summary of event b proof obligations
play

Summary of Event-B Proof Obligations Jean-Raymond Abrial (edited by - PowerPoint PPT Presentation

Jun 04, 2023 •351 likes •1.01k views

Summary of Event-B Proof Obligations Jean-Raymond Abrial (edited by Thai Son Hoang) Department of Computer Science Swiss Federal Institute of Technology Zrich (ETH Zrich) Bucharest DEPLOY 2-day Course, 14th-16th, July, 2010 J-R. Abrial

  1. Summary of Event-B Proof Obligations Jean-Raymond Abrial (edited by Thai Son Hoang) Department of Computer Science Swiss Federal Institute of Technology Zürich (ETH Zürich) Bucharest DEPLOY 2-day Course, 14th-16th, July, 2010 J-R. Abrial (ETH-Zürich) Event-B Proof Obligations Bucharest, 14-16/07/10 1 / 65

  2. Purpose of this Presentation Prerequisite: Summary of Mathematical Notation (a quick review) 1 Summary of Event-B Notation 2 Examples developed in (2) will be used here Showing the various Event-B proof obligations (sometimes also called verification conditions) J-R. Abrial (ETH-Zürich) Event-B Proof Obligations Bucharest, 14-16/07/10 2 / 65

  3. Role of the Proof Obligation Generator The POs are automatically generated by a Rodin Platform tool called the Proof Obligation Generator This tool is run after the Static Checker (which static checks contexts or machine texts) The Proof Obligation Generator decides then what is to be proved The outcome are various sequents, which are transmitted to the provers performing automatic or interactive proofs J-R. Abrial (ETH-Zürich) Event-B Proof Obligations Bucharest, 14-16/07/10 3 / 65

  4. Summary of the Main Rodin Platform Kernel Tools The Static Checkers: lexical analyser syntactic analyser type checker The Proof Obligation Generator The Provers J-R. Abrial (ETH-Zürich) Event-B Proof Obligations Bucharest, 14-16/07/10 4 / 65

  5. Summary of the Main Rodin Platform Kernel Tools Contexts or Machines Proof Obligation Provers Static Checkers Generator Errors Proofs Proofs which cannot be done help improving the model J-R. Abrial (ETH-Zürich) Event-B Proof Obligations Bucharest, 14-16/07/10 5 / 65

  6. Various Kinds of Proof Obligations Invariant preservation (initial model) (INV slide 9) Non-deterministic action feasibility (FIS slide 14) Guard strengthening in a refinement (GRD slide 18) Invariant preservation in a refinement (INV slide 22) Simulation (SIM slide 26) Numeric variant (NAT slide 30) Set variant (FIN slide 34) J-R. Abrial (ETH-Zürich) Event-B Proof Obligations Bucharest, 14-16/07/10 6 / 65

  7. Various Kinds of Proof Obligations (cont’d) Variant decreasing (VAR slide 38) Feasibility of a non-deterministic witness (WFIS slide 46) Proving theorems (THM slide 50) Well-definedness (WD slide 58) Guard strengthening when merging abstract events (MRG slide 62) J-R. Abrial (ETH-Zürich) Event-B Proof Obligations Bucharest, 14-16/07/10 7 / 65

  8. Outline of each Proof Obligation Purpose and naming Formal definition Where generated in the “search” example Application to the example J-R. Abrial (ETH-Zürich) Event-B Proof Obligations Bucharest, 14-16/07/10 8 / 65

  9. Purpose of Invariant Preservation PO (INV) (for Initial Model) Ensuring that each invariant is preserved by each event. For an event “evt” and an invariant “inv” the name of this PO is: evt/inv/INV J-R. Abrial (ETH-Zürich) Event-B Proof Obligations Bucharest, 14-16/07/10 9 / 65

  10. Formal Definition of Invariant Preservation (INV) (for Initial Model) s : seen sets c : seen constants evt v : variables any x where A ( s , c ) : seen axioms G ( x , s , c , v ) I ( s , c , v ) : invariants then evt : specific event v : | BAP ( x , s , c , v , v ′ ) x : event parameters end G ( x , s , c , v ) : event guards BAP ( x , s , c , v , v ′ ) : event before-after predicate i ( s , c , v ′ ) : modified specific invariant Axioms A ( s , c ) Invariants I ( s , c , v ) Guards of the event evt / inv / INV G ( x , s , c , v ) Before-after predicate of the event BAP ( x , s , c , v , v ′ ) ⊢ ⊢ Modified Specific Invariant i ( s , c , v ′ ) In case of the initialization event, I ( s , c , v ) is removed from the hypotheses J-R. Abrial (ETH-Zürich) Event-B Proof Obligations Bucharest, 14-16/07/10 10 / 65

  11. Examples in Machine m_0a (INV) context = b initialisation ctx_0 status sets ordinary D then constants act1 : i := 1 n end f v axioms axm1 : n ∈ N axm2 : f ∈ 1 .. n → D search = b axm3 : v ∈ ran ( f ) status thm1 : n ∈ N 1 ordinary end any k where machine grd1 : k ∈ 1 .. n m_0a grd2 : f ( k ) = v sees then ctx_0 act1 : i := k variables end i invariants inv1 : i ∈ 1 .. n - Two invariant preservation POs are generated: events - initialisation / inv1 /INV . . . end - search / inv1 /INV J-R. Abrial (ETH-Zürich) Event-B Proof Obligations Bucharest, 14-16/07/10 11 / 65

  12. Proof Obligation initialisation / inv1 /INV n ∈ N n ∈ N axm1 axm2 f ∈ 1 .. n → D f ∈ 1 .. n → D v ∈ ran ( f ) v ∈ ran ( f ) axm3 thm1 n ∈ N 1 n ∈ N 1 i ′ = 1 BA predicate ⊢ ⊢ ⊢ i ′ ∈ 1 .. n modified inv1 1 ∈ 1 .. n Simplification performed by the PO Generator = b initialisation status ordinary then act1 : i := 1 end Note that inv1 is not part of the hypotheses (we are in the initialisation event) J-R. Abrial (ETH-Zürich) Event-B Proof Obligations Bucharest, 14-16/07/10 12 / 65

  13. Proof Obligation search / inv1 /INV axm1 n ∈ N n ∈ N axm2 f ∈ 1 .. n → D f ∈ 1 .. n → D axm3 v ∈ ran ( f ) v ∈ ran ( f ) thm1 n ∈ N 1 n ∈ N 1 inv1 i ∈ 1 .. n i ∈ 1 .. n grd1 k ∈ 1 .. n k ∈ 1 .. n grd2 f ( k ) = v f ( k ) = v i ′ = k BA predicate ⊢ ⊢ ⊢ i ′ ∈ 1 .. n modified inv1 k ∈ 1 .. n Simplification performed by the PO Generator search b = status ordinary any k where In what follows, we’ll show the simplified form only grd1 : k ∈ 1 .. n grd2 : f ( k ) = v then act1 : i := k end J-R. Abrial (ETH-Zürich) Event-B Proof Obligations Bucharest, 14-16/07/10 13 / 65

  14. Purpose of the Feasibility PO (FIS) Ensuring that each non-deterministic action is feasible. For an event “evt” and a non-deterministic action “act” in it, the name of this PO is: evt/act/FIS J-R. Abrial (ETH-Zürich) Event-B Proof Obligations Bucharest, 14-16/07/10 14 / 65

  15. Formal Definition of the Feasibility PO (FIS) s : seen sets c : seen constants evt v : variables any x where A ( s , c ) : seen axioms G ( x , s , c , v ) I ( s , c , v ) : invariants then evt : specific event v : | BAP ( x , s , c , v , v ′ ) x : event parameters end G ( x , s , c , v ) : event guards BAP ( x , s , c , v , v ′ ) : event action Axioms A ( s , c ) Invariants I ( s , c , v ) Guards of the event evt / act / FIS G ( x , s , c , v ) ⊢ ⊢ ∃ v ′ · Before-after predicate ∃ v ′ · BAP ( x , s , c , v , v ′ ) J-R. Abrial (ETH-Zürich) Event-B Proof Obligations Bucharest, 14-16/07/10 15 / 65

  16. Example in Machine m_0b (FIS) context ctx_0 sets initialisation = b D status constants ordinary n then f act1 : i := 1 v end axioms axm1 : n ∈ N axm2 : f ∈ 1 .. n → D axm3 : v ∈ ran ( f ) thm1 : n ∈ N 1 search = b end status ordinary then machine i : | i ′ ∈ 1 .. n ∧ f ( i ′ ) = v act1 : m_0b end sees ctx_0 variables i invariants - Among others, one feasibility PO is generated: inv1 : i ∈ 1 .. n events - search / act1 /FIS . . . end J-R. Abrial (ETH-Zürich) Event-B Proof Obligations Bucharest, 14-16/07/10 16 / 65

  17. Proof Obligation search / act1 /FIS axm1 n ∈ N axm2 f ∈ 1 .. n → D axm3 v ∈ ran ( f ) thm1 n ∈ N 1 inv1 i ∈ 1 .. n grd no guard in event search ⊢ ⊢ ∃ i ′ · before-after predicate ∃ i ′ · i ′ ∈ 1 .. n ∧ f ( i ′ ) = v = search b status ordinary then i : | i ′ ∈ 1 .. n ∧ f ( i ′ ) = v act1 : end J-R. Abrial (ETH-Zürich) Event-B Proof Obligations Bucharest, 14-16/07/10 17 / 65

  18. Purpose of the Guard Strengthening PO (GRD) Ensuring that the concrete guards in the refining event are stronger than the abstract ones. This ensures that when a concrete event is enabled then so is the corresponding abstract one. For a concrete event “evt” and an abstract guard “grd” in the corresponding abstract event, the name of this PO is: evt/grd/GRD J-R. Abrial (ETH-Zürich) Event-B Proof Obligations Bucharest, 14-16/07/10 18 / 65

  19. Formal Def. of the Guard Strengthening PO (GRD) evt s : seen sets refines c : seen constants evt0 evt0 v : abstract variables any any w : concrete variables x y A ( s , c ) : seen axioms where where I ( s , c , v ) : abs. invts. g ( x , s , c , v ) H ( y , s , c , w ) J ( s , c , v , w ) : conc. invts. . . . with evt : specific concrete event then x : W ( x , y , s , c , w ) x : abstract event parameter . . . then y : concrete event parameter end . . . g ( x , s , c , v ) : abstract event specific guard end H ( y , s , c , w ) : concrete event guards Axioms A ( s , c ) Abstract invariants I ( s , c , v ) Concrete invariants J ( s , c , v , w ) Concrete event guards evt / grd / GRD H ( y , s , c , w ) witness predicate W ( x , y , s , c , w ) ⊢ ⊢ Abstract event specific guard g ( x , s , c , v ) It is simplified when there are no parameters J-R. Abrial (ETH-Zürich) Event-B Proof Obligations Bucharest, 14-16/07/10 19 / 65

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A Refinement Based Approach to Hybrid Systems: Hybrid Event-B Richard Banach School of Computer

A Refinement Based Approach to Hybrid Systems: Hybrid Event-B Richard Banach School of Computer

A Refinement Based Approach to Hybrid Systems: Hybrid Event-B Richard Banach School of Computer Science, University of Manchester, UK Contents 1. Discrete Event-B Basics 2. Example 3. Proof Obligations 4. Refinement in Event-B 5.

281 views • 25 slides
Ch 11. Event Cognition Seminar on Event Cognition Summary of Event Cognition Event

Ch 11. Event Cognition Seminar on Event Cognition Summary of Event Cognition Event

Ch 11. Event Cognition Seminar on Event Cognition Summary of Event Cognition Event Cognition is Fundamental and Pervasive Perception, Language, Memory, Reasoning and Decision- making Event Cognition has a Long Past

311 views • 5 slides
+ proof obligations Automatic Verification of TLA with SMT solvers Stephan Merz and Hern an

+ proof obligations Automatic Verification of TLA with SMT solvers Stephan Merz and Hern an

+ proof obligations Automatic Verification of TLA with SMT solvers Stephan Merz and Hern an Vanzetto LPAR-18, M erida, Venezuela March 12th, 2012 1 + language The TLA Specification and verification language for (concurrent and

735 views • 27 slides
Obligations and Disputations Positio Burleys thesis An Obligational Sophism The Responsio

Obligations and Disputations Positio Burleys thesis An Obligational Sophism The Responsio

Obligations and Disputations Stephen Read Obligations Practice-based Philosophy of Logic and Disputations Walter Burley Obligational Mathematics, Amsterdam 31 Aug - 2 Sep 2009 Disputations The Responsio Antiqua Obligations and

1.62k views • 121 slides
Employment Laws and the New Normal: New Workplace Obligations, and a Look at Prior Obligations

Employment Laws and the New Normal: New Workplace Obligations, and a Look at Prior Obligations

JUNE 11, 2020 Employment Laws and the New Normal: New Workplace Obligations, and a Look at Prior Obligations Emily Erdman, Senior Employment Counsel, Cruise Rebecca Stephens, Senior Associate, Farella Braun + Martel Holly Sutton, Partner,

615 views • 45 slides
3515ICT Theory of Computation Some sample proofs 4-0 Proof types 1. Proof

3515ICT Theory of Computation Some sample proofs 4-0 Proof types 1. Proof

Griffith University 3515ICT Theory of Computation Some sample proofs 4-0 Proof types 1. Proof by construction 2. Proof by equivalence 3. Proof by contradiction 4. Proof by case analysis 5. Proof by induction

549 views • 11 slides
Insurers' Reporting Obligations Under Insurers Reporting Obligations Under Medicare Medicaid SCHIP

Insurers' Reporting Obligations Under Insurers Reporting Obligations Under Medicare Medicaid SCHIP

Presenting a live 90 minute webinar with interactive Q&A Insurers' Reporting Obligations Under Insurers Reporting Obligations Under Medicare Medicaid SCHIP Extension Act Complying with MMSEA Requirements for Non Group Health Plan Payers

638 views • 43 slides
Toward proof-theoretic semantics for the deontic cognitive event calculus Naveen Sundar

Toward proof-theoretic semantics for the deontic cognitive event calculus Naveen Sundar

Logic and Cognition Workshop ICLA 2019, Delhi March 2, 2019 Toward proof-theoretic semantics for the deontic cognitive event calculus Naveen Sundar Govindarajulu, Selmer Bringsjord Rensselaer AI & Reasoning Lab Rensselaer Polytechnic

918 views • 91 slides
One-Slide Summary Inheritance and Godel's Proof Inheritance allows a subclass to share

One-Slide Summary Inheritance and Godel's Proof Inheritance allows a subclass to share

One-Slide Summary Inheritance and Godel's Proof Inheritance allows a subclass to share behavior (methods and instance variables) with a superclass. A class hierarchy shows how subclasses inherit from superclasses. Typically a single

208 views • 10 slides
One-Slide Summary Inheritance and Godel's Proof Inheritance allows a subclass to share

One-Slide Summary Inheritance and Godel's Proof Inheritance allows a subclass to share

One-Slide Summary Inheritance and Godel's Proof Inheritance allows a subclass to share behavior (methods and instance variables) with a superclass. A class hierarchy shows how subclasses inherit from superclasses. Typically a single

217 views • 9 slides
One-Slide Summary Inheritance and Godel's Proof Inheritance allows a subclass to share

One-Slide Summary Inheritance and Godel's Proof Inheritance allows a subclass to share

One-Slide Summary Inheritance and Godel's Proof Inheritance allows a subclass to share behavior (methods and instance variables) with a superclass. A class hierarchy shows how subclasses inherit from superclasses. Typically a single

259 views • 8 slides
Nexus Reviews: Uncovering State Sales or Income Tax Obligations Sales or Income Tax Obligations

Nexus Reviews: Uncovering State Sales or Income Tax Obligations Sales or Income Tax Obligations

Presenting a live 110 minute teleconference with interactive Q&A Nexus Reviews: Uncovering State Sales or Income Tax Obligations Sales or Income Tax Obligations Designing an Effective Internal Process to Identify Potential Tax Exposures

1.06k views • 61 slides
Uncomputability, One-Slide Summary Viruses, OOP In a proof by contradiction , to show that A

Uncomputability, One-Slide Summary Viruses, OOP In a proof by contradiction , to show that A

Uncomputability, One-Slide Summary Viruses, OOP In a proof by contradiction , to show that A cannot exist you show that A implies the existence of X , some known-to-be-impossible thing. To show that A is undecidable or uncomputable , pick X

235 views • 8 slides
One-Slide Summary Godel and Computability A proof of X in a formal system is a sequence of

One-Slide Summary Godel and Computability A proof of X in a formal system is a sequence of

One-Slide Summary Godel and Computability A proof of X in a formal system is a sequence of steps starting with axioms. Each step must use a valid rule of inference and the final step must be X. All interesting logical systems are

451 views • 7 slides
One-Slide Summary Godel and Computability A proof of X in a formal system is a sequence of

One-Slide Summary Godel and Computability A proof of X in a formal system is a sequence of

One-Slide Summary Godel and Computability A proof of X in a formal system is a sequence of steps starting with axioms. Each step must use a valid rule of inference and the final step must be X. All interesting logical systems are

462 views • 6 slides
One-Slide Summary Godel and Computability A proof of X in a formal system is a sequence of

One-Slide Summary Godel and Computability A proof of X in a formal system is a sequence of

One-Slide Summary Godel and Computability A proof of X in a formal system is a sequence of steps starting with axioms. Each step must use a valid rule of inference and the final step must be X. All interesting logical systems are

112 views • 8 slides
Static Analysis and Interactive Theorem Proving - A Match Made in Heaven ? Jael E. Kriener

Static Analysis and Interactive Theorem Proving - A Match Made in Heaven ? Jael E. Kriener

Introduction Static Analysis by Example Interactive Theorem Proving in Coq Bliss? - Not Quite Yet... Static Analysis and Interactive Theorem Proving - A Match Made in Heaven ? Jael E. Kriener University of Kent, Canterbury November 18, 2011

429 views • 25 slides
Establishing the overall To explain why multiple models are required to document a

Establishing the overall To explain why multiple models are required to document a

Architectural Design Objectives To introduce architectural design and to discuss its importance Establishing the overall To explain why multiple models are required to document a software structure of a software architecture To

447 views • 23 slides
TDT4205 Lecture #6 2 Weve recognized the words Regular Scanner expressions Generator

TDT4205 Lecture #6 2 Weve recognized the words Regular Scanner expressions Generator

1 Context-Free Grammars TDT4205 Lecture #6 2 Weve recognized the words Regular Scanner expressions Generator Source Scanner Pairs of code (token, lexeme) Inside of compiler 3 Next comes statements That is, syntactic

513 views • 32 slides
Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis of Programs with Dynamic Memory Mihaela Sighireanu IRIF, University Paris Diderot & CNRS VTSA 2015 1 / 99 Static Analysis Establish

2.15k views • 186 slides
Computational Morphology: Machine learning of morphology Yulia Zinova 09 April 2014 16 July

Computational Morphology: Machine learning of morphology Yulia Zinova 09 April 2014 16 July

Computational Morphology: Machine learning of morphology Yulia Zinova 09 April 2014 16 July 2014 . . . . . . Yulia Zinova Computational Morphology: Machine learning of morphology Introduction: History Disconnect between

852 views • 31 slides
Symbol Tables COMP 520: Compiler Design (4 credits) Alexander Krolik

Symbol Tables COMP 520: Compiler Design (4 credits) Alexander Krolik

COMP 520 Winter 2019 Symbol Tables (1) Symbol Tables COMP 520: Compiler Design (4 credits) Alexander Krolik alexander.krolik@mail.mcgill.ca MWF 8:30-9:30, TR 1080 http://www.cs.mcgill.ca/~cs520/2019/ COMP 520 Winter 2019 Symbol Tables (2)

878 views • 36 slides
SVERTS 2004 Workshop associated with UML 2004 Susanne Graf Verimag, Grenoble, France

SVERTS 2004 Workshop associated with UML 2004 Susanne Graf Verimag, Grenoble, France

IST-2001-33522 SVERTS 2004 Workshop associated with UML 2004 Susanne Graf Verimag, Grenoble, France Oystein Haugen University of Oslo, Norway Ileana Ober Verimag, Grenoble,

668 views • 42 slides
Syntax Analysis Reinhard Wilhelm Universitt des Saarlandes wilhelm@cs.uni-sb.de and Mooly

Syntax Analysis Reinhard Wilhelm Universitt des Saarlandes wilhelm@cs.uni-sb.de and Mooly

Syntax Analysis Syntax Analysis Reinhard Wilhelm Universitt des Saarlandes wilhelm@cs.uni-sb.de and Mooly Sagiv Tel Aviv University sagiv@math.tau.ac.il 23. Oktober 2009 Syntax Analysis Subjects Introduction The task of syntax

471 views • 18 slides

More recommend