Lecture 02 java
Transcript of Lecture 02 java
8/12/2019 Lecture 02 java
1/42
COMP2111 Lecture 2
Session 1, 2013
Semantics, Refinement
Kai Engelhardt
Revision: 1.1
A definition of refinement
Given a pair of programs called concrete and abstract, the concrete program refines the abstract program correctly whenever the use of the concrete program does not lead to an observation which is not also an observation of the abstract program. [GM93]
Definition (refinement)
Given a class Prog of programs, a set O of observations, and a function [[.]] from Prog to P(O) that maps each program to the set of observations that can be made when running the program, say that S in Prog refines T in Prog whenever [[S]] ⊆ [[T]], that is, if each observation made of program S is a potential observation of program T.
The three parameters of this definition are Prog, O, and [[.]].
What does this have to do with Event-B?
The basic building block of an Event-B specification is a machine (AM). It consists of a couple of declarations, e.g., constraints, variables, sets, invariant, initialisation, and operations. We could use AMs as Prog. Event-B specifications express what a (component of a) system is supposed to provide at its interface. Event-B then guides towards an implementation of an Event-B specification. It claims that any implementation for which all arising proof obligations have been discharged satisfies the specification.
How can we be sure?
We can be sure (in a mathematical sense), because AMs have a formal semantics, there's a formal definition of refinement between semantic objects denoted by AMs, and it can be shown that, when all proof obligations arising are discharged, it follows that the formal refinement criterion is satisfied. Consequently, Event-B is a sound method for proving refinement, meaning that if Event-B says it's a refinement on the syntactic level then it is a refinement on the semantic level.
NB: There are refinements between AMs for which the proof obligations can't be discharged. Therefore, Event-B is incomplete.
Isolating the underlying principle
We'll study a simplified version which, at first glance, doesn't bear much resemblance to Event-B. We make the following simplifications:
no distinction between syntax and semantics, only math
no parameters for operations
What's left?
states
named operations
initialisation (and finalisation)
Whats inside an operation?
In Event-B, an operation takes the pre-state and the actual parameters into account when constraining the post-state. Since we abolished parameters, all that's left to observe of an operation is what it does to the program variables. An observation thus is a pair consisting of an initial state and a final state:
O def=
This matches the setting of sequential, imperative programs, as you know them from, e.g., COMP1927.
Option 1: total functions on states
Programs should be deterministic. This means that the only sets of observations we consider in this option are those sets of pairs representing total functions on the state space. So the mathematical object [[A]] denoted by A is an element of the set of total functions on the state space.
[[A]]
Example: [diagram of [[A]] as a total function on states; not recovered]
Option 2: binary relations on states
Total functions on states can't model non-determinism; however, non-determinism helps us to postpone making decisions to later (implementation) stages and to keep the spec as simple and abstract as possible. In other words, even though programs should be deterministic, specs need not and often should not.
Example
A server has a bag of tasks that are to be done by a family of clients. The most natural way to model dishing out a task to an unoccupied client is to pick any task from the bag. As soon as there is more than one task in the bag, the operation is non-deterministic. An implementation would need to represent the bag of tasks, say, by a queue of bounded length, and provide a deterministic implementation for all operations.
If we relax the requirement that A be functional, we end up with A (denoting) a binary relation on the state space:
[[A]] is an element of P(the set of all pairs of states)
where P(S) = {T : T ⊆ S} is for powerset. In Event-B we'd write
[[A]]
Example: [diagram not recovered]
Example
Flipping a coin fairly is not properly specifiable in B. Doing so requires means to express probabilistic aspects of a system not available in B.[a]
[a] Carroll Morgan, Ken Robinson, and Thai Son Hoang (now with the Rodin team at ETH Zurich) once worked at CSE on an ARC-funded project to build a probabilistic version of the B tool, a predecessor of Rodin.
Option 3: binary relations on states + divergence
Binary relations on the state space don't express termination. The interpretation of a pair (initial state, final state) in [[A]] is that there exists a computation of A starting in the initial state and terminating in the final state. This means neither that all computations of A started in that initial state necessarily terminate, nor that such a computation, if it terminates, does so in that final state if there is a different final state paired with the same initial state in [[A]].
Option 3 contd
The minimal remedy is to add a special bottom element, ⊥, to the state space, so the new state space becomes the old one extended by {⊥}. This special state is introduced to make divergence observable. In this model, observations are pairs over the extended state space. Having a pair (initial state, ⊥) in [[A]] means that the computation of A beginning in that state might not terminate. Absence of such a pair means that termination is guaranteed when starting the computation in that state.
Option 3 cont'd
Dealing with binary relations on the extended state space is quite tedious because one either has to change the definition of refinement to something other than ⊆ or throw in all pairs with a given initial state as soon as the pair of that initial state with ⊥ is present, just to be able to refine non-termination by any terminating behaviour.
[[A]]
Example: [diagram not recovered]
Option 4: weakest precondition predicate transformer
A more abstract way to think about operations is to ask: what is it that we want our operations to do? One perfectly reasonable answer is: establish certain conditions on the post-state. We could model operations by functions from sets of post-states to sets of pre-states. Such functions are called predicate transformers. So A could be (denoting) a total function on the set P(state space) of all subsets of the state space.
[[A]] : P() P()
This 4th option is the basis of the model underlying Event-B.
A maplet of a predicate transformer
Example: [diagram of one maplet of a predicate transformer; not recovered]
Intuition
Question
What does it mean when A(post) = pre?
Answer
When the operation A is invoked while the system is in a state contained in pre, then A is guaranteed to terminate in a state contained in post.
Question (Self test)
What is A applied to the set of all states?
Answer
The set of all states for which A is guaranteed to terminate.
Tiny Examples: A State Space
Let the state space be the set of functions from {x, y} to {0, 1}. There are 4 states: {{x ↦ 0, y ↦ 0}, {x ↦ 0, y ↦ 1}, {x ↦ 1, y ↦ 0}, {x ↦ 1, y ↦ 1}}, or, pictorially:
[2×2 grid with x ∈ {0, 1} across and y ∈ {0, 1} down; diagram not recovered]
Tiny Examples: A Total Function on States
Let P = x := (y + 1) mod 2. According to Option 1, its semantics [[P]] is a total function on the state space.
[diagram: [[P]] drawn as arrows between two copies of the state grid; not recovered]
Tiny Examples: A Binary Relation on States
Consider Q = x :∈ {0, 1}. We can't express its semantics as a total function on states as above. Its relational semantics [[Q]] is a binary relation on the state space.
[diagram: [[Q]] drawn as arrows between two copies of the state grid; not recovered]
Tiny Examples: A Binary Relation on States #2
Consider R = while x = 0 do x :∈ {0, 1} y := (y + 1) mod 2 end. The relational semantics [[x :∈ {0, 1} y := (y + 1) mod 2]] of its body is:
[diagram: the body relation drawn as arrows between two copies of the state grid; not recovered]
Tiny Examples: A Binary Relation on States #3
The loop test x = 0 can also be interpreted as a binary relation:
[diagram: the test relation drawn as arrows between two copies of the state grid; not recovered]
When started in a state satisfying x = 0, program R can terminate or diverge.
Sequential Composition
Sequential composition (;) in syntax maps to relational composition (; in Event-B) in semantics.
P;Q = {(a, c) : there is a b with (a, b) in P and (b, c) in Q}
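The tiny examples of slides 17 to 21 and the composition of slide 22, worked through in Python as an added example; this code is not from the lecture. It represents a state as the pair (value of x, value of y), names the divergence state of Option 3 BOTTOM, and reads the two updates in the body of R as happening within one loop iteration (they touch different variables, so the reading does not change the relation). It goes slightly beyond the slides by also computing the weakest-precondition transformer of Option 4 from a relation, so the self-test question of slide 16 can be answered mechanically.

```python
# Added example, not from the lecture slides: the four-state space of slide 17, the
# programs P, Q, R of slides 18-21 as relations on states, the divergence state of
# Option 3, relational composition (slide 22), refinement as inclusion, and the
# weakest-precondition predicate transformer of Option 4.
from itertools import product

BOTTOM = "bottom"                              # Option 3: the extra state observed on divergence
STATES = frozenset(product((0, 1), (0, 1)))    # a state is the pair (value of x, value of y)


def compose(P, Q):
    """P;Q = {(a, c) : there is b with (a, b) in P and (b, c) in Q} (slide 22)."""
    return {(a, c) for (a, b) in P for (b2, c) in Q if b == b2}


def refines(S, T):
    """S refines T when every observation of S is one of T: [[S]] is a subset of [[T]]."""
    return S <= T


def total_function(f):
    """Option 1: a deterministic program is the graph of a total function on STATES."""
    return {(s, f(s)) for s in STATES}


# Slide 18: P = x := (y + 1) mod 2, a total function on states.
P = total_function(lambda s: ((s[1] + 1) % 2, s[1]))
# Slide 19: Q = x :∈ {0, 1}, a proper relation (Option 2): x may become 0 or 1, y is unchanged.
Q = {(s, (x, s[1])) for s in STATES for x in (0, 1)}
# Slide 20: the body of R, x :∈ {0, 1} together with y := (y + 1) mod 2, taken as one iteration
# (the two updates touch different variables, so their order does not matter).
BODY = {(s, (x, (s[1] + 1) % 2)) for s in STATES for x in (0, 1)}
# Slide 21: the loop test x = 0 as a relation (identity on the states satisfying it).
TEST = {(s, s) for s in STATES if s[0] == 0}


def reachable(step, start):
    """States reachable from start by one or more steps of the relation step."""
    seen, frontier = set(), [start]
    while frontier:
        s = frontier.pop()
        for (u, t) in step:
            if u == s and t not in seen:
                seen.add(t)
                frontier.append(t)
    return seen


def loop_semantics(test, body):
    """Option 3 relation of `while test do body end`: (s, t) for every run from s that
    exits in t, plus (s, BOTTOM) whenever an infinite run from s exists. On a finite
    state space an infinite run is a reachable cycle through test-satisfying states."""
    sat = {s for (s, _) in test}
    step = compose(test, body)                  # one iteration, only from test-satisfying states
    rel = set()
    for s0 in STATES:
        reach = {s0} | reachable(step, s0)      # states after zero or more iterations
        rel |= {(s0, t) for t in reach if t not in sat}        # the loop exits in t
        if any(t in reachable(step, t) for t in reach if t in sat):
            rel.add((s0, BOTTOM))                              # a cycle: possible divergence
    return rel


R = loop_semantics(TEST, BODY)


def wp(A, post):
    """Option 4: the predicate transformer of relation A. wp(A, post) is the set of start
    states from which A is guaranteed to terminate in a state of post (slide 16).
    BOTTOM is never in post, so a start state with a possibly divergent run is excluded.
    All relations here are total on STATES, so no start state passes vacuously."""
    return {s for s in STATES if all(t in post for (u, t) in A if u == s)}


if __name__ == "__main__":
    print("P refines Q:", refines(P, Q), " Q refines P:", refines(Q, P))
    print("R from x = 0 states:", sorted((str(s), str(t)) for (s, t) in R if s[0] == 0))
    print("states where R surely terminates:", sorted(wp(R, STATES)))
```

Running it shows that the deterministic P refines the non-deterministic Q but not the other way round, that from the two x = 0 states R may exit in either x = 1 state or diverge (the pairs with BOTTOM), and that wp(R, STATES), the answer to the self-test question, is exactly the two x = 1 states, matching slide 21.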
Whats outside an operation?
Does it operate in a state space that only knows about the variables, say, a, introduced by the AM? No, especially in our model, this is insufficient. An initialisation should introduce and, well, initialise variables a, but it might want to do so depending on values of variables outside the AM, as one could do by providing actual parameters to an AM. Similarly, an operation might take actual parameter values into account and return values that are used outside the AM. All this suggests that, to model these aspects of the behaviour and to be able to observe this, one needs more than just a. What that more is in practice depends on the context of an AM. For our purposes, it suffices to fix one such context and then talk about replacing one AM (the spec) in that context by another AM (the implementation).
Why do we need variables outside?
Let I be the so-called unit state space, the functions from {} to V, containing a single state 1 that gives no value to any variable. If we indeed limited our attention to just a, an initialisation would be a binary relation from I to the a-state space, and a finalisation one from the a-state space to I. Consequently, there'd be only one possible observation, 1 ↦ 1. So all that's observable of a sequence of operations is whether its computation potentially terminates, but all the information about what these operations did to the outside is lost.
Definition (data type)
Given a finite set of variables x ∈ P(Var), called normal variables, another (disjoint) finite set of variables a ∈ P(Var), called representation variables, and a finite index set J, define the normal state space as the set of functions from x to V and the representation state space as the set of functions from the union of x and a to V. Let each Aj, for j ∈ J, be a binary relation on the representation state space. Let the initialization AI be a relation from the normal state space to the representation state space, and the finalization AF a relation from the representation state space to the normal state space. Then we call
A = (AI, (Aj)j∈J, AF)
a data type.
Data types can be understood as semantic objects representing simplified Event-B machines. They are mathematical objects, not Event-B syntax. What we observe of a data type depends on the sequence of operations we choose to invoke. To compare observations of two data types executing the same sequence of operations we need to brace the sequences in initialisations and finalisations.
Refinement
Definition (data type refinement)
Data type C = (CI, (Cj)j∈J, CF) refines data type A = (AI, (Aj)j∈J, AF) iff, for all finite sequences s over J:
CI; Cs(1); Cs(2); ...; Cs(|s|); CF ⊆ AI; As(1); As(2); ...; As(|s|); AF
[diagram: the chain AI, As(1), As(2), ..., As(|s|), AF drawn above the chain CI, Cs(1), Cs(2), ..., Cs(|s|), CF; not recovered]
How to prove refinement?
Instead of proving infinitely many proof obligations directly we use induction on the length of s.
A closer look at the induction suggested reveals that we need to find a refinement relation R from abstract states to concrete ones. Once we've found such a relation, the induction goes through as soon as we can discharge 2 + |J| proof obligations:
CI ⊆ AI; R   (1)
R; Cj ⊆ Aj; R, for all j ∈ J   (2)
R; CF ⊆ AF   (3)
The proof technique consisting of these proof obligations is known in the literature as forward simulation (or downward simulation). These names were inspired by how the induction proceeds (left to right), resp., what direction the refinement relation has (from abstract down to concrete states).
That this proposed proof technique indeed establishes refinement is the subject of the theorem below. This theorem proves once and for all that proof obligations (1) to (3) are sufficient conditions for refinement. If we can discharge these proof obligations for a given pair of data types, we don't have to worry about giving another induction proof.
Theorem (soundness of forward simulation)
If (1), (2) and (3) hold, then C refines A.
Proof
By induction on the length of the sequence s over J of operation names. Let B = (BI, (Bj)j∈J, BF) and define a function seq that turns sequences of operation names into binary relations by sequentially composing operations of a data type:
seq(B, [ ]) = id
seq(B, sj) = seq(B, s); Bj
Then our proof obligation for data refinement between C and A becomes
for all s over J: CI; seq(C, s); CF ⊆ AI; seq(A, s); AF   (4)
(4) is unsuitable as induction claim. What works is
for all s over J: R; seq(C, s) ⊆ seq(A, s); R   (5)
Once we have that, we can conclude, for any s over J:
R; seq(C, s) ⊆ seq(A, s); R   by (5)
R; seq(C, s); CF ⊆ seq(A, s); R; CF ⊆ seq(A, s); AF   composing with CF on the right, then (3)
AI; R; seq(C, s); CF ⊆ AI; seq(A, s); AF   composing with AI on the left
CI; seq(C, s); CF ⊆ AI; seq(A, s); AF   by (1), since CI ⊆ AI; R
(5) follows by induction. Base case s = [ ]:
R; seq(C, [ ]) = R; id = R = id; R = seq(A, [ ]); R
Inductive case s = s'j for some j ∈ J and some sequence s' over J:
R; seq(C, s'j) = R; seq(C, s'); Cj   by def. of seq
⊆ seq(A, s'); R; Cj   by the ind. hyp.
⊆ seq(A, s'); Aj; R   by (2)
= seq(A, s'j); R   by def. of seq
Incompleteness of forward simulation
There are refinements between data types that cannot be proven using forward simulation only.
Example
Consider the following two data types A and C with only two operations (index set J = {1, 2}).
A = (AI, (Ai)i∈{1,2}, AF)
C = (CI, (Ci)i∈{1,2}, CF)
AI = { ↦ a0}   CI = { ↦ c0}
A1 = {a0 ↦ a1, a0 ↦ a2}   C1 = {c0 ↦ c1}
A2 = {a1 ↦ a3, a2 ↦ a4}   C2 = {c1 ↦ c3, c1 ↦ c4}
AF = {a3 ↦ , a4 ↦ }   CF = {c3 ↦ , c4 ↦ }
Example
The only sequence of operations worth investigating for either data type is [1, 2], because all other sequences, when enclosed in initialisation and finalisation, equal the empty relation. For data type C, when enclosed in initialization and finalization, the interesting sequence CI;C1;C2;CF is the relation { , }. The enclosed sequence AI;A1;A2;AF denotes { , }; thus C refines A.
[diagram: CI, C1, C2, CF over the states c0, c1, c3, c4 drawn above AI, A1, A2, AF over the states a0, a1, a2, a3, a4, with the candidate relation R between the two; not recovered]
Example
Assume R is a forward simulation relation between (AI, (Aj)j∈{1,2}, AF) and (CI, (Cj)j∈{1,2}, CF), where the relations in question are those depicted above.
1. CI ⊆ AI; R, thus (a0, c0) ∈ R.
2. R; C1 ⊆ A1; R, thus one of (a1, c1) and (a2, c1) is in R. W.l.o.g. assume that (a1, c1) ∈ R.
3. R; C2 ⊆ A2; R, thus (a3, c4) ∈ R.
4. R; CF ⊆ AF, which implies that (a3, ) ∈ AF; however, AF is only {(a3, ), (a4, )}: contradiction!
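The data types of slide 29, the refinement definition of slide 30 and the proof obligations (1) to (3) of slide 32, applied to the two data types of slide 38, as an added Python example; this is not the lecture's own code. It assumes that both initialisations start from the unit state 1 of slide 28, that the final values reached by AF and CF, which did not survive extraction above, are two distinct values f3 and f4 (the contradiction on slide 40 needs a3 and a4 to finalise differently), and all function names are my own. Beyond the slides, greatest_simulation decides whether any forward simulation exists at all: obligations (2) and (3) are preserved by union, so a largest relation satisfying them exists, and (1) only gets easier for a larger R, so checking (1) on that largest relation settles the question.

```python
# Added example, not from the lecture slides: data types (slide 29), the refinement
# check of slide 30 for bounded sequence length, the forward simulation obligations
# (1)-(3) of slide 32, and a decision procedure for their existence on finite state
# spaces, run on the two data types of slide 38.
from itertools import product


def compose(P, Q):
    """Relational composition P;Q (slide 22)."""
    return {(a, c) for (a, b) in P for (b2, c) in Q if b == b2}


def seq(dt, s):
    """seq(dt, []) = id and seq(dt, sj) = seq(dt, s); dt_j (slide 35)."""
    rel = {(x, x) for x in dt["states"]}
    for j in s:
        rel = compose(rel, dt["ops"][j])
    return rel


def observations(dt, s):
    """The relation I; seq(dt, s); F observed when running the operation sequence s."""
    return compose(compose(dt["init"], seq(dt, s)), dt["fin"])


def refines_upto(conc, abstr, J, max_len):
    """Data type refinement (slide 30) checked for every sequence over J of length at
    most max_len; exact for acyclic data types whose longest enabled run is that short."""
    return all(observations(conc, s) <= observations(abstr, s)
               for n in range(max_len + 1) for s in product(J, repeat=n))


def is_forward_simulation(R, abstr, conc, J):
    """The three proof obligations of slide 32 for a candidate relation R."""
    po1 = conc["init"] <= compose(abstr["init"], R)                                   # (1)
    po2 = all(compose(R, conc["ops"][j]) <= compose(abstr["ops"][j], R) for j in J)  # (2)
    po3 = compose(R, conc["fin"]) <= abstr["fin"]                                     # (3)
    return po1 and po2 and po3


def greatest_simulation(abstr, conc, J):
    """Largest R satisfying (2) and (3). Both are preserved by union, so a greatest
    solution exists; it is the fixpoint of deleting every pair (a, c) whose concrete
    successors or final value cannot be matched from a under the current R."""
    R = set(product(abstr["states"], conc["states"]))
    changed = True
    while changed:
        changed = False
        for (a, c) in list(R):
            # (3) locally: every finalisation of c must also be a finalisation of a
            bad = any((a, f) not in abstr["fin"] for (c2, f) in conc["fin"] if c2 == c)
            # (2) locally: every j-step of c must be matched by a j-step of a that lands in R
            for j in J:
                for (c2, c_next) in conc["ops"][j]:
                    if c2 == c and not any((a, a_next) in abstr["ops"][j]
                                           and (a_next, c_next) in R
                                           for a_next in abstr["states"]):
                        bad = True
            if bad:
                R.discard((a, c))
                changed = True
    return R


def forward_simulation_exists(abstr, conc, J):
    """Every forward simulation is contained in the greatest solution of (2) and (3),
    and (1) only gets easier for a larger R, so checking (1) there decides existence."""
    return is_forward_simulation(greatest_simulation(abstr, conc, J), abstr, conc, J)


# Slide 38 data types. UNIT is the unit state 1 of slide 28 (assumed as the common
# initial state); f3 and f4 are the assumed, distinct final values of AF and CF.
UNIT = "1"
J = (1, 2)
A = {"states": {"a0", "a1", "a2", "a3", "a4"},
     "init": {(UNIT, "a0")},
     "ops": {1: {("a0", "a1"), ("a0", "a2")}, 2: {("a1", "a3"), ("a2", "a4")}},
     "fin": {("a3", "f3"), ("a4", "f4")}}
C = {"states": {"c0", "c1", "c3", "c4"},
     "init": {(UNIT, "c0")},
     "ops": {1: {("c0", "c1")}, 2: {("c1", "c3"), ("c1", "c4")}},
     "fin": {("c3", "f3"), ("c4", "f4")}}

if __name__ == "__main__":
    print("C refines A:", refines_upto(C, A, J, 3))
    print("forward simulation from A to C exists:", forward_simulation_exists(A, C, J))
    print("forward simulation from C to A exists:", forward_simulation_exists(C, A, J))
    print("largest relation satisfying (2) and (3):", sorted(greatest_simulation(A, C, J)))
```

The run reproduces slides 39 to 41 on this pair: only the sequence [1, 2] yields a non-empty observation and the two observations coincide, so C refines A (and A refines C); the largest relation satisfying (2) and (3) is just {(a3, c3), (a4, c4)}, which cannot satisfy (1) because it relates nothing to c0, so no forward simulation from A to C exists; with the roles of A and C swapped, however, a forward simulation does exist, since the relation found contains (c0, a0), (c1, a1) and (c1, a2).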
Consequently, forward simulation is incomplete. It is beyond the scope of this course to show that the combination of forward simulation with backward simulation, that is, a proof technique that can be seen as the mirror image of forward simulation, is complete [dRE98]. Backward simulation can be derived in the same way as forward simulation, only with the wave of inclusions going right to left, i.e., backward.
[dRE98] Willem-Paul de Roever and Kai Engelhardt. Data Refinement: Model-Oriented Proof Methods and their Comparison. Number 47 in Cambridge Tracts in Theoretical Computer Science. Cambridge University Press, 1998.
[GM93] Paul H. B. Gardiner and Carroll C. Morgan. A single complete rule for data refinement. Formal Aspects of Computing, 5(4):367-382, 1993.