Difference between pages "Extending the Rodin Structured Editor (How to extend Rodin Tutorial)" and "Proof Hints"

From Event-B
(Difference between pages)
Jump to navigationJump to search
imported>Pascal
 
imported>Son
 
Line 1: Line 1:
{{Navigation|Previous= [[Extend_Rodin_database_(How_to_extend_Rodin_Tutorial)|Extend the database]] | Up= [[Plug-in_Tutorial|How to extend Rodin Tutorial (Index)]] | Next= }}
+
== Introduction ==
  
=== In this part ===
+
This document does NOT provide a way to avoid doing interactive proofs or pointing out the weakness of existing provers. Rather this document shows how to use information from doing interactive proofs to improve the clarity of models. As a consequence of these improvement, the obligations can be discharged automatically. We call these added information to the model "proof hints".
We will use the extension points provided by the plug-in <tt>org.eventb.ui</tt> to add our Probabilistic Attribute on events and the Bound Element to the Structured Editor.
 
  
=== Step 1 ===
+
This concept of "proof hints" already exists in the form of "witness" or "theorem" in Event-B. These useful features are designed not only to help with proving the correctness of the model but also to give more information about the particular model.
To structure a bit our development, we will separate the UI from the business layer.<br>
 
1. Create a new plug-in (here <tt>fr.systerel.rodinextension.sample.ui</tt>, and this time, select "This plug-in will make contributions to the UI" as it will be indeed the case here.<br>
 
2. Add our business plug-in (<tt>fr.systerel.rodinextension.sample</tt>) to the dependencies as well as <tt>org.eventb.ui</tt> that provides the extensions points we want to use.
 
  
=== Step 2 ===
+
The question is how we can decide which "features" are useful to have in the model. In principle we can go to the extreme and include the whole proof strategy into the model in order to be able to have it being discharged automatically. But this is undesirable since it will make the model difficult to understand. Having taken this into account we specify our criteria here for "proof hints".
1. Add the extension point <tt>org.eventb.ui.editorItems</tt>.<br>
 
At this point, we will start to add our extensions to the structured editor.<br>
 
  
=== Step 3 ===
+
1. It should help to understand the model better.
First, let's add the probabilistic attribute to Event-B events.<br>
 
The probabilistic attribute can have two values : 'standard' (by default) and 'probabilistic'. Thus we need to create a 'choiceAttribute' extension.
 
Create a new 'choice attribute' extension:<br>
 
1. Give a unique ID to identify this attribute in the UI plug-in (such as <tt>fr.systerel.rodinextension.sample.ui.probabilistic</tt>).<br>
 
2. In typeID, give the ID reference of the probabilistic attribute in our business plug-in (here <tt>fr.systerel.rodinextension.sample.probabilistic</tt>).<br>
 
3. Set the ''required'' attribute to <tt>true</tt> as we want this attribute to appear by default in the structured editor when editing events.<br>
 
4. Create a class (using Eclipse assist, see [[Extend_Rodin_database_(How_to_extend_Rodin_Tutorial)|Step4]]) to manipulate this attribute; this class should implements the interface <tt>org.eventb.ui.IAttributeManipulation</tt>.
 
//FIXME:This class should be implemented the following:
 
:Before doing any manipulation of the given <tt>IRodinElement</tt>, we have to cast this element as an <tt>IInternalElement</tt> (interface from <tt>org.rodinp.core</tt> providing access to element attributes. As we know that the element that will carry the probabilistic attribute is of type <tt>IEvent</tt>, and as <tt>IEvent</tt> implements the interface <tt>IInternalElement</tt>, let's create the following method.
 
  
  private IEvent asEvent(IRodinElement element) {
+
2. It should improve the automatic proving rate of the model.
assert element instanceof IEvent;
 
return (IEvent) element;
 
}
 
:We also have to add the ID of the probabilistic attribute as a constant, as we will need it at various places in this class. We then add the following code:
 
  
  public static IAttributeType.Boolean PROB_ATTRIBUTE = RodinCore
+
In fact, we regard the first criterion as more important whereas the second criterion can be considered as a bonus for improving the clarity of the model. Below are our proposal for two kinds of proof hints: [[Hypothesis Selection | hypothesis selection]] and proof by cases.
.getBooleanAttrType(QualProbPlugin.PLUGIN_ID + ".probabilistic");
 
  
where <tt>IAttributeType.Boolean</tt> defines that our probabilistic attribute is actually coded as a boolean. We will implement the probabilistic attribute as followed:
+
== Proof Hints ==
: if the event is probabilistic, the probabilistic attribute is set to <tt>true</tt>,
 
: otherwise, the event is standard (e.g. non probabilistic) so the probabilistic attribute is set to <tt>false</tt>.
 
  
There are several Types for attributes. See here from more details. '''//FIXME insert a link to IAttributeType doc'''
+
The presentation for each kind of proof hints is as follows:
  
:Now let's fill the methods required to implement <tt>IAttributeManipulation</tt> :
+
1. '''Description''': A brief description of the proof hints with the situation where this can be helpful.
:1. <tt>getPossibleValues(IRodinElement element, IProgressMonitor monitor)</tt> should return an array of two constant values : 'standard' and 'probabilistic'.<br>
 
:2. <tt>getValue(IRodinElement element, IProgressMonitor monitor)</tt> should 'convert' the given element as an event (using <tt>asEvent</tt>) and return the value (retrieved by <tt>IInternalElement.getAttributeValue(PROB_ATTRIBUTE)</tt> corresponding to the state of the probabilistic attribute.(e.g. should return 'probabilistic' if the attribute has value <tt>true</tt>, <tt>false</tt> otherwise.<br>
 
:3. <tt>hasValue(IRodinElement element, IProgressMonitor monitor)</tt> should check if the given element converted as an event has a probabilistic attribute using the method <tt>IInternalElement.hasAttribute(PROB_ATTRIBUTE)</tt>.<br>
 
:4. <tt>removeAttribute(IRodinElement element, IProgressMonitor monitor)</tt> should convert the given element as an event, and use <tt>IInternalElement.removeAttribute(PROB_ATTRIBUTE, monitor)</tt>.<br>
 
:5. <tt>setDefaultValue(IRodinElement element, IProgressMonitor monitor)</tt> should convert the given element as an event, and do <tt>IInternalElement.setAttributeValue(PROB_ATTRIBUTE,</tt> '''false'''<tt>, monitor);</tt> as the default value for the probabilistic attribute is '''false'''.<br>
 
:6. finally, <tt>setValue(IRodinElement element, String value, IProgressMonitor monitor)</tt> should check that the given value correspond to the "probabilistic" string constant, and set the value of the element (previously converted as an event) to <tt>true</tt> if it is the case, or set the value to <tt>false</tt> otherwise.
 
  
Now we will add this attribute to events. To do so, we need to create an attribute relation that will link our probabilistic attribute to events. Return to the MANIFEST.MF extensions page.<br>
+
2. '''Example''': an example in Event-B is presented.
1. Create a new ''attributeRelation'' extension from the <tt>org.eventb.ui.editorItems</tt> extension point.<br>
 
2. Enter <tt>org.eventb.core.event</tt> as ''elementTypeId'' in the attribute relation. This means that events will hold an attribute.<br>
 
3. From this extension specify that the attribute held by events (among others) will be our probabilistic attribute by adding an ''attributeReference'' with the ID of our UI extension for the probabilistic attribute (here <tt>fr.systerel.rodinextension.sample.ui.probabilistic</tt>).
 
  
=== Step 4 ===
+
3. '''Work around''': we show a solution (rather a work-around) for the current RODIN Platform.
Finally, let's add the Bound element to Event-B machines.<br>
 
This step differs from the previous, as our element Bound is a new element (e.g. not an attribute). We want it to appear at top level in the structured editor, in the same way that are elements such as invariants, events, etc.
 
  
We will then:
+
=== Hypothesis Selection ===
# Register the Bound element as an UI element (e.g. a new type of element).
+
'''Description''' In order to discharge the proof obligation, the developer just selects some hypotheses then invoke either AtelierB P0 or newPP restricted to finish these proofs. The solution is to (somehow) give "hints" to the Proof Obligation Generator (POG) to select these hypotheses automatically when generating the corresponding proof obligation.
# Set this element to be a 'child' of machine elements (e.g. Bound will belong to machine files).
 
# Set up a link to edit expressions of the Bound element in the UI. (Bound element carry one expression [they extend <tt>IExpressionElement</tt>]).
 
# Set up a link to edit comments of the Bound element in the UI. (Bound element carry one comment [they extend <tt>ICommentedElement</tt>]).
 
  
1. To register the Bound element in the UI, create an extension 'element':
+
'''Example''' Consider the following Event-B model
:- In typeId, specify the ID of the extension Bound in our business plug-in (here <tt>fr.systerel.rodinextension.sample.bound</tt>).
 
:- In imagePath, you can specify the icon to be displayed next to the element (we created here a folder 'icons' containing an default icon).
 
:- In prefix, type 'BOUND', this value will appear as the header of bound elements in the structured editor.
 
:- In 'defaultColumn' field, put the value '0' as to make the Bound element appear at top level in the outline of machines.
 
  
2. To set Bound element to be a child element of a machine:
+
[[Image:var-hypsel.png]]        [[Image:inv-hypsel.png]]
:- Create an extension 'childRelation' using the extension point <tt>org.eventb.ui.editorItems</tt>.<br>
 
:- In ''parentTypeId'' field of this extension, enter "<tt>org.eventb.core.machineFile</tt>" to refer to machine files.<br>
 
:- Create a sub element for the child relation extension<br>
 
:- and refer to the ID of the bound in our business class (here <tt>fr.systerel.rodinextension.sample.bound</tt>).<br>
 
:- Put a priority of '65' to display Bound elements after ''variants'' but before ''events''. (Have a look at the ''childRelation'' for <tt>org.eventb.core.machineFile</tt> type in extension <tt>org.eventb.ui.editorItems</tt> of the package <tt>org.eventb.ui</tt> to view the priorities of other elements displayed in the structured editor).
 
  
3. To set up a link to edit the expression of a Bound element:
+
[[Image:init-hypsel.png]]        [[Image:set-hypsel.png]]
:- Create an extension ''attributeRelation'' for our elementTypeId <tt>fr.systerel.rodinextension.sample.bound</tt>.
 
:- Add one ''attributeReference'' to <tt>org.eventb.ui.expression</tt> (descriptionID).
 
  
4. To set up a link to edit the comment of a Bound element:
+
Consider the proof obligation '''set/hypSel0_1/INV''' which states that the event '''set''' maintains invariant '''hypSel0_1''' (Here <math>\ldots</math> denotes the unselected hypotheses).
:- Repeat addition of an ''attributeReference'' to the above ''attributeRelation'' but specifying <tt>org.eventb.ui.expression</tt> as descriptionID.
+
[[Image:set-hypSel0_1-INV.png]]
  
You can now launch a Rodin product with our plug-ins imported and see the result:
+
Any provers works with only the selected hypotheses cannot discharge the above proof olbligation since the hypothesis <math>x \neq 0 \limp y \in \nat</math> is missing. The obligation with the appropriate hypothesis selection is as follows
 +
[[Image:set-hypSel0_1-INV-sel.png]]
  
[[Image:Extend_Rodin_Tuto_1_8_Used_ExtensionsExtended_UI.png]]
+
'''Workaround''' Currently, given and event '''evt''' and invariant '''inv''', the invariant preservation proof obligation '''evt/inv/INV''' generated with the following hypotheses automatically selected;
  
Congratulations! You are now able to edit the elements you added in Rodin Database.
+
* The invariant '''inv'''
  
{{Navigation|Previous= [[Extend_Rodin_database_(How_to_extend_Rodin_Tutorial)|Extending the database]] | Up= [[Plug-in_Tutorial|How to extend Rodin Tutorial (Index)]] | Next= }}
+
* The guard of the event '''evt'''
  
[[Category:Developer documentation|*Index]]
+
In order to have the needed hypothesis selected automatically, we will add this hypothesis into the guard.  Moreover, in order to avoid changing event's behaviour, we will mark this extra guard as a theorem.  Apply this technique, the new event '''set''' is as follows
[[Category:Rodin Platform|*Index]]
+
[[Image:new-set-hypsel.png]]
[[Category:Tutorial|*Index]]
+
 
 +
Note that the extra (theorem) guard can be removed in the further refinement without generating any new proof obligation.
 +
 
 +
=== Case distinction ===
 +
'''Description''' In order to discharge a proof obligation, the developer makes a manual "proof by cases" based on some condition <math>P</math>. Afterwards, all branches of the proofs are discharged either by ML or AtelierB P0. The solution is to (somehow) give "hints" to the POG to generate different proof obligations for each case separately. ''Proof by cases'' is usually not applied automatically since this splits the proof tree which could lead to blows up in terms of the number of cases.
 +
 
 +
'''Example''' Consider the following Event-B model
 +
 
 +
[[Image:casesplit.png]]
 +
 
 +
Consider the proof obligation '''set/case0_1/INV''' (Here all hypotheses, including those hidden are shown)
 +
 
 +
[[Image:set-case0_1-INV.png]]
 +
 
 +
In order to finish the proof, a correct "proof by cases" is done to consider <math>a = 1</math> or <math>a \neq 1</math>.
 +
 
 +
'''Workaround''' To capture the effect of doing '''proof by cases''', we split the original event '''set''' into two different events as follows
 +
 
 +
[[Image:new-set-evts.png]]
 +
 
 +
[[Category:Proof]]
 +
[[Category:Work in progress]]

Revision as of 16:54, 5 March 2010

Introduction

This document does NOT provide a way to avoid doing interactive proofs or pointing out the weakness of existing provers. Rather this document shows how to use information from doing interactive proofs to improve the clarity of models. As a consequence of these improvement, the obligations can be discharged automatically. We call these added information to the model "proof hints".

This concept of "proof hints" already exists in the form of "witness" or "theorem" in Event-B. These useful features are designed not only to help with proving the correctness of the model but also to give more information about the particular model.

The question is how we can decide which "features" are useful to have in the model. In principle we can go to the extreme and include the whole proof strategy into the model in order to be able to have it being discharged automatically. But this is undesirable since it will make the model difficult to understand. Having taken this into account we specify our criteria here for "proof hints".

1. It should help to understand the model better.

2. It should improve the automatic proving rate of the model.

In fact, we regard the first criterion as more important whereas the second criterion can be considered as a bonus for improving the clarity of the model. Below are our proposal for two kinds of proof hints: hypothesis selection and proof by cases.

Proof Hints

The presentation for each kind of proof hints is as follows:

1. Description: A brief description of the proof hints with the situation where this can be helpful.

2. Example: an example in Event-B is presented.

3. Work around: we show a solution (rather a work-around) for the current RODIN Platform.

Hypothesis Selection

Description In order to discharge the proof obligation, the developer just selects some hypotheses then invoke either AtelierB P0 or newPP restricted to finish these proofs. The solution is to (somehow) give "hints" to the Proof Obligation Generator (POG) to select these hypotheses automatically when generating the corresponding proof obligation.

Example Consider the following Event-B model

Var-hypsel.png Inv-hypsel.png

Init-hypsel.png Set-hypsel.png

Consider the proof obligation set/hypSel0_1/INV which states that the event set maintains invariant hypSel0_1 (Here \ldots denotes the unselected hypotheses). Set-hypSel0 1-INV.png

Any provers works with only the selected hypotheses cannot discharge the above proof olbligation since the hypothesis x \neq 0 \limp y \in \nat is missing. The obligation with the appropriate hypothesis selection is as follows Set-hypSel0 1-INV-sel.png

Workaround Currently, given and event evt and invariant inv, the invariant preservation proof obligation evt/inv/INV generated with the following hypotheses automatically selected;

  • The invariant inv
  • The guard of the event evt

In order to have the needed hypothesis selected automatically, we will add this hypothesis into the guard. Moreover, in order to avoid changing event's behaviour, we will mark this extra guard as a theorem. Apply this technique, the new event set is as follows New-set-hypsel.png

Note that the extra (theorem) guard can be removed in the further refinement without generating any new proof obligation.

Case distinction

Description In order to discharge a proof obligation, the developer makes a manual "proof by cases" based on some condition P. Afterwards, all branches of the proofs are discharged either by ML or AtelierB P0. The solution is to (somehow) give "hints" to the POG to generate different proof obligations for each case separately. Proof by cases is usually not applied automatically since this splits the proof tree which could lead to blows up in terms of the number of cases.

Example Consider the following Event-B model

Casesplit.png

Consider the proof obligation set/case0_1/INV (Here all hypotheses, including those hidden are shown)

Set-case0 1-INV.png

In order to finish the proof, a correct "proof by cases" is done to consider a = 1 or a \neq 1.

Workaround To capture the effect of doing proof by cases, we split the original event set into two different events as follows

New-set-evts.png

Retrieved from ‘https://wiki.event-b.org/index.php?title=Extending_the_Rodin_Structured_Editor_(How_to_extend_Rodin_Tutorial)&oldid=6509