
Proving Response Properties of Event-B Machines
COMP2111 13s1

Kai Engelhardt
Revision: 1.2 of Date: 2013/05/07 05:33:49

1 Introduction

This note is about proving so-called response properties [2]. We introduce the notation $p \leadsto q$ ("p leads to q") as a shorthand for $\Box(p \rightarrow \Diamond q)$ and adapt some of Manna & Pnueli's proof rules to Event-B. The Event-B examples used here are collected in the byoTL.zip Rodin project.

1.1 simpleA

The first machine, simpleA, motivates why we need to insist on maximal executions only, as Hoang and Abrial did in [1]. Without maximality, we cannot argue that there will be any events occurring in an execution, let alone infinitely many, as we would like to assert. It would still take some more work to actually prove that (a) any maximal execution of this machine must be infinite and (b) both events occur infinitely often in each (maximal) execution. Let's postpone that work until we have the machinery to do such proofs.

1.2 simpleC1

The second machine, simpleC1, illustrates the point that Event-B refinement does not preserve such properties: this machine refines simpleA but has finite maximal executions as well as infinite ones.

1.3 simpleC2

The third machine, simpleC2, again refines simpleA. It introduces a new variable, transientfault, and a third event, twiddle. Maximality of executions is no longer enough to guarantee point (b) above because such an execution could just have an infinite tail of twiddle occurrences. To retain (b), we need weak fairness for the two other events, either as a group, WF(decrement, spike), or individually, WF(decrement), WF(spike). For simplicity, we restrict attention to the latter in this note.

1.4 simpleC2a

The machine simpleC2a refines simpleC2 by strengthening the guard and removing the non-determinism of spike. We still require the fairness constraints from simpleC2 to assert (b).

1.5 simpleC2b

The machine simpleC2b refines simpleC2 by adding the guard transientfault = FALSE to the spike event. Again, this is entirely acceptable in Event-B, but it means that in order to guarantee (b), we now need strong fairness for spike.

2 Slightly More Formal

2.1 Event-B light

Let's formalise the notions mentioned above in the context of an Event-B machine

    Machine M
    Variables v
    Invariant J
    Events
      INITIALISATION THEN a_0 END
      (i WHERE g_i THEN a_i END)   for each i in I

I chose to ignore event parameters to simplify the presentation. Having them is orthogonal to the problem discussed in this note. The names of M's events are the elements $i \in I$. States $s$ are mappings from $v$ to values. Invariant $J$ and guards $g_i$ are predicates, interpreted as mappings from states to $\mathbb{B}$. Actions $a_i$ are also predicates, but from two states to $\mathbb{B}$. The first state is as for guards whereas the second state is used to evaluate all primed occurrences of variables. Every Event-B action can be translated into the general form $v :\mid P(v, v')$ for some predicate $P$. E.g., the action $n := n + 1$ translates to $n' = n + 1$. For simplicity we assume that all our $a_i$ are given as such predicates. When translating an assignment into this form, variables of the machine that do not occur on the left-hand side of the assignment must be explicitly modelled as not changing (in a machine with variables $n, t$, the assignment $n := n + 1$ becomes $n' = n + 1 \wedge t' = t$).

Example 2.1 To translate simpleA into the form above, we set

    M = simpleA
    v = n
    J = $n \in \mathbb{N}$
    a_0 = $n' = 5$
    I = {decrement, spike}
    g_decrement = $n > 0$      a_decrement = $n' = n - 1$
    g_spike     = $n < 2$      a_spike     = $n' > 1$

We use the convention that a primed predicate (guard, invariant, or other) is the predicate with primes on all variables. For instance, $J'$ in the example above is $n' \in \mathbb{N}$. With that convention we can briefly recall some of the POs we already know from Event-B.

    INITIALISATION/INV   $a_0 \rightarrow J'$
    INITIALISATION/FIS   $\exists v' \cdot a_0$
    i/INV                $J \wedge g_i \wedge a_i \rightarrow J'$
    i/FIS                $J \wedge g_i \rightarrow \exists v' \cdot a_i$

Example 2.2 For simpleA this amounts to

    INITIALISATION/INV   $n' = 5 \rightarrow n' \in \mathbb{N}$
    INITIALISATION/FIS   $\exists n' \cdot n' = 5$
    decrement/INV        $n \in \mathbb{N} \wedge n > 0 \wedge n' = n - 1 \rightarrow n' \in \mathbb{N}$
    decrement/FIS        $n \in \mathbb{N} \wedge n > 0 \rightarrow \exists n' \cdot n' = n - 1$
    spike/INV            $n \in \mathbb{N} \wedge n < 2 \wedge n' > 1 \rightarrow n' \in \mathbb{N}$
    spike/FIS            $n \in \mathbb{N} \wedge n < 2 \rightarrow \exists n' \cdot n' > 1$

which are all trivially valid. Rodin thinks so, too.

2.2 Fairness and Response Properties

2.2.1 Adding Fairness Constraints to M

Definition 2.3 An infinite execution $\sigma$ of M is weakly fair for an event $i$ iff $i$ is infinitely often disabled or infinitely often taken. In LTL we could express this as
\[ \sigma \models \Box\Diamond\neg g_i \vee \Box\Diamond(\mathit{taken} = i), \]
assuming we have an auxiliary variable $\mathit{taken}$ that is updated with every event to store the name of that event. Similarly, an infinite execution is strongly fair for an event $i$ iff $i$ is eventually disabled forever or infinitely often taken. In LTL we could express this as
\[ \sigma \models \Diamond\Box\neg g_i \vee \Box\Diamond(\mathit{taken} = i). \]


Note that it does not make sense to talk about fairness for finite maximal executions. We now allow an additional part to be appended to Event-B machines to specify fairness constraints. For the time being, we limit ourselves to a set of constraints of the form WF(i) to express a weak fairness assumption for an event $i \in I$. Later on we may extend this to include also SF(i) for strong fairness, or F(G) where $F \in \{\mathrm{WF}, \mathrm{SF}\}$ and $G \subseteq I$. For the remainder, let $W \subseteq I$ be such that M contains WF(i) for each $i \in W$.

Example 2.4 In simpleC2 I've added WF(decrement) and WF(spike) as comments, so here $W = \{\mathrm{decrement}, \mathrm{spike}\}$. Now we would like to prove (b) from the introduction, but how?

2.2.2 Proof Rules for Response Properties

The first few rules state simple logical properties of $\leadsto$, independent of the machine:

    rx:    $p \leadsto p$
    trns:  $p \leadsto q,\; q \leadsto r \;\vdash\; p \leadsto r$
    mon:   $p_1 \rightarrow p,\; p \leadsto q,\; q \rightarrow q_1 \;\vdash\; p_1 \leadsto q_1$
    disj:  $p \leadsto r,\; q \leadsto r \;\vdash\; (p \vee q) \leadsto r$
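Definition 2.3 is easy to apply by hand to a finite state graph but easy to get wrong for a concrete infinite execution, so here is an added example (code written for this note, not part of the byoTL.zip project) that checks weak and strong fairness on lasso-shaped executions of simpleC2a: a finite prefix followed by a cycle that repeats forever, so that "infinitely often" means "somewhere on the cycle" and "eventually forever" means "everywhere on the cycle". The executions CYCLE_RUN, TWIDDLE_TAIL and FLIP_RUN are constructed for the example. The machine flip_variant is an assumption, not the note's simpleC2b: its spike is guarded by t = FALSE as in simpleC2b, but the note does not say which event changes transientfault, so the example lets twiddle toggle t in order to show the weak/strong fairness gap that section 1.5 refers to.

```python
# Added example (not from the note or the byoTL.zip Rodin project): checking
# Definition 2.3 on lasso-shaped infinite executions of the Event-B-light
# machine simpleC2a. States are (n, t) pairs; an event is a pair
# (guard, successor-set function), i.e. the action a_i read as a relation.

def simpleC2a():
    # guards g_i and actions a_i of simpleC2a as listed in the note
    return {
        "decrement": (lambda s: s[0] > 0,  lambda s: {(s[0] - 1, s[1])}),
        "spike":     (lambda s: s[0] == 0, lambda s: {(5, s[1])}),
        "twiddle":   (lambda s: True,      lambda s: {s}),
    }

def flip_variant():
    # Constructed variant (an assumption, NOT the note's simpleC2b): spike is
    # additionally guarded by t = FALSE and twiddle toggles t. The note does not
    # say how transientfault changes; this stand-in only shows why a guard on
    # spike that depends on t calls for strong rather than weak fairness.
    return {
        "decrement": (lambda s: s[0] > 0,               lambda s: {(s[0] - 1, s[1])}),
        "spike":     (lambda s: s[0] == 0 and not s[1], lambda s: {(5, s[1])}),
        "twiddle":   (lambda s: True,                   lambda s: {(s[0], not s[1])}),
    }

def check_lasso(machine, steps, loop_start):
    """steps is a list of (state, event) pairs; the infinite execution is
    steps[:loop_start] followed by steps[loop_start:] repeated forever.
    Returns (is_execution, weak, strong) where weak[i] / strong[i] say whether
    the execution is weakly / strongly fair for event i (Definition 2.3)."""
    # Every step must take an enabled event whose action admits the next state;
    # the last step must lead back to the first state of the cycle.
    for k, (s, e) in enumerate(steps):
        guard, succ = machine[e]
        nxt = steps[k + 1][0] if k + 1 < len(steps) else steps[loop_start][0]
        if not guard(s) or nxt not in succ(s):
            return False, {}, {}
    cycle = steps[loop_start:]
    weak, strong = {}, {}
    for i, (guard, _) in machine.items():
        taken_io = any(e == i for _, e in cycle)            # []<> taken = i
        disabled_io = any(not guard(s) for s, _ in cycle)   # []<> not g_i
        disabled_ev = all(not guard(s) for s, _ in cycle)   # <>[] not g_i
        weak[i] = disabled_io or taken_io
        strong[i] = disabled_ev or taken_io
    return True, weak, strong

F, T = False, True
# Constructed executions. CYCLE_RUN: five decrements then a spike, forever.
CYCLE_RUN = [((5, F), "decrement"), ((4, F), "decrement"), ((3, F), "decrement"),
             ((2, F), "decrement"), ((1, F), "decrement"), ((0, F), "spike")]
# TWIDDLE_TAIL: two decrements, then twiddle forever at n = 3 (the tail that
# section 1.3 warns about); its cycle starts at index 2.
TWIDDLE_TAIL = [((5, F), "decrement"), ((4, F), "decrement"), ((3, F), "twiddle")]
# FLIP_RUN (flip_variant only): n stays 0 while t toggles, so spike is enabled
# infinitely often but never taken.
FLIP_RUN = [((0, F), "twiddle"), ((0, T), "twiddle")]

if __name__ == "__main__":
    for name, m, run, start in [("CYCLE_RUN", simpleC2a(), CYCLE_RUN, 0),
                                ("TWIDDLE_TAIL", simpleC2a(), TWIDDLE_TAIL, 2),
                                ("FLIP_RUN", flip_variant(), FLIP_RUN, 0)]:
        ok, weak, strong = check_lasso(m, run, start)
        print(name, "execution:", ok, "WF:", weak, "SF:", strong)
```

Running it shows that TWIDDLE_TAIL is a perfectly good maximal execution of simpleC2a which WF(decrement) rules out (decrement stays enabled at n = 3 and is never taken), that CYCLE_RUN is weakly fair for decrement and spike but not for twiddle, which is fine because twiddle is not in W, and that in the constructed variant WF(spike) still admits FLIP_RUN while SF(spike) does not.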

The next rule makes claims only for (maximal, weakly fair for $W$) executions of M rather than for all infinite sequences of states. It also assumes that the usual Event-B POs have been proved already.

    resp:  for $h \in W$,
           $J \wedge p \wedge \neg q \rightarrow g_h$
           $J \wedge g_i \wedge a_i \wedge p \wedge \neg q \rightarrow p' \vee q'$   for every $i \in I$
           $J \wedge g_h \wedge a_h \wedge p \wedge \neg q \rightarrow q'$
           $\vdash\; p \leadsto q$

In words: while $p$ holds and $q$ does not, the helpful event $h$ is enabled; no event can leave $p$ without establishing $q$; and $h$ itself establishes $q$. In an execution that is weakly fair for $h$, $h$ cannot stay enabled forever without being taken, so $q$ is eventually reached.

Let's see this rule in action by proving $n = 4 \leadsto n = 3$ for simpleC2a. That machine is defined¹ by

    M = simpleC2a
    v = n, t
    J = $n \in \mathbb{N} \wedge t \in \mathbb{B}$
    a_0 = $n' = 5 \wedge t' = \mathrm{false}$
    I = {decrement, spike, twiddle}
    g_decrement = $n > 0$       a_decrement = $n', t' = n - 1, t$
    g_spike     = $n = 0$       a_spike     = $n', t' = 5, t$
    g_twiddle   = true          a_twiddle   = $n', t' = n, t$
    W = {decrement, spike}

We instantiate resp with h = decrement, $p = (n = 4)$ and $q = (n = 3)$, check all the premises and conclude the desired $n = 4 \leadsto n = 3$. By replacing the numbers we can derive a whole chain $n = 5 \leadsto n = 4 \leadsto n = 3 \leadsto n = 2 \leadsto n = 1 \leadsto n = 0$. With h = spike we can show $n = 0 \leadsto n = 5$. Now we have proved a circle of disjoint leads-to predicates, one of which is established by the initialisation. That finally implies that each of the predicates must be true infinitely often for every (. . .) execution of simpleC2a. This last step could be formalised as a rule:

    nfty:  $a_0 \rightarrow p',\; p \leadsto q,\; q \leadsto p,\; \Box\neg(p \wedge q) \;\vdash\; \Box\Diamond p \wedge \Box\Diamond q$

The disjointness premise is what makes the conclusion non-trivial: without it, $p \leadsto p$ (rx) would already qualify as a circle yet says nothing about $p$ recurring. For the circle above, trns collapses the chain so that nfty can be applied to $p = (n = 5)$ and $q = (n = k)$ for each $k \in \{0, \ldots, 4\}$.
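The premises of resp are first-order proof obligations over one step of the machine, so on a bounded state space they can be discharged by enumeration. The following added example (written for this note, not part of the byoTL.zip project) does exactly that for the simpleC2a instantiation above, for the side conditions of nfty on the whole circle, and, looking ahead to the simpleC2 discussion that follows, for the cases $n = 1 \leadsto n = 0$ (which fails because spike may fire at $n = 1$), $n = 1 \leadsto n \neq 1$ and $n = 0 \leadsto n > 1$. Assumptions: n is restricted to 0..N_MAX so that $J$ becomes finite (successors outside the bound are dropped, so the persistence premise for simpleC2's non-deterministic spike is only checked up to N_MAX), and twiddle in simpleC2 is taken to be the no-op listed for simpleC2a.

```python
# Added example (not from the note or the byoTL.zip Rodin project): checking
# the three premises of resp, and the premises of nfty for a circle, by
# exhaustive enumeration on a bounded state space. States are (n, t) pairs,
# predicates p and q are Python functions on states, and an event is a pair
# (guard, successor-set function) with the action a_i read as a relation.

N_MAX = 10                      # bound assumption: J = (n in N) made finite
STATES = [(n, t) for n in range(N_MAX + 1) for t in (False, True)]
INIT = (5, False)               # a_0 of simpleC2a: n' = 5 and t' = false

def simpleC2a():
    return {
        "decrement": (lambda s: s[0] > 0,  lambda s: {(s[0] - 1, s[1])}),
        "spike":     (lambda s: s[0] == 0, lambda s: {(5, s[1])}),
        "twiddle":   (lambda s: True,      lambda s: {s}),
    }

def simpleC2():
    # spike keeps simpleA's guard n < 2 and non-deterministic action n' > 1;
    # twiddle assumed to be the no-op of simpleC2a's listing.
    return {
        "decrement": (lambda s: s[0] > 0, lambda s: {(s[0] - 1, s[1])}),
        "spike":     (lambda s: s[0] < 2, lambda s: {(m, s[1]) for m in range(2, N_MAX + 1)}),
        "twiddle":   (lambda s: True,     lambda s: {s}),
    }

def check_resp(machine, p, q, h):
    """Counterexamples to the premises of resp for p ~> q via helpful event h;
    all lists empty means the rule applies (given h in W).
      enabled:  J /\\ p /\\ ~q -> g_h
      persist:  J /\\ g_i /\\ a_i /\\ p /\\ ~q -> p' \\/ q'   for every event i
      helpful:  J /\\ g_h /\\ a_h /\\ p /\\ ~q -> q'"""
    guard_h, succ_h = machine[h]
    fails = {"enabled": [], "persist": [], "helpful": []}
    for s in STATES:
        if not (p(s) and not q(s)):
            continue
        if not guard_h(s):
            fails["enabled"].append(s)
        for i, (guard, succ) in machine.items():
            if guard(s):
                fails["persist"] += [(s, i, s2) for s2 in succ(s) if not (p(s2) or q(s2))]
        if guard_h(s):
            fails["helpful"] += [(s, s2) for s2 in succ_h(s) if not q(s2)]
    return fails

def resp_holds(machine, p, q, h):
    return not any(check_resp(machine, p, q, h).values())

def circle_holds(machine, preds, helpers, init=INIT):
    """nfty for the circle preds[0] ~> preds[1] ~> ... ~> preds[0]: each link
    is discharged with resp via helpers[k], the predicates are pairwise
    disjoint, and the initial state establishes preds[0]."""
    n = len(preds)
    links = all(resp_holds(machine, preds[k], preds[(k + 1) % n], helpers[k]) for k in range(n))
    disjoint = all(not (preds[a](s) and preds[b](s))
                   for a in range(n) for b in range(a + 1, n) for s in STATES)
    return links and disjoint and preds[0](init)

def eq(k):          # the predicate n = k
    return lambda s: s[0] == k

if __name__ == "__main__":
    print(check_resp(simpleC2a(), eq(4), eq(3), "decrement"))            # all premises hold
    print(check_resp(simpleC2a(), eq(4), eq(3), "twiddle")["helpful"])   # twiddle never reaches n = 3
    print(check_resp(simpleC2(), eq(1), eq(0), "decrement")["persist"])  # spike leaves n = 1 without n = 0
    print(resp_holds(simpleC2(), eq(1), lambda s: s[0] != 1, "decrement"))
    print(circle_holds(simpleC2a(), [eq(k) for k in (5, 4, 3, 2, 1, 0)],
                       ["decrement"] * 5 + ["spike"]))                  # True
```

The persistence counterexamples for simpleC2 are exactly the spike steps from $n = 1$ to some $n' > 1$, which is why the note switches to the weaker target $n \neq 1$ there; with the bound assumption, the checker confirms that target and $n = 0 \leadsto n > 1$ without finding a counterexample.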

Where do we need to use any of the other rules? Let's try to show that $n = 1$ holds infinitely often, $\Box\Diamond(n = 1)$, for simpleC2. We no longer have $n = 1 \leadsto n = 0$, because at $n = 1$ spike is enabled as well and may fire before decrement does. But we can show $n = 1 \leadsto n \neq 1$ just the same, using e.g. h = decrement. We rewrite $n \neq 1$ to $n = 0 \vee n > 1$ (equivalent under $J$, so mon applies) and show $n = 0 \leadsto n > 1$ with h = spike. For $n > 1 \leadsto n > 1$ we use rx. We put them together first with disj to yield $(n = 0 \vee n > 1) \leadsto n > 1$ and then with trns to reach $n = 1 \leadsto n > 1$. The missing piece of the puzzle is $n > 1 \leadsto n = 1$, which technically requires a more elaborate rule than resp because there is no single transition that necessarily establishes $n = 1$ in one go. Instead we need to resort to reasoning that resembles termination proofs for loops, namely, reasoning about well-founded orders. Here all that is quite simple because every spike means that we can have precisely $n - 1$ successive decrement events happening before $n = 1$. The proof rule for that is slightly more involved than I'm prepared to elaborate here; it is a straightforward adaptation of Manna & Pnueli's rule well in [2].

¹ I've renamed transientfault to t for brevity.

References

[1] T. S. Hoang and J.-R. Abrial. Reasoning about liveness properties in Event-B. In S. Qin and Z. Qiu, editors, Formal Methods and Software Engineering, 13th International Conference on Formal Engineering Methods, ICFEM 2011, Durham, UK, October 26-28, 2011, Proceedings, volume 6991 of LNCS, pages 456-471. Springer-Verlag, 2011.

[2] Z. Manna and A. Pnueli. Tools and rules for the practicing verifier. In R. F. Rashid, editor, Computer Science: A 25th Anniversary Commemorative, pages 121-156. ACM Press and Addison-Wesley Publishing Co., 1991.
