Extending the Static Checker (How to extend Rodin Tutorial)
In this part
We will see how to add rules to statically check the machines after our extension. The Static Checker is one dedicated part of the Proof Obligation generation process. Indeed, the Proof Obligations are generated from the statically checked version of the model taken into consideration. Hence, we have to ensure before creating Proof Obligations, that the model is correctly expressed (i.e. proof obligations are generated for a model which "could have some sense"). This means that we have to verify some additional proprerties on the newly added elements.
The question addressed here is : " Under which conditions (about the model well-formdness) the proof obligation generation means something ? ".
Principles
1. To extend the static checker in order to verify some conditions, one has to define a static checker module using the extension point : org.eventb.core.scModuleTypes.
There are two types of modules : processorType and filterType. We will detail the way to define such modules later.
2. Then , one has to set up a configuration involving those modules and giving them a hierachy. In fact, verifying that correctness conditions about added elements can be separated in several processor and filter modules : the configuration is then used to organise them.
3. Finally, it is needed to add this configuration to the default one, so our checkings can be performed.
Step1 : Adding modules
In our case of probabilistic reasoning, the following well-formdness conditions should be held for a model containing probabilistic events :
- The variant V (declared as usual) is either of the type integer or some set.
- There is exactly one bound for a model where the probabilistic converge is proved. The bound element B must be of the same type as the declared variant.
- Every probabilistic event must be refined by a probabilistic event.
- The result of merging a probabilistic event and a convergent event is a probabilistic event.
We can face two types of situations during the static checking :
- we encounter a problem which doesn't affect the PO generation : this leads to a warning (corrected by a default assumption or not).
- we encounter a problem which affects the PO generation : this leads to an error. (the element (added with our extension) under consideration is not added in the statically checked model.
From the two types of modules, we will first use a processorModule. Processor modules literally process the elements, storing them once validated in the static checked file. If the static check fails for the considered element, the module must not add such element to the statically checked file that it holds, and that is used for proof obligation generation. Processors are also responsible of running sub-processors, and filters, as well as adding states to the repository if required.
The developer is responsible of its module configuration lifecycle. He must be aware, at any time, of his module's hierachy, and call submodules explicitely when this is meaningful. Furthermore, a system of state sharing (via a state repository) is available so that a processor can provide informations about its checking results to its submodules. See org.eventb.core.sc.state.ISCStateRepository and org.eventb.core.sc.state.ISCState. Remember that it is only allowed to share informations within a module/sub-module hierarchy and that a policy should be established so that concurrent access to those states is taken into account, and that informations stored in the state repository are still coherent through sub-processors and filters computations.
The processor, that we will create, will perform checkings and eventually, add the statically checked version of the bound to the statically checked machine.
Whereas filterModules performs only some verifications (i.e. a filtermodule must not add the element in the statically checked file). Furthermore, the filters are called (in group) from processors, and as soon as one filter rejects one element (i.e. "does not accept the element"), the other filters will not be evaluated.
For the extension point org.eventb.core.scModuleTypes create an extension processorType.
1. enter a unique ID (like here machineBoundModule),
2. enter a human readable name such as "Machine SC Bound Module" as we will start to check bound elements,
3. enter the parent id of the module we want to extend. Here as we want to make checkings on bounds, variants and events, we will take org.eventb.core.machineModule as parent,
4. create the module class that extends SCProcessorModule (we called it "MachineBoundModule" and we used the "new class wizard").
The module (e.g. the class we created) needs to be implemented.
Two methods inherited from the interface ISCProcessorModule need to be defined (e.g. @Override) :
A . public IModuleType<?> getModuleType()
This method shall return the type of our module, built from its extension's name. To do this we use the static method in org.eventb.core.sc.SCCore.getModuleType() with our module extension complete id : QualProbPlugin.PLUGIN_ID + ".machineBoundModule".
Thus, let's use the constant below in our module :
public static final IModuleType<MachineBoundModule> MODULE_TYPE = SCCore.getModuleType(QualProbPlugin.PLUGIN_ID + ".machineBoundModule");
So we can write :
@Override public IModuleType<?> getModuleType() { return MODULE_TYPE; }
B . public void process(IRodinElement element, IInternalElement target, ISCStateRepository repository, IProgressMonitor monitor) throws CoreException
This method is the place where checkings are done. Thus it's where we will code all the conditions to check and finally produce a statically checked bound element, if all those conditions are respected. Accorded to the checking implementations which are "huge" and pure java, it is not relevant for this part of the tutorial to detail the full code. We will rather explain which are the main explainations about the process method and give some hints about how to use the Rodin API to retreive the informations needed in our checkings. Full implementation is let to the reader as an exercise.
Here are some explanations about the process() method.
The element passed as an argument here, is the element passed by the parent of this module. It can be useful in case of systematic element checking, to retrieve the elements to check in a parent processor module, and then, treat each element one by one, calling sub-processor modules.
The IInternalElement target is (e.g. should be) the statically checked file where our elements, after sucessful well-formdness verification, should be stored. This file will be used as an input for the proof obligation generation.
The parameter ISCStateRepository repository is the global repository used by the module to get shared informations. (//FIXME complete the static checker page, to add infos about states and link it here).
Finally, IProgressMonitor monitor is the progress monitor used while performing the static checking.