-A simple refinement-based method for constructing algorithms, 2009. Alone. -Refinement-based ... Access control systems: relating policy models and Event B models like in RBAC, TMAC, ORBAC. Distributed algorithms: ... Organizing the global interactions between modelling and proving. Rules of J.-R. Abrial and of C.
Refinement-based Guidelines for Constructing Algorithms Dominique Méry Université Henri Poincaré Nancy 1 Meeting at Schloss Dagstuhl September 13-18, 2009
Introduction
3 Contributing to guidelines and hints for developing correct algorithms or systems. 3 Focusing on abstraction and refinement. 3 Teaching (sequential and/or distributed) programming methodology based on the refinement. 3 Applying the medicine to myself when teaching: set theory, pre/post, invariant, safety, proof obligations, refinement, case studies. 3 Developing case studies: code generation, system engineering, distributed systems, medical devices, . . . 3 Playing with tools: Atelier B, RODIN, . . .
Summary
3 Refinement-based modelling in action 3 Guideline 1 : Local computation model into Event B 3 Guideline 2 : Call as Event 3 Perspectives
Guidelines for applying formal methods
3 Relating the world of algorithms and the world of (Event B) models 3 Providing as much as possible mechanized steps 3 Making proofs as simple as possible 3 Helping to derive invariants from definitions
Summary
3 Refinement-based modelling in action 3 Guideline 1 : Local computation model into Event B 3 Guideline 2 : Call as Event 3 Perspectives
Refinement-based modelling in action
3 Abstraction and refinement of features, 2000 with D. Cansell 3 Incremental Proof of the Producer/Consumer Property for the PCI Protocol, 2002 with D. Cansell, G. Gopalkrishnan, S. Jones. 3 A Mechanically Proved and Incremental Development of IEEE 1394 Tree Identify Protocol, 2003, with J.-R. Abrial and D. Cansell. 3 The challenge of QoS for digital television services-. EBU Technical Review (avril 2005) with D. Abraham, D. Cansell, C. Proch. 3 -Formal and Incremental Construction of Distributed Algorithms: On the Distributed Reference Counting Algorithm, 2006 with D. Cansell.
Refinement-based modelling in action
3 Refinement: A Constructive Approach to Formal Software Design for a Secure e-voting Interface-, 2007 with D. Cansell and P. Gibson. 3 Incremental Parametric Development of Greedy Algorithms, 2007, with D. Cansell. 3 System-on-Chip Design by Proof-based Refinement, 2009 with D. Cansell and C. Proch 3 -A simple refinement-based method for constructing algorithms, 2009. Alone. 3 -Refinement-based guidelines for algorithmic systems-. Alone. International Journal of Software and Informatics (2009),
Next refinement-based modelling
3 Cryptologic algorithms: Event B development, combining cryptologic properties, modeling attacks. 3 Access control systems: relating policy models and Event B models like in RBAC, TMAC, ORBAC 3 Distributed algorithms: integration of local computation models into Event B, tool B2VISIDIA, algorithms of naming, election etc 3 Medical devices: modelling the pacemaker, interacting with cardiologists, ...
Summary
3 Refinement-based modelling in action 3 Guideline 1 : Local computation model into Event B 3 Guideline 2 : Call as Event 3 Perspectives
Local computation models
3 Rewriting Rules Y
X
X0
Z
Y0
Z0
•−−−−−−− −• −• −→ • −−−−−−− with X 0 = f1(X, Y, Z), Y 0 = f2(X, Y, Z) and Z 0 = f3(X, Y, Z).
3 Leader election d
1
d−1
NE
•−−−−−−− − • −→ • −−−−−−− −• 0
E
• −→ •
3 Relabelling sequences as serialization of a distributed computation (Mazurkie
Local computation models into Event B
3 Rewriting Rules WHEN Y
X
Z
•−−−−−−− −• THEN Y0
X0
Z0
−• • −−−−−−− X, Y, Z : |(X 0 = f1(X, Y, Z) ∧ Y 0 = f2(X, Y, Z) ∧ Z 0 = f3(X, Y, Z)) END
3 Leader election d
1
d−1
NE
•−−−−−−− − • −→ • −−−−−−− −• 0
E
• −→ •
Local computation models into Event B
M0
SEES -
C
LINK -
COQ − library
REFINES ?
M1 REFINES mapping
V
�
REFINES -
M2 . . .
?
VM1
3 The context C: we are stating properties of graphs.
3 The machine M0: for instance, the election of a leader
3 The refinement of M0 into M1 expresses that the machine M1 expresses the inductive property allowing to express the computation in the local computation model. 3 The next refinement of M1 is a refinement for producing a set of events corresponding to a LCi assumption. 3 Finally, V is derived from VM1; mapping checks that VM1 is LCi.
Local computation models into Event B
3 Leader election algorithms wrt different graphs 3 Naming algorithm 3 Consensus? 3 B2VISIDIA tool 3 Probabilistic algorithms
Summary
3 Refinement-based modelling in action 3 Guideline 1 : Local computation model into Event B 3 Guideline 2 : Call as Event 3 Perspectives
Guideline 2: development of sequential algorithms PROCEDURE PROC(x; VAR y) PRECONDITION P (x) POSTCONDITION Q(x, y)
3 Using the design-by-contract approach 3 Progressive introduction of the methodology on non-trivial examples. 3 Introduction of concepts of programming (call-by-value,...) and of modelling (constants, axioms, . . . ) 3 Using diagrams to improve the communication with students through definitions (dynamic programming) 3 Organizing the global interactions between modelling and proving. 3 Rules of J.-R. Abrial and of C. Morgan.
Call as Event Guideline call−as−event
CALL call ?
PREPOST
-
REFINEMENT mapping
PROCEDURE
�
?
M
SEES -
PB
EXTENDS SEES -
?
CM
3 CALL is the call of the PROCEDURE 3 PREPOST is the machine containing the events stating the pre- and postconditions of CALL and PROCEDURE, and M is the refinement machine of PREPOST, with events including control points defined in CM. 3 The call-as-event transformation produces a model PREPOST and a context PB from CALL. 3 The mapping transformation allows us to derive an algorithmic procedure that can be mechanized. 3 PROCEDURE is a node corresponding to a procedure derived from the refinement model M. CALL is an instantiation of PROCEDURE using parameters x and y. 3 M is a refinement model of PREPOST, which is transformed into PROCEDURE by applying structuring rules. It may contain events corresponding to calls of other procedures.
Three problems to solve
3 Presenting the method: Computing binomial coefficients 3 Illustrating one classical example: Sorting by insertion 3 Using the dynamic programming: Floyd’s algorithm
Filling the Call as Event Guideline call−as−event
CALL call ?
?PREPOST
-
REFINEMENT mapping
?PROCEDURE
�
SEES -
?PB
EXTENDS ?
?M
SEES
? -
?CM
3 PB: using textbooks for deriving axioms and theorems. 3 CALL: using a programming language like JML or Spec#
Problem 1: Computing the binomial coefficients call−as−event
bn(n,k,vcoef)
-
SEES
BN1
-
BN0
* � ��
REFINEMENT
call
mapping
?
bn
SEES ����
�
��
?
��
��
BN2
3 The computation of binomial coefficients is based on Pascal’s triangle and we define it as a partial function c. 3 Data n and k are defined in the context called BN 0. 3 The call bn(n, k, vcoef ) is translated as an event which is simply setting vcoef to c(n 7→ k). 3 The refinement BN 2 produces a collection of events analysing the different steps of the computations required for computing the value of c(n 7→ k).
Comments on the application 1
3 Pascal’s triangle provides a graphical guide for writing d’s definition into BN 0. 3 We have introduced another graphical structure for supporting the case analysis related to the values of n and k and the introduction of control flow.
3 The world of mathematics is defining a value c(n 7→ k) and the world of computing will derive a process using c and its definition for producing the same value. ...
Comments on the application 1 3 The refinement i is guided by three cases for the call instances: Either k is 0, or k is n, or is neither 0, nor n.
3 Let us consider the difficult case: k 6= 0 and k 6= n: ∀k ∈ {1, . . . n − 1}.
�n�
k
=
� n − 1�
k−1
+
� n − 1�
k
(1)
� � � n−1 n−1 Using the same event for computing k−1 and k . �
These events are translated into a recursive call by the mapping. the final computing event is computing the value of the sum of the two values.
l = start ∧ n ∈ N ∧ k ∈ N �
H
�
�
�
k∈1..n−1∧k6=0∧k6=n
H
�
H
H
�
�
�
H
�
�
H
H
�
H
k=n
H
�
��
� � �
��
H
�
k=0 H H H
�
HH
HH
H
?
l = start ∧ k 6= 0 ∧ k 6= n
l = start ∧ k = n
HH j
l = start ∧ k = 0
calls
?
l = callingx ∧ k 6= 0 ∧ k 6= n
computing2
callingx
computing1
?
l = callingy ∧ k 6= 0 ∧ k 6= n∧ vtcoefx = c(n − 1, k − 1)
callingy
?
l = endcalling ∧ k 6= 0 ∧ k 6= n∧ vtcoefx = c(n − 1, k − 1)∧ vtcoefy = c(n − 1, k)
?
?
l = end ∧ k = n ∧ vcoef = 1
l = end ∧ k = 0 ∧ vcoef = 1 ��
HH
HH
H
computing3 k=n HH H HH HH H H j ?
�
k=0 �� �� ��
HH
��
�� �� �
� ��
Comments on the application 1
3
INVARIANTS inv1 : l ∈ LOC inv3 : vtcoef x ∈ N inv4 : vtcoef y ∈ N inv5 : l ∈ {callx, cally, endcalling} ⇒ k 6= 0 ∧ n 6= 0 ∧ k < n inv6 : l = cally ⇒ vtcoef x = c(n − 1 7→ k − 1) inv7 : l = endcalling ⇒ vtcoef y = c(n − 1 7→ k) ∧ vtcoef x = c(n − 1 7→ k − 1) inv8 : l = end ⇒ vcoef = c(n 7→ k)
3 The refinement produces 42 proof obligations and 2 were manual. The other proof obligations are automatically discharged. Note: The example is simple and the function c is easy to define. The invariant is built by analysing the expression of the computed value.
Problem 2: Sorting by insertion call−as−event
insert-sort(m,t,st)
-
SEES
IS1
-
IS0
* � ��
SEES
REFINEMENT
call
�
� ��
�
� ��
��
?
insert-sort
mapping �
?
��
�
IS2
3 The problem is to sort an array t between 1 and m, where dom(t) = 1..n and m ≤ n. 3 The sorting can be done by sorting the array from 1 to m − 1 and then to insert the value t(m) at the right position in 1..m. 3 The insertion event is considered as a call of procedure: the subproblem is solved in the same way by applying the guideline.
c = start ∧ m ∈ N ∧ t = st �
�
�
�
�
� m6=1 sorting call � � � � � � �� � � � � �
m=1
?
c = start ∧ m = 1 ∧ t = st
c = start ∧ m 6= 1 ∧ t = st
tosortingcall
?
c = sortingcall ∧ m 6= 1 ∧ t = st
sortingcall
sortingm=1 ?
c =�insertioncall ∧ m 6= 1∧ st = a.t(m) ∧ sorted(a) ∃a. ∧permutation(s(1..m − 1), a)
�
insertioncall ?
c = end ∧ m 6= 1∧ permutation(t, st) ∧ sorted(st) c = end ∧ m = 1 ∧ sorted(st(1..m) ?
HH
HH
H
m6=1 HH HH HH
m=1
HH j
?
c = end ∧sorted(st(1..m)) ∧permutation(s, r)
Comments on Problem 2
3 The diagram gives the different events of the refinement model IS2; it contains an event called sortingcall, which is sorting the array t between the value 1 to m − 1 3 the event insertioncall which is inserting the value t(m) at the right position in the array sorted between 1 and m − 1. 3 This last event can not be translated into an algorithmic expression and should be considered as defining a new problem which is the insertion of a value in a sorted array. 3 We re-apply the guideline by starting a new development for solving the insertion problem. 3 We use a diagram for illustrating the insertion of t(m) into the values of st(1..m − 1).
Problem 3: Floyd’s algorithm call−as−event
spath(l,a,b,g,D,FD)
-
SPATH1
SEES -
REFINEMENT
call
mapping
?
spath
�
CSPATH1
EXTENDS ?
SPATH2
SEES
3 spath is built from events of SPATH2 3 FD states if the path exists 3 D contains the cost of the minimal path, if it exists
? -
CPATH2
The Event B Context
3 The distance function d is defined inductively from bottom to top according to the dynamic programming principle 3 When d(k 7→ i 7→ j) = v: there is a path from i to j with cost v and intermediate nodes are smaller than k. 3 The optimality property is derived from the definition of d itself, 3 axm1 : d ∈ N × N × N → 7 N
Axioms for the partial function d 3
axm5 : ∀i·i ∈ N ⇒ 0 7→ i 7→ i ∈ dom(d) ∧ d(0 7→ i 7→ i) = 0
� 3
axm6 : ∀i, j, k·
3
axm7 : ∀i, j, k· ⇒ �
3
axm8 : ∀i, j, k· ⇒ �
axm9 : ∀i, j, k·
�
⇒ ( k 7→ i 7→ j ∈ dom(d) ∧ d(k 7→ i 7→ j) = d(k − 1 7→ i 7→ j) )
k − 1 7→ i 7→ j ∈ dom(d) ∧ k − 1 7→ i 7→ k ∈ dom(d) ∧ k − 1 7→ k 7→ j ∈ dom(d) ∧ d(k − 1 7→ i 7→ j) ≤ d(k − 1 7→ i 7→ k) + d(k − 1 7→ k 7→ j) k 7→ i 7→ j ∈ dom(d) ∧ d(k 7→ i 7→ j) = d(k − 1 7→ i 7→ j)
k 7→ i 7→ j ∈ dom(d) ∧ d(k 7→ i 7→ j) = d(k − 1 7→ i 7→ k) + d(k − 1 7→ k 7→ j)
k − 1 7→ i 7→ j ∈ / dom(d) ∧ k − 1 7→ i 7→ k ∈ dom(d) ∧ k − 1 7→ k 7→ j ∈ dom(d)
⇒ k 7→ i 7→ j ∈ dom(d)
�
�
k − 1 7→ i 7→ j ∈ dom(d) ∧ k − 1 7→ i 7→ k ∈ dom(d) ∧ k − 1 7→ k 7→ j ∈ dom(d) ∧ d(k − 1 7→ i 7→ j) > d(k − 1 7→ i 7→ k) + d(k − 1 7→ k 7→ j)
� 3
k − 1 7→ i 7→ j ∈ dom(d) ∧ (k − 1 7→ i 7→ k ∈ / dom(d) ∨ k − 1 7→ k 7→ j ∈ / dom(d))
�
SPATH1 : pre/post specification
INVARIANTS inv1 : D ∈ N × N → 7 N inv2 : F D ∈ BOOL EVENT shortestpathOK WHEN grd1 : l 7→ a 7→ b ∈ dom(d) THEN act1 : D(a 7→ b) := d(l 7→ a 7→ b) act2 : F D := T RU E END EVENT shortestpathKO WHEN grd1 : l 7→ a 7→ b ∈ / dom(d) THEN act1 : F D := F ALSE END
/ ∗ N = 1 . . n−1 ∗ / void shortestpath ( i n t l , i n t a , i n t b , i n t g [ ] [ n ] , i n t ∗D, i n t ∗FD) { i n t D1 , D2 , D3 , FD1 , FD2 , FD3 ;
∗FD = 0 ; FD1=0;FD2=0;FD3=0; i f ( l ==0) { i f ( g [ a ] [ b ] != NONE) { ∗FD = 1 ; ∗D = g [ a ] [ b ] ; } } else { shortestpath ( l −1,a , b , g,&D1,&FD1 ) ; i f ( FD1 == 1 ) { shortestpath ( l −1,a , l , g,&D2,&FD2 ) ; i f ( FD2==1) { shortestpath ( l −1, l , b , g,&D3,&FD3 ) ; i f ( FD3==1) { i f ( D1 < D2+D3 ) { ∗ D= D1 ; } else { ∗ D=D2+D3 ; } ; ∗FD = 1 ; } else { ∗ D=D1; ∗ FD= 1 ; } } else { ∗ D=D1; ∗ FD= 1 ; } } else { if ( FD2 == 1 && FD3==1) { ∗ D=D2+D3 ; ∗FD= 1 ; } else { ∗ FD= 0 ; } ; } }}
Proof obligations Model CSPATH1 SPATH1 SPATH2 Global
Total 8 5 493 506
Auto 8 4 317 329
Manual 0 1 176 177
Reviewed 0 0 0 0
Undischarged 0 0 0 0
3 Proof Obligations are related to d. 3 The prover provides an effective help for completing the invariant.
Technical Justifications: defining traces
3 Let M be an E VENT B machine and C a context seen by M . 3 Let y be the list of variables of M , 3 Let E be the set of events of M, 3 let Init(y) be the predicate defining the initial values of y in M . The temporal framework of M is defined by the TLA specification denoted Spec(M ):
Init (y) ∧ 2[Next ]y ∧ WFy (Next ), where Next ≡ ∃e ∈ E.BA(e)(y, y 0).
Technical Justifications: liveness properties Suppose that PB is a context and PREPOST is a machine corresponding to a problem stating calls of a procedure. Suppose that the following diagram is validated: call−as−event
CALL
-
PREPOST
SEES -
PB
We assume that the preconditions are defined by P , i.e., P1, . . . , Pn, and the postcondition is defined by Q. Then for any i in 1..n, PREPOST satisfies Pi(x, y) ; Q(x, y).
Technical Justifications: refinement diagrams A refinement diagram for M, P , and Q over L and A is an acyclic labelled graph over A with labels from G or E satisfying the following rules.
3 There is a unique input node P with at least one outgoing arrow. 3 There is a unique output node Q with no outgoing arrows. 3 If R is related to S by a unique arrow labelled e ∈ E, then It satisfies the property R ; S
∀c, x, c0 , x0 .R(c, x) ∧ I(M )(c, x) ∧ BA(e)(c, x, c0 , x0 ) ⇒ S(c0 , x0 ) ∀c, x.R(c, x) ∧ I(M )(c, x) ⇒ ∃c0 , x0 .BA(e)(c, x, c0 , x0 ) If R ≡ c = l1 ∧ A(x) and S ≡ c = l2 ∧ B(x), then l1 6= l2 and `(R)=l1, `(S)=l2.
3 If R is related to S1, . . . , Sp, then
Each arrow R to Si is labelled by a guard gi ∈ G.
For any i in 1..p the following conditions hold. � R ∧ I(M ) ∧ gi(x) ⇒ Si ∀j.j ∈ 1..p ∧ j 6= i ∧ R ∧ I(M ) ∧ gi(x) ⇒ ¬gj (x) R ∧ I(M ) ⇒ ∃i ∈ 1..p.gi.
3 For each e ∈ E, there is only one instance of e in the diagram.
We use P RE(D) for P and P OST (D) for Q.
Technical Justifications: a simple refinement diagram
c = start ∧ P P1 �� � �
�� � ��
�� � �
HH
H
c = start ∧ Pn �
call1 HH
H
HH j H
Pn HH HH H
HH j H
...
c = start ∧ P1 HH HH HH
HH
�
�
� �� �
c = end ∧ Q
�
�� � � ��
calln
Technical Justifications: refinement diagram and liveness Let M be a machine and let D = (A, C, M, P, Q, G, E) be a refinement diagram for M . 1. If M satisfies P ; Q and Q ; R, it satisfies P ; R.
2. If M satisfies P ; Q and R ; Q, it satisfies (P ∨ R) ; Q.
3. If I is invariant for M and if M satisfies P ∧ I ; Q, then M satisfies P ; Q.
4. If I is invariant for M and if M satisfies P ∧ I ⇒ Q, then M satisfies P ; Q. 5. Let M be a machine and let D = (A, C, M, P, Q, G, E) be a refinement diagram for M . If e P −→ Q is a link of D for the machine M , then M satisfies P ; Q. 6. Let M be a machine, and let D = (A, C, M, P, Q, G, E) be a refinement diagram for M . If P and Q are two nodes of D such that there is a path in D from P to Q and any path from P can be extended in a path containing Q, then M satisfies P ; Q. Let M be a machine and let D = (A, C, M, P, Q, G, E) be a refinement diagram for M . Then M satisfies (c = start ∧ P RE(D)) ; (c = end ∧ P OST (D)).
Summary
3 Refinement-based modelling in action 3 Guideline 1 : Local computation model into Event B 3 Guideline 2 : Call as Event 3 Perspectives
Concluding Remarks and Future Works
3 Automatic process for producing an algorithm from the E VENT B models. 3 Management of problems and subproblems 3 Distributed algorithms: work in progress 3 Plugins for the translation, B2VISIDIA and time pattern 3 Current works: cryptologic algorithms, access control systems, distributed algorithms, medical devices. . .
