the b method
DESCRIPTION
The B Method. b y Péter Györök. Contents. Metadata The B language The Prover Demo. People behind it. Developed by Jean-Raymond Abrial Other people : G. Laffite , F. Mejia , I. McNeal Currently big companies and various universities maintain it - PowerPoint PPT PresentationTRANSCRIPT
The B Method
by Péter Györök
Contents
• Metadata• The B language• The Prover• Demo
People behind it
• Developed by Jean-Raymond Abrial– Other people: G. Laffite, F. Mejia, I. McNeal
• Currently big companies and various universities maintain it
• ClearSy, Oxford University (Programming Research Group)• Subsidised projects
History, origin, versions
• Predecessor: Z-notation (also by Abrial)• Newest incarnation: Event-B
• Tools: Atelier B, B4free, B-toolkit
Primary application domain
• Software engineering– Specification– Design– Proof– Code generation
• Safety-critical systems• Big companies that use it: Siemens, Alstom,
Systerel…
Success stories
• METEOR project – Paris Metro Line 14– (Hungarian relevance?)
• Ariane 5 (rocket)
System overview
• B notation based on group theory and first order logic• The method is heavily focused on system development
– Multiple versions of the system: abstract machine -> refiniements -> implementation
– The proofs are for the consistency between versions• Syntax is expressed using mathematical symbols or
their ASCII equivalents (e.g. ! for )∀• Lots of syntactic sugar for easily writing down
expressions
Language features
• Types: based on set theoryTypes are either basic (integer, bool, string, enum) or built using Cartesian product, power set or record– Types inferred by typing predicates (∈, ⊂, ⊆, =)– The type of something is „the biggest set that contains it”– The type of integer literals and expressions is ℤ– The type of a set literal or expression is p(set), e.g. ℤ ∈ p( )ℤ– The type of a function from X to Y is (X × Y)℘– Distinction of „concrete” types that can be used in implementation– Many advanced types such as array, sequence, relation, tree – each
with their own set of operators
Language features• Expressions and predicates
– Predicates use the syntax of first order logic– Expressions of various types use the types’ specific operators– Lambda expressions are allowed
• Substitutions– Allow a predicate to be transformed ( [x := E] P )– Resemble features of an imperative language– Also some „alien” features (precondition etc.)– Proof obligations are derived from substitutions– Can be nondeterministic (but the implementation must be
deterministic, cf. concrete types)
Language features• Some types of substitution
– BEGIN…END– skip– := :() :∈– PRE– ASSERT– IF– CASE– LET– VAR– ;– ||– WHILE
Language features
• Machine– The „thing” that we are reasoning about– Resembles classes from OOP– Can be abstract, refinement or implementation– Special constraints apply to implementations– Elements of a machine:
• Parameters and their constraints• Imports, sees, includes etc.• Sets (enum or „deferred”)• Abstract and concrete constants, variables
Language features
– Elements of a machine• Properties, invariants• Values (!)• Initialisation and operations – expressed as a
substitution• Operations can have multiple return values• Assertions – this makes it possible to use B as a
mathematical proof assistant
Language featuresExample: adding assertions to help with a proof.
MACHINEMA
CONCRETE_VARIABLESvar
INVARIANTvar ∈ INT ⋀var2 = 1
ASSERTIONSvar = 1 ⋁ var = - 1
...END
This must be proven from the invariant.Then it can be used as a lemma in other proofs.
Typing predicate
Language fetaures
• The B0 language– Restricted version of the B language– Used for implementation only– Substitutions are equivalent to instructions– Translated to C(++), Ada etc.
The Prover
• Atelier B uses both an automatic and interactive prover
• The basic concept is the proof obligation (PO):Goal + hypotheses
• The prover doesn’t type check – that’s part of the proof! e.g. b = e1 + e2 where b BOOL and ∈ e1 , ∈ ℤ e2 is a legal ∈ ℤgoal which is unprovable
• Well-definedness must be proved tooe.g. 8/c is well-defined if c ≠ 0
The Prover
• Proof obligations– The types of things match up– The refinements are consistent– The initialisation sets the invariants and the
operations keep them– The operations meet their pre/postconditions– Assertions are true
The Prover
• Rules: inductive, deductive and rewriting• Theory: a list of rules (higher index has
priority)• Tactic: a list of theories to search for an
applicable rule– Backward tactic divides the goal into subgoals– Forward tactic generates new hypotheses– A full tactic is the combination of the two
The Prover
• Procedure of applying the tactic:– Search the backward tactic for an applicable rule– If one is found, apply it and continue with the next
theory– Tilde (~) can be used as the „repeat” operator– The whole tactic is implicitly tilded– For every new hypothesis generated, run the
forward tactic with the same procedure
The Prover
• The theory is fully customizable, even with inconsistent rules!
• The prover might loop infinitely• Proof obligations are normalized
– Examples: n > m becomes m+1 <= n,a ⇔ b becomes (a ⇒ b) (∧ b ⇒ a),a ⊆ b becomes a ∈ (℘ b)
The Prover
• Commands can be given to the interactive prover
• The prover will try to prove what is needed to execute the command. If it fails, a new goal is created
• ae : Abstract expression– P[…, expr, …] after ae(expr, y) becomes
well-defined(expr) ∧ expr=y ⇒ P[…, y, …]
Commands
• ah: Add Hypothesis– If the goal was h1, …, hn ⇒ G,
ah(P) replaces it withh1, …, hn ⇒ Ph1, …, hn, P ⇒ G
• ct: proof by contradiction– Replaces a goal h1, …, hn ⇒ G with
h1, …, hn, ¬ G bfalse⇒
Commands
• dc: Do Cases– If the goal is G, use dc(P) to split it into
¬ P ⇒ GP ⇒ G
• se: Suggest for Exist– If the goal is (∃ w1, …, wn).P(w1, …, wn)
se(v1, …, vn) turns it intoP(v1, …, vn)
Commands• ap: Arithmetic Proof
– An automated mechanism for proving things about systems of linear equations and inequations
• pp: Predicate Prover– Another automated system
• pr: Prover Call– Yet another (these all solve different kinds of goals)
• ar: Apply Rule– Just applies a rule
• dd: Deduction– For a goal P ⇒ Q, raise P in the hypothesis stack then prove Q
• ba: Back• cg: display Current Goal• qu: Quit
Demo
• The task: decide if a given number is prime
Creating a project
Adding a component
• Let’s add something to the empty project…
Adding a component
• Since this is our first component, the only choice is „Machine”.
Editing
• Now that we have a machine, double click it on the „Components” list to edit
Insert Theorem Here
• What we want to enter there:MACHINE primOPERATIONS p ← is_prim ( n ) = PRE n ∈ [3 .. MAXINT] THEN p := bool (∀ i . ( i ∈ [ 2 .. n-1 ] ⇒ ( n mod i ) ≠ 0 ) ) ENDEND
Insert Theorem Here
• What it will look like in B:
Atelier B hates single-letter identifiers so we reduplicate everything
Adding an implementationIMPLEMENTATION
prim_iREFINES
primOPERATIONS
pp <-- is_prim ( nn ) =BEGIN
VAR ll , kk INll := TRUE ;kk := nn ;WHILE ( 2 /= kk & ll = TRUE) DO
IF nn mod (kk-1) = 0 THENkk := kk-1;ll := FALSE
ELSEkk := kk-1
END INVARIANT
ll : BOOL &nn : NAT &nn >= 3 &kk : 2..nn &(ll=TRUE => (! jj.(jj:kk..nn-1 => nn mod jj /=0))) & (ll=FALSE=> ( kk: 2..nn-1 & nn mod kk = 0))
VARIANTkk
END ;pp :=ll
ENDEND
END
Generate PO’s
• Click „Po”, then „F0” to try to prove…
Interactive Proof time!
Interactive Prover
Double-click one
Interactive Prover
• Now we can enter commands.
Completing the proof
Here are the commands to complete the proof:dc(jj = kk-1)prah(jj: kk..nn-1)pp(100)pr
dc(ll$7777 = TRUE)ddah(kk$7777 = 2)prppprddah(ll$7777 = FALSE)ppddprse(kk$7777)pr
Completing the proof
• Green means success!
THE END