Publication


Featured research published by Bill Stoddart.


ZUM '97 Proceedings of the 10th International Conference of Z Users on The Z Formal Specification Notation | 1997

An Introduction to the Event Calculus

Bill Stoddart

The Event Calculus is a model of communicating state machines which is defined in Z. The machines have a number of behavioural states, which can be represented in diagrammatic form, and have data states which can be described with Z data base schemas. Machines change state on the occurrence of an “event”. A diagrammatic notation is used in which each transition may be labelled with an event together with a Z operation schema which describes any change in the machine's data state. Communication between machines is modelled by means of shared events, associated with a simultaneous change of state of two or more machines. In this paper the key concepts of the calculus are introduced through tutorial examples based on vending machines. This is followed by a case study of a distributed seat booking system.


formal methods | 1999

Undefined Expressions and Logic in Z and B

Bill Stoddart; Steve Dunne; Andy Galloway

In this paper we show how undefined expressions and undetermined predicates may arise when using the specification languages Z and B. We review how undefined terms have been handled in various formalisms (Principia Mathematica, Domain Theory, LPF) and look at the effect of undefined expressions on the proof theory and the denotational meaning of specifications in Z and B. We note that in formal systems which make use of partial functions and have an unguarded equality axiom x = x together with a classical two valued logic it is impossible to have a proof rule of the form y = f(x) ⇒ x ↦ y ∈ f and that consequently, assertions of the form y = f(x) may have very little meaning.


unifying theories of programming | 2006

A design-based model of reversible computation

Bill Stoddart; Frank Zeyda; Robert Lynas

We investigate, within the UTP framework of Hoare He Designs, the effect of seeing computation as an essentially reversible process. We describe the theoretical link between reversibility and the minimum power requirements of a computation, and we review Zuliani’s work on Reversible Probabilistic Guarded Command Language. We propose an alternative formalisation of reversible computing which accommodates backtracking. To obtain a basic backtracking language able to search for a single result we exploit the already recognised properties of non-deterministic choice, using it as provisional choice rather than implementor’s choice. We add a “prospective values” formalism which can describe programs that return all the possible results of a search, and we show how to formally describe the premature termination of such a search, a mechanism analogous to the “cut” of Prolog. An appendix describes some aspects of the wp calculus in terms of Designs, as needed for our proofs. Support for the programming structures described has been incorporated in a reversible virtual machine for i386 platforms with Posix compatibility.


Lecture Notes in Computer Science | 2005

A prospective-value semantics for the GSL

Frank Zeyda; Bill Stoddart; Steve Dunne

We present a prospective-value (pv) semantics for the Generalised Substitution Language. Whereas wp semantics captures the meaning of a computation in terms of the weakest precondition that must be fulfilled for a generalised substitution S to establish any given postcondition Q, pv semantics expresses the meaning of a computation in terms of the value any expression E would take were the computation to be carried out. To integrate non-termination we formulate improper bunch theory, an extended version of Hehner's bunch theory where each type is augmented with an improper bunch. Algebraic simplification laws for the pv expression transformer are presented, and proved to be sound. Iteration is treated as a fixed-point in expressions, and a corresponding theorem is presented allowing us to infer the pv effect of the while-loop construct.


Lecture Notes in Computer Science | 1998

Abstract State Machines: Designing Distributed Systems with State Machines and B

Bill Stoddart; Steve Dunne; Andy Galloway; Richard Shore

We outline a theory of communicating “Abstract State Machines”. The state of an Abstract State Machine has two components: a behavioural state and a data state. The behavioural states are shown on a state diagram, whose transitions are labelled with an “event” and a B operation. The firing of a transition is synonymous with the occurrence of its associated event. We use a synchronous model of communication based on shared events which simultaneously change the state of each participating machine. The B operation associated with a transition generally has the form G ⟹ S, where a necessary condition for the transition to fire is that G is true, and where S describes any resulting changes in the data state of the Abstract Machine. The paper includes simple examples, the translation of Abstract State Machines to B Action Systems, the translation of Abstract State Machines into “primitive” Abstract State Machines which have only behavioural state, the parallel combination of high level Abstract State Machines, and short notes on choice and refinement.


Formal Aspects of Computing | 2013

A unification of probabilistic choice within a design-based model of reversible computation

Bill Stoddart; Frank Zeyda

We see reversible computing as a generalisation of sequential computation obtained by revoking the law of the excluded miracle. Our execution language includes naked guarded commands and non-deterministic choice. Choices which lead to miraculous continuations invoke reverse computation, and non-deterministic choice plays the rôle of provisional choice within a backtracking context. We require probabilistic choice for symmetry breaking and sampling large search spaces, but must formulate it differently from previous approaches to obtain the required interactions between probabilistic choice and non-deterministic choice and between probabilistic choice and feasibility. Our formulation allows us to derive the post-distributions which characterise a program, and we use these to construct a relational model. We consider refinement as containment of convex closures within distribution space, qualified with additional conditions to avoid over-refinement. We link the non-probabilistic and probabilistic versions of the model with a Galois connection and show that classical designs are a retract of our probabilistic designs. We consider the interaction between probabilistic and non-deterministic choice and find the same initially counter-intuitive results that have been noted by other investigators. We provide an alternative formulation, within the same model, of oblivious non-determinism, which allows all non-deterministic choices to be moved to the start of a computation. We consider the interaction between probabilistic choice and feasibility that is required to match an operational interpretation in which infeasible commands provoke reverse execution, and we present a small case study to show how the interaction between probabilistic choice and feasibility can be exploited in a practical program. 
All programming structures described here are supported by our implementation platform, the Reversible Virtual Machine, whose development has accompanied our theoretical investigations.


Lecture Notes in Computer Science | 2007

Modelling and proof analysis of interrupt driven scheduling

Bill Stoddart; Dominique Cansell; Frank Zeyda

Following a brief discussion of uniprocessor scheduling in which we argue the case for formal analysis, we describe a distributed Event B model of interrupt driven scheduling. We first consider a model with two executing tasks, presented with the aid of state machine diagrams. We then present a faulty variant of this model which, under particular event timings, may “drop” an interrupt. We show how the failure to discharge a particular proof obligation leads us to the conceptual error in this model. Finally we generalise the correct model to n tasks, leading to a reduction in proof effort.


Formal Aspects of Computing | 1993

Type inference in stack based languages

Bill Stoddart; Peter J. Knaggs

We consider a language of operations which pass parameters by means of a stack. An algebra over the set of type signatures is introduced, which allows the type signature of a program to be obtained from the type signatures of its constituent operations. Although the theories apply in principle to any stack based language, they have been evolved with particular regard to the proposed ANSI Standard Forth language, which is currently implemented in a type free manner. We hope this work will stimulate an interest in Forth amongst those applying algebraic techniques in software engineering, and we hope to lay the theoretical foundations for implementing practical type checkers to support Forth.


unifying theories of programming | 2010

Probabilistic choice, reversibility, loops, and miracles

Bill Stoddart; Pete Bell

We consider an addition of probabilistic choice to Abrial's Generalised Substitution Language (GSL) in a form that accommodates the backtracking interpretation of non-deterministic choice. Our formulation is introduced as an extension of the Prospective Values formalism we have developed to describe the results from a backtracking search. Significant features are that probabilistic choice is governed by feasibility, and non-termination is strict. The former property allows us to use probabilistic choice to generate search heuristics. In this paper we are particularly interested in iteration. By demonstrating sub-conjunctivity and monotonicity properties of expectations we give the basis for a fixed point semantics of iterative constructs, and we consider the practical proof treatment of probabilistic loops. We discuss loop invariants, loops with probabilistic behaviour, and probabilistic termination in the context of a formalism in which a small probability of non-termination can dominate our calculations, proposing a method of limits to avoid this problem. The formal programming constructs described have been implemented in a reversible virtual machine (RVM).


ZUM '98 Proceedings of the 11th International Conference of Z Users on The Z Formal Specification Notation | 1998

The Specification and Refinement of an Environmental Model

Bill Stoddart

When specifying a reactive system, we need to consider both the system itself, and the environment it operates in. A suitable formalism for such a task is the Event Calculus, a theory of synchronised state machines which lends itself to diagrammatic representation and which can be conveniently formulated in Z. In this paper we describe an approach to behavioural refinement in the Event Calculus. We consider a gas burner, starting with an outline description of its physical behaviour, then refining this by adding additional details and constraints. Each refinement step is achieved by adding a new (and simple) state machine to our existing model.

Collaboration


Top Co-Authors

Wolfgang Grieskamp

Technical University of Berlin
