The SVN will have a list of exercises (currently Ex1, Ex2 and 9 questions in Ex3) that you must do on your own to test your knowledge of the material and to help you to prepare for the labtests and exam.

Background Readings

• What/Why formal methods? Slides Chap. 1: Introduction.
• Textbook Chapter I (pages 1-16).

Tuesday: 01 slides MathsAndEngineering.pptx (why testing is not enough) and 02 slides BuildingSoftwareReliability.pptx (developing good software development skills such as contracts/assertions and good coding/testing methods).

Thursday: 03-Requirements slides. The notion of atomic requirements. The difference between R-statements (in the optative mood) and E-statements about the environment (in the indicative mood). Event-B mathematical models: contexts and machines. A simple bank as an example.

Required: You must do the first Exercise (Ex1-prop) in the SVN. This involves familarizing yourself with the Rodin tool, and using Rodin to do propositional logic in contexts.

Covered Rodin bank account in the 03-Requirements slides. Atomic requirements. Contexts verus machines in Event-B. The Rodin tool. Functions and function updates. Invariant perservation.

Complete the bank account example: using function update; modelling REQ 3 for credit limits as an invariant; introduce the set of accounts managed by the bank and associated invariant.

• Read the Rodin Users handbook up to and including Section 2.5.2 (its on the SVN and there are links to it from Resources).

• Bridge controller (reactive systems)
  • The initial Event-B model for the bridge controller (up to slide 33 of Chapter 2: Controlling cars on a bridge).
  • Required readings: Read up to end of the second refinement of chapter 2 from the sample textbook.

Topics covered by the bridge controller include

• Initial models and Proof rules for invariant preservation
• Refinement/correct by construction
• Proof rules for refinement
• Deadlock prevention and relative deadlock
• Divergence, Convergent events and variants
• Proof rules including SIM
• Controller events and Environment events

This week we start Chapter 4 of the optional textbook – A simple File Transfer Protocol (FTP).

• ftp slides

In the previous example, the program was reactive (i.e. it had to control an external situation such as cars on a bridge). This chapter deals with a protocol used on a computer network to transfer data from a sender to a receiver. The example will also allow us to extend our mathematical language with sets, functions and relations. As usual we will start with a requirements document. The initial model tells us what the protocol is supposed to achieve without telling us how to achieve it; how to achieve it will be dealt with in succesive refinements. Note that the model presented in the slides (using the notion of an anticipated event) is different than that of the textbook.

Required Reading: See SVN (folder 04-ftp): Read 04-ftp.pdf and 05-eventb-notation.pdf.

Tuesday's lecture: We did the second refinement in the ftp protocol in which we separate the sending and receiving agent. We had a lab session with Rodin, proving cross-products, powersets, relations and functions.

Thursday's lecture: Third and final refinement in the ftp protocol in which we add a parity bit. The distributed ftp protocol is now ready to be implemented in code (how would you write the program?) with a guarantee that it will terminate with the file properly transmitted from the sender to the receiver. Lab: prove the parity bit theorem.

Required Reading: In the SVN=⇒Rodin folder, study: ref-card.pdf

Tuesday's Lecture: Did a manual proof of the theorem needed for the theory of parity (in the ftp protocol). This theorem was hard to prove. The suggestion is to first do the proof manually, which then makes it easier to do in Rodin. Using this approach, we were able to derive a Lemma that was helpful in the Rodin proof. We also did the initial model of the celebrity example (from the Exercises). We showed how to formalize the problem in Event-B using a “knows” relation. We dicussed the indentity and inverse relations and showed how the Celebrity axioms could be written in predicate logic or set theory. The celebrity example is one of the exercises that you must do in advance of Labtest1. [Challenge: In class we issued the following challenge: write a program given that takes as input a set of people and a knows relation, and outputs which person is the celebrity.

Thursday's lecture: First Refinement of Celebrity. Then we start Chapter 15: Development of sequential programs. Binary search. Merging Rules.

Celebrity example ideas: Relations, functions, identity relation, inverse. Feasibility proof obligations for non-deterministic assignment, witness (WITH) for local variable refinements, convergence and proof obligations.

Required reading: Chapter 15.

Exercises: Up to an including Exercise 16.

Finish 3rd refinement of ftp protocol slides from slide 44 to the end.

Chapter XV: Development of sequential programs. Binary search. Merging Rules.

Celebrity example: Relations, functions, identity relation, inverse. Feasibility proof obligations for non-deterministic assignment, witness (WITH) for local variable refinements, convergence and proof obligations.

Required reading: all of chapter IV and chapter V (Event-B proof obligation rules).

Exercises: Do exercise 11 (develop model, refinemenents and discharge proof obligations for ftp example).

Event refinement proof obligation (from Hallersted-Event-B-Notation-2006.pdf in the SVN).

Use of Add Hypothesis (AH) and Case analysis (DC) in the theorem prover. Use RichPoor example.

Chapter XV: Development of sequential programs. Sort. Merging Rules.

Required reading: chapter XV as covered in class and all of chapter IX (Mathematical Language).

Exercises: Do exercise 12 (birthday book, data refinement, procedural refinement).

Injections, surjections and bijections in Event-B.

Requirements for the sorting algorithm. Initial specification using an anticipated event. First and second refinements leading to the use of merge rules for a loop within a loop. For the slides see Sequential Programs.

Tuesday: Data refinement and Procedural Refinement. Illustration of these concepts using the Birthday Book example in which we write an initial specification, do a data refinement, followed by a procedural refinement; finally a merge produces code.

BAG abstract datatype.

Tuesday: Dijkstra weakest precondition calculus and loop variants and invariants.Proving loop termination. Relationship of Dijkstra weakest precondition calculus to Event-B. Slides on the SVN.

Thursday: Review of arithmetic, set theory, predicate logic and Event-B invariant and refinement proof obligations. Translation between set theoretic statements and predicate logic. Re-write rules.

Work through a complete example: requirements document, initial specification, refinements etc.