
    A(s, c) : seen axioms
    I(s, c, v) : abstract invariants
    J(s, c, v, w) : concrete invariants
    evt : specific concrete event
    x : abstract event parameter
    y : concrete event parameter
    g(x, s, c, v) : abstract event specific guard
    H(y, s, c, w) : concrete event guards
    W(x, y, s, c, w) : witness predicate for x

    evt/grd/GRD

      A(s, c)                  Axioms
      I(s, c, v)               Abstract invariants
      J(s, c, v, w)            Concrete invariants
      H(y, s, c, w)            Concrete event guards
      W(x, y, s, c, w)         Witness predicate
      ⊢
      g(x, s, c, v)            Abstract event specific guard

It is simplified when there are no parameters.
Slide 20
Example in Mch m_1a Refining Mch m_0a (GRD)

    machine m_1a
      refines m_0a
      sees ctx_0
      variables i j
      invariants
        inv1 : j ∈ 0 .. n − 1
        inv2 : v ∉ f[1 .. j]
        thm1 : v ∈ f[j + 1 .. n]
      variant n − j
      events
        ...
    end

    initialisation ≙
      status ordinary
      then
        act1 : i := 1
        act2 : j := 0
      end

    search ≙
      status ordinary
      refines search
      when
        grd1 : f(j + 1) = v
      with
        k : j + 1 = k
      then
        act1 : i := j + 1
      end

    (abstract) search ≙
      status ordinary
      any k where
        grd1 : k ∈ 1 .. n
        grd2 : f(k) = v
      then
        act1 : i := k
      end

    progress ≙
      status convergent
      when
        grd1 : f(j + 1) ≠ v
      then
        act1 : j := j + 1
      end

Among others, two guard strengthening POs are generated:
  - search/grd1/GRD
  - search/grd2/GRD
Slide 21
Proof Obligation search/grd2/GRD

  Hypotheses: axm1, axm2, axm3, thm1 of ctx_0; inv1 (abstract); inv1, inv2, thm1 of m_1a; grd1 (concrete); witness predicate  ⊢  grd2 (abstract)

      n ∈ ℕ
      f ∈ 1 .. n → D
      v ∈ ran(f)
      n ∈ ℕ1
      i ∈ 1 .. n
      j ∈ 0 .. n − 1
      v ∉ f[1 .. j]
      v ∈ f[j + 1 .. n]
      f(j + 1) = v
      j + 1 = k
      ⊢
      f(k) = v

(Concrete event search and abstract event search are as shown on slide 20.)
Slide 22
Purpose of Invariant Preservation PO (INV) (for a Refinement)

Ensuring that each concrete invariant is preserved by each pair of concrete and abstract events.

For an event “evt” and a concrete invariant “inv” the name of this PO is: evt/inv/INV
Slide 23
Formal Definition of Invariant Preservation (INV) (for a Refinement)

    evt0 ≙
      any x where
        ...
      then
        v :| BA1(v, v′, ...)
      end

    evt ≙
      refines evt0
      any y where
        H(y, s, c, w)
      with
        x : W1(x, y, s, c, w)
        v′ : W2(y, v′, s, c, w)
      then
        w :| BA2(w, w′, ...)
      end

    s : seen sets
    c : seen constants
    v : abstract variables
    w : concrete variables
    A(s, c) : seen axioms
    I(s, c, v) : abstract invariants
    J(s, c, v, w) : concrete invariants
    evt : concrete event
    x : abstract parameter
    y : concrete parameter
    H(y, s, c, w) : concrete guards
    BA2(w, w′, ...) : concrete action
    j(s, c, v′, w′) : modified specific invariant

    evt/inv/INV

      A(s, c)                  Axioms
      I(s, c, v)               Abstract invariants
      J(s, c, v, w)            Concrete invariants
      H(y, s, c, w)            Concrete event guards
      W1(x, y, s, c, w)        Witness predicate (abstract parameter x)
      W2(y, v′, s, c, w)       Witness predicate (abstract after-value v′)
      BA2(w, w′, ...)          Concrete before-after predicate
      ⊢
      j(s, c, v′, w′)          Modified specific invariant

In case of the initialisation event, I(s, c, v) and J(s, c, v, w) are removed from the hypotheses.
Slide 24
Example in Mch m_1a Refining Mch m_0a (INV)

(Machine m_1a and its events initialisation, search, abstract search and progress are as shown on slide 20.)

Among others, four invariant preservation POs are generated:
  - progress/inv1/INV
  - progress/inv2/INV
  - initialisation/inv1/INV
  - initialisation/inv2/INV
Slide 25
Proof Obligation progress/inv1/INV

  Hypotheses: axm1, axm2, axm3, thm1 of ctx_0; inv1 (abstract); inv1, inv2, thm1 of m_1a; grd1 (concrete)  ⊢  modified specific invariant

      n ∈ ℕ
      f ∈ 1 .. n → D
      v ∈ ran(f)
      n ∈ ℕ1
      i ∈ 1 .. n
      j ∈ 0 .. n − 1
      v ∉ f[1 .. j]
      v ∈ f[j + 1 .. n]
      f(j + 1) ≠ v
      ⊢
      j + 1 ∈ 0 .. n − 1

    progress ≙
      status convergent
      when
        grd1 : f(j + 1) ≠ v
      then
        act1 : j := j + 1
      end
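Worked discharge of progress/inv1/INV, added here (the slide shows only the sequent). Only inv1 (concrete), thm1 of m_1a and grd1 are used; the remaining hypotheses play no role:

\[
\begin{array}{ll}
j \in 0 \,..\, n-1 & \text{(inv1; hence } j+1 \in 1 \,..\, n = \mathrm{dom}(f))\\
v \in f[j+1 \,..\, n] & \text{(thm1)}\\
f(j+1) \neq v & \text{(grd1)}\\
\hline
f[j+1 \,..\, n] = \{f(j+1)\} \cup f[j+2 \,..\, n] & \text{(split the image at } j+1 \in \mathrm{dom}(f))\\
v \in f[j+2 \,..\, n] & \text{(thm1 together with grd1)}\\
j+2 \le n & \text{(a non-empty image needs a non-empty interval)}\\
0 \le j+1 \le n-1 & \text{(lower bound from } 0 \le j \text{ in inv1)}
\end{array}
\]

The last line is the goal \(j+1 \in 0 \,..\, n-1\). Without thm1 the PO is not provable: nothing else in the hypotheses prevents \(j = n-1\) with \(f(n) \neq v\), which is why the theorem was added to m_1a.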
Slide 26
Purpose of the Simulation PO (SIM)

Ensuring that each action in a concrete event simulates the corresponding abstract action.

This ensures that when a concrete event is “executed” then what it does is not contradictory with what the corresponding abstract event does.

For a concrete event “evt” and an action “act” in the abstract event, the name of this PO is: evt/act/SIM
Slide 27
Formal Definition of the Simulation PO (SIM)

    evt0 ≙
      any x where
        ...
      then
        v :| BA1(v, v′, ...)
      end

    evt ≙
      refines evt0
      any y where
        H(y, s, c, w)
      with
        x : W1(x, y, s, c, w)
        v′ : W2(y, v′, s, c, w)
      then
        w :| BA2(w, w′, ...)
      end

    s : seen sets
    c : seen constants
    v : abstract variables
    w : concrete variables
    A(s, c) : seen axioms
    I(s, c, v) : abstract invariants
    J(s, c, v, w) : concrete invariants
    evt : concrete event
    x : abstract parameter
    y : concrete parameter
    H(y, s, c, w) : concrete guards
    BA1(v, v′, ...) : abstract action
    BA2(w, w′, ...) : concrete action

    evt/act/SIM

      A(s, c)                  Axioms
      I(s, c, v)               Abstract invariants
      J(s, c, v, w)            Concrete invariants
      H(y, s, c, w)            Concrete event guards
      W1(x, y, s, c, w)        Witness predicate (abstract parameter x)
      W2(y, v′, s, c, w)       Witness predicate (abstract after-value v′)
      BA2(w, w′, ...)          Concrete before-after predicate
      ⊢
      BA1(v, v′, ...)          Abstract before-after predicate
Slide 28
Example in Mch m_1a Refining Mch m_0a (SIM)

(Machine m_1a and its events initialisation, search, abstract search and progress are as shown on slide 20.)

Among others, one simulation PO is generated:
  - search/act1/SIM
Slide 29
Proof Obligation search/act1/SIM

  Hypotheses: axm1, axm2, axm3, thm1 of ctx_0; inv1 (abstract); inv1, inv2, thm1 of m_1a; grd1 (concrete); witness predicate  ⊢  before-after predicate (abstract)

      n ∈ ℕ
      f ∈ 1 .. n → D
      v ∈ ran(f)
      n ∈ ℕ1
      i ∈ 1 .. n
      j ∈ 0 .. n − 1
      v ∉ f[1 .. j]
      v ∈ f[j + 1 .. n]
      f(j + 1) = v
      j + 1 = k
      ⊢
      k = j + 1

(Simplified form: the abstract before-after predicate i′ = k with the concrete assignment i′ = j + 1 substituted. Concrete event search and abstract event search are as shown on slide 20.)
Slide 30
Purpose of the Numeric Variant PO (NAT)

Ensuring that under the guards of each convergent event a proposed numeric variant is indeed a natural number.

For a convergent event “evt”, the name of this PO is: evt/NAT
Slide 31
Formal Definition of the Numeric Variant PO (NAT)

    machine m
      refines ...
      sees ...
      variables v
      invariants I(s, c, v)
      events ...
      variant n(s, c, v)
    end

    evt ≙
      status convergent
      any x where
        G(x, s, c, v)
      then
        A
      end

    s : seen sets
    c : seen constants
    v : variables
    A(s, c) : seen axioms
    I(s, c, v) : abstract invariants
    J(s, c, v, w) : concrete invariants
    evt : specific event
    x : event parameters
    G(x, s, c, v) : event guards
    n(s, c, v) : numeric variant

    evt/NAT

      A(s, c)                  Axioms and theorems
      I(s, c, v)               Abstract invariants and theorems
      J(s, c, v, w)            Concrete invariants and theorems
      G(x, s, c, v)            Event guards
      ⊢
      n(s, c, v) ∈ ℕ           The numeric variant is a natural number
Slide 32
Example in Mch m_1a Refining Mch m_0a (NAT)

(Machine m_1a, with variant n − j, and its events initialisation, search and progress are as shown on slide 20.)

Among others, one numeric variant PO is generated:
  - progress/NAT
Slide 33
Proof Obligation progress/NAT

  Hypotheses: axm1, axm2, axm3, thm1 of ctx_0; inv1 (abstract); inv1, inv2, thm1 of m_1a; grd1 (concrete)  ⊢  variant is a natural number

      n ∈ ℕ
      f ∈ 1 .. n → D
      v ∈ ran(f)
      n ∈ ℕ1
      i ∈ 1 .. n
      j ∈ 0 .. n − 1
      v ∉ f[1 .. j]
      v ∈ f[j + 1 .. n]
      f(j + 1) ≠ v
      ⊢
      n − j ∈ ℕ

    machine m_1a
      refines m_0a
      ...
      variant n − j
      events
        ...
    end

    progress ≙
      status convergent
      when
        grd1 : f(j + 1) ≠ v
      then
        act1 : j := j + 1
      end
Slide 34
Purpose of the Set Variant PO (FIN)

Ensuring that a proposed set variant is indeed a finite set.

The name of this PO is: FIN
Slide 35
Formal Definition of the Set Variant (FIN)

    machine m
      refines ...
      sees ...
      variables v
      invariants J(s, c, v, w)
      events ...
      variant t(s, c, v)
    end

    s : seen sets
    c : seen constants
    v : variables
    A(s, c) : seen axioms
    I(s, c, v) : abstract invariants
    J(s, c, v, w) : concrete invariants
    t(s, c, v) : set variant

    FIN

      A(s, c)                  Axioms
      I(s, c, v)               Abstract invariants
      J(s, c, v, w)            Concrete invariants
      ⊢
      finite(t(s, c, v))       Finiteness of the set variant
Slide 36
Example in Mch m_1b Refining Mch m_0b (FIN)

    machine m_1b
      refines m_0b
      sees ctx_0
      variables i j
      invariants
        inv1 : j ∈ 0 .. n − 1
        inv2 : v ∉ f[1 .. j]
        thm1 : v ∈ f[j + 1 .. n]
      variant j .. n
      events
        ...
    end

    initialisation ≙
      status ordinary
      then
        act1 : i := 1
        act2 : j := 0
      end

    search ≙
      status ordinary
      refines search
      when
        grd1 : f(j + 1) = v
      then
        act1 : i := j + 1
      end

    progress ≙
      status convergent
      when
        grd1 : f(j + 1) ≠ v
      then
        act1 : j := j + 1
      end

Among others, one finiteness PO is generated.
Slide 37
Proof Obligation FIN

  Hypotheses: axm1, axm2, axm3, thm1 of ctx_0; inv1 (abstract); inv1, inv2, thm1 of m_1b  ⊢  variant is finite

      n ∈ ℕ
      f ∈ 1 .. n → D
      v ∈ ran(f)
      n ∈ ℕ1
      i ∈ 1 .. n
      j ∈ 0 .. n − 1
      v ∉ f[1 .. j]
      v ∈ f[j + 1 .. n]
      ⊢
      finite(j .. n)

    machine m_1b
      refines m_0b
      ...
      variant j .. n
      events
        ...
    end
Slide 38
Purpose of the Numeric Variant Decreasing PO (VAR)

Ensuring that each convergent event decreases the proposed numeric variant.

For a convergent event “evt”, the name of this PO is: evt/VAR
Slide 39
Formal Definition of the Numeric Variant Decreasing PO (VAR)

    evt ≙
      status convergent
      any x where
        G(x, s, c, w)
      then
        w :| BAP(x, s, c, w, w′)
      end

    s : seen sets
    c : seen constants
    v : abstract variables
    w : concrete variables
    A(s, c) : seen axioms
    I(s, c, v) : abstract invariants
    J(s, c, v, w) : concrete invariants
    evt : specific event
    x : event parameters
    G(x, s, c, w) : event guards
    BAP(x, s, c, w, w′) : event before-after predicate
    n(s, c, w) : numeric variant

    evt/VAR

      A(s, c)                     Axioms and theorems
      I(s, c, v)                  Abstract invariants and theorems
      J(s, c, v, w)               Concrete invariants and theorems
      G(x, s, c, w)               Guards of the event
      BAP(x, s, c, w, w′)         Before-after predicate of the event
      ⊢
      n(s, c, w′) < n(s, c, w)    Modified variant smaller than variant
Slide 40
Example in Mch m_1a Refining Mch m_0a (VAR)

(Machine m_1a, with variant n − j, and its events initialisation, search and progress are as shown on slide 20.)

Among others, one numeric variant decreasing PO is generated:
  - progress/VAR
Proof Obligation progress/VAR
    axm1            n ∈ ℕ
    axm2            f ∈ 1 .. n → D
    axm3            v ∈ ran(f)
    thm1 of ctx_0   n ∈ ℕ1
    inv1 (abstract) i ∈ 1 .. n
    inv1 (concrete) j ∈ 0 .. n − 1
    inv2 (concrete) v ∉ f[1 .. j]
    thm1 of m_1a    v ∈ f[j + 1 .. n]
    grd1 (concrete) f(j + 1) ≠ v
    ⊢
    modified variant smaller than variant:   n − (j + 1) < n − j

    machine m_1a
    refines m_0a
    . . .
    variant n − j
    events
        . . .
        progress ≙
            status convergent
            when
                grd1 : f(j + 1) ≠ v
            then
                act1 : j := j + 1
            end
    end
Purpose of the Set Variant Decreasing PO (VAR)
Ensuring that each convergent event decreases the proposed set variant
For a convergent event “evt”, the name of this PO is: evt/VAR
Formal Def. of the Set Variant Decreasing PO (VAR)
    evt
    status convergent
    any x where
        G(x, s, c, w)
    then
        v :| BAP(x, s, c, w, w′)
    end

    s : seen sets
    c : seen constants
    v : variables
    A(s, c) : seen axioms
    I(s, c, v) : abs. invts.
    J(s, c, v, w) : conc. invts.
    evt : specific event
    x : event parameters
    G(x, s, c, v) : event guards
    BAP(x, s, c, w, w′) : event before-after predicate
    t(s, c, w) : set variant

evt/VAR:
    Axioms and theorems
    Abstract invariants and theorems
    Concrete invariants and theorems
    Guards of the event
    Before-after predicate of the event
    ⊢
    Modified variant strictly included in variant

    A(s, c)
    I(s, c, v)
    J(s, c, v, w)
    G(x, s, c, v)
    BAP(x, s, c, w, w′)
    ⊢
    t(s, c, w′) ⊂ t(s, c, w)
Example in Mch m_1b Refining Mch m_0b (VAR)
    machine m_1b
    refines m_0b
    sees ctx_0
    variables i j
    invariants
        inv1 : j ∈ 0 .. n − 1
        inv2 : v ∉ f[1 .. j]
        thm1 : v ∈ f[j + 1 .. n]
    variant j .. n
    events
        initialisation ≙
            status ordinary
            then
                act1 : i := 1
                act2 : j := 0
            end
        search ≙
            status ordinary
            refines search
            when
                grd1 : f(j + 1) = v
            with
                k : j + 1 = k
            then
                act1 : i := j + 1
            end
        progress ≙
            status convergent
            when
                grd1 : f(j + 1) ≠ v
            then
                act1 : j := j + 1
            end
    end

- Among others, one variant decreasing PO is generated:
- progress/VAR
Proof Obligation progress/VAR
    axm1            n ∈ ℕ
    axm2            f ∈ 1 .. n → D
    axm3            v ∈ ran(f)
    thm1 of ctx_0   n ∈ ℕ1
    inv1 (abstract) i ∈ 1 .. n
    inv1 (concrete) j ∈ 0 .. n − 1
    inv2 (concrete) v ∉ f[1 .. j]
    thm1 of m_1b    v ∈ f[j + 1 .. n]
    grd1 (concrete) f(j + 1) ≠ v
    ⊢
    modified variant strictly included in variant:   j + 1 .. n ⊂ j .. n

    machine m_1b
    refines m_0b
    . . .
    variant j .. n
    events
        . . .
        progress ≙
            status convergent
            when
                grd1 : f(j + 1) ≠ v
            then
                act1 : j := j + 1
            end
    end
Purpose of the Witness Feasibility PO (WFIS)
Ensuring that each witness proposed in the witness predicate of a concrete event indeed exists
For a concrete event “evt”, and an abstract parameter x, the name of this PO is:
evt/x/WFIS
Formal Definition of the Witness Feasibility PO (WFIS)
    evt
    refines evt0
    any y where
        H(y, s, c, w)
    with
        x : W(x, y, s, c, w)
    then
        . . .
    end

    s : seen sets
    c : seen constants
    v : abstract variables
    w : concrete variables
    A(s, c) : seen axioms
    I(s, c, v) : abs. invts.
    J(s, c, v, w) : conc. invts.
    evt : specific concrete event
    x : abstract event parameter
    y : concrete event parameter
    H(y, s, c, w) : concrete event guards
    W(x, y, s, c, w) : witness predicate

evt/x/WFIS:
    Axioms
    Abstract invariants
    Concrete invariants
    Concrete event guards
    ⊢
    ∃x · Witness

    A(s, c)
    I(s, c, v)
    J(s, c, v, w)
    H(y, s, c, w)
    ⊢
    ∃x · W(x, y, s, c, w)
Example in Mch m_1a Refining Mch m_0a (WFIS)
    machine m_1a
    refines m_0a
    sees ctx_0
    variables i j
    invariants
        inv1 : j ∈ 0 .. n − 1
        inv2 : v ∉ f[1 .. j]
        thm1 : v ∈ f[j + 1 .. n]
    variant n − j
    events
        initialisation ≙
            status ordinary
            then
                act1 : i := 1
                act2 : j := 0
            end
        search ≙
            status ordinary
            refines search
            when
                grd1 : f(j + 1) = v
            with
                k : j + 1 = k
            then
                act1 : i := j + 1
            end
        progress ≙
            status convergent
            when
                grd1 : f(j + 1) ≠ v
            then
                act1 : j := j + 1
            end
    end

- Among others, one witness feasibility PO is generated:
- search/k/WFIS
Proof Obligation search/k/WFIS
    axm1            n ∈ ℕ
    axm2            f ∈ 1 .. n → D
    axm3            v ∈ ran(f)
    thm1 of ctx_0   n ∈ ℕ1
    inv1 (abstract) i ∈ 1 .. n
    inv1 (concrete) j ∈ 0 .. n − 1
    inv2 (concrete) v ∉ f[1 .. j]
    thm1 of m_1a    v ∈ f[j + 1 .. n]
    grd1 (concrete) f(j + 1) = v
    ⊢
    ∃k · witness predicate:   ∃k · j + 1 = k

    search ≙
        status ordinary
        refines search
        when
            grd1 : f(j + 1) = v
        with
            k : j + 1 = k
        then
            act1 : i := j + 1
        end
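The trace below is an added example, not code from the slides or from the Rodin platform: it animates m_1a and m_1b on a constructed instance of ctx_0 (the values chosen for n, f and v are assumptions of the example) and, on every state that progress reaches, checks what progress/NAT, progress/VAR (numeric and set form) and search/k/WFIS assert, and also shows what a variant that fails VAR looks like. A passing run is evidence for that one instance only; the discharged PO is what covers every n, f and v.

```python
"""Added example: animate the refined search machines m_1a / m_1b on one
constructed instance of ctx_0 and check, state by state, the facts that the
VAR, NAT and WFIS proof obligations establish for all states."""

from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple

# Constructed instance of the constants of ctx_0 (values are assumptions):
#   axm1: n ∈ ℕ,  axm2: f ∈ 1 .. n → D,  axm3: v ∈ ran(f)
N = 5
F = {1: "a", 2: "b", 3: "c", 4: "b", 5: "d"}   # total function 1 .. n → D
V = "c"                                        # v ∈ ran(f)
assert set(F) == set(range(1, N + 1)) and V in F.values()


@dataclass(frozen=True)
class State:
    """Concrete variables of m_1a / m_1b."""
    i: int
    j: int


def initialisation() -> State:
    return State(i=1, j=0)               # act1: i := 1, act2: j := 0


def progress_enabled(s: State) -> bool:
    # grd1: f(j + 1) ≠ v.  f(j + 1) is well defined because inv1 gives
    # j ∈ 0 .. n − 1, so j + 1 ∈ dom(f); Python would raise KeyError otherwise.
    return F[s.j + 1] != V


def progress(s: State) -> State:
    return State(i=s.i, j=s.j + 1)       # act1: j := j + 1 (convergent event)


def search_enabled(s: State) -> bool:
    return F[s.j + 1] == V               # grd1: f(j + 1) = v


def search_witness(s: State) -> int:
    # with k : j + 1 = k.  search/k/WFIS asks ∃k · j + 1 = k; the witness
    # is the value itself, so one exists in every state the guard admits.
    return s.j + 1


def numeric_variant(s: State) -> int:
    return N - s.j                       # m_1a: variant n − j


def set_variant(s: State) -> FrozenSet[int]:
    return frozenset(range(s.j, N + 1))  # m_1b: variant j .. n


def trace_progress() -> List[State]:
    """Fire `progress` from initialisation while its guard holds; return the
    visited states.  In the last one `search` is enabled (v ∈ ran(f) stops
    the loop before j + 1 could leave dom(f))."""
    s = initialisation()
    states = [s]
    while progress_enabled(s):
        s = progress(s)
        states.append(s)
    return states


def check_numeric_variant(variant: Callable[[State], int],
                          states: List[State]) -> Tuple[bool, bool]:
    """(NAT, VAR) for a numeric variant over one trace: the variant is a
    natural number in every state, and every `progress` step strictly
    decreases it (n(w′) < n(w))."""
    nat = all(variant(s) >= 0 for s in states)
    var = all(variant(b) < variant(a) for a, b in zip(states, states[1:]))
    return nat, var


def check_set_variant(variant: Callable[[State], FrozenSet[int]],
                      states: List[State]) -> bool:
    """VAR for a set variant over one trace: every `progress` step makes the
    variant a strict subset of its previous value (t(w′) ⊂ t(w))."""
    return all(variant(b) < variant(a) for a, b in zip(states, states[1:]))


if __name__ == "__main__":
    states = trace_progress()
    print("trace:", [(s.i, s.j) for s in states])
    print("m_1a NAT/VAR:", check_numeric_variant(numeric_variant, states))
    print("m_1b VAR:", check_set_variant(set_variant, states))
    print("search witness k =", search_witness(states[-1]))
    # A variant that grows with j satisfies NAT but fails VAR: this is the
    # mistake the progress/VAR obligation refuses to discharge.
    print("bad variant j:", check_numeric_variant(lambda s: s.j, states))
```

The check functions take the variant as a parameter so a candidate variant can be tried on a trace before it is written into the machine. The lookup `F[s.j + 1]` is where a missing well-definedness condition would surface at run time as a KeyError; that is the concern of the WD obligations, not of VAR.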
Purpose of a Context Theorem PO (THM)
Ensuring that a proposed context theorem is indeed provable
Theorems are important in that they might simplify some proofs
For a theorem “thm” in a context, the name of this PO is: thm/THM
Formal Definition of the Context Theorem PO (THM)
    context ctx
    extends . . .
    sets s
    constants c
    axioms
        A(s, c)
        . . .
        thm : P(s, c)
        . . .
    end

    s : seen sets
    c : seen constants
    A(s, c) : seen axioms and previous theorems
    P(s, c) : specific theorem

thm/THM:
    Axioms
    ⊢
    Theorem

    A(s, c)
    ⊢
    P(s, c)
Example in Context ctx_0 (THM)
    context ctx_0
    sets D
    constants n f v
    axioms
        axm1 : n ∈ ℕ
        axm2 : f ∈ 1 .. n → D
        axm3 : v ∈ ran(f)
        thm1 : n ∈ ℕ1
    end

One theorem PO is generated: thm1/THM
Proof Obligation thm1/THM
    axm1   n ∈ ℕ
    axm2   f ∈ 1 .. n → D
    axm3   v ∈ ran(f)
    ⊢
    thm1   n ∈ ℕ1
Purpose of a Machine Theorem PO (THM)
Ensuring that a proposed machine theorem is indeed provable
Theorems are important in that they might simplify some proofs
For a theorem “thm” in a machine, the name of this PO is: thm/THM
Formal Definition of the Machine Theorem PO (THM)
    machine m0
    refines . . .
    sees . . .
    variables v
    invariants
        I(s, c, v)
        . . .
        thm : P(s, c, v)
        . . .
    events
        . . .
    end

    s : seen sets
    c : seen constants
    v : variables
    A(s, c) : seen axioms
    I(s, c, v) : invariants and previous thms.
    P(s, c, v) : specific theorem

thm/THM:
    Axioms
    Invariants
    ⊢
    Theorem

    A(s, c)
    I(s, c, v)
    ⊢
    P(s, c, v)
Example in Mch m_1a Refining Mch m_0a (THM)
    machine m_1a
    refines m_0a
    sees ctx_0
    variables i j
    invariants
        inv1 : j ∈ 0 .. n − 1
        inv2 : v ∉ f[1 .. j]
        thm1 : v ∈ f[j + 1 .. n]
    variant n − j
    events
        . . .
    end

Among others, one theorem PO is generated: thm1/THM
Proof Obligation thm1/THM
    axm1            n ∈ ℕ
    axm2            f ∈ 1 .. n → D
    axm3            v ∈ ran(f)
    thm1 of ctx_0   n ∈ ℕ1
    inv1 (abstract) i ∈ 1 .. n
    inv1 (concrete) j ∈ 0 .. n − 1
    inv2 (concrete) v ∉ f[1 .. j]
    ⊢
    thm1 of m_1a    v ∈ f[j + 1 .. n]
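The two theorem POs of the examples, thm1/THM in ctx_0 and thm1/THM in m_1a, carried through as an added derivation in the notation of these slides (the proofs are not part of the original deck); each step names the hypothesis or definition it uses.

thm1/THM in ctx_0:    n ∈ ℕ,  f ∈ 1 .. n → D,  v ∈ ran(f)  ⊢  n ∈ ℕ1

    1. v ∈ ran(f)                                  axm3
    2. ∃k · k ∈ dom(f) ∧ f(k) = v                  definition of ran, from 1
    3. dom(f) = 1 .. n                             axm2 (f is a total function on 1 .. n)
    4. 1 .. n ≠ ∅                                  from 2 and 3
    5. 1 ≤ n                                       1 .. n ≠ ∅ holds exactly when 1 ≤ n
    6. n ∈ ℕ1                                      from axm1 and 5 (ℕ1 = {x | x ∈ ℕ ∧ x ≥ 1})

thm1/THM in m_1a:    . . ., f ∈ 1 .. n → D, v ∈ ran(f), j ∈ 0 .. n − 1, v ∉ f[1 .. j]  ⊢  v ∈ f[j + 1 .. n]

    1. ran(f) = f[dom(f)] = f[1 .. n]              axm2, definition of ran and of relational image
    2. 1 .. n = (1 .. j) ∪ (j + 1 .. n)            inv1 (concrete): 0 ≤ j ≤ n − 1
    3. f[1 .. n] = f[1 .. j] ∪ f[j + 1 .. n]       image distributes over ∪, from 2
    4. v ∈ f[1 .. j] ∪ f[j + 1 .. n]               axm3 with 1 and 3
    5. v ∉ f[1 .. j]                               inv2 (concrete)
    6. v ∈ f[j + 1 .. n]                           from 4 and 5

The second proof is why the slide lists inv1 and inv2 of m_1a among the hypotheses: without j ∈ 0 .. n − 1 the split of 1 .. n in step 2 is not available, and without v ∉ f[1 .. j] step 6 cannot eliminate the left disjunct.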
Purpose of a Well-definedness PO (WD)
Ensuring that a potentially ill-defined axiom, theorem, invariant, guard, action, variant, or witness is indeed well-defined
For a given modeling element (axm, thm, inv, grd, act), or a variant, or a witness x in an event evt, the names are:
axm/WD, thm/WD, inv/WD, grd/WD, act/WD, VWD, evt/x/WWD
Formal Definition of the Well-definedness PO (WD)
It depends on the potentially ill-defined expression

    Expression                      Well-definedness condition
    inter(S)                        S ≠ ∅
    ⋂x · x ∈ S ∧ P(x) | T(x)        ∃x · x ∈ S ∧ P(x)
    f(E)                            f is a partial function ∧ E ∈ dom(f)
    E / F                           F ≠ 0
    E mod F                         F ≠ 0
    card(S)                         finite(S)
    min(S)                          S ⊆ ℤ ∧ ∃x · x ∈ ℤ ∧ (∀n · n ∈ S ⇒ x ≤ n)
    max(S)                          S ⊆ ℤ ∧ ∃x · x ∈ ℤ ∧ (∀n · n ∈ S ⇒ x ≥ n)
Examples in Machine m_0a (WD)
    context ctx_0
    sets D
    constants n, f, v
    axioms
        axm1 : n ∈ ℕ
        axm2 : f ∈ 1 .. n → D
        axm3 : v ∈ ran(f)
        thm1 : n ∈ ℕ1
    end

    machine m_0a
    sees ctx_0
    variables i
    invariants
        inv1 : i ∈ 1 .. n
    events
        initialisation ≙
            status ordinary
            then
                act1 : i := 1
            end
        search ≙
            status ordinary
            any k where
                grd1 : k ∈ 1 .. n
                grd2 : f(k) = v
            then
                act1 : i := k
            end
    end

- One well-definedness PO is generated:
- search/grd2/WD
Proof Obligation search/grd2/WD
    axm1   n ∈ ℕ
    axm2   f ∈ 1 .. n → D
    axm3   v ∈ ran(f)
    thm1   n ∈ ℕ1
    inv1   i ∈ 1 .. n
    grd1   k ∈ 1 .. n
    ⊢
    WD conditions for grd2:   k ∈ dom(f) ∧ f ∈ ℤ ⇸ D
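The generator below is an added example written for this page, not Rodin's proof obligation generator: it walks a small tuple-based expression syntax (an assumption of the example, not Rodin's abstract syntax) and emits the WD conditions of the table above, so that nested partial operators such as f(k) ÷ card(S) collect every side condition. Applied to grd2 of search in m_0a it yields the goal of search/grd2/WD, with the partial-function condition written as text rather than as f ∈ ℤ ⇸ D.

```python
"""Added example: derive well-definedness (WD) side conditions for an
expression tree, following the table of WD conditions for partial operators."""

from typing import List, Tuple, Union

Expr = Union[str, Tuple]   # atom (variable / constant name) or (op, arg, ...)

_INFIX = {"div": "÷", "mod": "mod", "eq": "=", "neq": "≠", "in": "∈",
          "plus": "+", "minus": "−"}


def render(e: Expr) -> str:
    """Pretty-print an expression in Event-B-like notation."""
    if isinstance(e, str):
        return e
    op, *args = e
    if op == "apply":                     # f(E)
        return f"{render(args[0])}({render(args[1])})"
    if op in _INFIX:                      # E / F, E mod F, predicates
        return f"{render(args[0])} {_INFIX[op]} {render(args[1])}"
    if op in ("card", "min", "max", "inter"):
        return f"{op}({render(args[0])})"
    raise ValueError(f"unknown operator {op!r}")


def wd(e: Expr) -> List[str]:
    """WD conditions of e, sub-expressions first, duplicates removed."""
    if isinstance(e, str):
        return []                         # atoms are always well defined
    op, *args = e
    conds: List[str] = []
    for a in args:                        # conditions of nested expressions
        conds.extend(wd(a))
    if op == "apply":                     # f(E): E ∈ dom(f) and f partial function
        f, x = args
        conds.append(f"{render(x)} ∈ dom({render(f)})")
        conds.append(f"{render(f)} is a partial function")
    elif op in ("div", "mod"):            # E / F, E mod F: F ≠ 0
        conds.append(f"{render(args[1])} ≠ 0")
    elif op == "card":                    # card(S): finite(S)
        conds.append(f"finite({render(args[0])})")
    elif op == "inter":                   # inter(S): S ≠ ∅
        conds.append(f"{render(args[0])} ≠ ∅")
    elif op in ("min", "max"):            # min/max(S): S ⊆ ℤ and bounded
        s, rel = render(args[0]), ("≤" if op == "min" else "≥")
        conds.append(f"{s} ⊆ ℤ")
        conds.append(f"∃x · x ∈ ℤ ∧ (∀n · n ∈ {s} ⇒ x {rel} n)")
    return list(dict.fromkeys(conds))     # dedupe, keep first occurrence


def wd_po(name: str, hyps: List[str], e: Expr) -> Tuple[str, List[str], str]:
    """Build the WD proof obligation (name, hypotheses ⊢ goal) for element e;
    an element without partial operators gets the trivial goal ⊤."""
    conds = wd(e)
    return name, hyps, (" ∧ ".join(conds) if conds else "⊤")


if __name__ == "__main__":
    # grd2 of event search in m_0a: f(k) = v
    grd2 = ("eq", ("apply", "f", "k"), "v")
    name, hyps, goal = wd_po("search/grd2/WD", ["k ∈ 1 .. n"], grd2)
    print(name, ":", ", ".join(hyps), "⊢", goal)
    # Nested partial operators: f(k) ÷ card(S) needs four conditions.
    print(wd(("div", ("apply", "f", "k"), ("card", "S"))))
```

Conditions are emitted innermost first because that is the order in which they must hold: card(S) ≠ 0 only makes sense once finite(S) makes card(S) well defined. The same ordering is what lets an operator in a hypothesis discharge the WD of a later one, as grd1 (k ∈ 1 .. n) does for grd2 in the PO above.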
Grd Strengthening when Merging Abs Events (MRG)
    evt01
    any x where
        G1(x, s, c, v)
    then
        A
    end

    evt02
    any x where
        G2(x, s, c, v)
    then
        A
    end

    evt
    refines evt01 evt02
    any x where
        H(x, s, c, v)
    then
        A
    end

evt/MRG:
    Axioms and theorems
    Abstract invariants and theorems
    Concrete event guards
    ⊢
    Disjunction of abstract guards

    A(s, c)
    I(s, c, v)
    H(x, s, c, v)
    ⊢
    G1(x, s, c, v) ∨ G2(x, s, c, v)
Summary of all POs of the Examples (1)
Context ctx_0
thm1/THM
Machine m_0a
initialisation/inv1/INV
search/grd2/WD
search/inv1/INV
Machine m_0b
initialisation/inv1/INV
search/inv1/INV
search/act1/WD
search/act1/FIS
Summary of all POs of the Examples (2)
Machine m_1a
thm1/THM
initialisation/inv1/INV
initialisation/inv2/INV
search/grd1/WD
search/k/WFIS
search/grd1/GRD
search/grd2/GRD
search/act1/SIM
progress/grd1/WD
progress/inv1/INV
progress/inv2/INV
progress/VAR
progress/NAT
Summary of all POs of the Examples (3)
Machine m_1b
thm1/THM
FIN
initialisation/inv1/INV
initialisation/inv2/INV
search/grd1/WD
search/act1/SIM
progress/grd1/WD
progress/inv1/INV
progress/inv2/INV
progress/VAR