Chunks: Component Verification in CSP

Steve Schneider & Helen Treharne, SurreyNeil Evans, Southampton

http://www.csp-b.org

CSP Controlled B machines B machines as concurrent components (good for data-

rich aspects) CSP processes as controllers (good for patterns of

communication) Combination underpinned by CSP semantics for B Tap into tools for CSP and for B

B machine

CSP process

B operations

Example

MACHINE SwitchVARIABLES switchINITIALISATION switch := offOPERATIONS light = PRE switch = off THEN switch := on END;

dark = PRE switch = on THEN switch := off ENDEND

B machine CSP controller

Consistency Operations must be called within their

preconditions Established techniques available (based

on wp semantics) for establishing consistency between a controller and a controlled machine.

Consistency expressed as divergence-freedom

Divergence-freedom means operations called within their preconditions

Combining Components

• System divergence-free if each pair is

• System deadlock-free if CSP part is.

• System meets particular specs if CSP part does

CSP CSPCSP

B BB

Sorted? Not quite.Odd-Even example

MACHINE OddVARIABLES nnINVARIANT odd(nn)OPERATIONS odd_set(ii) = PRE odd(ii) THEN nn := ii END;jj <-- odd_get = jj := nnEND

MACHINE EvenVARIABLES mmINVARIANT even(mm)OPERATIONS even_set(ii) = PRE even(ii) THEN mm := ii END;jj <-- even_get = jj := mmEND

odd_get.7 odd_set.9

eopass.9

even_get.8 even_set.8

oepass.8

Component Consistency

MACHINE Odd…

odd_set(ii) = PRE odd(ii) THEN nn := ii END;…END

odd_get.m odd_set.n

eopass?n

oepass.m+1

Consistency relies on n being odd

Guarantees m even

<odd(n)>

{even(m)}

Introduceblocking assertion

divergingassertion

Consistency of ODD_CTRL’and Odd guarantees m evenunder assumption of n odd

Lifting state

Sometimes we need to relate assertions to the B state

To do this, we lift relevant state to the CSP level

transfer.tim

add.tim

but T not in CSP

Interaction

transfer.tim

add.timtake.tim

Decomposing requirements

Chunks – discharging proof obligations (chunks theorem) Split the network into chunks – each

assertion needs to be diverging in at least one chunk. Can be blocking in all others.

Chunks need to be divergence-free – this can be checked by FDR (for CSP parts) or by wp technique (CSP||B technique)

Then the system is divergence-free

Chunks

P<P>{P}

Every predicate must have a chunk where it diverges (verify)In other chunks it can block (assumption)

Current work More elaborate architectures (B

machines interact with more than one controller)

Hardware/software codesign Links to software development

methodology (industrial partner)

http://www.csp-b.org