The B Method


Presentation Transcript


  1. The B Method by Péter Györök

  2. Contents • Metadata • The B language • The Prover • Demo

  3. People behind it • Developed by Jean-Raymond Abrial • Other people: G. Laffite, F. Mejia, I. McNeal • Currently big companies and various universities maintain it • ClearSy, Oxford University (Programming Research Group) • Subsidised projects

  4. History, origin, versions • Predecessor: Z-notation (also by Abrial) • Newest incarnation: Event-B • Tools: Atelier B, B4free, B-toolkit

  5. Primary application domain • Software engineering • Specification • Design • Proof • Code generation • Safety-critical systems • Big companies that use it: Siemens, Alstom, Systerel…

  6. Success stories • METEOR project – Paris Metro Line 14 • (Hungarian relevance?) • Ariane 5 (rocket)

  7. System overview • B notation based on group theory and first order logic • The method is heavily focused on system development • Multiple versions of the system: abstract machine -> refinements -> implementation • The proofs are for the consistency between versions • Syntax is expressed using mathematical symbols or their ASCII equivalents (e.g. ! for ∀) • Lots of syntactic sugar for easily writing down expressions

  8. Language features • Types: based on set theory. Types are either basic (integer, bool, string, enum) or built using Cartesian product, powerset or record • Types inferred by typing predicates (∈, ⊂, ⊆, =) • The type of something is „the biggest set that contains it” • The type of integer literals and expressions is ℤ • The type of a set literal or expression is ℘(set), e.g. ℤ ∈ ℘(ℤ) • The type of a function from X to Y is ℘(X × Y) • Distinction of „concrete” types that can be used in implementation • Many advanced types such as array, sequence, relation, tree – each with their own set of operators

  9. Language features • Expressions and predicates • Predicates use the syntax of first order logic • Expressions of various types use the types’ specific operators • Lambda expressions are allowed • Substitutions • Allow a predicate to be transformed ([x := E] P) • Resemble features of an imperative language • Also some „alien” features (precondition etc.) • Proof obligations are derived from substitutions • Can be nondeterministic (but the implementation must be deterministic, cf. concrete types)

  10. Language features • Some types of substitution • BEGIN…END • skip • := :() :∈ • PRE • ASSERT • IF • CASE • LET • VAR • ; • || • WHILE

  11. Language features • Machine • The „thing” that we are reasoning about • Resembles classes from OOP • Can be abstract, refinement or implementation • Special constraints apply to implementations • Elements of a machine: • Parameters and their constraints • Imports, sees, includes etc. • Sets (enum or „deferred”) • Abstract and concrete constants, variables

  12. Language features • Elements of a machine • Properties, invariants • Values (!) • Initialisation and operations – expressed as a substitution • Operations can have multiple return values • Assertions – this makes it possible to use B as a mathematical proof assistant

  13. Language features • Example: adding assertions to help with a proof.

    MACHINE MA
    CONCRETE_VARIABLES var
    INVARIANT var ∈ INT ∧ var² = 1
    ASSERTIONS var = 1 ∨ var = -1
    ...
    END

  • var ∈ INT is the typing predicate. • The assertion must be proven from the invariant. Then it can be used as a lemma in other proofs.

  14. Language features • The B0 language • Restricted version of the B language • Used for implementation only • Substitutions are equivalent to instructions • Translated to C(++), Ada etc.

  15. The Prover • Atelier B uses both an automatic and an interactive prover • The basic concept is the proof obligation (PO): Goal + hypotheses • The prover doesn’t typecheck – that’s part of the proof! e.g. b = e1 + e2 where b ∈ BOOL and e1 ∈ ℤ, e2 ∈ ℤ is a legal goal which is unprovable • Well-definedness must be proved too, e.g. 8/c is well-defined if c ≠ 0

  16. The Prover • Proof obligations • The types of things match up • The refinements are consistent • The initialisation sets the invariants and the operations keep them • The operations meet their pre/postconditions • Assertions are true

  17. The Prover • Rules: inductive, deductive and rewriting • Theory: a list of rules (higher index has priority) • Tactic: a list of theories to search for an applicable rule • Backward tactic divides the goal into subgoals • Forward tactic generates new hypotheses • A full tactic is the combination of the two

  18. The Prover • Procedure of applying the tactic: • Search the backward tactic for an applicable rule • If one is found, apply it and continue with the next theory • Tilde (~) can be used as the „repeat” operator • The whole tactic is implicitly tilded • For every new hypothesis generated, run the forward tactic with the same procedure

  19. The Prover • The theory is fully customizable, even with inconsistent rules! • The prover might loop infinitely • Proof obligations are normalized • Examples: n > m becomes m+1 <= n, a ⇔ b becomes (a ⇒ b) ∧ (b ⇒ a), a ⊆ b becomes a ∈ ℘(b)
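The rule / theory / tactic mechanism of slides 17 to 19 can be made concrete with a small term-rewriting engine. The following Python is an added example written for this transcript; it is not code from the slides or from Atelier B. Goals are represented as nested tuples, rule patterns use `?x` variables, the operator names (`iff`, `imp`, `subset`, `pow`, …) are my own ASCII encoding, and the three rules are exactly the normalisation examples from slide 19. The step limit stands in for the "prover might loop infinitely" caveat: a theory whose rules undo each other never reaches a normal form.

```python
"""Toy model of Atelier B's rules, theories and tactics (added example, not Atelier B code)."""

# A term is a string leaf or a tuple (operator, arg1, arg2, ...).
# A rule is (lhs_pattern, rhs_pattern); pattern variables start with '?'.
# A theory is a list of rules; the rule with the HIGHER index has priority (slide 17).
NORMALISATION_THEORY = [
    (('subset', '?a', '?b'), ('in', '?a', ('pow', '?b'))),                      # a ⊆ b  ->  a ∈ ℘(b)
    (('iff', '?a', '?b'), ('and', ('imp', '?a', '?b'), ('imp', '?b', '?a'))),   # a ⇔ b  ->  (a ⇒ b) ∧ (b ⇒ a)
    (('>', '?n', '?m'), ('<=', ('+', '?m', '1'), '?n')),                        # n > m  ->  m + 1 <= n
]

# Constructed inconsistent theory (slide 19): the two rules rewrite each other forever.
LOOPING_THEORY = [
    (('<', '?a', '?b'), ('>', '?b', '?a')),
    (('>', '?a', '?b'), ('<', '?b', '?a')),
]


def match(pattern, term, env):
    """Structural match; binds pattern variables in env, returns True on success."""
    if isinstance(pattern, str) and pattern.startswith('?'):
        if pattern in env:
            return env[pattern] == term
        env[pattern] = term
        return True
    if isinstance(pattern, str) or isinstance(term, str):
        return pattern == term
    if len(pattern) != len(term) or pattern[0] != term[0]:
        return False
    return all(match(p, t, env) for p, t in zip(pattern[1:], term[1:]))


def instantiate(pattern, env):
    """Build the right-hand side from the bindings collected by match()."""
    if isinstance(pattern, str):
        return env.get(pattern, pattern)
    return (pattern[0],) + tuple(instantiate(p, env) for p in pattern[1:])


def apply_rule(rule, term):
    """Try the rule at the root, then inside each argument; None if it applies nowhere."""
    lhs, rhs = rule
    env = {}
    if match(lhs, term, env):
        return instantiate(rhs, env)
    if isinstance(term, str):
        return None
    for i in range(1, len(term)):
        new = apply_rule(rule, term[i])
        if new is not None:
            return term[:i] + (new,) + term[i + 1:]
    return None


def apply_theory_once(theory, term):
    """Scan the theory from the highest index down and apply the first rule that fits."""
    for index in range(len(theory) - 1, -1, -1):
        new = apply_rule(theory[index], term)
        if new is not None:
            return new, index
    return None, None


def run_tactic(tactic, term, max_steps=100):
    """tactic: list of (theory, tilded). One pass visits the theories in order; a theory
    applies one rule, or repeats until none fits when tilded (~). The whole tactic is
    implicitly tilded (slide 18): passes repeat until a full pass changes nothing.
    Returns (rewritten term, list of rule indices applied)."""
    trace, steps = [], 0
    while True:
        changed = False
        for theory, tilded in tactic:
            while True:
                new, index = apply_theory_once(theory, term)
                if new is None:
                    break
                steps += 1
                if steps > max_steps:
                    raise RuntimeError("tactic did not terminate (inconsistent theory?)")
                trace.append(index)
                term, changed = new, True
                if not tilded:
                    break
        if not changed:
            return term, trace


def normalise(term):
    """Normalise a proof obligation with the slide-19 rules as a single tilded theory."""
    return run_tactic([(NORMALISATION_THEORY, True)], term)[0]


def loops_forever(theory, term):
    """True if the (untilded) theory never reaches a normal form within the step budget."""
    try:
        run_tactic([(theory, False)], term)
        return False
    except RuntimeError:
        return True


if __name__ == "__main__":
    goal = ('and', ('iff', 'p', 'q'), ('>', 'n', 'm'))   # constructed goal
    print(run_tactic([(NORMALISATION_THEORY, False)], goal))
    print("looping theory detected:", loops_forever(LOOPING_THEORY, ('>', 'n', 'm')))
```

The trace shows the priority order at work: on the constructed goal the `>` rule (index 2) fires before the `⇔` rule (index 1) even though `⇔` appears first in the term, because the theory is searched from the highest index down.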

  20. The Prover • Commands can be given to the interactive prover • The prover will try to prove what is needed to execute the command. If it fails, a new goal is created • ae: Abstract expression • P[…, expr, …] after ae(expr, y) becomes well-defined(expr) ∧ expr = y ⇒ P[…, y, …]

  21. Commands • ah: Add Hypothesis • If the goal was h1, …, hn ⇒ G, ah(P) replaces it with h1, …, hn ⇒ P and h1, …, hn, P ⇒ G • ct: proof by contradiction • Replaces a goal h1, …, hn ⇒ G with h1, …, hn, ¬G ⇒ bfalse

  22. Commands • dc: Do Cases • If the goal is G, use dc(P) to split it into ¬P ⇒ G and P ⇒ G • se: Suggest for Exist • If the goal is ∃(w1, …, wn).P(w1, …, wn), se(v1, …, vn) turns it into P(v1, …, vn)

  23. Commands • ap: Arithmetic Proof • An automated mechanism for proving things about systems of linear equations and inequations • pp: Predicate Prover • Another automated system • pr: Prover Call • Yet another (these all solve different kinds of goals) • ar: Apply Rule • Just applies a rule • dd: Deduction • For a goal P ⇒ Q, raise P into the hypothesis stack then prove Q • ba: Back • cg: display Current Goal • qu: Quit

  24. Demo • The task: decide if a given number is prime

  25. Creating a project

  26. Adding a component • Let’s add something to the empty project…

  27. Adding a component • Since this is our first component, the only choice is „Machine”.

  28. Editing • Now that we have a machine, double-click it in the „Components” list to edit

  29. Insert Theorem Here • What we want to enter there:

    MACHINE prim
    OPERATIONS
      p ← is_prim ( n ) =
      PRE n ∈ [3 .. MAXINT] THEN
        p := bool(∀ i . ( i ∈ [ 2 .. n-1 ] ⇒ ( n mod i ) ≠ 0 ))
      END
    END

  30. Insert Theorem Here • What it will look like in B: Atelier B hates single-letter identifiers, so we reduplicate everything

  31. Adding an implementation

    IMPLEMENTATION prim_i
    REFINES prim
    OPERATIONS
      pp <-- is_prim ( nn ) =
      BEGIN
        VAR ll , kk IN
          ll := TRUE ;
          kk := nn ;
          WHILE ( 2 /= kk & ll = TRUE ) DO
            IF nn mod (kk-1) = 0 THEN
              kk := kk-1 ;
              ll := FALSE
            ELSE
              kk := kk-1
            END
          INVARIANT
            ll : BOOL & nn : NAT & nn >= 3 & kk : 2..nn &
            (ll = TRUE => (! jj . (jj : kk..nn-1 => nn mod jj /= 0))) &
            (ll = FALSE => (kk : 2..nn-1 & nn mod kk = 0))
          VARIANT
            kk
          END ;
          pp := ll
        END
      END
    END
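To see what the proof obligations of slide 16 actually demand of the `prim` machine (slide 29) and its `prim_i` implementation (slide 31), here is an added Python example that transcribes both and checks the obligations by bounded execution. This is my own code, not part of the slides or of Atelier B; `MAXINT` is a constructed bound for the demo, and the loop invariant and variant are the ones written in the implementation above. Running the loop with the invariant asserted after initialisation and after every iteration, with the variant required to decrease and stay in NAT, and with the result compared against the abstract operation, exercises exactly the obligations the prover discharges symbolically: initialisation establishes the invariant, the loop body preserves it, the loop terminates, and the refinement agrees with the specification.

```python
"""Bounded check of the B proof obligations for prim / prim_i (added example, not B code)."""

MAXINT = 200   # constructed bound standing in for B's MAXINT in this demo


def is_prim_spec(n):
    """Abstract machine `prim`: p := bool(∀ i . (i ∈ [2 .. n-1] ⇒ n mod i ≠ 0)),
    under the precondition n ∈ [3 .. MAXINT]."""
    if not 3 <= n <= MAXINT:
        raise ValueError("precondition of is_prim violated")
    return all(n % i != 0 for i in range(2, n))


def invariant(nn, kk, ll):
    """Loop INVARIANT of prim_i, transcribed clause by clause from slide 31."""
    return (
        isinstance(ll, bool)                                           # ll : BOOL
        and nn >= 0 and nn >= 3                                        # nn : NAT & nn >= 3
        and 2 <= kk <= nn                                              # kk : 2..nn
        and (not ll or all(nn % jj != 0 for jj in range(kk, nn)))      # ll=TRUE => no divisor in kk..nn-1
        and (ll or (2 <= kk <= nn - 1 and nn % kk == 0))               # ll=FALSE => kk is a divisor
    )


def variant(kk):
    """VARIANT kk: must be a natural number and strictly decrease each iteration."""
    return kk


def is_prim_impl(nn, check=True):
    """Implementation `prim_i`. With check=True the obligations of slide 16 are asserted
    at runtime: invariant established by initialisation, preserved by the body,
    variant decreasing and staying in NAT."""
    ll, kk = True, nn                                    # ll := TRUE ; kk := nn
    if check:
        assert invariant(nn, kk, ll), "initialisation does not establish the invariant"
    while 2 != kk and ll:                                # WHILE (2 /= kk & ll = TRUE)
        v_before = variant(kk)
        if nn % (kk - 1) == 0:                           # IF nn mod (kk-1) = 0
            kk -= 1
            ll = False
        else:
            kk -= 1
        if check:
            assert invariant(nn, kk, ll), f"invariant broken at nn={nn} kk={kk} ll={ll}"
            assert 0 <= variant(kk) < v_before, "variant must decrease and stay in NAT"
    return ll                                            # pp := ll


def check_refinement(lo=3, hi=MAXINT):
    """Bounded analogue of the refinement PO: for every n satisfying the precondition,
    the implementation returns what the abstract operation specifies."""
    return all(is_prim_impl(n) == is_prim_spec(n) for n in range(lo, hi + 1))


def invariant_is_inductive(lo=3, hi=MAXINT):
    """True if no obligation assertion fires for any n in the bounded range."""
    try:
        for n in range(lo, hi + 1):
            is_prim_impl(n, check=True)
        return True
    except AssertionError:
        return False


if __name__ == "__main__":
    print("refinement agrees on 3..MAXINT:", check_refinement())
    print("invariant inductive on 3..MAXINT:", invariant_is_inductive())
    print("is_prim(97) =", is_prim_impl(97), " is_prim(91) =", is_prim_impl(91))
```

The bounded run is evidence, not proof: it covers 3..200 only, whereas the obligations Atelier B generates from the same invariant and variant quantify over every `nn` in the precondition. Weakening a clause in `invariant` (for instance dropping the `ll = FALSE` case) shows why the prover needs the full invariant: the loop still returns correct answers, but the invariant alone no longer implies `pp = FALSE` means a divisor was found, which is what the refinement obligation has to conclude.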

  32. Generate PO’s • Click „Po”, then „F0” to try to prove… Interactive Proof time!

  33. Interactive Prover • Double-click one

  34. Interactive Prover • Now we can enter commands.

  35. Completing the proof • Here are the commands to complete the proof:

    dc(jj = kk-1)
    pr
    ah(jj: kk..nn-1)
    pp(100)
    pr
    dc(ll$7777 = TRUE)
    dd
    ah(kk$7777 = 2)
    pr
    pp
    pr
    dd
    ah(ll$7777 = FALSE)
    pp
    dd
    pr
    se(kk$7777)
    pr

  36. Completing the proof • Green means success!

  37. THE END
