UNIVERSITY OF SOUTHAMPTON Developing Verified Sequential Programs with Event-B by Mohammadsadegh Dalvandi A thesis submitted in partial fulfillment for the degree of Doctor of Philosophy in the Faculty of Physical Sciences and Engineering Electronics and Computer Science April 2018 UNIVERSITY OF SOUTHAMPTON ABSTRACT FACULTY OF PHYSICAL SCIENCES AND ENGINEERING ELECTRONICS AND COMPUTER SCIENCE Doctor of Philosophy by Mohammadsadegh Dalvandi The constructive approach to software correctness aims at formal modelling of the in- tended behaviour and structure of a system in different levels of abstraction and verifying properties of models. The target of analytical approach is to verify properties of the final program code. A high level look at these two approaches suggests that the con- structive and analytical approaches should complement each other well. The aim of this thesis is to build a link between Event-B (constructive approach) and Dafny (analytical approach) for developing sequential verified programs. The first contribution of this the- sis is a tool supported method for transforming Event-B models to simple Dafny code contracts (in the form of method pre- and post-conditions). Transformation of Event-B formal models to Dafny method declarations and code contracts is enabled by a set of transformation rules. Using this set of transformation rules, one can generate code contracts from Event-B models but not implementations. The generated code contracts must be seen as an interface that can be implemented. If there is an implementation that satisfies the generated contracts then it is considered to be a correct implementation of the abstract Event-B model. A tool for automatic transformation of Event-B models to simple Dafny code contracts is presented. The second contribution of this thesis is an approach for derivation of algorithmic structure in Event-B refinement. To facilitate this, we augment Event-B with a scheduling language that allows modeller to explicitly define the control flow between Event-B events in each refinement level. The schedul- ing language supports both non-deterministic (choices and iterations) and deterministic (conditionals and loops) control structures and treat Event-B events as its atoms. We provide a set of schedule refinement rules for refining an abstract scheduling language to a concrete program structure. We also provide a set of rules allowing the elimination of event guards at the concrete level. The final contribution of this thesis is a method for transforming scheduled Event-B models to Dafny code and contracts. We formulate the transformation of a scheduled Event-B model to Dafny program constructs and show how the actions of an atomic event can be sequentialised in the final program. We in- troduce an approach for generation of Dafny contracts in the form of assertions in order to verify the correctness of the sequentialisation. Contents Acknowledgements xv 1 Introduction1 1.1 Motivation: Linking Verification Methods...................3 1.2 Contributions....................................4 1.3 Publications.....................................6 1.4 Report Organisation................................6 2 Background9 2.1 Guarded Command Language..........................9 2.1.1 Weakest Pre-condition.......................... 10 2.2 Event-B....................................... 11 2.2.1 Structure and Notation.......................... 11 2.2.1.1 Context Structure....................... 12 2.2.1.2 Machine Structure....................... 12 2.2.2 Refinement in Event-B.......................... 13 2.2.3 Before-After Predicates.......................... 15 2.2.4 Proof Obligations in Event-B...................... 15 2.2.5 Merging Rules............................... 16 2.2.6 Rodin Platform.............................. 17 2.2.7 Theory Extension............................. 18 2.3 Hoare Logic..................................... 19 2.3.1 Rules of Hoare Logic........................... 20 2.3.1.1 The Assignment Axiom.................... 20 2.3.1.2 Pre-condition Strengthening................. 21 2.3.1.3 Post-condition Weakening.................. 21 2.3.1.4 The Composition Rule.................... 21 2.3.1.5 The Conditional Rule..................... 21 2.3.1.6 The WHILE Rule....................... 22 2.4 Refinement Calculus................................ 22 2.5 Design by Contract................................ 23 2.6 Dafny......................................... 23 2.6.1 Basics of Dafny.............................. 24 2.6.1.1 Methods............................. 24 2.6.1.2 Pre- and Post-conditions................... 25 2.6.1.3 Assertions............................ 26 2.6.1.4 Functions............................ 26 v vi CONTENTS 2.6.1.5 Loop Invariants......................... 27 2.6.1.6 Termination........................... 27 2.6.1.7 Predicates............................ 28 2.6.1.8 Framing............................. 28 2.6.1.9 Modules and Refinement................... 29 2.6.2 Dafny IDE................................. 30 2.7 Related Work to Development of Verified Programs Using Formal Mod- elling Languages.................................. 31 3 Transforming Event-B Models to Simple Dafny Code Contracts 35 3.1 Event-B to Dafny: The Core Idea........................ 36 3.1.1 A Demonstration............................. 36 3.1.2 Mapping Restrictions........................... 37 3.2 Transforming Event-B Machines to Dafny Classes.............. 38 3.2.1 Mapping Event-B Constructs to Dafny................ 38 3.2.2 Generic Types............................... 40 3.2.3 Variables.................................. 40 3.2.4 Invariants.................................. 40 3.3 Transforming Events to Annotated Method Declarations.......... 41 3.3.1 Event to Hoare Triple........................... 41 3.3.2 Method Constructor Statement..................... 42 3.3.3 Method Contract Generation...................... 43 3.3.3.1 Method Contract Generation From One Listed Event.. 43 3.3.3.2 Method Contract Generation From n Listed Events... 47 3.3.4 Proof Obligations............................. 49 3.3.4.1 Internal and Output Parameter Feasibility........ 49 3.3.4.2 Disjointness........................... 49 3.3.4.3 Completeness.......................... 50 3.3.5 Semantics.................................. 50 3.3.6 Refinement Proof............................. 52 3.4 Summary...................................... 56 4 Case Studies For Simple Dafny Code Contracts 57 4.1 Map Abstract Datatype.............................. 57 4.1.1 Event-B Model of the Map ADT.................... 57 4.1.2 Model Preparation and Transformation................ 59 4.1.2.1 Method Add .......................... 60 4.1.2.2 Method Remove ........................ 62 4.2 Stack Abstract Datatype............................. 63 4.2.1 Event-B Model of the Stack ADT................... 63 4.2.2 Model Preparation and Transformation................ 64 4.2.2.1 Push Method.......................... 64 4.2.2.2 Pop Method........................... 65 4.2.2.3 isEmpty Method........................ 66 4.3 Summary...................................... 68 5 Tool Support for Simple Contract Generation 69 CONTENTS vii 5.1 Tool Overview................................... 69 5.2 User Interface.................................... 70 5.3 Proof Obligation Generator............................ 71 5.4 Transformation................................... 72 5.5 Example: Map ADT................................ 73 5.6 Limitations..................................... 75 5.7 Summary...................................... 75 6 Scheduled Event-B: Derivation of Algorithmic Control Structures in Event-B Refinement 77 6.1 Introduction..................................... 77 6.2 Abstract Scheduling Language.......................... 79 6.2.1 Example: A Binary Search Algorithm................. 80 6.2.2 Abstract Schedule Semantics...................... 83 6.2.3 Abstract Schedule Refinement...................... 84 6.3 Refinement to Concrete Program Structures................. 89 6.3.1 Refining the Abstract Schedule of the Search Example....... 91 6.4 Guard Propagation Rules and Elimination Conditions........... 91 6.4.1 Enabledness and Guard Elimination Condition........... 94 6.5 Summary...................................... 95 7 Case Studies: Simple Sort and Schorr-Waite Marking Algorithms 97 7.1 Introduction..................................... 97 7.2 Case Study 1: Simple Sort Algorithm..................... 97 7.2.1 Abstract Specification.......................... 97 7.2.2 First Refinement.............................. 98 7.2.3 Second Refinement............................ 100 7.2.4 Third Refinement............................. 100 7.2.5 Guard Elimination Conditions..................... 102 7.3 Case Study 2: Schorr-Waite Marking Algorithm............... 103 7.3.1 The Algorithm............................... 104 7.3.2 The Development of the Algorithm.................. 105 7.3.2.1 Abstract Specification..................... 105 7.3.2.2 First Refinement........................ 106 7.3.2.3 Second Refinement....................... 107 7.3.2.4 Third and Fourth Refinements................ 109 7.3.2.5 Fifth Refinement........................ 110 7.3.2.6 Sixth Refinement........................ 112 7.3.2.7 Seventh Refinement...................... 112 7.4 Summary...................................... 114 8 Transforming Scheduled Event-B to Code and Contract 117 8.1 Introduction..................................... 117 8.2 Modelling Structured Data Types in Event-B................. 118 8.3 Transforming