Managing LTL properties in Event-B refinement
Steve Schneider, Helen Treharne, Heike Wehrheim, David Williams
aa r X i v : . [ c s . S E ] J u l Managing LTL properties in Event-B refinement
Steve Schneider , Helen Treharne ,Heike Wehrheim , and David M. Williams University of Surrey, England, UK University of Paderborn, Germany VU University Amsterdam
Abstract.
Refinement in Event-B supports the development of systemsvia proof based step-wise refinement of events. This refinement approachensures safety properties are preserved, but additional reasoning is re-quired in order to establish liveness and fairness properties. In this paperwe present results which allow a closer integration of two formal meth-ods, Event-B and linear temporal logic. In particular we show how aclass of temporal logic properties can carry through a refinement chainof machines. Refinement steps can include introduction of new events,event renaming and event splitting. We also identify a general livenessproperty that holds for the events of the initial system of a refinementchain. The approach will aid developers in enabling them to verify lineartemporal logic properties at early stages of a development, knowing theywill be preserved at later stages. We illustrate the results via a simplecase study.
Event-B [1] is a step-wise development method with excellent tools: Rodin plat-form [2] providing proof support and ProB [11] providing model checking. AsHoang and Abrial [10] clearly state the focus of verification within Event-B hasbeen on the safety properties of a system to ensure that “something (bad) neverhappens”. Typically, this has been done via the discharging of proof obligations.Nonetheless, the use of linear temporal logic (LTL) to specify temporal livenessproperties has also been prevelant, for example in its application within the ProBtool [12]. The challenge is to identify more natural ways of integrating Event-Band LTL, so that LTL properties can be preserved by Event-B refinement, whichis not currently the case in general.Event-B describes systems in terms of machines with state, and events whichare used to update the state. Events also have guards , which are conditions forthe event to be enabled. One (abstract) machine may be refined by another(concrete) machine, using a refinement step . A linking invariant captures how theabstract and concrete states are related, and each abstract event must be refinedby one or more concrete events whose state transformations match the abstractone in the sense of preserving the linking invariant. Refinement is transitive, soa sequence of refinement steps, known as a refinement chain , will result in aconcrete machine which is a refinement of the original abstract one.
Schneider, Treharne, Wehrheim, Williams
A particular feature provided by Event-B is the introduction of new eventsin a refinement step—events which do not refine any abstract event. This allowsfor refinements to add finer levels of granularity and concretisation as the designdevelops; there are many examples in [1]. These new events are invisible atthe abstract level (they correspond to the abstract state not changing), and wegenerally need to verify that they cannot occur forever. Event-B makes use of labels to keep track of the status of events as a refinement chain progresses.Event-B labels are anticipated , convergent and ordinary . The labelling of eventsin Event-B form part of the core of a system description but their inclusionis primarily to support the proof of safety properties and ensuring that eventscannot occur forever: convergent events must decrease a variant and anticipatedevents cannot increase it. In this paper all newly introduced events must beconvergent or anticipated, and anticipated events must become convergent atsome stage. As an initial example, consider a Lift machine with two events top and ground , representing movement to the top and to the ground floor. This canbe refined by a machine
Lift ′ introducing two new anticipated events openDoors and closeDoors . The events top and ground are blocked when the doors are open,but enabled when the doors are closed.Linear temporal logic provides a specification language for capturing proper-ties of executions of systems, and is appropriate for reasoning about liveness andfairness. For example, we might verify for Lift that whenever top occurs, theneventually ground will occur. However, this is not guaranteed for its refinement
Lift ′ : it may be that the doors open and close repeatedly forever following the top event, thus never reaching the next ground event. Alternatively it may bethat the system deadlocks with the doors open, again preventing ground fromoccurring. Hence we see that LTL properties are not automatically preservedby Event-B refinement. In the first case we would require some assurance that openDoors and closeDoors cannot repeat forever without the lift moving; in thesecond case we require some liveness property on closeDoors to prevent termi-nation with the doors open.In this paper we present results for when temporal logic properties can becarried through Event-B refinement chains. The results generalise to events thatare split—refined by several events—during a refinement chain. We also identifyconditions on temporal logic properties that make them suitable for use in a re-finement chain, since some properties are not preserved by Event-B refinement(for example, the property “ closeDoor never occurs” holds for Lift but not forits refinement
Lift ′ ). The results are underpinned by our process algebra un-derstanding of the Event-B semantics, in particular the traces, divergences andinfinite traces semantics used for CSP and applied to Event-B in [15].The paper is organised as follows: Section 2 provides the necessary Event-Brefinement background and the refinement strategy we use in the paper. Section 3introduces a running example. Section 4 defines the LTL we use. Sections 5 and 6present and illustrate the main theoretical results. Proofs are included in theAppendix. We put our work into the context of related work in Section 7 andour future work in Section 8. anaging LTL properties in Event-B refinement 3 An Event-B development is defined using machine s. A machine M contains avector of variables and a set of events. The alphabet of M , α M , is the set of eventsdefined in M . Each event evt i has the general form evt i b = any x where G i ( x , v ) then v : | BA i ( v , x , v ′ ) end , where x represents the parameters of the event, theguard G i ( x , v ) is the condition for the event to be enabled. The body is givenby v : | BA i ( v , x , v ′ ) whose execution assigns to v any value v ′ which makes the before-after predicate BA i ( v , x , v ′ ) true. This simplifies to evt i b = when G i ( v ) then v : | BA i ( v , v ′ ) end when there are no parameters, since the guard and the before-after predicate does not refer to the parameters x .Variables of a machine are initialised in an initialisation event init and areconstrained by an invariant I ( v ). The Event-B approach to semantics is to asso-ciate proof obligations with machines. The key proof obligation, INV , is that allevents must preserve the invariant. There is also a proof obligation on a machinewith respect to deadlock freedom which means that a guard of at least one eventin M is always enabled. When this obligation holds M is deadlock free . An Event-B development is a sequence of B machines linked by a refinementrelationship. In this paper we use M and M ′ when referring to a refinementbetween an abstract machine M and a concrete machine M ′ whereas a chain ofrefinements is referred to using numbered subscripts, i.e., M , M i , . . . , M n , torepresent the specific refinement levels.A refinement machine can introduce new events and split existing events.We omit the treatment of merging events in this paper. New events are treatedas refinements of skip , i.e., evt ′ i does not refine an event in M . Note that whensplitting events, M ′ has several events evt ′ i refining a single event evt i .A machine M is considered to be refined by M ′ if the given linking invariantJ on the variables between the two machines is established by their initialisa-tion, and preserved by all events. This requirement is captured by the INV REF proof obligation. Formally, we denote the refinement relation between two ma-chines, written M M ′ , when all the following proof obligations hold: feasibility FIS REF , guard strengthening
GRD REF and simulation
INV REF . Feasibility ofan event is the property that, if the event is enabled (i.e., the guard is true),then there is some after-state. Guard strengthening requires that when a con-crete event is enabled, then so is the abstract one. Finally, simulation ensure theoccurrence of events in the concrete machine can be matched in the abstract one(including the initialization event). Further details of these proof obligations canbe found in [1].In Section 1 we introduced the three kinds of labelling of events in Event-B: anticipated ( a ), convergent ( c ) and ordinary ( o ) and noted that convergent eventsare those which must not execute forever whereas anticipated events provide a Schneider, Treharne, Wehrheim, Williams selectBiscuit ( o ) selectBiscuit ( o ) selectBiscuit ( o ) selectBiscuit ( o ) selectChoc ( o ) selectChoc ( o ) selectChoc ( o ) selectChoc ( o ) dispenseBiscuit ( o ) dispenseBiscuit ( o ) dispenseBiscuit ( o ) dispenseBiscuit ( o ) dispenseChoc ( o ) dispenseChoc ( o ) dispenseChoc ( o ) dispenseChoc ( o ) pay ( a ) pay ( a ) pay ( c ) refund ( c ) refund ( o ) refund ( o ) refill ( c ) refill ( o ) VM VM VM VM Fig. 1: Events and their annotations in the Vending Machine developmentmeans of deferring consideration of divergence-freedom until later refinementsteps. The proof obligation that deals with divergences is
WFD REF . It requiresthat the proposed variant V of a refinement machine satisfies the appropriateproperties: that it is a natural number, that it decreases on occurrence of anyconvergent event, and that it does not increase on occurrence of any anticipatedevent. Therefore, we augment the previous refinement relation with WFD REF such that M W M ′ . Ordinary events can occur forever and therefore WFD REF is not applicable for such events.
Event-B has a strong but flexible refinement strategy which is described in [9].In [15] we also discussed different Event-B refinement strategies and charac-terised them with respect to the approaches documented by Abrial in [1] andsupported by the Rodin tool. In this paper we focus on the simplest strategy, andthe one most commonly used. The strategy has the following set of restrictionson a refinement chain M W M W . . . W M n :1. all events in M are labelled ordinary. This set of events is referred to as O .2. each event of M i is refined by at least one event of M i +1 ;3. each new event in M i is either anticipated or convergent, where i > M i +1 which refines an anticipated event of M i is itself eitherconvergent or anticipated;5. refinements of convergent or ordinary events of M i are ordinary in M i +1 .6. no anticipated events remain in the final machine.Figure 1 illustrates our development strategy for a vending machine, detailedin Section 3, where C i is the set of convergent events within M i , and O i is theset of ordinary events within M i .For example, O = { selectBiscuit , selectChoc , dispenseBiscuit , dispenseChoc } and C = ∅ in VM . In VM we note that C = { refund } . In VM we notethat C = { refill } and in VM we have C = { pay } . Thus we denote C all = C ∪ C ∪ C . anaging LTL properties in Event-B refinement 5 In this paper we define a trace of M to be either an infinite sequences of events( a , c or o ), i.e., h e , e , . . . i or a finite sequence of events, i.e., h e , . . . , e k − i wherethe machine M deadlocks after the occurrence of the final event. Traces corre-spond to maximal executions of machines. Plagge and Leuschel in [14] provideda definition of an infinite or finite path π of M in terms of a sequence of eventsand their intermediate states. In order to distinguish notation we use u to repre-sent a trace without the intermediate states. We need not consider the particularstates within a trace in our reasoning which is based on infinite traces. When amachine M is deadlock free all of its traces are infinite. We use the functions ofconcatenation ( a ), projection ( ↾ ) and length ( et al. in [15] based on the weakest precondition semantics of [13,6] for actionsystems and CSP. In [15] there are two key results that enable us to reason aboutinfinite sequences of convergent and ordinary events in this paper. Firstly, thefollowing predicate captures that if an infinite trace u performs infinitely manyevents from C then it has infinitely many events from O , where C and O aresets of events. Definition 1. CA ( C , O )( u ) b = ( u ↾ C ) = ∞ ⇒ u ↾ O ) = ∞ ) C and O will be used to capture convergent and ordinary events through adevelopment. For an Event-B machine M the above means that it does notdiverge on its C events . This is precisely what we get when we prove WFD REF but the above definition describes the result on traces.The second result from [15], restated as Theorem 1, allows us to concludethat there are no infinite sequences of convergent events in the final machineof a refinement chain M n . The function g , n defines a compositional mappingfor all concrete events to abstract events in terms of a function mapping f ateach refinement level where f i +1 : α M i +1 α M i and f i +1 ( evt i +1 ) = evt i ⇔ evt i +1 refines evt i . (Note that g , is the identity function.) Definition 2. g i , j = f j ; f j − ; . . . ; f i Theorem 1.
If M W M W . . . W M n thenM n sat CA ( g − , n ( C ) ∪ . . . ∪ g − i , n ( C i ) ∪ . . . ∪ C n , g − , n ( O ))The result for our example is simply VM sat CA ( C all , O ) since there is norenaming: each function mapping f i is the identity. In Section 2.3 we introduced a development strategy for a vending machine.Figures 2, 3, 4 and 5 illustrate a development chain from vending machine VM , VM , VM to VM ; there are no anticipated events in VM . Note the numbers Schneider, Treharne, Wehrheim, Williams machine VM variables chosen invariant chosen ⊆ { choc , biscuit } events init b = chosen := {} selectBiscuit b = status : ordinary when biscuit chosen then chosen := chosen ∪ { biscuit } end selectChoc b = status : ordinary when choc chosen then chosen := chosen ∪ { choc } end dispenseBiscuit b = status : ordinary when biscuit ∈ chosen then chosen := chosen − { biscuit } end dispenseChoc b = status : ordinary when choc ∈ chosen then chosen := chosen − { choc } endend Fig. 2: VM of the vending machines start from one. We introduce VM in Section 6. Thus M in Theorem 1 corresponds to VM etc. VM is a simple machine that supports the selection and dispensing of choco-lates and biscuits via four events: selectBiscuit , selectChoc , dispenseBiscuit and dispenseChoc . We abbreviate their names in the narrative to sb , sc , db and dc respectively. The first refinement step introduces VM and the notion of pay-ing and refunding. The pay event in VM is always enabled and allows positivecredit to be input. The machine allows a biscuit to be chosen if it has not alreadybeen chosen and additionally provided a payment has been made; a chocolateselection is similar. Hence the guards of all four of the original events sb , sc , db and db are strengthened. The guard of the refund event means that credit cannotbe refunded for selected items and cannot occur forever since it is convergent.Importantly, the refundEnabled flag is introduced so that it is only true after adispense and prevents infinite loops of the pay followed by refund . VM introduces the notion of stocked items and a new refill event. We couldhave chosen many different guards for the refill event. For example, we couldhave labelled it anticipated with a guard of true . Instead we have made an un-derspecification where the stock can be restocked when there may be no biscuitsor no chocolates, and established convergence. Again the guard of the four orig-inal events have been strengthened so that they are only enabled when theappropriate stocked item is in stock. But now db and dc also capture the non-deterministic notion of running out or not of their respective items. The guardof refund remains unchanged. The guard of pay has been strengthened so thatit is only enabled when there is stock but this is not strong enough to preventit happening infinitely often, hence it remains anticipated in VM .The final machine, VM , is a straightforward data refinement which intro-duces the capacity of the machine. Apart from highlighting the refinement rela- anaging LTL properties in Event-B refinement 7 machine VM variables credit , chosen , refundEnabled invariant credit ∈ N ∧ chosen ⊆ { choc , biscuit } ∧ refundEnabled ∈ BOOL variant if refundEnabled = FALSE then else events init b = credit := 0 || chosen := {} || refundEnabled := FALSE pay b = status : anticipated any x where x ∈ N then credit := credit + x end || refundEnabled := FALSE end selectBiscuit b = status : ordinary when credit > ∧ biscuit chosen ∧ credit > card ( chosen ) then chosen := chosen ∪ { biscuit } end selectChoc b = status : ordinary when credit > ∧ choc chosen ∧ credit > card ( chosen ) then chosen := chosen ∪ { choc } end dispenseBiscuit b = status : ordinary when credit > ∧ biscuit ∈ chosen then credit := credit − || chosen := chosen − { biscuit } || refundEnabled := TRUE end dispenseChoc b = status : ordinary when credit > ∧ choc ∈ chosen then credit := credit − || chosen := chosen − { choc } || refundEnabled := TRUE end refund b = status : convergent when credit > card ( chosen ) ∧ refundEnabled := TRUE then credit := card ( chosen ) || refundEnabled := FALSE endend
Fig. 3: VM tionship between stocked and chocStock and biscuitStock note the strengtheningof the guard of refill so that vending machine should only be refilled when thereis no stock. Also the guard of pay is strengthened so that it becomes convergent. In this paper we use the grammar for the LTL operators presented by Plaggeand Leuschel [14]: φ ::= true | [ x ] | ¬ φ | φ ∨ φ | φ U φ Schneider, Treharne, Wehrheim, Williams machine VM variables credit , chosen , refundEnabled , stocked invariant credit ∈ N ∧ chosen ⊆ { choc , biscuit } ∧ stocked ⊆ { choc , biscuit } ( choc ∈ chosen ⇒ choc ∈ stocked ) ∧ ( biscuit ∈ chosen ⇒ biscuit ∈ stocked ) variant card { choc , biscuit } − stocked events init b = . . . || stocked := { choc , biscuit } pay b = status : anticipated any x where x ∈ N ∧ stocked = ∅ then credit := credit + x end || refundEnabled := FALSE end selectBiscuit b = status : ordinary when . . . ∧ biscuit ∈ stocked then chosen := chosen ∪ { biscuit } end selectChoc b = status : ordinary when . . . ∧ choc ∈ stocked then chosen := chosen ∪ { choc } end dispenseBiscuit b = status : ordinary when credit > ∧ biscuit ∈ chosen ∧ biscuit ∈ stocked then . . . || any x where x ⊆ { biscuit } then stocked := stocked − x end end dispenseChoc b = status : ordinary when credit > ∧ choc ∈ chosen ∧ choc ∈ stocked then . . . || any x where x ⊆ { choc } then stocked := stocked − x end end refund b = status : ordinary . . . refill b = status : convergent when choc / ∈ stocked ∨ biscuit / ∈ stocked then stocked := { choc , biscuit } endend Fig. 4: VM A machine M satifies φ , denoted M | = φ , if all traces of M satisfy φ . Thedefinition for u to satisfy φ is defined by induction over φ as follows: u | = trueu | = [ x ] ⇔ u = h x i a u u | = ¬ φ ⇔ it is not the case that u | = φ u | = φ ∨ φ ⇔ u | = φ or u | = φ u | = φ U φ ⇔ ∃ k ≥ . ∀ i < k . u i | = φ and u k | = φ where u n is u with the first n elements removed, i.e., u = h x , . . . , x n − i a u n .From these operators Plagge and Leuschel derived several additional opera-tors, including: conjunction ( φ ∧ φ ), finally (or eventually) ( F φ ), and globally(or always) ( G φ ), in the usual way; we also use these operators, and for explic- anaging LTL properties in Event-B refinement 9 machine VM constants capacity properties capacity > variables credit , chosen , refundEnabled , chocStock , biscuitStock invariant credit ≤ capacity ∧ chosen ⊆ { choc , biscuit } ∧ refundEnabled ∈ BOOL ∧ chocStock ≤ capacity ∧ biscuitStock ≤ capacity ∧ ( choc / ∈ stocked ⇒ chocStock = 0) ∧ ( choc ∈ stocked ⇒ chocStock ≥ ∧ ( biscuit / ∈ stocked ⇒ biscuitStock = 0) ∧ ( biscuit ∈ stocked ⇒ biscuitStock ≥ variant max { ( chocStock + biscuitStock ) − credit , } events init b = . . . || chocStock := capacity || biscuitStock := capacity pay b = status : convergent any x where x ∈ N ∧ ( chocStock + biscuitStock ) > credit then credit := credit + x end || refundEnabled := FALSE end selectChoc b = status : ordinary when . . . ∧ chocStock > then chosen := chosen ∪ { choc } end selectBiscuit b = status : ordinary when . . . ∧ biscuitStock > then chosen := chosen ∪ { biscuit } end dispenseBiscuit b = status : ordinary when credit > ∧ biscuit ∈ chosen ∧ biscuitStock > then . . . || chocStock := chocStock − end dispenseChoc b = status : ordinary when credit > ∧ choc ∈ chosen ∧ chockStock > then . . . || chocStock := chocStock − end refund b = status : ordinary . . . refill b = status : ordinary when chocStock = 0 ∧ biscuitStock = 0 then chocStock := capacity || biscuitStock := capacity endend Fig. 5: VM itness we also provide direct definitions for them: u | = φ ∧ φ ⇔ u | = φ and u | = φ u | = F φ ⇔ ∃ i ≥ . u i | = φ u | = G φ ⇔ ∀ i ≥ . u i | = φ We omit atomic propositions on states since our traces are only dealing withevents and not paths of states and transitions. We also omit the next operator,see Section 7. In this paper our running example uses globally, finally, or andimplies.For example, the informal specification for the
Lift given in Section 1, thatwhenever top happens then eventually ground will happen, could be written as G ([ top ] ⇒ F [ ground ]) From our running VM example, the predicate GF [ selectBiscuit ] expresses that selectBiscuit occurs infinitely often: at any point there is always some occurrenceof selectBiscuit at some point in the future. We use this construction in the VMproperties introduced in Section 5. For example, we have φ given as φ = ( ¬ GF [ selectBiscuit ]) ⇒ G ([ selectChoc ] ⇒ F [ dispenseChoc ])This states that provided selectBiscuit only occurs finitely often (i.e. eventuallystops), then whenever selectChoc occurs then dispenseChoc will eventually occur.It will also be useful to identify the events mentioned explicitly in an LTLformula φ . This set is called the alphabet of φ . This is written α ( φ ), similar tothe use of α M for the alphabet of machine M . For LTL formulae it is definedinductively as follows: Definition 3. α ( true ) = {} α ([ x ]) = { x } α ( ¬ φ ) = α ( φ ) α ( φ ∨ φ ) = α ( φ ) ∪ α ( φ ) α ( φ ∧ φ ) = α ( φ ) ∪ α ( φ ) α ( φ U φ ) = α ( φ ) ∪ α ( φ ) α ( F φ ) = α ( φ ) α ( G φ ) = α ( φ )For example, we have α ( φ ) = { selectBiscuit , selectChoc , dispenseChoc } for φ above. In this section we provide results to demonstrate when properties are preservedby refinement chains. Firstly, we consider chains which do not contain any re-naming/splitting of events in a machine. Hence, each function mapping f i for M i . . . M n is the identity. The first result is a general result identifying a par-ticular temporal property that will always hold for all refinement chains whichabide by the rules of the strategy presented in Section 2.3. The second resultgiven in Lemma 2 concerns the preservation of temporal properties that wouldbe proposed by a specifier. We have already observed from the vending machineexample that new events can be introduced during a refinement, e.g., pay , re-fill , etc.. We aim for such properties to hold even though new anticipated andconvergent events are being introduced.Lemma 1 states that M n at the end of the refinement chain will alwayseventually perform one of the events of the initial machine M . In other words, M n will perform infinitely many of the initial events. This means that the eventsintroduced along the refinement chain cannot occur forever at the expense of theoriginal events. In our example, α M = O . anaging LTL properties in Event-B refinement 11 Lemma 1.
If M W M W . . . W M n and M n is deadlock free and M n does not contain any anticipated events then M n | = GF ( W e ∈ α M [ e ])Next we provide a definition which is used in Lemma 2 below and it enablesus to gain insights into the kinds of temporal properties that are appropriateto be proposed and have the potential of being preserved through a refinementchain. Definition 4 describes a maximal execution satisfying a property φ . Theexecution may include some events which do not have an impact on whether theproperty holds or not therefore we can restrict the maximal execution to includeonly those events that impact on the property. Definition 4.
Let β be a set of events. Then φ is β -dependent if α ( φ ) ⊆ β andu | = φ ⇔ ( u ↾ β ) | = φ . An example of a β -dependent property is GF ( pay ) where β = { pay } . If u | = GF ( pay ) then u ↾ pay | = GF ( pay ), and vice versa. Conversely, ¬ G ( pay )is not { pay } -dependent. For example, if u = h pay , refill , pay , pay , . . . i then u | = ¬ G ( pay ) but u ↾ { pay } 6| = ¬ G ( pay ).As another example, define β = { sb , sc , db , dc } . Then G ( sb ∨ sc ∨ db ∨ dc )is not β -dependent. This is exemplified by any trace u which contains eventsother than those in β . In this case u ↾ { sb , sc , db , sc } | = G ( sb ∨ sc ∨ db ∨ dc ) but u = G ( sb ∨ sc ∨ db ∨ dc ). VM exhibits such traces. Observe that this propertyholds for VM but not for VM : it is not preserved by refinement. Since it is not β -dependent Lemma 2 below is not applicable for this property.Our main result for this section identifies conditions under which an LTLproperty φ will be preserved in a refinement chain. The conditions are as follows: – by the end of the refinement chain there should be no outstanding antic-ipated events (and so all newly introduced events have been shown to beconvergent), as given by restriction 6 of the Development Strategy of Sec-tion 2.3; – the final machine in the refinement chain must be deadlock-free; and – all of the events that have an effect on whether or not φ is true are alreadypresent in M i ( φ is β -dependent for some β ⊆ α M i ).These conditions are enough to ensure that φ is preserved through refinementchains. This means that M i can be checked for φ , and we can be sure that theresulting system M n will also satisfy it.The lemma is formally expressed as follows: Lemma 2.
If M i | = φ and M i W . . . W M n and ≤ i < n and M n is deadlock free and M n does not contain any anticipated events and φ is β -dependent and β ⊆ α M i then M n | = φ . We consider the application of the above Lemmas to our running example onthe refinement chain VM W VM W VM W VM In this case we obtain immediately from Lemma 1 that VM | = GF ([ selectBiscuit ] ∨ [ selectChoc ] ∨ [ dispenseBiscuit ] ∨ [ dispenseChoc ])Any execution of VM will involve infinitely many occurrences of some of theseevents. The newly introduced events pay , refund , refill cannot be performedforever without the occurrence of the original events.We consider some further properties to illustrate the applicability of Lemma 2.Taking VM to be the first machine in the refinement chain, we can consider thefollowing temporal properties φ for VM : φ = G ([ selectChoc ] ∨ [ selectBiscuit ] ⇒ F ([ dispenseChoc ] ∨ [ dispenseBiscuit ])) φ = ( ¬ GF [ selectBiscuit ]) ⇒ G ([ selectChoc ] ⇒ F [ dispenseChoc ]) φ = ( ¬ GF [ selectChoc ]) ⇒ G ([ selectBiscuit ] ⇒ F [ dispenseBiscuit ]) φ = G ([ selectChoc ] ⇒ F [ dispenseChoc ]) φ = G ([ selectBiscuit ] ⇒ F [ dispenseBiscuit ])We note that each of the properties are β -dependent. Next we consider whether VM | = φ i for each i ∈ ..
5. Note that in fact VM = φ and VM = φ since there is a trace for which the properties fail, e.g., in the case of φ the h sc , sb , db , sb , db , . . . i we could have an infinite loop of sb , db events and neverreach a dc event. Thus Lemma 2 is not applicable to these properties.The properties φ and φ are the strongest; φ states that if you do not alwayshave an sb then you will be able to choose a chocolate and for it to be dispensed,and the dual applies in φ . Once we have also established the refinement chain VM W VM W VM W VM , and that VM is deadlock free we candeduce using Lemma 2 that VM | = φ i for all i ∈ ..
3. Observe however thatLemma 2 does not establish that φ i holds in all refinement machines, only thosewith no anticipated events. For example, VM and VM do not satisfy φ , φ nor φ since pay is anticipated and can be executed infinitely often.Since VM introduced the event pay we can also introduce new temporalproperties that are required to hold from VM onwards. In other words, we applyLemma 2 on the chain VM W VM W VM . The properties to consider are: φ = G ([ pay ] ⇒ F ([ dispenseBiscuit ] ∨ [ dispenseChoc ])) φ = GF [ pay ]The infinite behaviour of pay means that φ is not satisfied in VM . However, VM | = φ thus we can again apply Lemma 2, and obtain that VM | = φ since φ is β -dependent. This exemplifies that new temporal properties can be addedto the refinement verification chain.We note that in fact VM | = φ . Thus φ and φ together imply that GF ([ dispenseBiscuit ] ∨ [ dispenseChoc ])) holds for VM . anaging LTL properties in Event-B refinement 13 In this section we generalise the results of Section 5 in order to deal with split-ting events in Event-B, which occurs when abstract events are refined by severalevents in the concrete machine, corresponding to a set of alternatives. Consideras a motivating example VM in Figure 6. This is refined by VM , with link-ing invariant item = card ( chosen ), selectItem refined by both selectBiscuit and selectChoc , and dispenseItem refined by both dispenseBiscuit and dispenseChoc .Splitting events also involves their renaming to allow for several concrete eventsto map to the same abstract one. A refinement step will therefore be associatedwith a renaming function h from concrete events to the abstract events that theyrefine. In the general case h will be many-to-one, since many concrete events maymap to a single abstract event; and it will also be partial, since new events inthe concrete machine will not map to any abstract event.In general, each step in a refinement chain M W M W . . . W M n willhave an event renaming function h i corresponding to the renaming and splittingstep from M i to M i − . We define g i , n to be the composition of these renamingfunction from h n down to h i . Observe that g i , n will be undefined on any eventthat does not map to M i − , in other words any event that corresponds to anevent introduced at some point in the refinement chain. For example, for thechain VM W VM W . . . W VM , we obtain that g , ( selectBiscuit ) = g , ( selectChoc ) = selectItem , and g , ( dispenseBiscuit ) = g , ( dispenseChoc ) = dispenseItem , and g , is not defined on the remaining events of VM .Lemma 1 generalises to state that the final machine in the refinement chainmust always eventually perform some event relating to an event in the initialmachine. Lemma 3.
If M W M W . . . W M n and M n is deadlock free and M n does not contain any anticipated events then M n | = GF ( W e ∈ g − , n ( α M ) e )Observe that if there is no renaming or splitting, then g , n is the identity functionon the events in α M , yielding Lemma 1.We are interested in how the LTL properties of an abstract machine be-comes transformed through a refinement step such as VM to VM . For ex-ample, the property GF [ selectItem ] for VM states that from any stage thatis reached, selectItem will eventually occur. This will translate to the property GF ([ selectBiscuit ] ∨ [ selectChoc ]) for VM . We now consider how LTL propertiestranslate through a renaming function h .For a given event renaming function h , we define trans h as the translationthat maps LTL formulae by mapping abstract events to the disjunction of theircorresponding concrete events, as follows: machine VM variables item invariant item ∈ N events init b = item := 0selectItem b = status : ordinary when item ≤ then item := item + 1 end dispenseItem b = status : ordinary when item > then item := item − endend Fig. 6: VM Definition 5. trans h ( true ) = truetrans h ([ x ]) = _ y | h ( y )= x [ y ] trans h ( ¬ φ ) = ¬ trans h ( φ ) trans h ( φ ∨ φ ) = trans h ( φ ) ∨ trans h ( φ ) trans h ( φ ∧ φ ) = trans h ( φ ) ∧ trans h ( φ ) trans h ( φ U φ ) = trans h ( φ ) U trans h ( φ ) trans h ( G φ ) = G trans h ( φ ) trans h ( F φ ) = F trans h ( φ )For example trans h ( G ([ selectItem ] ⇒ F [ dispenseItem ]))= G (([ selectBiscuit ] ∨ [ selectChoc ]) ⇒ F ([ dispenseBiscuit ] ∨ [ dispenseChoc ]))Lemma 2 generalises to Lemma 4 below, to state that LTL properties are car-ried along the refinement chain by translating them. In particular, if a property φ is established for M i − , then trans g i , n ( φ ) will hold for M n : Lemma 4.
If M i − | = φ and M i − W . . . W M n and ≤ i − < n,M n is deadlock free and M n does not contain any anticipated events and φ is β -dependent and β ⊆ α M i − then M n | = trans g i , n ( φ )For example, from the result for VM that whenever selectItem occurs then dispenseItem will eventually occur, VM | = G ([ selectItem ] ⇒ F [ dispenseItem ])) anaging LTL properties in Event-B refinement 15 we obtain from Lemma 4 that VM | = G ( ([ selectBiscuit ] ∨ [ selectChoc ]) ⇒ F ([ dispenseBiscuit ] ∨ [ dispenseChoc ]) )This states that whenever selectBiscuit or selectChoc occur, then dispenseBiscuit or dispenseChoc will eventually occur. One of the few papers to discuss LTL preservation in Event-B refinement isGroslambert [8]. The LTL properties were defined in terms of predicates onsystem state rather than our paper’s formulation in terms of the occurrence ofevents. His paper focused only on the introduction of new convergent events. Itdid not include a treatment of anticipated events but this is unsurprising sincethe paper was published before their inclusion in Event-B. Our results are moregeneral in two ways. Firstly, the results support the treatment of anticipatedevents. Secondly, we allow more flexibility in the development methodology. Acondition of Groslambert’s results was that all the machines in the refinementchain needed to be deadlock free. The two main lemmas in our paper: Lemmas 2and 4 do not require each machine in a refinement chain to be deadlock free,only the final machine. It is irrelevant if intermediate M i s deadlock as long asthe deadlock is eventually refined away.Groslambert deals with new events via stuttering and leaves them as visibleevents in a trace. This is why the LTL operators used by the author do notinclude the next operator ( X ). As new events may happen this may violate the X property to be checked. Plagge and Leuschel in [14] permit the use of the X operator since they treat the inclusion of new events as internal events whichare not visible. Since we deal with new events as visible events we also lose theability to reason about a temporal property using the typical X operator. Ourreasoning is simpler than both Groslambert and Plagge and Leuschel since weonly focus on events but this means we cannot have atomic propositions in ourLTL, whereas they can.The notion of verification of temporal properties of both classical and Event-B systems using proof obligations has been considered in many research papers.Abrial and Musat in an early paper, [3], introduced proof obligations to deal withdynamic constraints in classical B. In a more recent paper [10] Hoang and Abrialhave also proposed new proof obligations for dealing with liveness propertiesin Event-B. They focus on three classes of properties: existence, progress andpersistence, with a view to implementing them in Rodin. Bicarregui et al. in [5]introduced a temporal concept into events using the guard in the when clauseand the additional labels of within and next so that the enabling conditions arecaptured clearly and separately. However, these concepts are not aligned withthe standard Event-B labelling.The interest of LTL preservation through refinement is wider than simplyEvent-B. Derrick and Smith [7] discuss the preservation of LTL properties in the context of Z refinement but the authors extend their results to other logics suchas CTL and the µ calculus. They focus on discussing the restrictions that areneeded on temporal-logic properties and retrieve relations to enable the modelchecking of such properties. Their refinements are restricted to data refinementand do not permit the introduction of new events in the refinement steps. Ourpaper does permit new events to be introduced during refinement steps; thecontribution is in identifying conditions for LTL properties to hold even in thecontext of such new events. The paper has provided foundational results that justify when temporal prop-erties hold at the end of an Event-B refinement chain for developments whichcontain anticipated, convergent and ordinary events, which goes beyond thatpresented in [8]. The paper has also provided restrictions on the temporal prop-erties in terms of being β -dependent which help to determine when a temporalproperty of interest should be introduced into the development chain.We could extend the results to deal with merging events. The inclusion ofthe X LTL operator and availability will require use to look at execution pathswhich include state transitions ( π paths). The inclusion of availability will enableus to address more advanced and useful notions of fairness in the context oftemporal properties. Our notion of weak fairness will be akin to that describedin Barradas and Bert in [4]. It will draw on work by Williams et al. [16]. Wecould also consider the impact on temporal property preservation in refinementchains which do not achieve convergence of all its new events by the end.In ongoing work we are looking at event liveness via the proof obligationfor strong deadlock freedom S NDF . We have defined new labelling of eventsto so that liveness proofs are on particular events. This is analagous to proving
WFD REF for events that are labelled anticipated or convergent. We have recentlydefined the semantics of Event-B in terms of stable failures and detailed itsrelationship with
S NDF . We are currently combining these results with our workin [15] in order to provide a cohesive process algebra underpinning for Event-B.
Acknowledgments.
Thanks to Thai Son Hoang and Thierry Lecomte for dis-cussions about Event-B development strategies and the challenges of discharingliveness proofs. Thanks to Steve Wesemeyer for discussions on the example.Thanks to the reviewers for their constructive comments that helped to improvethe paper.
References
1. J.-R. Abrial.
Modeling in Event-B: System and Software Engineering . CambridgeUniversity Press, 2010.2. J.-R. Abrial, M. J. Butler, S. Hallerstede, T. S. Hoang, F. Mehta, and L. Voisin.Rodin: an open toolset for modelling and reasoning in Event-B.
STTT , 12(6):447–466, 2010.anaging LTL properties in Event-B refinement 173. J.-R. Abrial and L. Mussat. Introducing dynamic constraints in B. In B , volume1393 of LNCS , pages 83–128. Springer, 1998.4. H. Barradas and D. Bert. Specification and proof of liveness properties underfairness assumptions in B event systems. In
Integrated Formal Methods , volume2335 of
LNCS , pages 360–379. Springer, 2002.5. J. Bicarregui, A. Arenas, B. Aziz, P. Massonet, and C. Ponsard. Towards modellingobligations in Event-B. In
Abstract State Machines, B and Z , volume 5238 of
LNCS ,pages 181–194. Springer, 2008.6. M. J. Butler.
A CSP approach to Action Systems . DPhil thesis, Oxford U., 1992.7. J. Derrick and G. Smith. Temporal-logic property preservation under Z refinement.
Formal Asp. Comput. , 24(3):393–416, 2012.8. J. Groslambert. Verification of LTL on B Event Systems. In
B 2007: Formal Spec-ification and Development in B , volume 4355 of
LNCS , pages 109–124. Springer,2006.9. S. Hallerstede, M. Leuschel, and D. Plagge. Validation of formal models by refine-ment animation.
Science of Computer Programming , 78(3):272 – 292, 2013.10. T. S. Hoang and J.-R. Abrial. Reasoning about liveness properties in Event-B. In
ICFEM , volume 6991 of
LNCS , pages 456–471. Springer, 2011.11. M. Leuschel and M. J. Butler. ProB: an automated analysis toolset for the Bmethod.
STTT , 10(2):185–203, 2008.12. M. Leuschel, J. Falampin, F. Fritz, and D. Plagge. Automated property verificationfor large scale B models. In FM , volume 5850 of LNCS , pages 708–723. Springer,2009.13. C. Morgan. Of wp and CSP.
Beauty is our business: a birthday salute to E. W.Dijkstra , pages 319–326, 1990.14. D. Plagge and M. Leuschel. Seven at one stroke: LTL model checking for high-levelspecifications in B, Z, CSP, and more.
STTT , 12(1):9–21, 2010.15. S. Schneider, H. Treharne, and H. Wehrheim. The behavioural semantics of Event-B refinement.
Formal Asp. Comput. , 26(2):251–280, 2014.16. D. M. Williams, J. de Ruiter, and W. Fokkink. Model checking under fairness inProB and its application to fair exchange protocols. In
ICTAC , volume 7521 of
LNCS , pages 168–182. Springer, 2012.
A Proofs of Lemmas
In this appendix we provide the proofs for the main lemmas: Lemma 1, 2 andLemma 4. We also provide additional supporting definitions and lemmas.
Proof of Lemma 1
Since M n does not deadlock consider an infinite trace u of M n . Let u = u ↾ ( C ∪ . . . ∪ C n ∪ O ) since M n does not have any anticipatedevents. We aim to prove that u ↾ O is infinite. If u ↾ C ∪ . . . ∪ C n is finitethen u ↾ O is infinite. If u ↾ C ∪ . . . ∪ C n is infinite then u ↾ O is infinite byTheorem 1 where g − , n is simply the identity function. ✷ Proof of Lemma 2
Let u be a trace of M n and since M n is deadlock free u willbe infinite. Since M i W . . . W M n then we deduce that u ↾ α ( M i ) is a traceof M i . Therefore u ↾ α ( M i ) | = φ . Therefore, u ↾ α ( M i ) ↾ β | = φ , i.e., u ↾ β | = φ ,since β ⊆ α ( M i ). By Definition 4 it follows that u | = φ as required. ✷ The following definition and lemmas regarding infinite traces and how theyrelate to temporal properties in the context of translation mappings: Definition 6,Lemma 5, Lemma 6 and Lemma 7, are required in order to prove Lemma 4presented in Section 6 and proved below.Given a partial surjective function h : B A , we define the completion of h as follows: Definition 6.
Given a partial surjection h : B A, its completion h tot : B →→ ( A ∪ ( B − dom ( h ))) is the function h augmented with the identity on all eventsnot in the domain of h. h tot is defined as h tot = h ∪ id ( B − dom ( h )) . The f i ,1 ≤ i ≤ n , for each machine M i . . . M n are examples of h . f , tot for VM is { ( pay , pay ) , ( refund , refund ) , ( sb , selectItem ) , ( sc , selectItem ) , . . . } . Thefunction h lifts to B ω A ω by applying h pointwise to each event. h tot similarlylifts to B ω →→ ( A ∪ ( B − dom ( h ))) ω . Lemma 5. If α ( φ ) ⊆ ran ( h ) (i.e. all events mentioned in φ are in the range ofh) then trans h ( φ ) is the same as trans h tot ( φ ) . Proof
This is because h − and h − tot are the same for all events in ran ( h ). ✷ The following lemma provides a result that allows us to demonstrate the rela-tionship between an infinite trace u preserving a transformed temporal propertyand a corresponding transformation on the trace preserving a temporal property. Lemma 6. If α ( φ ) ⊆ ran ( h ) , thenu ∈ ( dom ( h )) ∗ ⇒ ( u | = trans h ( φ ) ⇔ h ( u ) | = φ ) Proof:
By structural induction over the structure of φ . Base Case:
Consider when φ is [ x ]. If u | = trans h [ x ] ⇔ u | = _ y | h ( y )= x y [ by Definition ⇔ _ y | h ( y )= x u | = [ y ] [ by model distribution ] ⇔ _ y | h ( y )= x u = y [ where u is first element of u ] ⇔ _ y | h ( y )= x ( h ( u )) = h ( y ) = x [ condition on y ] ⇔ ( h ( u )) = x ⇔ h ( u ) | = [ x ] Inductive Cases:
Consider where φ is ¬ φ . Then u | = trans h ( φ ) ⇔ u = trans h ( φ ) ⇔ h ( u ) = φ ⇔ h ( u ) | = ¬ φ .Proof of the other cases follow similarly. ✷ The next lemma allows us to demonstrate the relationship between a property φ which is β -dependent following transformation. anaging LTL properties in Event-B refinement 19 Lemma 7. If α ( φ ) ⊆ β ⊆ ran ( h ) , then if φ is β -dependent then trans h ( φ ) ish − ( β ) − dependent Proof:
Consider an infinite trace v . Then v | = trans h ( φ ) ⇔ v | = trans h tot ( φ ) [ by Lemma since α ( φ ) ⊆ β ⊆ ran ( h )] ⇔ h tot ( v ) | = φ [ by Lemma ⇔ h tot ( v ) ↾ β | = φ [ by Definition ⇔ h tot ( v ↾ h − tot ( β )) | = φ [ by function mapping ] ⇔ v ↾ h − tot ( β ) | = trans h tot ( φ ) [ by Lemma ⇔ v ↾ h − ( β ) | = trans h ( φ ) [ since α ( φ ) ⊆ Aand β ⊆ A , so h and h tot have the same effect ] ✷ Proof of Lemma 4
Let u to be an infinite execution of M n since M n is deadlockfree. Let h = g i , n . It follows from Theorem 6.5 of [15] that h tot ( u ) ↾ α ( M i ) is aninfinite execution of M i Then we obtain h tot ( u ) ↾ α ( M i ) | = φ [since M i | = φ ] ⇒ h tot ( u ) ↾ α ( M i ) ↾ β | = φ [since φ is β -dependent] ⇒ h tot ( u ) ↾ β | = φ [ β ⊆ α ( M i )] ⇒ h tot ( u ↾ h − tot ( β )) | = φ [interaction of projection and mapping] ⇒ u ↾ h − tot ( β ) | = trans h tot ( φ ) [by Lemma 6] ⇒ u ↾ h − ( β ) | = trans h ( φ ) [by Lemma 5] ⇒ u | = trans h ( φ ) [by Lemma 7]as required.) [by Lemma 7]as required.