
COMP2111 Lecture 2 Session 1, 2013

Semantics, Refinement
Kai Engelhardt

Revision: 1.1

A definition of refinement

Given a pair of programs called concrete and abstract, the concrete program refines the abstract program correctly whenever the use of the concrete program does not lead to an observation which is not also an observation of the abstract program. [GM93]

Definition (refinement) Given a class Prog of programs, a set O of observations, and a function [[.]] : Prog → P(O) that maps each program to the set of observations that can be made when running the program, say that S ∈ Prog refines T ∈ Prog whenever [[S]] ⊆ [[T]], that is, if each observation made of program S is a potential observation of program T. The three parameters of this definition are Prog, O, and [[.]].

What does this have to do with Event-B?

The basic building block of an Event-B specification is a machine (AM). It consists of a couple of declarations, e.g., constraints, variables, sets, invariant, initialisation, and operations. We could use AMs as Prog. Event-B specifications express what a (component of a) system is supposed to provide at its interface. Event-B then guides towards an implementation of an Event-B specification. It claims that any implementation for which all arising proof obligations have been discharged satisfies the specification.

How can we be sure?

We can be sure (in a mathematical sense), because AMs have a formal semantics, there's a formal definition of refinement between the semantic objects denoted by AMs, and it can be shown that, when all arising proof obligations are discharged, the formal refinement criterion is satisfied. Consequently, Event-B is a sound method for proving refinement, meaning that if Event-B says it's a refinement on the syntactic level then it is a refinement on the semantic level. NB: There are refinements between AMs for which the proof obligations can't be discharged. Therefore, Event-B is incomplete.

Isolating the underlying principle

We'll study a simplified version which, at first glance, doesn't bear much resemblance to Event-B. We make the following simplifications: no distinction between syntax and semantics (only math), and no parameters for operations. What's left? States, named operations, and initialisation (and finalisation).

Whats inside an operation?

In Event-B, an operation takes the pre-state and the actual parameters into account when constraining the post-state. Since we abolished parameters, all that's left to observe of an operation is what it does to the program variables. An observation thus is a pair consisting of an initial state and a final state, so O is defined as the set of all such pairs of states. This matches the setting of sequential, imperative programs, as you know them from, e.g., COMP1927.

Option 1: total functions on states


Programs should be deterministic. This means that the only sets of observations we consider in this option are those sets of pairs representing total functions on the state space. So the mathematical object [[A]] denoted by A is a total function from the state space to itself.

Option 2: binary relations on states


Total functions on states can't model non-determinism; however, non-determinism helps us to postpone making decisions to later (implementation) stages and to keep the spec as simple and abstract as possible. In other words, even though programs should be deterministic, specs need not and often should not be. Example: A server has a bag of tasks that are to be done by a family of clients. The most natural way to model dishing out a task to an unoccupied client is to pick any task from the bag. As soon as there is more than one task in the bag, the operation is non-deterministic. An implementation would need to represent the bag of tasks, say, by a queue of bounded length, and provide a deterministic implementation for all operations.

If we relax the requirement that A be functional, we end up with A (denoting) a binary relation on the state space: [[A]] is an element of the powerset of the set of all pairs of states, where P(S) = { T : T ⊆ S } is the powerset of S. In Event-B we'd write [[A]] using its type of relations between the state space and itself.

Example: Flipping a coin fairly is not properly specifiable in B. Doing so requires means to express probabilistic aspects of a system, which are not available in B.[a]

[a] Carroll Morgan, Ken Robinson, and Thai Son Hoang (now with the Rodin team at ETH Zürich) once worked at CSE on an ARC-funded project to build a probabilistic version of the B tool, a predecessor of Rodin.

Option 3: binary relations on states + divergence

Binary relations on the state space don't express termination. The interpretation of a pair (initial state, final state) in [[A]] is that there exists a computation of A starting in the initial state and terminating in the final state. This means neither that all computations of A started in that initial state necessarily terminate, nor that such a computation, if it terminates, does so in that final state, if [[A]] also relates the initial state to some other final state.

Option 3 contd

The minimal remedy is to add a special bottom element, ⊥, to the state space, so the new state space consists of the original states plus ⊥. This special state is introduced to make divergence observable. In this model, observations are pairs whose final component may be ⊥. Having a pair (initial state, ⊥) in [[A]] means that a computation of A beginning in that initial state might not terminate. Absence of such a pair means that termination is guaranteed when starting the computation in that state.

Option 3 contd
Dealing with binary relations on the extended state space is quite tedious because one either has to change the definition of refinement to something other than ⊆ or throw in all pairs with a given initial state as soon as (initial state, ⊥) is present, just to be able to refine non-termination by any terminating behaviour.

Option 4: weakest precondition predicate transformer


A more abstract way to think about operations is to ask: what is it that we want our operations to do? One perfectly reasonable answer is: establish certain conditions on the post-state. We could model operations by functions from sets of post-states to sets of pre-states. Such functions are called predicate transformers. So A could be (denoting) a total function on the set of all subsets of the state space: [[A]] maps P(state space) to P(state space). This 4th option is the basis of the model underlying Event-B.

A maplet of a predicate transformer

Example (figure not reproduced)

Intuition
Question: What does it mean when A(post) = pre? Answer: When the operation A is invoked while the system is in a state contained in pre, then A is guaranteed to terminate in a state contained in post. Question (self test): What is A applied to the set of all states? Answer: the set of all states from which A is guaranteed to terminate.

Tiny Examples: A State Space


Let the state space be {x, y} → {0, 1}. There are 4 states: {x ↦ 0, y ↦ 0}, {x ↦ 0, y ↦ 1}, {x ↦ 1, y ↦ 0}, {x ↦ 1, y ↦ 1}, or, pictorially, a 2 × 2 grid indexed by x and y (figure not reproduced).

Tiny Examples: A Total Function on States


Let P = x := (y + 1) mod 2. According to Option 1 its semantics [[P]] has the type of total functions from the state space to itself, that is, it's a total function on the state space. (Figure of [[P]] on the 2 × 2 grid not reproduced.)

Tiny Examples: A Binary Relation on States


Consider Q = x :∈ {0, 1}. We can't express its semantics as a total function on states as above. Its relational semantics [[Q]] has the type of relations between the state space and itself, that is, it's a binary relation on the state space. (Figure of [[Q]] on the 2 × 2 grid not reproduced.)

Tiny Examples: A Binary Relation on States #2


Consider R = while x = 0 do x :∈ {0, 1} y := (y + 1) mod 2 end. The relational semantics [[x :∈ {0, 1} y := (y + 1) mod 2]] of its body is pictured on the 2 × 2 grid (figure not reproduced).

Tiny Examples: A Binary Relation on States #3


The loop test x = 0 can also be interpreted as a binary relation (figure on the 2 × 2 grid not reproduced).

When started in a state satisfying x = 0, program R can terminate or diverge.

Sequential Composition

Sequential composition (;) in syntax maps to relational composition (; in Event-B) in semantics: P ; Q = { (a, c) : ∃b ((a, b) ∈ P ∧ (b, c) ∈ Q) }
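
The relational semantics of the tiny examples above and the composition law, as an added example that is not from the lecture notes (the encoding of states as frozensets of (variable, value) pairs and the helper names are my own):

```python
# Relational semantics (Option 2) on the tiny state space {x, y} -> {0, 1}.
# Constructed example: states are frozensets of (variable, value) pairs.
from itertools import product

VALUES = (0, 1)

def state(x, y):
    return frozenset((("x", x), ("y", y)))

STATES = [state(x, y) for x, y in product(VALUES, VALUES)]   # the 4 states

def val(s, v):
    return dict(s)[v]

def assign_x_from_y():
    """[[x := (y + 1) mod 2]] (P): exactly one post-state per pre-state."""
    return {(s, state((val(s, "y") + 1) % 2, val(s, "y"))) for s in STATES}

def choose_x():
    """[[x :in {0, 1}]] (Q): two post-states per pre-state, so not a function."""
    return {(s, state(v, val(s, "y"))) for s in STATES for v in VALUES}

def test_x_is_0():
    """The loop test x = 0 as a relation: the identity on the states satisfying it."""
    return {(s, s) for s in STATES if val(s, "x") == 0}

def compose(P, Q):
    """P ; Q = {(a, c) : exists b. (a, b) in P and (b, c) in Q}"""
    return {(a, c) for (a, b) in P for (b2, c) in Q if b == b2}

def is_total_function(rel):
    """Option 1 applies only if every pre-state has exactly one post-state."""
    return all(len({t for (s, t) in rel if s == p}) == 1 for p in STATES)

def refines(S, T):
    """Option 2 refinement: every observation of S is an observation of T."""
    return S <= T
```

Composing the non-deterministic choice with the deterministic assignment gives back [[P]], because the later assignment overwrites x; the deterministic P refines Q, but not the other way round.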


The choice

For the sake of simplicity we'll stick to the 2nd option. Recall that this implies that we'll be ignoring termination issues.

Whats outside an operation?


Does it operate in a state space that only knows about the variables, say, a, introduced by the AM? No; especially in our model, this is insufficient. An initialisation should introduce and, well, initialise the variables a, but it might want to do so depending on values of variables outside the AM, as one could do by providing actual parameters to an AM. Similarly, an operation might take actual parameter values into account and return values that are used outside the AM. All this suggests that, to model these aspects of the behaviour and to be able to observe them, one needs more than just a. What that "more" is in practice depends on the context of an AM. For our purposes, it suffices to fix one such context and then talk about replacing one AM (the spec) in that context by another AM (the implementation).

Why do we need variables outside?

Let I be the so-called unit state space, the functions from the empty set of variables to V, containing a single state 1 that gives no value to any variable. If we indeed limited our attention to just a, an initialisation would be a binary relation from I to the states of a, and a finalisation a binary relation from the states of a back to I. Consequently, there'd be only one possible observation, 1 ↦ 1. So all that's observable of a sequence of operations is whether its computation potentially terminates, but all the information about what these operations did to the outside is lost.

Definition (data type) Given a finite set of variables x ∈ P(Var), called normal variables, another (disjoint) finite set of variables a ∈ P(Var), called representation variables, and a finite index set J, define the normal state space as the set of functions from x to V and the extended state space as the set of functions from x ∪ a to V. Let each operation Aj, for j ∈ J, be a binary relation on the extended state space. Let the initialisation AI be a relation from the normal state space to the extended state space, and the finalisation AF a relation from the extended state space to the normal state space. Then we call A = (AI, (Aj)j∈J, AF) a data type.
Data types can be understood as semantic objects representing simplified Event-B machines. They are mathematical objects, not Event-B syntax. What we observe of a data type depends on the sequence of operations we choose to invoke. To compare observations of two data types executing the same sequence of operations we need to enclose the sequences in initialisations and finalisations.

Renement
Definition (data type refinement) Data type C = (CI, (Cj)j∈J, CF) refines data type A = (AI, (Aj)j∈J, AF) iff, for all finite sequences s over J:
CI ; Cs(1) ; Cs(2) ; ... ; Cs(|s|) ; CF ⊆ AI ; As(1) ; As(2) ; ... ; As(|s|) ; AF

(Diagram of the two composed sequences not reproduced.)

How to prove renement?

Instead of proving infinitely many proof obligations directly we use induction on the length of s.

A closer look at the induction suggested reveals that we need to find a refinement relation R between the extended abstract state space and the extended concrete state space, connecting abstract states to concrete ones. Once we've found such a relation, the induction goes through as soon as we can discharge 2 + |J| proof obligations:
(1) CI ⊆ AI ; R
(2) R ; Cj ⊆ Aj ; R, for all j ∈ J
(3) R ; CF ⊆ AF

The proof technique consisting of these proof obligations is known in the literature as forward simulation (or downward simulation). These names were inspired by how the induction proceeds (left to right), resp., what direction the refinement relation has (from abstract down to concrete states).

That this proposed proof technique indeed establishes refinement is the subject of the theorem below. This theorem proves once and for all that proof obligations (1)-(3) are sufficient conditions for refinement. If we can discharge these proof obligations for a given pair of data types, we don't have to worry about giving another induction proof. Theorem (soundness of forward simulation) If (1)-(3) hold then C refines A.
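
The three proof obligations, and the refinement definition they are meant to replace, checked mechanically on the server's bag-of-tasks specification from earlier in the lecture, refined by a queue. This is an added example, not from the lecture notes; the task set, the two data types, their normal variable out, and the relation R are constructed for it.

```python
# Forward simulation obligations (1)-(3) for the bag-of-tasks spec A refined by
# a queue implementation C. Constructed example: tasks, data types and R are mine.
from itertools import combinations, permutations, product

TASKS = ("t1", "t2")
OUTS = (None,) + TASKS                       # normal variable "out": last task served
BAGS = [frozenset(c) for n in range(len(TASKS) + 1) for c in combinations(TASKS, n)]
QUEUES = [q for b in BAGS for q in permutations(b)]   # bounded queues without repeats

def compose(P, Q):
    """Relational composition P ; Q."""
    return {(a, c) for (a, b) in P for (b2, c) in Q if b == b2}

# Abstract data type A: state (out, bag); "serve" picks any pending task.
AI = {(o, (o, frozenset(TASKS))) for o in OUTS}            # start with all tasks pending
A_OPS = {"serve": {((o, b), (t, b - {t})) for o in OUTS for b in BAGS for t in b}}
for t in TASKS:
    A_OPS["add_" + t] = {((o, b), (o, b | {t})) for o in OUTS for b in BAGS}
AF = {((o, b), o) for o in OUTS for b in BAGS}              # finalisation forgets the bag

# Concrete data type C: state (out, queue); "serve" takes the head of the queue.
CI = {(o, (o, TASKS)) for o in OUTS}
C_OPS = {"serve": {((o, q), (q[0], q[1:])) for o in OUTS for q in QUEUES if q}}
for t in TASKS:
    C_OPS["add_" + t] = {((o, q), (o, q if t in q else q + (t,)))
                         for o in OUTS for q in QUEUES}
CF = {((o, q), o) for o in OUTS for q in QUEUES}
# Refinement relation R: same "out", and the queue holds exactly the bag's tasks.
R = {((o, b), (o, q)) for o in OUTS for b in BAGS for q in QUEUES if frozenset(q) == b}

def forward_simulation(rel):
    """Numbers of the obligations (1)-(3) that fail; [] means rel is a forward simulation."""
    failed = []
    if not CI <= compose(AI, rel):                                                # (1)
        failed.append(1)
    if not all(compose(rel, C_OPS[j]) <= compose(A_OPS[j], rel) for j in A_OPS):  # (2)
        failed.append(2)
    if not compose(rel, CF) <= AF:                                                # (3)
        failed.append(3)
    return failed

def observations(init, ops, fin, s):
    """init ; ops[s(1)] ; ... ; ops[s(|s|)] ; fin: what one operation sequence can show."""
    rel = init
    for j in s:
        rel = compose(rel, ops[j])
    return compose(rel, fin)

def refines_up_to(length):
    """The refinement definition checked directly for all sequences of at most `length` ops."""
    seqs = [()] + [s for n in range(1, length + 1) for s in product(A_OPS, repeat=n)]
    return all(observations(CI, C_OPS, CF, s) <= observations(AI, A_OPS, AF, s) for s in seqs)
```

A relation that only matches the out values but ignores the bag fails obligation (2): from an empty bag the abstract serve cannot move, while the queue it is paired with may still serve.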

Proof
by induction on the length of the sequence s of operation names from J. Let B = (BI, (Bj)j∈J, BF) and define a function seq that turns sequences of operation names into binary relations by sequentially composing operations of a data type:
seq(B, []) = id
seq(B, s j) = seq(B, s) ; Bj   (where s j is the sequence s extended by j)
Then our proof obligation for data refinement between C and A becomes
(4) for all finite sequences s over J: CI ; seq(C, s) ; CF ⊆ AI ; seq(A, s) ; AF

(4) is unsuitable as induction claim. What works is
(5) for all finite sequences s over J: R ; seq(C, s) ⊆ seq(A, s) ; R
Once we have that, we can conclude, for any s:
R ; seq(C, s) ⊆ seq(A, s) ; R
⇒ R ; seq(C, s) ; CF ⊆ seq(A, s) ; R ; CF
⇒ R ; seq(C, s) ; CF ⊆ seq(A, s) ; AF   (by (3))
⇒ AI ; R ; seq(C, s) ; CF ⊆ AI ; seq(A, s) ; AF
⇒ CI ; seq(C, s) ; CF ⊆ AI ; seq(A, s) ; AF   (by (1))

(5) follows by induction:
base case s = []: R ; seq(C, []) = R ; id = R = id ; R = seq(A, []) ; R
inductive case s = s' j for some j ∈ J and some shorter sequence s' over J:
R ; seq(C, s' j)
= R ; seq(C, s') ; Cj   (by def. of seq)
⊆ seq(A, s') ; R ; Cj   (by the ind. hyp.)
⊆ seq(A, s') ; Aj ; R   (by (2))
= seq(A, s' j) ; R   (by def. of seq)

Incompleteness of forward simulation


There are refinements between data types that cannot be proven using forward simulation only.

Example: Consider the following two data types A and C with only two operations (index set J = {1, 2}).
A = (AI, (Ai)i∈{1,2}, AF)
AI = {… ↦ a0}
A1 = {a0 ↦ a1, a0 ↦ a2}
A2 = {a1 ↦ a3, a2 ↦ a4}
AF = {a3 ↦ …, a4 ↦ …}
C = (CI, (Ci)i∈{1,2}, CF)
CI = {… ↦ c0}
C1 = {c0 ↦ c1}
C2 = {c1 ↦ c3, c1 ↦ c4}
CF = {c3 ↦ …, c4 ↦ …}

Example: The only sequence of operations worth investigating for either data type is [1, 2] because all other sequences, when enclosed in initialisation and finalisation, equal the empty relation. For data type C, when enclosed in initialisation and finalisation, the interesting sequence CI ; C1 ; C2 ; CF is a relation of two pairs. The enclosed sequence AI ; A1 ; A2 ; AF denotes that same relation; thus C refines A.

(Diagram of the states a0 to a4 of A, the states c0 to c4 of C, their operations and the relation R not reproduced.)

Example: Assume R is a forward simulation relation between (AI, (Aj)j∈{1,2}, AF) and (CI, (Cj)j∈{1,2}, CF) where the relations in question are those depicted above.
1. CI ⊆ AI ; R, thus (a0, c0) ∈ R.
2. R ; C1 ⊆ A1 ; R, thus one of (a1, c1) and (a2, c1) is in R. W.l.o.g. assume that (a1, c1) ∈ R.
3. R ; C2 ⊆ A2 ; R, thus (a3, c4) ∈ R.
4. R ; CF ⊆ AF, which implies that (a3, …) ∈ AF, pairing a3 with the value CF gives to c4; however, AF is only {(a3, …), (a4, …)}: contradiction!

Consequently, forward simulation is incomplete. It is beyond the scope of this course to show that the combination of forward simulation with backward simulation, that is, a proof technique that can be seen as the mirror image of forward simulation, is complete [dRE98]. Backward simulation can be derived in the same way as forward simulation, only with the wave of inclusions going right to left, i.e., backward.

[dRE98] Willem-Paul de Roever and Kai Engelhardt. Data Refinement: Model-Oriented Proof Methods and their Comparison. Number 47 in Cambridge Tracts in Theoretical Computer Science. Cambridge University Press, 1998.
[GM93] Paul H. B. Gardiner and Carroll C. Morgan. A single complete rule for data refinement. Formal Aspects of Computing, 5(4):367–382, 1993.