
CSC 4504 : Langages formels et applications (La méthode Event-B) J Paul Gibson, A207

CSC 4504 : Langages formels et applications (La méthode Event-B) J Paul Gibson, A207 paul.gibson@it-sudparis.eu http://www-public.it-sudparis.eu/~gibson/Teaching/Event-B/. Proof http://www-public.it-sudparis.eu/~gibson/Teaching/Event-B/Proof.pdf. Thanks to Jean-Raymond Abrial.





Presentation Transcript


  1. CSC 4504 : Langages formels et applications (La méthode Event-B) J Paul Gibson, A207 paul.gibson@it-sudparis.eu http://www-public.it-sudparis.eu/~gibson/Teaching/Event-B/ Proof http://www-public.it-sudparis.eu/~gibson/Teaching/Event-B/Proof.pdf Thanks to Jean-Raymond Abrial T&MSP-CSC 4504 : Langages formels et applications

  2. Language of Predicates

  3. Language of Predicates: Classical Results

  4. Language of Predicates: Classical Results

  5. Language of Predicates: Classical Results

  6. Language of Predicates: Classical Results

  7. Language of Predicates: Classical Results

  8. Language of Predicates: Refining the language

  9. Predicates & Expressions • A Predicate is a formal text that can be PROVED • An Expression DENOTES AN OBJECT • A Predicate denotes NOTHING • An Expression CANNOT BE PROVED • Predicates and Expressions are INCOMPATIBLE

  10. VARIABLES, PROPOSITIONS AND PREDICATES

  11. WHAT CAN WE DO WITH A PREDICATE ?

  12. SUBSTITUTION

  13. UNIVERSAL QUANTIFICATION

  14. Well-formedness • Each occurrence of an identifier in a formula (that is, a predicate or an expression) can be either free or bound. Intuitively, a free occurrence of an identifier refers to a declaration of that identifier in a scope outside of the formula, while a bound occurrence corresponds to a local declaration introduced by a quantifier in the formula itself. • For a formula to be considered well-formed, we ask that, beyond being syntactically correct, it also satisfies the two following conditions: • 1. Any identifier that occurs in the formula should have only free occurrences or bound occurrences, but not both. • 2. Any identifier that occurs bound in the formula should be bound in exactly one place (i.e., by only one quantifier).
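The two conditions of slide 14, as an added worked example (this code is not part of the slides or of the Rodin tool): a checker that walks a small tuple-encoded predicate language, records for every identifier whether it occurs free, bound or both, and counts how many quantifiers bind it. The tuple encoding and the constructed formulas OK, MIXED and TWICE are assumptions of the example.

```python
# Added example (not from the slides or the Rodin tool): a checker for the two
# well-formedness conditions of slide 14 on a small predicate language.
# Formulas are nested tuples (this encoding is an assumption of the example):
#   ('var', 'x')                       an occurrence of identifier x
#   ('num', 3)                         an integer literal
#   ('and', P, Q), ('imp', P, Q), ('not', P)
#   ('eq', E1, E2), ('lt', E1, E2), ('add', E1, E2)
#   ('forall', 'x', P), ('exists', 'x', P)   one quantifier binding x in P

QUANTIFIERS = {'forall', 'exists'}

def occurrences(formula, bound=frozenset(), acc=None):
    """Walk the formula and record, per identifier, which kinds of occurrence
    it has ('free' / 'bound') and how many quantifiers bind it.

    Returns a pair (kinds, binders):
      kinds[name]   -> set of 'free' / 'bound'
      binders[name] -> number of quantifiers that bind name
    """
    if acc is None:
        acc = ({}, {})
    kinds, binders = acc
    tag = formula[0]
    if tag == 'var':
        name = formula[1]
        kinds.setdefault(name, set()).add('bound' if name in bound else 'free')
    elif tag in QUANTIFIERS:
        name, body = formula[1], formula[2]
        binders[name] = binders.get(name, 0) + 1
        occurrences(body, bound | {name}, acc)      # name is bound inside body
    else:
        for child in formula[1:]:
            if isinstance(child, tuple):            # skip literal payloads
                occurrences(child, bound, acc)
    return acc

def well_formedness_errors(formula):
    """Return the list of violations of the two conditions of slide 14;
    an empty list means the (syntactically correct) formula is well-formed."""
    kinds, binders = occurrences(formula)
    errors = []
    for name in sorted(kinds):
        if kinds[name] == {'free', 'bound'}:        # condition 1
            errors.append(f"{name} occurs both free and bound")
    for name in sorted(binders):
        if binders[name] > 1:                       # condition 2
            errors.append(f"{name} is bound by {binders[name]} quantifiers")
    return errors

def free_identifiers(formula):
    """The identifiers a formula takes from its outer scope."""
    kinds, _ = occurrences(formula)
    return sorted(name for name, k in kinds.items() if 'free' in k)

# Constructed formulas: x is quantified, n is declared outside the formula.
X, N = ('var', 'x'), ('var', 'n')
OK = ('forall', 'x', ('imp', ('lt', X, N), ('lt', X, ('add', N, ('num', 1)))))
MIXED = ('and', ('lt', X, ('num', 0)), ('forall', 'x', ('lt', X, ('num', 1))))
TWICE = ('and', ('forall', 'x', ('lt', X, N)), ('exists', 'x', ('eq', X, N)))

if __name__ == '__main__':
    for name, f in [('OK', OK), ('MIXED', MIXED), ('TWICE', TWICE)]:
        print(name, well_formedness_errors(f) or 'well-formed', free_identifiers(f))
```

OK is well-formed with n free; MIXED breaks condition 1 (x is free in the left conjunct and bound in the right one) and TWICE breaks condition 2 (x is bound by two different quantifiers, even though all its occurrences are bound).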

  15. Well-formedness: checking automatically There are pages of rules for checking this on the abstract syntax of Event-B expressions. For example:

  16. Type Checking Type checking consists of checking, statically, that a formula is meaningful in a certain context. For that, we associate a type with each expression that occurs in a formula. This type is the set of all values that the expression can take. Then, we check that the formula abides by some type checking rules. Those rules enforce that the operators used can be meaningful. Unfortunately, type checking, as it is a static check, cannot by itself prove that a formula is meaningful. For some operators, like integer division, we will also need to check some additional dynamic constraints (e.g., that the denominator is not zero).

  17. Type Checking A type denotes the set of values that an expression can take. Moreover, we want this set to be derived statically, based on the form of the expression and the context in which it appears. As a consequence, a type can take one of the three following forms:

  18. Type Checking A type variable is a meta-variable that can denote any type. We shall use lowercase Greek letters to denote type variables. A typing environment represents the context in which a formula is to be type checked. A typing environment is a partial function from the set of all identifiers to the set of all possible types. For instance, the typing environment

  19. Type Checking - Rules There are pages of rules for checking this on the abstract syntax of Event-B expressions. For example:

  20. Type Checking – Rules (Example)

  21. Dynamic Checking Static checks are not enough to ensure that a formula is meaningful. For instance, the expression x÷y passes all the static checks described above; nevertheless it is meaningless if y is zero. The aim of dynamic checking is to detect this kind of meaningless formula. This is done by generating (and then proving) a well-definedness lemma.

  22. Dynamic Checking (Well-definedness WD) WD lemmas for predicates

  23. Dynamic Checking (Well-definedness WD) WD lemmas for binary and unary expressions

  24. Dynamic Checking (Well-definedness WD) WD lemmas for other expressions
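Static type checking with a typing environment (slides 16-20) and the generation of WD lemmas (slides 21-24), as one added worked example on a fragment of the Event-B language (this code is not part of the slides or of the Rodin tool). The tuple encoding, the explicit type annotation on the bound variable of ∀ (Rodin infers it with type variables and unification, which this example omits) and the constructed predicate DIV_PRED are assumptions of the example. It shows the point of slide 21 directly: x÷y is accepted by the type checker, and the WD lemma y ≠ 0 is what remains to be proved.

```python
# Added example (not from the slides or the Rodin tool): a static type checker
# with a typing environment (slides 16-18) and a generator of well-definedness
# lemmas (slides 21-24) for a fragment of the Event-B language.  The tuple
# encoding, the explicit type annotation on ∀ (Rodin infers it) and the absence
# of type variables are simplifications made for this example.
#   types:       'Z', ('set', t)
#   expressions: ('var', x), ('num', n), ('add'|'sub'|'mul'|'div'|'mod', a, b), ('card', S)
#   predicates:  ('true',), ('and'|'or'|'imp', P, Q), ('not', P), ('eq'|'lt'|'le', a, b),
#                ('in', x, S), ('finite', S), ('forall', x, t, P)
# A typing environment is a dict identifier -> type (a partial function).

ARITH = {'add', 'sub', 'mul', 'div', 'mod'}
TRUE = ('true',)

def is_set(t):
    return isinstance(t, tuple) and t[0] == 'set'

def type_of(e, env):
    """Static type of an expression, or TypeError if it has none."""
    tag = e[0]
    if tag == 'var':
        if e[1] not in env:
            raise TypeError(f"{e[1]} is not in the typing environment")
        return env[e[1]]
    if tag == 'num':
        return 'Z'
    if tag in ARITH:
        if any(type_of(a, env) != 'Z' for a in e[1:]):
            raise TypeError(f"{tag} expects integer operands")
        return 'Z'
    if tag == 'card':
        if not is_set(type_of(e[1], env)):
            raise TypeError("card expects a set")
        return 'Z'
    raise TypeError(f"unknown expression {tag}")

def check_pred(p, env):
    """Type check a predicate: True if it is well typed, else TypeError."""
    tag = p[0]
    if tag == 'true':
        return True
    if tag in ('and', 'or', 'imp'):
        return check_pred(p[1], env) and check_pred(p[2], env)
    if tag == 'not':
        return check_pred(p[1], env)
    if tag in ('eq', 'lt', 'le'):
        t1, t2 = type_of(p[1], env), type_of(p[2], env)
        if t1 != t2 or (tag != 'eq' and t1 != 'Z'):
            raise TypeError(f"{tag} applied to operands of types {t1}, {t2}")
        return True
    if tag == 'in':
        if type_of(p[2], env) != ('set', type_of(p[1], env)):
            raise TypeError("x ∈ S needs S of type P(type of x)")
        return True
    if tag == 'finite':
        if not is_set(type_of(p[1], env)):
            raise TypeError("finite expects a set")
        return True
    if tag == 'forall':                         # extend the environment locally
        return check_pred(p[3], {**env, p[1]: p[2]})
    raise TypeError(f"unknown predicate {tag}")

def well_typed(p, env):
    try:
        return check_pred(p, env)
    except TypeError:
        return False

def conj(a, b):
    """a ∧ b, dropping a trivially true conjunct."""
    return b if a == TRUE else a if b == TRUE else ('and', a, b)

def wd(f):
    """Well-definedness lemma of an expression or predicate (Event-B WD rules)."""
    tag = f[0]
    if tag in ('var', 'num', 'true'):
        return TRUE
    if tag in ('div', 'mod'):                   # WD(a ÷ b) = WD(a) ∧ WD(b) ∧ b ≠ 0
        return conj(conj(wd(f[1]), wd(f[2])), ('not', ('eq', f[2], ('num', 0))))
    if tag == 'card':                           # WD(card(S)) = WD(S) ∧ finite(S)
        return conj(wd(f[1]), ('finite', f[1]))
    if tag in ('and', 'imp', 'or'):             # WD(P) ∧ (P ⇒ WD(Q)); ¬P ⇒ WD(Q) for ∨
        p, q = f[1], wd(f[2])
        if q == TRUE:
            return wd(p)
        return conj(wd(p), ('imp', ('not', p) if tag == 'or' else p, q))
    if tag == 'forall':                         # WD(∀x·P) = ∀x·WD(P)
        body = wd(f[3])
        return TRUE if body == TRUE else ('forall', f[1], f[2], body)
    result = TRUE                               # ¬, =, <, ∈, finite, arithmetic
    for c in f[1:]:
        if isinstance(c, tuple):
            result = conj(result, wd(c))
    return result

# Constructed input: ∀y · (¬ y = 0 ⇒ x ÷ y = 2), with x : Z and S : P(Z).
X, Y, S = ('var', 'x'), ('var', 'y'), ('var', 'S')
ENV = {'x': 'Z', 'S': ('set', 'Z')}
DIV_PRED = ('forall', 'y', 'Z', ('imp', ('not', ('eq', Y, ('num', 0))),
                                          ('eq', ('div', X, Y), ('num', 2))))

if __name__ == '__main__':
    print('well typed:', well_typed(DIV_PRED, ENV))
    print('WD lemma  :', wd(DIV_PRED))
```

The WD lemma of DIV_PRED is ∀y·(¬ y = 0 ⇒ ¬ y = 0): the guard of the implication is what makes the division well defined, and the lemma is trivially provable. Remove the guard and the lemma becomes ∀y·¬ y = 0, which is false, so the predicate would be rejected at the dynamic stage although it still type checks.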

  25. Inference Rules: for (automated) reasoning • "Ich wollte zunächst einmal einen Formalismus aufstellen, der dem wirklichen Schließen möglichst nahe kommt. So ergab sich ein „Kalkül des natürlichen Schließens"." • ("First I wished to construct a formalism that comes as close as possible to actual reasoning. Thus arose a "calculus of natural deduction".) • — Gentzen, Untersuchungen über das logische Schließen (Mathematische Zeitschrift 39, pp. 176-210, 1935)

  26. Inference Rules: for (automated) reasoning Tabular notation of an inference rule: antecedent, name, consequent

  27. Inference Rules: for (automated) reasoning

  28. Inference Rules: for (automated) reasoning The inference rules for ∧

  29. Inference Rules: for (automated) reasoning The inference rules for ∧ (continued)

  30. Inference Rules: for (automated) reasoning The inference rules for ¬: contradiction rules ("reductio ad absurdum")

  31. Inference Rules: for (automated) reasoning A proof (by hand)

  32. General principle of a predicate prover • We proceed by induction on the syntax of the goal P of a sequent HYP |- P; the rules are applied backward. • Only the following are moved into the hypotheses (using DED): – simple predicates (no ∧, =>, . . .), or – universally quantified (∀) predicates, in normalised form. • We stop at an axiom, or at HYP |- FALSE while looking for a contradiction in the hypotheses. • Otherwise the proof is restarted, looking for new instantiations of the variables of the quantified predicates (filtering + unification).

  33. Rules of a predicate prover (generic) generic operation

  34. Rules of a predicate prover (∧): the generic rules instantiated with ∧

  35. Rules of a predicate prover (=>): the generic rules instantiated with => Winning tactic: use rule =>4 last

  36. Rules of a predicate prover (¬): the generic rules instantiated with ¬

  37. Rules of a predicate prover (the axioms)
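The principle of slide 32 and the propositional rules of slides 33-37, as an added worked example (this code is not the slides' prover and is not Rodin's prover): a small backward prover for sequents HYP |- P that proceeds by induction on the syntax of the goal, moves only simple predicates into the hypotheses (DED), and, on the goal FALSE, looks for a contradiction in the hypotheses after closing them under a few forward rules. The tuple encoding, the helper names and the constructed formulas CONTRAPOSITION, DE_MORGAN and PEIRCE are assumptions of the example; it handles no quantifiers, so the restart-with-new-instantiations step of slide 32 is replaced by plain failure.

```python
# Added example (not the slides' prover, nor Rodin's): a small backward prover
# for propositional sequents HYP |- P, built on the principle of slide 32.
# Formulas are tuples (an assumption of this example):
#   ('var', 'P'), ('false',), ('and', A, B), ('or', A, B), ('imp', A, B), ('not', A)

FALSE = ('false',)

def neg(f):
    """¬f, with ¬¬A simplified to A."""
    return f[1] if f[0] == 'not' else ('not', f)

def add_hyp(hyps, h):
    """DED: move h into the hypotheses, keeping only 'simple' predicates:
    conjunctions are split, double negations are removed."""
    if h[0] == 'and':
        return add_hyp(add_hyp(hyps, h[1]), h[2])
    if h[0] == 'not' and h[1][0] == 'not':
        return add_hyp(hyps, h[1][1])
    return hyps | {h}

def saturate(hyps):
    """Forward closure of the hypotheses under a few sound rules; used when the
    goal is FALSE and we look for a contradiction among the hypotheses."""
    hyps = frozenset(hyps)
    while True:
        new = hyps
        for h in hyps:
            if len(h) < 2:
                continue
            tag, inner = h[0], h[1]
            if tag == 'imp' and inner in hyps:                  # modus ponens
                new = add_hyp(new, h[2])
            elif tag == 'or':                                   # disjunctive syllogism
                if neg(h[1]) in hyps:
                    new = add_hyp(new, h[2])
                if neg(h[2]) in hyps:
                    new = add_hyp(new, h[1])
            elif tag == 'not' and inner[0] == 'imp':            # ¬(A => B): A, ¬B
                new = add_hyp(add_hyp(new, inner[1]), neg(inner[2]))
            elif tag == 'not' and inner[0] == 'or':             # ¬(A ∨ B): ¬A, ¬B
                new = add_hyp(add_hyp(new, neg(inner[1])), neg(inner[2]))
            elif tag == 'not' and inner[0] == 'and':            # ¬(A ∧ B) with A: ¬B
                if inner[1] in hyps:
                    new = add_hyp(new, neg(inner[2]))
                if inner[2] in hyps:
                    new = add_hyp(new, neg(inner[1]))
        if new == hyps:
            return hyps
        hyps = new

def contradictory(hyps):
    """Axiom HYP |- FALSE: FALSE itself, or some A together with ¬A, among HYP."""
    return FALSE in hyps or any(neg(h) in hyps for h in hyps)

def prove(hyps, goal):
    """Backward search by induction on the syntax of the goal; True when the
    sequent HYP |- goal is proved, False when the search fails."""
    hyps = frozenset(hyps)
    tag = goal[0]
    if tag == 'and':                                  # prove both conjuncts
        return prove(hyps, goal[1]) and prove(hyps, goal[2])
    if tag == 'imp':                                  # DED: discharge the antecedent
        return prove(add_hyp(hyps, goal[1]), goal[2])
    if tag == 'not':                                  # assume A, derive FALSE
        return prove(add_hyp(hyps, goal[1]), FALSE)
    if tag == 'or':                                   # classical: ¬A |- B
        return prove(add_hyp(hyps, neg(goal[1])), goal[2])
    if tag == 'false':                                # look for a contradiction
        return contradictory(saturate(hyps))
    if goal in hyps:                                  # axiom
        return True
    return prove(add_hyp(hyps, neg(goal)), FALSE)     # reductio ad absurdum

# Constructed goals.
P, Q = ('var', 'P'), ('var', 'Q')
def imp(a, b):
    return ('imp', a, b)

CONTRAPOSITION = imp(imp(P, Q), imp(neg(Q), neg(P)))
DE_MORGAN = imp(('not', ('and', P, Q)), ('or', neg(P), neg(Q)))
PEIRCE = imp(imp(imp(P, Q), P), P)

if __name__ == '__main__':
    for name, f in [('contraposition', CONTRAPOSITION), ('De Morgan', DE_MORGAN), ('Peirce', PEIRCE)]:
        print(name, 'proved' if prove(set(), f) else 'not proved')
```

The search is sound but not complete: it never case-splits on a disjunction or an implication kept as a hypothesis, so Peirce's law ((P => Q) => P) => P, which is classically valid, is reported as not proved. That is exactly the situation in which the slide's prover would restart with new instantiations; a real prover, or the user, must supply the missing step.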

  38. Quantified predicates

  39. Event-B is heavily influenced by Floyd-Hoare logic • Floyd-Hoare Logic is a method of reasoning mathematically about imperative programs. • It is the basis of most mechanized program verification systems • Tony Hoare introduced the notation {P} C {Q}, called a partial correctness specification for specifying what a program does, where: • C is a program (code) from the programming language whose programs are being specified • P and Q are conditions on the program variables used in C

  40. Meaning of Hoare's Notation • {P} C {Q} is true if • whenever C is executed in a state satisfying P • and if the execution of C terminates • then the state in which C terminates satisfies Q • Example: {X = 1} X := X + 1 {X = 2} • P is the condition that the value of X is 1 • Q is the condition that the value of X is 2 • C is the assignment command X := X + 1 (i.e. `X becomes X + 1') • {X = 1} X := X + 1 {X = 2} is clearly true • {X = 1} X := X + 1 {X = 3} is clearly false • BE CAREFUL with partial correctness: • {X = 1} WHILE true DO skip {Y = 3} is true, because the loop never terminates and the postcondition is only required of terminating executions

  41. Total Correctness • Informally: • Total correctness = Termination + Partial correctness • Total correctness is the ultimate goal • It is usually easier to show partial correctness and termination separately • Termination is usually straightforward to show, but there are examples where it is not, e.g.: no one knows whether the program below (the 3n + 1, or Collatz, iteration) terminates for all values of X • WHILE X > 1 DO • IF ODD(X) THEN X := (3 × X) + 1 ELSE X := X DIV 2 • Where the expression X DIV 2 evaluates to the result of rounding down X/2 to a whole number

  42. Specification can be Tricky • "The program must set Y to the maximum of X and Y" • [True] C [Y = max(X, Y)] • A suitable program (C)?: • IF X >= Y THEN Y := X ELSE SKIP • Another? • IF X >= Y THEN X := Y ELSE SKIP • Or even? • Y := X • WARNING: Later we will be able to prove that all these programs are "correct" • WHY?: The postcondition "Y = max(X, Y)" only says "Y is the maximum of X and Y in the final state"; it does not relate the final Y to the initial values of X and Y, so a program that overwrites X, or sets both to the same value, satisfies it too

  43. SKIP: possibly the simplest axiomatisation • Syntax: SKIP • Semantics: the state is unchanged • The SKIP Axiom : • |- {P} SKIP {P} • It is an axiom schema • P can be instantiated with arbitrary predicate calculus formulae (statements) • Instances of the SKIP axiom are: • |- {Y = 2} SKIP {Y = 2} • |- {True} SKIP {True} • |- {R = X + (Y × Q)} SKIP {R = X + (Y × Q)}

  44. Substitution Notation and assignment axiom: the most difficult axiomatisation • Define P[E/V] to mean the result of replacing all occurrences of V in P by E • read P[E/V] as `P with E for V' • for example: (X + 1 > X)[Y + Z/X] = ((Y + Z) + 1 > Y + Z) • Think of this notation as the `cancellation law': • V[E/V] = E • which is analogous to the cancellation property of fractions: • v × (e/v) = e • The Assignment Axiom • |- {P[E/V]} V := E {P} • Where V is any variable, E is any expression, P is any statement, and the notation P[E/V] denotes the result of substituting the term E for all occurrences of the variable V in the statement P. • Example: the instance • |- {X + 1 = n + 1} X := X + 1 {X = n + 1} • can be proven (take P to be X = n + 1, V to be X and E to be X + 1)

  45. Precondition Strengthening is a typical development step • Recall that
  |- S1, . . . , |- Sn
  --------------------
  |- S
  means |- S can be deduced from |- S1, . . . , |- Sn • Using this notation, the rule of precondition strengthening is:
  |- P => P', |- {P'} C {Q}
  -------------------------
  |- {P} C {Q}

  46. Postcondition Weakening • Just as the previous rule allows the precondition of a partial correctness specification to be strengthened, the following one allows us to weaken the postcondition:
  |- {P} C {Q'}, |- Q' => Q
  -------------------------
  |- {P} C {Q}
  • The rules precondition strengthening and postcondition weakening are sometimes called the rules of consequence
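The substitution P[E/V], the assignment axiom and the two rules of consequence of slides 44-46, as one added worked example (this code is not part of the slides): substitution and the assignment axiom are implemented exactly, while the side conditions P => P' and Q' => Q are checked by exhaustive evaluation over a small range of integer states, which stands in for a real proof and is labelled as such. The tuple encoding, the helper names and the constructed triples (taken from slides 40, 42 and 44) are assumptions of the example.

```python
# Added example (not from the slides): the substitution P[E/V], the assignment
# axiom and the rules of consequence of slides 44-46, mechanised over a small
# language of integer expressions and predicates.  The tuple encoding and the
# bounded-state check standing in for a real proof are assumptions of this
# example:
#   expressions: ('var', 'X'), ('num', 1), ('add'|'sub'|'mul'|'max', a, b)
#   predicates:  ('true',), ('not', P), ('eq'|'gt'|'le', a, b), ('and'|'imp', P, Q)
import itertools

def subst(p, e, v):
    """P[E/V]: P with every occurrence of the variable V replaced by E."""
    if p[0] == 'var':
        return e if p[1] == v else p
    if p[0] in ('num', 'true'):
        return p
    return (p[0],) + tuple(subst(c, e, v) for c in p[1:])

def wp_assign(v, e, q):
    """Assignment axiom |- {Q[E/V]} V := E {Q}: the precondition it provides."""
    return subst(q, e, v)

BINOPS = {
    'add': lambda a, b: a + b, 'sub': lambda a, b: a - b,
    'mul': lambda a, b: a * b, 'max': max,
    'eq': lambda a, b: a == b, 'gt': lambda a, b: a > b, 'le': lambda a, b: a <= b,
    'and': lambda a, b: a and b, 'imp': lambda a, b: (not a) or b,
}

def evaluate(f, state):
    """Value of an expression, or truth of a predicate, in a state (a dict)."""
    tag = f[0]
    if tag == 'var':
        return state[f[1]]
    if tag == 'num':
        return f[1]
    if tag == 'true':
        return True
    if tag == 'not':
        return not evaluate(f[1], state)
    return BINOPS[tag](evaluate(f[1], state), evaluate(f[2], state))

def variables(f):
    """Program variables occurring in a formula."""
    if f[0] == 'var':
        return {f[1]}
    return set().union(*(variables(c) for c in f[1:] if isinstance(c, tuple)))

def holds_everywhere(p, lo=-4, hi=4):
    """Bounded check that p is true in every state whose variables take values
    in [lo, hi].  It stands in for discharging a proof obligation: a test, not
    a proof, and enough only for these small examples."""
    names = sorted(variables(p))
    for values in itertools.product(range(lo, hi + 1), repeat=len(names)):
        if not evaluate(p, dict(zip(names, values))):
            return False
    return True

def check_assignment(p, v, e, q):
    """{P} V := E {Q} by the assignment axiom plus precondition strengthening:
    it suffices to establish P => Q[E/V]."""
    return holds_everywhere(('imp', p, wp_assign(v, e, q)))

def check_weakened(p, v, e, q_strong, q):
    """Postcondition weakening: {P} V := E {Q'} and Q' => Q give {P} V := E {Q}."""
    return check_assignment(p, v, e, q_strong) and holds_everywhere(('imp', q_strong, q))

# Constructed triples from slides 40, 42 and 44.
X, Y, Z, N, ONE = ('var', 'X'), ('var', 'Y'), ('var', 'Z'), ('var', 'n'), ('num', 1)
INC = ('add', X, ONE)                                  # the expression X + 1

if __name__ == '__main__':
    print(subst(('gt', INC, X), ('add', Y, Z), 'X'))   # (X + 1 > X)[Y + Z/X]
    print(check_assignment(('eq', X, ONE), 'X', INC, ('eq', X, ('num', 2))))
    print(check_assignment(('eq', X, ONE), 'X', INC, ('eq', X, ('num', 3))))
    print(check_assignment(('true',), 'Y', X, ('eq', Y, ('max', X, Y))))
```

For the slide 42 trap, wp_assign computes (Y = max(X, Y))[X/Y] = (X = max(X, X)), which is true in every state, so {True} Y := X {Y = max(X, Y)} is accepted: the substitution makes visible that the postcondition constrains only the final state.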

  47. Existential Quantification

  48. Comparing the Quantification Rules

  49. Classical Results

  50. Classical Results
