Download presentation
Presentation is loading. Please wait.
1
1 “B is a method for specifying, designing, and coding software systems.” J.R. Abrial, The B-Book, Cambridge University Press
2
2
3
3
4
4
5
5
6
6 B4free
7
7
8
8
9
9
10
10
11
11
12
12
13
13
14
14
15
15
16
16
17
17
18
18
19
19
20
20
21
21
22
22
23
23
24
24
25
25
26
26
27
27
28
28
29
29 Exercise 1.7 A car park has 640 parking spaces. Give an abstract machine which specifies a system to control cars entering the car park. It should keep track of the cars currently in the car park, and should provide 3 operations: –Enter, which recorders the entry of a new car. This should occur only when the car park is not full; –Leave, which records the exit of a car from the car park; –Query, which outputs the number of cars currently in the car park.
30
30 MACHINE CarPark VARIABLES contents INVARIANT contents : NAT & contents <= 640 INITIALIZATION contents := 0 OPERATIONS enter = PRE contents < 640 THEN contents := contents + 1 END; leave = PRE contents > 0 THEN contents := contents – 1 END; nn <-- query = PRE true THEN nn := contents END
31
31
32
32
33
33
34
34
35
35
36
36
37
37
38
38
39
39
40
40
41
41
42
42
43
43 houseset, magazine := {}, {}
44
44
45
45
46
46
47
47
48
48
49
49
50
50
51
51
52
52
53
53
54
54
55
55
56
56
57
57
58
58
59
59
60
60
61
61
62
62
63
63
64
64
65
65
66
66
67
67
68
68
69
69
70
70
71
71
72
72
73
73
74
74
75
75
76
76
77
77
78
78
79
79
80
80
81
81
82
82
83
83
84
84
85
85
86
86
87
87
88
88
89
89
90
90
91
91 Substitutions Expression E is substituted for a free variable x by replacing all occurrences of x by E. Read as P with E for x.
92
92
93
93 Renaming bound variables to avoid variable capture If the variable being substituted does not occur free anywhere in the predicate then it is left unchanged.
94
94
95
95 Self test
96
96
97
97
98
98
99
99
100
100
101
101
102
102
103
103
104
104
105
105
106
106
107
107
108
108
109
109
110
110
111
111
112
112
113
113
114
114 The set of all possible states a machine can be in.
115
115
116
116 See Page 26 of the B-method.
117
117
118
118
119
119
120
120
121
121
122
122 P is a predicate which describes a set of states that may be reached after the performance of statement S. P is referred to as the post condition of S. The notation [S]P denotes a predicate which is true of any initial state from which is guaranteed to achieve P.
123
123
124
124 See Page 27 of the B-method.
125
125
126
126
127
127
128
128
129
129
130
130
131
131
132
132
133
133
134
134 [hh := min(houseset)](!hh.(hh:houseset=> hh < 163))
)](http://images.slideplayer.com./32/9810759/slides/slide_134.jpg "134 [hh := min(houseset)](!hh.(hh:houseset=> hh < 163))")
135
135
136
136
137
137
138
138
139
139
140
140
141
141
142
142
143
143
144
144 [a(4) := 7](a : NAT1 >+> NAT) =(a +> NAT =({4} +> NAT & 7 /: ran({4} <<| a)
 =(a +> NAT =({4} +> NAT & 7 /: ran({4} <<| a)](http://images.slideplayer.com./32/9810759/slides/slide_144.jpg "144 [a(4) := 7](a : NAT1 >+> NAT) =(a +> NAT =({4} +> NAT & 7 /: ran({4} <<| a)")
145
145 Other Constructs [IF E THEN S ELSE T END]P = (E & [S]P) or (not(E) & [T]P) [IF E THEN S ELSE T END]P = (E => [S]P) or (not(E) => [T]P)
![145 Other Constructs [IF E THEN S ELSE T END]P = (E & [S]P) or (not(E) & [T]P) [IF E THEN S ELSE T END]P = (E => [S]P) or (not(E) => [T]P)](http://images.slideplayer.com./32/9810759/slides/slide_145.jpg "145 Other Constructs [IF E THEN S ELSE T END]P = (E & [S]P) or (not(E) & [T]P) [IF E THEN S ELSE T END]P = (E => [S]P) or (not(E) => [T]P)")
146
146 [IF x<5 THEN x:=x+4 ELSE x:=x-3 END] (x<7) =(x<5 & [x:=x+4](x<7)) or ((not(x<5)) & [x:=x-3](x<7)) =(x =5) & (x-3<7)) = (x =5) & (x<10))
![146 [IF x<5 THEN x:=x+4 ELSE x:=x-3 END] (x<7) =(x<5 & [x:=x+4](x<7)) or ((not(x<5)) & [x:=x-3](x<7)) =(x =5) & (x-3<7)) = (x =5) & (x<10))](http://images.slideplayer.com./32/9810759/slides/slide_146.jpg "146 [IF x<5 THEN x:=x+4 ELSE x:=x-3 END] (x<7) =(x<5 & [x:=x+4](x<7)) or ((not(x<5)) & [x:=x-3](x<7)) =(x =5) & (x-3<7)) = (x =5) & (x<10))")
147
147
148
148
149
149
150
150
151
151
152
152
153
153
154
154
155
155
156
156
157
157
158
158
159
159
160
160
161
161
162
162
163
163
164
164
165
165
166
166
167
167
168
168
169
169 MACHINE Info(ITEM, sample, num) CONSTRAINTSsample:ITEM & num : NAT & num > card(ITEM) CONSTANTSstorage PROPERTIESstorage : NAT1 & storage <= num VARIABLEScurrent, next, previous INVARIANTcurrent <: ITEM & next : ITEM & previous : ITEM & next /= previous Exercise 5.1 Page 67 “the b-method” What are the proof obligations associated with the constraints below? Are they consistent?
170
170 # ITEM, sample, num.( ITEM /= {} & sample : ITEM & num : NAT & num > card(ITEM) ) Proof obligation associated with the constraints:
171
171 (ITEM /={} & sample:ITEM & num:NAT & num > card(ITEM)) => # storage. (storage : NAT1 & storage <= num) Proof obligation: It must be possible to find appropriate SETS and CONSTANTS.
172
172 (ITEM /={} & sample:ITEM & num:NAT & num>card(ITEM) & storage : NAT1 & storage <= num ) => # current, next, previous. ( current <: ITEM & next : ITEM & previous : ITEM & next /= previous ) Proof obligation: When all the parameters are set it must be possible for the machine to have variables that satisfy the invariant. What if ITEM={a}?
173
173 Summary of Proof Obligations:
174
174
175
175 Self tests (from “the b-method”) –Exercise 5.2 page 68 –Exercise 6.3 Page 89
176
176 Completing the Laws of [S]P
![176 Completing the Laws of [S]P](http://images.slideplayer.com./32/9810759/slides/slide_176.jpg "176 Completing the Laws of [S]P")
177
177
178
178
179
179
180
180 Non-determinism:
181
181
182
182
183
183
184
184 Sequences
Similar presentations
