We assume that you have completed Tutorial Complete Model Checking.
Let us examine the following B machine:
MACHINE DoubleCounter VARIABLES counter INVARIANT counter:NATURAL & counter<=128 INITIALISATION counter:=8 OPERATIONS Double = PRE counter<100 THEN counter := 2*counter END; Halve = BEGIN counter := counter/2 END END
Now click the "Model Check" button. After a short while, ProB will give you the following message:
Is this model correct? As you will see, this depends on your point of view.
If you look purely at the state space of the machine (choose the View State Space command in the Animate menu) you get the following picture:
Indeed, all reachable states are correct, in the sense that the invariant counter:NATURAL & counter<=128 holds for all of those states.
However, you will not be able to prove the system correct using AtelierB or Rodin.
In addition to model checking, ProB also offers constraint-based checking (CBC), which is particularly useful when used in conjunction with proof. This will give us the clue as to why the above machine cannot be proven correct, and why it can also be viewed as incorrect.
Before proceeding, please ensure that you have either set the CLPFD preference to TRUE or have set the MAXINT preference to at least 130. This can be set by going to the "Animation Preferences" command in the Preferences menu or by adding for example the following to your file:
DEFINITIONS SET_PREF_CLPFD == TRUE
Let us choose the "Check Invariant Preservation for Operation" command inside the "Constraint Based Checking" submenu:
(You This will report an invariant violation and transport you to the following state:
As you can see, the Counter has the value 130, which clearly violates the invariant counter<=128. However, no value in the state space above did have this value for Counter. So how did we reach this error state? By pressing the left arrow in the "EnabledOperations" pane you will see the previous state that ProB has computed:
Now, while this state does not appear in the state space above either. However, this time this state does satisfy the invariant. Thus, if we ignore the initialisation and just look at the INVARIANT counter:NATURAL & counter<=128 as describing all possible states, then the machine is indeed erroneous: the operation Double lead us outside of the safe states. The operation Halve on the other hand is correct: for every possible state satisfying the INVARIANT the resulting successor state will also satisfy the INVARIANT.