Automatic Refinement Checking for B

Abstract: Abstract. While refinement is at the heart of the B Method, so far no automatic refinement checker has been developed for it. In this paper we present a refinement checking algorithm and implementation for B. It is based on using an operational semantics of B, obtained in practice by the ProB animator. The refinement checker has been integrated into ProB toolset and we present various case studies and empirical results in the paper, showing the algorithm to be surprisingly effective. The algorithm checks that … Show more

“…The experiments were all run on a multiprocessor system with 4 AMD Opteron 870 Dual Core 2 GHz processors, running SUSE Linux 10.1, SICStus Prolog 3.12.5 (x86 64-linux-glibc2.3) and ProB version 1.2.0. 5 scheduler0.mch and scheduler1.ref are the machines presented in [15]. The scheduler machine is a variation of scheduler0.mch, and is taken from [13].…”

“…Characterising a B operation of the form X ←− op(Y ) as a predicate in this way gives rise to a labelled transition relation on states: state s is related to state s by event op.a.b, denoted by s → M op.a.b s , when P (a, s, s , b) holds. Further details may be found in [15]. We also add a special state root, where we define root → M initialise s if s satisfies the initialisation and the properties clause.…”

“…This ensures that we do not miss out deadlocks or reachable classes of symmetric states by checking just a single representative of a class. It also ensures that we do not miss out on traces (up to renaming); which is important for B's refinement notion and will enable us (in future) to use permutation flooding for symmetry reduction during refinement checking [15].…”

“…In previous work [14], we have presented the ProB animator and model checker to support those activities. Implemented in Prolog, the ProB tool supports automated consistency checking and deadlock checking of B machines and has been recently extended for automated refinement checking [15], also allowing properties to be expressed in CSP [4].…”

Symmetry Reduction for B by Permutation Flooding

“…The experiments were all run on a multiprocessor system with 4 AMD Opteron 870 Dual Core 2 GHz processors, running SUSE Linux 10.1, SICStus Prolog 3.12.5 (x86 64-linux-glibc2.3) and ProB version 1.2.0. 5 scheduler0.mch and scheduler1.ref are the machines presented in [15]. The scheduler machine is a variation of scheduler0.mch, and is taken from [13].…”

“…Characterising a B operation of the form X ←− op(Y ) as a predicate in this way gives rise to a labelled transition relation on states: state s is related to state s by event op.a.b, denoted by s → M op.a.b s , when P (a, s, s , b) holds. Further details may be found in [15]. We also add a special state root, where we define root → M initialise s if s satisfies the initialisation and the properties clause.…”

“…This ensures that we do not miss out deadlocks or reachable classes of symmetric states by checking just a single representative of a class. It also ensures that we do not miss out on traces (up to renaming); which is important for B's refinement notion and will enable us (in future) to use permutation flooding for symmetry reduction during refinement checking [15].…”

“…In previous work [14], we have presented the ProB animator and model checker to support those activities. Implemented in Prolog, the ProB tool supports automated consistency checking and deadlock checking of B machines and has been recently extended for automated refinement checking [15], also allowing properties to be expressed in CSP [4].…”

Symmetry Reduction for B by Permutation Flooding

“…Presumably this technique could be extended to generate powersimulations for arbitrary refinements, although this is not discussed in [5]. On the other hand [14] does describe automatic verification of arbitrary refinements in B using the ProB model checker [13]. That technique uses ProB to construct a relation from concrete states to sets of abstract states which is in effect the power co-predicate of a cosimulation for the refinement, so this complements our refinement proof method rather well.…”

A Practical Single Refinement Method for B

Issues in Implementing a Model Checker for Z