An Introduction to Modelling with the Original BMethod

1
An Introduction toModelling with the Original
B-Method
B User Group 3rd November 2006 Andy Edmunds
2

• Two parts of the talk
• A summary of the B-Method
• An example model

What is B?

• B is a method, a notation and a mathematical
  theory.
• method
• defines a structured, rigorous development
  process
• notation
• using Abstract Machine Notation (as syntactic
  sugar), to specify
• behaviour, designed to be similar to constructs
  used by
• programmers.
• But it is a modelling language
• theory
• mathematical underpinning - set theory, first
  order predicate calculus.

3
What is B for?

• Modelling software systems
• at a functional level.
• to create dependable software systems.
• Used in safety and business critical systems.
• - criticisms
• FM seen as slow
• difficult to understand
• does not address all the problems.
• i.e. rubbish in leads to rubbish out.

4
Features used to Specify Models

• state   - deferred sets   - constants   -
  variables (still represented by sets)
• behaviour (operations)   - guarding
  (blocking)  - preconditions (aborting)
• invariant - predicates that describe properties
  of the system.
• predicates must evaluate true at all times, in B
• - typing of variables
• consistent models (1) - self consistency
• discharge proof obligations to ensure operations
• do not violate the invariant
• Abstract Machines, Refinements, and
  Implementations

5
Features to aid the Development Process

• composition   - includes, sees, promotes etc.
• (makes other machines/features visible with
  access restrictions) - imports (for
  implementations similar to Libraries in C/Java)
• refinement   - data refinement - specifying
  more information about a type.   - operation
  refinement - strengthen guards, weaken
  preconditions     any operation can refine
  skip used in Event-B.   - changes to state
  are the same in abstract as refinement but new
  state can be introduced.   - gluing invariant
  relates the state of the refinement to the
  abstract machine.
• consistent models (2) - a refinement is
  consistent with its abstraction and self
  consistent when the proof obligations
  of the gluing invariant, and other invariants,
  are discharged.
• B0 notation for implementations - links B to
  C,C,ADA.
• - is like B but with program-like constructs, and
  no preconditions, non-determinism.

6
The Modelling approach according to the B-method

• Take an abstract view of a software system.
• create an abstract specification from analysis
  obtaining the correct abstraction is key,
  include only relevant information
• can be from, or during, requirements analysis
  (but formal modelling can feed
• changes back into the requirements).- a high
  level view - allowing non-determinism/under-specif
  ication
• The most abstract specification is the root node
  of a tree
• What does the model describe?   - It models the
  state of a system and the changes that occur when
  operations are invoked.    - Each jump from
  one state to the next is modelled with atomic
  operations.    - Intermediate state is not
  visible.

7

• Why refine?   - To add more detail, remove
  non-determinism, move towards implementation.
    - but refinement is hard!! However, insight is
  gained into the system through the process.   -
  complexity can be handled by decomposition, and
  there are proposals for partitioning at the
  highest level of abstraction.
• Now for an example,
• - model of array objects (like in Java arrays)
• - two equivalent abstract models
• - no refinement

8
array_Set (set of possible instances)
Array Instances of type Integer
0..
capacity-1
Operations Constructor newArrayObject()
Operation Integer get(Integer i) Operation
set(Integer I, Integer v)
9
/ Violation of PRE is always a failure.
Someone else will handle the problem . PRE
will eventually be turned into guards (IF,
or Assertion handling, Exceptions) /
/ Guard not satisfied gives rise to
blocking behaviour , refusal. The
problem is handled by us! (Conditional
waits, IF, Assertions, Exceptions) /
10
Helping the prover
For the example one remaining PO to be
discharged interactively.
Use sl to select the following
hypotheses, capacity3 dom(contents)
arrayObject contents arrayObject? (0..2 -gt
INT)
Use ah to add the following hypotheses, 0INT 0
..capacity-1 0..2 0-gt0,1-gt0,2-gt0
(0..2-gtINT)