The Event-B Method: An Introduction
Victor Rivera
Innopolis University, Technologies and Software Development Institute, Software Engineering Lab.
October 29, 2015
Material taken from Modeling in Event-B by J.-R. Abrial.

Sections: The Event-B Method; A closer view to the method; An example
Outline
1 The Event-B Method: Motivation; Modelling vs Programming; Other variants
2 A closer view to the method: The Parachute Strategy; Event-B Components; Proofs
3 An example
Motivation
To build faultless systems! Users rely on systems on a daily basis (e.g. bank transactions, or even critical systems such as airplane software). They do not expect a malfunctioning system (Ariane 5!). Our job as developers, among many other things, is to deliver safe systems. How?
A solution could be:
to start with the modelling of the system in a very abstract and compact way;
to prove that everything is correct;
to add more details of the system (proving that we are still modelling the same initial system);
to finally end up with a correct implementation of the system.
Modelling vs Programming
Programming refers to the activity of constructing a piece of formal text that is supposed to instruct the computer how to fulfil certain tasks.
Modelling refers to the activity of building a system within which there is a certain piece of software.
When modelling, we do not have to say what is to be done, but to explain and formalise what we can observe.
Variants of formal development of systems
Principle: If the model of a system has a property, so does the real system.
Event-B: to design so as to guarantee that all properties are met.
Model Checking: to design and then to check whether all properties are met.
Design by Contract: to implement the software and, at the same time, to prove its properties.
A closer view to the method

The Parachute Strategy
The idea is to place oneself mentally above a system. What could we observe from there? Could we see some laws of the system that seem to be obeyed?
Example: Controlling Cars on a Bridge.
Abstract View (observe)
The system is controlling cars on a bridge between the mainland and an island.
Abstract View (laws)
There are cars entering/exiting the mainland. The number of cars on the bridge and the island is limited.
Let's go down with the parachute - more detailed (observe)
There is a bridge that connects the island with the mainland.
Let's go down with the parachute - more detailed (laws)
If a car from the mainland wants to enter the island, it needs to cross the bridge. The bridge is one way or the other, not both at the same time.
Let's go down with the parachute - more detailed (observe)
There are two traffic lights that control the entrance to the bridge.
Let's go down with the parachute - more detailed (laws)
A green mainland traffic light implies safe access to the bridge from the mainland. A green island traffic light implies safe access to the bridge from the island.
Let's go down with the parachute - more detailed (observe)
There are sensors placed at the entrance and exit of the bridge, on both the mainland side and the island side.
Let's go down with the parachute - more detailed (laws)
The sensors are used to detect the presence of cars entering or leaving the bridge.
Notions of the system
By observing the system we can identify two kinds of notions:
a notion of objects (e.g. cars, traffic lights, people): this notion constitutes the state of the model (static notion);
a notion of movement (e.g. of cars, traffic lights, people): this notion constitutes the events of the model (dynamic notion).
How can we encode these observations?
The Event-B Method
Description
Event-B is a formal modelling language for (mainly) reactive systems. It allows the modelling of complete systems (software plus hardware devices). It is based on Action Systems: it describes the state space of a system (static notion) and the possible actions that can be executed in it (dynamic notion).
Description
Event-B models are complete developments of discrete transition systems.
How it works: users write an abstract model of a program and define properties over it, and then transform the model into an implementation via a series of refinement steps. Each refinement adds more detail and properties to the system. The behaviour of each refinement is provably consistent with the behaviour of the previous step.
Event-B models are composed of:
contexts (static part): they define constants, uninterpreted sets and their properties, expressed as axioms;
machines (dynamic part): they define variables and their properties (invariants), and state transitions expressed as events.
Relationship between Machines and Contexts
Context Format
context ctx
  sets S
  constants c
  axioms X(s, c)
  theorems T(s, c)
end
Machine Format
machine M
  sees ctx
  variables v
  invariants I(s, c, v)
  variant E(s, c, v)
  events e
end
Event Format
event evt
  any x
  where G(s, c, v, x)
  then A(s, c, v, x)
end
Proofs
We need to formally prove the consistency of machines, e.g. that:
the machine invariant always holds;
there is no deadlock;
a model Mi+1 is indeed a refinement of the previous model Mi.
For this, a set of Proof Obligations is generated and we need to discharge them all!
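The three obligations above, and the context/machine/event components from the previous slides, mechanised on the bridge example as an added illustration (this is not code from the slides or from Abrial's book; the variable names n, d, a, b, c, the event names ML_out, ML_in, IL_in, IL_out, the gluing invariant n = a + b + c and the variant 2a + b are assumptions in the shape of the textbook model). It walks every reachable state for one fixed d, so it model-checks the obligations rather than proving them, and it also shows what the checker reports when ML_out is given a deliberately weak guard that forgets the one-way law.

```python
"""Exhaustive checker for Event-B-style machines, run on the cars-on-a-bridge model.
Added example, not code from the slides or Abrial's book: the names n, d, a, b, c,
the events, the glue and the variant are assumptions in the shape of the textbook
model.  It walks the reachable states for one fixed d (model checking, not proof)."""
from collections import deque
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

State = Tuple[Tuple[str, int], ...]           # hashable snapshot of the variables v

def mk(**vals: int) -> State:
    return tuple(sorted(vals.items()))

def upd(s: State, **changes: int) -> State:  # v := A(s, c, v) for the listed variables
    return mk(**{**dict(s), **changes})

def get(s: State, name: str) -> int:
    return dict(s)[name]

@dataclass(frozen=True)
class Event:
    name: str
    guard: Callable[[State], bool]            # G(s, c, v)
    action: Callable[[State], State]          # deterministic before-after relation
    refines: Optional[str] = None             # abstract event name; None = refines skip

@dataclass(frozen=True)
class Machine:
    init: State
    invariant: Callable[[State], bool]        # I(s, c, v)
    events: Tuple[Event, ...]
    variant: Optional[Callable[[State], int]] = None   # E(s, c, v), decreased by new events

def reachable(m: Machine) -> List[State]:
    """Breadth-first walk from init.  As in the INV obligation, successors are only
    taken from states satisfying I; a violating state is kept for reporting but not
    expanded, which also keeps the walk finite when a weak guard lets a variable grow."""
    seen, todo = {m.init}, deque([m.init])
    while todo:
        s = todo.popleft()
        if not m.invariant(s):
            continue
        for t in (e.action(s) for e in m.events if e.guard(s)):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return sorted(seen)

def check_machine(m: Machine) -> List[str]:
    """INV: I holds in every reachable state.  DLF: some guard holds in every state."""
    problems = []
    for s in reachable(m):
        if not m.invariant(s):
            problems.append(f"INV violated at {dict(s)}")
        if not any(e.guard(s) for e in m.events):
            problems.append(f"deadlock at {dict(s)}")
    return problems

def check_refinement(abs_m: Machine, con_m: Machine, glue: Callable[[State], State]) -> List[str]:
    """Gluing invariant, guard strengthening (GRD), simulation (SIM) and variant
    decrease for new events, checked on every reachable concrete state."""
    abs_events = {e.name: e for e in abs_m.events}
    problems = []
    for s in reachable(con_m):
        a = glue(s)
        if not abs_m.invariant(a):
            problems.append(f"gluing invariant broken at {dict(s)}")
        for e in con_m.events:
            if not e.guard(s):
                continue
            t = e.action(s)
            if e.refines is None:                     # new event: must refine skip
                if glue(t) != a:
                    problems.append(f"{e.name} changes the abstract state at {dict(s)}")
                if con_m.variant is None or con_m.variant(t) >= con_m.variant(s):
                    problems.append(f"{e.name} does not decrease the variant at {dict(s)}")
            else:
                ae = abs_events[e.refines]
                if not ae.guard(a):                   # GRD: concrete guard implies abstract guard
                    problems.append(f"{e.name} enabled while {ae.name} is not, at {dict(s)}")
                elif glue(t) != ae.action(a):         # SIM: same effect, seen through the glue
                    problems.append(f"{e.name} does not simulate {ae.name} at {dict(s)}")
    return problems

def abstract_bridge(d: int) -> Machine:
    """n = cars on the bridge plus the island; the law is n <= d."""
    n = lambda s: get(s, "n")
    return Machine(mk(n=0), lambda s: 0 <= n(s) <= d, (
        Event("ML_out", lambda s: n(s) < d, lambda s: upd(s, n=n(s) + 1)),
        Event("ML_in", lambda s: n(s) > 0, lambda s: upd(s, n=n(s) - 1))))

def refined_bridge(d: int, one_way_guard: bool = True) -> Machine:
    """a = cars on the bridge towards the island, b = cars on the island, c = cars on
    the bridge towards the mainland.  One-way law: a = 0 or c = 0.  With
    one_way_guard=False, ML_out omits the check c = 0 (a deliberately weak guard)."""
    a, b, c = (lambda s: get(s, "a")), (lambda s: get(s, "b")), (lambda s: get(s, "c"))
    return Machine(
        mk(a=0, b=0, c=0),
        lambda s: a(s) + b(s) + c(s) <= d and (a(s) == 0 or c(s) == 0),
        (Event("ML_out", lambda s: a(s) + b(s) < d and (c(s) == 0 or not one_way_guard),
               lambda s: upd(s, a=a(s) + 1), refines="ML_out"),
         Event("ML_in", lambda s: c(s) > 0, lambda s: upd(s, c=c(s) - 1), refines="ML_in"),
         Event("IL_in", lambda s: a(s) > 0, lambda s: upd(s, a=a(s) - 1, b=b(s) + 1)),
         Event("IL_out", lambda s: b(s) > 0 and a(s) == 0, lambda s: upd(s, b=b(s) - 1, c=c(s) + 1))),
        variant=lambda s: 2 * a(s) + b(s))        # strictly decreased by IL_in and IL_out

def bridge_glue(s: State) -> State:
    """Gluing invariant n = a + b + c, as a map from concrete to abstract state."""
    return mk(n=get(s, "a") + get(s, "b") + get(s, "c"))

if __name__ == "__main__":
    print("abstract d=0:", check_machine(abstract_bridge(0)))   # deadlock: an axiom d > 0 is needed
    print("refinement d=3:", check_refinement(abstract_bridge(3), refined_bridge(3), bridge_glue))
    print("weak guard d=3:", check_machine(refined_bridge(3, one_way_guard=False)))
```

Two observations from running it. With d = 0 the abstract machine deadlocks in its initial state, which is why the context needs an axiom d > 0 before deadlock freedom can be proved. With the weak guard, the checker reports an INV violation at a = 1, c = 1 (both directions on the bridge) and, in the refinement check, a state where the concrete ML_out is enabled while the abstract one is not: the guard is the precondition that makes the obligation dischargeable, and removing it is exactly the kind of defect the proof obligations exist to catch.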
Invariant Preservation
Event-B event:
event evt
  any x
  where G(s, c, v, x)
  then v :| BA(x, s, c, v, v')
end

PO generated (INV):
X(s, c), I(s, c, v), G(s, c, v, x), BA(x, s, c, v, v') ⊢ I(s, c, v')

Sequent H ⊢ G: under the hypotheses H, prove the goal G.
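The INV obligation instantiated on the abstract bridge model, as an added worked example that is not part of the slides (the names n for the cars on the bridge and the island, d for the limit, and ML_out for a car leaving the mainland are assumed, in the shape of Abrial's model):

Context axiom and machine invariant:
$$X:\; d \in \mathbb{N} \qquad\qquad I:\; n \in \mathbb{N} \,\wedge\, n \le d$$
Event ML_out (a car leaves the mainland for the bridge), with its guard and before-after predicate:
$$G:\; n < d \qquad\qquad BA:\; n' = n + 1$$
The generated INV obligation for ML_out:
$$d \in \mathbb{N},\; n \in \mathbb{N},\; n \le d,\; n < d,\; n' = n + 1 \;\vdash\; n' \in \mathbb{N} \,\wedge\, n' \le d$$
Substituting n' = n + 1 turns the goal into n + 1 ∈ ℕ ∧ n + 1 ≤ d; the first conjunct follows from n ∈ ℕ and the second is exactly the hypothesis n < d, so the sequent is discharged. Drop the guard and the hypothesis n < d disappears:
$$d \in \mathbb{N},\; n \in \mathbb{N},\; n \le d,\; n' = n + 1 \;\vdash\; n + 1 \le d$$
which fails at n = d. The unprovable obligation points at exactly the state the guard has to exclude.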
An example using the Event-B Method

Thank you!