2009: J Paul GibsonT&MSP-CSC 4504 : Langages formels et applications Event-B/Purse.1 CSC 4504 : Langages formels et applications (La méthode Event-B) J

2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications Event-B/Purse.1

CSC 4504 : Langages formels et applications

(La méthode Event-B)

J Paul Gibson, A207

[email protected]

http://www-public.it-sudparis.eu/~gibson/Teaching/Event-B/

Purse

http://www-public.it-sudparis.eu/~gibson/Teaching/Event-B/Purse.pdf


Purse: Informal Specification of an interactive system

1. A purse contains coins2. Coins are positive integers, but not all integers have a corresponding coin3. We wish to start with an empty purse4. We allow 2 operations:

• Add a coin• Pay a certain (integer) sum (by removing the correct number of coins

from the purse, i.e by removing coins whose total is equal to the sum requested

Specify in an Event-B context

Specify in an Event-B machine


Purse context and simple test for two coins

Try to prove the theorem yourselves


Purse machine: Proof Obligations Generated Automatically by Tool


Interactive proof that add_coin respects the invariant





Add hypothesis (lemma)



Expand and autoprove



Add hypothesis from context?



Found a problem in specification

Should have written: PURSES = COINS → ℕ



Fix specification and proof obligations are discharged auotmatically


TASK TO ATTEMPT:

Try to specify the event pay_sum

In order to help you, first consider the event remove_coin

•We will first attempt to develop a new machine as a refinement of the first machine

•We see why this causes a problem – and get a better understanding of refinement

• We then specify remove_coin without refinement


Add remove_coin event by extending/refining Purse_mch0

State which variables of extended machine you which to use(As well as any new variables)

Taken from mch0

A new event that does not take into account any variant in mch0



New proof obligation to discharge



Problem: the refinement requires us to show that the new event does not change the state of the refined machine


Add remove_coin event to Purse_mch0

Proof obligation (PO) discharged automatically


Formal Methods Pedagogic Experiment (For next week?)

Class has to split into 2 groups

1) First build Java machine for Purse and add pay-sum method. Then, when you are sure the Java is correct specify the corresponding Event-B machine

2) First try to build Event-B machine of Purse including the pay-sum event. Then, implement the machine in Java.

Teams in each group (1 or more people) must record time spent on each part (Java and Event-B)


PaySum

15

510

Purse

Pay_sum(10)2

is nondeterministic =10 or5+5

Pay_sum(4) is not possible =« event not allowed »

Pay_sum(2)is deterministic =2

Documents

2009: J Paul GibsonT&MSP-CSC 4504 : Langages formels et applications Event-B/Purse.1 CSC 4504 : Langages formels et applications (La méthode Event-B) J