CSC 4504 : Langages formels et applications (La méthode Event-B) J Paul Gibson, A207 paul.gibson@it-sudparis.eu http://www-public.it-sudparis.eu/~gibson/Teaching/Event-B/ Proof http://www-public.it-sudparis.eu/~gibson/Teaching/Event-B/Proof.pdf Thanks to Jean-Raymond Abrial 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Language of Predicates 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Language of Predicates: Classical Results 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Language of Predicates: Classical Results 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Language of Predicates: Classical Results 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Language of Predicates: Classical Results 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Language of Predicates: Classical Results 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Language of Predicates: Refining the language 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Predicates & Expressions A Predicate is a formal text that can be PROVED An Expression DENOTES AN OBJECT. A Predicate denotes NOTHING. An Expression CANNOT BE PROVED Predicates and Expressions are INCOMPATIBLE. 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications VARIABLES, PROPOSITIONS AND PREDICATES 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications WHAT CAN WE DO WITH A PREDICATE ? 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications SUBSTITUTION 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications UNIVERSAL QUANTIFICATION 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Well-formedness Each occurrence of an identifier in a formula (that is a predicate or an expression) can be either free or bound. Intuitively, a free occurrence of an identifier refers to a declaration of that identifier in a scope outside of the formula, while a bound occurrence corresponds to a local declaration introduced by a quantifier in the formula itself. For a formula to be considered well-formed, we ask that, beyond being syntactically correct, it also satisfies the two following conditions: 1. Any identifier that occurs in the formula, should have only free occurrences or bound occurrences, but not both. 2. Any identifier that occurs bound in the formula, should be bound in exactly one place (i.e., by only one quantifier). 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Well-formedness: checking automatically There are pages of rules for checking this on the abstract syntax of Event-B expressions. For example: 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Type Checking Type checking consists of checking, statically, that a formula is meaningful in a certain context. For that, we associate a type with each expression that occurs in a formula. This type is the set of all values that the expression can take. Then, we check that the formula abides by some type checking rules. Those rules enforce that the operators used can be meaningful. Unfortunately, type checking, as it is a static check, cannot by itself prove that a formula is meaningful. For some operators, like integer division, we will also need to check some additional dynamic constraints (e.g., that the denominator is not zero). 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Type Checking A type denotes the set of values that an expression can take. Moreover, we want this set to be derived statically, based on the form of the expression and the context in which it appears. As a consequence, a type can take one of the three following forms: 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Type Checking A type variable is a meta-variable that can denote any type. We shall use lowercase Greek letters to denote type variables. A typing environment represents the context in which a formula is to be type checked. A typing environment is a partial function from the set of all identifiers to the set of all possible types. For instance, the typing environment 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Type Checking - Rules There are pages of rules for checking this on the abstract syntax of Event-B expressions. For example: 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Type Checking – Rules (Example) 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Dynamic Checking Static checks are not enough to ensure that a formula is meaningful. For instance, expression x÷y passes all the static checks described above, nevertheless it is meaningless if y is zero. The aim of dynamic checking is to detect these kind of meaningless formulas. This is done by generating (and then proving) some well-definedness lemma. 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Dynamic Checking (Well-definedness WD) WD lemmas for predicates 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Dynamic Checking (Well-definedness WD) WD lemmas for binary and unary expressions 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Dynamic Checking (Well-definedness WD) WD lemmas for other expressions 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Inference Rules: for (automated) reasoning “Ich wollte zunächst einmal einen Formalismus aufstellen, der dem wirklichen Schließen möglichst nahe kommt. So ergab sich ein „Kalkül des natürlichen Schließens”. (“First I wished to construct a formalism that comes as close as possible to actual reasoning. Thus arose a "calculus of natural deduction".) — Gentzen, Untersuchungen über das logische Schließen (Mathematische Zeitschrift 39, pp.176-210, 1935) 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Inference Rules: for (automated) reasoning Antécédent nom Conséquent Tabular Notation 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Inference Rules: for (automated) reasoning 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Inference Rules: for (automated) reasoning Les règles d’inférence pour ^ 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Inference Rules: for (automated) reasoning Les règles d’inférence pour ^ 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Inference Rules: for (automated) reasoning Les règles d’inférence pour ¬ règles de contradiction ( “reductio ad absurdum”) 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Inference Rules: for (automated) reasoning Une preuve ( à la main) 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Principe général d’un prouveur de prédicats • On procède par induction sur la syntaxe du but P d’un séquent HYP |- P. règles appliqué en arrière (backward). • On ne monte en hypothèse (utilisation de DED) que des – prédicats simples (pas de ^, =>, . . .) ou – prédicats quantifiés universellement (∀) et normalisés • on s’arrête avec un axiome ou sur HYP |- FAUX en cherchant une contradiction dans les hypothèses. • sinon on relance une preuve en cherchant de nouvelles instanciations pour les variables des prédicats quantifiés (filtre + unification). 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Règles d’un prouveur de prédicats (génériques) opération générique 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Règles d’un prouveur de prédicats (^) générique Instantiation with /\ 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Règles d’un prouveur de prédicats (=>) générique => Tactique gagnante: On utilise =>4 en dernier 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Règles d’un prouveur de prédicats (not) générique 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Règles d’un prouveur de prédicats (les axioms) 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Les prédicats quantifiés 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Event-B is heavily influenced by Floyd-Hoare logic FloydHoare Logic is a method of reasoning mathematically about imperative programs. It is the basis of most mechanized program verification systems Tony Hoare introduced the notation {P} C {Q}, called a partial correctness specification for specifying what a program does, where: C is a program (code) from the programming language whose programs are being specified P and Q are conditions on the program variables used in C 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Meaning of Hoare's Notation {P} C {Q} is true if whenever C is executed in a state satisfying P and if the execution of C terminates then the state in which C terminates satisfies Q Example: {X = 1} X := X + 1 {X = 2} P is the condition that the value of X is 1 Q is the condition that the value of X is 2 C is the assignment command X := X + 1 (i.e. `X becomes X + 1') {X = 1} X := X + 1 {X = 2} is clearly true {X = 1} X := X + 1 {X = 3} is clearly false BE CAREUL with partial correctness: {X = 1} WHILE true do skip {Y=3} is true 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Total Correctness Informally: Total correctness = Termination + Partial correctness Total correctness is the ultimate goal It is usually easier to show partial correctness and termination separately Termination is usually straightforward to show, but there are examples where it is not, e.g.: no one knows whether the program below terminates for all values of X WHILE X > 1 DO IF ODD(X) THEN X := (3 × X) + 1 ELSE X := X DIV 2 Where the expression X DIV 2 evaluates to the result of rounding down X/2 to a whole number 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Specification can be Tricky "The program must set Y to the maximum of X and Y" [True] C [Y = max(X, Y)] A suitable program (C)?: IF X >= Y THEN Y := X ELSE SKIP Another? IF X >= Y THEN X := Y ELSE SKIP Or even? Y := X WARNING: Later we will be able to prove that all these programs are "correct" WHY?: The postcondition "Y = max(X, Y)" says "Y is the maximum of X and Y in the final state" 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications SKIP: possibly the simplest axiomatisation Syntax: SKIP Semantics: the state is unchanged The SKIP Axiom : |- {P} SKIP {P} It is an axiom schema P can be instantiated with arbitrary predicate calculus formulae (statements) Instances of the SKIP axiom are: |- {Y = 2} SKIP {Y = 2} |- {True} SKIP {True} |- {R = X + (Y × Q)} SKIP {R = X + (Y ×Q)} 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Substitution Notation and assignment axiom: the most difficult axiomatisation Define P [E/V ] to mean the result of replacing all occurrences of V in P by E read P [E/V ] as `P with E for V ' for example: (X + 1 > X)[Y + Z/X] = ((Y + Z) + 1 > Y + Z) Think of this notation as the `cancellation law': V [E/V ] = E which is analogous to the cancellation property of fractions: v × (e/v) = e The Assignment Axiom |- {P [E/V ]} V := E {P} Where V is any variable, E is any expression, P is any statement and the notation P [E/V ] denotes the result of substituting the term E for all occurrences of the variable V in the statement P . Example: |- {X + 1 = n + 1} X := X + 1 {X = n + 1} |- can be proven 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Precondition Strengthening is a typical development step Recall that |- S 1 , . . . , |- Sn |-S means |- S can be deduced from |- S 1 , . . . , |- Sn Using this notation, the rule of precondition strengthening is: |- P => P’ , |-{P’} C {Q} |- {P} C {Q} 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Postcondition Weakening Just as the previous rule allows the precondition of a partial correctness specification to be strengthened, the following one allows us to weaken the postcondition: |- {P} C {Q’}, |- Q’ => Q |- {P} C {Q} The rules precondition strengthening and postcondition weakening are sometimes called the rules of consequence 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Existential Quantification 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Comparing the Quantification Rules 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Classical Results 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Classical Results 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Refining our Language: Equality (with classical results) 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Refining our Language: Set Theory 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Basic Set Operator Memberships (Axioms) 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Set Inclusion and Extensionality Axiom 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Classical Results with Relation Operators Relations (like r, q and p) between Sets (like S) containing elements (like a and b) 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Applying a Function 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Invariant Preservation 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Invariant Preservation 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Invariant Preservation 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Invariant Preservation: the rules 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Invariant Preservation: the rules 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Invariant Preservation: the rules 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Deadlock Freedom 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Event interpretation for refinement proofs The execution of this event is enabled whenever there exist some values x and y such that the guard P is true, then z is assigned x+y 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Event interpretation – Example This event is always enabled (there always exists a natural number x > 10) The result of the event is that z is assigned an arbitrary natural number greater than 10. The event is equivalet to 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Refinement is used to transform an abstract machine into a concrete machine which does the same computation, but possibly using a different data structure and/or different internal execution can be refined (possibly) into Also if in the abstract machine we have a nondeterministic event, then this could be refined into a deterministic one in the concrete machines : 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Names of context proof obligations: 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Names of machine proof obligations: 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Names of refinement proof obligations: 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Names of variant proof obligations: 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Names of Witness proof obligations: 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Names of Deadlock Freeness proof obligations: At the moment, the deadlock freeness proof obligation generation is incomplete. If you need it, you can generate it yourself as a theorem saying the the disjunction of the abstract guards imply the disjunction of the concrete guards. 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications The Automatic Post-tactic: Rewrite rules The following rewrite rules are applied automatically in a systematic fashion from left to right either in the goal or in the selected hypotheses. 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications The Automatic Post-tactic: Rewrite rules 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications The Automatic Post-tactic: Rewrite rules 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications The Automatic Post-tactic: Rewrite rules 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications The Automatic Post-tactic: Rewrite rules 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications The Automatic Post-tactic: Rewrite rules 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications The Automatic Post-tactic: Rewrite rules 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications The Automatic Post-tactic: Rewrite rules 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Automatic inference rules The following inference rules are applied automatically in a systematic fashion at the end of each proof step. They have the following possible effects: • they discharge the goal, • they simplify the goal and add a selected hypothesis, • they simplify the goal by decomposing it into several simpler goals, • they simplify a selected hypothesis, • they simplify a selected hypothesis by decomposing it into several simpler selected hypotheses. 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Automatic inference rules 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Automatic inference rules 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Automatic inference rules 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Automatic inference rules 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Automatic inference rules 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Preferences for the Auto-prover The auto-prover can be configured by means of a preference page, which can be obtained as follows: press the ”Window” button on the top tooolbar. On the coming menu, press the ”Preferences” button. On the coming menu, press the ”Event-B” menue, then the ”Sequent Prover’, and finally the ”Auto-Tactic” button. This yields the following window: 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Interactive inference rules: through the red buttons in prover window 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Interactive inference rules: through the red buttons in prover window … many more 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications
T&MSP-CSC 4504 : Langages formels et applications Interactive inference rules: through the red buttons in prover window 2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications