model13s1soln java

Upload: jordieee

Post on 03-Jun-2018


  • 8/12/2019 model13s1soln java

    1/7

    Solutions to the Model Exam COMP2111 13s1

    Kai Engelhardt

    Revision: 1.4 of Date: 2013/06/12 12:45:41

Answer to Question 1 These are screen shots from Rodin and quite small so I could fit them onto the pages. Some definitions and invariants weren't called for in the questions but made the presentation easier or POs easier to discharge.

    Answer to Question 2 And the machine to go with the context:


    Answer to Question 3 See answer 1.

    Answer to Question 4 See answers 1 and 2.

    Answer to Question 5 See answer 2.

Answer to Question 6 To answer questions relating to POs, let us abbreviate the conjunction of all axioms listed in the context bag ctx by A and the conjunction of all invariants in bagA by I. Let G = t T c < M be the conjunction of add's guards.

Let T = (c = c + 1 (t dom(b) b = b {t b(t) + 1}) (t / dom(b) b = b {t 1})) be the before-after predicate of add derived from the two actions.

There are three POs for add: Rodin would split some of these POs up. For instance, the one for invariant preservation would be split into one for each invariant, omitting those that hold trivially for some definition of trivially made by Rodin.

well-definedness of the second action (trivial; not discussed)

feasibility of the second action

A I G b, c T


Recall from maths that to prove validity of such a formula we need to consider the free variables as implicitly universally quantified. The term variables here refers to all the free identifiers, that is, not only the Event-B variables but also constants, set names, and primed variables occurring freely in the formula. To prove feasibility, we provide values for the existentially quantified variables b and c in line with T, that is, c is always c + 1 and b is changed only in t. How it changes in t depends on whether t is already in the bag.

invariant preservation A I G T I

I'll demonstrate once how to do this in detail, for each of the four conjuncts of I = inv1 inv4 inv5 inv6.

Using A we translate inv1 : b BAG into b T N1. From I we use that b T N1. Now there are two cases. (1) If t dom(b) then b = b {t b(t) + 1}, which is of type T N1. (2) Otherwise, if t / dom(b) then b = b {t 1} is also of that type.

From G and inv4 we know that c 0..M 1. Hence c = c + 1 1..M, which establishes inv4.

inv5 holds because inv5 is in I and res is not changed by add (formally: T = res = res).

inv6 follows from the axioms about bs in A, inv6, and T giving c = c + 1 = bs(b) + 1 = bs(b).

    Answer to Question 7 Here are the two new events.

Answer to Question 8 For addnew, a guard PO and a simulation PO should be generated. The guard PO ensures that add must be enabled whenever addnew is. The PO is A I Gn G


where Gn is the conjunction of addnew's guards. This is trivially true since addnew has all the guards of add (and one extra).

A similar argument yields validity of addold's guard PO.

addnew's simulation PO is

A I Gn Tn T

where Tn is addnew's before-after predicate c = c + 1 b = b {t 1}. This matches precisely the first and last conjunct of T when taking grd3 into account.

A similar argument establishes addold's simulation PO

A I Go To T

where Go is the conjunction of addold's guards and To is addold's before-after predicate c = c + 1 b = b {t b(t) + 1}. This time the second rather than third conjunct in

T is matched.

Answer to Question 9 The answer is cleaner when storing some of the useful definitions in another context. Again, much of this isn't necessary for the exam but I added it to help with cleanliness of the presentation and discharging POs. For starters one could omit everything labelled theorem.


Answer to Question 10 Let us abbreviate the conjunction of all axioms listed in the context bagC ctx by C and the conjunction of all invariants in bagC by J.

The initialisation needs to establish the invariants, including the gluing invariants. The before-after predicate of the initialisation including the initialisation of bagA is T0 = (b = c = 0 res T B BUF l = 0 h = M). We need to show

A C T0 J


We discuss the conjuncts of J in order. The first three, inv1 inv5, clearly follow from the premises. (Even Rodin doesn't put up a fight.)

For glueS1 we need to show that

A C dom() = B[Bdom(0 M)]

This follows from Bdom(0 M) = , which in turn is a consequence of the axioms in bagC ctx.

glueS2 is vacuously true since dom(b) = dom() = .

gluec is implied by c = 0, which we find in T0, and Bsize(0 M) = 0, which follows from the context.

For add we note the guard G1 = t T Bsize(l h) < M, the witness predicates W1 = (glueS1 glueS2)[b,B,h/b,B,h], and the before-after predicate T1 = (l = l h = (h + 1) mod (M + 1) B = B {h t}). We encounter POs relating to

1. well-definedness of the witness

A C I J G1 T1 L(W1)

(we won't discuss this; well-definedness POs won't feature in the exam)

2. feasibility of the witness

A C I J G1 T1 b W1

The instantiation for b that works here is the one constructed in bagA's event add.

3. invariant preservation

A C I J G1 T1 W1 J

Here W1 helps a lot to preserve all the gluing invariants. The other invariants are merely types and preserved by the actions.

4. action simulation

A C I J G1 T1 W1 T

Again W1 does all the heavy lifting from circular buffers to bags by predicting the correct value for b.
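The invariant-preservation argument for add in bagA (Question 6) and the gluing invariants between bagA and its circular-buffer refinement bagC (Question 10) can be animated mechanically. The following Python model is an added example and is not part of these solutions or of the Rodin development; the exact definitions of Bsize and Bdom, the initial (empty) buffer B and the value of M are my assumptions, and the abstract bag is represented as a dict rather than a Rodin partial function. Both machines are run in lock-step on a constructed trace of add events, and after every step the abstract invariants, the guard PO (G1 implies G) and the gluing conjuncts glueS1, glueS2 and gluec are checked:

```python
"""Added example, not from the solutions: a Python animation of the abstract bag
machine bagA and its circular-buffer refinement bagC, checking the abstract
invariants and the gluing invariants after every add. The definitions of
Bsize/Bdom, the initial buffer and the value of M are my assumptions."""
from collections import Counter

M = 4                       # capacity constant from the context (value assumed)
T = {"x", "y", "z"}         # carrier set of elements (constructed)


class BagA:
    """Abstract machine: b is a bag (partial function T -> N1), c its size."""

    def __init__(self):
        self.b = {}         # inv1: b in T +-> N1
        self.c = 0          # inv4: c in 0..M

    def add_enabled(self, t):
        return t in T and self.c < M            # G: t in T and c < M

    def add(self, t):
        assert self.add_enabled(t)
        # the two cases of the before-after predicate T
        self.b[t] = self.b[t] + 1 if t in self.b else 1
        self.c += 1                             # c' = c + 1

    def invariant(self):
        return (all(t in T and n >= 1 for t, n in self.b.items())
                and 0 <= self.c <= M)


def bsize(l, h):
    """Number of occupied slots of the circular range l..h (assumed definition)."""
    return (h - l + 1) % (M + 1)


def bdom(l, h):
    """Occupied slot indices: the bsize(l, h) slots just before h (assumed)."""
    return {(h - 1 - i) % (M + 1) for i in range(bsize(l, h))}


class BagC:
    """Concrete machine: circular buffer B : 0..M +-> T with indices l and h."""

    def __init__(self):
        self.B = {}                             # no slot written yet (assumed)
        self.l, self.h = 0, M                   # from T0: l = 0, h = M

    def add_enabled(self, t):
        return t in T and bsize(self.l, self.h) < M     # G1

    def add(self, t):
        assert self.add_enabled(t)
        self.B[self.h] = t                      # B' = B union {h |-> t}
        self.h = (self.h + 1) % (M + 1)         # h' = (h + 1) mod (M + 1)

    def represented_bag(self):
        """The bag the buffer stands for; the witness W1 predicts b' this way."""
        return dict(Counter(self.B[i] for i in bdom(self.l, self.h)))


def gluing_invariant(a, c):
    """J's gluing conjuncts: glueS1, glueS2 and gluec (as I read them)."""
    occupied = bdom(c.l, c.h)
    glue_s1 = set(a.b) == {c.B[i] for i in occupied}   # dom(b) = B[Bdom(l..h)]
    glue_s2 = a.b == c.represented_bag()               # same multiplicities
    glue_c = a.c == bsize(c.l, c.h)                    # c = Bsize(l..h)
    return glue_s1 and glue_s2 and glue_c


def animate(events):
    """Fire a constructed trace of adds on both machines in lock-step.
    Returns the per-state gluing verdicts, the final abstract bag and (l, h)."""
    a, c = BagA(), BagC()
    verdicts = [gluing_invariant(a, c)]         # T0 has to establish J
    for t in events:
        if not c.add_enabled(t):
            break                               # buffer full: add is disabled
        assert a.add_enabled(t)                 # guard PO: G1 implies G
        a.add(t)
        c.add(t)
        assert a.invariant()                    # invariant preservation of bagA
        verdicts.append(gluing_invariant(a, c)) # invariant preservation of bagC
    return verdicts, a.b, (c.l, c.h)


if __name__ == "__main__":
    print(animate(["x", "y", "x", "z", "x"]))
```

Animation of this kind is no substitute for discharging the POs, which quantify over all states; it only exercises the trace given to it. It is, however, a cheap way to catch a wrong witness or a mis-stated gluing invariant before spending time in the prover: with M = 4 the fifth add above is refused by the concrete guard, exactly as the abstract guard c < M would refuse it.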

Answer to Question 11 Four possible answers are:

{I(a,c,x)} A5; C5 {I(a,c,x)}

{I(a,c,x)} A5 {I(a, fC(c, x), x)}

{I(a,c,x)} C5 {I(fA(a, x), c, x)}

{I(a,c,x)} true {I(fA(a, x), fC(c, x), x)}

Answer to Question 12 No fairness constraints are needed.

By the convergence argument for improve, after the initialisation, this event can only fire finitely often, then it's disabled and, for the execution to be maximal, Finish, which is now enabled, must fire, setting final = TRUE.


Answer to Question 13 Now a weak fairness constraint is needed for Improve and Finish to guarantee that these events happen since otherwise skip could monopolise the execution.

We show (n = 3 f = 1 k = 0 final = FALSE) (final = TRUE f = 6) via intermediate stages:

(n = 3 f = 1 k = 0 final = FALSE) (n = 3 f = 1 k = 1 final = FALSE)

(n = 3 f = 2 k = 2 final = FALSE)

(n = 3 f = 6 k = 3 final = FALSE)

(n = 3 f = 6 k = 3 final = TRUE)

All these steps can be proved with the resp rule with the helpful events being H = Improve for the first 3, and H = Finish for the last.
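The difference between Questions 12 and 13 (maximality alone suffices without skip; weak fairness is needed once skip exists) can be seen by executing the machine under different schedulers. The Python model below is an added example, not part of the solutions or of any Rodin model; the bodies of Improve (k' = k + 1, f' = f * (k + 1)) and Finish (final' = TRUE), the guards, the variant n - k and the scheduler definitions are my reconstruction from the intermediate stages listed above, with n = 3 as there. The variant is checked to decrease on every Improve, an "unfair" scheduler that always picks skip is shown to stall, and a scheduler that fires a helpful event on every other step reaches the same four stages:

```python
"""Added example, not from the solutions: a model of the Improve/Finish/skip
machine of Questions 12 and 13. Event bodies, guards and schedulers are my
reconstruction from the listed intermediate stages (assumptions)."""

# state = (n, f, k, final)

def improve_enabled(s):
    n, f, k, final = s
    return k < n and not final


def improve(s):
    n, f, k, final = s
    return (n, f * (k + 1), k + 1, final)     # assumed body: k' = k + 1, f' = f * (k + 1)


def finish_enabled(s):
    n, f, k, final = s
    return k == n and not final


def finish(s):
    n, f, k, final = s
    return (n, f, k, True)                    # final' = TRUE


def skip(s):
    return s                                  # leaves the state unchanged


def variant(s):
    n, f, k, final = s
    return n - k                              # natural number decreased by every Improve


EVENTS = {"Improve": (improve_enabled, improve),
          "Finish": (finish_enabled, finish),
          "skip": (lambda s: True, skip)}
NO_SKIP = {e: g for e, g in EVENTS.items() if e != "skip"}   # the Question 12 machine


def run(initial, scheduler, events=EVENTS, max_steps=50):
    """Execute until final = TRUE or max_steps; the scheduler picks one enabled
    event per step. Returns the trace of states and the list of fired events."""
    s, trace, fired = initial, [initial], []
    for step in range(max_steps):
        if s[3]:
            break                             # final = TRUE: nothing left to show
        enabled = [e for e, (g, _) in events.items() if g(s)]
        if not enabled:
            break                             # execution is maximal (cannot happen here)
        e = scheduler(step, enabled)
        body = events[e][1]
        if e == "Improve":                    # convergence check for the variant
            assert variant(s) >= 0 and variant(body(s)) < variant(s)
        s = body(s)
        trace.append(s)
        fired.append(e)
    return trace, fired


def stages(trace):
    """Collapse consecutive duplicates (skip steps) to the distinct stages."""
    return [s for i, s in enumerate(trace) if i == 0 or s != trace[i - 1]]


def unfair(step, enabled):
    return "skip"                             # legal, but Improve/Finish never fire


def weakly_fair(step, enabled):
    """A helpful event that stays enabled is fired on every other step."""
    helpful = [e for e in enabled if e != "skip"]
    return helpful[step % len(helpful)] if helpful and step % 2 else "skip"


def first_enabled(step, enabled):
    return enabled[0]                         # any maximal execution; used without skip


if __name__ == "__main__":
    start = (3, 1, 0, False)
    print(stages(run(start, weakly_fair)[0]))
    print(run(start, unfair)[0][-1], "(stuck under the unfair scheduler)")
    print(stages(run(start, first_enabled, NO_SKIP)[0]))
```

Under `first_enabled` with `NO_SKIP` the run terminates with final = TRUE whatever order the scheduler prefers, which is the Question 12 argument: Improve fires at most n times (the variant), after which only Finish is enabled and maximality forces it. Once skip is in the event set the same scheduler logic, now free to pick skip forever, produces a maximal execution that never sets final, and only the fairness assumption built into `weakly_fair` rules that execution out.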
