1 B is a method for specifying, designing, and coding software systems. J.R. Abrial, The B-Book,...

Post on 19-Jan-2018


“B is a method for specifying, designing, and coding software systems.” J.R. Abrial, The B-Book, Cambridge University Press


B4free


Exercise 1.7 A car park has 640 parking spaces. Give an abstract machine which specifies a system to control cars entering the car park. It should keep track of the cars currently in the car park, and should provide 3 operations:

– Enter, which records the entry of a new car. This should occur only when the car park is not full;

– Leave, which records the exit of a car from the car park;

– Query, which outputs the number of cars currently in the car park.


MACHINE CarPark
VARIABLES contents
INVARIANT contents : NAT & contents <= 640
INITIALIZATION contents := 0
OPERATIONS
  enter =
    PRE contents < 640 THEN contents := contents + 1 END;

  leave =
    PRE contents > 0 THEN contents := contents - 1 END;

  nn <-- query =
    PRE true THEN nn := contents END
END
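The CarPark machine has a finite state space (contents : 0..640), so each of its proof obligations can be discharged by enumeration rather than by proof. The Python below is an added illustration, not code from the slides or from any B toolset: it transcribes the machine's clauses and adds constructed helper names (check_obligations, unguarded_breaks, run). The unguarded_breaks check makes the B reading of PRE concrete: outside its precondition an operation promises nothing, so establishing PRE is the caller's job.

```python
"""MACHINE CarPark checked by brute force over contents : 0..640.
Added illustration; clauses follow the machine, helper names are constructed."""

CAPACITY = 640


def invariant(contents):
    """INVARIANT contents : NAT & contents <= 640"""
    return isinstance(contents, int) and 0 <= contents <= CAPACITY


def initialisation():
    """INITIALIZATION contents := 0"""
    return 0


# Each operation is (precondition, state transformer).  In B the PRE is
# the caller's obligation: the body need only preserve the invariant
# from states where INVARIANT & PRE hold.
OPERATIONS = {
    'enter': (lambda c: c < CAPACITY, lambda c: c + 1),
    'leave': (lambda c: c > 0,        lambda c: c - 1),
    'query': (lambda c: True,         lambda c: c),   # nn <-- query: state unchanged
}


def check_obligations():
    """Initialisation establishes the invariant, and every operation
    preserves it from each state satisfying INVARIANT & PRE."""
    results = {'init': invariant(initialisation())}
    for name, (pre, body) in OPERATIONS.items():
        results[name] = all(invariant(body(c))
                            for c in range(CAPACITY + 1) if pre(c))
    return results


def unguarded_breaks(name):
    """States satisfying the invariant from which running the body of an
    operation WITHOUT its PRE leaves the invariant false: exactly the
    inputs a caller must never feed it."""
    pre, body = OPERATIONS[name]
    return [c for c in range(CAPACITY + 1)
            if not pre(c) and not invariant(body(c))]


def run(trace):
    """Execute a sequence of operation names from the initial state.
    Returns (final contents, name of the first call made outside its
    PRE or None); execution stops at that call."""
    contents = initialisation()
    for name in trace:
        pre, body = OPERATIONS[name]
        if not pre(contents):
            return contents, name
        contents = body(contents)
    return contents, None


if __name__ == '__main__':
    print(check_obligations())   # {'init': True, 'enter': True, 'leave': True, 'query': True}
    print(unguarded_breaks('enter'))   # [640]
    print(run(['enter', 'enter', 'leave']))   # (1, None)
```

The 'query' entry is vacuous (it never changes contents) and is listed only so that every operation of the machine is covered by the same check.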


houseset, magazine := {}, {}


t parentancestor

parentyzparentzx

PERSONzzyxparentancestor

,,.,


Substitutions

P[E/x]

Expression E is substituted for a free variable x by replacing all occurrences of x by E. Read as "P with E for x".

GOaliceCHESSalice

xaliceGOxCHESSx

/


zyxxyzyxyx /

2)(.

/2)(.

oldlimitpagePERSONpp

limitoldlimitlimitpagePERSONpp


3.

/3./3.

nmmmlimitnlimitmmm

limitnlimitnnn

Renaming bound variables to avoid variable capture

limitmmm

nlimitmmmnlimitnnn

./50.

/50.

If the variable being substituted does not occur free anywhere in the predicate then it is left unchanged.


Simultaneous substitution: P[E, F, ..., G / x1, x2, ..., xn]

zyxyx

yxzyxyxyx

,/,


Self test

servennextnnservenn

serveservenextnnservenn

/4.)2(

/14.)1(

2

2


The set of all possible states a machine can be in.


See page 26 of the B-method.


P is a predicate which describes a set of states that may be reached after the performance of statement S. P is referred to as the post condition of S.

The notation [S]P denotes a predicate which is true of any initial state from which S is guaranteed to achieve P.


See page 27 of the B-method.


[hh := min(houseset)](!hh.(hh : houseset => hh < 163))


[a(4) := 7](a : NAT1 >+> NAT)

= (a <+ {(4,7)}) : NAT1 >+> NAT

= ({4} <<| a) : NAT1 >+> NAT & 7 /: ran({4} <<| a)


Other Constructs

[IF E THEN S ELSE T END]P = (E & [S]P) or (not(E) & [T]P)

[IF E THEN S ELSE T END]P = (E => [S]P) & (not(E) => [T]P)

(The two right-hand sides are equivalent, since exactly one of E and not(E) holds.)


[IF x<5 THEN x:=x+4 ELSE x:=x-3 END] (x<7)

= (x<5 & [x:=x+4](x<7)) or ((not(x<5)) & [x:=x-3](x<7))

= (x<5 & (x+4<7)) or ((x>=5) & (x-3<7))

= (x<5 & x<3) or ((x>=5) & (x<10))

= (x<3) or ((x>=5) & (x<10))
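The substitution rules above (P[E/x], bound variables shielding their bodies, renaming to avoid capture), the [hh := min(houseset)] example and the IF law just applied can all be exercised by one small weakest-precondition calculator. The Python below is an added illustration, not code from the slides or from any B tool: the nested-tuple term encoding and the names wp, subst, free_vars, show and evaluate are constructed here. It recomputes [IF x<5 THEN x:=x+4 ELSE x:=x-3 END](x<7) and confirms, by evaluating both over a range of x, that it agrees with the hand-simplified (x<3) or (x>=5 & x<10); it then shows the two faces of the capture rule, including a case where naive (capturing) substitution yields a predicate with a different truth value.

```python
"""Weakest preconditions [S]P for a fragment of B with capture-avoiding
substitution P[E/x] (B ASCII notation).  Added illustration; the nested-tuple
term encoding below is constructed here, it is not any B tool's format."""
import itertools
import operator

BINOPS = {'+': operator.add, '-': operator.sub, '<': operator.lt,
          '<=': operator.le, '>': operator.gt, '>=': operator.ge,
          '=': operator.eq, '/=': operator.ne, ':': lambda a, b: a in b,
          '&': lambda a, b: a and b, 'or': lambda a, b: a or b,
          '=>': lambda a, b: (not a) or b}
FUNS = {'min': min}   # function symbols allowed in ('app', name, [args])

def free_vars(t):
    """Free variables of t; the variable of !n.(...) is bound, not free."""
    k = t[0]
    if k == 'var': return {t[1]}
    if k == 'num': return set()
    if k == 'not': return free_vars(t[1])
    if k == 'op': return free_vars(t[2]) | free_vars(t[3])
    if k == 'app': return set().union(*(free_vars(a) for a in t[2]))
    return free_vars(t[2]) - {t[1]}                           # ('forall', v, body)

def fresh(base, avoid):   # first of n1, n2, ... not in avoid
    return next(f"{base}{i}" for i in itertools.count(1) if f"{base}{i}" not in avoid)

def subst(p, x, e):
    """P[E/x]: replace the free occurrences of x in P by E.  A quantifier that
    binds x shields its body; a quantifier whose variable occurs free in E is
    renamed first, so that E's variables are not captured."""
    k = p[0]
    if k == 'var': return e if p[1] == x else p
    if k == 'num': return p
    if k == 'not': return ('not', subst(p[1], x, e))
    if k == 'op': return ('op', p[1], subst(p[2], x, e), subst(p[3], x, e))
    if k == 'app': return ('app', p[1], [subst(a, x, e) for a in p[2]])
    v, body = p[1], p[2]                                      # forall
    if v == x:
        return p                         # x is bound here: nothing free to replace
    if v in free_vars(e):
        nv = fresh(v, free_vars(e) | free_vars(body) | {x})
        body, v = subst(body, v, ('var', nv)), nv
    return ('forall', v, subst(body, x, e))

def wp(stmt, p):
    """[S]P for ('skip',), ('assign', x, E) and ('if', E, S, T), by the laws above."""
    k = stmt[0]
    if k == 'skip': return p
    if k == 'assign': return subst(p, stmt[1], stmt[2])
    c, s, t = stmt[1], stmt[2], stmt[3]
    return ('op', '&', ('op', '=>', c, wp(s, p)),
                       ('op', '=>', ('not', c), wp(t, p)))

def show(t):
    """Render a term in B's ASCII syntax."""
    k = t[0]
    if k == 'var': return t[1]
    if k == 'num': return str(t[1])
    if k == 'not': return f"not({show(t[1])})"
    if k == 'op': return f"({show(t[2])} {t[1]} {show(t[3])})"
    if k == 'app': return f"{t[1]}({', '.join(show(a) for a in t[2])})"
    body = show(t[2])
    return f"!{t[1]}.{body if body.startswith('(') else '(' + body + ')'}"

def evaluate(t, env, domain):
    """Value of t under env; a quantified variable ranges over the finite domain."""
    k = t[0]
    if k == 'var': return env[t[1]]
    if k == 'num': return t[1]
    if k == 'not': return not evaluate(t[1], env, domain)
    if k == 'op': return BINOPS[t[1]](evaluate(t[2], env, domain), evaluate(t[3], env, domain))
    if k == 'app': return FUNS[t[1]](*(evaluate(a, env, domain) for a in t[2]))
    return all(evaluate(t[2], {**env, t[1]: d}, domain) for d in domain)

def V(n): return ('var', n)
def N(n): return ('num', n)
def op(sym, a, b): return ('op', sym, a, b)

def if_example():
    """[IF x<5 THEN x:=x+4 ELSE x:=x-3 END](x<7) and whether it agrees with
    the hand-simplified (x<3) or (x>=5 & x<10) for every x in -20..20."""
    stmt = ('if', op('<', V('x'), N(5)),
            ('assign', 'x', op('+', V('x'), N(4))),
            ('assign', 'x', op('-', V('x'), N(3))))
    p = wp(stmt, op('<', V('x'), N(7)))
    hand = op('or', op('<', V('x'), N(3)),
              op('&', op('>=', V('x'), N(5)), op('<', V('x'), N(10))))
    agree = all(evaluate(p, {'x': x}, ()) == evaluate(hand, {'x': x}, ())
                for x in range(-20, 21))
    return show(p), agree

def bound_variable_example():
    """(1) [hh := min(houseset)](!hh.(hh : houseset => hh < 163)) is unchanged: hh is bound.
    (2) (!n.(n < limit))[n+1/limit] must rename the bound n; over domain 0..9 with
    n = 3 the correct result and the naive, capturing one differ in truth value."""
    houses = ('forall', 'hh', op('=>', op(':', V('hh'), V('houseset')), op('<', V('hh'), N(163))))
    unchanged = subst(houses, 'hh', ('app', 'min', [V('houseset')])) == houses
    p, e = ('forall', 'n', op('<', V('n'), V('limit'))), op('+', V('n'), N(1))
    correct = subst(p, 'limit', e)                      # !n1.(n1 < (n + 1))
    captured = ('forall', 'n', op('<', V('n'), e))      # what naive replacement would give
    return (unchanged, show(correct),
            evaluate(correct, {'n': 3}, range(10)), evaluate(captured, {'n': 3}, range(10)))
```

Run if_example() to see the IF law applied mechanically; the returned string still contains the unsimplified (x + 4) < 7 and (x - 3) < 7 terms, so the arithmetic simplification done by hand on the slide is deliberately left to the reader, while the range check confirms the two predicates are the same.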


Exercise 5.1, page 67 of “the b-method”: What are the proof obligations associated with the constraints below? Are they consistent?

MACHINE Info(ITEM, sample, num)
CONSTRAINTS sample : ITEM & num : NAT & num > card(ITEM)
CONSTANTS storage
PROPERTIES storage : NAT1 & storage <= num
VARIABLES current, next, previous
INVARIANT current <: ITEM & next : ITEM & previous : ITEM & next /= previous


Proof obligation associated with the constraints:

# ITEM, sample, num . (ITEM /= {} & sample : ITEM & num : NAT & num > card(ITEM))


Proof obligation: it must be possible to find appropriate SETS and CONSTANTS.

(ITEM /= {} & sample : ITEM & num : NAT & num > card(ITEM))
=> # storage . (storage : NAT1 & storage <= num)


Proof obligation: when all the parameters are set it must be possible for the machine to have variables that satisfy the invariant.

(ITEM /= {} & sample : ITEM & num : NAT & num > card(ITEM) & storage : NAT1 & storage <= num)
=> # current, next, previous . (current <: ITEM & next : ITEM & previous : ITEM & next /= previous)

What if ITEM = {a}?


Summary of Proof Obligations (p = parameters, C = CONSTRAINTS, St = SETS, k = CONSTANTS, B = PROPERTIES, v = VARIABLES, I = INVARIANT, T = INITIALIZATION):

1. # p . C
2. C => # (St, k) . B
3. C & B => # v . I
4. C & B => [T] I
5. C & B & I & P => [S] I, for each operation PRE P THEN S END
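The three existence obligations (items 1 to 3 of the summary) for MACHINE Info can be checked by exhaustive search over small instances, which also settles the "What if ITEM = {a}?" question. The Python below is an added illustration, not code from the slides or the B-Book: the CONSTRAINTS, PROPERTIES and INVARIANT clauses are transcribed from the machine, while the search bounds and the names po_parameters, po_constants, po_variables and check_machine are constructed here. The invariant needs two distinct elements of ITEM for next and previous, so a one-element ITEM satisfies the constraints but makes the variables obligation fail.

```python
"""Existence proof obligations of MACHINE Info(ITEM, sample, num), discharged
or refuted by exhaustive search over small instances.  Added illustration;
clauses are transcribed from the machine, search bounds are constructed."""
from itertools import combinations


def constraints(ITEM, sample, num):
    """CONSTRAINTS sample : ITEM & num : NAT & num > card(ITEM)
    (ITEM /= {} holds because a set parameter is always non-empty)."""
    return len(ITEM) > 0 and sample in ITEM and num >= 0 and num > len(ITEM)


def properties(num, storage):
    """PROPERTIES storage : NAT1 & storage <= num"""
    return storage >= 1 and storage <= num


def invariant(ITEM, current, nxt, previous):
    """INVARIANT current <: ITEM & next : ITEM & previous : ITEM & next /= previous"""
    return current <= ITEM and nxt in ITEM and previous in ITEM and nxt != previous


def po_parameters(max_card=3, max_num=5):
    """# ITEM, sample, num . (constraints): a witness within the bounds, or None.
    ITEM is modelled as {0, .., card-1}; only its size matters here."""
    for card in range(1, max_card + 1):
        ITEM = frozenset(range(card))
        for sample in sorted(ITEM):
            for num in range(max_num + 1):
                if constraints(ITEM, sample, num):
                    return ITEM, sample, num
    return None


def po_constants(ITEM, sample, num):
    """constraints => # storage . (properties)"""
    if not constraints(ITEM, sample, num):
        return True                            # antecedent false: vacuously true
    return any(properties(num, s) for s in range(num + 1))


def po_variables(ITEM, sample, num, storage):
    """constraints & properties => # current, next, previous . (invariant)"""
    if not (constraints(ITEM, sample, num) and properties(num, storage)):
        return True
    items = sorted(ITEM)
    subsets = [frozenset(c) for r in range(len(items) + 1)
               for c in combinations(items, r)]
    return any(invariant(ITEM, cur, n, p)
               for cur in subsets for n in items for p in items)


def check_machine(ITEM, sample, num, storage):
    """Both instance-specific existence obligations for one choice of
    parameters and constant."""
    return {'constants_exist': po_constants(ITEM, sample, num),
            'variables_exist': po_variables(ITEM, sample, num, storage)}


if __name__ == '__main__':
    print(po_parameters())                        # (frozenset({0}), 0, 2)
    print(check_machine({'a'}, 'a', 2, 1))        # variables_exist is False
    print(check_machine({'a', 'b'}, 'a', 3, 1))   # both True
```

Because the search is bounded, a None from po_parameters would only mean no witness was found within the bounds; here the witness is found immediately, and the failing case for ITEM = {a} is a genuine refutation, since the search over that instance is exhaustive.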


• Self tests (from “the b-method”)
– Exercise 5.2 page 68
– Exercise 6.3 page 89


Completing the Laws of [S]P

[x := E]P = P[E/x]

[x, y := E, F]P = P[E, F / x, y]

[x1, ..., xn := E1, ..., En]P = P[E1, ..., En / x1, ..., xn]


[skip]P = P

[IF E THEN S ELSE T END]P = (E => [S]P) & (not(E) => [T]P)

[IF E THEN S ELSE T END]P = (E & [S]P) or (not(E) & [T]P)

[IF E THEN S END]P = ?


[CASE E OF EITHER e1 THEN T1 OR e2 THEN T2 OR ... OR en THEN Tn ELSE V END]P
= (E = e1 => [T1]P) & (E = e2 => [T2]P) & ... & (E = en => [Tn]P) & (E /= e1 & E /= e2 & ... & E /= en => [V]P)


[a(i) := E]P = P[a <+ {(i, E)} / a]


[ANY x WHERE Q THEN T END]P = !x.(Q => [T]P)

[ANY x1, ..., xn WHERE Q THEN T END]P = !(x1, ..., xn).(Q => [T]P)

Non-determinism:

[x :: S]P = !z.(z : S => P[z/x])   (z a fresh variable, not free in S or P)


[LET x BE x = E IN S END]P = !x.(x = E => [S]P)


[CHOICE S OR T END]P = [S]P & [T]P

[CHOICE S1 OR S2 OR ... OR Sn END]P = [S1]P & [S2]P & ... & [Sn]P


• Sequences