Structuring for Reuse: from B to EventB - PowerPoint PPT Presentation

1
Structuring for Reuse: from B to Event-B
Mike Poppleton, DSSE
2
Outline
  • Classical B recap
  • Structuring in classical B
  • Event-B recap
  • Towards structuring in Event-B
  • Fusion of events and models
  • Conclusion

3
Classical B quick recap
  • Model-based formal method, obvious LTS semantics
  • Unit of modularity: MACHINE
  • Static information: SETS, CONSTANTS, PROPERTIES
  • Dynamic state: VARIABLES, INVARIANT
  • Behaviour: INITIALIZATION, OPERATIONS
  • A partial Module Interconnection Language (MIL)
  • INCLUDES, EXTENDS, PROMOTES
  • IMPORTS, SEES

4
Classical B quick recap II
  • The atom of behaviour: the substitution
  • x := Exp(x,s,c)
  • x Pred(x0,x,s,c)
  • x :∈ SetExp()
  • is elaborated in the GSL (generalised
    substitution language)
  • PRE Pred THEN Sub END
  • CHOICE Sub1 OR Sub2 END
  • SELECT Pred1 THEN Sub1 WHEN Pred2 THEN Sub2
    ELSE ... END
  • ANY z WHERE Pred(z,x) THEN Sub(z,x) END
  • typically x := Exp(z,x)
  • IF Pred THEN Sub1 ELSE Sub2 END
  • etc

5
Structuring in Classical B: Operation-level
  • Remember:
  • B acts via call-/invocation-based preconditioned
    operations
  • Event-B acts via occurrence of enabled guarded
    events
  • Conditional substitutions
  • IF-THEN(-ELSE), SELECT(-ELSE), CASE(-ELSE)
  • Nesting of substitutions within such
  • (shades of von Neumann SSIR )
  • Operation call (of included by including machine
    operation)

6
Structuring in B: Machine-level
  • M INCLUDES N: internal reuse
  • M, N variables, operations distinct: Concatenate
    defns, conjoin predicates
  • operation call
  • o ← opM(i) ≙ SubsExp (ao ← opN(ai))
  • is realised by a substituted substitution
  • fo, fi := ao, ai <full text of definition of
    fo ← opN(fi)>

7
Structuring in B Machine-level II
  • M INCLUDES N
  • But
  • Included N ops not externally visible from M
  • In including op, at most one op of a given
    including machine can be called
  • Encapsulation: included vars writable only by
    included ops
  • ? Machine inclusion restriction on op call is
    presumably to guarantee variable distinctness ?

8
Structuring in B Machine-level II
  • M PROMOTES N.op1, N.op2 (M INCLUDES N)
  • M EXTENDS N: externally visible reuse
  • named/all included ops become full ops of
    including machine (ie externally visible)
  • ? but these ops are NOT internally callable ?

9
Structuring in B: Machine-level III
  • M USES N: elaborated inclusion, 2-step multiple
    reuse
  • M1, M2, M3 variables distinct
  • M1 -USES→ M2 ←USES- M3
  • INCLUDES
  • M
  • M1, M3 reuse static part of M2 without re-copying
    M2's text
  • M1, M3 can read M2 vars, cannot use M2 ops
  • M INCLUDES M1,M2,M3

10
Structuring in B: Implementation-level
  • M SEES N: implementation-level, for flexible
    visibility across the development tree
  • M, N variables distinct
  • Seen machine independence ⇒ Seeing INVARIANT
    cannot see seen VARIABLES
  • Contrast with INCLUDES/USES: specification-level
  • including/using INVARIANT can see included/used
    VARIABLES

11
Questions
  • Why were these structuring mechanisms removed in
    the evolution to Event-B ?
  • Elaborate and awkward visibility rulesets and POs
  • Elaborate and awkward structuring mechanism
    (haven't discussed REFINEMENTs, IMPLEMENTATIONs,
    IMPORT, SEES)
  • And said structuring can be inconsistent
    (Rouzaud, Potet, 1999)
  • ??
  • Should/can any of these mechanisms be introduced
    into Event-B (and if so, how) ?

12
Answers ?
  • Atomic conditional transition
  • No: use separate event for each conditional
    branch
  • Rely on event scheduling
  • ! But lose control over invocation
  • INCLUDES for internal operation call
  • No, as for (1.)
  • PROMOTES/EXTENDS
  • Yes, would like the reuse
  • USES
  • Would like the reuse without awkward MIL
    mechanisms to avoid multiple machine text copies
    (ie need more sophisticated textual composition)

13
Event-B
  • What's the evolution from Classical B?
  • ? Abrial doc

14
Event-B events consistency
  • MACHINE M, axioms P, invariant I, event e,
    variable v
  • e ≙ ANY t WHERE Q(t,v) THEN v := F(t,v) END
  • guard: G ≙ ∃t.Q(t,v)
  • before-after predicate:
  • E ≙ ∃t.(Q(t,v) ∧ v' = F(t,v))
  • consistency:
  • P ∧ I(v) ∧ G(v) ∧ E(v,v') ⇒ I(v')

16
Simple composition in Event-B (1)
  • Variables, events disjoint, ie PROMOTES/EXTENDS/USES
  • M(v, ei) N(w, fj)
  • concatenate definitions, conjoin predicates
  • No conflict: independent product of two models
  • Enabledness increases
  • Consistency is preserved trivially
  • IMN(v,w) ≙ IM(v) ∧ IN(w), eMN ≙ eM || skipN

17
Simple composition in Event-B (2)
  • (2) variables disjoint, events intersect, ie new
    (to Event-B)
  • eM ≙ ANY t WHERE QM(t,v) THEN v := FM(t,v) END
  • guard ∃t. QM(t,v); b-a pred ∃t.(QM(t,v) ∧
    v' = FM(t,v))
  • eN ≙ ANY u WHERE QN(u,w) THEN w := FN(u,w) END
  • guard ∃u. QN(u,w); b-a pred ∃u.(QN(u,w) ∧
    w' = FN(u,w))
  • ?
  • eMN ≙ ANY t,u WHERE QM(t,v) ∧ QN(u,w)
  • THEN v := FM(t,v) || w := FN(u,w) END
  • guard ∃t,u. (QM(t,v) ∧ QN(u,w))
  • b-a pred ∃t,u.(QM(t,v) ∧ QN(u,w) ∧ v' =
    FM(t,v) ∧ w' = FN(u,w))

18
Consistency for composition (2) ?
  • Enabledness OK
  • ∃t. QM(t,v) , ∃u. QN(u,w) ⇒ ∃t,u. (QM(t,v)
    ∧ QN(u,w))
  • (but we lose independent enabledness)
  • Consistency OK
  • distribution of ∃ through ∧ in combined guard,
    b-a predicate
  • NB: No communication between events
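
An added example, not part of the slides: a brute-force check of the consistency obligation and of compositions (1) and (2) on two constructed toy machines with disjoint variables. All names (inc, take, bad, lift_M, fuse, the invariants and state ranges) are hypothetical, and enumeration over a finite range stands in for proof.

```python
from itertools import product

# Constructed toy models; every name below is hypothetical.
# An event "ANY t WHERE Q(t,v) THEN v := F(t,v) END" is (params, Q, F).
V = W = range(-1, 6)                      # candidate states, wider than the invariants
I_M = lambda v: 0 <= v <= 3               # invariant of M
I_N = lambda w: 0 <= w <= 2               # invariant of N
inc  = ([1, 2], lambda t, v: v + t <= 3, lambda t, v: v + t)   # event of M
take = ([1],    lambda u, w: w - u >= 0, lambda u, w: w - u)   # event of N
bad  = ([1, 2], lambda t, v: True,       lambda t, v: v + t)   # guard too weak

def enabled(event, s):
    """Guard G: there is some parameter t with Q(t, s)."""
    params, Q, _ = event
    return any(Q(t, s) for t in params)

def consistent(states, inv, event):
    """Consistency PO by enumeration: I(v) and Q(t,v) imply I(F(t,v))."""
    params, Q, F = event
    return all(inv(F(t, s)) for s in states if inv(s)
               for t in params if Q(t, s))

def lift_M(eM):
    """Composition (1): eM in parallel with skipN on the state pair (v, w)."""
    pM, QM, FM = eM
    return (pM, lambda t, s: QM(t, s[0]), lambda t, s: (FM(t, s[0]), s[1]))

def fuse(eM, eN):
    """Composition (2): conjoin the guards, run both actions in parallel."""
    (pM, QM, FM), (pN, QN, FN) = eM, eN
    return (list(product(pM, pN)),
            lambda tu, s: QM(tu[0], s[0]) and QN(tu[1], s[1]),
            lambda tu, s: (FM(tu[0], s[0]), FN(tu[1], s[1])))

VW = list(product(V, W))                  # product state space
I_MN = lambda s: I_M(s[0]) and I_N(s[1])  # conjoined invariant

def guard_distributes(eM, eN):
    """Fused guard holds exactly where both component guards hold."""
    f = fuse(eM, eN)
    return all(enabled(f, s) == (enabled(eM, s[0]) and enabled(eN, s[1]))
               for s in VW)

if __name__ == "__main__":
    print(consistent(VW, I_MN, lift_M(inc)), consistent(VW, I_MN, fuse(inc, take)))
    print(guard_distributes(inc, take), enabled(fuse(inc, take), (0, 0)))
```

In state (0, 0) inc is enabled in M but the fused event is not, which is the lost independent enabledness noted above; bad fails the obligation on its own, so the check is not vacuous.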

19
Fusion composition in Event-B (3)
  • Variables intersect, events intersect ie new
  • NB (1, 2) are special cases of (3)

20
Fusion compositional composition