
Solutions to the Model Exam COMP2111 13s1

Kai Engelhardt
Revision: 1.4 of Date: 2013/06/12 12:45:41

Answer to Question 1 These are screenshots from Rodin and quite small so I could fit them onto the pages. Some definitions and invariants weren't called for in the questions but made the presentation easier or the POs easier to discharge.

Answer to Question 2 And the machine to go with the context:

Answer to Question 3 See answer 1.

Answer to Question 4 See answers 1 and 2.

Answer to Question 5 See answer 2.

Answer to Question 6 To answer questions relating to POs, let us abbreviate the conjunction of all axioms listed in the context bag_ctx by $A$ and the conjunction of all invariants in bagA by $I$. Let $G = (t \in T \wedge c < M)$ be the conjunction of add's guards. Let
$$T = \bigl(c' = c + 1 \;\wedge\; (t \in \mathrm{dom}(b) \Rightarrow b' = b \mathbin{<\!+} \{t \mapsto b(t) + 1\}) \;\wedge\; (t \notin \mathrm{dom}(b) \Rightarrow b' = b \cup \{t \mapsto 1\})\bigr)$$
be the before-after predicate of add derived from its two actions. There are three POs for add. (Rodin would split some of these POs up. For instance, the one for invariant preservation would be split into one for each invariant, omitting those that hold trivially, for some definition of "trivially" made by Rodin.)

1. Well-definedness of the second action (trivial; not discussed).

2. Feasibility of the second action:
$$A \wedge I \wedge G \vdash \exists b', c' \cdot T$$
Recall from maths that to prove validity of such a formula we need to consider the free variables as implicitly universally quantified. The term "variables" here refers to all the free identifiers, that is, not only the Event-B variables but also constants, set names, and primed variables occurring freely in the formula. To prove feasibility, we provide values for the existentially quantified variables $b'$ and $c'$ in line with $T$, that is, $c'$ is always $c + 1$ and $b$ is changed only at $t$. How it changes at $t$ depends on whether $t$ is already in the bag.

3. Invariant preservation:
$$A \wedge I \wedge G \wedge T \vdash I'$$
I'll demonstrate once how to do this in detail, for each of the four conjuncts of $I = \mathit{inv1} \wedge \mathit{inv4} \wedge \mathit{inv5} \wedge \mathit{inv6}$. Using $A$ we translate inv1, $b \in BAG$, into $b \in T \mathrel{+\!\!\to} \mathbb{N}_1$. From $I$ we use that $b \in T \mathrel{+\!\!\to} \mathbb{N}_1$. Now there are two cases. (1) If $t \in \mathrm{dom}(b)$ then $b' = b \mathbin{<\!+} \{t \mapsto b(t) + 1\}$, which is of type $T \mathrel{+\!\!\to} \mathbb{N}_1$. (2) Otherwise, if $t \notin \mathrm{dom}(b)$, then $b' = b \cup \{t \mapsto 1\}$ is also of that type. From $G$ and inv4 we know that $c \in 0..M-1$. Hence $c' = c + 1 \in 1..M$, which establishes inv4 in the after-state. inv5 is preserved because inv5 is in $I$ and res is not changed by add (formally: $T \Rightarrow res' = res$). inv6 in the after-state follows from the axioms about bs in $A$, inv6, and $T$, giving $c' = c + 1 = bs(b) + 1 = bs(b')$.

Answer to Question 7 Here are the two new events.

Answer to Question 8 For addnew, a guard PO and a simulation PO should be generated. The guard PO ensures that add must be enabled whenever addnew is. The PO is
$$A \wedge I \wedge G_n \vdash G$$
where $G_n$ is the conjunction of addnew's guards. This is trivially true since addnew has all the guards of add (and one extra). A similar argument yields validity of addold's guard PO. addnew's simulation PO is
$$A \wedge I \wedge G_n \wedge T_n \vdash T$$
where $T_n$ is addnew's before-after predicate $c' = c + 1 \wedge b' = b \cup \{t \mapsto 1\}$. This matches precisely the first and last conjunct of $T$ when taking grd3 into account. A similar argument establishes addold's simulation PO
$$A \wedge I \wedge G_o \wedge T_o \vdash T$$
where $G_o$ is the conjunction of addold's guards and $T_o$ is addold's before-after predicate $c' = c + 1 \wedge b' = b \mathbin{<\!+} \{t \mapsto b(t) + 1\}$. This time the second rather than the third conjunct of $T$ is matched.

Answer to Question 9 The answer is cleaner when storing some of the useful definitions in another context. Again, much of this isn't necessary for the exam, but I added it to help with the cleanliness of the presentation and with discharging POs. For starters one could omit everything labelled theorem.
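When Rodin is not at hand, the POs of answers 6 and 8 can be sanity-checked by brute force on a small instance: enumerate every state that satisfies the hypotheses and evaluate the conclusion. The script below is an added example, not part of the original solutions and not a Rodin artefact. The carrier set T and the bound M are constructed here, and the definitions of BAG, bs, inv1, inv4 and inv6 are assumptions reconstructed from the prose of answer 6 (inv5, which concerns res, is left out because the page does not state it). Feasibility is not checked separately: each event is coded as a total function of the before-state, so the computed after-state is the witness.

```python
"""
Bounded check of the Event-B proof obligations for the bag machine's `add`
event and its refinements `addnew` / `addold` (invariant preservation,
guard strengthening and simulation), on a constructed finite instance.

Assumed definitions (reconstructed from the answers, not from the page's Rodin model):
  BAG    = T +-> N1          partial function with positive counts
  bs(b)  = sum of the counts in b
  inv1: b in BAG   inv4: c in 0..M   inv6: c = bs(b)
"""
from itertools import product

T = ("a", "b")   # constructed carrier set
M = 2            # constructed capacity bound


def bs(b):
    return sum(b.values())


def is_bag(b):
    return all(k in T and v >= 1 for k, v in b.items())


def all_bags():
    # Every partial function T +-> 1..M; larger counts cannot satisfy inv4 anyway.
    for counts in product(range(M + 1), repeat=len(T)):
        yield {t: n for t, n in zip(T, counts) if n > 0}


def inv(b, c):
    """I restricted to inv1, inv4 and inv6."""
    return is_bag(b) and 0 <= c <= M and c == bs(b)


# --- abstract event add: guard G and before-after predicate T as a function ---
def guard_add(b, c, t):
    return t in T and c < M


def add(b, c, t):
    b2 = dict(b)
    b2[t] = b.get(t, 0) + 1   # override if t in dom(b), union with {t |-> 1} otherwise
    return b2, c + 1


# --- refining events addnew (extra guard grd3: t not in dom(b)) and addold ---
def guard_addnew(b, c, t):
    return guard_add(b, c, t) and t not in b


def addnew(b, c, t):
    b2 = dict(b)
    b2[t] = 1
    return b2, c + 1


def guard_addold(b, c, t):
    return guard_add(b, c, t) and t in b


def addold(b, c, t):
    b2 = dict(b)
    b2[t] = b[t] + 1
    return b2, c + 1


def check_po(guard, event, abstract=None):
    """Return the list of counter-examples (kind, b, c, t) found for
    INV: invariant preservation, and when `abstract` = (abstract guard, abstract event)
    is given, GRD: guard strengthening and SIM: action simulation."""
    failures = []
    for b in all_bags():
        for c in range(M + 1):
            if not inv(b, c):          # hypothesis I
                continue
            for t in T:
                if not guard(b, c, t):  # hypothesis G
                    continue
                b2, c2 = event(b, c, t)
                if not inv(b2, c2):
                    failures.append(("INV", b, c, t))
                if abstract is not None:
                    ag, aev = abstract
                    if not ag(b, c, t):
                        failures.append(("GRD", b, c, t))
                    elif aev(b, c, t) != (b2, c2):
                        failures.append(("SIM", b, c, t))
    return failures


def guard_addnew_without_grd3(b, c, t):
    # Deliberately weakened guard, to show that the simulation PO then fails.
    return guard_add(b, c, t)


if __name__ == "__main__":
    print("add     :", check_po(guard_add, add))
    print("addnew  :", check_po(guard_addnew, addnew, (guard_add, add)))
    print("addold  :", check_po(guard_addold, addold, (guard_add, add)))
    print("no grd3 :", check_po(guard_addnew_without_grd3, addnew, (guard_add, add)))
```

The last line shows why grd3 matters: without it, addnew resets an existing count to 1, which neither simulates add nor preserves inv6. An exhaustive check like this is only evidence for the chosen T and M; the sequent proofs in the answers above are what establish the POs for all instances.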

Answer to Question 10 Let us abbreviate the conjunction of all axioms listed in the context bagC_ctx by $C$ and the conjunction of all invariants in bagC by $J$. The initialisation needs to establish the invariants, including the gluing invariants. The before-after predicate of the initialisation, including the initialisation of bagA, is
$$T_0 = (b' = \emptyset \wedge c' = 0 \wedge res' \in T \wedge B' \in BUF \wedge l' = 0 \wedge h' = M).$$
We need to show
$$A \wedge C \wedge T_0 \vdash J'.$$

We discuss the conjuncts of $J$ in order. The first three, inv1 to inv5, clearly follow from the premises. (Even Rodin doesn't put up a fight.) For glueS1 we need to show that
$$A \wedge C \vdash \mathrm{dom}(\emptyset) = B'[\mathit{Bdom}(0 \mapsto M)].$$
This follows from $\mathit{Bdom}(0 \mapsto M) = \emptyset$, which in turn is a consequence of the axioms in bagC_ctx. glueS2 is vacuously true since $\mathrm{dom}(b') = \mathrm{dom}(\emptyset) = \emptyset$. gluec is implied by $c' = 0$, which we find in $T_0$, and $\mathit{Bsize}(0 \mapsto M) = 0$, which follows from the context.

For add we note the guard $G_1 = (t \in T \wedge \mathit{Bsize}(l \mapsto h) < M)$, the witness predicate $W_1 = (\mathit{glueS1} \wedge \mathit{glueS2})[b', B', h' / b, B, h]$, and the before-after predicate $T_1 = (l' = l \wedge h' = (h + 1) \bmod (M + 1) \wedge B' = B \mathbin{<\!+} \{h \mapsto t\})$. We encounter POs relating to

1. well-definedness of the witness, $A \wedge C \wedge I \wedge J \wedge G_1 \wedge T_1 \vdash \mathcal{L}(W_1)$ (we won't discuss this; well-definedness POs won't feature in the exam);

2. feasibility of the witness, $A \wedge C \wedge I \wedge J \wedge G_1 \wedge T_1 \vdash \exists b' \cdot W_1$. The instantiation for $b'$ that works here is the one constructed in bagA's event add;

3. invariant preservation, $A \wedge C \wedge I \wedge J \wedge G_1 \wedge T_1 \wedge W_1 \vdash J'$. Here $W_1$ helps a lot to preserve all the gluing invariants. The other invariants are merely types and are preserved by the actions;

4. action simulation, $A \wedge C \wedge I \wedge J \wedge G_1 \wedge T_1 \wedge W_1 \vdash T$. Again $W_1$ does all the heavy lifting from circular buffers to bags by predicting the correct value for $b'$.

Answer to Question 11 Four possible answers are:
$$\{I(a, c, x)\}\ A_5 ; C_5\ \{I(a, c, x)\}$$
$$\{I(a, c, x)\}\ A_5\ \{I(a, f_C(c, x), x)\}$$
$$\{I(a, c, x)\}\ C_5\ \{I(f_A(a, x), c, x)\}$$
$$\{I(a, c, x)\}\ \mathit{true}\ \{I(f_A(a, x), f_C(c, x), x)\}$$

Answer to Question 12 No fairness constraints are needed. By the convergence argument for Improve, after the initialisation this event can only fire finitely often; then it is disabled and, for the execution to be maximal, Finish, which is now enabled, must fire, setting final = TRUE.

Answer to Question 13 Now a weak fairness constraint is needed for Improve and Finish to guarantee that these events happen, since otherwise skip could monopolise the execution. We show
$$(n = 3 \wedge f = 1 \wedge k = 0 \wedge \mathit{final} = \mathit{FALSE}) \leadsto (\mathit{final} = \mathit{TRUE} \wedge f = 6)$$
via the intermediate stages
$$(n = 3 \wedge f = 1 \wedge k = 0 \wedge \mathit{final} = \mathit{FALSE})$$
$$\leadsto (n = 3 \wedge f = 1 \wedge k = 1 \wedge \mathit{final} = \mathit{FALSE})$$
$$\leadsto (n = 3 \wedge f = 2 \wedge k = 2 \wedge \mathit{final} = \mathit{FALSE})$$
$$\leadsto (n = 3 \wedge f = 6 \wedge k = 3 \wedge \mathit{final} = \mathit{FALSE})$$
$$\leadsto (n = 3 \wedge f = 6 \wedge k = 3 \wedge \mathit{final} = \mathit{TRUE})$$
$$\leadsto (\mathit{final} = \mathit{TRUE} \wedge f = 6).$$

All these steps can be proved with the resp rule, with the helpful event being $H =$ Improve for the first three and $H =$ Finish for the last.
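The chain above can also be checked mechanically on the finite state space of this particular run. The script below is an added example, not part of the original solutions. It assumes a specific shape for the resp rule (the usual weak-fairness "ensures" step: every event preserves $P$ or establishes $Q$ from any state satisfying $P \wedge \neg Q$, and the helpful event $H$ is enabled in every such state and establishes $Q$ in one step), and it assumes the events Improve, Finish and skip as reconstructed from the intermediate stages on the page ($f$ accumulates a factorial while $k$ counts up to $n$); neither the rule's exact statement nor the event definitions appear on this page.

```python
"""
Mechanical check of the leads-to chain from answer 13 on a finite state space.

Assumed machine (reconstructed from the stages on the page, not from the exam):
  Improve: when k < n            then k := k + 1 || f := f * (k + 1)
  Finish:  when k = n & final = FALSE then final := TRUE
  skip:    always enabled, changes nothing
Assumed resp rule: P ~> Q holds under weak fairness for helpful event H if, for every
reachable state s with P(s) and not Q(s),
  (i)  every enabled event maps s to a state satisfying P or Q   (P unless Q), and
  (ii) H is enabled in s and maps s to a state satisfying Q.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class State:
    n: int
    f: int
    k: int
    final: bool


def improve_guard(s): return s.k < s.n
def improve(s): return replace(s, k=s.k + 1, f=s.f * (s.k + 1))
def finish_guard(s): return s.k == s.n and not s.final
def finish(s): return replace(s, final=True)
def skip_guard(s): return True
def skip(s): return s


EVENTS = {
    "Improve": (improve_guard, improve),
    "Finish": (finish_guard, finish),
    "skip": (skip_guard, skip),
}


def reachable(init):
    """All states reachable from `init` by firing enabled events."""
    seen, todo = set(), [init]
    while todo:
        s = todo.pop()
        if s in seen:
            continue
        seen.add(s)
        for guard, action in EVENTS.values():
            if guard(s):
                todo.append(action(s))
    return seen


def resp(states, P, Q, H):
    """True iff P ~> Q is justified by the (assumed) resp rule with helpful event H."""
    h_guard, h_action = EVENTS[H]
    for s in states:
        if not (P(s) and not Q(s)):
            continue
        for guard, action in EVENTS.values():          # (i) P unless Q
            if guard(s) and not (P(action(s)) or Q(action(s))):
                return False
        if not h_guard(s) or not Q(h_action(s)):        # (ii) H establishes Q
            return False
    return True


# The concrete run from answer 13: constructed initial state and intermediate stages.
INIT = State(n=3, f=1, k=0, final=False)
STAGES = [
    State(3, 1, 0, False),
    State(3, 1, 1, False),
    State(3, 2, 2, False),
    State(3, 6, 3, False),
    State(3, 6, 3, True),
]
GOAL = lambda s: s.final and s.f == 6
HELPERS = ["Improve", "Improve", "Improve", "Finish", "Finish"]


def check_chain(init=INIT):
    """Verify every step of the chain; transitivity of ~> then gives INIT ~> GOAL."""
    states = reachable(init)
    preds = [lambda s, st=st: s == st for st in STAGES] + [GOAL]
    return all(resp(states, preds[i], preds[i + 1], HELPERS[i])
               for i in range(len(HELPERS)))


if __name__ == "__main__":
    print("chain justified:", check_chain())
```

The last step of the chain has no state satisfying $P \wedge \neg Q$, so the rule holds vacuously there, matching the remark that it is simply a weakening. Picking skip as the helpful event for any real step makes `resp` fail, which is the mechanical counterpart of the observation that weak fairness for Improve and Finish is what rules out skip monopolising the execution.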
