Formal Specification And Verification
Winter 2010/2011
Prof. P. H. Schmitt
Institut für Theoretische Informatik
KIT – Universität des Landes Baden-Württemberg und
nationales Forschungszentrum in der Helmholtz-Gemeinschaft
www.kit.edu

Refinement
Theory

Formal Specification And Verification
2/24
Event-B machines

An Event-B machine M is given by the following components:
1. A context C declaring carrier sets, constants and predefined sets such as ℤ. Furthermore a conjunction A of axioms is asserted in C.
2. A finite vector of variables v = (v_1, …, v_k).
3. A conjunction of invariants I(v).
4. A finite set of events E, containing a designated initialising event e_0.
   For simplicity we will assume that there is only one initialising event in E.
5. Every event e ∈ E consists of a formula g_e(v), called the guard of e, and an action part.
   For the initialising event we have g_{e_0}(v) = ⊤.
   The effect of the action part is described by a formula B_e(v, v′), called the before-after-predicate.
   For the initialising event B_{e_0} must not depend on the variables v.
States

Let M be an Event-B machine.
1. The set of states S of M is the set of all valuations of the variables v.
2. A sequence of states s_0, …, s_n, … is called a trace for M if there is a matching sequence e_0, e_1, …, e_n, … of events with e_0 the initialising event, such that
   2.1 For every i with 0 < i: A ⊢ g_{e_i}(s_{i−1}), i.e. state s_{i−1} satisfies the guard of event e_i.
   2.2 For every i with 0 < i: A ⊢ B_{e_i}(s_{i−1}, s_i), i.e. the pair of states s_{i−1}, s_i satisfies the before-after-predicate of event e_i.
   2.3 A ⊢ B_{e_0}(s_0).
3. A state s ∈ S is called reachable if there is a finite trace s_0, …, s_n ending in s, i.e., s_n = s.
4. A state s is called a deadlock if for all e ∈ E \ {e_0, skip} we get A ⊬ g_e(s).

Is B_{e_i}(s_{i−1}, s_i) a formula?
CONTEXT ListSumCtx (Review)
SETS
  Natbag          Bag (=List) of natural numbers
CONSTANTS
  sum             summation over bags
  cons            constructor
  nil             constructor
AXIOMS
  def1 : nil ∈ Natbag
  def2 : cons ∈ Natbag × ℕ → Natbag
  def3 : sum ∈ Natbag → ℕ
  sum1 : ∀l, n · (l ∈ Natbag ∧ n ∈ ℕ ⇒ sum(cons(l ↦ n)) = n + sum(l))
                  Definition of summation wrt. constructors
  axm3 : sum(nil) = 0
                  Definition of summation wrt. constructors
END
MACHINE Abstract-ListSum (Review)
SEES ListSumCtx
VARIABLES
  S               the sum of all added values
  list            internal storage for all current values
INVARIANTS
  inv2 : list ∈ Natbag
  inv1 : S ∈ ℕ
  inv3 : S = sum(list)    S is always the sum of all current values
EVENTS
  Initialisation
    begin
      act2 : list := nil
      act1 : S := 0
    end
  Event ADD ≙
    any
      value
    where
      grd1 : value ∈ ℕ
    then
      act1 : list := cons(list ↦ value)
      act3 : S := sum(cons(list ↦ value))
    end
END
Example

Some States of the ListSum Machine
  s0:  list = nil                              S = 0
  s1:  list = cons(nil,5)                      S = 5
  s2:  list = cons(cons(nil,5),2)              S = 7
  s3:  list = cons(nil,3)                      S = 3
  s4:  list = cons(cons(cons(nil,5),2),5)      S = 12

Some Traces
  s0, s1, s2, s4 and s0, s3

Invariant: S = sum(list)
  State s2 satisfies the invariant S = sum(list) if 7 = sum(cons(cons(nil,5),2)).
Invariants

Definition
We say that an Event-B machine M satisfies its invariants if for every reachable state s
  A ⊢ I(s).

Lemma
If we can verify for a given Event-B machine M the proof obligations
  INIT  A ⊢ B_{e_0}(v) ⇒ I(v)
  INV   for all e ∈ E \ {e_0, skip}:  A ⊢ I(v) ∧ B_e(v, v′) ⇒ I(v′)
then M satisfies its invariants.
Example

MACHINE WeakInvariant
VARIABLES
  x, y, u
INVARIANTS
  typing : x, y, u ∈ ℕ
  inv : u ≥ 0
EVENTS
  Initialisation
    begin
      init : x, y, u := 1, 0, 0
    end
  Event ADD ≙
    any
      z
    where
      grd1 : z ∈ ℤ
    then
      addxy : x, y := x + z, y + z
      diff : u := x − y
    end
END
Analysing the Example

• We can easily convince ourselves that the invariant of the machine WeakInvariant holds in every reachable state.
• But the proof that event ADD preserves the invariant u ≥ 0 fails.
• This arises from the fact that preservation of invariants has to be proved for all events starting in all states that satisfy the invariant, not only the reachable states.
• Remedy: strengthen the invariant by adding x ≥ y.
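The two obligations of the Invariants lemma can be tried out mechanically on the WeakInvariant machine. The following Python script is an added example and not part of the slides: it enumerates a small finite slice of ℕ and ℤ (the bound BOUND is the script's own assumption) and plays the role of the prover for INIT and INV, so it can refute an obligation with a counterexample, but exhausting the slice proves nothing. It checks only the invariant inv : u ≥ 0 that the slide discusses, with and without the strengthening x ≥ y, and separately explores the reachable states to show why the weak invariant nevertheless holds on every trace.

```python
from itertools import product

# Constructed bound: the finite slice of ℕ and ℤ that is enumerated.  A
# counterexample found inside the slice refutes an obligation; running out
# of slice proves nothing, unlike the A ⊢ ... of the lemma.
BOUND = 3
NATS = range(0, BOUND + 1)
INTS = range(-BOUND, BOUND + 1)

def init():
    """Initialisation  init : x, y, u := 1, 0, 0   (the only initial state)."""
    return (1, 0, 0)

def guard_add(state, z):
    """grd1 : z ∈ ℤ, restricted to the enumerated slice."""
    return z in INTS

def add(state, z):
    """Event ADD: x, y := x + z, y + z and u := x − y, evaluated on the old state
    (the before-after-predicate relates (x, y, u) to (x + z, y + z, x − y))."""
    x, y, _u = state
    return (x + z, y + z, x - y)

def inv_weak(state):
    """inv : u ≥ 0, exactly as on the slide."""
    return state[2] >= 0

def inv_strong(state):
    """The remedy from the slide: u ≥ 0 ∧ x ≥ y."""
    x, y, u = state
    return u >= 0 and x >= y

def init_obligation(inv):
    """INIT: B_{e_0}(v) ⇒ I(v).  One initial state, so a single evaluation."""
    return inv(init())

def inv_obligation(inv):
    """INV for ADD: I(v) ∧ B_ADD(v, v′) ⇒ I(v′) for every typed state v
    (x, y, u ∈ ℕ in the slice), reachable or not.  Returns None when no
    counterexample exists in the slice, else (pre-state, z, post-state)."""
    for state in product(NATS, repeat=3):
        if not inv(state):
            continue
        for z in INTS:
            post = add(state, z)
            if guard_add(state, z) and not inv(post):
                return (state, z, post)
    return None

def reachable(depth):
    """States on traces of at most `depth` ADD events with z in the slice."""
    seen, frontier = {init()}, {init()}
    for _ in range(depth):
        frontier = {add(s, z) for s in frontier for z in INTS if guard_add(s, z)} - seen
        seen |= frontier
    return seen

if __name__ == "__main__":
    print("INIT, weak invariant:  ", init_obligation(inv_weak))
    print("INV,  weak invariant:  ", inv_obligation(inv_weak))    # a counterexample with x < y
    print("INV,  strong invariant:", inv_obligation(inv_strong))  # None
    print("all reachable states satisfy u ≥ 0:",
          all(inv_weak(s) for s in reachable(3)))
```

The counterexample for the weak invariant is a state with x < y that satisfies u ≥ 0 but is never reached from the initial state; the reachable states all have u ∈ {0, 1} because x − y stays 1 after the first ADD. That is exactly the gap between "holds on all traces" and "is preserved by every event from every invariant state" that the slide describes.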
Feasible Events

Definition
An event e ∈ E is called feasible if
  A ⊢ I(v) ∧ g_e(v) ⇒ ∃v′ B_e(v, v′)
is provable.

Comment: For an infeasible event e there can still be at least one state s such that I(s) ∧ g_e(s) and ∃v′ B_e(s, v′) are provable. Thus an infeasible event may well contribute to reachability.
The proof obligation that all events be feasible is thus not necessary to establish that an Event-B machine satisfies its invariants, but an infeasible event is surely an indication that something is wrong. E.g., it could be that a stronger guard should be used.
Simple Refinement

Definition
Let N and M be Event-B machines with common context C.
N is called a simple refinement of M if for any finite trace s^c_1, …, s^c_n of N with associated sequence e^c_1, …, e^c_n of events there is a trace s^a_1, …, s^a_n of M with associated sequence e^a_1, …, e^a_n of events such that
1. The glue invariant J(s^a_i, s^c_i) is provable for all 0 ≤ i ≤ n.
2. The event e^c_i is declared to be a refinement of the event e^a_i for all 0 ≤ i ≤ n.
In (2) we allow e^a_i = skip.

The general case that machine M sees context D^a and N sees context D^c can be reduced to the considered case by C = D^a ∪ D^c.
Criterion For Simple Refinement

Lemma
Let M be an Event-B machine that satisfies its invariants.
Let N be another Event-B machine with common context C.
N is a simple refinement of M if
• every event e^c ∈ E_N is a refinement of an event e^a ∈ E_M
and the following proof obligations are satisfied:
  REFINE       A ⊢ I(x) ∧ J(x, y) ∧ B_{e^c}(y, y′) ⇒ ∃x′ (B_{e^a}(x, x′) ∧ J(x′, y′))
               is true for all events e^c ∈ E_N that refine an event e^a ∈ E_M \ {e_0, skip}.
  REFINE-Skip  A ⊢ I(x) ∧ J(x, y) ∧ B_{e^c}(y, y′) ⇒ J(x, y′)
               is true for all new events e^c ∈ E_N, i.e. those refining skip.
  REFINE-Init  A ⊢ B_{e^c_0}(y) ⇒ ∃x (B_{e^a_0}(x) ∧ J(x, y))
Here I is the invariant for M and J is the glue invariant.
Strengthening of the Guard

Lemma
Let M and N be Event-B machines, e^a ∈ E_M and e^c ∈ E_N such that
1. e^a is feasible,
2. A ⊢ I(x) ∧ J(x, y) ∧ g_{e^c}(y) ⇒ g_{e^a}(x)    (strengthening of the guard),
3. A ⊢ J(x, y) ∧ B_{e^a}(x, x′) ∧ B_{e^c}(y, y′) ⇒ J(x′, y′)    (compatibility of before-after-predicates);
then the REFINE proof obligation for e^a and e^c is satisfied.
Informal Proof
By the definition of the REFINE proof obligation we have to show
  A ⊢ I(x) ∧ J(x, y) ∧ B_{e^c}(y, y′) ⇒ ∃x′ (B_{e^a}(x, x′) ∧ J(x′, y′)).
By strengthening of the guard we get
  A ⊢ I(x) ∧ J(x, y) ∧ B_{e^c}(y, y′) ⇒ g_{e^a}(x).
Here we use A ⊢ B_e(v, v′) ⇒ g_e(v). Using feasibility of e^a we get
  A ⊢ I(x) ∧ J(x, y) ∧ B_{e^c}(y, y′) ⇒ ∃x′ B_{e^a}(x, x′).
Compatibility of the before-after-predicates leads to
  A ⊢ I(x) ∧ J(x, y) ∧ B_{e^c}(y, y′) ⇒ ∃x′ (B_{e^a}(x, x′) ∧ J(x′, y′))
as desired.
Example (strengthening of the guard)

MACHINE Abstract-AbsolutListSum SEES ListSumCtx
VARIABLES
  S               the sum of all added absolute values
  list            internal storage for all current values
INVARIANTS
  inv1 : S ∈ ℤ
  inv2 : list ∈ Zbag
  inv3 : S = sum(list)    S = the sum of all current absolute values
EVENTS
  initialization   list := nil ∥ S := 0
  ADD              any value where value ∈ ℤ
                   list := cons(list ↦ abs(value)) ∥ S := sum(cons(list ↦ abs(value)))
END
Example (strengthening of the guard)

MACHINE C-AbsolutListSum refines Abstract-AbsolutListSum
SEES ListSumCtx
VARIABLES
  S               the sum of all added absolute values
  list            internal storage for all current values
INVARIANTS
  inv1 : S ∈ ℤ
  inv2 : list ∈ Zbag
  inv3 : S = sum(list)    S = the sum of all current absolute values
EVENTS
  …
END

Example (continued)

EVENTS
  initialization     list := nil ∥ S := 0
  ADD1 refines ADD   any value where value ∈ ℤ & value ≥ 0
                     list := cons(list ↦ value) ∥ S := sum(cons(list ↦ value))
  ADD2 refines ADD   any value where value ∈ ℤ & value < 0
                     list := cons(list ↦ −value) ∥ S := sum(cons(list ↦ −value))
END
Refinement Proof Obligation

ADD1 refines ADD

General Case
  A ⊢ I(x) ∧ J(x, y) ∧ B_{e^c}(y, y′) ⇒ ∃x′ (B_{e^a}(x, x′) ∧ J(x′, y′))
  A ⊢ I(x) ∧ ∃v (v ∈ ℤ ∧ v ≥ 0 ∧ list′ = cons(list ↦ v) ∧ S′ = sum(cons(list ↦ v)))
        ⇒ ∃v (v ∈ ℤ ∧ list′ = cons(list ↦ abs(v)) ∧ S′ = sum(cons(list ↦ abs(v))))

Strengthening of the Guard
  A ⊢ I(x) ∧ J(x, y) ∧ g_{e^c}(y) ⇒ g_{e^a}(x)
  A ⊢ I(x) ∧ v ∈ ℤ ∧ v ≥ 0 ⇒ v ∈ ℤ
  A ⊢ J(x, y) ∧ B_{e^a}(x, x′) ∧ B_{e^c}(y, y′) ⇒ J(x′, y′)
  A ⊢ I(x) ∧ v ∈ ℤ ∧ v ≥ 0 ∧
        list1 = cons(list ↦ v) ∧ S1 = sum(cons(list ↦ v)) ∧
        list2 = cons(list ↦ abs(v)) ∧ S2 = sum(cons(list ↦ abs(v)))
        ⇒ list1 = list2 ∧ S1 = S2
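The instantiated obligations above can be checked on concrete values. The following Python script is an added example, not part of the slides: it models the bags of ListSumCtx as tuples (nil as the empty tuple, cons(l ↦ n) as appending n), takes the glue invariant J(x, y) to be equality of the abstract and concrete (list, S) pairs as in the last line of the slide, and checks conditions 2 and 3 of the strengthening-of-the-guard lemma for ADD1 and ADD2 over a finite slice of ℤ (the bound is the script's own assumption). Condition 1, feasibility of ADD, is immediate since every value in ℤ yields an after-state. A deliberately wrong variant of ADD2 that forgets to negate the value is constructed here to show the compatibility obligation failing.

```python
from itertools import product

BOUND = 3                           # constructed slice of ℤ for values and bag elements
INTS = range(-BOUND, BOUND + 1)
NIL = ()                            # nil; a bag is a tuple, cons(l ↦ n) appends n

def cons(l, n):
    return l + (n,)

def bag_sum(l):
    """sum(nil) = 0 and sum(cons(l ↦ n)) = n + sum(l)   (axioms axm3, sum1)."""
    return 0 if l == NIL else l[-1] + bag_sum(l[:-1])

# Abstract event ADD of Abstract-AbsolutListSum: guard and before-after function.
def guard_a(v):
    return v in INTS                                    # value ∈ ℤ

def ba_a(x, v):
    lst, _s = x
    return (cons(lst, abs(v)), bag_sum(cons(lst, abs(v))))

# Concrete events of C-AbsolutListSum.
def guard_add1(v):
    return v in INTS and v >= 0

def ba_add1(y, v):
    lst, _s = y
    return (cons(lst, v), bag_sum(cons(lst, v)))

def guard_add2(v):
    return v in INTS and v < 0

def ba_add2(y, v):
    lst, _s = y
    return (cons(lst, -v), bag_sum(cons(lst, -v)))

# Constructed wrong refinement of ADD for contrast: the negation is missing.
def ba_add2_wrong(y, v):
    lst, _s = y
    return (cons(lst, v), bag_sum(cons(lst, v)))

def glue(x, y):
    """J(x, y): list_a = list_c ∧ S_a = S_c."""
    return x == y

def abstract_states(max_len=2):
    """Abstract states satisfying I: bags over the slice of length ≤ max_len,
    with S = sum(list) (inv3)."""
    return [(bag, bag_sum(bag))
            for n in range(max_len + 1)
            for bag in product(INTS, repeat=n)]

def check_refinement(guard_c, ba_c):
    """Conditions 2 and 3 of the lemma for one concrete event refining ADD.
    Returns None if no counterexample exists in the slice, else a tuple naming
    the failed condition and the offending state and value."""
    for x in abstract_states():
        y = x                       # J(x, y) leaves exactly one concrete state
        for v in INTS:
            if not guard_c(v):
                continue
            # 2. I(x) ∧ J(x, y) ∧ g_c(y) ⇒ g_a(x)
            if not guard_a(v):
                return ("guard", x, v)
            # 3. J(x, y) ∧ B_a(x, x′) ∧ B_c(y, y′) ⇒ J(x′, y′)
            x2, y2 = ba_a(x, v), ba_c(y, v)
            if not glue(x2, y2):
                return ("compat", x, v, x2, y2)
    return None

if __name__ == "__main__":
    print("ADD1 refines ADD:", check_refinement(guard_add1, ba_add1))        # None
    print("ADD2 refines ADD:", check_refinement(guard_add2, ba_add2))        # None
    print("wrong ADD2:      ", check_refinement(guard_add2, ba_add2_wrong))  # compat failure
```

As on the slide, both before-after predicates are instantiated with the same parameter v; the general REFINE obligation only asks for some abstract after-state x′, so this shared-parameter check is the stronger, simpler condition of the lemma rather than the obligation itself.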
Preservation of Termination

Definition
A simple refinement from M to N is called termination preserving if there is no infinite trace (s_i)_{i≥0} for the concrete machine N with matching sequence (e_i)_{i≥0} of events from E_N such that for some n all e_j with j ≥ n are new.
Preservation of Termination

Lemma
Let N be a simple refinement of M. If the proof obligation
  VARIANT  A ⊢ I(x) ∧ J(x, y) ∧ B_e(y, y′) ⇒ V(y) > V(y′)
is satisfied for all new events e ∈ E_N, where V is a function into a well-founded domain (D, >), then the refinement is termination preserving.
Proof
If the refinement were not termination preserving there would, according to the above definition, be an infinite trace (s_i)_{i≥0} for N with matching sequence (e_i)_{i≥0} such that all e_j for j ≥ n are new.
Since we assumed the VARIANT proof obligation to be satisfied this would lead to V(s_n) > V(s_{n+1}) > … > V(s_j) > ….
This contradicts the well-foundedness of the ordering (D, >).
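A bounded check of the VARIANT obligation, as an added example that is not from the slides. The machines are constructed for illustration: the abstract state is a single counter, the concrete state y = (n, credits) adds a variable credits ∈ ℕ that the abstract machine does not have, the glue invariant J(x, y) says the two counters agree, and the new event SPEND (refining skip) decrements credits while it is positive. With V(y) = credits over (ℕ, >) the obligation holds; a second constructed new event REFILL that increments credits violates it, and the unbounded run of consecutive new events it allows is the kind of trace the lemma rules out. The REFINE-Skip obligation from the criterion slide is checked alongside, and the bound on the enumerated slice is the script's own assumption.

```python
BOUND = 4                          # constructed slice of ℕ for both variables
NATS = range(0, BOUND + 1)

def concrete_states():
    """All typed concrete states y = (n, credits) in the slice."""
    return [(n, c) for n in NATS for c in NATS]

def glue(x, y):
    """J(x, y): the abstract counter x equals the concrete counter."""
    return x == y[0]

def variant(y):
    """V(y) = credits, a function into the well-founded domain (ℕ, >)."""
    return y[1]

# New event SPEND (refines skip): when credits > 0 then credits := credits − 1.
def guard_spend(y):
    return y[1] > 0

def ba_spend(y):
    return (y[0], y[1] - 1)

# Constructed faulty new event REFILL: credits := credits + 1, always enabled.
def guard_refill(y):
    return True

def ba_refill(y):
    return (y[0], y[1] + 1)

def check_new_event(guard, ba):
    """REFINE-Skip and VARIANT for one new event, over the slice.  Returns None
    if no counterexample exists in the slice, else (obligation, y, y′)."""
    for y in concrete_states():
        if not guard(y):
            continue
        x = y[0]                   # the abstract state with J(x, y)
        y2 = ba(y)
        # REFINE-Skip: I(x) ∧ J(x, y) ∧ B_e(y, y′) ⇒ J(x, y′)
        if not glue(x, y2):
            return ("REFINE-Skip", y, y2)
        # VARIANT: I(x) ∧ J(x, y) ∧ B_e(y, y′) ⇒ V(y) > V(y′), with V(y′) ∈ ℕ
        if variant(y2) < 0 or not variant(y) > variant(y2):
            return ("VARIANT", y, y2)
    return None

def new_event_run(y0, guard, ba, limit=50):
    """Number of consecutive new events that can fire from y0, capped at limit;
    reaching the cap is the bounded witness of a trace that ends in new events only."""
    y, steps = y0, 0
    while steps < limit and guard(y):
        y, steps = ba(y), steps + 1
    return steps

if __name__ == "__main__":
    print("SPEND :", check_new_event(guard_spend, ba_spend))     # None
    print("REFILL:", check_new_event(guard_refill, ba_refill))   # VARIANT counterexample
    print("SPEND run from credits=3 :", new_event_run((0, 3), guard_spend, ba_spend))
    print("REFILL run from credits=0:", new_event_run((0, 0), guard_refill, ba_refill))
```

The run length from credits = 3 under SPEND is exactly the variant value, which is the descending chain V(s_n) > V(s_{n+1}) > … of the proof made concrete; under REFILL the run hits the cap because no variant into ℕ can decrease on an event that only increments.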