Tutorial Complete Model Checking: Difference between revisions
(Created page with 'Category:User Manual We assume that you have completed Tutorial First Model Checking. There we have seen how to find invariant violations using the model checker. In t…') |
No edit summary |
||
| Line 24: | Line 24: | ||
Note that the DEFINITION SET_PREF_MAX_OPERATIONS==5 means that ProB will compute at most 5 possible ways to execute any give operation (i.e., Increase and Reset in this case). We return to this issue below. | Note that the DEFINITION SET_PREF_MAX_OPERATIONS==5 means that ProB will compute at most 5 possible ways to execute any give operation (i.e., Increase and Reset in this case). We return to this issue below. | ||
== Successful Model Checking == | |||
Now select the "Model Check..." command in the "Verify" menu which brings up the model checking dialog box: | Now select the "Model Check..." command in the "Verify" menu which brings up the model checking dialog box: | ||
| Line 30: | Line 32: | ||
[[file:ProBModelCheckNoCounterExampleFound.png|center]] | [[file:ProBModelCheckNoCounterExampleFound.png|center]] | ||
This message means that ProB has examine all possible states of your B model and has found no invariant violation and no deadlock. | This message means that ProB has examine all possible states of your B model and has found no invariant violation and no deadlock. (In this case there are 4 states and one root node.) | ||
Does this mean that the B machine is guaranteed to be correct? Does this mean that the AtelierB provers will be able to prove the B machine correct? | |||
In this case yes, but in general we have to be very careful about interpreting a completed model check. | |||
Below we examine several issues that have to be considered. | |||
== Computing All Transitions == | |||
Let us now adapt the above B machine by changing the DEFINITION of MAX to 6. | |||
Now repeat the model checking exercise above. This time ProB will produce the following message: | |||
[[file:ProBModelCheckNoCounterExampleFoundTrans.png|center]] | |||
Again no invariant violations or deadlocks were found, but this time ProB warns us that not all transitions were computed. Indeed, the SET_PREF_MAX_OPERATIONS definition tells ProB to compute at most 5 ways to execute an operation. In this case, there are 6 ways to execute the Reset operation. As such, ProB may have missed certain states and thus may have missed an invariant violation. | |||
Indeed, when you double click on the "INITIALISATION(1)" entry in the "EnabledOperations" pane, you will see the following: | |||
[[file:ProBSimpleCounterForMC_Max.png|center]] | |||
The orange "max" button tells us that not all operations were computed. | |||
In this case, there was no error, but assume we change the definition of the Reset operation to | |||
<Pre> | |||
Reset = BEGIN count :: 1..MAX+1 END | |||
</Pre> | |||
and repeat the model checking. We will get the exact same result as above, but this time the machine is actually incorrect. | |||
The only way to solve this problem is to increase the "MAX_OPERATIONS" preference to a suitably large value, e.g., SET_PREF_MAX_OPERATIONS==10. | |||
Now model checking will find a counter example. | |||
[[file:ProBSimpleCounterForMC_InvViol.png|center]] | |||
Revision as of 08:51, 1 March 2011
We assume that you have completed Tutorial First Model Checking. There we have seen how to find invariant violations using the model checker.
In this part we use the following B Machine:
DEFINITIONS
MACHINE SimpleCounterForMC
DEFINITIONS MAX==4; SET_PREF_MAX_OPERATIONS==5
VARIABLES count
INVARIANT
count: 1..MAX
INITIALISATION count := 1
OPERATIONS
Increase(y) = PRE y: 1..(MAX-count) THEN
count := count+y
END;
Reset = BEGIN count :: 1..MAX END
END
To load this machine into ProB you can select "New..." from the "File" menu, choose a file name (e.g., "SimpleCounterForMC.mch") and then paste the text above into the ProB source pane and choose "Save and Reopen" from the "File" menu.
Note that the DEFINITION SET_PREF_MAX_OPERATIONS==5 means that ProB will compute at most 5 possible ways to execute any give operation (i.e., Increase and Reset in this case). We return to this issue below.
Successful Model Checking
Now select the "Model Check..." command in the "Verify" menu which brings up the model checking dialog box:
Now click the "Model Check" button. After a short while, ProB will give you the following message:
This message means that ProB has examine all possible states of your B model and has found no invariant violation and no deadlock. (In this case there are 4 states and one root node.)
Does this mean that the B machine is guaranteed to be correct? Does this mean that the AtelierB provers will be able to prove the B machine correct? In this case yes, but in general we have to be very careful about interpreting a completed model check. Below we examine several issues that have to be considered.
Computing All Transitions
Let us now adapt the above B machine by changing the DEFINITION of MAX to 6. Now repeat the model checking exercise above. This time ProB will produce the following message:
Again no invariant violations or deadlocks were found, but this time ProB warns us that not all transitions were computed. Indeed, the SET_PREF_MAX_OPERATIONS definition tells ProB to compute at most 5 ways to execute an operation. In this case, there are 6 ways to execute the Reset operation. As such, ProB may have missed certain states and thus may have missed an invariant violation.
Indeed, when you double click on the "INITIALISATION(1)" entry in the "EnabledOperations" pane, you will see the following:
The orange "max" button tells us that not all operations were computed.
In this case, there was no error, but assume we change the definition of the Reset operation to
Reset = BEGIN count :: 1..MAX+1 END
and repeat the model checking. We will get the exact same result as above, but this time the machine is actually incorrect. The only way to solve this problem is to increase the "MAX_OPERATIONS" preference to a suitably large value, e.g., SET_PREF_MAX_OPERATIONS==10. Now model checking will find a counter example.
