Construction of Abstract State Graphs for Understanding Event-B Models

Abstract

Event-B is a formal method that supports correctness by construction in system modeling using stepwise refinement. However, it is difficult to understand the rigorous behaviors of models from Event-B specifications, such as the reachable state space or the possible sequences of events. This is because the Event-B model is described in a style that lists events that have concurrently been enabled depending on their guard conditions. This paper proposes a method that helps in understanding the rigorous behaviors of an Event-B model by creating an abstract state graph. The core of our method involves dividing the concrete state space by using the guard conditions of individual events to extract states that are essential to enable possible transitions to be understood. Moreover, we further divided the state space by using the guard conditions of events in the models before refinement to support understanding of changes in behaviors between the models before and after refinement. Our unique approach facilitated finding of invariants that were not specified but held, which were useful for validation.

This work is partially supported by JSPS KAKENHI Grant Number 17H01727.

A Appendix

This appendix explains how we investigated the advanced and unique use described in Subsects. 3.5 and 4.4 to discover invariants that were stronger than the invariants described in the specifications by using a graph constructed with CASG. We used the Mac2 model and the specifications are in Abrial [1, Chap. 2].

We applied the first method and discovered three unreachable states from the graph. One of them is represented by

$$ a = 0 \wedge 0<b<d \wedge c=0 \wedge ml\_tl=il\_tl=red \wedge ml\_pass=il\_pass=true. $$

We then tried to add the predicate

$$ \lnot (a = 0 \wedge 0<b<d \wedge c=0 \wedge ml\_tl=il\_tl=red \wedge ml\_pass=il\_pass=true) $$

as an invariant to the Mac2 model on the Rodin platform [2]. As proof obligation is automatically discharged by them, the predicate is actually an invariant of the model. This invariant is equivalent to:

$$ (a = c = 0 \wedge ml\_tl=il\_tl=red \wedge ml\_pass=il\_pass=true) \Rightarrow (b=0 \vee b=d), $$

which means that if all the traffic lights are red, the flags are true and there are no cars on the bridge, then the number of cars on the island is zero or has reached its capacity. Developers can check if the situation is valid in the model.

We investigated the number of transitions in the Mac2 graph constructed by using CASG that could occur in the second method. We specified the range of the constant d from one to 10 because it seemed to be sufficient from our investigation of the model. We checked all 58 edges in the graph and discovered 16 edges that did not actually occur. One of them was the transition labeled \(IL\_in\) from the abstract state represented by:

$$ a>0 \wedge b \ge 0 \wedge a+b<d-1 \wedge c=0 \wedge ml\_tl=green \wedge il\_tl=red \wedge il\_pass=true $$

to another represented by:

$$\begin{aligned} \begin{aligned} a=c=0 \wedge b<d-1 \wedge ml\_tl=green \wedge il\_tl=red \wedge il\_pass=true \\ \wedge (b=0 \vee (b>0 \wedge ml\_pass=false)). \end{aligned} \end{aligned}$$

(1)

A concrete state where the transition can occur is:

$$ (a,b,c,d,ml\_tl,il\_tl,ml\_pass,il\_pass)=(1,1,0,4,green,red,false,true). $$

However, it is actually unreachable because the condition \(ml\_pass = false\) requires the event \(ML\_tl\_green\) to occur and \(ML\_out\_1\) and \(ML\_out\_2\) must not subsequently occur. There was some suggestion that the model always satisfies \(a>0 \Rightarrow ml\_pass=true\) because \(a>0\) means \(ML\_out\_1\) or \(ML\_out\_2\) has occurred at least once just after \(ML\_tl\_green\) has taken place. Then, we added it as an invariant to the Rodin platform, but its proof obligation was not automatically discharged. Due to an analysis of the failure of the proof, which is often used in Event-B, we added \((ml\_tl=red \wedge a+b \ne d) \Rightarrow a = 0\) as an invariant and all proof obligations were automatically discharged.

Finally, let us take Mac2 as an example of the third method. The abstract state represented by the predicate (1) does not satisfy the condition. All the transitions into it are labeled \(ML\_tl\_green\). Since \(ML\_tl\_green\) makes \(ml\_pass\) false, all concrete states where \(ml\_pass\) is true in the abstract state are unreachable. There was some suggestion that the predicate \(a=b=0 \wedge ml\_tl = green \Rightarrow ml\_pass = false\) was an invariant. Therefore, we added it and proof obligation was discharged.