A CSP Account of Event-B Refinement

Event-B provides a flexible framework for stepwise system development via refinement. The framework supports steps for (a) refining events (one-by-one), (b) splitting events (one-by-many), and (c) introducing new events. In each of the steps events c…

Authors: Steve Schneider (University of Surrey), Helen Treharne (University of Surrey), Heike Wehrheim (University of Paderborn)

J. Derrick, E.A. Boiten, S. Reeves (Eds.): Refinement Workshop 2011. EPTCS 55, 2011, pp. 139–154, doi:10.4204/EPTCS.55.9

Steve Schneider, Department of Computing, University of Surrey, S.Schneider@surrey.ac.uk
Helen Treharne, Department of Computing, University of Surrey, H.Treharne@surrey.ac.uk
Heike Wehrheim, Department of Computer Science, University of Paderborn, wehrheim@uni-paderborn.de

Event-B provides a flexible framework for stepwise system development via refinement. The framework supports steps for (a) refining events (one-by-one), (b) splitting events (one-by-many), and (c) introducing new events. In each of the steps events can moreover possibly be anticipated or convergent. All such steps are accompanied with precise proof obligations. Still, it remains unclear what the exact relationship - in terms of a behaviour-oriented semantics - between an Event-B machine and its refinement is. In this paper, we give a CSP account of Event-B refinement, with a treatment for the first time of splitting events and of anticipated events. To this end, we define a CSP semantics for Event-B and show how the different forms of Event-B refinement can be captured as CSP refinement.

1 Introduction

Event-B [1] provides a framework for system development through stepwise refinement. Individual refinement steps are verified with respect to their proof obligations, and the transitivity of refinement ensures that the final system description is a refinement of the initial one. The refinement process allows new events to be introduced through the refinement process, in order to provide the more concrete implementation details necessary as refinement proceeds. The framework allows for a great deal of flexibility so as to cover a broad range of system developments. The recent book [1] comprising case studies from rather diverse areas shows that this goal is actually met.
The flexibility is a result of the different ways of dealing with events during refinement. At each step existing events of an Event-B machine need to be refined. This can be achieved by (a) simply keeping the event as is, (b) refining it into another event, possibly because of a change of the state variables, or (c) splitting it into several events (footnote 1). Furthermore, every refinement step allows for the introduction of new events. To help reasoning about divergence, events are in addition classified as ordinary, anticipated or convergent. Anticipated and convergent events both introduce new details into the machine specification. Convergent events must not be executed forever, while for anticipated events this condition is deferred to later refinement steps. All of these steps come with precise proof obligations; appropriate tool support helps in discharging these [3, 2]. Event-B is essentially a state-based specification technique, and proof obligations therefore reason about predicates on states.

Footnote 1: A fourth option is merging of events, which we do not consider here.

Like Event-B, CSP comes with a notion of refinement. In order to understand their relationship, these two refinement concepts need to be set in a single framework. Both formalisms moreover support a variety of different forms of refinement: Event-B by means of several proof obligations related to refinement, out of which the system designer chooses an appropriate set; CSP by means of its different semantic domains of traces, failures and divergences. The aim of this paper is to give a precise account of Event-B refinement in terms of CSP's behaviour-oriented process refinement. This will also provide the underlying results that support refinement in the combined formalism Event-B ‖ CSP. Our work is thus in line with previous studies relating state-based with behaviour-oriented refinement (see e.g. [5, 9, 4]).

It turns out that CSP supports an approach to refinement consistent with that of Event-B. It faithfully reflects all of Event-B's possibilities for refinement, including splitting events and new events. It moreover also deals with the Event-B approach of anticipated events as a means to defer consideration of divergence-freedom. Our results involve support for individual refinement steps as well as for the resulting refinement chain.

The paper is structured as follows. The next section introduces the necessary background on Event-B and CSP. Section 3 gives the CSP semantics for Event-B based on weakest preconditions. In Section 4 we precisely fix the notion of refinement used in this paper, both for CSP and for Event-B, and Section 5 will then set these definitions in relation. It turns out that the appropriate refinement concept of CSP in this combination with Event-B is infinite-traces-divergences refinement. The last section concludes.

2 Background

We start with a short introduction to CSP and Event-B. For more detailed information see [17] and [1] respectively.

2.1 CSP

CSP, Communicating Sequential Processes, introduced by Hoare [11], is a formal specification language aiming at the description of communicating processes. A process is characterised by the events it can engage in and their ordering. Events will in the following be denoted by $a_1, a_2, \ldots$ or $evt_0, evt_1, \ldots$. Process expressions are built out of events using a number of composition operators. In this paper, we will make use of just three of them: interleaving ($P_1 \mathrel{|||} P_2$), executing two processes in parallel without any synchronisation; hiding ($P \setminus N$), making a set $N$ of events internal; and renaming ($f(P)$ and $f^{-1}(P)$), changing the names of events according to a renaming function $f$. If $f$ is a non-injective function, $f^{-1}(P)$ will offer a choice of events $b$ such that $f(b) = a$ whenever $P$ offers event $a$.
Every CSP process $P$ has an alphabet $\alpha P$. Its semantics is given using the Failures/Divergences/Infinite Traces semantic model for CSP. This is presented as $\mathcal{U}$ in [16] or FDI in [17]. The semantics of a process can be understood in terms of four sets, $T, F, D, I$, which are respectively the traces, failures, divergences, and infinite traces of $P$. These are understood as observations of possible executions of the process $P$, in terms of the events from $\alpha P$ that it can engage in. Traces are finite sequences of events from $P$'s alphabet: $tr \in \alpha P^{*}$. The set $traces(P)$ represents the possible finite sequences of events that $P$ can perform. Failures will not be considered in this paper and are therefore not explained here. Divergences are finite sequences of events on which the process might diverge: perform an infinite sequence of internal events (such as an infinite loop) at some point during or at the end of the sequence. The set $divergences(P)$ is the set of all possible divergences for $P$. Infinite traces $u \in \alpha P^{\omega}$ are infinite sequences of events. The set $infinites(P)$ is the set of infinite traces that $P$ can exhibit. For technical reasons it also contains those infinite traces which have some prefix which is a divergence.

Definition 2.1 A process $P$ is divergence-free if $divergences(P) = \{\}$.

We use $tr$ to refer to finite traces. These can also be written explicitly as $\langle a_1, a_2, \ldots, a_n \rangle$. The empty trace is $\langle\rangle$, and concatenation of traces is written as $tr_1 \frown tr_2$. We use $u$ to refer to infinite traces. Given a set of events $A$, the projections $tr \upharpoonright A$ and $u \upharpoonright A$ are the traces restricted to only those events in $A$. Note that $u \upharpoonright A$ might be finite, if only finitely many $A$ events appear in $u$. Conversely, $tr \setminus A$ and $u \setminus A$ are those traces with the events in $A$ removed. The length operator $\#tr$ and $\#u$ gives the length of the trace it is applied to. As a first observation, we get the following.

Lemma 2.2 If $P$ is divergence-free, and for any infinite trace $u$ of $P$ we have $\#(u \setminus A) = \infty$, then $P \setminus A$ is divergence-free.

Proof 2.3 Follows immediately from the semantics of the hiding operator.

Later, we furthermore use specifications on traces or, more generally, on CSP processes. Specifications are given in terms of predicates. If $S$ is a predicate on a particular semantic element, then we write $P \;\mathbf{sat}\; S$ to denote that all relevant elements in the semantics of $P$ meet the predicate $S$. For example, if $S(u)$ is a predicate on infinite traces, then $P \;\mathbf{sat}\; S(u)$ is equivalent to $\forall u \in infinites(P) .\ S(u)$.

2.2 Event-B

Event-B [1, 13] is a state-based specification formalism based on set theory. Here we describe the basic parts of an Event-B machine required for this paper; a full description of the formalism can be found in [1]. A machine specification usually defines a list of variables, given as $v$. Event-B also in general allows sets $s$ and constants $c$. However, for our purposes the treatment of elements such as sets and constants is independent of the results of this paper, and so we will not include them here. They can, however, be directly incorporated without affecting our results. There are many clauses that may appear in Event-B machines, and we concentrate on those clauses concerned with the state. We will therefore describe a machine $M_0$ with a list of state variables $v$, a state invariant $I(v)$, and a set of events $evt_0, \ldots$ to update the state (see left of Fig. 1). Initialisation is a special event $init_0$. A machine $M_0$ will have various proof obligations on it. These include consistency obligations, that events preserve the invariant. They can also include (optional) deadlock-freeness obligations: that at least one event guard is always true.

Central to an Event-B description is the definition of the events, each consisting of a guard $G(v)$ over the variables, and a body, usually written as an assignment $S$ on the variables. The body defines a before-after predicate $BA(v, v')$ describing changes of variables upon event execution, in terms of the relationship between the variable values before ($v$) and after ($v'$). The body can also be written as $v :| BA(v, v')$, whose execution assigns to $v$ any value $v'$ which makes the predicate $BA(v, v')$ true (see right of Fig. 1).

    machine M0
      variables v
      invariant I(v)
      events init0, evt0, ...
    end

    evt0 ≙
      when G(v) then v :| BA0(v, v') end

Figure 1: Template of an Event-B machine and an event.

3 CSP semantics for Event-B machines

Event-B machines are particular instances of action systems, so Morgan's CSP semantics for action systems [14] allows traces, failures, and divergences to be defined for Event-B machines, in terms of the sequences of events that they can and cannot engage in. Butler's extension to handle unbounded nondeterminism [6] defines the infinite traces for action systems. These together give a way of considering Event-B machines as CSP processes, and treating them within the CSP semantic framework. In this paper we use the infinite traces model in order to give a proper treatment of divergence under hiding. This is required to establish our main result concerning divergence-freedom under hiding of new events. Consideration of finite traces alone is not sufficient for this result. Note that the notion of traces for machines is different to that presented in [1], where traces are considered as sequences of states rather than our treatment of traces as sequences of events.

The CSP semantics is based on the weakest precondition semantics of events. Let $S$ be a statement (of an event).
Then $[S]R$ denotes the weakest precondition for statement $S$ to establish postcondition $R$. Weakest preconditions for events of the form "when $G(v)$ then $S(v)$ end" are given by considering them as guarded commands:

$$[\mathbf{when}\ G(v)\ \mathbf{then}\ S(v)\ \mathbf{end}]\,P = G(v) \Rightarrow [S(v)]P$$

Events in the general form "when $G(v)$ then $v :| BA(v, v')$ end" have a weakest precondition semantics as follows:

$$[\mathbf{when}\ G(v)\ \mathbf{then}\ v :| BA(v, v')\ \mathbf{end}]\,P = G(v) \Rightarrow \forall x .\ (BA(v, x) \Rightarrow P[x/v])$$

Observe that for the case $P = true$ we have

$$[\mathbf{when}\ G(v)\ \mathbf{then}\ v :| BA(v, v')\ \mathbf{end}]\,true = true$$

Based on the weakest precondition, we can define the traces, divergences and infinite traces of an Event-B machine (footnote 2).

Traces. The traces of a machine $M$ are those sequences of events $tr = \langle a_1, \ldots, a_n \rangle$ which are possible for $M$ (after initialisation $init$): those that do not establish $false$:

$$traces(M) = \{\, tr \mid \neg [init; tr]\,false \,\}$$

Here, the weakest precondition on a sequence of events is the weakest precondition of the sequential composition of those events: $[\langle a_1, \ldots, a_n \rangle]P$ is given as $[a_1; \ldots; a_n]P = [a_1](\ldots([a_n]P)\ldots)$.

Divergences. A sequence of events $tr$ is a divergence if the sequence of events is not guaranteed to terminate, i.e. $\neg [init; tr]\,true$. Thus

$$divergences(M) = \{\, tr \mid \neg [init; tr]\,true \,\}$$

Note that any Event-B machine $M$ with events of the form $evt$ given above is divergence-free. This is because $[evt]true = true$ for such events (and for $init$), and so $[init; tr]\,true = true$. Thus no potential divergence $tr$ meets the condition $\neg [init; tr]\,true$.

Footnote 2: Failures can be defined as well but are omitted since they are not needed for our approach.

Infinite Traces. The technical definition of infinite traces is given in [6], in terms of least fixed points of predicate transformers on infinite vectors of predicates.
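As an added example (not from the paper), the following Python computes $traces(M)$ and $divergences(M)$ of a small constructed Event-B machine directly from the weakest-precondition definitions above, representing a predicate by the set of states in which it holds; the machine (variable x in 0..3, events inc, jump, reset, and the nondeterministic init) is an assumption of the example.

```python
"""Weakest-precondition semantics of Event-B events over a finite state space,
used to compute traces(M) = {tr | not [init; tr] false} and
divergences(M) = {tr | not [init; tr] true}.  Constructed example."""
from itertools import product

# A predicate on states is the set of states in which it holds.
STATES = frozenset(range(4))                      # single variable x in 0..3
TRUE, FALSE = STATES, frozenset()

# An event is (guard G, ba) where ba(x) is the set of after-states x' with BA(x, x').
EVENTS = {
    "inc":   (lambda x: x < 3,  lambda x: {x + 1}),   # when x < 3 then x := x + 1
    "jump":  (lambda x: x == 0, lambda x: {2, 3}),    # when x = 0 then x :| x' in {2, 3}
    "reset": (lambda x: x == 3, lambda x: {0}),       # when x = 3 then x := 0
}
INIT_STATES = {0, 1}                              # init0: x :| x' in {0, 1}

def wp(event, P):
    """[when G(v) then v :| BA(v, v') end] P = G(v) => forall x. (BA(v, x) => P[x/v])."""
    guard, ba = event
    return frozenset(s for s in STATES if not guard(s) or all(t in P for t in ba(s)))

def wp_seq(names, P):
    """[a1; ...; an] P = [a1](...([an] P)...): apply the transformers right to left."""
    for n in reversed(names):
        P = wp(EVENTS[n], P)
    return P

def wp_init(P):
    """[init] P: init starts from a state with no variables, so it holds iff
    every initial state satisfies P."""
    return all(t in P for t in INIT_STATES)

def is_trace(names):
    """tr in traces(M)  iff  not [init; tr] false."""
    return not wp_init(wp_seq(names, FALSE))

def is_divergence(names):
    """tr in divergences(M)  iff  not [init; tr] true."""
    return not wp_init(wp_seq(names, TRUE))

def traces_upto(k):
    """All traces of length <= k, found by testing every event sequence against wp."""
    return {tr for n in range(k + 1) for tr in product(EVENTS, repeat=n) if is_trace(tr)}

def events_are_total():
    """The observation [evt] true = true, checked for every event of the machine."""
    return all(wp(e, TRUE) == TRUE for e in EVENTS.values())

if __name__ == "__main__":
    print(sorted(traces_upto(2)))                      # traces of length <= 2
    print(is_trace(("jump", "inc", "inc")))            # False: no execution reaches it
    print(is_divergence(("inc", "inc")), events_are_total())
```

The sequence jump, inc, inc is rejected even though every single event is enabled somewhere: the wp computation is a "must" condition, so a trace is possible only if some execution of the whole sequence exists.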
Informally, an infinite sequence of events $u = \langle u_0, u_1, \ldots \rangle$ is an infinite trace of $M$ if there is an infinite sequence of predicates $P_i$ such that $\neg [init](\neg P_0)$ (i.e. some execution of $init$ reaches a state where $P_0$ holds), and $P_i \Rightarrow \neg [u_i](\neg P_{i+1})$ for each $i$ (i.e. if $P_i$ holds then some execution of $u_i$ can reach a state where $P_{i+1}$ holds).

$$infinites(M) = \{\, u \mid \text{there is a sequence } \langle P_i \rangle_{i \in \mathbb{N}} .\ \neg [init](\neg P_0) \wedge \text{for all } i .\ P_i \Rightarrow \neg [u_i](\neg P_{i+1}) \,\}$$

These definitions give the CSP Traces/Divergences/Infinite Traces semantics of Event-B machines in terms of the weakest precondition semantics of events.

4 Refinement

In this paper, we intend to give a CSP account of Event-B refinement. The previous section provides us with a technique for relating Event-B machines to the semantic domain of CSP processes. Next, we will briefly rephrase the refinement concepts in CSP and Event-B before explaining Event-B refinement in terms of CSP refinement.

4.1 CSP refinement

Based on the semantic domains of traces, failures, divergences and infinite traces, different forms of refinement can be given for CSP. The basic idea underlying these concepts is - however - always the same: the refining process should not exhibit a behaviour which was not possible in the refined process. The different semantic domains then supply us with different forms of "behaviour". In this paper we will use the following refinement relation, based on traces, divergences and infinite traces:

$$P \sqsubseteq_{TDI} Q \;\hat=\; traces(Q) \subseteq traces(P) \;\wedge\; divergences(Q) \subseteq divergences(P) \;\wedge\; infinites(Q) \subseteq infinites(P)$$

Refinement in Event-B also allows for the possibility of introducing new events. To capture this aspect in CSP, we need a way of incorporating this into process refinement. As a first idea, we could hide the new events in the refining process. This potentially introduces divergences, namely, when there is an infinite sequence of new events in the infinite traces. In order to separate out consideration of divergence from reasoning about traces, we will use $P \mathrel{|||} RUN_N$ as a lazy abstraction operator instead. $RUN_N$ defines a divergence-free process capable of executing any order of events from the set $N$. This will enable us to characterise Event-B refinement introducing new events in CSP terms. The following lemma gives the relationship between refinement involving interleaving, and refinement involving hiding.

Lemma 4.1 If $P_0 \mathrel{|||} RUN_N \sqsubseteq_{TDI} P_1$ and $N \cap \alpha P_0 = \{\}$ and $P_1 \setminus N$ is divergence-free, then $P_0 \sqsubseteq_{TDI} P_1 \setminus N$.

Proof: Assume that (1) $P_0 \mathrel{|||} RUN_N \sqsubseteq_{TDI} P_1$, (2) $N \cap \alpha P_0 = \{\}$ and (3) $P_1 \setminus N$ is divergence-free. We need to show that the (finite and infinite) traces as well as divergences of $P_1 \setminus N$ are contained in those of $P_0$.

Traces. Let $tr \in traces(P_1 \setminus N)$. By the semantics of hiding there is some $tr' \in traces(P_1)$ s.t. $tr' \setminus N = tr$. By (1) $tr' \in traces(P_0 \mathrel{|||} RUN_N)$. By (2) and the semantics of $|||$ we get $tr' \setminus N \in traces(P_0)$ and thus $tr \in traces(P_0)$.

Divergences. By (3) $divergences(P_1 \setminus N) = \{\}$, thus there is nothing to be proven here.

Infinites. Let $u \in infinites(P_1 \setminus N)$. By the semantics of hiding there is some $u' \in infinites(P_1)$ such that $u' \setminus N = u$ and $\#(u' \setminus N) = \infty$. By (1) $u' \in infinites(P_0 \mathrel{|||} RUN_N)$ and by (2) and the semantics of interleaving we get $u' \setminus N = u \in infinites(P_0)$. □

    evt0 ≙
      when G(v) then v :| BA0(v, v') end

    evt1 ≙
      refines evt0
      status st
      when H(w) then w :| BA1(w, w') end

Figure 2: An event and its refinement.

4.2 Event-B refinement

In Event-B, the (intended) refinement relationship between machines is directly written into the machine definitions. As a consequence of writing a refining machine, a number of proof obligations come up.
Here, we assume a machine and its refinement to take the following form:

    machine M0
      variables v
      invariant I(v)
      events init0, evt0, ...
    end

    machine M1
      refines M0
      variables w
      invariant J(v, w)
      events init1, evt1, ...
      variant V(w)
    end

The machine $M_0$ is actually refined by machine $M_1$, written $M_0 \preccurlyeq M_1$, if the given linking invariant $J$ on the variables of the two machines is established by their initialisations, and preserved by all events, in the sense that any event of $M_1$ can be matched by an event of $M_0$ (or $skip$ for newly introduced events) to maintain $J$. This is the standard notion of downwards simulation data refinement [8]. We next look at this in more detail, and in particular give the proof obligations associated to these conditions.

First of all, we need to look at events again. Figure 2 gives the shape of an event and its refinement. We see that an event in the refinement now also gets a status. The status can be ordinary (also called remaining), or anticipated or convergent. Convergent events are those which must not be executed forever, and anticipated events are those that will be made convergent at some later refinement step. New events must either have status anticipated or convergent. Both of these introduce further proof obligations: to prevent execution "forever" the refining machine has to give a variant $V$ (see above in $M_1$), and $V$ has to be decreased by every convergent event and must not be increased by anticipated events.

We now describe each of the proof obligations in turn. We have simplified them from their form in [13] by removing explicit references to sets and constants. Alternative forms of these proof obligations are given in [1, Section 5.2: Proof Obligation Rules].

FIS_REF: Feasibility. Feasibility of an event is the property that, if the event is enabled (i.e. the guard is true), then there is some after-state. In other words, the body of the event will not block when the event is enabled. The rule for feasibility of a concrete event is:

$$I(v) \wedge J(v, w) \wedge H(w) \;\vdash\; \exists w' .\ BA_1(w, w') \qquad \text{(FIS\_REF)}$$

GRD_REF: Guard Strengthening. This requires that when a concrete event is enabled, then so is the abstract one. The rule is:

$$I(v) \wedge J(v, w) \wedge H(w) \;\vdash\; G(v) \qquad \text{(GRD\_REF)}$$

INV_REF: Simulation. This ensures that the occurrence of events in the concrete machine can be matched in the abstract one (including the initialisation event). New events are treated as refinements of $skip$. The rule is:

$$I(v) \wedge J(v, w) \wedge H(w) \wedge BA_1(w, w') \;\vdash\; \exists v' .\ (BA_0(v, v') \wedge J(v', w')) \qquad \text{(INV\_REF)}$$

Event-B also allows a variety of further proof obligations for refinement, depending on what is appropriate for the application. The two parts of the variant rule WFD_REF below must hold respectively for all convergent and anticipated events, including all newly-introduced events.

WFD_REF: Variant. This rule ensures that the proposed variant $V$ satisfies the appropriate properties: that it is a natural number, that it decreases on occurrence of any convergent event, and that it does not increase on occurrence of any anticipated event:

$$I(v) \wedge J(v, w) \wedge H(w) \wedge BA_1(w, w') \;\vdash\; V(w) \in \mathbb{N} \wedge V(w') < V(w) \qquad \text{(WFD\_REF, convergent event)}$$

$$I(v) \wedge J(v, w) \wedge H(w) \wedge BA_1(w, w') \;\vdash\; V(w) \in \mathbb{N} \wedge V(w') \leq V(w) \qquad \text{(WFD\_REF, anticipated event)}$$

We will use the refinement relation $M_0 \preccurlyeq M_1$ to mean that the four proof obligations FIS_REF, GRD_REF, INV_REF, and WFD_REF hold between abstract machine $M_0$ and concrete machine $M_1$.

5 Event-B refinement as CSP refinement

With these definitions in place, we can now look at our main issue, the characterisation of Event-B refinement via CSP refinement. Here, we in particular need to look at the different forms of events in Event-B during refinement. Events can have status convergent or anticipated, or might have no status. This partitions the set of events of $M$ into three sets: anticipated $A$, convergent $C$, and remaining events $R$ (neither anticipated nor convergent). The alphabet of $M$, the set of all possible events, is thus given by $\alpha M = A \cup C \cup R$. In the CSP refinement, these will take different roles.

Now consider an Event-B machine $M_0$ and its refinement $M_1$: $M_0 \preccurlyeq M_1$. The machine $M_0$ has anticipated events $A_0$, convergent events $C_0$, and remaining events $R_0$, and $M_1$ similarly has event sets $A_1$, $C_1$, and $R_1$. Each event $ev_1$ in $M_1$ either refines a single event $ev_0$ in $M_0$ (indicated by the clause 'refines $ev_0$' in the description of $ev_1$) or does not refine any event of $M_0$. The set of new events $N_1$ is those events which are not refinements of events in $M_0$. $M_0 \preccurlyeq M_1$ thus induces a partial surjective function $f_1 : \alpha M_1 \twoheadrightarrow \alpha M_0$ where $f_1(ev_1) = ev_0 \Leftrightarrow ev_1$ refines $ev_0$. Observe that $\alpha M_1$ is partitioned by $f_1^{-1}(\alpha M_0)$ and $N_1$. The rules for refinement between events in Event-B impose restrictions on these sets:

1. each event of $M_0$ is refined by at least one event of $M_1$;
2. each new event in $M_1$ is either anticipated or convergent;
3. each event in $M_1$ which refines an anticipated event of $M_0$ is itself either convergent or anticipated;
4. refinements of convergent or remaining events of $M_0$ are remaining in $M_1$, i.e. they are not given a status.

The conditions imposed by the rules are formalised as follows:

1. $ran(f_1) = A_0 \cup C_0 \cup R_0$;
2. $N_1 \subseteq A_1 \cup C_1$;
3. $f_1^{-1}(A_0) \subseteq A_1 \cup C_1$;
4. $f_1^{-1}(C_0 \cup R_0) = f_1^{-1}(C_0) \cup f_1^{-1}(R_0) = R_1$.

These relationships between the classes of events are illustrated in Figure 3.
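As an added example, not the paper's own code: a checker that discharges FIS_REF, GRD_REF, INV_REF and WFD_REF exhaustively over a finite state space and tests the four partition rules above on the induced mapping $f_1$. The machine pair is constructed for the example: $M_0$ has a counter x; $M_1$ has x, a countdown b used as the variant, and a flag f that splits the abstract event step into step_a and step_b, plus a new convergent event tick and a new anticipated event mark.

```python
"""Exhaustive finite-state check of the Event-B refinement proof obligations
FIS_REF, GRD_REF, INV_REF, WFD_REF and of the event-partition rules 1-4.
Added example, not the paper's code; the machine pair is constructed."""
from itertools import product

# M0: state (x,), x in 0..2.   M1: state (x, b, f) with a countdown b (the
# variant V) and a flag f that splits the abstract event `step` in two.
X, B, F = range(3), range(3), range(2)

def ev(guard, ba, status="remaining", refines=None):
    """An event: guard(w), ba(w) -> set of after-states w', its status, and the
    abstract event it refines (None for a new event, which refines skip)."""
    return {"guard": guard, "ba": ba, "status": status, "refines": refines}

M0 = {"states": {(x,) for x in X}, "init": {(0,)}, "events": {
    "step":  ev(lambda v: v[0] < 2,  lambda v: {(v[0] + 1,)}),
    "reset": ev(lambda v: v[0] == 2, lambda v: {(0,)}),
}}
M1 = {"states": set(product(X, B, F)), "init": {(0, 0, 0)}, "events": {
    "step_a": ev(lambda w: w[0] < 2 and w[1] == 0 and w[2] == 0,
                 lambda w: {(w[0] + 1, 2, w[2])}, refines="step"),
    "step_b": ev(lambda w: w[0] < 2 and w[1] == 0 and w[2] == 1,
                 lambda w: {(w[0] + 1, 1, w[2])}, refines="step"),
    "reset":  ev(lambda w: w[0] == 2 and w[1] == 0,
                 lambda w: {(0, 0, w[2])}, refines="reset"),
    "tick":   ev(lambda w: w[1] > 0, lambda w: {(w[0], w[1] - 1, w[2])},
                 status="convergent"),
    "mark":   ev(lambda w: w[1] > 0 and w[2] == 0, lambda w: {(w[0], w[1], 1)},
                 status="anticipated"),
}}

def I(v):    return v[0] in X       # abstract invariant I(v)
def J(v, w): return v[0] == w[0]    # linking invariant J(v, w): the x components agree
def V(w):    return w[1]            # variant V(w) = b

def linked_pairs(m0, m1):
    """All (v, w) with I(v) and J(v, w): the hypothesis shared by every rule."""
    return [(v, w) for v in m0["states"] for w in m1["states"] if I(v) and J(v, w)]

def fis_ref(m0, m1, e1):
    """FIS_REF: I and J and H(w)  |-  exists w'. BA1(w, w')."""
    return all(e1["ba"](w) for v, w in linked_pairs(m0, m1) if e1["guard"](w))

def grd_ref(m0, m1, e1, e0):
    """GRD_REF: I and J and H(w)  |-  G(v)."""
    return all(e0["guard"](v) for v, w in linked_pairs(m0, m1) if e1["guard"](w))

def inv_ref(m0, m1, e1, e0):
    """INV_REF: I and J and H(w) and BA1(w, w')  |-  exists v'. BA0(v, v') and J(v', w').
    A new event (e0 is None) refines skip, so the only candidate v' is v itself."""
    for v, w in linked_pairs(m0, m1):
        if e1["guard"](w):
            for w2 in e1["ba"](w):
                candidates = e0["ba"](v) if e0 else {v}
                if not any(J(v2, w2) for v2 in candidates):
                    return False
    return True

def wfd_ref(m0, m1, e1):
    """WFD_REF: V(w) is a natural number and every step of a convergent event
    decreases it, every step of an anticipated event does not increase it."""
    for v, w in linked_pairs(m0, m1):
        if e1["guard"](w):
            for w2 in e1["ba"](w):
                if not (isinstance(V(w), int) and V(w) >= 0):
                    return False
                if e1["status"] == "convergent" and not V(w2) < V(w):
                    return False
                if e1["status"] == "anticipated" and not V(w2) <= V(w):
                    return False
    return True

def init_ref(m0, m1):
    """INV_REF for initialisation: each concrete initial state is linked to an abstract one."""
    return all(any(J(v, w) for v in m0["init"]) for w in m1["init"])

def check_refinement(m0, m1):
    """Per-event verdict; M0 is refined by M1 iff every verdict (and init) is True."""
    verdict = {"init": init_ref(m0, m1)}
    for name, e1 in m1["events"].items():
        e0 = m0["events"][e1["refines"]] if e1["refines"] else None
        ok = fis_ref(m0, m1, e1) and inv_ref(m0, m1, e1, e0)
        ok = ok and (e0 is None or grd_ref(m0, m1, e1, e0))
        if e1["status"] != "remaining":     # WFD_REF applies to C1 and A1, new events included
            ok = ok and wfd_ref(m0, m1, e1)
        verdict[name] = ok
    return verdict

def partition_rules(m0, m1):
    """Rules 1-4 on f1 (abstract events of a plain machine carry status 'remaining')."""
    f1 = {n: e["refines"] for n, e in m1["events"].items() if e["refines"]}
    new = {n for n, e in m1["events"].items() if not e["refines"]}
    st = lambda m, n: m["events"][n]["status"]
    return (set(f1.values()) == set(m0["events"]),                              # ran(f1) = alpha M0
            all(st(m1, n) != "remaining" for n in new),                         # N1 within A1 u C1
            all(st(m1, n) != "remaining" for n, a in f1.items() if st(m0, a) == "anticipated"),
            all(st(m1, n) == "remaining" for n, a in f1.items() if st(m0, a) != "anticipated"))

if __name__ == "__main__":
    print(check_refinement(M0, M1), partition_rules(M0, M1))
```

Replacing tick by an event that leaves b unchanged makes wfd_ref fail for a convergent event but pass for an anticipated one, which is exactly the difference between the two WFD_REF variants.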
Figure 3: Relationship between events in a refinement step: $f_1$ maps events in $M_1$ to events in $M_0$ that they refine. (Diagram not reproduced; it shows the sets $R_1, C_1, A_1$ and $N_1$ of $M_1$ and $R_0, C_0, A_0$ of $M_0$.)

5.1 New events

For the new events arising in the refinement, we can use the lazy abstraction operator via the $RUN$ process to get our desired result, disregarding the issue of divergence for a moment. The following lemma gives our first result on the relationship between Event-B refinement and CSP refinement.

Lemma 5.1 If $M_0 \preccurlyeq M_1$ and the refinement introduces new events $N_1$ and uses the mapping $f_1$, then $f_1^{-1}(M_0) \mathrel{|||} RUN_{N_1} \sqsubseteq_{TDI} M_1$.

Proof: We assume state variables of $M_0$ and $M_1$ named as given above, i.e. state variables of $M_0$ are $v$ and of $M_1$ are $w$. Let $tr = \langle a_1, \ldots, a_n \rangle \in traces(M_1)$. We need to show that $tr \in traces(f_1^{-1}(M_0) \mathrel{|||} RUN_{N_1})$. First of all note that the interleaving operator merges the traces of two processes together, i.e., the traces of $f_1^{-1}(M_0) \mathrel{|||} RUN_{N_1}$ are simply those of $f_1^{-1}(M_0)$ with new events arbitrarily inserted. The proof proceeds by induction on the length of the trace.

Induction base. Assume $n = 0$, i.e., $tr = \langle\rangle$. By definition this means that the initialisation event $init_1$ has been executed, bringing the machine $M_1$ into a state $w_1$. By INV_REF (using $init$ as event), we find a state $v_1$ such that $J(v_1, w_1)$ and furthermore $\langle\rangle \in traces(M_0)$ and hence also in $traces(f_1^{-1}(M_0) \mathrel{|||} RUN_{N_1})$.

Induction step. Assume that for a trace $tr = \langle a_1, \ldots, a_{j-1} \rangle \in traces(M_1)$ we have already shown that $tr \in traces(f_1^{-1}(M_0) \mathrel{|||} RUN_{N_1})$ and this has led us to a pair of states $v_{j-1}, w_{j-1}$ such that $J(v_{j-1}, w_{j-1})$. Now two cases need to be considered:

1. $a_j \notin N_1$: Assume $a_j$ in $M_1$ to be of the form "when $H(w)$ then $w :| BA_1(w, w')$ end" and $f_1(a_j)$ in $M_0$ of the form "when $G(v)$ then $v :| BA(v, v')$ end". Since $a_j$ is executed in $w_{j-1}$ we have $H(w_{j-1})$. By GRD_REF we thus get $G(v_{j-1})$. Furthermore, for $w_j$ with $BA_1(w_{j-1}, w_j)$ we find - by INV_REF - a state $v_j$ such that $J(v_j, w_j)$ and $BA(v_{j-1}, v_j)$. Hence $tr \frown \langle a_j \rangle \in traces(f_1^{-1}(M_0) \mathrel{|||} RUN_{N_1})$.

2. $a_j \in N_1$: Similar to the previous case. Here, $a_j$ refines $skip$ and thus $v_j = v_{j-1}$, and the event $a_j$ is coming from $RUN_{N_1}$.

In the same way we can carry out a proof for infinite traces. For divergences it is even simpler as $divergences(M_1) = \{\}$. □

This lemma can be generalised to a chain of refinement steps. For this, we assume that we are given a sequence of Event-B machines $M_i$ with their associated processes $P_i$, and every refinement step introduces some set of new events $N_i$.

Theorem 5.2 If a sequence of processes $P_i$, mappings $f_i$, and sets $N_i$ are such that

$$f_{i+1}^{-1}(P_i) \mathrel{|||} RUN_{N_{i+1}} \sqsubseteq_{TDI} P_{i+1} \qquad (1)$$

for each $i$, then

$$f_n^{-1}(\ldots(f_1^{-1}(P_0))\ldots) \mathrel{|||} RUN_{f_n^{-1}(\ldots f_2^{-1}(N_1)\ldots) \,\cup\, \ldots \,\cup\, f_n^{-1}(N_{n-1}) \,\cup\, N_n} \sqsubseteq_{TDI} P_n$$

Proof: Two successive refinement steps combine to provide a relationship between $P_0$ and $P_2$ of the same form as line (1) above, as follows:

$$\begin{array}{ll}
f_2^{-1}(P_1) \mathrel{|||} RUN_{N_2} \sqsubseteq_{TDI} P_2 & \text{(given)} \\
f_2^{-1}(f_1^{-1}(P_0) \mathrel{|||} RUN_{N_1}) \mathrel{|||} RUN_{N_2} \sqsubseteq_{TDI} P_2 & \text{(line (1), transitivity of } \sqsubseteq\text{)} \\
f_2^{-1}(f_1^{-1}(P_0)) \mathrel{|||} RUN_{f_2^{-1}(N_1)} \mathrel{|||} RUN_{N_2} \sqsubseteq_{TDI} P_2 & \text{(Law: } f^{-1}(P \mathrel{|||} Q) = f^{-1}(P) \mathrel{|||} f^{-1}(Q)\text{)} \\
f_2^{-1}(f_1^{-1}(P_0)) \mathrel{|||} RUN_{f_2^{-1}(N_1) \cup N_2} \sqsubseteq_{TDI} P_2 & \text{(Law: } RUN_A \mathrel{|||} RUN_B = RUN_{A \cup B}\text{)}
\end{array}$$

Hence the whole chain of refinement steps can be collected together, yielding the result. □
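As an added example, not the paper's own code: a bounded check of the refinement of Lemma 5.1, $f_1^{-1}(M_0) \mathrel{|||} RUN_{N_1} \sqsubseteq_{TDI} M_1$, on finite traces, together with the other hypothesis of Lemma 4.1 (that $M_1 \setminus N_1$ is divergence-free). The machine pair is constructed for the example: a counter x, refined by x with a countdown b and a flag f, the abstract step split into step_a/step_b, and new events tick and mark; the encoding as successor functions and the trace bound are assumptions of the example.

```python
"""Bounded check of the lazy-abstraction refinement of Lemma 5.1 and of the
divergence-freedom hypothesis of Lemma 4.1 on a constructed finite-state
machine pair.  Added example, not the paper's code."""

# f1 : alpha M1 -> alpha M0 (partial, surjective) and the new events N1.
F1 = {"step_a": "step", "step_b": "step", "reset": "reset"}
N1 = {"tick", "mark"}
INIT0, INIT1 = {(0,)}, {(0, 0, 0)}

# succ(s) lists the (event, after-state) pairs enabled in s: the guard and
# before-after relation of every event.  M0 state: (x,).  M1 state: (x, b, f).
def succ0(v):
    x, = v
    return ([("step", (x + 1,))] if x < 2 else []) + ([("reset", (0,))] if x == 2 else [])

def succ1(w):
    x, b, f = w
    out = []
    if x < 2 and b == 0 and f == 0:
        out.append(("step_a", (x + 1, 2, f)))     # refines step
    if x < 2 and b == 0 and f == 1:
        out.append(("step_b", (x + 1, 1, f)))     # refines step (event splitting)
    if x == 2 and b == 0:
        out.append(("reset", (0, 0, f)))          # refines reset
    if b > 0:
        out.append(("tick", (x, b - 1, f)))       # new, convergent: variant b decreases
    if b > 0 and f == 0:
        out.append(("mark", (x, b, 1)))           # new, anticipated: variant b unchanged
    return out

def traces(init, succ, k):
    """Finite traces of length <= k by exploring executions; on a finite state
    space this is the set traces(M) = {tr | not [init; tr] false}, cut at k."""
    found, frontier = {()}, {((), s) for s in init}
    for _ in range(k):
        frontier = {(tr + (e,), t) for tr, s in frontier for e, t in succ(s)}
        found |= {tr for tr, _ in frontier}
    return found

def abstract(tr):
    """Undo the interleaving with RUN_N1 and the renaming f1^-1: f1(tr \\ N1)."""
    return tuple(F1[e] for e in tr if e not in N1)

def lazy_refinement_holds(k):
    """traces(M1) within traces(f1^-1(M0) ||| RUN_N1), checked up to length k:
    every M1 trace, with new events dropped and the rest renamed, is an M0 trace."""
    t0 = traces(INIT0, succ0, k)
    return all(abstract(tr) in t0 for tr in traces(INIT1, succ1, k))

def reachable(init, succ):
    seen, todo = set(init), list(init)
    while todo:
        s = todo.pop()
        for _, t in succ(s):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def hiding_divergence_free(init, succ, hidden):
    """M \\ hidden is divergence-free iff no reachable state lies on a cycle made
    of hidden events only (such a cycle is an infinite run of internal events)."""
    for s in reachable(init, succ):
        seen, stack = set(), [t for e, t in succ(s) if e in hidden]
        while stack:
            t = stack.pop()
            if t == s:
                return False
            if t not in seen:
                seen.add(t)
                stack.extend(u for e, u in succ(t) if e in hidden)
    return True

if __name__ == "__main__":
    # With both hypotheses of Lemma 4.1 established, M0 refined by M1 \ N1 follows.
    print("Lemma 5.1 (bounded):", lazy_refinement_holds(8))
    print("M1 \\ N1 divergence-free:", hiding_divergence_free(INIT1, succ1, N1))
```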
5.2 Convergent and anticipated events

The previous result lets us relate the first and last Event-B machine in a chain of refinements. Due to the lazy abstraction operator (and the resulting possibility of defining refinement without hiding new events), we considered divergence-free processes there: all processes $P_i$ representing Event-B machines are divergence-free by definition. However, Event-B refinement is concerned with a particular form of divergence and its avoidance. A sort of divergence would arise when new events (or more specifically, convergent events) could be executed forever, and this is what the proof rules for variants rule out.

We would like to capture the impact of convergent and anticipated sets of events in the CSP semantics as well. To do so, we first of all define the specification predicate

$$CA(C, R)(u) \;\hat=\; \big(\#(u \upharpoonright C) = \infty \Rightarrow \#(u \upharpoonright R) = \infty\big)$$

Intuitively, this states that all infinite traces having infinitely many convergent ($C$) events also have infinitely many remaining ($R$) events (and thus cannot execute convergent events alone forever). In this case we say that the Event-B machine does not diverge on $C$ events.

Definition 5.3 Let $M$ be an Event-B machine with its alphabet $\alpha M$ containing event sets $C$ and $R$ with $C \cap R = \{\}$. $M$ does not diverge on $C$ events if $M \;\mathbf{sat}\; CA(C, R)$.

Convergent events in Event-B machines only come into play during refinement. Thus a plain, single Event-B machine has no convergent events ($C = \{\}$) and thus trivially satisfies the specification predicate.

Lemma 5.4 If $M_0 \preccurlyeq M_1$, and $M_1$ has convergent, anticipated, and remaining events $C_1$, $A_1$, and $R_1$ respectively, then $M_1 \;\mathbf{sat}\; CA(C_1, R_1)$.

Proof: We prove this by contradiction. Assume $\neg (M_1 \;\mathbf{sat}\; CA(C_1, R_1))$. Then there is some $u \in infinites(M_1)$ such that $\#(u \upharpoonright C_1) = \infty$ and $\#(u \upharpoonright R_1) < \infty$. Then there must be some $tr_0, u_0$ such that $u = tr_0 \frown u_0$ with $u_0 \in (C_1 \cup A_1)^{\omega}$ (i.e. $tr_0$ is a prefix of $u$ containing all the $R_1$ events). Moreover, $\#(u_0 \upharpoonright C_1) = \infty$. Now since $M_0 \preccurlyeq M_1$ we have by GRD_REF and INV_REF that there is some pair of states $(v, w)$ (abstract and concrete state) reached after executing $tr_0$ for which $J(v, w)$ and $I(v)$ is true. Furthermore, $V(w)$ is a natural number. Also by $M_0 \preccurlyeq M_1$ we have an infinite sequence of pairs of states $(v_i, w_i)$ (for the remaining infinite trace $u_0$) such that $J(v_i, w_i)$. Since each event in $u_0$ is in $A_1$ or $C_1$ we have from WFD_REF that $V(w_{i+1}) \leq V(w_i)$ for each $i$. Further, for infinitely many $i$ (i.e. those events in $C_1$) we have $V(w_{i+1}) < V(w_i)$. Thus we have a sequence of values $V(w_i)$ decreasing infinitely often without ever increasing. This contradicts the fact that $V(w_i) \in \mathbb{N}$. □

A number of further interesting properties can be deduced for the specification predicate $CA$.

Lemma 5.5 Let $P$ be a CSP process and $C, C', R \subseteq \alpha P$ nonempty finite sets of events.

1. If $P \;\mathbf{sat}\; CA(C, R)$ then $f^{-1}(P) \;\mathbf{sat}\; CA(f^{-1}(C), f^{-1}(R))$.
2. If $P \;\mathbf{sat}\; CA(C, R)$ and $N \cap C = \{\}$ then $P \mathrel{|||} RUN_N \;\mathbf{sat}\; CA(C, R)$.
3. If $P \;\mathbf{sat}\; CA(C, R)$ and $P \;\mathbf{sat}\; CA(C', C \cup R)$ then $P \;\mathbf{sat}\; CA(C \cup C', R)$.
4. If $P \;\mathbf{sat}\; CA(C, R)$ and $C \cap R = \{\}$ then $P \setminus C$ is divergence-free.

Proof:

1. Assume that $u \in infinites(f^{-1}(P))$ and $\#(u \upharpoonright f^{-1}(C)) = \infty$. From the first we get $f(u) \in infinites(P)$. From the latter it follows that $\#(f(u) \upharpoonright C) = \infty$. With $P \;\mathbf{sat}\; CA(C, R)$ we have $\#(f(u) \upharpoonright R) = \infty$ and hence $\#(u \upharpoonright f^{-1}(R)) = \infty$.

2. Let $u \in infinites(P \mathrel{|||} RUN_N)$ and $\#(u \upharpoonright C) = \infty$. With $N \cap C = \{\}$ we get $\#((u \setminus N) \upharpoonright C) = \infty$. By definition of $|||$ we have $u \setminus N \in infinites(P)$ ($u \setminus N$ is infinite since $\#((u \setminus N) \upharpoonright C) = \infty$). By $P \;\mathbf{sat}\; CA(C, R)$ we get $\#((u \setminus N) \upharpoonright R) = \infty$, hence $\#(u \upharpoonright R) = \infty$.

3. Let $u \in infinites(P)$ such that $\#(u \upharpoonright (C \cup C')) = \infty$. Both $C$ and $C'$ are finite sets, hence either $\#(u \upharpoonright C) = \infty$ or $\#(u \upharpoonright C') = \infty$ (or both). In the first case we get $\#(u \upharpoonright R) = \infty$ by $P \;\mathbf{sat}\; CA(C, R)$. In the second case it follows that $\#(u \upharpoonright (C \cup R)) = \infty$ and hence again $\#(u \upharpoonright C) = \infty$ or directly $\#(u \upharpoonright R) = \infty$.

4. First of all note that if $P \;\mathbf{sat}\; CA(C, R)$ then $P$ is divergence-free. Now assume that there is a trace $tr \in divergences(P \setminus C)$. Then there exists a trace $u \in infinites(P)$ such that $tr = u \setminus C$, and so $\#(u \setminus C) < \infty$. Hence $\#(u \upharpoonright C) = \infty$. However - as $C \cap R = \{\}$ - $\#(u \upharpoonright R) \neq \infty$, which contradicts $P \;\mathbf{sat}\; CA(C, R)$. □

The most interesting of these properties is probably the last one: it relates the specification predicate to the definition of divergence freedom in CSP. In CSP, a process does not diverge on a set of events $C$ if $P \setminus C$ is divergence-free. This gives us some results about the specification predicate for single Event-B machines and CSP processes. Next, we would like to apply this to refinements. First, we again consider just two machines.

Lemma 5.6 Let $M_0 \preccurlyeq M_1$ with an associated refinement function $f_1$ and let $M_0 \;\mathbf{sat}\; CA(C_0, R_0)$. Then $M_1 \;\mathbf{sat}\; CA(f_1^{-1}(C_0) \cup C_1, f_1^{-1}(R_0))$.

Proof: Assume $u \in infinites(M_1)$ and $\#(u \upharpoonright (f_1^{-1}(C_0) \cup C_1)) = \infty$. We aim to establish that $\#(u \upharpoonright f_1^{-1}(R_0)) = \infty$. We have $\#(u \upharpoonright f_1^{-1}(C_0)) = \infty$ or $\#(u \upharpoonright C_1) = \infty$. In the former case, Lemma 5.1 yields that $f_1(u \upharpoonright f_1^{-1}(\alpha M_0)) \in infinites(M_0)$.
Then
$\#(u \upharpoonright f_1^{-1}(C_0)) = \infty$ (given)
$\#(f_1(u \upharpoonright f_1^{-1}(C_0)) \upharpoonright C_0) = \infty$ (since renaming preserves length)
$\#(f_1(u \upharpoonright f_1^{-1}(\alpha M_0)) \upharpoonright C_0) = \infty$ (since $C_0 \subseteq \alpha M_0$)
$\#(f_1(u \upharpoonright f_1^{-1}(\alpha M_0)) \upharpoonright R_0) = \infty$ (by $M_0$ sat $CA(C_0, R_0)$)
$\#((u \upharpoonright f_1^{-1}(\alpha M_0)) \upharpoonright f_1^{-1}(R_0)) = \infty$ (since renaming preserves length)
$\#(u \upharpoonright f_1^{-1}(R_0)) = \infty$ (since $R_0 \subseteq \alpha M_0$)

In the latter case Lemma 5.4 yields that $\#(u \upharpoonright R_1) = \infty$. Then
$\#(u \upharpoonright R_1) = \infty$
$\#(u \upharpoonright f_1^{-1}(R_0 \cup C_0)) = \infty$ (since $R_1 = f_1^{-1}(C_0 \cup R_0)$)
$\#(u \upharpoonright f_1^{-1}(R_0)) = \infty \;\lor\; \#(u \upharpoonright f_1^{-1}(C_0)) = \infty$
The first disjunct is the desired result, the second is the one already treated above. $\square$

Note that by Lemma 5.5 (4) the above result implies that the machine $M_1$ does not diverge on $f_1^{-1}(C_0) \cup C_1$; in particular $M_1 \setminus (f_1^{-1}(C_0) \cup C_1)$ is divergence-free.

Similar to the previous case, we can lift this to chains of refinement steps. Consider the last result with respect to two refinement steps $M_0 \preccurlyeq M_1 \preccurlyeq M_2$:
$M_0$ sat $CA(C_0, R_0)$ (given)
$f_1^{-1}(M_0)$ sat $CA(f_1^{-1}(C_0), f_1^{-1}(R_0))$ (Lemma 5.5 (1))
$f_1^{-1}(M_0) \mid\mid\mid RUN_{N_1}$ sat $CA(f_1^{-1}(C_0), f_1^{-1}(R_0))$ (Lemma 5.5 (2), since $f_1^{-1}(C_0) \cap N_1 = \{\}$)
$M_1$ sat $CA(f_1^{-1}(C_0), f_1^{-1}(R_0))$ (Lemma 5.1)
$f_2^{-1}(M_1)$ sat $CA(f_2^{-1}(f_1^{-1}(C_0)), f_2^{-1}(f_1^{-1}(R_0)))$ (Lemma 5.5 (1))
$f_2^{-1}(M_1) \mid\mid\mid RUN_{N_2}$ sat $CA(f_2^{-1}(f_1^{-1}(C_0)), f_2^{-1}(f_1^{-1}(R_0)))$ (Lemma 5.5 (2))
$M_2$ sat $CA(f_2^{-1}(f_1^{-1}(C_0)), f_2^{-1}(f_1^{-1}(R_0)))$ (Lemma 5.1)
$M_2$ sat $CA(C_2 \cup f_2^{-1}(C_1), f_2^{-1}(R_1))$ (Lemma 5.6)

Then by applying Lemma 5.5 (3) to the final two lines, with $R = f_2^{-1}(f_1^{-1}(R_0))$, $C = f_2^{-1}(f_1^{-1}(C_0))$, and $C' = C_2 \cup f_2^{-1}(C_1)$, we obtain
$M_2$ sat $CA(C_2 \cup f_2^{-1}(C_1) \cup f_2^{-1}(f_1^{-1}(C_0)),\; f_2^{-1}(f_1^{-1}(R_0)))$

Thus if $M_0 \preccurlyeq M_1 \preccurlyeq \ldots \preccurlyeq M_n$ then collecting together all the steps yields that
$M_n$ sat $CA\big((f_n^{-1}(\ldots f_1^{-1}(C_0) \ldots) \cup \ldots \cup f_n^{-1}(C_{n-1}) \cup C_n),\; f_n^{-1}(\ldots f_1^{-1}(R_0) \ldots)\big)$ (2)

Finally, we would like to put together these results into one result relating the initial machine $M_0$ to the final machine $M_n$ in the refinement chain. This result should use hiding for the treatment of new events, and, by stating the relationship between $M_0$ and $M_n \setminus \{\text{new events}\}$ via infinite-traces-divergences refinement, show that Event-B refinement actually does not introduce divergences on new events. For such chains of refinement steps we always assume that $A_0 = C_0 = \{\}$ (initially we have neither anticipated nor convergent events), and $A_n = \{\}$ (at the end all anticipated events have become convergent).

For this, we first of all need to find out what the "new events" are in the final machine. Define $g_{i,j}$ as the functional composition of the event mappings from $f_j$ to $f_i$:
$g_{i,j} = f_i ; f_{i+1} ; \ldots ; f_j$
Then noting the disjointness of the union, by repeated application of
$C_j \uplus A_j \uplus R_j = f_j^{-1}(C_{j-1} \uplus A_{j-1} \uplus R_{j-1}) \uplus N_j$

[Figure 4: Constructing NEW]

[Figure 5: Constructing CON]

we obtain
$C_j \uplus A_j \uplus R_j = g_{1,j}^{-1}(C_0 \uplus A_0 \uplus R_0) \uplus g_{2,j}^{-1}(N_1) \uplus \ldots \uplus g_{j,j}^{-1}(N_{j-1}) \uplus N_j$ (3)
Observe that this is a partition of $C_j \uplus A_j \uplus R_j$. Also, by repeated application of $R_j = f_j^{-1}(R_{j-1}) \uplus f_j^{-1}(C_{j-1})$ we obtain
$R_j \uplus C_j = g_{1,j}^{-1}(R_0) \uplus g_{1,j}^{-1}(C_0) \uplus g_{2,j}^{-1}(C_1) \uplus \ldots \uplus g_{j,j}^{-1}(C_{j-1}) \uplus C_j$ (4)
Observe that this is a partition of $C_j \uplus R_j$. In a full refinement chain $M_0 \preccurlyeq \ldots \preccurlyeq M_n$ we have that $A_0 = \{\}$, $C_0 = \{\}$, and $A_n = \{\}$. Define:
$NEW = g_{2,n}^{-1}(N_1) \uplus \ldots \uplus g_{n,n}^{-1}(N_{n-1}) \uplus N_n$
$CON = g_{1,n}^{-1}(C_0) \uplus \ldots \uplus g_{n,n}^{-1}(C_{n-1}) \uplus C_n$
These constructions are illustrated in Figures 4 and 5. Then from Equation 3 above with $j = n$, and using $A_0 = C_0 = A_n = \{\}$, we obtain
$C_n \uplus R_n = g_{1,n}^{-1}(R_0) \uplus NEW$
From Equation 4 above with $j = n$ we obtain
$C_n \uplus R_n = g_{1,n}^{-1}(R_0) \uplus CON$
Hence $NEW = CON$. From Theorem 5.2 and Line (2) above respectively we obtain that
$f_n^{-1}(\ldots (f_1^{-1}(M_0)) \ldots) \mid\mid\mid RUN_{NEW} \sqsubseteq_{TDI} M_n$ and $M_n$ sat $CA(CON,\; f_n^{-1}(\ldots f_1^{-1}(R_0) \ldots))$
Lemma 5.5 (4) yields that $M_n \setminus CON$ is divergence-free, i.e., $M_n \setminus NEW$ is divergence-free. Hence by Lemma 4.1 we obtain that
$f_n^{-1}(\ldots (f_1^{-1}(M_0)) \ldots) \sqsubseteq_{TDI} M_n \setminus NEW$ (5)
or, equivalently, that the following theorem holds true.

Theorem 5.7 Let $M_0 \preccurlyeq M_1 \preccurlyeq \ldots \preccurlyeq M_n$ be a chain of refinement steps such that $A_0 = C_0 = \{\}$ and $A_n = \{\}$, refining events according to functions $f_i$, and let $NEW$ be the set of events as calculated above. Then
$M_0 \sqsubseteq_{TDI} f_1(f_2(\ldots f_n(M_n \setminus NEW) \ldots))$

Proof: This follows from the result in Line (5) above, using the CSP law $f(f^{-1}(P)) = P$. $\square$

This result guarantees that Event-B refinement (a) neither introduces "new traces on old events" nor (b) introduces divergences on new events. This gives us the precise account of Event-B refinement in terms of CSP which we were aiming at.

6 Conclusion

In this paper, we have given a CSP account of Event-B refinement. The approach builds on Butler's semantics for action systems [6].
Butler's refinement rules allow new convergent events to be introduced into action systems, so that refinement steps satisfy $M_i \sqsubseteq_{TDI} (M_{i+1} \setminus N_{i+1})$, and hiding new events does not introduce divergence. Abrial's approach to Event-B refinement generalises this approach, allowing new events to be anticipated as well as convergent, and also allowing splitting of events. Our approach to refinement using CSP semantics reflects this generalisation and thus extends Butler's, in order to encompass these different forms of event treatment in Event-B refinement. We do not yet handle merging events, and this is the subject of current research.

Recently, an Event-B‖CSP approach has been introduced [19]. It aims to combine Event-B machine descriptions with CSP [17] control processes, in order to support a more explicit view of control. In this, it follows previous works on integration of formal methods [7, 22, 15, 18, 12], which aim at complementing a state-based specification formalism with a process algebra. The account of refinement presented here provides the basis for a flexible refinement framework in Event-B‖CSP, and this is presented in [21]. The semantics justifies the introduction of a new status of devolved, for refinement events which are anticipated in the Event-B machine but convergent in the CSP controller. This approach has been applied to an initial Event-B‖CSP case study of a Bounded Retransmission Protocol [20]. We aim to investigate further case studies. We are in particular interested in finding out whether the work of showing divergence-freedom (and also deadlock-freedom) can be divided onto the Event-B and CSP part such that for some events convergence is guaranteed by showing the corresponding proof obligations in Event-B while for others we just look at divergence-freedom of the CSP process.
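As an added worked example (not part of the paper or of any Event-B tool), the construction of $NEW$ and $CON$ from Section 5 computed for a small constructed chain $M_0 \preccurlyeq M_1 \preccurlyeq M_2 \preccurlyeq M_3$: each step is checked against the disjoint-union equations behind (3) and (4), $g_{i,j}^{-1}$ is built by pulling a set back through $f_i, \ldots, f_j$, and the result confirms $C_n \uplus R_n = g_{1,n}^{-1}(R_0) \uplus NEW$ and $NEW = CON$. The `Machine` record, event names and mappings are all assumptions of this example.

```python
from dataclasses import dataclass, field

@dataclass
class Machine:
    """Machine M_i of a constructed chain: R ordinary, C convergent, A anticipated events;
    f = f_i maps each concrete event to its abstract event in M_{i-1}; N = N_i new events."""
    R: frozenset
    C: frozenset
    A: frozenset
    f: dict = field(default_factory=dict)
    N: frozenset = frozenset()

def alpha(m):        # full alphabet C_i + A_i + R_i of machine m
    return m.R | m.C | m.A
def preimage(f, S):  # f^{-1}(S): concrete events whose abstract image lies in S
    return frozenset(e for e, a in f.items() if a in S)
def g_inv(chain, i, j, S):
    """g_{i,j}^{-1}(S) = f_j^{-1}(... f_i^{-1}(S) ...): pull S from M_{i-1} down to M_j
    (with i = j + 1 nothing is applied, giving the trailing N_n and C_n terms)."""
    for k in range(i, j + 1):
        S = preimage(chain[k].f, S)
    return S
def check_step(prev, cur):  # the disjoint-union equations one step M_{j-1} <= M_j must satisfy
    inherited = preimage(cur.f, alpha(prev))
    assert alpha(cur) == inherited | cur.N and not (inherited & cur.N)
    assert cur.R == preimage(cur.f, prev.R | prev.C)  # R_j = f_j^-1(R_{j-1}) + f_j^-1(C_{j-1})
def new_and_con(chain):     # NEW and CON exactly as defined in the paper, n = len(chain) - 1
    n = len(chain) - 1
    new = frozenset().union(*(g_inv(chain, i + 1, n, chain[i].N) for i in range(1, n + 1)))
    con = frozenset().union(*(g_inv(chain, i + 1, n, chain[i].C) for i in range(n + 1)))
    return new, con
def analyse_chain(chain):   # check each step, then C_n + R_n = g_{1,n}^-1(R_0) + NEW, NEW = CON
    for prev, cur in zip(chain, chain[1:]):
        check_step(prev, cur)
    n, (new, con) = len(chain) - 1, new_and_con(chain)
    old = g_inv(chain, 1, n, chain[0].R)
    assert new == con and chain[n].C | chain[n].R == old | new and not (old & new)
    return new, old

# Constructed chain: M_0 has ordinary a, b; M_1 splits b and adds n1 (anticipated), n2 (convergent);
# M_2 makes n1 convergent and adds anticipated m; M_3 makes m convergent and adds convergent k.
M0 = Machine(frozenset({"a", "b"}), frozenset(), frozenset())
M1 = Machine(frozenset({"a1", "b1", "b2"}), frozenset({"n2"}), frozenset({"n1"}),
             {"a1": "a", "b1": "b", "b2": "b"}, frozenset({"n1", "n2"}))
M2 = Machine(frozenset({"a2", "b2a", "b2b", "n2x"}), frozenset({"n1x"}), frozenset({"m"}),
             {"a2": "a1", "b2a": "b1", "b2b": "b2", "n1x": "n1", "n2x": "n2"}, frozenset({"m"}))
M3 = Machine(frozenset({"a3", "b3a", "b3b", "n1y", "n2y"}), frozenset({"mx", "k"}), frozenset(),
             {"a3": "a2", "b3a": "b2a", "b3b": "b2b", "n1y": "n1x", "n2y": "n2x", "mx": "m"},
             frozenset({"k"}))
CHAIN = [M0, M1, M2, M3]   # A_0 = C_0 = {} and A_3 = {}, as Theorem 5.7 requires
```

Calling `analyse_chain(CHAIN)` returns the pair $(NEW, g_{1,3}^{-1}(R_0))$, i.e. the new events of $M_3$ that hiding removes and the refined images of the original events.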
The latter part could then be supported by model checking tools for CSP, like FDR [10].

References

[1] J-R. Abrial (2010): Modeling in Event-B: System and Software Engineering. Cambridge University Press.
[2] J-R. Abrial, M. J. Butler, S. Hallerstede, T. S. Hoang, F. Mehta & L. Voisin (2010): Rodin: an open toolset for modelling and reasoning in Event-B. STTT 12(6), pp. 447–466, doi:10.1007/s10009-010-0145-y.
[3] J-R. Abrial, M. J. Butler, S. Hallerstede & L. Voisin (2008): A Roadmap for the Rodin Toolset. In E. Börger, M. J. Butler, J. P. Bowen & P. Boca, editors: ABZ, Lecture Notes in Computer Science 5238, Springer, p. 347, doi:10.1007/978-3-540-87603-8.
[4] E. A. Boiten & J. Derrick (2009): Modelling Divergence in Relational Concurrent Refinement. In Michael Leuschel & Heike Wehrheim, editors: IFM, Lecture Notes in Computer Science 5423, Springer, pp. 183–199, doi:10.1007/978-3-642-00255-7.
[5] C. Bolton & J. Davies (2002): Refinement in Object-Z and CSP. In M. Butler, L. Petre & K. Sere, editors: IFM 2002: Integrated Formal Methods, LNCS 2335, pp. 225–244.
[6] M. J. Butler (1992): A CSP approach to Action Systems. DPhil thesis, Oxford University.
[7] M. J. Butler (2000): csp2B: A Practical Approach to Combining CSP and B. In: FACS, pp. 182–196.
[8] J. Derrick & E. A. Boiten (2001): Refinement in Z and Object-Z. Springer-Verlag, doi:10.1007/978-1-4471-0257-1.
[9] J. Derrick & E.A. Boiten (2003): Relational Concurrent Refinement. Formal Aspects of Computing 15(2-3), pp. 182–214, doi:10.1007/s00165-003-0007-4.
[10] Formal Systems (Europe) Ltd.: The FDR Model Checker. http://www.fsel.com/ (accessed 8/3/11).
[11] C.A.R. Hoare (1985): Communicating Sequential Processes. Prentice-Hall.
[12] A. Iliasov (2009): On Event-B and Control Flow. Technical Report CS-TR-1159, School of Computing Science, Newcastle University.
[13] C. Métayer, J.-R. Abrial & L. Voisin (2005): Event-B Language. RODIN Project Deliverable 3.2, http://rodin.cs.ncl.ac.uk/deliverables/D7.pdf, accessed 25/5/10.
[14] C. Morgan (1990): Of wp and CSP. In: Beauty is our business: a birthday salute to Edsger W. Dijkstra, Springer, pp. 319–326.
[15] E-R. Olderog & H. Wehrheim (2005): Specification and (property) inheritance in CSP-OZ. Sci. Comput. Program. 55(1-3), pp. 227–257, doi:10.1016/j.scico.2004.05.017.
[16] A.W. Roscoe (1998): Theory and Practice of Concurrency. Prentice-Hall.
[17] S. Schneider (1999): Concurrent and Real-time Systems: The CSP approach. Wiley.
[18] S. Schneider & H. Treharne (2005): CSP theorems for communicating B machines. Formal Asp. Comput. 17(4), pp. 390–422, doi:10.1007/s00165-005-0076-7.
[19] S. Schneider, H. Treharne & H. Wehrheim (2010): A CSP Approach to Control in Event-B. In Dominique Méry & Stephan Merz, editors: IFM, Lecture Notes in Computer Science 6396, Springer, pp. 260–274, doi:10.1007/978-3-642-16265-7.
[20] S. Schneider, H. Treharne & H. Wehrheim (2011): Bounded Retransmission in Event-B‖CSP: a Case Study. Technical Report CS-11-04, University of Surrey.
[21] S. Schneider, H. Treharne & H. Wehrheim (2011): Stepwise refinement in Event-B‖CSP. Technical Report CS-11-03, University of Surrey.
[22] J. Woodcock & A. Cavalcanti (2002): The Semantics of Circus. In D. Bert, J. P. Bowen, M. C. Henson & K. Robinson, editors: ZB, Lecture Notes in Computer Science 2272, Springer, pp. 184–203. Available at http://link.springer.de/link/service/series/0558/bibs/2272/22720184.htm.
