Difference between pages "SMT Solvers Plug-in" and "Tasking Event-B Overview"

From Event-B
(Difference between pages)
Jump to navigationJump to search
imported>Nicolas
 
imported>Andy
 
Line 1: Line 1:
''For developer support, see [[SMT Solvers Plug-in Developer Support]]''
+
=== Tasking Event-B ===
{{TOCright}}
+
Tasking Event-B can be viewed as an extension of the existing Event-B language. We use the existing approaches of refinement and decomposition to structure a project that is suitable for a Tasking Development. During the modelling phase parameters are introduced to facilitate decomposition. As a result of the decomposition process, parameters become part of the interface that enables event synchronization. We make use of this interface and add information (see [[#Implementing Events]]) to facilitate code generation. The tasking extension consists of the constructs in the following table.
  
==Introduction==
+
<center>
The SMT plug-in allows users to use SMT solvers within Rodin.  
+
{| border="1"
This plug-in is maintained by SYSTEREL (See sources [https://sourceforge.net/p/rodin-b-sharp/smt/ci/master/tree/]).
+
!Construct
 +
!Options
 +
|-
 +
|Machine Type
 +
|DeclaredTask, [http://wiki.event-b.org/index.php/Tasking_Event-B_Overview#Tasking_Machines AutoTask], [http://wiki.event-b.org/index.php/Tasking_Event-B_Overview#Shared_Machines SharedMachine], [http://wiki.event-b.org/index.php/Tasking_Event-B_Overview#The_Environ_Machine Environ]
 +
|-
 +
|[http://wiki.event-b.org/index.php/Tasking_Event-B_Overview#Control_Constructs Control]
 +
|Sequence, Loop, Branch, Event, Output
 +
|-
 +
|[http://wiki.event-b.org/index.php/Tasking_Event-B_Overview#Tasking_Machines Task Type]
 +
|Periodic(n), Triggered, Repeating, OneShot
 +
|-
 +
|Priority
 +
| -
 +
|-
 +
|[http://wiki.event-b.org/index.php/Tasking_Event-B_Overview#Implementing_Events Event Role]
 +
| Actuating, Sensing
 +
|-
 +
|[http://wiki.event-b.org/index.php/Tasking_Event-B_Overview#Addressed_Variables Addressed Variable]
 +
|Address, Base
 +
|}
 +
</center>
  
'''Since version 0.8:'''<br />
+
==== Tasking Machines ====
* '''Some SMT solvers (veriT and Cvc3) are bundled within the plug-in. Therefore, it is not necessary (but still possible) to install another copy of these solvers.'''
+
The following constructs relate to Tasking and Environ Machines, and provide implementation details. Timing of periodic tasks is not modelled formally. Tasking and Environ Machines model Ada tasks, so they can be implemented easily in Ada; in C using the pthread library, or in Java using threads.
* '''An Auto-Tactic with SMT profile is available. Thus, it is not necessary (but still possible) to create a new profile to use SMT solvers tactics (see [[#Selecting_an_SMT_Auto-Tactic_Profile|Selecting an SMT auto-tactic profile]] to use this profile).'''
 
  
==Installation==
+
* Tasking Machines may be one of the following types:
You will need to:
+
** AutoTasks - Anonymous Tasks running from start-up.
* Install the Rodin Platform.
+
** Declared tasks - (Not currently used) A task template relating to an Ada ''tasktype'' declaration.  
* Install the SMT Solvers Plug-in into Rodin.
 
* Install any additional SMT-solvers you want to use.
 
  
=== Installing the Rodin Platform ===
+
''Auto Tasks'' are tasks that will be declared and defined in the ''Main'' procedure of the implementation. The effect of this is that the ''Auto Tasks'' are created when the program first loads, and then activated (made ready to run) before the ''Main'' procedure body runs.
Download the latest Rodin (Core) Platform corresponding to your operating system and install it [http://www.event-b.org/install.html].
 
  
=== Installing the SMT Solvers Plug-in ===
+
* Tasking and Environ Machines options are:
Launch Rodin and go to ''Help > Install New Software...''.
+
** TaskType - Defines the scheduling, cycle and lifetime of a task. i.e. one-shot periodic or triggered. The period of a task is specified in milliseconds.
 +
** Priority - An integer value is supplied, the task with the highest value priority takes precedence when being scheduled. The default priority is 5.
  
[[Image:Install_new_software.png|450px]]
+
==== Shared Machines ====
 +
A Shared Machine models a protected resource, such as a monitor. It may be implemented in Ada as a Protected Object, in C using mutex locking, or in Java as a monitor.
  
 +
* A Shared Machine is identified using the ''Shared Machine'' annotation.
  
Select the Rodin Platform Update Site: Rodin - http://rodin-b-sharp.sourceforge.net/updates.
+
==== The Environ Machine ====
 +
An Environ machine is a model of the environment. It can be used to generate code for use in a simulation, or be discarded in the case that a simulated environment is not required.
  
[[Image:Select_update_site.png|450px]]
+
* An Environ Machine is identified using the ''Environ Machine'' annotation.
  
 +
=== Control of Program Flow ===
 +
At the implementation stage we need to think about controlling the flow of execution; and where interaction with the environment is concerned, how events should be implemented. The following section describes the constructs that we have introduced to facilitate this.
 +
==== Control Constructs ====
 +
Each Tasking Machine has a ''task body'' which contains the flow control (algorithmic constructs).
  
Unfold the ''Prover Extensions'' category, and select the ''SMT Solvers'' feature. Click ''Next''.
+
* We have the following constructs available in the Tasking Machine body:
 +
** Sequence - for imposing an order on events.
 +
** Branch - choice between a number of mutually exclusive events.
 +
** Loop - event repetition while it's guard remains true.
 +
** Event - a wrapper for the Event-B element (soon to be redundant).
 +
** Text Output - writes textual output to the screen.
  
[[Image:Select_smt_feature.png|449px]]
+
The syntax for task bodies, as used in the Rose TaskBody editor, is as follows:
  
 +
<br/>
 +
[[Image:Syntax.png]]
 +
<br/>
  
Review the item to be installed and click ''Next''.
+
The ''String'' will be an event name, a variable name, or a text fragment to be output to the screen. The concrete syntax is shown in bold red font. '*' indicates 0 or more; [] indicates 0 or 1.
  
[[Image:Review_install_details.png|449px]]
+
===== Event Translation =====
 +
When an event, used in the task body, is translated to an implementation its translation depends on where it is used in the task body. The mappings are relatively simple for branch, loop, and sequence; but, in addition to the parent construct, the Event translation depends on whether it is part of a synchronization. Obviously the simplest translation is when no synchronization is involved. The translator checks the composed machine to see if the event is paired in a combined event. We say that events is a Tasking machine are local, and that events in a Shared or Environ machine, are remote. If there is no synchronization, then the actions of the local event are expanded in-line in the subroutine body.  
  
 +
<span style="color: RED">'''NOTE''': As a result of the decomposition process, the tool can produce a remote event, without a corresponding local event. A local event, with no guards and skip action, must be added manually to the tasking machine, and composed machine in order to facilitate code generation. This relates to an implementation with a subroutine call, where there are no parameters passed, and no local updates i.e. remote updates only. The addition of the 'dummy' event will be automated in a pre-processing step in the near future. It is not necessary to have a dummy remote event if a remote event does not exist.</span>
  
Read and accept the terms of the license agreement to install the plug-in. Then click ''Finish''.
+
===== Synchronization =====
  
[[Image:Review_licenses.png|449px]]
+
Synchronization between local events (in AutoTasks) and remote events (in shared/Environ Machines) is determined using the composed machine. To use an event simply enter its name in the TaskBody editor. The translator will in-line any local actions, and add a call to perform remote updates, and obtain remote data.
  
 +
Synchronization corresponds to:
 +
* a subroutine call from task to shared machine, or,
 +
* sensing or actuating of environment variables.
  
A security warning appears because the feature content is unsigned. Click ''Ok''.
+
In the case of a subroutine call the subroutine is an atomic (with respect to an external viewer) update to state. The updates in the protected resource are implemented by a procedure call to a protected object, and tasks do not share state.  The synchronization construct also provides the means to specify parameter passing, both in and out of the task.
  
[[Image:Security_warning.png|450px]]
+
In the case of a sensing or actuating event, the updates of the action correspond to reads of monitored variables, and writes to controlled variables of the environment.
  
 +
==== Implementing Events ====
 +
An event's role in the implementation is identified using the following extensions which are added to the event. Events used in task bodies are 'references' that make use of existing event definitions from the abstract development. The events are extended. to assist with translation, with a keyword indicating their role in the implementation.
  
Click ''Restart Now''.
+
* Event implementation role.
 +
** Branch - In essence a task's event is split in the implementation; guards are mapped to branch conditions and actions are mapped to the branch body. If the branch refers to a Shared Machine event (procedureDef) then this is mapped to a simple procedure call.
 +
** Loop - The task's event guard maps to the loop condition and actions to to loop body. If the loop refers to a Shared Machine event then it is mapped to a simple procedure call.
 +
** ProcedureSynch - This usually indicates to the translator that the event maps to a subroutine, but an event in a task may not require a subroutine implementation if its role is simply to provide parameters for a procedure call.
 +
** ProcedureDef - Identifies an event that maps to a (potentially blocking) subroutine definition. Event guards are implemented as a conditional wait; in Ada this is an entry barrier, and in C may use a pthread condition variable .
 +
** Sensing - Identifies an event that maps to a read from the environment. If the environment is simulated without address variables then the sensing event is similar to a ProcedureSynch event, in that it has an update action that models assignment of a return value from a subroutine call. The event parameters act like the ''actualIn'' parameters of a ProcedureSynch event. On the other hand, if the event has addressed variables associated with its event parameters, then they map to direct reads from memory mapped variables in the generated code.
 +
** Actuating - Identifies an event that maps to a write to the environment. If the environment is simulated without address variables then the actuating event has no update action, the parameters act like ''actualOut'' parameters of a ProcedureSynch event. If a sensing event has addressed variables associated with its parameters then they map to direct writes to memory mapped variables in the generated code.  
  
The SMT Solvers Plug-in is now installed.
+
Sensing (and actuating) can be viewed as a kind of synchronisation. Synchronisation between tasks and shared objects are represented as subroutine calls. The sensing/actuating synchronisations only occur between tasks and the environment. In implementable code, when an subroutine is defined, its formal parameters are replaced by actual parameter values at run-time. To assist the code generator we extend the Event-B parameters. We identify formal and actual parameters in the implementation, and add the following keywords to the event parameters, as follows:
  
== Usage ==
+
* Event parameter types - Note: formal parameters are place-holders in a subroutine; they are replaced by the actual parameters at call time.
 +
** FormalIn or FormalOut - event parameters are extended with the ParameterType construct. Extension with formal parameters indicates a mapping to formal parameters in the implementation.
 +
** ActualIn or ActualOut - Extension with an actual parameter indicates a mapping to an actual parameter in the implementation.
  
Since version 0.8.0, the SMT solver veriT and CVC3 are bundled within the plug-in.  
+
===== Addressed Variables =====
To use additional solvers, see [[#Installing additional SMT solvers]].
+
When sensing monitored variables, or actuating controlled variables in the environment, we may wish to use explicit memory addresses for use in the final implementation, or perhaps in the environment simulation too. We can link a task's event parameters, and an Environ machines variables, with specific addresses and use these in the generated code.
  
=== Discharging a Sequent ===
+
== References ==
We give an example of Event-B model of which proof obligation can be discharged using an SMT solver:
 
  
[[Image:PrettyPrinted context.png|300px]]
+
<references/>
[[Image:Hypothesis and goal.png|400px]]
 
  
''thm1'' is a theorem which must be proved given axioms ''axm2..axm5''.
 
  
 
Since we installed SMT Solvers Plug-in into the Rodin Platform, the SMT tactic button is now accessible in the ''Proof Control'' bar.
 
 
[[Image:SMT button.png|450px]]
 
 
 
Clicking on this button will show the list of all available SMT solver configurations.
 
 
[[Image:SMT dropdown.png|450px]]
 
 
 
The first one, "All enabled SMT", will call successively every enabled SMT solver configurations.
 
Others are all individual configurations, which may be enabled or not.
 
Clicking one of them will discharge the proof obligation if possible:
 
 
[[Image:Tactic applied successfully.png|450px]]
 
 
 
When the tactic is applied successfully, this means that the reasonner created the new proof rule:
 
 
[[Image:Proof Tree and Rule Details.png]]
 
 
If the solver used to discharge the sequent is able to extract an unsatisfiable core, the proof rule will be produced using it. This is the case for veriT.
 
 
== Installing additional SMT solvers ==
 
Currently, the SMT plug-in has been tested with the following solvers:
 
* Alt-Ergo (INRIA Saclay)
 
* CVC3 (New York and Iowa Universities)
 
* CVC4 (Stanford and Iowa Universities)
 
* veriT (Loria Nancy and UFRN)
 
* Z3 (Microsoft Research)
 
 
=== Installing veriT ===
 
The veriT solver can be downloaded from [http://www.verit-solver.org/veriT-download.php]. Compilation and installation instructions are in the ''INSTALL'' file.<br>
 
If you want the plug-in to extract unsatisfiable cores from veriT proofs, make sure that the proof production is on in ''Makefile.config'' :
 
# PROOF_PRODUCTION = NO
 
PROOF_PRODUCTION = YES
 
 
The following tools are needed by the installation process (Debian/Ubuntu platforms):
 
* gcc, g++: compilers
 
* make, ar, ranlib: build process
 
* wget, tar, patch: to fetch GMP and Minisat
 
* bison, flex, m4: build compilers and preprocessing
 
 
Do not forget to install the E-prover as well[http://eprover.org/] (''eprover'' package on Ubuntu platforms).
 
 
=== Installing Alt-Ergo ===
 
The alt-ergo solver can be downloaded from http://alt-ergo.lri.fr/, or installed using the Ubuntu repository: ''alt-ergo'' package.
 
 
=== Installing CVC3 ===
 
The CVC3 solver can be downloaded from http://cs.nyu.edu/acsys/cvc3/download.html, or installed using the Ubuntu repository: ''cvc3'' package.
 
 
=== Installing CVC4 ===
 
The CVC4 solver can be downloaded from http://cvc4.cs.nyu.edu/cvc4-builds .
 
 
=== Installing Z3 ===
 
The Z3 solver can be downloaded from https://github.com/Z3Prover/z3/wiki .
 
 
== Connect added solvers to the Rodin Platform ==
 
In order to use some SMT Solver, you must connect it to the Rodin platform by adding it to the list of known solvers, and adding SMT configurations to be used by the SMT tactic.<br/>
 
There can be several configurations (i.e. parameterization) targetting the same SMT solver.<br/>
 
 
Since version 0.8.0, some SMT solvers are bundled within the plug-in, and some default configurations are already available. To use the plug-in right now with these solvers, see [[#Usage]].
 
 
To display the SMT solvers page, open the ''Preferences'' window: ''Window > Preferences'', and unfold the SMT section in order to display the ''Configurations'' page.
 
 
[[Image:SMT_Solvers_Configurations.png|650px]]
 
 
=== Adding a new solver to Rodin ===
 
 
To use a new SMT solver in Rodin, click the ''Add'' button next to the list of known solvers.
 
 
[[Image:SMT_Solvers_AddSolver.png]]
 
 
* Fill the ''Name'' field with the name you want to give to this solver.
 
* Select the kind of the solver if it appears in the combo box. In this case, this will let the plug-in use some specific options of the solver to improve its integration. If it does not appear in the list, just select ''unknown''.
 
* Click ''Browse'' to enter the path to the solver executable.
 
* Click ''OK''.
 
 
=== Editing SMT Solver information ===
 
You can edit the information given when adding a SMT solver by clicking the ''Edit...'' button after having selected the solver information to edit in the list.<br/>
 
Note that the bundled solver connections cannot be edited.
 
 
=== Removing an SMT Solver information ===
 
You can remove location information on a ''selected'' solver by clicking the ''Remove'' button next to the list of known solvers.<br/>
 
Note that bundled solvers connections cannot be removed.
 
 
=== Restoring Default Solvers ===
 
Bundled solvers are set as default solvers. A click on the ''Restore Defaults'' button will remove all the solvers which are not bundled within the plugin.
 
 
== Customizing SMT Solvers Configurations ==
 
In order to run the various solvers from the SMT tactic, one has to define solver configurations.<br/>
 
We call ''SMT solver configuration'' a settled configuration of a solver, with ad-hoc properties such as its parameters and the SMT-LIB version of the benchmarks it will execute.<br>
 
For example, such configurations can execute a given solver with specific options, or specific versions of the solver.<br>
 
 
Since version 0.8.0, some SMT solvers are bundled within the plug-in. Some configurations of these solvers is already available in the plug-in : for example, the bundled veriT configuration launches the veriT solver (without e-prover), using the translation to SMT-LIB 2.0 and with the unsat-core extraction enabled. To use the plug-in right now with these configurations, see [[#Usage]].
 
 
To display the SMT solvers page, open the Preferences window: Window > Preferences, and unfold the SMT section in order to display the Configurations page.
 
 
[[Image:SMT_Solvers_Configurations.png|500px]]
 
 
=== Adding a New Solver Configuration ===
 
 
In order to run the various solvers from the SMT tactic, one has to define solver configurations.<br/>
 
A configuration contains :
 
* its name,
 
* its status from ''enabled'', ''not enabled'',
 
* the name of the solver from the list of known solvers,
 
* the parameterization of the solver under the form of command line arguments',
 
* the Rodin to SMT-LIB translator to be used (either PP or veriT),
 
* the version of the SMT-LIB to be used ( V1.2 or V2.0).
 
 
A configuration is a preset (e.g. customization) of one solver binary which appears in the list of known solvers.<br/>
 
Thus there can be several configurations (i.e. parameterization) targetting the same SMT solver.<br/>
 
[[Image:SMT_Solvers_AddConfiguration.png]]
 
 
To add a new SMT solver configuration into Rodin, just click the ''Add'' button next to the list of solver configurations.
 
 
* Fill the ''Name'' with the name you want to give to this configuration.
 
* Choose whether this configuration shall be run or not when calling the SMT tactic by checking the ''Enable'' checkbox. This value can be changed directly in the ''Configurations'' page too.
 
* Select the solver you want to use in this configuration. A solver to choose among the connected solvers of the ''Solvers'' page.
 
* Fill the ''Solver arguments'' if needed. For example, you must enter here the solver option which sets the version of SMT-LIB to be used by the solver.
 
* Select which SMT translator to used (just select PP unless you know why).
 
* Select which version of SMT-LIB must be used by the plug-in (just select V2.0 unless you know why).
 
* Enter the value of the time out delay, which is, the time (in milliseconds) after which the platform will terminate the solver if it has not yet answered.
 
 
* Click ''OK''.
 
 
=== Enabling/Disabling a Solver Configuration ===
 
When you will call the SMT tactic, only the enabled configurations will be executed.<br/>
 
One can enable or disable a configuration from the configurations page.<br/>
 
To do this, just tick or untick the checkbox corresponding to a given configuration.
 
 
[[Image:SMT_configuration_enablement_status.png|500px]]
 
 
=== Editing a Solver Configuration ===
 
You can edit all the informations given when setting a new solver configuration by clicking the ''Edit'' button. The bundled configurations cannot be edited.
 
 
=== Removing a Solver Configuration ===
 
You can remove the selected configuration by clicking the ''Remove'' button. The bundled configurations cannot be removed.
 
 
=== Duplicating a Solver Configuration ===
 
You can duplicate any configuration by clicking the ''Duplicate'' button. This will open the configuration dialog with the information of the original configuration. Just edit them and click ''OK'' to add the duplicated configuration.
 
 
=== Restoring Default Solvers Configurations ===
 
The default configurations are the bundled ones. A click on the ''Restore Defaults'' button will remove all the configurations which are not bundled within the plugin.
 
 
== Customizing the SMT-LIB translation settings ==
 
To display the SMT translation page, open the ''Preferences'' window: ''Window > Preferences'' and select the ''SMT'' node.
 
 
[[Image:SMT_TranslationConfig.png|450px]]
 
 
=== Setting the Translation Directory Path ===
 
The plug-in needs to store some temporary files to interact with the external SMT Solver.<br>
 
By default, this is set to the system temporary directory path.<br/>
 
You can change the directory to use for this purpose, by clicking the corresponding ''Browse'' button, and selecting the target directory.
 
 
=== Setting the veriT Path ===
 
Since version 0.8.0, the SMT solver veriT is bundled within the plug-in and its path used by default. However, you can change the path to another veriT binary if you want to use another version of it to produce SMT-LIB benchmarks.
 
This information is required if you want to use veriT instead of ppTrans to translate Event-B sequents to SMT-LIB benchmarks.
 
To give a different path, click the corresponding ''Browse'' button, and select the veriT binary to use.
 
 
Since version 1.3, this setting has disappeared, as the translation is always performed through PP.
 
 
=== Setting the SMT auto tactic timeout ===
 
Since version 1.1.0, the timeout of SMT solvers within "All enabled SMT configurations" can be customized.
 
The timeout (in ''milliseconds'') applies to each SMT solver individually. It is used in particular in the "Default Auto Tactic with SMT" profile.
 
 
=== Restoring Default Translation Settings ===
 
You can restore the default translation settings values by clicking the ''Restore Defaults'' button.<br/>
 
The default veriT path is the path of the bundled veriT solver.<br/>
 
The default translation directory path is the system temporary directory path.<br/>
 
The default timeout is 1000.
 
 
== SMT Auto-Tactic Profile ==
 
Since version 0.8.0 of the plug-in, an Auto-Tactic profile using SMT solvers is available in the plug-in. To use this profile, see [[#Selecting an SMT auto-tactic profile]].
 
 
One might also want to set-up one or several custom configurations of SMT solver to be used automatically to discharge Event-B sequents in the Rodin platform.<br>
 
For more information about tactic profiles, see ''Advanced Profile Customisation'' in [[Rodin_Platform_2.3_Release_Notes]] and ''3.1.8.4 Sequent Prover / Auto/Post Tactic'' in [http://handbook.event-b.org/current/html/preferences.html the preference page of the Rodin User’s Handbook v.2.4].<br>
 
 
=== Selecting an SMT Auto-Tactic Profile ===
 
 
One may want to use the new SMT auto-tactic profile (available since version 0.8.0 of the plug-in), or a user-defined profile using SMT solvers.
 
 
To set it on, go to the ''Auto/Post Tactic'' tab.
 
 
[[Image:Smt auto tactic profile selected.png|450px]]
 
 
Set the tactic profile to be used for auto-tactics up to the one combining the SMT tactic, by using the drop-down menu.
 
 
Then click ''Ok''.
 
 
Now, the combined tactics of your new profile, including the SMT tactic, will be automatically launched when auto-provers are called.
 
 
=== Creating a New SMT Auto-Tactic Profile ===
 
 
A reasonable combination using the SMT tactic is an SMT tactic queued to the default auto tactic combination. We show here how to create such a ''profile''.
 
 
First, open the ''Preferences'' window of the Rodin platform: ''Window > Preferences''.
 
 
[[Image:Preferences_menu.png|450px]]
 
 
 
Open the ''Auto/Post Tactic'' preferences page: ''Event-B > Sequent Prover > Auto/Post Tactic''. Go to the ''Profiles'' tab.
 
 
[[Image:Duplicating_auto_tactic_profile.png|450px]]
 
 
Select the default auto tactic profile, and click ''Duplicate'' to duplicate it.
 
 
Then, select the duplicated profile, and click ''Edit'' to edit it.
 
 
[[Image:Auto_tactic_profile_duplicated.png|450px]]
 
 
In the tactic profile window, rename the profile, and drag and drop the chosen SMT tactic from the tactics list (in the first column) to the end of the combined tactics (in the second column).
 
 
[[Image:Adding_smt_tactic_in_profile.png|450px]]
 
 
Then click ''Finish''.
 
 
Now a new profile combining the SMT tactic with other tactics is created.
 
 
== Bugs and Features Request ==
 
* SMT-LIB 2.0 support with the veriT translation approach in developpment
 
* Full set theory support in progress
 
* Support of division, modulo and exponentiation
 
 
== Releases Notes ==
 
 
'''Version 1.4.0'''
 
* Upgrade veriT (v2016)
 
* Upgrade CVC4 (v1.4)
 
* Upgrade Z3 (v4.5)
 
* See [[SMT 1.4 Performance Results]]
 
 
'''Version 1.3.0'''
 
* Add CVC4 and Z3, decreasing manual POs by 40% !
 
* Simplify preferences:
 
** always translate through PP
 
** assume SMT-lib 2.0
 
 
'''Version 1.2.0'''
 
* Port to Rodin 3.0
 
* Shortcut to solver configurations in Proof Control
 
 
'''Version 1.1.0'''
 
* Preference for auto tactic timeout.
 
 
'''Version 1.0.0'''
 
* Cvc3 SMT solver bundled with the plug-in
 
* User Interface entirely refactored for more intuitive experience: solvers preferences, configurations preferences and translation preferences are now separated into three preferences pages. This change is not backward compatible with previous versions of the plug-in.
 
* Notably added a button for duplicating a configuration
 
 
'''Version 0.8.0'''
 
* Support of SMT-LIB 2.0 in the PP translation approach
 
* Inclusion of the SMT solver veriT in the plug-in
 
* Addition of an SMT auto-tactic
 
* Auto-Tactic profile containing the SMT auto-tactic
 
* Possibility to parameterize a new SMT tactic
 
* Integration of solvers successfully tested with:
 
** Alt-Ergo 0.93
 
** Cvc3 2011-11-21
 
** veriT (included in the plug-in)
 
** z3 3.2
 
** Cvc4 2011-12-11 (but few theories are available for now)
 
* Good results in the field of linear integer arithmetic with uninterpreted sort and function symbols
 
* Good support of basic set theory
 
* Full set theory support needs to be improved
 
* Results showed the SMT Solvers Plug-in was a good alternative to the Atelier-B provers
 
 
'''Version 0.1.0'''
 
* Initial beta-release.
 
* Two approaches for translating Event-B to SMT-LIB 1.2:
 
** with ppTrans (included in Rodin official releases)
 
** with veriT (must be installed)
 
* Integration of solvers successfully tested with: ''(notice that no solver will be included in the plug-in at all)''
 
** Alt-Ergo 0.93
 
** Cvc3 2011-07-14
 
** veriT 201107
 
** z3 2.19
 
* Good results in the field of linear integer arithmetic with uninterpreted sort and function symbols
 
* Good support of basic set theory
 
* Full set theory support needs to be improved
 
* No SMT-LIB 2.0 support in this release
 
 
[[Category:Plugin]]
 
 
[[Category:User documentation]]
 
[[Category:User documentation]]

Revision as of 09:36, 28 November 2011

Tasking Event-B

Tasking Event-B can be viewed as an extension of the existing Event-B language. We use the existing approaches of refinement and decomposition to structure a project that is suitable for a Tasking Development. During the modelling phase parameters are introduced to facilitate decomposition. As a result of the decomposition process, parameters become part of the interface that enables event synchronization. We make use of this interface and add information (see #Implementing Events) to facilitate code generation. The tasking extension consists of the constructs in the following table.

Construct Options
Machine Type DeclaredTask, AutoTask, SharedMachine, Environ
Control Sequence, Loop, Branch, Event, Output
Task Type Periodic(n), Triggered, Repeating, OneShot
Priority -
Event Role Actuating, Sensing
Addressed Variable Address, Base

Tasking Machines

The following constructs relate to Tasking and Environ Machines, and provide implementation details. Timing of periodic tasks is not modelled formally. Tasking and Environ Machines model Ada tasks, so they can be implemented easily in Ada; in C using the pthread library, or in Java using threads.

  • Tasking Machines may be one of the following types:
    • AutoTasks - Anonymous Tasks running from start-up.
    • Declared tasks - (Not currently used) A task template relating to an Ada tasktype declaration.

Auto Tasks are tasks that will be declared and defined in the Main procedure of the implementation. The effect of this is that the Auto Tasks are created when the program first loads, and then activated (made ready to run) before the Main procedure body runs.

  • Tasking and Environ Machines options are:
    • TaskType - Defines the scheduling, cycle and lifetime of a task. i.e. one-shot periodic or triggered. The period of a task is specified in milliseconds.
    • Priority - An integer value is supplied, the task with the highest value priority takes precedence when being scheduled. The default priority is 5.

Shared Machines

A Shared Machine models a protected resource, such as a monitor. It may be implemented in Ada as a Protected Object, in C using mutex locking, or in Java as a monitor.

  • A Shared Machine is identified using the Shared Machine annotation.

The Environ Machine

An Environ machine is a model of the environment. It can be used to generate code for use in a simulation, or be discarded in the case that a simulated environment is not required.

  • An Environ Machine is identified using the Environ Machine annotation.

Control of Program Flow

At the implementation stage we need to think about controlling the flow of execution; and where interaction with the environment is concerned, how events should be implemented. The following section describes the constructs that we have introduced to facilitate this.

Control Constructs

Each Tasking Machine has a task body which contains the flow control (algorithmic constructs).

  • We have the following constructs available in the Tasking Machine body:
    • Sequence - for imposing an order on events.
    • Branch - choice between a number of mutually exclusive events.
    • Loop - event repetition while it's guard remains true.
    • Event - a wrapper for the Event-B element (soon to be redundant).
    • Text Output - writes textual output to the screen.

The syntax for task bodies, as used in the Rose TaskBody editor, is as follows: 


Syntax.png


The String will be an event name, a variable name, or a text fragment to be output to the screen. The concrete syntax is shown in bold red font. '*' indicates 0 or more; [] indicates 0 or 1.

Event Translation

When an event, used in the task body, is translated to an implementation its translation depends on where it is used in the task body. The mappings are relatively simple for branch, loop, and sequence; but, in addition to the parent construct, the Event translation depends on whether it is part of a synchronization. Obviously the simplest translation is when no synchronization is involved. The translator checks the composed machine to see if the event is paired in a combined event. We say that events is a Tasking machine are local, and that events in a Shared or Environ machine, are remote. If there is no synchronization, then the actions of the local event are expanded in-line in the subroutine body.

NOTE: As a result of the decomposition process, the tool can produce a remote event, without a corresponding local event. A local event, with no guards and skip action, must be added manually to the tasking machine, and composed machine in order to facilitate code generation. This relates to an implementation with a subroutine call, where there are no parameters passed, and no local updates i.e. remote updates only. The addition of the 'dummy' event will be automated in a pre-processing step in the near future. It is not necessary to have a dummy remote event if a remote event does not exist.

Synchronization

Synchronization between local events (in AutoTasks) and remote events (in shared/Environ Machines) is determined using the composed machine. To use an event simply enter its name in the TaskBody editor. The translator will in-line any local actions, and add a call to perform remote updates, and obtain remote data.

Synchronization corresponds to:

  • a subroutine call from task to shared machine, or,
  • sensing or actuating of environment variables.

In the case of a subroutine call the subroutine is an atomic (with respect to an external viewer) update to state. The updates in the protected resource are implemented by a procedure call to a protected object, and tasks do not share state. The synchronization construct also provides the means to specify parameter passing, both in and out of the task.

In the case of a sensing or actuating event, the updates of the action correspond to reads of monitored variables, and writes to controlled variables of the environment.

Implementing Events

An event's role in the implementation is identified using the following extensions which are added to the event. Events used in task bodies are 'references' that make use of existing event definitions from the abstract development. The events are extended. to assist with translation, with a keyword indicating their role in the implementation.

  • Event implementation role.
    • Branch - In essence a task's event is split in the implementation; guards are mapped to branch conditions and actions are mapped to the branch body. If the branch refers to a Shared Machine event (procedureDef) then this is mapped to a simple procedure call.
    • Loop - The task's event guard maps to the loop condition and actions to to loop body. If the loop refers to a Shared Machine event then it is mapped to a simple procedure call.
    • ProcedureSynch - This usually indicates to the translator that the event maps to a subroutine, but an event in a task may not require a subroutine implementation if its role is simply to provide parameters for a procedure call.
    • ProcedureDef - Identifies an event that maps to a (potentially blocking) subroutine definition. Event guards are implemented as a conditional wait; in Ada this is an entry barrier, and in C may use a pthread condition variable .
    • Sensing - Identifies an event that maps to a read from the environment. If the environment is simulated without address variables then the sensing event is similar to a ProcedureSynch event, in that it has an update action that models assignment of a return value from a subroutine call. The event parameters act like the actualIn parameters of a ProcedureSynch event. On the other hand, if the event has addressed variables associated with its event parameters, then they map to direct reads from memory mapped variables in the generated code.
    • Actuating - Identifies an event that maps to a write to the environment. If the environment is simulated without address variables then the actuating event has no update action, the parameters act like actualOut parameters of a ProcedureSynch event. If a sensing event has addressed variables associated with its parameters then they map to direct writes to memory mapped variables in the generated code.

Sensing (and actuating) can be viewed as a kind of synchronisation. Synchronisation between tasks and shared objects are represented as subroutine calls. The sensing/actuating synchronisations only occur between tasks and the environment. In implementable code, when an subroutine is defined, its formal parameters are replaced by actual parameter values at run-time. To assist the code generator we extend the Event-B parameters. We identify formal and actual parameters in the implementation, and add the following keywords to the event parameters, as follows:

  • Event parameter types - Note: formal parameters are place-holders in a subroutine; they are replaced by the actual parameters at call time.
    • FormalIn or FormalOut - event parameters are extended with the ParameterType construct. Extension with formal parameters indicates a mapping to formal parameters in the implementation.
    • ActualIn or ActualOut - Extension with an actual parameter indicates a mapping to an actual parameter in the implementation.
Addressed Variables

When sensing monitored variables, or actuating controlled variables in the environment, we may wish to use explicit memory addresses for use in the final implementation, or perhaps in the environment simulation too. We can link a task's event parameters, and an Environ machines variables, with specific addresses and use these in the generated code.

References

Retrieved from ‘https://wiki.event-b.org/index.php?title=SMT_Solvers_Plug-in&oldid=9725