“B is a method for specifying, designing, and coding software systems.” J.R. Abrial, The B-Book, Cambridge University Press
B4free
Exercise 1.7 A car park has 640 parking spaces. Give an abstract machine which specifies a system to control cars entering the car park. It should keep track of the cars currently in the car park, and should provide 3 operations:
– Enter, which records the entry of a new car. This should occur only when the car park is not full;
– Leave, which records the exit of a car from the car park;
– Query, which outputs the number of cars currently in the car park.
MACHINE CarPark
VARIABLES contents
INVARIANT contents : NAT & contents <= 640
INITIALIZATION contents := 0
OPERATIONS
  enter = PRE contents < 640 THEN contents := contents + 1 END;
  leave = PRE contents > 0 THEN contents := contents - 1 END;
  nn <-- query = PRE true THEN nn := contents END
END
houseset, magazine := {}, {}
Substitutions The substitution [x := E]P replaces every free occurrence of the variable x in the predicate P by the expression E. It is read as "P with E for x".
If the variable being substituted does not occur free anywhere in the predicate (in particular, if every occurrence of it is bound by a quantifier) then the predicate is left unchanged.
Renaming bound variables to avoid variable capture If a variable bound by a quantifier in the predicate occurs free in E, that bound variable is first renamed to a fresh name, so that the free occurrence in E is not captured by the quantifier when E is substituted.
Self test
The state space of a machine is the set of all possible states the machine can be in.
See Page 26 of the B-method.
P is a predicate which describes a set of states that may be reached after the performance of statement S. P is referred to as the post condition of S. The notation [S]P denotes a predicate which is true of exactly those initial states from which S is guaranteed to achieve P; it is the weakest precondition of S with respect to P.
See Page 27 of the B-method.
[hh := min(houseset)](!hh.(hh:houseset => hh < 163)) = !hh.(hh:houseset => hh < 163)
Every occurrence of hh in the predicate is bound by the quantifier, so there is no free hh to replace and the predicate is unchanged.
An assignment to one element of a function a is an override of a: [a(i) := E]P = [a := a <+ {i |-> E}]P. Hence
[a(4) := 7](a : NAT1 >+> NAT)
= (a <+ {4 |-> 7} : NAT1 >+> NAT)
= ({4} <<| a : NAT1 >+> NAT & 7 /: ran({4} <<| a))
The overridden function is still a partial injection exactly when a with 4 removed from its domain is a partial injection and the new value 7 is not already in its range.
Other Constructs
[IF E THEN S ELSE T END]P = (E & [S]P) or (not(E) & [T]P)
Equivalently, since exactly one of E and not(E) holds:
[IF E THEN S ELSE T END]P = (E => [S]P) & (not(E) => [T]P)
Worked example:
[IF x<5 THEN x:=x+4 ELSE x:=x-3 END](x<7)
= (x<5 & [x:=x+4](x<7)) or (not(x<5) & [x:=x-3](x<7))
= (x<5 & x+4<7) or (x>=5 & x-3<7)
= (x<5 & x<3) or (x>=5 & x<10)
= x<3 or (5<=x & x<10)
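The following is an added example, not code from the slides or from the B-Book: a small weakest-precondition calculator for a fragment of B's substitutions, written to show how [S]P is computed by syntactic substitution, how the IF law above and the worked example are obtained mechanically, why the bound hh in [hh := min(houseset)](!hh.(...)) is left alone, why a bound variable must be renamed to avoid capture, and how the CarPark proof obligation I & PRE => [enter]I is discharged for every value of contents. The term encoding (nested tuples), the finite approximation of NAT and the finite universe used to evaluate quantifiers are assumptions of this model.

```python
"""Added example (not from the slides or from the B-Book): a tiny weakest-precondition
calculator for a fragment of B's substitutions, with the slides' examples as checks."""
import itertools

# Terms are nested tuples (an encoding assumed for this example):
#   ('var', 'x')  ('num', 7)  ('set', frozenset(...))  ('not', p)  ('min', s)
#   ('forall', 'v', p) meaning !v.(p)
#   (op, a, b) with op one of  + - < <= > >= = /= : & or =>
def V(name): return ('var', name)
def N(value): return ('num', value)

def free_vars(t):
    """Free variables of a term; a quantifier binds (removes) its variable."""
    kind = t[0]
    if kind == 'var': return {t[1]}
    if kind in ('num', 'set'): return set()
    if kind == 'forall': return free_vars(t[2]) - {t[1]}
    return set().union(*(free_vars(a) for a in t[1:]))

_fresh = itertools.count(1)

def subst(t, x, e):
    """[x := e]t: replace the free occurrences of x in t by e."""
    kind = t[0]
    if kind == 'var': return e if t[1] == x else t
    if kind in ('num', 'set'): return t
    if kind == 'forall':
        v, body = t[1], t[2]
        if v == x:               # x is bound here, so it has no free occurrence: unchanged
            return t
        if v in free_vars(e):    # rename the bound variable so the free v in e is not captured
            fresh = f"{v}_{next(_fresh)}"
            body, v = subst(body, v, V(fresh)), fresh
        return ('forall', v, subst(body, x, e))
    return (kind,) + tuple(subst(a, x, e) for a in t[1:])

# Statements: ('assign', 'x', e)  ('if', cond, S, T)  ('seq', S, T)
def wp(S, P):
    """[S]P by the B laws: assignment is substitution, IF splits on its guard."""
    kind = S[0]
    if kind == 'assign': return subst(P, S[1], S[2])
    if kind == 'seq': return wp(S[1], wp(S[2], P))
    if kind == 'if':
        cond, T1, T2 = S[1], S[2], S[3]
        return ('or', ('&', cond, wp(T1, P)), ('&', ('not', cond), wp(T2, P)))
    raise ValueError(f"unknown statement {S!r}")

BIN = {'+': lambda a, b: a + b, '-': lambda a, b: a - b,
       '<': lambda a, b: a < b, '<=': lambda a, b: a <= b,
       '>': lambda a, b: a > b, '>=': lambda a, b: a >= b,
       '=': lambda a, b: a == b, '/=': lambda a, b: a != b,
       ':': lambda a, b: a in b, '&': lambda a, b: a and b,
       'or': lambda a, b: a or b, '=>': lambda a, b: (not a) or b}

def ev(t, env, universe=range(-20, 700)):
    """Evaluate a term in an environment; !v.(p) ranges over a finite universe (assumption)."""
    kind = t[0]
    if kind == 'var': return env[t[1]]
    if kind in ('num', 'set'): return t[1]
    if kind == 'not': return not ev(t[1], env, universe)
    if kind == 'min': return min(ev(t[1], env, universe))
    if kind == 'forall':
        return all(ev(t[2], {**env, t[1]: val}, universe) for val in universe)
    return BIN[kind](ev(t[1], env, universe), ev(t[2], env, universe))

# 1. The IF example: [IF x<5 THEN x:=x+4 ELSE x:=x-3 END](x<7) must equal x<3 or (5<=x & x<10)
IF_STMT = ('if', ('<', V('x'), N(5)),
           ('assign', 'x', ('+', V('x'), N(4))),
           ('assign', 'x', ('-', V('x'), N(3))))

def if_example_agrees():
    P = wp(IF_STMT, ('<', V('x'), N(7)))
    return all(ev(P, {'x': x}) == (x < 3 or 5 <= x < 10) for x in range(-50, 50))

# 2. [hh := min(houseset)](!hh.(hh:houseset => hh<163)): hh is bound, nothing changes
FORALL_HH = ('forall', 'hh', ('=>', (':', V('hh'), V('houseset')), ('<', V('hh'), N(163))))

def bound_variable_untouched():
    return subst(FORALL_HH, 'hh', ('min', V('houseset'))) == FORALL_HH

# 3. Capture: [x := y+1](!y.(y<x)) must rename the bound y, or the free y of y+1 is captured
def capture_avoided():
    result = subst(('forall', 'y', ('<', V('y'), V('x'))), 'x', ('+', V('y'), N(1)))
    return result[1] != 'y' and free_vars(result) == {'y'}

# 4. CarPark obligation for enter: I & PRE => [contents := contents+1]I for every contents.
#    NAT is approximated by a finite set, an assumption of this model.
NAT = ('set', frozenset(range(0, 10000)))
CARPARK_I = ('&', (':', V('contents'), NAT), ('<=', V('contents'), N(640)))

def carpark_enter_po_holds():
    pre = ('<', V('contents'), N(640))
    enter = ('assign', 'contents', ('+', V('contents'), N(1)))
    po = ('=>', ('&', CARPARK_I, pre), wp(enter, CARPARK_I))
    return all(ev(po, {'contents': c}) for c in range(-5, 700))
```

Calling wp on the IF statement yields exactly the first line of the derivation above; the remaining lines are what ev computes pointwise, which is why if_example_agrees compares the computed predicate with the simplified one on every integer in a range rather than by syntactic equality.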
Exercise 5.1 (page 67 of “the b-method”) What are the proof obligations associated with the constraints of the machine below? Are they consistent?

MACHINE Info(ITEM, sample, num)
CONSTRAINTS sample : ITEM & num : NAT & num > card(ITEM)
CONSTANTS storage
PROPERTIES storage : NAT1 & storage <= num
VARIABLES current, next, previous
INVARIANT current <: ITEM & next : ITEM & previous : ITEM & next /= previous

Proof obligation associated with the constraints: it must be possible to instantiate the parameters at all (ITEM /= {} is included because a set parameter is taken to be non-empty).
# ITEM, sample, num.( ITEM /= {} & sample : ITEM & num : NAT & num > card(ITEM) )

Proof obligation associated with the properties: it must be possible to find appropriate SETS and CONSTANTS.
(ITEM /= {} & sample : ITEM & num : NAT & num > card(ITEM)) => # storage.( storage : NAT1 & storage <= num )

Proof obligation associated with the invariant: when all the parameters and constants are set, it must be possible for the machine to have variables that satisfy the invariant.
(ITEM /= {} & sample : ITEM & num : NAT & num > card(ITEM) & storage : NAT1 & storage <= num) => # current, next, previous.( current <: ITEM & next : ITEM & previous : ITEM & next /= previous )

What if ITEM = {a}? Then next : ITEM and previous : ITEM force next = previous = a, so next /= previous cannot hold: the invariant is unsatisfiable, the third obligation fails, and the machine is inconsistent for a one-element ITEM. The constraints need to demand card(ITEM) >= 2 for the invariant to be satisfiable.
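As an added illustration (not part of the slides or the book), the three consistency obligations of Info can be checked by brute force for small finite choices of ITEM, sample and num: the constraints are evaluated directly, the properties are discharged by enumerating candidate values of storage, and the invariant by searching for a witness (current, next, previous). The function names and the ordering of the checks are this example's own.

```python
"""Added example (not from the slides): brute-force check of the three consistency
proof obligations of MACHINE Info(ITEM, sample, num) for small finite parameters."""
from itertools import product

def constraints_hold(ITEM, sample, num):
    """CONSTRAINTS, with the implicit ITEM /= {} of a set parameter."""
    return len(ITEM) > 0 and sample in ITEM and num >= 0 and num > len(ITEM)

def storage_candidates(num):
    """PROPERTIES: every storage with storage : NAT1 & storage <= num."""
    return list(range(1, num + 1))

def invariant_witness(ITEM):
    """INVARIANT: find (current, next, previous) with current <: ITEM & next : ITEM
    & previous : ITEM & next /= previous; None when no such triple exists."""
    for nxt, prev in product(sorted(ITEM), repeat=2):
        if nxt != prev:
            return (frozenset(), nxt, prev)   # {} <: ITEM always holds
    return None

def first_failing_obligation(ITEM, sample, num):
    """Discharge the obligations in the order given above; return the name of the
    first that cannot be met, or None when the instantiated machine is consistent."""
    if not constraints_hold(ITEM, sample, num):
        return 'CONSTRAINTS'
    if not storage_candidates(num):
        return 'PROPERTIES'
    if invariant_witness(ITEM) is None:
        return 'INVARIANT'
    return None
```

With ITEM = {a}, sample = a and num = 2 the constraints and properties are fine but no invariant witness exists, which is the inconsistency the question points at; with ITEM = {a, b} a witness such as ({}, a, b) is found.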
Summary of Proof Obligations:
Self tests (from “the b-method”)
– Exercise 5.2 page 68
– Exercise 6.3 page 89
Completing the Laws of [S]P
Non-determinism:
Sequences