ProB Documentation - User contributions [en]

ProBLicence

2025-07-18T13:54:17Z

Vella:

[[Category:User Manual]]

== ProB Licence ==

The ProB source code is distributed under the [http://www.eclipse.org/org/documents/epl-v10.html EPL v1.0 license] (see also [[Getting_Involved|Getting Involved]]).

(C) 2000-2025 Michael Leuschel and many others.

ProB comes with ABSOLUTELY NO WARRANTY OF ANY KIND !
This software is distributed in the hope that it will be useful
but WITHOUT ANY WARRANTY. The author(s) do not accept responsibility
to anyone for the consequences of using it or for whether it serves
any particular purpose or works at all. No warranty is made about
the software or its performance.

The ProB binary and source distributions of version 1.15.0 and below contain the nauty library before version 2.6. You cannot use nauty symmetry reduction for applications with nontrivial military
significance, see https://pallini.di.uniroma1.it/.

For availability of commercial support, please contact [http://stups.hhu.de/w/Prof._Dr._Michael_Leuschel Michael Leuschel] or [http://www.formalmind.com/ Formal Mind].

Bugs

2025-06-18T08:59:59Z

Vella: /* Version Information */

Note: we have migrated our issues to the [https://github.com/hhu-stups/prob-issues/issues prob-issues] GitHub project.
Use this [https://github.com/hhu-stups/prob-issues/issues/new link to add a new issue].

=== Version Information ===
Typically it is helpful for us to know as much information as possible about your environment:
* the operating system you are using (Windows, macOS, Linux) and which version thereof
* which version of ProB you are using, which can be obtained as follows
** for probcli you can use the command: <tt>probcli -version -v</tt>
** in ProB Tcl/Tk you can use the "About ProB" menu command
** in ProB2-UI you can use the "About ProB2" menu command, which gives you the version of ProB2 UI, the version of the Java ProB API, the version of probcli, the version of the parser and the Java version. The dialog has a "Copy" button for your convenience.
* when having issues with visualization and you use a local version of dot/graphviz or plantuml we need that version as well

=== Console Output ===
For ProB2-UI the following information can also be helpful to us:
* either the output on the console, if you have started ProB2-UI inside a terminal or a console
** on Windows, there is a separate Start Menu entry for starting ProB2-UI with a visible console window
* the contents of the ProB2-UI logfile named "ProB2UI.log" which can be found inside your home directory inside the ".prob" folder
* alternatively, the contents of the ProB2-UI Prolog console, which is available in the Advanced menu using the "ProB Core Console" command. This contains less information than the full log, but can still be very helpful to diagnose issues.

=== Old Bug Tracker ===

If you want, you can also use our old bug tracker to submit a report
<html>
<a id="myCustomTrigger">Jira bug tracker</a>
<script
src="https://code.jquery.com/jquery-2.2.4.min.js"
integrity="sha256-BbhdlvQf/xTY9gja0Dq3HiwQF8LaCRTXxZKRutelT44="
crossorigin="anonymous"></script>

<script type="text/javascript" src="https://probjira.atlassian.net/s/d41d8cd98f00b204e9800998ecf8427e-T/-w0bwo4/b/14/a44af77267a987a660377e5c46e0fb64/_/download/batch/com.atlassian.jira.collector.plugin.jira-issue-collector-plugin:issuecollector/com.atlassian.jira.collector.plugin.jira-issue-collector-plugin:issuecollector.js?locale=en-US&collectorId=9e060bbf"></script>

<script type="text/javascript">window.ATL_JQ_PAGE_PROPS = {
"triggerFunction": function(showCollectorDialog) {
//Requires that jQuery is available!
jQuery("#myCustomTrigger").click(function(e) {
e.preventDefault();
showCollectorDialog();
});
}};</script>
</html>
(in case this link does not work in your browser you can go directly to https://probjira.atlassian.net/secure/Dashboard.jspa)
You may also want to ask questions within our [https://groups.google.com/d/forum/prob-users prob-users group].

We use a free [http://www.atlassian.com/software/views/open-source-license-request/ Open Source license] from Atlassian!

[[Image:jira.png|200px|]]

JSON and Sockets

2025-04-04T12:09:48Z

Vella: /* Example Machine */

== Introduction ==

ProB contains external functions to read and write JSON data and to communicate via sockets using JSON-RPC:

* <tt>LibraryJSON.def</tt> and <tt>LibraryJSON.mch</tt> providing the functions <tt>READ_JSON</tt>, <tt>READ_JSON_FROM_STRING</tt>, <tt>WRITE_JSON</tt>, <tt>WRITE_JSON_TO_STRING</tt> and the freetype <tt>JsonValue</tt> to read and write JSON data.

* <tt>LibraryZMQ_RPC.def</tt> and <tt>LibraryZMQ_RPC.mch</tt>: providing access to a JSON-RPC (Remote Procedure Call) protocol implementation either over regular sockets or ZMQ sockets.

We have used this library to control Crazyflie drones via ProB:
[[File:prob_drone.jpeg||800px]]

== JSON Library ==

<tt>LibraryJSON.mch</tt> defines a FREETYPE to represent [https://json.org/ JSON] data in a type-safe way:
<pre>
JsonValue = JsonNull,
JsonBoolean(BOOL),
JsonNumber(FLOAT),
JsonString(STRING),
JsonArray(seq(JsonValue)),
JsonObject(STRING +-> JsonValue)
</pre>
[[Free Types]] are inductive data types.
They are not standard B, but stem from Z and Rodin's theory plug-in.

<tt>JsonValue</tt> maps quite naturally to the specification of JSON itself.

<tt>LibraryJSON.def</tt> contains the definitions for the the external functions to interact with JSON text data:
* <tt>READ_JSON(file)</tt>
** Type Signature: <tt>STRING --> JsonValue</tt>
** Reads a file path on the disk and parses the contained JSON data into the freetype representation.
** Warning: this function does external IO and should be guarded by a <tt>MAX_OPERATIONS == 0</tt> definition
* <tt>READ_JSON_FROM_STRING(contents)</tt>
** Type Signature: <tt>STRING --> JsonValue</tt>
** Parses the given JSON text into the freetype representation.
* <tt>WRITE_JSON (json, file)</tt>
** Type Signature: <tt>JsonValue * STRING</tt> (predicate, always returns <tt>true</tt>)
** Converts the given JSON data from the freetype representation into text and writes it to the given file path.
** Warning: this function does external IO and should be guarded by a <tt>MAX_OPERATIONS == 0</tt> definition
* <tt>WRITE_JSON_TO_STRING(json)</tt>
** Type Signature: <tt>JsonValue --> STRING</tt>
** Converts the given JSON data from the freetype representation into text.

You need to include both <tt>LibraryJson.def</tt> and <tt>LibraryJson.mch</tt> to interact with JSON. One contains the freetype definition, the other one the external function definitions.

== JSON-RPC Library ==

Implements the [http://jsonrpc.org/spec JSON RPC] protocol.

Despite their names the <tt>LibraryZMQ_RPC</tt> libraries can use both [https://zeromq.org/ ZeroMQ] library and native sockets.

<tt>LibraryZMQ_RPC.mch</tt> defines a FREETYPE to represent JSON-RPC response object in a type-safe way:
<pre>
RpcResult = RpcSuccess(JsonValue), RpcError(STRING)
</pre>

<tt>LibraryZMQ_RPC.def</tt> contains the definitions for the the external functions to interact with JSON RPC as a client or server:
* <tt>ZMQ_RPC_INIT(endpoint)</tt>
** Type Signature: <tt>STRING --> SOCKET</tt>
** Creates a ZMQ socket for RPC with the ZMQ library and binds it to the given endpoint.
** Warning: this function does external IO and should be guarded by a <tt>MAX_OPERATIONS == 0</tt> definition
* <tt>SOCKET_RPC_INIT(port)</tt>
** Type Signature: <tt>INTEGER --> SOCKET</tt>
** Creates a native socket for RPC and binds it to the given port.
** Warning: this function does external IO and should be guarded by a <tt>MAX_OPERATIONS == 0</tt> definition
* <tt>ZMQ_RPC_DESTROY(socket)</tt>
** Type Signature: <tt>SOCKET</tt> (substitution, no return value)
** Closes the given ZMQ or native socket.
** Note: despite its name this function works with both ZMQ and native sockets
** Warning: this substitution does external IO and should be guarded by a <tt>MAX_OPERATIONS == 0</tt> definition
* <tt>ZMQ_RPC_SEND(socket, name, args)</tt>
** Type Signature: <tt>(SOCKET*STRING*(STRING+->JsonValue)) --> RpcResult</tt>
** Sends a JSON-RPC request object over the given ZMQ or native socket.
** Note: despite its name this function works with both ZMQ and native sockets
** Warning: this function does external IO and should be guarded by a <tt>MAX_OPERATIONS == 0</tt> definition
* <tt>SOCKET_RPC_ACCEPT(port)</tt>
** Type Signature: <tt>INTEGER --> JsonValue</tt>
** Open a native server socket, wait for a client to connect, receive a JSON-RPC request object and return it.
** Warning: this function does external IO and should be guarded by a <tt>MAX_OPERATIONS == 0</tt> definition
* <tt>SOCKET_RPC_REPLY(port,rpcresult)</tt>
** Type Signature: <tt>(INTEGER * RpcResult) --> BOOL</tt>
** Respond to a previously received JSON-RPC request object with the given JSON-RPC response object. Will always return <tt>TRUE</tt>.
** Note: must be called right after <tt>SOCKET_RPC_ACCEPT</tt>
** Warning: this function does external IO and should be guarded by a <tt>MAX_OPERATIONS == 0</tt> definition
<tt>LibraryZMQ_RPC.def</tt> will transitively include <tt>LibraryJson.def</tt>.

You need to include all of <tt>LibraryJson.mch</tt>, <tt>LibraryZMQ_RPC.def</tt> and <tt>LibraryZMQ_RPC.mch</tt> to interact with JSON-RPC, because the freetype definitions have to be separate from the external function definitions.

== Example Machine ==
This is an excerpt from the B machine used to communicate with the Crazyflie drone.
Parallel to this a Python script is running, which implements all the JSON-RPC methods and uses [https://pypi.org/project/cflib/ <tt>cflib</tt>] to communicate with the drone over radio.
<pre>
MACHINE DroneCommunicator USES LibraryJSON, LibraryZMQ_RPC
DEFINITIONS
"LibraryZMQ_RPC.def";
"LibraryReals.def";
SET_PREF_MAX_OPERATIONS == 0;
CONSTANTS DRONE_URL
PROPERTIES DRONE_URL:STRING & DRONE_URL = "radio://0/80/2M/5700B500F7"
VARIABLES init, socket, cycle
INVARIANT
init:BOOL &
socket:SOCKET &
cycle:INTEGER
INITIALISATION
init := FALSE;
socket := 0;
cycle := 1

OPERATIONS
Init =
SELECT init = FALSE THEN
socket := ZMQ_RPC_INIT("tcp://localhost:22272");
init := TRUE
END;

Destroy =
SELECT init = TRUE THEN
ZMQ_RPC_DESTROY(socket);
init := FALSE
END;

register_sensors =
SELECT init = TRUE THEN
VAR res IN
res := RpcSuccess~(ZMQ_RPC_SEND(socket, "register_log", {
("url" |-> JsonString(DRONE_URL)),
("name" |-> JsonString("Telemetry")),
("variables" |-> JsonArray([
JsonString("stateEstimate.x"),
JsonString("stateEstimate.y"),
JsonString("stateEstimate.z"),
JsonString("stateEstimate.roll"),
JsonString("stateEstimate.pitch"),
JsonString("stateEstimate.yaw")
]))}));
END
END;

Drone_Takeoff =
SELECT init = TRUE THEN
VAR res IN
res := RpcSuccess~(ZMQ_RPC_SEND(socket, "takeoff", {("url" |-> JsonString(DRONE_URL))}))
END
END;

Drone_Land =
SELECT init = TRUE THEN
VAR res IN
res := RpcSuccess~(ZMQ_RPC_SEND(socket, "land", {("url" |-> JsonString(DRONE_URL))}))
END
END;

Drone_Left(dist) =
SELECT
init = TRUE &
dist : 0..2000
THEN
VAR res IN
res := RpcSuccess~(ZMQ_RPC_SEND(socket, "left", {("url" |-> JsonString(DRONE_URL)), ("distance" |-> JsonNumber(RDIV(real(dist), real(1000))))}))
END
END;

Drone_Right(dist) =
SELECT
init = TRUE &
dist : 0..2000
THEN
VAR res IN
res := RpcSuccess~(ZMQ_RPC_SEND(socket, "right", {("url" |-> JsonString(DRONE_URL)), ("distance" |-> JsonNumber(RDIV(real(dist), real(1000))))}))
END
END;

Drone_Up(dist) =
SELECT
init = TRUE &
dist : 0..2000
THEN
VAR res IN
res := RpcSuccess~(ZMQ_RPC_SEND(socket, "up", {("url" |-> JsonString(DRONE_URL)), ("distance" |-> JsonNumber(RDIV(real(dist), real(1000))))}))
END
END;

Drone_Down(dist) =
SELECT
init = TRUE &
dist : 0..2000
THEN
VAR res IN
res := RpcSuccess~(ZMQ_RPC_SEND(socket, "down", {("url" |-> JsonString(DRONE_URL)), ("distance" |-> JsonNumber(RDIV(real(dist), real(1000))))}))
END
END;

Drone_Forward(dist) =
SELECT
init = TRUE &
dist : 0..2000
THEN
VAR res IN
res := RpcSuccess~(ZMQ_RPC_SEND(socket, "forward", {("url" |-> JsonString(DRONE_URL)), ("distance" |-> JsonNumber(RDIV(real(dist), real(1000))))}))
END
END;

Drone_Backward(dist) =
SELECT
init = TRUE &
dist : 0..2000
THEN
VAR res IN
res := RpcSuccess~(ZMQ_RPC_SEND(socket, "backward", {("url" |-> JsonString(DRONE_URL)), ("distance" |-> JsonNumber(RDIV(real(dist), real(1000))))}))
END
END;

out <-- Drone_GetX =
SELECT init = TRUE THEN
out := floor(1000.0 * JsonNumber~(RpcSuccess~(ZMQ_RPC_SEND(socket, "get_log_var", {("url" |-> JsonString(DRONE_URL)), ("name" |-> JsonString("stateEstimate.x"))}))));
cycle := cycle + 1
END
END
</pre>

JSON and Sockets

2025-04-04T12:05:49Z

Vella:

== Introduction ==

ProB contains external functions to read and write JSON data and to communicate via sockets using JSON-RPC:

* <tt>LibraryJSON.def</tt> and <tt>LibraryJSON.mch</tt> providing the functions <tt>READ_JSON</tt>, <tt>READ_JSON_FROM_STRING</tt>, <tt>WRITE_JSON</tt>, <tt>WRITE_JSON_TO_STRING</tt> and the freetype <tt>JsonValue</tt> to read and write JSON data.

* <tt>LibraryZMQ_RPC.def</tt> and <tt>LibraryZMQ_RPC.mch</tt>: providing access to a JSON-RPC (Remote Procedure Call) protocol implementation either over regular sockets or ZMQ sockets.

We have used this library to control Crazyflie drones via ProB:
[[File:prob_drone.jpeg||800px]]

== JSON Library ==

<tt>LibraryJSON.mch</tt> defines a FREETYPE to represent [https://json.org/ JSON] data in a type-safe way:
<pre>
JsonValue = JsonNull,
JsonBoolean(BOOL),
JsonNumber(FLOAT),
JsonString(STRING),
JsonArray(seq(JsonValue)),
JsonObject(STRING +-> JsonValue)
</pre>
[[Free Types]] are inductive data types.
They are not standard B, but stem from Z and Rodin's theory plug-in.

<tt>JsonValue</tt> maps quite naturally to the specification of JSON itself.

<tt>LibraryJSON.def</tt> contains the definitions for the the external functions to interact with JSON text data:
* <tt>READ_JSON(file)</tt>
** Type Signature: <tt>STRING --> JsonValue</tt>
** Reads a file path on the disk and parses the contained JSON data into the freetype representation.
** Warning: this function does external IO and should be guarded by a <tt>MAX_OPERATIONS == 0</tt> definition
* <tt>READ_JSON_FROM_STRING(contents)</tt>
** Type Signature: <tt>STRING --> JsonValue</tt>
** Parses the given JSON text into the freetype representation.
* <tt>WRITE_JSON (json, file)</tt>
** Type Signature: <tt>JsonValue * STRING</tt> (predicate, always returns <tt>true</tt>)
** Converts the given JSON data from the freetype representation into text and writes it to the given file path.
** Warning: this function does external IO and should be guarded by a <tt>MAX_OPERATIONS == 0</tt> definition
* <tt>WRITE_JSON_TO_STRING(json)</tt>
** Type Signature: <tt>JsonValue --> STRING</tt>
** Converts the given JSON data from the freetype representation into text.

You need to include both <tt>LibraryJson.def</tt> and <tt>LibraryJson.mch</tt> to interact with JSON. One contains the freetype definition, the other one the external function definitions.

== JSON-RPC Library ==

Implements the [http://jsonrpc.org/spec JSON RPC] protocol.

Despite their names the <tt>LibraryZMQ_RPC</tt> libraries can use both [https://zeromq.org/ ZeroMQ] library and native sockets.

<tt>LibraryZMQ_RPC.mch</tt> defines a FREETYPE to represent JSON-RPC response object in a type-safe way:
<pre>
RpcResult = RpcSuccess(JsonValue), RpcError(STRING)
</pre>

<tt>LibraryZMQ_RPC.def</tt> contains the definitions for the the external functions to interact with JSON RPC as a client or server:
* <tt>ZMQ_RPC_INIT(endpoint)</tt>
** Type Signature: <tt>STRING --> SOCKET</tt>
** Creates a ZMQ socket for RPC with the ZMQ library and binds it to the given endpoint.
** Warning: this function does external IO and should be guarded by a <tt>MAX_OPERATIONS == 0</tt> definition
* <tt>SOCKET_RPC_INIT(port)</tt>
** Type Signature: <tt>INTEGER --> SOCKET</tt>
** Creates a native socket for RPC and binds it to the given port.
** Warning: this function does external IO and should be guarded by a <tt>MAX_OPERATIONS == 0</tt> definition
* <tt>ZMQ_RPC_DESTROY(socket)</tt>
** Type Signature: <tt>SOCKET</tt> (substitution, no return value)
** Closes the given ZMQ or native socket.
** Note: despite its name this function works with both ZMQ and native sockets
** Warning: this substitution does external IO and should be guarded by a <tt>MAX_OPERATIONS == 0</tt> definition
* <tt>ZMQ_RPC_SEND(socket, name, args)</tt>
** Type Signature: <tt>(SOCKET*STRING*(STRING+->JsonValue)) --> RpcResult</tt>
** Sends a JSON-RPC request object over the given ZMQ or native socket.
** Note: despite its name this function works with both ZMQ and native sockets
** Warning: this function does external IO and should be guarded by a <tt>MAX_OPERATIONS == 0</tt> definition
* <tt>SOCKET_RPC_ACCEPT(port)</tt>
** Type Signature: <tt>INTEGER --> JsonValue</tt>
** Open a native server socket, wait for a client to connect, receive a JSON-RPC request object and return it.
** Warning: this function does external IO and should be guarded by a <tt>MAX_OPERATIONS == 0</tt> definition
* <tt>SOCKET_RPC_REPLY(port,rpcresult)</tt>
** Type Signature: <tt>(INTEGER * RpcResult) --> BOOL</tt>
** Respond to a previously received JSON-RPC request object with the given JSON-RPC response object. Will always return <tt>TRUE</tt>.
** Note: must be called right after <tt>SOCKET_RPC_ACCEPT</tt>
** Warning: this function does external IO and should be guarded by a <tt>MAX_OPERATIONS == 0</tt> definition
<tt>LibraryZMQ_RPC.def</tt> will transitively include <tt>LibraryJson.def</tt>.

You need to include all of <tt>LibraryJson.mch</tt>, <tt>LibraryZMQ_RPC.def</tt> and <tt>LibraryZMQ_RPC.mch</tt> to interact with JSON-RPC, because the freetype definitions have to be separate from the external function definitions.

== Example Machine ==
This is an excerpt from the B machine used to communicate with the Crazyflie drone.
<pre>
MACHINE DroneCommunicator USES LibraryJSON, LibraryZMQ_RPC
DEFINITIONS
"LibraryZMQ_RPC.def";
"LibraryReals.def";
SET_PREF_MAX_OPERATIONS == 0;
CONSTANTS DRONE_URL
PROPERTIES DRONE_URL:STRING & DRONE_URL = "radio://0/80/2M/5700B500F7"
VARIABLES init, socket, cycle
INVARIANT
init:BOOL &
socket:SOCKET &
cycle:INTEGER
INITIALISATION
init := FALSE;
socket := 0;
cycle := 1

OPERATIONS
Init =
SELECT init = FALSE THEN
socket := ZMQ_RPC_INIT("tcp://localhost:22272");
init := TRUE
END;

Destroy =
SELECT init = TRUE THEN
ZMQ_RPC_DESTROY(socket);
init := FALSE
END;

register_sensors =
SELECT init = TRUE THEN
VAR res IN
res := RpcSuccess~(ZMQ_RPC_SEND(socket, "register_log", {
("url" |-> JsonString(DRONE_URL)),
("name" |-> JsonString("Telemetry")),
("variables" |-> JsonArray([
JsonString("stateEstimate.x"),
JsonString("stateEstimate.y"),
JsonString("stateEstimate.z"),
JsonString("stateEstimate.roll"),
JsonString("stateEstimate.pitch"),
JsonString("stateEstimate.yaw")
]))}));
END
END;

Drone_Takeoff =
SELECT init = TRUE THEN
VAR res IN
res := RpcSuccess~(ZMQ_RPC_SEND(socket, "takeoff", {("url" |-> JsonString(DRONE_URL))}))
END
END;

Drone_Land =
SELECT init = TRUE THEN
VAR res IN
res := RpcSuccess~(ZMQ_RPC_SEND(socket, "land", {("url" |-> JsonString(DRONE_URL))}))
END
END;

Drone_Left(dist) =
SELECT
init = TRUE &
dist : 0..2000
THEN
VAR res IN
res := RpcSuccess~(ZMQ_RPC_SEND(socket, "left", {("url" |-> JsonString(DRONE_URL)), ("distance" |-> JsonNumber(RDIV(real(dist), real(1000))))}))
END
END;

Drone_Right(dist) =
SELECT
init = TRUE &
dist : 0..2000
THEN
VAR res IN
res := RpcSuccess~(ZMQ_RPC_SEND(socket, "right", {("url" |-> JsonString(DRONE_URL)), ("distance" |-> JsonNumber(RDIV(real(dist), real(1000))))}))
END
END;

Drone_Up(dist) =
SELECT
init = TRUE &
dist : 0..2000
THEN
VAR res IN
res := RpcSuccess~(ZMQ_RPC_SEND(socket, "up", {("url" |-> JsonString(DRONE_URL)), ("distance" |-> JsonNumber(RDIV(real(dist), real(1000))))}))
END
END;

Drone_Down(dist) =
SELECT
init = TRUE &
dist : 0..2000
THEN
VAR res IN
res := RpcSuccess~(ZMQ_RPC_SEND(socket, "down", {("url" |-> JsonString(DRONE_URL)), ("distance" |-> JsonNumber(RDIV(real(dist), real(1000))))}))
END
END;

Drone_Forward(dist) =
SELECT
init = TRUE &
dist : 0..2000
THEN
VAR res IN
res := RpcSuccess~(ZMQ_RPC_SEND(socket, "forward", {("url" |-> JsonString(DRONE_URL)), ("distance" |-> JsonNumber(RDIV(real(dist), real(1000))))}))
END
END;

Drone_Backward(dist) =
SELECT
init = TRUE &
dist : 0..2000
THEN
VAR res IN
res := RpcSuccess~(ZMQ_RPC_SEND(socket, "backward", {("url" |-> JsonString(DRONE_URL)), ("distance" |-> JsonNumber(RDIV(real(dist), real(1000))))}))
END
END;

out <-- Drone_GetX =
SELECT init = TRUE THEN
out := floor(1000.0 * JsonNumber~(RpcSuccess~(ZMQ_RPC_SEND(socket, "get_log_var", {("url" |-> JsonString(DRONE_URL)), ("name" |-> JsonString("stateEstimate.x"))}))));
cycle := cycle + 1
END
END
</pre>

JSON and Sockets

2025-04-04T11:48:54Z

Vella:

SimB

2025-02-19T18:46:19Z

Vella: /* Direct Activation */

== SimB ==

Additional documentation is available here: [https://github.com/hhu-stups/prob2_ui/blob/develop/src/main/helpsources/help_en/Main%20Menu/Advanced/SimB.md SimB Documentation]

SimB is a simulator built on top of ProB. It is available in the latest SNAPSHOT version in the new JavaFX based user interface [[ProB2-UI]] (https://github.com/hhu-stups/prob2_ui), The modeler can write SimB annotations for a formal model to simulate it. Examples are available at https://github.com/favu100/SimB-examples.
Furthermore, it is then possible to validate probabilistic and timing properties with statistical validation techniques such as hypothesis testing and estimation.

SimB also contains a feature called interactive simulation.
This feature allows user interaction to trigger a simulation.
For interactive simulation, a modeler has to encode SimB listeners on events, triggering a SimB simulation.
Interactive Simulation examples are available at https://github.com/favu100/SimB-examples/tree/main/Interactive_Examples.

More recently, SimB is extended by a new feature which makes it possible to load an Reinforcement learning Agent.
Technically, each step of the RL agent is converted into a SimB activation.
In order to simulate a RL agent in SimB, one must (1) create a formal B model for the RL agent, and (2) create a mapping between the state in the RL agent and the formal model, and (3) provide information to the formal B model again.
Reinforcement Learning examples are available at: https://github.com/hhu-stups/reinforcement-learning-b-models

== Citing SimB ==
To cite SimB as a tool, its timing or probabilistic simulation features, or SimBs statistical validation techniques, please use:
<pre>
@InProceedings{simb,
Author = {Vu, Fabian and Leuschel, Michael and Mashkoor, Atif},
Title = {{Validation of Formal Models by Timed Probabilistic Simulation}},
Booktitle = {Proceedings ABZ},
Year = 2021,
Series = {LNCS},
Volume = {12709},
Pages = {81--96}
}
</pre>

To cite SimBs interactive simulation, please use:

<pre>
@InProceedings{simb,
Author = {Vu, Fabian and Leuschel, Michael},
Title = {{Validation of Formal Models by Interactive Simulation}},
Booktitle = {Proceedings ABZ},
Year = 2023
Series = {LNCS},
Volume = {14010},
Pages = {59--69}
}
</pre>

==Using SimB ==

Start SimB via "SimB" in the "Advanced" Menu after opening a machine.

[[File:Open_SimB.png|800px]]

Now, you can open a SimB file (JSON format) controlling the underlying formal model.

[[File:SimB_Window.png|800px]]

A SimB file consists of SimB activations and SimB listeners to simulate the model.
SimB activations encode an activation diagram with probabilistic and timing elements for automatic simulation.
To enable interactive simulation, it is also necessary to encode interactive elements aka. SimB listeners which trigger other SimB activations.
Within these elements, the modeler can user B expressions which are evaluated on the current state.

The general structure of a SimB simulation is as follows:

<pre>
{
"activations": [...]
"listeners": [...]
}
</pre>

<tt>activations</tt> stores SimB activations, while <tt>listeners</tt> stores SimB listeners.
<tt>activations</tt> must be encoded, <tt>listeners</tt> is optional and defaults to the empty list.

== Probabilistic and Timing Elements in SimB ==

The SimB file always contains an <tt>activations</tt> field storing a list of probabilistic and timing elements to control the simulation. Probabilistic values are always interpreted as weights and thus may sum to any number greater than zero.
There are two types of activations: direct activation and probabilistic choice.
All activations are identified by their <tt>id</tt>.

===Direct Activation ===

A direct activation activates an event to be executed in the future.
It requires the fields <tt>id</tt>, and <tt>execute</tt> to be defined.
All other fields can be defined optionally.

* <tt>execute</tt> identifies the activated event by its name.
* <tt>after</tt> defines the scheduled time (in ms) when activating an event. By default, it is set to 0 ms, e.g., when this field is not defined explicitly.
* <tt>activating</tt> stores events that will be activated when executing the event defined by <tt>execute</tt>. Missing definition leads to the behavior that no other events are activated. The modeler can either write a String (to activate a single event) or a list of Strings (to activate multiple events)
* <tt>activationKind</tt> stores the kind of activation for <tt>execute</tt>. Possible options are <tt>multi</tt>, <tt>single</tt>, <tt>single:min</tt>, and <tt>single:max</tt>. The default value is <tt>multi</tt>
** <tt>multi</tt> means that the activation will be queued for execution.
** <tt>single</tt> means that the activation will only be queued if there are no queued activations with the same <tt>id</tt>
** <tt>single:min</tt> means that the activation will only be queued if (1) there are no queued activations for the same <tt>id</tt> or (2) there is a queued activation with the same <tt>id</tt> whose value for the scheduled time is greater. In the case of (2), the already queued activation will be discarded.
** <tt>single:max</tt> means that the activation will only be queued if (1) there are no queued activations for the same <tt>id</tt> or (2) there is a queued activation with the same <tt>id</tt> whose value for the scheduled time is lower. In the case of (2), the already queued activation will be discarded.
* <tt>additionalGuards</tt> stores optional guards when executing the event stored in <tt>execute</tt>
* <tt>fixedVariables</tt> stores a Map. Here, a variable (parameter, or non-deterministic assigned variable) is assigned to its value.
* <tt>probabilisticVariables</tt>stores a Map. Here a variable (parameter, or non-deterministic assigned variable) is assigned to another Map defining the probabilistic choice of its value. The second Map stores Key-Value pairs where values are mapped to the probability/weight.
* <tt>transitionSelection</tt> determines how SimB choses from multiple possible transitions (due to not specified variables):
** <tt>first</tt> (the default) means that the first transition is chosen for execution.
** <tt>uniform</tt> means that a transition is selected from all alternatives uniformly.
* <tt>priority</tt> stores the priority for scheduling <tt>execute</tt>. Lower number means greater priority.

<pre>
{
"id": ...
"execute": ...
"after": ...
"activating": ...
"activationKind": ...
"additionalGuards": ...
"fixedVariables": ....
"probabilisticVariables": ....
"transitionSelection": ...,
"priority": ...
}
</pre>

=== Probabilistic Choice ===

A probabilistic choice selects an event to be executed in the future.
It requires the two fields <tt>id</tt>, and <tt>chooseActivation</tt>. <tt>chooseActivation</tt> is a Map storing Key-Value pairs where activations (identified by their <tt>id</tt>) are mapped to a probability/weight. It is possible to chain multiple probabilistic choices together, but eventually, a direct activation must be reached.
The probabilities are always interpreted as weights and may sum to any number greater than zero.
Thus, a <tt>probabilistic choice</tt> is of the following form:

<pre>
{
"id": ...
"chooseActivation": ...
}
</pre>

In the following, an example for a SimB file controlling a Traffic Lights for cars and pedestrians (with timing and probabilistic behavior) is shown:

<pre>
{
"activations": [
{"id":"$initialise_machine", "execute":"$initialise_machine", "activating":"choose"},
{"id":"choose", "chooseActivation":{"cars_ry": "0.8", "peds_g": "0.2"}},
{"id":"cars_ry", "execute":"cars_ry", "after":5000, "activating":"cars_g"},
{"id":"cars_g", "execute":"cars_g", "after":500, "activating":"cars_y"},
{"id":"cars_y", "execute":"cars_y", "after":5000, "activating":"cars_r"},
{"id":"cars_r", "execute":"cars_r", "after":500, "activating":"choose"},
{"id":"peds_g", "execute":"peds_g", "after":5000, "activating":"peds_r"},
{"id":"peds_r", "execute":"peds_r", "after":5000, "activating":"choose"}
]
}
</pre>

== Interactive Elements in SimB ==

Interactive elements in SimB are so called SimB listeners.
A SimB listener consists of four fields <tt>id</tt>, <tt>event</tt>, <tt>predicate</tt>, and <tt>activating</tt>.
This means that the SimB listener associated with <tt>id</tt> listens on a manual/user interaction on <tt>event</tt> with <tt>predicate</tt> after which activations in <tt>activating</tt> are triggered.
<tt>predicate</tt> is optional and defaults to <tt>1=1</tt>.
Manual/User interaction is recognized via VisB and ProB's Operations View.

<pre>
{
"id": ...
"event": ...
"predicate": ...
"activating": [...]
}
</pre>

In the following, we parts of a SimB simulation from an automotive case study.
The SimB simulation contains a SimB listener which is linked to two activations.
The case study models the car's lighting system controlled by pitman controller, the key ignition, and the warning lights button.

The SimB listeners states that SimB listens on user interaction on the event <tt>ENV_Pitman_DirectionBlinking</tt>, to trigger two SimB activations <tt>blinking_on</tt> and blinking_off afterward.
Practically, this means that a driver's input on the pitman for direction blinking activates the blinking cycle for the corresponding direction indicators.

<pre>
{
"activations": [
{
"id": "blinking_on",
"execute": "RTIME_BlinkerOn",
"after": "curDeadlines(blink_deadline)",
"activating" : "blinking_off",
...
},
{
"id": "blinking_off",
"execute": "RTIME_BlinkerOff",
"after": "curDeadlines(blink_deadline)",
"activating" : "blinking_on",
...
},
...
]
"listeners": [
{
"id": "start_blinking",
"event": "ENV_Pitman_DirectionBlinking",
"activating" : ["blinking_on", "blinking_off"]
}
]
}
</pre>

== Reinforcement Learning Agent in SimB ==

Instead of loading a SimB simulation as a JSON file, one can also load a Reinforcement Learning
agent implemented in Python (.py).
For the simulation to work, one has to apply the following steps:

1. Train a model of a Reinforcement Learning agent.

2. Create a formal B model (including safety shield) for the RL agent.

The operations represent the actions the RL agent can choose from. The formal model's state mainly represents the state of the environment.
Safety shields are encoded by the operations' guards which are provided to the RL agent. Enabled operations are considered to be safe. Thus, the RL agent chooses the enabled operation/action with the highest predicted reward.
The operations' substitutions model the desired behavior of the respective actions.

An example for the FASTER of a HighwayEnvironment is as follows:
<pre>
FASTER =
PRE
¬(∃v. (v ∈ PresentVehicles \ {EgoVehicle} ∧ VehiclesX(v) > 0.0 ∧ VehiclesX(v) < 45.0 ∧
VehiclesY(v) < 3.5 ∧ VehiclesY(v) > -3.5))
THEN
Crash :∈ BOOL ||
PresentVehicles :∈ P(Vehicles) ;
VehiclesX :∈ Vehicles → R ||
VehiclesY :∈ Vehicles → R ||
VehiclesVx :| (VehiclesVx ∈ PresentVehicles → R ∧
VehiclesVx(EgoVehicle) ≥ VehiclesVx’(EgoVehicle) - 0.05) ||
VehiclesVy :∈ Vehicles → R ||
VehiclesAx :| (VehiclesAx ∈ PresentVehicles → R ∧ VehiclesAx(EgoVehicle) ≥ -0.05) ||
VehiclesAy :∈ Vehicles → R ||
Reward :∈ R
END
</pre>

Lines 2-4 shows the operation's guard which is used as safety shield.

Lines 6-15 shows the operation's substitution describing the desired behavior after executing FASTER.

3. Implement the mapping between the RL agent in Python and the formal B model.
This includes the mapping of actions to operations, and the mapping of information from the RL agent, particularly the environment and observation, to the variables.

An example for the mapping of actions to operations is as follows:
<pre>
action_names = {
0: "LANE_LEFT",
1: "IDLE",
2: "LANE_RIGHT",
3: "FASTER",
4: "SLOWER"
}
</pre>

Here, one can see that the numbers representing the actions in the RL agents are mapped to the corresponding operation names in the formal B model.

An example for a mapping to a variable in the formal B model is as follows:

<pre>
def get_VehiclesX(obs):
return "{{EgoVehicle |-> {0}, Vehicles2 |-> {1}, Vehicles3 |-> {2},
Vehicles4 |-> {3}, Vehicles5 |-> {4}}}"
.format(obs[0][1]*200, obs[1][1]*200, obs[2][1]*200,
obs[3][1]*200, obs[4][1]*200) # Implemented manually
</pre>

Remark: While the getter for the variable is generated by B2Program, the function for the mapping is implemented manually.

4. Implement necessary messages sent between the ProB animator and the RL agent.
Simulation should be a while-loop which runs while the simulation has not finished.

* 1st message: Sent from ProB Animator: List of enabled operations
** Meanwhile RL agent predicts enabled operation with highest reward
* 2nd message: Sent from RL agent: Name of chosen action/operation
* 3rd message: Sent from RL agent: Time until executing chosen action/operation
* 4th message: Sent from RL agent: Succeeding B state as a predicate
* 5th message: Sent from RL agent: Boolean flag describing whether simulation is finished

Example code (line 70 - 113; particularly 86 - 113): https://github.com/hhu-stups/reinforcement-learning-b-models/blob/main/HighwayEnvironment/HighwayEnvironment.py

To generate a RL agent for SimB, one can use the high-level code generator B2Program: https://github.com/favu100/b2program

Given a formal B model, B2Program generates an RL agent which loads a given trained model and execute the necessary steps. This includes the fourth step described before.
The third step still has to be implemented; in this step, B2Program only generates the templates for the mappings which are then completed manually.

== Validation ==

=== Real-Time Simulation ===

Using a SimB file, the modeler can play a single simulation on the underlying model in real-time.
The modeler can then manually check whether the model behaves as desired. Combining [[VisB]] and SimB, a simulation can be seen as an animated picture similar to a GIF picture.
This gives the domain expert even a better understanding of the model.
With SimB listeners, it is also possible to encode simulations that are triggered by manual/user actions.

A Traffic Light example (based on the SimB file shown in [[SimB|Using_SimB]] ) simulating the first 21 seconds is shown below.

[[File:TrafficLight_Simulation.gif|800px]]

=== Timed Trace Replay ===

Based on a single simulation, the modeler can generate a timed trace which is also stored in the SimB format. Afterwards, it can be used to replay a scenario. similar to real-time simulation.

Below, the resulting timed trace for the scenario in [[SimB|Real-Time Simulation]] is shown

<pre>
{
"activations": [
{
"execute": "$initialise_machine",
"after": "0",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": {
"tl_cars": "red",
"tl_peds": "red"
},
"probabilisticVariables": null,
"activating": [
"cars_ry_1"
],
"id": "$initialise_machine"
},
{
"execute": "cars_ry",
"after": "5000",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": null,
"probabilisticVariables": null,
"activating": [
"cars_g_2"
],
"id": "cars_ry_1"
},
{
"execute": "cars_g",
"after": "500",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": null,
"probabilisticVariables": null,
"activating": [
"cars_y_3"
],
"id": "cars_g_2"
},
{
"execute": "cars_y",
"after": "5000",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": null,
"probabilisticVariables": null,
"activating": [
"cars_r_4"
],
"id": "cars_y_3"
},
{
"execute": "cars_r",
"after": "500",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": null,
"probabilisticVariables": null,
"activating": [
"peds_g_5"
],
"id": "cars_r_4"
},
{
"execute": "peds_g",
"after": "5000",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": null,
"probabilisticVariables": null,
"activating": [
"peds_r_6"
],
"id": "peds_g_5"
},
{
"execute": "peds_r",
"after": "5000",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": null,
"probabilisticVariables": null,
"activating": null,
"id": "peds_r_6"
}
],
"metadata": {
"fileType": "Timed_Trace",
"formatVersion": 1,
"savedAt": "2021-03-03T11:04:08.460477Z",
"creator": "User",
"proB2KernelVersion": "4.0.0-SNAPSHOT",
"proBCliVersion": null,
"modelName": null
}
}

</pre>

=== Monte Carlo Simulation ===

It is also possible to apply Monte Carlo simulation to generate a certain number of simulations.
Here, all simulations are played without real time. However, it is possible for the user, to replay the generated scenarios with real-time afterwards.

The input parameters are:

* Number of Simulations defines the number of simulations to be generated.
* Max Steps Before Start defines the number of steps before taking into account the starting and ending conditions.
* Starting Condition defines condition to simulate until before taking Ending Condition into account. It is either defined by a No Condition, Number of Steps, Starting Time or Starting Predicate.
* Ending Condition defines condition to simulate until after taking Starting Condition into account (defines the last transition of the simulation). It is either defined by a Number of Steps, Ending Time or Ending Predicate
* Check defines the check to apply for the simulation. Monte Carlo Simulation means that there are no checks to be applied, while the other options are Hypothesis Testing and Estimation

[[File:MonteCarloSimulation.png|400px]]

Furthermore, there are two statistical validation techniques that can be applied based on Monte Carlo simulations: Hypothesis Testing and Estimation.

=== Hypothesis Testing ===

Hypothesis Testing expects the same parameters as Monte Carlo Simulation: Max Steps before Simulation, Number of Simulations, Starting Condition and Ending Condition.

The additional input parameters for Hypothesis Testing are:

* Property defines the property to be checked between Starting Condition and Ending Condition for each simulation. Possible configurations are:
** All Invariants can be used to check all invariants.
** Predicate as Invariant can be used to provide a predicate to be checked whether it is always true.
** Final Predicate can be used to provide a predicate to be checked in the final state of a simulation.
** Predicate Eventually can be used to provide a predicate to be checked whether it is eventually true.
** Timing can be used to check the time.

* Hypothesis Check
** Left-tailed hypothesis test
** Right-tailed hypothesis test
** Two-tailed hypothesis test

* Probability (in the hypothesis)
* Significance Level

[[File:HypothesisTesting.png|400px]]

=== Estimation ===

Estimation expects the same parameters as Monte Carlo Simulation: Number of Simulations, Starting Condition and Ending Condition.

The additional input parameters for Estimation are:

* Property defines the property to be checked between Starting Condition and Ending Condition for each simulation. Possible configurations are:
** All Invariants can be used to check all invariants.
** Predicate as Invariant can be used to provide a predicate to be checked whether it is always true.
** Final Predicate can be used to provide a predicate to be checked in the final state of a simulation.
** Predicate Eventually can be used to provide a predicate to be checked whether it is eventually true.
** Timing can be used to check the time.
** Average can be used to check the average value of an expression.
** Sum can be used to check the sum of an expression.
* Estimator
** Minimum Estimator returns the minimum estimated value from all simulated runs.
** Mean Estimator returns the mean estimated value from all simulated runs.
** Maximum Estimator returns the maximum estimated value from all simulated runs.
* Desired Value
* Epsilon

For an estimated value e, a desired value d, and an epsilon eps, it checks for each simulation whether e is within [d - eps, d + eps]

[[File:Estimation.png|400px]]

SimB

2025-02-19T18:45:55Z

Vella: /* Probabilistic and Timing Elements in SimB */

== SimB ==

Additional documentation is available here: [https://github.com/hhu-stups/prob2_ui/blob/develop/src/main/helpsources/help_en/Main%20Menu/Advanced/SimB.md SimB Documentation]

SimB is a simulator built on top of ProB. It is available in the latest SNAPSHOT version in the new JavaFX based user interface [[ProB2-UI]] (https://github.com/hhu-stups/prob2_ui), The modeler can write SimB annotations for a formal model to simulate it. Examples are available at https://github.com/favu100/SimB-examples.
Furthermore, it is then possible to validate probabilistic and timing properties with statistical validation techniques such as hypothesis testing and estimation.

SimB also contains a feature called interactive simulation.
This feature allows user interaction to trigger a simulation.
For interactive simulation, a modeler has to encode SimB listeners on events, triggering a SimB simulation.
Interactive Simulation examples are available at https://github.com/favu100/SimB-examples/tree/main/Interactive_Examples.

More recently, SimB is extended by a new feature which makes it possible to load an Reinforcement learning Agent.
Technically, each step of the RL agent is converted into a SimB activation.
In order to simulate a RL agent in SimB, one must (1) create a formal B model for the RL agent, and (2) create a mapping between the state in the RL agent and the formal model, and (3) provide information to the formal B model again.
Reinforcement Learning examples are available at: https://github.com/hhu-stups/reinforcement-learning-b-models

== Citing SimB ==
To cite SimB as a tool, its timing or probabilistic simulation features, or SimBs statistical validation techniques, please use:
<pre>
@InProceedings{simb,
Author = {Vu, Fabian and Leuschel, Michael and Mashkoor, Atif},
Title = {{Validation of Formal Models by Timed Probabilistic Simulation}},
Booktitle = {Proceedings ABZ},
Year = 2021,
Series = {LNCS},
Volume = {12709},
Pages = {81--96}
}
</pre>

To cite SimBs interactive simulation, please use:

<pre>
@InProceedings{simb,
Author = {Vu, Fabian and Leuschel, Michael},
Title = {{Validation of Formal Models by Interactive Simulation}},
Booktitle = {Proceedings ABZ},
Year = 2023
Series = {LNCS},
Volume = {14010},
Pages = {59--69}
}
</pre>

==Using SimB ==

Start SimB via "SimB" in the "Advanced" Menu after opening a machine.

[[File:Open_SimB.png|800px]]

Now, you can open a SimB file (JSON format) controlling the underlying formal model.

[[File:SimB_Window.png|800px]]

A SimB file consists of SimB activations and SimB listeners to simulate the model.
SimB activations encode an activation diagram with probabilistic and timing elements for automatic simulation.
To enable interactive simulation, it is also necessary to encode interactive elements aka. SimB listeners which trigger other SimB activations.
Within these elements, the modeler can user B expressions which are evaluated on the current state.

The general structure of a SimB simulation is as follows:

<pre>
{
"activations": [...]
"listeners": [...]
}
</pre>

<tt>activations</tt> stores SimB activations, while <tt>listeners</tt> stores SimB listeners.
<tt>activations</tt> must be encoded, <tt>listeners</tt> is optional and defaults to the empty list.

== Probabilistic and Timing Elements in SimB ==

The SimB file always contains an <tt>activations</tt> field storing a list of probabilistic and timing elements to control the simulation. Probabilistic values are always interpreted as weights and thus may sum to any number greater than zero.
There are two types of activations: direct activation and probabilistic choice.
All activations are identified by their <tt>id</tt>.

===Direct Activation ===

A direct activation activates an event to be executed in the future.
It requires the fields <tt>id</tt>, and <tt>execute</tt> to be defined.
All other fields can be defined optionally.

* <tt>execute</tt> identifies the activated event by its name.
* <tt>after</tt> defines the scheduled time (in ms) when activating an event. By default, it is set to 0 ms, e.g., when this field is not defined explicitly.
* <tt>activating</tt> stores events that will be activated when executing the event defined by <tt>execute</tt>. Missing definition leads to the behavior that no other events are activated. The modeler can either write a String (to activate a single event) or a list of Strings (to activate multiple events)
* <tt>activationKind</tt> stores the kind of activation for <tt>execute</tt>. Possible options are <tt>multi</tt>, <tt>single</tt>, <tt>single:min</tt>, and <tt>single:max</tt>. The default value is <tt>multi</tt>
** <tt>multi</tt> means that the activation will be queued for execution.
** <tt>single</tt> means that the activation will only be queued if there are no queued activations with the same <tt>id</tt>
** <tt>single:min</tt> means that the activation will only be queued if (1) there are no queued activations for the same <tt>id</tt> or (2) there is a queued activation with the same <tt>id</tt> whose value for the scheduled time is greater. In the case of (2), the already queued activation will be discarded.
** <tt>single:max</tt> means that the activation will only be queued if (1) there are no queued activations for the same <tt>id</tt> or (2) there is a queued activation with the same <tt>id</tt> whose value for the scheduled time is lower. In the case of (2), the already queued activation will be discarded.
* <tt>additionalGuards</tt> stores optional guards when executing the event stored in <tt>execute</tt>
* <tt>fixedVariables</tt> stores a Map. Here, a variable (parameter, or non-deterministic assigned variable) is assigned to its value.
* <tt>probabilisticVariables</tt>stores a Map. Here a variable (parameter, or non-deterministic assigned variable) is assigned to another Map defining the probabilistic choice of its value. The second Map stores Key-Value pairs where values are mapped to the probability/weight.
* <tt>transitionSelection</tt> determines how SimB choses from multiple possible transitions (due to not specified variables):
** <tt>first</tt> (the default) means that the first transition is chosen for execution.
** <tt>uniform</tt> means that a transition is selected from all alternatives uniformly.
* <tt>priority</tt> stores the priority for scheduling <tt>execute</tt>. Lower number means greater priority.

<pre>
{
"id": ...
"execute": ...
"after": ...
"activating": ...
"activationKind": ...
"additionalGuards": ...
"fixedVariables": ....
"probabilisticVariables": ....
"priority": ...
}
</pre>

=== Probabilistic Choice ===

A probabilistic choice selects an event to be executed in the future.
It requires the two fields <tt>id</tt>, and <tt>chooseActivation</tt>. <tt>chooseActivation</tt> is a Map storing Key-Value pairs where activations (identified by their <tt>id</tt>) are mapped to a probability/weight. It is possible to chain multiple probabilistic choices together, but eventually, a direct activation must be reached.
The probabilities are always interpreted as weights and may sum to any number greater than zero.
Thus, a <tt>probabilistic choice</tt> is of the following form:

<pre>
{
"id": ...
"chooseActivation": ...
}
</pre>

In the following, an example for a SimB file controlling a Traffic Lights for cars and pedestrians (with timing and probabilistic behavior) is shown:

<pre>
{
"activations": [
{"id":"$initialise_machine", "execute":"$initialise_machine", "activating":"choose"},
{"id":"choose", "chooseActivation":{"cars_ry": "0.8", "peds_g": "0.2"}},
{"id":"cars_ry", "execute":"cars_ry", "after":5000, "activating":"cars_g"},
{"id":"cars_g", "execute":"cars_g", "after":500, "activating":"cars_y"},
{"id":"cars_y", "execute":"cars_y", "after":5000, "activating":"cars_r"},
{"id":"cars_r", "execute":"cars_r", "after":500, "activating":"choose"},
{"id":"peds_g", "execute":"peds_g", "after":5000, "activating":"peds_r"},
{"id":"peds_r", "execute":"peds_r", "after":5000, "activating":"choose"}
]
}
</pre>

== Interactive Elements in SimB ==

Interactive elements in SimB are so called SimB listeners.
A SimB listener consists of four fields <tt>id</tt>, <tt>event</tt>, <tt>predicate</tt>, and <tt>activating</tt>.
This means that the SimB listener associated with <tt>id</tt> listens on a manual/user interaction on <tt>event</tt> with <tt>predicate</tt> after which activations in <tt>activating</tt> are triggered.
<tt>predicate</tt> is optional and defaults to <tt>1=1</tt>.
Manual/User interaction is recognized via VisB and ProB's Operations View.

<pre>
{
"id": ...
"event": ...
"predicate": ...
"activating": [...]
}
</pre>

In the following, we parts of a SimB simulation from an automotive case study.
The SimB simulation contains a SimB listener which is linked to two activations.
The case study models the car's lighting system controlled by pitman controller, the key ignition, and the warning lights button.

The SimB listeners states that SimB listens on user interaction on the event <tt>ENV_Pitman_DirectionBlinking</tt>, to trigger two SimB activations <tt>blinking_on</tt> and blinking_off afterward.
Practically, this means that a driver's input on the pitman for direction blinking activates the blinking cycle for the corresponding direction indicators.

<pre>
{
"activations": [
{
"id": "blinking_on",
"execute": "RTIME_BlinkerOn",
"after": "curDeadlines(blink_deadline)",
"activating" : "blinking_off",
...
},
{
"id": "blinking_off",
"execute": "RTIME_BlinkerOff",
"after": "curDeadlines(blink_deadline)",
"activating" : "blinking_on",
...
},
...
]
"listeners": [
{
"id": "start_blinking",
"event": "ENV_Pitman_DirectionBlinking",
"activating" : ["blinking_on", "blinking_off"]
}
]
}
</pre>

== Reinforcement Learning Agent in SimB ==

Instead of loading a SimB simulation as a JSON file, one can also load a Reinforcement Learning
agent implemented in Python (.py).
For the simulation to work, one has to apply the following steps:

1. Train a model of a Reinforcement Learning agent.

2. Create a formal B model (including safety shield) for the RL agent.

The operations represent the actions the RL agent can choose from. The formal model's state mainly represents the state of the environment.
Safety shields are encoded by the operations' guards which are provided to the RL agent. Enabled operations are considered to be safe. Thus, the RL agent chooses the enabled operation/action with the highest predicted reward.
The operations' substitutions model the desired behavior of the respective actions.

An example for the FASTER of a HighwayEnvironment is as follows:
<pre>
FASTER =
PRE
¬(∃v. (v ∈ PresentVehicles \ {EgoVehicle} ∧ VehiclesX(v) > 0.0 ∧ VehiclesX(v) < 45.0 ∧
VehiclesY(v) < 3.5 ∧ VehiclesY(v) > -3.5))
THEN
Crash :∈ BOOL ||
PresentVehicles :∈ P(Vehicles) ;
VehiclesX :∈ Vehicles → R ||
VehiclesY :∈ Vehicles → R ||
VehiclesVx :| (VehiclesVx ∈ PresentVehicles → R ∧
VehiclesVx(EgoVehicle) ≥ VehiclesVx’(EgoVehicle) - 0.05) ||
VehiclesVy :∈ Vehicles → R ||
VehiclesAx :| (VehiclesAx ∈ PresentVehicles → R ∧ VehiclesAx(EgoVehicle) ≥ -0.05) ||
VehiclesAy :∈ Vehicles → R ||
Reward :∈ R
END
</pre>

Lines 2-4 shows the operation's guard which is used as safety shield.

Lines 6-15 shows the operation's substitution describing the desired behavior after executing FASTER.

3. Implement the mapping between the RL agent in Python and the formal B model.
This includes the mapping of actions to operations, and the mapping of information from the RL agent, particularly the environment and observation, to the variables.

An example for the mapping of actions to operations is as follows:
<pre>
action_names = {
0: "LANE_LEFT",
1: "IDLE",
2: "LANE_RIGHT",
3: "FASTER",
4: "SLOWER"
}
</pre>

Here, one can see that the numbers representing the actions in the RL agents are mapped to the corresponding operation names in the formal B model.

An example for a mapping to a variable in the formal B model is as follows:

<pre>
def get_VehiclesX(obs):
return "{{EgoVehicle |-> {0}, Vehicles2 |-> {1}, Vehicles3 |-> {2},
Vehicles4 |-> {3}, Vehicles5 |-> {4}}}"
.format(obs[0][1]*200, obs[1][1]*200, obs[2][1]*200,
obs[3][1]*200, obs[4][1]*200) # Implemented manually
</pre>

Remark: While the getter for the variable is generated by B2Program, the function for the mapping is implemented manually.

4. Implement necessary messages sent between the ProB animator and the RL agent.
Simulation should be a while-loop which runs while the simulation has not finished.

* 1st message: Sent from ProB Animator: List of enabled operations
** Meanwhile RL agent predicts enabled operation with highest reward
* 2nd message: Sent from RL agent: Name of chosen action/operation
* 3rd message: Sent from RL agent: Time until executing chosen action/operation
* 4th message: Sent from RL agent: Succeeding B state as a predicate
* 5th message: Sent from RL agent: Boolean flag describing whether simulation is finished

Example code (line 70 - 113; particularly 86 - 113): https://github.com/hhu-stups/reinforcement-learning-b-models/blob/main/HighwayEnvironment/HighwayEnvironment.py

To generate a RL agent for SimB, one can use the high-level code generator B2Program: https://github.com/favu100/b2program

Given a formal B model, B2Program generates an RL agent which loads a given trained model and execute the necessary steps. This includes the fourth step described before.
The third step still has to be implemented; in this step, B2Program only generates the templates for the mappings which are then completed manually.

== Validation ==

=== Real-Time Simulation ===

Using a SimB file, the modeler can play a single simulation on the underlying model in real-time.
The modeler can then manually check whether the model behaves as desired. Combining [[VisB]] and SimB, a simulation can be seen as an animated picture similar to a GIF picture.
This gives the domain expert even a better understanding of the model.
With SimB listeners, it is also possible to encode simulations that are triggered by manual/user actions.

A Traffic Light example (based on the SimB file shown in [[SimB|Using_SimB]] ) simulating the first 21 seconds is shown below.

[[File:TrafficLight_Simulation.gif|800px]]

=== Timed Trace Replay ===

Based on a single simulation, the modeler can generate a timed trace which is also stored in the SimB format. Afterwards, it can be used to replay a scenario. similar to real-time simulation.

Below, the resulting timed trace for the scenario in [[SimB|Real-Time Simulation]] is shown

<pre>
{
"activations": [
{
"execute": "$initialise_machine",
"after": "0",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": {
"tl_cars": "red",
"tl_peds": "red"
},
"probabilisticVariables": null,
"activating": [
"cars_ry_1"
],
"id": "$initialise_machine"
},
{
"execute": "cars_ry",
"after": "5000",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": null,
"probabilisticVariables": null,
"activating": [
"cars_g_2"
],
"id": "cars_ry_1"
},
{
"execute": "cars_g",
"after": "500",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": null,
"probabilisticVariables": null,
"activating": [
"cars_y_3"
],
"id": "cars_g_2"
},
{
"execute": "cars_y",
"after": "5000",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": null,
"probabilisticVariables": null,
"activating": [
"cars_r_4"
],
"id": "cars_y_3"
},
{
"execute": "cars_r",
"after": "500",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": null,
"probabilisticVariables": null,
"activating": [
"peds_g_5"
],
"id": "cars_r_4"
},
{
"execute": "peds_g",
"after": "5000",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": null,
"probabilisticVariables": null,
"activating": [
"peds_r_6"
],
"id": "peds_g_5"
},
{
"execute": "peds_r",
"after": "5000",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": null,
"probabilisticVariables": null,
"activating": null,
"id": "peds_r_6"
}
],
"metadata": {
"fileType": "Timed_Trace",
"formatVersion": 1,
"savedAt": "2021-03-03T11:04:08.460477Z",
"creator": "User",
"proB2KernelVersion": "4.0.0-SNAPSHOT",
"proBCliVersion": null,
"modelName": null
}
}

</pre>

=== Monte Carlo Simulation ===

It is also possible to apply Monte Carlo simulation to generate a certain number of simulations.
Here, all simulations are played without real time. However, it is possible for the user, to replay the generated scenarios with real-time afterwards.

The input parameters are:

* Number of Simulations defines the number of simulations to be generated.
* Max Steps Before Start defines the number of steps before taking into account the starting and ending conditions.
* Starting Condition defines condition to simulate until before taking Ending Condition into account. It is either defined by a No Condition, Number of Steps, Starting Time or Starting Predicate.
* Ending Condition defines condition to simulate until after taking Starting Condition into account (defines the last transition of the simulation). It is either defined by a Number of Steps, Ending Time or Ending Predicate
* Check defines the check to apply for the simulation. Monte Carlo Simulation means that there are no checks to be applied, while the other options are Hypothesis Testing and Estimation

[[File:MonteCarloSimulation.png|400px]]

Furthermore, there are two statistical validation techniques that can be applied based on Monte Carlo simulations: Hypothesis Testing and Estimation.

=== Hypothesis Testing ===

Hypothesis Testing expects the same parameters as Monte Carlo Simulation: Max Steps before Simulation, Number of Simulations, Starting Condition and Ending Condition.

The additional input parameters for Hypothesis Testing are:

* Property defines the property to be checked between Starting Condition and Ending Condition for each simulation. Possible configurations are:
** All Invariants can be used to check all invariants.
** Predicate as Invariant can be used to provide a predicate to be checked whether it is always true.
** Final Predicate can be used to provide a predicate to be checked in the final state of a simulation.
** Predicate Eventually can be used to provide a predicate to be checked whether it is eventually true.
** Timing can be used to check the time.

* Hypothesis Check
** Left-tailed hypothesis test
** Right-tailed hypothesis test
** Two-tailed hypothesis test

* Probability (in the hypothesis)
* Significance Level

[[File:HypothesisTesting.png|400px]]

=== Estimation ===

Estimation expects the same parameters as Monte Carlo Simulation: Number of Simulations, Starting Condition and Ending Condition.

The additional input parameters for Estimation are:

* Property defines the property to be checked between Starting Condition and Ending Condition for each simulation. Possible configurations are:
** All Invariants can be used to check all invariants.
** Predicate as Invariant can be used to provide a predicate to be checked whether it is always true.
** Final Predicate can be used to provide a predicate to be checked in the final state of a simulation.
** Predicate Eventually can be used to provide a predicate to be checked whether it is eventually true.
** Timing can be used to check the time.
** Average can be used to check the average value of an expression.
** Sum can be used to check the sum of an expression.
* Estimator
** Minimum Estimator returns the minimum estimated value from all simulated runs.
** Mean Estimator returns the mean estimated value from all simulated runs.
** Maximum Estimator returns the maximum estimated value from all simulated runs.
* Desired Value
* Epsilon

For an estimated value e, a desired value d, and an epsilon eps, it checks for each simulation whether e is within [d - eps, d + eps]

[[File:Estimation.png|400px]]

SimB

2025-02-19T18:45:27Z

Vella: /* Direct Activation */

== SimB ==

Additional documentation is available here: [https://github.com/hhu-stups/prob2_ui/blob/develop/src/main/helpsources/help_en/Main%20Menu/Advanced/SimB.md SimB Documentation]

SimB is a simulator built on top of ProB. It is available in the latest SNAPSHOT version in the new JavaFX based user interface [[ProB2-UI]] (https://github.com/hhu-stups/prob2_ui), The modeler can write SimB annotations for a formal model to simulate it. Examples are available at https://github.com/favu100/SimB-examples.
Furthermore, it is then possible to validate probabilistic and timing properties with statistical validation techniques such as hypothesis testing and estimation.

SimB also contains a feature called interactive simulation.
This feature allows user interaction to trigger a simulation.
For interactive simulation, a modeler has to encode SimB listeners on events, triggering a SimB simulation.
Interactive Simulation examples are available at https://github.com/favu100/SimB-examples/tree/main/Interactive_Examples.

More recently, SimB is extended by a new feature which makes it possible to load an Reinforcement learning Agent.
Technically, each step of the RL agent is converted into a SimB activation.
In order to simulate a RL agent in SimB, one must (1) create a formal B model for the RL agent, and (2) create a mapping between the state in the RL agent and the formal model, and (3) provide information to the formal B model again.
Reinforcement Learning examples are available at: https://github.com/hhu-stups/reinforcement-learning-b-models

== Citing SimB ==
To cite SimB as a tool, its timing or probabilistic simulation features, or SimBs statistical validation techniques, please use:
<pre>
@InProceedings{simb,
Author = {Vu, Fabian and Leuschel, Michael and Mashkoor, Atif},
Title = {{Validation of Formal Models by Timed Probabilistic Simulation}},
Booktitle = {Proceedings ABZ},
Year = 2021,
Series = {LNCS},
Volume = {12709},
Pages = {81--96}
}
</pre>

To cite SimBs interactive simulation, please use:

<pre>
@InProceedings{simb,
Author = {Vu, Fabian and Leuschel, Michael},
Title = {{Validation of Formal Models by Interactive Simulation}},
Booktitle = {Proceedings ABZ},
Year = 2023
Series = {LNCS},
Volume = {14010},
Pages = {59--69}
}
</pre>

==Using SimB ==

Start SimB via "SimB" in the "Advanced" Menu after opening a machine.

[[File:Open_SimB.png|800px]]

Now, you can open a SimB file (JSON format) controlling the underlying formal model.

[[File:SimB_Window.png|800px]]

A SimB file consists of SimB activations and SimB listeners to simulate the model.
SimB activations encode an activation diagram with probabilistic and timing elements for automatic simulation.
To enable interactive simulation, it is also necessary to encode interactive elements aka. SimB listeners which trigger other SimB activations.
Within these elements, the modeler can user B expressions which are evaluated on the current state.

The general structure of a SimB simulation is as follows:

<pre>
{
"activations": [...]
"listeners": [...]
}
</pre>

<tt>activations</tt> stores SimB activations, while <tt>listeners</tt> stores SimB listeners.
<tt>activations</tt> must be encoded, <tt>listeners</tt> is optional and defaults to the empty list.

== Probabilistic and Timing Elements in SimB ==

The SimB file always contains an <tt>activations</tt> field storing a list of probabilistic and timing elements to control the simulation. Probabilistic values are always evaluated to ensure that the sum of all possibilities is always 1. Otherwise an error will be thrown at runtime.
There are two types of activations: direct activation and probabilistic choice.
All activations are identified by their <tt>id</tt>.

===Direct Activation ===

A direct activation activates an event to be executed in the future.
It requires the fields <tt>id</tt>, and <tt>execute</tt> to be defined.
All other fields can be defined optionally.

* <tt>execute</tt> identifies the activated event by its name.
* <tt>after</tt> defines the scheduled time (in ms) when activating an event. By default, it is set to 0 ms, e.g., when this field is not defined explicitly.
* <tt>activating</tt> stores events that will be activated when executing the event defined by <tt>execute</tt>. Missing definition leads to the behavior that no other events are activated. The modeler can either write a String (to activate a single event) or a list of Strings (to activate multiple events)
* <tt>activationKind</tt> stores the kind of activation for <tt>execute</tt>. Possible options are <tt>multi</tt>, <tt>single</tt>, <tt>single:min</tt>, and <tt>single:max</tt>. The default value is <tt>multi</tt>
** <tt>multi</tt> means that the activation will be queued for execution.
** <tt>single</tt> means that the activation will only be queued if there are no queued activations with the same <tt>id</tt>
** <tt>single:min</tt> means that the activation will only be queued if (1) there are no queued activations for the same <tt>id</tt> or (2) there is a queued activation with the same <tt>id</tt> whose value for the scheduled time is greater. In the case of (2), the already queued activation will be discarded.
** <tt>single:max</tt> means that the activation will only be queued if (1) there are no queued activations for the same <tt>id</tt> or (2) there is a queued activation with the same <tt>id</tt> whose value for the scheduled time is lower. In the case of (2), the already queued activation will be discarded.
* <tt>additionalGuards</tt> stores optional guards when executing the event stored in <tt>execute</tt>
* <tt>fixedVariables</tt> stores a Map. Here, a variable (parameter, or non-deterministic assigned variable) is assigned to its value.
* <tt>probabilisticVariables</tt>stores a Map. Here a variable (parameter, or non-deterministic assigned variable) is assigned to another Map defining the probabilistic choice of its value. The second Map stores Key-Value pairs where values are mapped to the probability/weight.
* <tt>transitionSelection</tt> determines how SimB choses from multiple possible transitions (due to not specified variables):
** <tt>first</tt> (the default) means that the first transition is chosen for execution.
** <tt>uniform</tt> means that a transition is selected from all alternatives uniformly.
* <tt>priority</tt> stores the priority for scheduling <tt>execute</tt>. Lower number means greater priority.

<pre>
{
"id": ...
"execute": ...
"after": ...
"activating": ...
"activationKind": ...
"additionalGuards": ...
"fixedVariables": ....
"probabilisticVariables": ....
"priority": ...
}
</pre>

=== Probabilistic Choice ===

A probabilistic choice selects an event to be executed in the future.
It requires the two fields <tt>id</tt>, and <tt>chooseActivation</tt>. <tt>chooseActivation</tt> is a Map storing Key-Value pairs where activations (identified by their <tt>id</tt>) are mapped to a probability/weight. It is possible to chain multiple probabilistic choices together, but eventually, a direct activation must be reached.
The probabilities are always interpreted as weights and may sum to any number greater than zero.
Thus, a <tt>probabilistic choice</tt> is of the following form:

<pre>
{
"id": ...
"chooseActivation": ...
}
</pre>

In the following, an example for a SimB file controlling a Traffic Lights for cars and pedestrians (with timing and probabilistic behavior) is shown:

<pre>
{
"activations": [
{"id":"$initialise_machine", "execute":"$initialise_machine", "activating":"choose"},
{"id":"choose", "chooseActivation":{"cars_ry": "0.8", "peds_g": "0.2"}},
{"id":"cars_ry", "execute":"cars_ry", "after":5000, "activating":"cars_g"},
{"id":"cars_g", "execute":"cars_g", "after":500, "activating":"cars_y"},
{"id":"cars_y", "execute":"cars_y", "after":5000, "activating":"cars_r"},
{"id":"cars_r", "execute":"cars_r", "after":500, "activating":"choose"},
{"id":"peds_g", "execute":"peds_g", "after":5000, "activating":"peds_r"},
{"id":"peds_r", "execute":"peds_r", "after":5000, "activating":"choose"}
]
}
</pre>

== Interactive Elements in SimB ==

Interactive elements in SimB are so called SimB listeners.
A SimB listener consists of four fields <tt>id</tt>, <tt>event</tt>, <tt>predicate</tt>, and <tt>activating</tt>.
This means that the SimB listener associated with <tt>id</tt> listens on a manual/user interaction on <tt>event</tt> with <tt>predicate</tt> after which activations in <tt>activating</tt> are triggered.
<tt>predicate</tt> is optional and defaults to <tt>1=1</tt>.
Manual/User interaction is recognized via VisB and ProB's Operations View.

<pre>
{
"id": ...
"event": ...
"predicate": ...
"activating": [...]
}
</pre>

In the following, we parts of a SimB simulation from an automotive case study.
The SimB simulation contains a SimB listener which is linked to two activations.
The case study models the car's lighting system controlled by pitman controller, the key ignition, and the warning lights button.

The SimB listeners states that SimB listens on user interaction on the event <tt>ENV_Pitman_DirectionBlinking</tt>, to trigger two SimB activations <tt>blinking_on</tt> and blinking_off afterward.
Practically, this means that a driver's input on the pitman for direction blinking activates the blinking cycle for the corresponding direction indicators.

<pre>
{
"activations": [
{
"id": "blinking_on",
"execute": "RTIME_BlinkerOn",
"after": "curDeadlines(blink_deadline)",
"activating" : "blinking_off",
...
},
{
"id": "blinking_off",
"execute": "RTIME_BlinkerOff",
"after": "curDeadlines(blink_deadline)",
"activating" : "blinking_on",
...
},
...
]
"listeners": [
{
"id": "start_blinking",
"event": "ENV_Pitman_DirectionBlinking",
"activating" : ["blinking_on", "blinking_off"]
}
]
}
</pre>

== Reinforcement Learning Agent in SimB ==

Instead of loading a SimB simulation as a JSON file, one can also load a Reinforcement Learning
agent implemented in Python (.py).
For the simulation to work, one has to apply the following steps:

1. Train a model of a Reinforcement Learning agent.

2. Create a formal B model (including safety shield) for the RL agent.

The operations represent the actions the RL agent can choose from. The formal model's state mainly represents the state of the environment.
Safety shields are encoded by the operations' guards which are provided to the RL agent. Enabled operations are considered to be safe. Thus, the RL agent chooses the enabled operation/action with the highest predicted reward.
The operations' substitutions model the desired behavior of the respective actions.

An example for the FASTER of a HighwayEnvironment is as follows:
<pre>
FASTER =
PRE
¬(∃v. (v ∈ PresentVehicles \ {EgoVehicle} ∧ VehiclesX(v) > 0.0 ∧ VehiclesX(v) < 45.0 ∧
VehiclesY(v) < 3.5 ∧ VehiclesY(v) > -3.5))
THEN
Crash :∈ BOOL ||
PresentVehicles :∈ P(Vehicles) ;
VehiclesX :∈ Vehicles → R ||
VehiclesY :∈ Vehicles → R ||
VehiclesVx :| (VehiclesVx ∈ PresentVehicles → R ∧
VehiclesVx(EgoVehicle) ≥ VehiclesVx’(EgoVehicle) - 0.05) ||
VehiclesVy :∈ Vehicles → R ||
VehiclesAx :| (VehiclesAx ∈ PresentVehicles → R ∧ VehiclesAx(EgoVehicle) ≥ -0.05) ||
VehiclesAy :∈ Vehicles → R ||
Reward :∈ R
END
</pre>

Lines 2-4 shows the operation's guard which is used as safety shield.

Lines 6-15 shows the operation's substitution describing the desired behavior after executing FASTER.

3. Implement the mapping between the RL agent in Python and the formal B model.
This includes the mapping of actions to operations, and the mapping of information from the RL agent, particularly the environment and observation, to the variables.

An example for the mapping of actions to operations is as follows:
<pre>
action_names = {
0: "LANE_LEFT",
1: "IDLE",
2: "LANE_RIGHT",
3: "FASTER",
4: "SLOWER"
}
</pre>

Here, one can see that the numbers representing the actions in the RL agents are mapped to the corresponding operation names in the formal B model.

An example for a mapping to a variable in the formal B model is as follows:

<pre>
def get_VehiclesX(obs):
return "{{EgoVehicle |-> {0}, Vehicles2 |-> {1}, Vehicles3 |-> {2},
Vehicles4 |-> {3}, Vehicles5 |-> {4}}}"
.format(obs[0][1]*200, obs[1][1]*200, obs[2][1]*200,
obs[3][1]*200, obs[4][1]*200) # Implemented manually
</pre>

Remark: While the getter for the variable is generated by B2Program, the function for the mapping is implemented manually.

4. Implement necessary messages sent between the ProB animator and the RL agent.
Simulation should be a while-loop which runs while the simulation has not finished.

* 1st message: Sent from ProB Animator: List of enabled operations
** Meanwhile RL agent predicts enabled operation with highest reward
* 2nd message: Sent from RL agent: Name of chosen action/operation
* 3rd message: Sent from RL agent: Time until executing chosen action/operation
* 4th message: Sent from RL agent: Succeeding B state as a predicate
* 5th message: Sent from RL agent: Boolean flag describing whether simulation is finished

Example code (line 70 - 113; particularly 86 - 113): https://github.com/hhu-stups/reinforcement-learning-b-models/blob/main/HighwayEnvironment/HighwayEnvironment.py

To generate a RL agent for SimB, one can use the high-level code generator B2Program: https://github.com/favu100/b2program

Given a formal B model, B2Program generates an RL agent which loads a given trained model and execute the necessary steps. This includes the fourth step described before.
The third step still has to be implemented; in this step, B2Program only generates the templates for the mappings which are then completed manually.

== Validation ==

=== Real-Time Simulation ===

Using a SimB file, the modeler can play a single simulation on the underlying model in real-time.
The modeler can then manually check whether the model behaves as desired. Combining [[VisB]] and SimB, a simulation can be seen as an animated picture similar to a GIF picture.
This gives the domain expert even a better understanding of the model.
With SimB listeners, it is also possible to encode simulations that are triggered by manual/user actions.

A Traffic Light example (based on the SimB file shown in [[SimB|Using_SimB]] ) simulating the first 21 seconds is shown below.

[[File:TrafficLight_Simulation.gif|800px]]

=== Timed Trace Replay ===

Based on a single simulation, the modeler can generate a timed trace which is also stored in the SimB format. Afterwards, it can be used to replay a scenario. similar to real-time simulation.

Below, the resulting timed trace for the scenario in [[SimB|Real-Time Simulation]] is shown

<pre>
{
"activations": [
{
"execute": "$initialise_machine",
"after": "0",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": {
"tl_cars": "red",
"tl_peds": "red"
},
"probabilisticVariables": null,
"activating": [
"cars_ry_1"
],
"id": "$initialise_machine"
},
{
"execute": "cars_ry",
"after": "5000",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": null,
"probabilisticVariables": null,
"activating": [
"cars_g_2"
],
"id": "cars_ry_1"
},
{
"execute": "cars_g",
"after": "500",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": null,
"probabilisticVariables": null,
"activating": [
"cars_y_3"
],
"id": "cars_g_2"
},
{
"execute": "cars_y",
"after": "5000",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": null,
"probabilisticVariables": null,
"activating": [
"cars_r_4"
],
"id": "cars_y_3"
},
{
"execute": "cars_r",
"after": "500",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": null,
"probabilisticVariables": null,
"activating": [
"peds_g_5"
],
"id": "cars_r_4"
},
{
"execute": "peds_g",
"after": "5000",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": null,
"probabilisticVariables": null,
"activating": [
"peds_r_6"
],
"id": "peds_g_5"
},
{
"execute": "peds_r",
"after": "5000",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": null,
"probabilisticVariables": null,
"activating": null,
"id": "peds_r_6"
}
],
"metadata": {
"fileType": "Timed_Trace",
"formatVersion": 1,
"savedAt": "2021-03-03T11:04:08.460477Z",
"creator": "User",
"proB2KernelVersion": "4.0.0-SNAPSHOT",
"proBCliVersion": null,
"modelName": null
}
}

</pre>

=== Monte Carlo Simulation ===

It is also possible to apply Monte Carlo simulation to generate a certain number of simulations.
Here, all simulations are played without real time. However, it is possible for the user, to replay the generated scenarios with real-time afterwards.

The input parameters are:

* Number of Simulations defines the number of simulations to be generated.
* Max Steps Before Start defines the number of steps before taking into account the starting and ending conditions.
* Starting Condition defines condition to simulate until before taking Ending Condition into account. It is either defined by a No Condition, Number of Steps, Starting Time or Starting Predicate.
* Ending Condition defines condition to simulate until after taking Starting Condition into account (defines the last transition of the simulation). It is either defined by a Number of Steps, Ending Time or Ending Predicate
* Check defines the check to apply for the simulation. Monte Carlo Simulation means that there are no checks to be applied, while the other options are Hypothesis Testing and Estimation

[[File:MonteCarloSimulation.png|400px]]

Furthermore, there are two statistical validation techniques that can be applied based on Monte Carlo simulations: Hypothesis Testing and Estimation.

=== Hypothesis Testing ===

Hypothesis Testing expects the same parameters as Monte Carlo Simulation: Max Steps before Simulation, Number of Simulations, Starting Condition and Ending Condition.

The additional input parameters for Hypothesis Testing are:

* Property defines the property to be checked between Starting Condition and Ending Condition for each simulation. Possible configurations are:
** All Invariants can be used to check all invariants.
** Predicate as Invariant can be used to provide a predicate to be checked whether it is always true.
** Final Predicate can be used to provide a predicate to be checked in the final state of a simulation.
** Predicate Eventually can be used to provide a predicate to be checked whether it is eventually true.
** Timing can be used to check the time.

* Hypothesis Check
** Left-tailed hypothesis test
** Right-tailed hypothesis test
** Two-tailed hypothesis test

* Probability (in the hypothesis)
* Significance Level

[[File:HypothesisTesting.png|400px]]

=== Estimation ===

Estimation expects the same parameters as Monte Carlo Simulation: Number of Simulations, Starting Condition and Ending Condition.

The additional input parameters for Estimation are:

* Property defines the property to be checked between Starting Condition and Ending Condition for each simulation. Possible configurations are:
** All Invariants can be used to check all invariants.
** Predicate as Invariant can be used to provide a predicate to be checked whether it is always true.
** Final Predicate can be used to provide a predicate to be checked in the final state of a simulation.
** Predicate Eventually can be used to provide a predicate to be checked whether it is eventually true.
** Timing can be used to check the time.
** Average can be used to check the average value of an expression.
** Sum can be used to check the sum of an expression.
* Estimator
** Minimum Estimator returns the minimum estimated value from all simulated runs.
** Mean Estimator returns the mean estimated value from all simulated runs.
** Maximum Estimator returns the maximum estimated value from all simulated runs.
* Desired Value
* Epsilon

For an estimated value e, a desired value d, and an epsilon eps, it checks for each simulation whether e is within [d - eps, d + eps]

[[File:Estimation.png|400px]]

SimB

2025-02-19T18:44:58Z

Vella: /* Probabilistic Choice */

== SimB ==

Additional documentation is available here: [https://github.com/hhu-stups/prob2_ui/blob/develop/src/main/helpsources/help_en/Main%20Menu/Advanced/SimB.md SimB Documentation]

SimB is a simulator built on top of ProB. It is available in the latest SNAPSHOT version in the new JavaFX based user interface [[ProB2-UI]] (https://github.com/hhu-stups/prob2_ui), The modeler can write SimB annotations for a formal model to simulate it. Examples are available at https://github.com/favu100/SimB-examples.
Furthermore, it is then possible to validate probabilistic and timing properties with statistical validation techniques such as hypothesis testing and estimation.

SimB also contains a feature called interactive simulation.
This feature allows user interaction to trigger a simulation.
For interactive simulation, a modeler has to encode SimB listeners on events, triggering a SimB simulation.
Interactive Simulation examples are available at https://github.com/favu100/SimB-examples/tree/main/Interactive_Examples.

More recently, SimB is extended by a new feature which makes it possible to load an Reinforcement learning Agent.
Technically, each step of the RL agent is converted into a SimB activation.
In order to simulate a RL agent in SimB, one must (1) create a formal B model for the RL agent, and (2) create a mapping between the state in the RL agent and the formal model, and (3) provide information to the formal B model again.
Reinforcement Learning examples are available at: https://github.com/hhu-stups/reinforcement-learning-b-models

== Citing SimB ==
To cite SimB as a tool, its timing or probabilistic simulation features, or SimBs statistical validation techniques, please use:
<pre>
@InProceedings{simb,
Author = {Vu, Fabian and Leuschel, Michael and Mashkoor, Atif},
Title = {{Validation of Formal Models by Timed Probabilistic Simulation}},
Booktitle = {Proceedings ABZ},
Year = 2021,
Series = {LNCS},
Volume = {12709},
Pages = {81--96}
}
</pre>

To cite SimBs interactive simulation, please use:

<pre>
@InProceedings{simb,
Author = {Vu, Fabian and Leuschel, Michael},
Title = {{Validation of Formal Models by Interactive Simulation}},
Booktitle = {Proceedings ABZ},
Year = 2023
Series = {LNCS},
Volume = {14010},
Pages = {59--69}
}
</pre>

==Using SimB ==

Start SimB via "SimB" in the "Advanced" Menu after opening a machine.

[[File:Open_SimB.png|800px]]

Now, you can open a SimB file (JSON format) controlling the underlying formal model.

[[File:SimB_Window.png|800px]]

A SimB file consists of SimB activations and SimB listeners to simulate the model.
SimB activations encode an activation diagram with probabilistic and timing elements for automatic simulation.
To enable interactive simulation, it is also necessary to encode interactive elements aka. SimB listeners which trigger other SimB activations.
Within these elements, the modeler can user B expressions which are evaluated on the current state.

The general structure of a SimB simulation is as follows:

<pre>
{
"activations": [...]
"listeners": [...]
}
</pre>

<tt>activations</tt> stores SimB activations, while <tt>listeners</tt> stores SimB listeners.
<tt>activations</tt> must be encoded, <tt>listeners</tt> is optional and defaults to the empty list.

== Probabilistic and Timing Elements in SimB ==

The SimB file always contains an <tt>activations</tt> field storing a list of probabilistic and timing elements to control the simulation. Probabilistic values are always evaluated to ensure that the sum of all possibilities is always 1. Otherwise an error will be thrown at runtime.
There are two types of activations: direct activation and probabilistic choice.
All activations are identified by their <tt>id</tt>.

===Direct Activation ===

A direct activation activates an event to be executed in the future.
It requires the fields <tt>id</tt>, and <tt>execute</tt> to be defined.
All other fields can be defined optionally.

* <tt>execute</tt> identifies the activated event by its name.
* <tt>after</tt> defines the scheduled time (in ms) when activating an event. By default, it is set to 0 ms, e.g., when this field is not defined explicitly.
* <tt>activating</tt> stores events that will be activated when executing the event defined by <tt>execute</tt>. Missing definition leads to the behavior that no other events are activated. The modeler can either write a String (to activate a single event) or a list of Strings (to activate multiple events)
* <tt>activationKind</tt> stores the kind of activation for <tt>execute</tt>. Possible options are <tt>multi</tt>, <tt>single</tt>, <tt>single:min</tt>, and <tt>single:max</tt>. The default value is <tt>multi</tt>
** <tt>multi</tt> means that the activation will be queued for execution.
** <tt>single</tt> means that the activation will only be queued if there are no queued activations with the same <tt>id</tt>
** <tt>single:min</tt> means that the activation will only be queued if (1) there are no queued activations for the same <tt>id</tt> or (2) there is a queued activation with the same <tt>id</tt> whose value for the scheduled time is greater. In the case of (2), the already queued activation will be discarded.
** <tt>single:max</tt> means that the activation will only be queued if (1) there are no queued activations for the same <tt>id</tt> or (2) there is a queued activation with the same <tt>id</tt> whose value for the scheduled time is lower. In the case of (2), the already queued activation will be discarded.
* <tt>additionalGuards</tt> stores optional guards when executing the event stored in <tt>execute</tt>
* <tt>fixedVariables</tt> stores a Map. Here, a variable (parameter, or non-deterministic assigned variable) is assigned to its value.
* <tt>probabilisticVariables</tt>stores a Map. Here a variable (parameter, or non-deterministic assigned variable) is assigned to another Map defining the probabilistic choice of its value. The second Map stores Key-Value pairs where values are mapped to the probability.
* <tt>transitionSelection</tt> determines how SimB choses from multiple possible transitions (due to not specified variables):
** <tt>first</tt> (the default) means that the first transition is chosen for execution.
** <tt>uniform</tt> means that a transition is selected from all alternatives uniformly.
* <tt>priority</tt> stores the priority for scheduling <tt>execute</tt>. Lower number means greater priority.

<pre>
{
"id": ...
"execute": ...
"after": ...
"activating": ...
"activationKind": ...
"additionalGuards": ...
"fixedVariables": ....
"probabilisticVariables": ....
"priority": ...
}
</pre>

=== Probabilistic Choice ===

A probabilistic choice selects an event to be executed in the future.
It requires the two fields <tt>id</tt>, and <tt>chooseActivation</tt>. <tt>chooseActivation</tt> is a Map storing Key-Value pairs where activations (identified by their <tt>id</tt>) are mapped to a probability/weight. It is possible to chain multiple probabilistic choices together, but eventually, a direct activation must be reached.
The probabilities are always interpreted as weights and may sum to any number greater than zero.
Thus, a <tt>probabilistic choice</tt> is of the following form:

<pre>
{
"id": ...
"chooseActivation": ...
}
</pre>

In the following, an example for a SimB file controlling a Traffic Lights for cars and pedestrians (with timing and probabilistic behavior) is shown:

<pre>
{
"activations": [
{"id":"$initialise_machine", "execute":"$initialise_machine", "activating":"choose"},
{"id":"choose", "chooseActivation":{"cars_ry": "0.8", "peds_g": "0.2"}},
{"id":"cars_ry", "execute":"cars_ry", "after":5000, "activating":"cars_g"},
{"id":"cars_g", "execute":"cars_g", "after":500, "activating":"cars_y"},
{"id":"cars_y", "execute":"cars_y", "after":5000, "activating":"cars_r"},
{"id":"cars_r", "execute":"cars_r", "after":500, "activating":"choose"},
{"id":"peds_g", "execute":"peds_g", "after":5000, "activating":"peds_r"},
{"id":"peds_r", "execute":"peds_r", "after":5000, "activating":"choose"}
]
}
</pre>

== Interactive Elements in SimB ==

Interactive elements in SimB are so called SimB listeners.
A SimB listener consists of four fields <tt>id</tt>, <tt>event</tt>, <tt>predicate</tt>, and <tt>activating</tt>.
This means that the SimB listener associated with <tt>id</tt> listens on a manual/user interaction on <tt>event</tt> with <tt>predicate</tt> after which activations in <tt>activating</tt> are triggered.
<tt>predicate</tt> is optional and defaults to <tt>1=1</tt>.
Manual/User interaction is recognized via VisB and ProB's Operations View.

<pre>
{
"id": ...
"event": ...
"predicate": ...
"activating": [...]
}
</pre>

In the following, we parts of a SimB simulation from an automotive case study.
The SimB simulation contains a SimB listener which is linked to two activations.
The case study models the car's lighting system controlled by pitman controller, the key ignition, and the warning lights button.

The SimB listeners states that SimB listens on user interaction on the event <tt>ENV_Pitman_DirectionBlinking</tt>, to trigger two SimB activations <tt>blinking_on</tt> and blinking_off afterward.
Practically, this means that a driver's input on the pitman for direction blinking activates the blinking cycle for the corresponding direction indicators.

<pre>
{
"activations": [
{
"id": "blinking_on",
"execute": "RTIME_BlinkerOn",
"after": "curDeadlines(blink_deadline)",
"activating" : "blinking_off",
...
},
{
"id": "blinking_off",
"execute": "RTIME_BlinkerOff",
"after": "curDeadlines(blink_deadline)",
"activating" : "blinking_on",
...
},
...
]
"listeners": [
{
"id": "start_blinking",
"event": "ENV_Pitman_DirectionBlinking",
"activating" : ["blinking_on", "blinking_off"]
}
]
}
</pre>

== Reinforcement Learning Agent in SimB ==

Instead of loading a SimB simulation as a JSON file, one can also load a Reinforcement Learning
agent implemented in Python (.py).
For the simulation to work, one has to apply the following steps:

1. Train a model of a Reinforcement Learning agent.

2. Create a formal B model (including safety shield) for the RL agent.

The operations represent the actions the RL agent can choose from. The formal model's state mainly represents the state of the environment.
Safety shields are encoded by the operations' guards which are provided to the RL agent. Enabled operations are considered to be safe. Thus, the RL agent chooses the enabled operation/action with the highest predicted reward.
The operations' substitutions model the desired behavior of the respective actions.

An example for the FASTER of a HighwayEnvironment is as follows:
<pre>
FASTER =
PRE
¬(∃v. (v ∈ PresentVehicles \ {EgoVehicle} ∧ VehiclesX(v) > 0.0 ∧ VehiclesX(v) < 45.0 ∧
VehiclesY(v) < 3.5 ∧ VehiclesY(v) > -3.5))
THEN
Crash :∈ BOOL ||
PresentVehicles :∈ P(Vehicles) ;
VehiclesX :∈ Vehicles → R ||
VehiclesY :∈ Vehicles → R ||
VehiclesVx :| (VehiclesVx ∈ PresentVehicles → R ∧
VehiclesVx(EgoVehicle) ≥ VehiclesVx’(EgoVehicle) - 0.05) ||
VehiclesVy :∈ Vehicles → R ||
VehiclesAx :| (VehiclesAx ∈ PresentVehicles → R ∧ VehiclesAx(EgoVehicle) ≥ -0.05) ||
VehiclesAy :∈ Vehicles → R ||
Reward :∈ R
END
</pre>

Lines 2-4 shows the operation's guard which is used as safety shield.

Lines 6-15 shows the operation's substitution describing the desired behavior after executing FASTER.

3. Implement the mapping between the RL agent in Python and the formal B model.
This includes the mapping of actions to operations, and the mapping of information from the RL agent, particularly the environment and observation, to the variables.

An example for the mapping of actions to operations is as follows:
<pre>
action_names = {
0: "LANE_LEFT",
1: "IDLE",
2: "LANE_RIGHT",
3: "FASTER",
4: "SLOWER"
}
</pre>

Here, one can see that the numbers representing the actions in the RL agents are mapped to the corresponding operation names in the formal B model.

An example for a mapping to a variable in the formal B model is as follows:

<pre>
def get_VehiclesX(obs):
return "{{EgoVehicle |-> {0}, Vehicles2 |-> {1}, Vehicles3 |-> {2},
Vehicles4 |-> {3}, Vehicles5 |-> {4}}}"
.format(obs[0][1]*200, obs[1][1]*200, obs[2][1]*200,
obs[3][1]*200, obs[4][1]*200) # Implemented manually
</pre>

Remark: While the getter for the variable is generated by B2Program, the function for the mapping is implemented manually.

4. Implement necessary messages sent between the ProB animator and the RL agent.
Simulation should be a while-loop which runs while the simulation has not finished.

* 1st message: Sent from ProB Animator: List of enabled operations
** Meanwhile RL agent predicts enabled operation with highest reward
* 2nd message: Sent from RL agent: Name of chosen action/operation
* 3rd message: Sent from RL agent: Time until executing chosen action/operation
* 4th message: Sent from RL agent: Succeeding B state as a predicate
* 5th message: Sent from RL agent: Boolean flag describing whether simulation is finished

Example code (line 70 - 113; particularly 86 - 113): https://github.com/hhu-stups/reinforcement-learning-b-models/blob/main/HighwayEnvironment/HighwayEnvironment.py

To generate a RL agent for SimB, one can use the high-level code generator B2Program: https://github.com/favu100/b2program

Given a formal B model, B2Program generates an RL agent which loads a given trained model and execute the necessary steps. This includes the fourth step described before.
The third step still has to be implemented; in this step, B2Program only generates the templates for the mappings which are then completed manually.

== Validation ==

=== Real-Time Simulation ===

Using a SimB file, the modeler can play a single simulation on the underlying model in real-time.
The modeler can then manually check whether the model behaves as desired. Combining [[VisB]] and SimB, a simulation can be seen as an animated picture similar to a GIF picture.
This gives the domain expert even a better understanding of the model.
With SimB listeners, it is also possible to encode simulations that are triggered by manual/user actions.

A Traffic Light example (based on the SimB file shown in [[SimB|Using_SimB]] ) simulating the first 21 seconds is shown below.

[[File:TrafficLight_Simulation.gif|800px]]

=== Timed Trace Replay ===

Based on a single simulation, the modeler can generate a timed trace which is also stored in the SimB format. Afterwards, it can be used to replay a scenario. similar to real-time simulation.

Below, the resulting timed trace for the scenario in [[SimB|Real-Time Simulation]] is shown

<pre>
{
"activations": [
{
"execute": "$initialise_machine",
"after": "0",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": {
"tl_cars": "red",
"tl_peds": "red"
},
"probabilisticVariables": null,
"activating": [
"cars_ry_1"
],
"id": "$initialise_machine"
},
{
"execute": "cars_ry",
"after": "5000",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": null,
"probabilisticVariables": null,
"activating": [
"cars_g_2"
],
"id": "cars_ry_1"
},
{
"execute": "cars_g",
"after": "500",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": null,
"probabilisticVariables": null,
"activating": [
"cars_y_3"
],
"id": "cars_g_2"
},
{
"execute": "cars_y",
"after": "5000",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": null,
"probabilisticVariables": null,
"activating": [
"cars_r_4"
],
"id": "cars_y_3"
},
{
"execute": "cars_r",
"after": "500",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": null,
"probabilisticVariables": null,
"activating": [
"peds_g_5"
],
"id": "cars_r_4"
},
{
"execute": "peds_g",
"after": "5000",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": null,
"probabilisticVariables": null,
"activating": [
"peds_r_6"
],
"id": "peds_g_5"
},
{
"execute": "peds_r",
"after": "5000",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": null,
"probabilisticVariables": null,
"activating": null,
"id": "peds_r_6"
}
],
"metadata": {
"fileType": "Timed_Trace",
"formatVersion": 1,
"savedAt": "2021-03-03T11:04:08.460477Z",
"creator": "User",
"proB2KernelVersion": "4.0.0-SNAPSHOT",
"proBCliVersion": null,
"modelName": null
}
}

</pre>

=== Monte Carlo Simulation ===

It is also possible to apply Monte Carlo simulation to generate a certain number of simulations.
Here, all simulations are played without real time. However, it is possible for the user, to replay the generated scenarios with real-time afterwards.

The input parameters are:

* Number of Simulations defines the number of simulations to be generated.
* Max Steps Before Start defines the number of steps before taking into account the starting and ending conditions.
* Starting Condition defines condition to simulate until before taking Ending Condition into account. It is either defined by a No Condition, Number of Steps, Starting Time or Starting Predicate.
* Ending Condition defines condition to simulate until after taking Starting Condition into account (defines the last transition of the simulation). It is either defined by a Number of Steps, Ending Time or Ending Predicate
* Check defines the check to apply for the simulation. Monte Carlo Simulation means that there are no checks to be applied, while the other options are Hypothesis Testing and Estimation

[[File:MonteCarloSimulation.png|400px]]

Furthermore, there are two statistical validation techniques that can be applied based on Monte Carlo simulations: Hypothesis Testing and Estimation.

=== Hypothesis Testing ===

Hypothesis Testing expects the same parameters as Monte Carlo Simulation: Max Steps before Simulation, Number of Simulations, Starting Condition and Ending Condition.

The additional input parameters for Hypothesis Testing are:

* Property defines the property to be checked between Starting Condition and Ending Condition for each simulation. Possible configurations are:
** All Invariants can be used to check all invariants.
** Predicate as Invariant can be used to provide a predicate to be checked whether it is always true.
** Final Predicate can be used to provide a predicate to be checked in the final state of a simulation.
** Predicate Eventually can be used to provide a predicate to be checked whether it is eventually true.
** Timing can be used to check the time.

* Hypothesis Check
** Left-tailed hypothesis test
** Right-tailed hypothesis test
** Two-tailed hypothesis test

* Probability (in the hypothesis)
* Significance Level

[[File:HypothesisTesting.png|400px]]

=== Estimation ===

Estimation expects the same parameters as Monte Carlo Simulation: Number of Simulations, Starting Condition and Ending Condition.

The additional input parameters for Estimation are:

* Property defines the property to be checked between Starting Condition and Ending Condition for each simulation. Possible configurations are:
** All Invariants can be used to check all invariants.
** Predicate as Invariant can be used to provide a predicate to be checked whether it is always true.
** Final Predicate can be used to provide a predicate to be checked in the final state of a simulation.
** Predicate Eventually can be used to provide a predicate to be checked whether it is eventually true.
** Timing can be used to check the time.
** Average can be used to check the average value of an expression.
** Sum can be used to check the sum of an expression.
* Estimator
** Minimum Estimator returns the minimum estimated value from all simulated runs.
** Mean Estimator returns the mean estimated value from all simulated runs.
** Maximum Estimator returns the maximum estimated value from all simulated runs.
* Desired Value
* Epsilon

For an estimated value e, a desired value d, and an epsilon eps, it checks for each simulation whether e is within [d - eps, d + eps]

[[File:Estimation.png|400px]]

SimB

2025-02-19T18:43:33Z

Vella: /* Direct Activation */

== SimB ==

Additional documentation is available here: [https://github.com/hhu-stups/prob2_ui/blob/develop/src/main/helpsources/help_en/Main%20Menu/Advanced/SimB.md SimB Documentation]

SimB is a simulator built on top of ProB. It is available in the latest SNAPSHOT version in the new JavaFX based user interface [[ProB2-UI]] (https://github.com/hhu-stups/prob2_ui), The modeler can write SimB annotations for a formal model to simulate it. Examples are available at https://github.com/favu100/SimB-examples.
Furthermore, it is then possible to validate probabilistic and timing properties with statistical validation techniques such as hypothesis testing and estimation.

SimB also contains a feature called interactive simulation.
This feature allows user interaction to trigger a simulation.
For interactive simulation, a modeler has to encode SimB listeners on events, triggering a SimB simulation.
Interactive Simulation examples are available at https://github.com/favu100/SimB-examples/tree/main/Interactive_Examples.

More recently, SimB is extended by a new feature which makes it possible to load an Reinforcement learning Agent.
Technically, each step of the RL agent is converted into a SimB activation.
In order to simulate a RL agent in SimB, one must (1) create a formal B model for the RL agent, and (2) create a mapping between the state in the RL agent and the formal model, and (3) provide information to the formal B model again.
Reinforcement Learning examples are available at: https://github.com/hhu-stups/reinforcement-learning-b-models

== Citing SimB ==
To cite SimB as a tool, its timing or probabilistic simulation features, or SimBs statistical validation techniques, please use:
<pre>
@InProceedings{simb,
Author = {Vu, Fabian and Leuschel, Michael and Mashkoor, Atif},
Title = {{Validation of Formal Models by Timed Probabilistic Simulation}},
Booktitle = {Proceedings ABZ},
Year = 2021,
Series = {LNCS},
Volume = {12709},
Pages = {81--96}
}
</pre>

To cite SimBs interactive simulation, please use:

<pre>
@InProceedings{simb,
Author = {Vu, Fabian and Leuschel, Michael},
Title = {{Validation of Formal Models by Interactive Simulation}},
Booktitle = {Proceedings ABZ},
Year = 2023
Series = {LNCS},
Volume = {14010},
Pages = {59--69}
}
</pre>

==Using SimB ==

Start SimB via "SimB" in the "Advanced" Menu after opening a machine.

[[File:Open_SimB.png|800px]]

Now, you can open a SimB file (JSON format) controlling the underlying formal model.

[[File:SimB_Window.png|800px]]

A SimB file consists of SimB activations and SimB listeners to simulate the model.
SimB activations encode an activation diagram with probabilistic and timing elements for automatic simulation.
To enable interactive simulation, it is also necessary to encode interactive elements aka. SimB listeners which trigger other SimB activations.
Within these elements, the modeler can user B expressions which are evaluated on the current state.

The general structure of a SimB simulation is as follows:

<pre>
{
"activations": [...]
"listeners": [...]
}
</pre>

<tt>activations</tt> stores SimB activations, while <tt>listeners</tt> stores SimB listeners.
<tt>activations</tt> must be encoded, <tt>listeners</tt> is optional and defaults to the empty list.

== Probabilistic and Timing Elements in SimB ==

The SimB file always contains an <tt>activations</tt> field storing a list of probabilistic and timing elements to control the simulation. Probabilistic values are always evaluated to ensure that the sum of all possibilities is always 1. Otherwise an error will be thrown at runtime.
There are two types of activations: direct activation and probabilistic choice.
All activations are identified by their <tt>id</tt>.

===Direct Activation ===

A direct activation activates an event to be executed in the future.
It requires the fields <tt>id</tt>, and <tt>execute</tt> to be defined.
All other fields can be defined optionally.

* <tt>execute</tt> identifies the activated event by its name.
* <tt>after</tt> defines the scheduled time (in ms) when activating an event. By default, it is set to 0 ms, e.g., when this field is not defined explicitly.
* <tt>activating</tt> stores events that will be activated when executing the event defined by <tt>execute</tt>. Missing definition leads to the behavior that no other events are activated. The modeler can either write a String (to activate a single event) or a list of Strings (to activate multiple events)
* <tt>activationKind</tt> stores the kind of activation for <tt>execute</tt>. Possible options are <tt>multi</tt>, <tt>single</tt>, <tt>single:min</tt>, and <tt>single:max</tt>. The default value is <tt>multi</tt>
** <tt>multi</tt> means that the activation will be queued for execution.
** <tt>single</tt> means that the activation will only be queued if there are no queued activations with the same <tt>id</tt>
** <tt>single:min</tt> means that the activation will only be queued if (1) there are no queued activations for the same <tt>id</tt> or (2) there is a queued activation with the same <tt>id</tt> whose value for the scheduled time is greater. In the case of (2), the already queued activation will be discarded.
** <tt>single:max</tt> means that the activation will only be queued if (1) there are no queued activations for the same <tt>id</tt> or (2) there is a queued activation with the same <tt>id</tt> whose value for the scheduled time is lower. In the case of (2), the already queued activation will be discarded.
* <tt>additionalGuards</tt> stores optional guards when executing the event stored in <tt>execute</tt>
* <tt>fixedVariables</tt> stores a Map. Here, a variable (parameter, or non-deterministic assigned variable) is assigned to its value.
* <tt>probabilisticVariables</tt>stores a Map. Here a variable (parameter, or non-deterministic assigned variable) is assigned to another Map defining the probabilistic choice of its value. The second Map stores Key-Value pairs where values are mapped to the probability.
* <tt>transitionSelection</tt> determines how SimB choses from multiple possible transitions (due to not specified variables):
** <tt>first</tt> (the default) means that the first transition is chosen for execution.
** <tt>uniform</tt> means that a transition is selected from all alternatives uniformly.
* <tt>priority</tt> stores the priority for scheduling <tt>execute</tt>. Lower number means greater priority.

<pre>
{
"id": ...
"execute": ...
"after": ...
"activating": ...
"activationKind": ...
"additionalGuards": ...
"fixedVariables": ....
"probabilisticVariables": ....
"priority": ...
}
</pre>

=== Probabilistic Choice ===

A probabilistic choice selects an event to be executed in the future.
It requires the two fields <tt>id</tt>, and <tt>chooseActivation</tt>. <tt>chooseActivation</tt> is a Map storing Key-Value pairs where activations (identified by their <tt>id</tt>) are mapped to a probability. It is possible to chain multiple probabilistic choices together, but eventually, a direct activation must be reached.

<pre>
{
"id": ...
"chooseActivation": ...
}
</pre>

In the following, an example for a SimB file controlling a Traffic Lights for cars and pedestrians (with timing and probabilistic behavior) is shown:

<pre>
{
"activations": [
{"id":"$initialise_machine", "execute":"$initialise_machine", "activating":"choose"},
{"id":"choose", "chooseActivation":{"cars_ry": "0.8", "peds_g": "0.2"}},
{"id":"cars_ry", "execute":"cars_ry", "after":5000, "activating":"cars_g"},
{"id":"cars_g", "execute":"cars_g", "after":500, "activating":"cars_y"},
{"id":"cars_y", "execute":"cars_y", "after":5000, "activating":"cars_r"},
{"id":"cars_r", "execute":"cars_r", "after":500, "activating":"choose"},
{"id":"peds_g", "execute":"peds_g", "after":5000, "activating":"peds_r"},
{"id":"peds_r", "execute":"peds_r", "after":5000, "activating":"choose"}
]
}
</pre>

== Interactive Elements in SimB ==

Interactive elements in SimB are so called SimB listeners.
A SimB listener consists of four fields <tt>id</tt>, <tt>event</tt>, <tt>predicate</tt>, and <tt>activating</tt>.
This means that the SimB listener associated with <tt>id</tt> listens on a manual/user interaction on <tt>event</tt> with <tt>predicate</tt> after which activations in <tt>activating</tt> are triggered.
<tt>predicate</tt> is optional and defaults to <tt>1=1</tt>.
Manual/User interaction is recognized via VisB and ProB's Operations View.

<pre>
{
"id": ...
"event": ...
"predicate": ...
"activating": [...]
}
</pre>

In the following, we parts of a SimB simulation from an automotive case study.
The SimB simulation contains a SimB listener which is linked to two activations.
The case study models the car's lighting system controlled by pitman controller, the key ignition, and the warning lights button.

The SimB listeners states that SimB listens on user interaction on the event <tt>ENV_Pitman_DirectionBlinking</tt>, to trigger two SimB activations <tt>blinking_on</tt> and blinking_off afterward.
Practically, this means that a driver's input on the pitman for direction blinking activates the blinking cycle for the corresponding direction indicators.

<pre>
{
"activations": [
{
"id": "blinking_on",
"execute": "RTIME_BlinkerOn",
"after": "curDeadlines(blink_deadline)",
"activating" : "blinking_off",
...
},
{
"id": "blinking_off",
"execute": "RTIME_BlinkerOff",
"after": "curDeadlines(blink_deadline)",
"activating" : "blinking_on",
...
},
...
]
"listeners": [
{
"id": "start_blinking",
"event": "ENV_Pitman_DirectionBlinking",
"activating" : ["blinking_on", "blinking_off"]
}
]
}
</pre>

== Reinforcement Learning Agent in SimB ==

Instead of loading a SimB simulation as a JSON file, one can also load a Reinforcement Learning
agent implemented in Python (.py).
For the simulation to work, one has to apply the following steps:

1. Train a model of a Reinforcement Learning agent.

2. Create a formal B model (including safety shield) for the RL agent.

The operations represent the actions the RL agent can choose from. The formal model's state mainly represents the state of the environment.
Safety shields are encoded by the operations' guards which are provided to the RL agent. Enabled operations are considered to be safe. Thus, the RL agent chooses the enabled operation/action with the highest predicted reward.
The operations' substitutions model the desired behavior of the respective actions.

An example for the FASTER of a HighwayEnvironment is as follows:
<pre>
FASTER =
PRE
¬(∃v. (v ∈ PresentVehicles \ {EgoVehicle} ∧ VehiclesX(v) > 0.0 ∧ VehiclesX(v) < 45.0 ∧
VehiclesY(v) < 3.5 ∧ VehiclesY(v) > -3.5))
THEN
Crash :∈ BOOL ||
PresentVehicles :∈ P(Vehicles) ;
VehiclesX :∈ Vehicles → R ||
VehiclesY :∈ Vehicles → R ||
VehiclesVx :| (VehiclesVx ∈ PresentVehicles → R ∧
VehiclesVx(EgoVehicle) ≥ VehiclesVx’(EgoVehicle) - 0.05) ||
VehiclesVy :∈ Vehicles → R ||
VehiclesAx :| (VehiclesAx ∈ PresentVehicles → R ∧ VehiclesAx(EgoVehicle) ≥ -0.05) ||
VehiclesAy :∈ Vehicles → R ||
Reward :∈ R
END
</pre>

Lines 2-4 shows the operation's guard which is used as safety shield.

Lines 6-15 shows the operation's substitution describing the desired behavior after executing FASTER.

3. Implement the mapping between the RL agent in Python and the formal B model.
This includes the mapping of actions to operations, and the mapping of information from the RL agent, particularly the environment and observation, to the variables.

An example for the mapping of actions to operations is as follows:
<pre>
action_names = {
0: "LANE_LEFT",
1: "IDLE",
2: "LANE_RIGHT",
3: "FASTER",
4: "SLOWER"
}
</pre>

Here, one can see that the numbers representing the actions in the RL agents are mapped to the corresponding operation names in the formal B model.

An example for a mapping to a variable in the formal B model is as follows:

<pre>
def get_VehiclesX(obs):
return "{{EgoVehicle |-> {0}, Vehicles2 |-> {1}, Vehicles3 |-> {2},
Vehicles4 |-> {3}, Vehicles5 |-> {4}}}"
.format(obs[0][1]*200, obs[1][1]*200, obs[2][1]*200,
obs[3][1]*200, obs[4][1]*200) # Implemented manually
</pre>

Remark: While the getter for the variable is generated by B2Program, the function for the mapping is implemented manually.

4. Implement necessary messages sent between the ProB animator and the RL agent.
Simulation should be a while-loop which runs while the simulation has not finished.

* 1st message: Sent from ProB Animator: List of enabled operations
** Meanwhile RL agent predicts enabled operation with highest reward
* 2nd message: Sent from RL agent: Name of chosen action/operation
* 3rd message: Sent from RL agent: Time until executing chosen action/operation
* 4th message: Sent from RL agent: Succeeding B state as a predicate
* 5th message: Sent from RL agent: Boolean flag describing whether simulation is finished

Example code (line 70 - 113; particularly 86 - 113): https://github.com/hhu-stups/reinforcement-learning-b-models/blob/main/HighwayEnvironment/HighwayEnvironment.py

To generate a RL agent for SimB, one can use the high-level code generator B2Program: https://github.com/favu100/b2program

Given a formal B model, B2Program generates an RL agent which loads a given trained model and execute the necessary steps. This includes the fourth step described before.
The third step still has to be implemented; in this step, B2Program only generates the templates for the mappings which are then completed manually.

== Validation ==

=== Real-Time Simulation ===

Using a SimB file, the modeler can play a single simulation on the underlying model in real-time.
The modeler can then manually check whether the model behaves as desired. Combining [[VisB]] and SimB, a simulation can be seen as an animated picture similar to a GIF picture.
This gives the domain expert even a better understanding of the model.
With SimB listeners, it is also possible to encode simulations that are triggered by manual/user actions.

A Traffic Light example (based on the SimB file shown in [[SimB|Using_SimB]] ) simulating the first 21 seconds is shown below.

[[File:TrafficLight_Simulation.gif|800px]]

=== Timed Trace Replay ===

Based on a single simulation, the modeler can generate a timed trace which is also stored in the SimB format. Afterwards, it can be used to replay a scenario. similar to real-time simulation.

Below, the resulting timed trace for the scenario in [[SimB|Real-Time Simulation]] is shown

<pre>
{
"activations": [
{
"execute": "$initialise_machine",
"after": "0",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": {
"tl_cars": "red",
"tl_peds": "red"
},
"probabilisticVariables": null,
"activating": [
"cars_ry_1"
],
"id": "$initialise_machine"
},
{
"execute": "cars_ry",
"after": "5000",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": null,
"probabilisticVariables": null,
"activating": [
"cars_g_2"
],
"id": "cars_ry_1"
},
{
"execute": "cars_g",
"after": "500",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": null,
"probabilisticVariables": null,
"activating": [
"cars_y_3"
],
"id": "cars_g_2"
},
{
"execute": "cars_y",
"after": "5000",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": null,
"probabilisticVariables": null,
"activating": [
"cars_r_4"
],
"id": "cars_y_3"
},
{
"execute": "cars_r",
"after": "500",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": null,
"probabilisticVariables": null,
"activating": [
"peds_g_5"
],
"id": "cars_r_4"
},
{
"execute": "peds_g",
"after": "5000",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": null,
"probabilisticVariables": null,
"activating": [
"peds_r_6"
],
"id": "peds_g_5"
},
{
"execute": "peds_r",
"after": "5000",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": null,
"probabilisticVariables": null,
"activating": null,
"id": "peds_r_6"
}
],
"metadata": {
"fileType": "Timed_Trace",
"formatVersion": 1,
"savedAt": "2021-03-03T11:04:08.460477Z",
"creator": "User",
"proB2KernelVersion": "4.0.0-SNAPSHOT",
"proBCliVersion": null,
"modelName": null
}
}

</pre>

=== Monte Carlo Simulation ===

It is also possible to apply Monte Carlo simulation to generate a certain number of simulations.
Here, all simulations are played without real time. However, it is possible for the user, to replay the generated scenarios with real-time afterwards.

The input parameters are:

* Number of Simulations defines the number of simulations to be generated.
* Max Steps Before Start defines the number of steps before taking into account the starting and ending conditions.
* Starting Condition defines condition to simulate until before taking Ending Condition into account. It is either defined by a No Condition, Number of Steps, Starting Time or Starting Predicate.
* Ending Condition defines condition to simulate until after taking Starting Condition into account (defines the last transition of the simulation). It is either defined by a Number of Steps, Ending Time or Ending Predicate
* Check defines the check to apply for the simulation. Monte Carlo Simulation means that there are no checks to be applied, while the other options are Hypothesis Testing and Estimation

[[File:MonteCarloSimulation.png|400px]]

Furthermore, there are two statistical validation techniques that can be applied based on Monte Carlo simulations: Hypothesis Testing and Estimation.

=== Hypothesis Testing ===

Hypothesis Testing expects the same parameters as Monte Carlo Simulation: Max Steps before Simulation, Number of Simulations, Starting Condition and Ending Condition.

The additional input parameters for Hypothesis Testing are:

* Property defines the property to be checked between Starting Condition and Ending Condition for each simulation. Possible configurations are:
** All Invariants can be used to check all invariants.
** Predicate as Invariant can be used to provide a predicate to be checked whether it is always true.
** Final Predicate can be used to provide a predicate to be checked in the final state of a simulation.
** Predicate Eventually can be used to provide a predicate to be checked whether it is eventually true.
** Timing can be used to check the time.

* Hypothesis Check
** Left-tailed hypothesis test
** Right-tailed hypothesis test
** Two-tailed hypothesis test

* Probability (in the hypothesis)
* Significance Level

[[File:HypothesisTesting.png|400px]]

=== Estimation ===

Estimation expects the same parameters as Monte Carlo Simulation: Number of Simulations, Starting Condition and Ending Condition.

The additional input parameters for Estimation are:

* Property defines the property to be checked between Starting Condition and Ending Condition for each simulation. Possible configurations are:
** All Invariants can be used to check all invariants.
** Predicate as Invariant can be used to provide a predicate to be checked whether it is always true.
** Final Predicate can be used to provide a predicate to be checked in the final state of a simulation.
** Predicate Eventually can be used to provide a predicate to be checked whether it is eventually true.
** Timing can be used to check the time.
** Average can be used to check the average value of an expression.
** Sum can be used to check the sum of an expression.
* Estimator
** Minimum Estimator returns the minimum estimated value from all simulated runs.
** Mean Estimator returns the mean estimated value from all simulated runs.
** Maximum Estimator returns the maximum estimated value from all simulated runs.
* Desired Value
* Epsilon

For an estimated value e, a desired value d, and an epsilon eps, it checks for each simulation whether e is within [d - eps, d + eps]

[[File:Estimation.png|400px]]

SimB

2025-02-19T18:43:22Z

Vella: /* Direct Activation */

== SimB ==

Additional documentation is available here: [https://github.com/hhu-stups/prob2_ui/blob/develop/src/main/helpsources/help_en/Main%20Menu/Advanced/SimB.md SimB Documentation]

SimB is a simulator built on top of ProB. It is available in the latest SNAPSHOT version in the new JavaFX based user interface [[ProB2-UI]] (https://github.com/hhu-stups/prob2_ui), The modeler can write SimB annotations for a formal model to simulate it. Examples are available at https://github.com/favu100/SimB-examples.
Furthermore, it is then possible to validate probabilistic and timing properties with statistical validation techniques such as hypothesis testing and estimation.

SimB also contains a feature called interactive simulation.
This feature allows user interaction to trigger a simulation.
For interactive simulation, a modeler has to encode SimB listeners on events, triggering a SimB simulation.
Interactive Simulation examples are available at https://github.com/favu100/SimB-examples/tree/main/Interactive_Examples.

More recently, SimB is extended by a new feature which makes it possible to load an Reinforcement learning Agent.
Technically, each step of the RL agent is converted into a SimB activation.
In order to simulate a RL agent in SimB, one must (1) create a formal B model for the RL agent, and (2) create a mapping between the state in the RL agent and the formal model, and (3) provide information to the formal B model again.
Reinforcement Learning examples are available at: https://github.com/hhu-stups/reinforcement-learning-b-models

== Citing SimB ==
To cite SimB as a tool, its timing or probabilistic simulation features, or SimBs statistical validation techniques, please use:
<pre>
@InProceedings{simb,
Author = {Vu, Fabian and Leuschel, Michael and Mashkoor, Atif},
Title = {{Validation of Formal Models by Timed Probabilistic Simulation}},
Booktitle = {Proceedings ABZ},
Year = 2021,
Series = {LNCS},
Volume = {12709},
Pages = {81--96}
}
</pre>

To cite SimBs interactive simulation, please use:

<pre>
@InProceedings{simb,
Author = {Vu, Fabian and Leuschel, Michael},
Title = {{Validation of Formal Models by Interactive Simulation}},
Booktitle = {Proceedings ABZ},
Year = 2023
Series = {LNCS},
Volume = {14010},
Pages = {59--69}
}
</pre>

==Using SimB ==

Start SimB via "SimB" in the "Advanced" Menu after opening a machine.

[[File:Open_SimB.png|800px]]

Now, you can open a SimB file (JSON format) controlling the underlying formal model.

[[File:SimB_Window.png|800px]]

A SimB file consists of SimB activations and SimB listeners to simulate the model.
SimB activations encode an activation diagram with probabilistic and timing elements for automatic simulation.
To enable interactive simulation, it is also necessary to encode interactive elements aka. SimB listeners which trigger other SimB activations.
Within these elements, the modeler can user B expressions which are evaluated on the current state.

The general structure of a SimB simulation is as follows:

<pre>
{
"activations": [...]
"listeners": [...]
}
</pre>

<tt>activations</tt> stores SimB activations, while <tt>listeners</tt> stores SimB listeners.
<tt>activations</tt> must be encoded, <tt>listeners</tt> is optional and defaults to the empty list.

== Probabilistic and Timing Elements in SimB ==

The SimB file always contains an <tt>activations</tt> field storing a list of probabilistic and timing elements to control the simulation. Probabilistic values are always evaluated to ensure that the sum of all possibilities is always 1. Otherwise an error will be thrown at runtime.
There are two types of activations: direct activation and probabilistic choice.
All activations are identified by their <tt>id</tt>.

===Direct Activation ===

A direct activation activates an event to be executed in the future.
It requires the fields <tt>id</tt>, and <tt>execute</tt> to be defined.
All other fields can be defined optionally.

* <tt>execute</tt> identifies the activated event by its name.
* <tt>after</tt> defines the scheduled time (in ms) when activating an event. By default, it is set to 0 ms, e.g., when this field is not defined explicitly.
* <tt>activating</tt> stores events that will be activated when executing the event defined by <tt>execute</tt>. Missing definition leads to the behavior that no other events are activated. The modeler can either write a String (to activate a single event) or a list of Strings (to activate multiple events)
* <tt>activationKind</tt> stores the kind of activation for <tt>execute</tt>. Possible options are <tt>multi</tt>, <tt>single</tt>, <tt>single:min</tt>, and <tt>single:max</tt>. The default value is <tt>multi</tt>
** <tt>multi</tt> means that the activation will be queued for execution.
** <tt>single</tt> means that the activation will only be queued if there are no queued activations with the same <tt>id</tt>
** <tt>single:min</tt> means that the activation will only be queued if (1) there are no queued activations for the same <tt>id</tt> or (2) there is a queued activation with the same <tt>id</tt> whose value for the scheduled time is greater. In the case of (2), the already queued activation will be discarded.
** <tt>single:max</tt> means that the activation will only be queued if (1) there are no queued activations for the same <tt>id</tt> or (2) there is a queued activation with the same <tt>id</tt> whose value for the scheduled time is lower. In the case of (2), the already queued activation will be discarded.
* <tt>additionalGuards</tt> stores optional guards when executing the event stored in <tt>execute</tt>
* <tt>fixedVariables</tt> stores a Map. Here, a variable (parameter, or non-deterministic assigned variable) is assigned to its value.
* <tt>probabilisticVariables</tt>stores a Map. Here a variable (parameter, or non-deterministic assigned variable) is assigned to another Map defining the probabilistic choice of its value. The second Map stores Key-Value pairs where values are mapped to the probability.
- <tt>transitionSelection</tt> determines how SimB choses from multiple possible transitions (due to not specified variables):
** <tt>first</tt> (the default) means that the first transition is chosen for execution.
** <tt>uniform</tt> means that a transition is selected from all alternatives uniformly.
* <tt>priority</tt> stores the priority for scheduling <tt>execute</tt>. Lower number means greater priority.

<pre>
{
"id": ...
"execute": ...
"after": ...
"activating": ...
"activationKind": ...
"additionalGuards": ...
"fixedVariables": ....
"probabilisticVariables": ....
"priority": ...
}
</pre>

=== Probabilistic Choice ===

A probabilistic choice selects an event to be executed in the future.
It requires the two fields <tt>id</tt>, and <tt>chooseActivation</tt>. <tt>chooseActivation</tt> is a Map storing Key-Value pairs where activations (identified by their <tt>id</tt>) are mapped to a probability. It is possible to chain multiple probabilistic choices together, but eventually, a direct activation must be reached.

<pre>
{
"id": ...
"chooseActivation": ...
}
</pre>

In the following, an example for a SimB file controlling a Traffic Lights for cars and pedestrians (with timing and probabilistic behavior) is shown:

<pre>
{
"activations": [
{"id":"$initialise_machine", "execute":"$initialise_machine", "activating":"choose"},
{"id":"choose", "chooseActivation":{"cars_ry": "0.8", "peds_g": "0.2"}},
{"id":"cars_ry", "execute":"cars_ry", "after":5000, "activating":"cars_g"},
{"id":"cars_g", "execute":"cars_g", "after":500, "activating":"cars_y"},
{"id":"cars_y", "execute":"cars_y", "after":5000, "activating":"cars_r"},
{"id":"cars_r", "execute":"cars_r", "after":500, "activating":"choose"},
{"id":"peds_g", "execute":"peds_g", "after":5000, "activating":"peds_r"},
{"id":"peds_r", "execute":"peds_r", "after":5000, "activating":"choose"}
]
}
</pre>

== Interactive Elements in SimB ==

Interactive elements in SimB are so called SimB listeners.
A SimB listener consists of four fields <tt>id</tt>, <tt>event</tt>, <tt>predicate</tt>, and <tt>activating</tt>.
This means that the SimB listener associated with <tt>id</tt> listens on a manual/user interaction on <tt>event</tt> with <tt>predicate</tt> after which activations in <tt>activating</tt> are triggered.
<tt>predicate</tt> is optional and defaults to <tt>1=1</tt>.
Manual/User interaction is recognized via VisB and ProB's Operations View.

<pre>
{
"id": ...
"event": ...
"predicate": ...
"activating": [...]
}
</pre>

In the following, we parts of a SimB simulation from an automotive case study.
The SimB simulation contains a SimB listener which is linked to two activations.
The case study models the car's lighting system controlled by pitman controller, the key ignition, and the warning lights button.

The SimB listeners states that SimB listens on user interaction on the event <tt>ENV_Pitman_DirectionBlinking</tt>, to trigger two SimB activations <tt>blinking_on</tt> and blinking_off afterward.
Practically, this means that a driver's input on the pitman for direction blinking activates the blinking cycle for the corresponding direction indicators.

<pre>
{
"activations": [
{
"id": "blinking_on",
"execute": "RTIME_BlinkerOn",
"after": "curDeadlines(blink_deadline)",
"activating" : "blinking_off",
...
},
{
"id": "blinking_off",
"execute": "RTIME_BlinkerOff",
"after": "curDeadlines(blink_deadline)",
"activating" : "blinking_on",
...
},
...
]
"listeners": [
{
"id": "start_blinking",
"event": "ENV_Pitman_DirectionBlinking",
"activating" : ["blinking_on", "blinking_off"]
}
]
}
</pre>

== Reinforcement Learning Agent in SimB ==

Instead of loading a SimB simulation as a JSON file, one can also load a Reinforcement Learning
agent implemented in Python (.py).
For the simulation to work, one has to apply the following steps:

1. Train a model of a Reinforcement Learning agent.

2. Create a formal B model (including safety shield) for the RL agent.

The operations represent the actions the RL agent can choose from. The formal model's state mainly represents the state of the environment.
Safety shields are encoded by the operations' guards which are provided to the RL agent. Enabled operations are considered to be safe. Thus, the RL agent chooses the enabled operation/action with the highest predicted reward.
The operations' substitutions model the desired behavior of the respective actions.

An example for the FASTER of a HighwayEnvironment is as follows:
<pre>
FASTER =
PRE
¬(∃v. (v ∈ PresentVehicles \ {EgoVehicle} ∧ VehiclesX(v) > 0.0 ∧ VehiclesX(v) < 45.0 ∧
VehiclesY(v) < 3.5 ∧ VehiclesY(v) > -3.5))
THEN
Crash :∈ BOOL ||
PresentVehicles :∈ P(Vehicles) ;
VehiclesX :∈ Vehicles → R ||
VehiclesY :∈ Vehicles → R ||
VehiclesVx :| (VehiclesVx ∈ PresentVehicles → R ∧
VehiclesVx(EgoVehicle) ≥ VehiclesVx’(EgoVehicle) - 0.05) ||
VehiclesVy :∈ Vehicles → R ||
VehiclesAx :| (VehiclesAx ∈ PresentVehicles → R ∧ VehiclesAx(EgoVehicle) ≥ -0.05) ||
VehiclesAy :∈ Vehicles → R ||
Reward :∈ R
END
</pre>

Lines 2-4 shows the operation's guard which is used as safety shield.

Lines 6-15 shows the operation's substitution describing the desired behavior after executing FASTER.

3. Implement the mapping between the RL agent in Python and the formal B model.
This includes the mapping of actions to operations, and the mapping of information from the RL agent, particularly the environment and observation, to the variables.

An example for the mapping of actions to operations is as follows:
<pre>
action_names = {
0: "LANE_LEFT",
1: "IDLE",
2: "LANE_RIGHT",
3: "FASTER",
4: "SLOWER"
}
</pre>

Here, one can see that the numbers representing the actions in the RL agents are mapped to the corresponding operation names in the formal B model.

An example for a mapping to a variable in the formal B model is as follows:

<pre>
def get_VehiclesX(obs):
return "{{EgoVehicle |-> {0}, Vehicles2 |-> {1}, Vehicles3 |-> {2},
Vehicles4 |-> {3}, Vehicles5 |-> {4}}}"
.format(obs[0][1]*200, obs[1][1]*200, obs[2][1]*200,
obs[3][1]*200, obs[4][1]*200) # Implemented manually
</pre>

Remark: While the getter for the variable is generated by B2Program, the function for the mapping is implemented manually.

4. Implement necessary messages sent between the ProB animator and the RL agent.
Simulation should be a while-loop which runs while the simulation has not finished.

* 1st message: Sent from ProB Animator: List of enabled operations
** Meanwhile RL agent predicts enabled operation with highest reward
* 2nd message: Sent from RL agent: Name of chosen action/operation
* 3rd message: Sent from RL agent: Time until executing chosen action/operation
* 4th message: Sent from RL agent: Succeeding B state as a predicate
* 5th message: Sent from RL agent: Boolean flag describing whether simulation is finished

Example code (line 70 - 113; particularly 86 - 113): https://github.com/hhu-stups/reinforcement-learning-b-models/blob/main/HighwayEnvironment/HighwayEnvironment.py

To generate a RL agent for SimB, one can use the high-level code generator B2Program: https://github.com/favu100/b2program

Given a formal B model, B2Program generates an RL agent which loads a given trained model and execute the necessary steps. This includes the fourth step described before.
The third step still has to be implemented; in this step, B2Program only generates the templates for the mappings which are then completed manually.

== Validation ==

=== Real-Time Simulation ===

Using a SimB file, the modeler can play a single simulation on the underlying model in real-time.
The modeler can then manually check whether the model behaves as desired. Combining [[VisB]] and SimB, a simulation can be seen as an animated picture similar to a GIF picture.
This gives the domain expert even a better understanding of the model.
With SimB listeners, it is also possible to encode simulations that are triggered by manual/user actions.

A Traffic Light example (based on the SimB file shown in [[SimB|Using_SimB]] ) simulating the first 21 seconds is shown below.

[[File:TrafficLight_Simulation.gif|800px]]

=== Timed Trace Replay ===

Based on a single simulation, the modeler can generate a timed trace which is also stored in the SimB format. Afterwards, it can be used to replay a scenario. similar to real-time simulation.

Below, the resulting timed trace for the scenario in [[SimB|Real-Time Simulation]] is shown

<pre>
{
"activations": [
{
"execute": "$initialise_machine",
"after": "0",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": {
"tl_cars": "red",
"tl_peds": "red"
},
"probabilisticVariables": null,
"activating": [
"cars_ry_1"
],
"id": "$initialise_machine"
},
{
"execute": "cars_ry",
"after": "5000",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": null,
"probabilisticVariables": null,
"activating": [
"cars_g_2"
],
"id": "cars_ry_1"
},
{
"execute": "cars_g",
"after": "500",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": null,
"probabilisticVariables": null,
"activating": [
"cars_y_3"
],
"id": "cars_g_2"
},
{
"execute": "cars_y",
"after": "5000",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": null,
"probabilisticVariables": null,
"activating": [
"cars_r_4"
],
"id": "cars_y_3"
},
{
"execute": "cars_r",
"after": "500",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": null,
"probabilisticVariables": null,
"activating": [
"peds_g_5"
],
"id": "cars_r_4"
},
{
"execute": "peds_g",
"after": "5000",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": null,
"probabilisticVariables": null,
"activating": [
"peds_r_6"
],
"id": "peds_g_5"
},
{
"execute": "peds_r",
"after": "5000",
"priority": 0,
"additionalGuards": null,
"activationKind": null,
"fixedVariables": null,
"probabilisticVariables": null,
"activating": null,
"id": "peds_r_6"
}
],
"metadata": {
"fileType": "Timed_Trace",
"formatVersion": 1,
"savedAt": "2021-03-03T11:04:08.460477Z",
"creator": "User",
"proB2KernelVersion": "4.0.0-SNAPSHOT",
"proBCliVersion": null,
"modelName": null
}
}

</pre>

=== Monte Carlo Simulation ===

It is also possible to apply Monte Carlo simulation to generate a certain number of simulations.
Here, all simulations are played without real time. However, it is possible for the user, to replay the generated scenarios with real-time afterwards.

The input parameters are:

* Number of Simulations defines the number of simulations to be generated.
* Max Steps Before Start defines the number of steps before taking into account the starting and ending conditions.
* Starting Condition defines condition to simulate until before taking Ending Condition into account. It is either defined by a No Condition, Number of Steps, Starting Time or Starting Predicate.
* Ending Condition defines condition to simulate until after taking Starting Condition into account (defines the last transition of the simulation). It is either defined by a Number of Steps, Ending Time or Ending Predicate
* Check defines the check to apply for the simulation. Monte Carlo Simulation means that there are no checks to be applied, while the other options are Hypothesis Testing and Estimation

[[File:MonteCarloSimulation.png|400px]]

Furthermore, there are two statistical validation techniques that can be applied based on Monte Carlo simulations: Hypothesis Testing and Estimation.

=== Hypothesis Testing ===

Hypothesis Testing expects the same parameters as Monte Carlo Simulation: Max Steps before Simulation, Number of Simulations, Starting Condition and Ending Condition.

The additional input parameters for Hypothesis Testing are:

* Property defines the property to be checked between Starting Condition and Ending Condition for each simulation. Possible configurations are:
** All Invariants can be used to check all invariants.
** Predicate as Invariant can be used to provide a predicate to be checked whether it is always true.
** Final Predicate can be used to provide a predicate to be checked in the final state of a simulation.
** Predicate Eventually can be used to provide a predicate to be checked whether it is eventually true.
** Timing can be used to check the time.

* Hypothesis Check
** Left-tailed hypothesis test
** Right-tailed hypothesis test
** Two-tailed hypothesis test

* Probability (in the hypothesis)
* Significance Level

[[File:HypothesisTesting.png|400px]]

=== Estimation ===

Estimation expects the same parameters as Monte Carlo Simulation: Number of Simulations, Starting Condition and Ending Condition.

The additional input parameters for Estimation are:

* Property defines the property to be checked between Starting Condition and Ending Condition for each simulation. Possible configurations are:
** All Invariants can be used to check all invariants.
** Predicate as Invariant can be used to provide a predicate to be checked whether it is always true.
** Final Predicate can be used to provide a predicate to be checked in the final state of a simulation.
** Predicate Eventually can be used to provide a predicate to be checked whether it is eventually true.
** Timing can be used to check the time.
** Average can be used to check the average value of an expression.
** Sum can be used to check the sum of an expression.
* Estimator
** Minimum Estimator returns the minimum estimated value from all simulated runs.
** Mean Estimator returns the mean estimated value from all simulated runs.
** Maximum Estimator returns the maximum estimated value from all simulated runs.
* Desired Value
* Epsilon

For an estimated value e, a desired value d, and an epsilon eps, it checks for each simulation whether e is within [d - eps, d + eps]

[[File:Estimation.png|400px]]

Summary of B Syntax

2024-06-13T13:07:20Z

Vella: /* Differences with AtelierB/B4Free */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality ===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans ===
<pre>
TRUE truth value (this is an expression)
FALSE falsity value (this is an expression)
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are expression values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets ===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T or S \ T set difference
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers ===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) set product
SIGMA(z).(P|E) set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations ===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0)=id(s) where s=TYPEOF_r)
</pre>

=== Functions ===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences ===
<pre>
[] or <> empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records ===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Identifiers ===
<pre>
ID must start with letter (ASCII or Unicode), can then contain
letters (ASCII or Unicode), digits and underscore (_) and
can end with Unicode subscripts followed by Unicode primes
M.ID composed identifier for identifier coming from included machine M
`ID` an identifier in backquotes can contain almost any character (except newline)
</pre>

=== Strings ===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
In ProB, however, some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse of a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the <tt>STRING_AS_SEQUENCE</tt> preference.
The [[External_Functions|library]] LibraryStrings.def in stdlib contains additional useful external functions
(like <tt>TO_STRING</tt>, <tt>STRING_SPLIT</tt>, <tt>FORMAT_TO_STRING</tt>, <tt>INT_TO_HEX_STRING</tt>, ...).

ProB also allows multi-line strings.

As of version 1.7.0, ProB will support the following escape sequences within strings:
<pre>
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol
</pre>
Within single-line string literals, you do not need to escape <tt>'</tt>.
Within multi-line string literals, you do not need to escape <tt>"</tt> and you can use
tabs and newlines.

ProB assumes that all B machines and strings use the UTF-8 encoding.

=== Reals ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r into an integer
ceiling(r) convert a real r into an integer
</pre>

One can also use a lowercase <tt>e</tt> for literals in scientific notation (e.g. <tt>1.0e-10</tt>).
Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus do not hold.
The [[External_Functions|library]] LibraryReals.def in stdlib contains additional useful external functions
(like <tt>RSIN</tt>, <tt>RCOS</tt>, <tt>RLOG</tt>, <tt>RSQRT</tt>, <tt>RPOW</tt>, ...).
You can turn off support for REALS using the preference <tt>ALLOW_REALS</tt>.
The <tt>REAL_SOLVER</tt> preference how constraints are solved.

=== Trees ===
Nodes in the tree are denoted by index sequences (branches), e.g, <tt>n=[1,2,1]</tt>
Each node in the tree is labelled with an element from a domain S.
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates, expressions and substitutions:
<pre>
IF P THEN E1 END conditional branching
IF P THEN E1 ELSIF E2 END we also allow multiple ELSIF branches
IF P THEN E1 ELSE E2 END but you always need an ELSE branch for expressions and predicates
IF P THEN E1 ELSIF E2 ELSE E3 END
LET x1,... BE x1=E1 & ... IN E END introduce local variables
</pre>
Note: the expression <tt>Ei</tt> defining <tt>xi</tt> is allowed to use <tt>x1,...,x(i-1)</tt> for predicates/expressions.
By setting the preference <tt>ALLOW_COMPLEX_LETS</tt> to <tt>TRUE</tt>, this is also allowed for substitutions.

=== Statements (aka Substitutions) ===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x; previous value of x is x$0)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END
WHILE P1 DO G INVARIANT P2 VARIANT E END
WHEN P THEN G END is a synonym for SELECT P THEN G END
</pre>
&ast;&ast;: cannot be used at the top-level of an operation, but needs to
be wrapped inside a <tt>BEGIN END</tt> or another statement (to avoid
confusion with the operators <tt>;</tt> and <tt>||</tt> on relations).

=== Machine header ===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION
</pre>
Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)

You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.

=== Machine sections ===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
FREETYPES x=x1,x2(arg2),...;...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;...
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION S (substitution)
OPERATIONS O;... (operations)
</pre>

=== Machine inclusion ===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions ===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
"FILE.def"; Include definitions from file
</pre>

There are a few specific definitions which can be used to influence ProB:
<pre>
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
MAX_OPERATIONS_OPNAME == n max. number of enablings for the operation OPNAME
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
HEURISTIC_FUNCTION == n in directed model-checking mode nodes with smalles value will be processed first
</pre>

The following definitions allow providing a custom state visualization (n can be empty or a number):
<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]] (n can be empty or a number):
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records or sets of records like
rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node, ...)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like
color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", style:"filled", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", dir:"none", penwidth:2, edges:e)
</pre>

Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

You can now also use a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes
(replacing CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

You can also provide <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == ... define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == ... define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == ... define a record or set of records for VisB hover functions
VISB_SVG_BOX == ... record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == ... defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set, lambda, union or composition to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are three special descriptions:
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc expand*/ to be put after identifiers (in VARIABLES, CONSTANTS,... section)
indicating that they should be expanded and not kept symbolically
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free ===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- You can apply prj1 and prj2 without providing the type arguments, e.g., prj2(prj1(1|->2|->3))
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead)
ProB now allows btrue and bfalse to be used as predicates.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

If you discover more differences, please let us know!

=== Other notes ===
<pre>
ProB now supports the Unicode mathematical symbols, exactly like Atelier-B
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS),
!(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T12:51:06Z

Vella: /* Other notes */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality ===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans ===
<pre>
TRUE truth value (this is an expression)
FALSE falsity value (this is an expression)
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are expression values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets ===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T or S \ T set difference
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers ===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) set product
SIGMA(z).(P|E) set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations ===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0)=id(s) where s=TYPEOF_r)
</pre>

=== Functions ===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences ===
<pre>
[] or <> empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records ===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Identifiers ===
<pre>
ID must start with letter (ASCII or Unicode), can then contain
letters (ASCII or Unicode), digits and underscore (_) and
can end with Unicode subscripts followed by Unicode primes
M.ID composed identifier for identifier coming from included machine M
`ID` an identifier in backquotes can contain almost any character (except newline)
</pre>

=== Strings ===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
In ProB, however, some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse of a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the <tt>STRING_AS_SEQUENCE</tt> preference.
The [[External_Functions|library]] LibraryStrings.def in stdlib contains additional useful external functions
(like <tt>TO_STRING</tt>, <tt>STRING_SPLIT</tt>, <tt>FORMAT_TO_STRING</tt>, <tt>INT_TO_HEX_STRING</tt>, ...).

ProB also allows multi-line strings.

As of version 1.7.0, ProB will support the following escape sequences within strings:
<pre>
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol
</pre>
Within single-line string literals, you do not need to escape <tt>'</tt>.
Within multi-line string literals, you do not need to escape <tt>"</tt> and you can use
tabs and newlines.

ProB assumes that all B machines and strings use the UTF-8 encoding.

=== Reals ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r into an integer
ceiling(r) convert a real r into an integer
</pre>

One can also use a lowercase <tt>e</tt> for literals in scientific notation (e.g. <tt>1.0e-10</tt>).
Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus do not hold.
The [[External_Functions|library]] LibraryReals.def in stdlib contains additional useful external functions
(like <tt>RSIN</tt>, <tt>RCOS</tt>, <tt>RLOG</tt>, <tt>RSQRT</tt>, <tt>RPOW</tt>, ...).
You can turn off support for REALS using the preference <tt>ALLOW_REALS</tt>.
The <tt>REAL_SOLVER</tt> preference how constraints are solved.

=== Trees ===
Nodes in the tree are denoted by index sequences (branches), e.g, <tt>n=[1,2,1]</tt>
Each node in the tree is labelled with an element from a domain S.
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates, expressions and substitutions:
<pre>
IF P THEN E1 END conditional branching
IF P THEN E1 ELSIF E2 END we also allow multiple ELSIF branches
IF P THEN E1 ELSE E2 END but you always need an ELSE branch for expressions and predicates
IF P THEN E1 ELSIF E2 ELSE E3 END
LET x1,... BE x1=E1 & ... IN E END introduce local variables
</pre>
Note: the expression <tt>Ei</tt> defining <tt>xi</tt> is allowed to use <tt>x1,...,x(i-1)</tt> for predicates/expressions.
By setting the preference <tt>ALLOW_COMPLEX_LETS</tt> to <tt>TRUE</tt>, this is also allowed for substitutions.

=== Statements (aka Substitutions) ===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x; previous value of x is x$0)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END
WHILE P1 DO G INVARIANT P2 VARIANT E END
WHEN P THEN G END is a synonym for SELECT P THEN G END
</pre>
&ast;&ast;: cannot be used at the top-level of an operation, but needs to
be wrapped inside a <tt>BEGIN END</tt> or another statement (to avoid
confusion with the operators <tt>;</tt> and <tt>||</tt> on relations).

=== Machine header ===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION
</pre>
Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)

You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.

=== Machine sections ===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
FREETYPES x=x1,x2(arg2),...;...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;...
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION S (substitution)
OPERATIONS O;... (operations)
</pre>

=== Machine inclusion ===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions ===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
"FILE.def"; Include definitions from file
</pre>

There are a few specific definitions which can be used to influence ProB:
<pre>
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
MAX_OPERATIONS_OPNAME == n max. number of enablings for the operation OPNAME
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
HEURISTIC_FUNCTION == n in directed model-checking mode nodes with smalles value will be processed first
</pre>

The following definitions allow providing a custom state visualization (n can be empty or a number):
<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]] (n can be empty or a number):
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records or sets of records like
rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node, ...)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like
color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", style:"filled", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", dir:"none", penwidth:2, edges:e)
</pre>

Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

You can now also use a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes
(replacing CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

You can also provide <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == ... define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == ... define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == ... define a record or set of records for VisB hover functions
VISB_SVG_BOX == ... record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == ... defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set, lambda, union or composition to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are three special descriptions:
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc expand*/ to be put after identifiers (in VARIABLES, CONSTANTS,... section)
indicating that they should be expanded and not kept symbolically
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free ===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes ===
<pre>
ProB now supports the Unicode mathematical symbols, exactly like Atelier-B
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS),
!(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T12:48:40Z

Vella: /* File Extensions */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality ===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans ===
<pre>
TRUE truth value (this is an expression)
FALSE falsity value (this is an expression)
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are expression values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets ===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T or S \ T set difference
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers ===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) set product
SIGMA(z).(P|E) set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations ===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0)=id(s) where s=TYPEOF_r)
</pre>

=== Functions ===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences ===
<pre>
[] or <> empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records ===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Identifiers ===
<pre>
ID must start with letter (ASCII or Unicode), can then contain
letters (ASCII or Unicode), digits and underscore (_) and
can end with Unicode subscripts followed by Unicode primes
M.ID composed identifier for identifier coming from included machine M
`ID` an identifier in backquotes can contain almost any character (except newline)
</pre>

=== Strings ===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
In ProB, however, some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse of a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the <tt>STRING_AS_SEQUENCE</tt> preference.
The [[External_Functions|library]] LibraryStrings.def in stdlib contains additional useful external functions
(like <tt>TO_STRING</tt>, <tt>STRING_SPLIT</tt>, <tt>FORMAT_TO_STRING</tt>, <tt>INT_TO_HEX_STRING</tt>, ...).

ProB also allows multi-line strings.

As of version 1.7.0, ProB will support the following escape sequences within strings:
<pre>
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol
</pre>
Within single-line string literals, you do not need to escape <tt>'</tt>.
Within multi-line string literals, you do not need to escape <tt>"</tt> and you can use
tabs and newlines.

ProB assumes that all B machines and strings use the UTF-8 encoding.

=== Reals ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r into an integer
ceiling(r) convert a real r into an integer
</pre>

One can also use a lowercase <tt>e</tt> for literals in scientific notation (e.g. <tt>1.0e-10</tt>).
Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus do not hold.
The [[External_Functions|library]] LibraryReals.def in stdlib contains additional useful external functions
(like <tt>RSIN</tt>, <tt>RCOS</tt>, <tt>RLOG</tt>, <tt>RSQRT</tt>, <tt>RPOW</tt>, ...).
You can turn off support for REALS using the preference <tt>ALLOW_REALS</tt>.
The <tt>REAL_SOLVER</tt> preference how constraints are solved.

=== Trees ===
Nodes in the tree are denoted by index sequences (branches), e.g, <tt>n=[1,2,1]</tt>
Each node in the tree is labelled with an element from a domain S.
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates, expressions and substitutions:
<pre>
IF P THEN E1 END conditional branching
IF P THEN E1 ELSIF E2 END we also allow multiple ELSIF branches
IF P THEN E1 ELSE E2 END but you always need an ELSE branch for expressions and predicates
IF P THEN E1 ELSIF E2 ELSE E3 END
LET x1,... BE x1=E1 & ... IN E END introduce local variables
</pre>
Note: the expression <tt>Ei</tt> defining <tt>xi</tt> is allowed to use <tt>x1,...,x(i-1)</tt> for predicates/expressions.
By setting the preference <tt>ALLOW_COMPLEX_LETS</tt> to <tt>TRUE</tt>, this is also allowed for substitutions.

=== Statements (aka Substitutions) ===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x; previous value of x is x$0)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END
WHILE P1 DO G INVARIANT P2 VARIANT E END
WHEN P THEN G END is a synonym for SELECT P THEN G END
</pre>
&ast;&ast;: cannot be used at the top-level of an operation, but needs to
be wrapped inside a <tt>BEGIN END</tt> or another statement (to avoid
confusion with the operators <tt>;</tt> and <tt>||</tt> on relations).

=== Machine header ===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION
</pre>
Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)

You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.

=== Machine sections ===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
FREETYPES x=x1,x2(arg2),...;...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;...
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION S (substitution)
OPERATIONS O;... (operations)
</pre>

=== Machine inclusion ===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions ===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
"FILE.def"; Include definitions from file
</pre>

There are a few specific definitions which can be used to influence ProB:
<pre>
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
MAX_OPERATIONS_OPNAME == n max. number of enablings for the operation OPNAME
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
HEURISTIC_FUNCTION == n in directed model-checking mode nodes with smalles value will be processed first
</pre>

The following definitions allow providing a custom state visualization (n can be empty or a number):
<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]] (n can be empty or a number):
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records or sets of records like
rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node, ...)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like
color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", style:"filled", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", dir:"none", penwidth:2, edges:e)
</pre>

Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

You can now also use a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes
(replacing CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

You can also provide <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == ... define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == ... define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == ... define a record or set of records for VisB hover functions
VISB_SVG_BOX == ... record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == ... defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set, lambda, union or composition to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are three special descriptions:
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc expand*/ to be put after identifiers (in VARIABLES, CONSTANTS,... section)
indicating that they should be expanded and not kept symbolically
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free ===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes ===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T12:48:10Z

Vella: /* Comments and Pragmas */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality ===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans ===
<pre>
TRUE truth value (this is an expression)
FALSE falsity value (this is an expression)
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are expression values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets ===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T or S \ T set difference
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers ===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) set product
SIGMA(z).(P|E) set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations ===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0)=id(s) where s=TYPEOF_r)
</pre>

=== Functions ===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences ===
<pre>
[] or <> empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records ===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Identifiers ===
<pre>
ID must start with letter (ASCII or Unicode), can then contain
letters (ASCII or Unicode), digits and underscore (_) and
can end with Unicode subscripts followed by Unicode primes
M.ID composed identifier for identifier coming from included machine M
`ID` an identifier in backquotes can contain almost any character (except newline)
</pre>

=== Strings ===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
In ProB, however, some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse of a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the <tt>STRING_AS_SEQUENCE</tt> preference.
The [[External_Functions|library]] LibraryStrings.def in stdlib contains additional useful external functions
(like <tt>TO_STRING</tt>, <tt>STRING_SPLIT</tt>, <tt>FORMAT_TO_STRING</tt>, <tt>INT_TO_HEX_STRING</tt>, ...).

ProB also allows multi-line strings.

As of version 1.7.0, ProB will support the following escape sequences within strings:
<pre>
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol
</pre>
Within single-line string literals, you do not need to escape <tt>'</tt>.
Within multi-line string literals, you do not need to escape <tt>"</tt> and you can use
tabs and newlines.

ProB assumes that all B machines and strings use the UTF-8 encoding.

=== Reals ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r into an integer
ceiling(r) convert a real r into an integer
</pre>

One can also use a lowercase <tt>e</tt> for literals in scientific notation (e.g. <tt>1.0e-10</tt>).
Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus do not hold.
The [[External_Functions|library]] LibraryReals.def in stdlib contains additional useful external functions
(like <tt>RSIN</tt>, <tt>RCOS</tt>, <tt>RLOG</tt>, <tt>RSQRT</tt>, <tt>RPOW</tt>, ...).
You can turn off support for REALS using the preference <tt>ALLOW_REALS</tt>.
The <tt>REAL_SOLVER</tt> preference how constraints are solved.

=== Trees ===
Nodes in the tree are denoted by index sequences (branches), e.g, <tt>n=[1,2,1]</tt>
Each node in the tree is labelled with an element from a domain S.
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates, expressions and substitutions:
<pre>
IF P THEN E1 END conditional branching
IF P THEN E1 ELSIF E2 END we also allow multiple ELSIF branches
IF P THEN E1 ELSE E2 END but you always need an ELSE branch for expressions and predicates
IF P THEN E1 ELSIF E2 ELSE E3 END
LET x1,... BE x1=E1 & ... IN E END introduce local variables
</pre>
Note: the expression <tt>Ei</tt> defining <tt>xi</tt> is allowed to use <tt>x1,...,x(i-1)</tt> for predicates/expressions.
By setting the preference <tt>ALLOW_COMPLEX_LETS</tt> to <tt>TRUE</tt>, this is also allowed for substitutions.

=== Statements (aka Substitutions) ===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x; previous value of x is x$0)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END
WHILE P1 DO G INVARIANT P2 VARIANT E END
WHEN P THEN G END is a synonym for SELECT P THEN G END
</pre>
&ast;&ast;: cannot be used at the top-level of an operation, but needs to
be wrapped inside a <tt>BEGIN END</tt> or another statement (to avoid
confusion with the operators <tt>;</tt> and <tt>||</tt> on relations).

=== Machine header ===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION
</pre>
Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)

You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.

=== Machine sections ===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
FREETYPES x=x1,x2(arg2),...;...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;...
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION S (substitution)
OPERATIONS O;... (operations)
</pre>

=== Machine inclusion ===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions ===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
"FILE.def"; Include definitions from file
</pre>

There are a few specific definitions which can be used to influence ProB:
<pre>
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
MAX_OPERATIONS_OPNAME == n max. number of enablings for the operation OPNAME
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
HEURISTIC_FUNCTION == n in directed model-checking mode nodes with smalles value will be processed first
</pre>

The following definitions allow providing a custom state visualization (n can be empty or a number):
<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]] (n can be empty or a number):
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records or sets of records like
rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node, ...)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like
color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", style:"filled", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", dir:"none", penwidth:2, edges:e)
</pre>

Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

You can now also use a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes
(replacing CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

You can also provide <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == ... define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == ... define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == ... define a record or set of records for VisB hover functions
VISB_SVG_BOX == ... record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == ... defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set, lambda, union or composition to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are three special descriptions:
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc expand*/ to be put after identifiers (in VARIABLES, CONSTANTS,... section)
indicating that they should be expanded and not kept symbolically
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free ===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes ===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T12:43:14Z

Vella: /* Definitions */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality ===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans ===
<pre>
TRUE truth value (this is an expression)
FALSE falsity value (this is an expression)
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are expression values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets ===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T or S \ T set difference
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers ===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) set product
SIGMA(z).(P|E) set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations ===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0)=id(s) where s=TYPEOF_r)
</pre>

=== Functions ===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences ===
<pre>
[] or <> empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records ===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Identifiers ===
<pre>
ID must start with letter (ASCII or Unicode), can then contain
letters (ASCII or Unicode), digits and underscore (_) and
can end with Unicode subscripts followed by Unicode primes
M.ID composed identifier for identifier coming from included machine M
`ID` an identifier in backquotes can contain almost any character (except newline)
</pre>

=== Strings ===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
In ProB, however, some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse of a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the <tt>STRING_AS_SEQUENCE</tt> preference.
The [[External_Functions|library]] LibraryStrings.def in stdlib contains additional useful external functions
(like <tt>TO_STRING</tt>, <tt>STRING_SPLIT</tt>, <tt>FORMAT_TO_STRING</tt>, <tt>INT_TO_HEX_STRING</tt>, ...).

ProB also allows multi-line strings.

As of version 1.7.0, ProB will support the following escape sequences within strings:
<pre>
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol
</pre>
Within single-line string literals, you do not need to escape <tt>'</tt>.
Within multi-line string literals, you do not need to escape <tt>"</tt> and you can use
tabs and newlines.

ProB assumes that all B machines and strings use the UTF-8 encoding.

=== Reals ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r into an integer
ceiling(r) convert a real r into an integer
</pre>

One can also use a lowercase <tt>e</tt> for literals in scientific notation (e.g. <tt>1.0e-10</tt>).
Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus do not hold.
The [[External_Functions|library]] LibraryReals.def in stdlib contains additional useful external functions
(like <tt>RSIN</tt>, <tt>RCOS</tt>, <tt>RLOG</tt>, <tt>RSQRT</tt>, <tt>RPOW</tt>, ...).
You can turn off support for REALS using the preference <tt>ALLOW_REALS</tt>.
The <tt>REAL_SOLVER</tt> preference how constraints are solved.

=== Trees ===
Nodes in the tree are denoted by index sequences (branches), e.g, <tt>n=[1,2,1]</tt>
Each node in the tree is labelled with an element from a domain S.
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates, expressions and substitutions:
<pre>
IF P THEN E1 END conditional branching
IF P THEN E1 ELSIF E2 END we also allow multiple ELSIF branches
IF P THEN E1 ELSE E2 END but you always need an ELSE branch for expressions and predicates
IF P THEN E1 ELSIF E2 ELSE E3 END
LET x1,... BE x1=E1 & ... IN E END introduce local variables
</pre>
Note: the expression <tt>Ei</tt> defining <tt>xi</tt> is allowed to use <tt>x1,...,x(i-1)</tt> for predicates/expressions.
By setting the preference <tt>ALLOW_COMPLEX_LETS</tt> to <tt>TRUE</tt>, this is also allowed for substitutions.

=== Statements (aka Substitutions) ===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x; previous value of x is x$0)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END
WHILE P1 DO G INVARIANT P2 VARIANT E END
WHEN P THEN G END is a synonym for SELECT P THEN G END
</pre>
&ast;&ast;: cannot be used at the top-level of an operation, but needs to
be wrapped inside a <tt>BEGIN END</tt> or another statement (to avoid
confusion with the operators <tt>;</tt> and <tt>||</tt> on relations).

=== Machine header ===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION
</pre>
Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)

You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.

=== Machine sections ===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
FREETYPES x=x1,x2(arg2),...;...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;...
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION S (substitution)
OPERATIONS O;... (operations)
</pre>

=== Machine inclusion ===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions ===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
"FILE.def"; Include definitions from file
</pre>

There are a few specific definitions which can be used to influence ProB:
<pre>
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
MAX_OPERATIONS_OPNAME == n max. number of enablings for the operation OPNAME
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
HEURISTIC_FUNCTION == n in directed model-checking mode nodes with smalles value will be processed first
</pre>

The following definitions allow providing a custom state visualization (n can be empty or a number):
<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]] (n can be empty or a number):
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records or sets of records like
rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node, ...)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like
color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", style:"filled", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", dir:"none", penwidth:2, edges:e)
</pre>

Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

You can now also use a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes
(replacing CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

You can also provide <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == ... define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == ... define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == ... define a record or set of records for VisB hover functions
VISB_SVG_BOX == ... record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == ... defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set or lambda to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are two special descriptions
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source and should not be edited
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free ===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes ===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T12:35:37Z

Vella: /* Machine inclusion */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality ===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans ===
<pre>
TRUE truth value (this is an expression)
FALSE falsity value (this is an expression)
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are expression values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets ===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T or S \ T set difference
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers ===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) set product
SIGMA(z).(P|E) set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations ===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0)=id(s) where s=TYPEOF_r)
</pre>

=== Functions ===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences ===
<pre>
[] or <> empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records ===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Identifiers ===
<pre>
ID must start with letter (ASCII or Unicode), can then contain
letters (ASCII or Unicode), digits and underscore (_) and
can end with Unicode subscripts followed by Unicode primes
M.ID composed identifier for identifier coming from included machine M
`ID` an identifier in backquotes can contain almost any character (except newline)
</pre>

=== Strings ===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
In ProB, however, some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse of a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the <tt>STRING_AS_SEQUENCE</tt> preference.
The [[External_Functions|library]] LibraryStrings.def in stdlib contains additional useful external functions
(like <tt>TO_STRING</tt>, <tt>STRING_SPLIT</tt>, <tt>FORMAT_TO_STRING</tt>, <tt>INT_TO_HEX_STRING</tt>, ...).

ProB also allows multi-line strings.

As of version 1.7.0, ProB will support the following escape sequences within strings:
<pre>
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol
</pre>
Within single-line string literals, you do not need to escape <tt>'</tt>.
Within multi-line string literals, you do not need to escape <tt>"</tt> and you can use
tabs and newlines.

ProB assumes that all B machines and strings use the UTF-8 encoding.

=== Reals ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r into an integer
ceiling(r) convert a real r into an integer
</pre>

One can also use a lowercase <tt>e</tt> for literals in scientific notation (e.g. <tt>1.0e-10</tt>).
Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus do not hold.
The [[External_Functions|library]] LibraryReals.def in stdlib contains additional useful external functions
(like <tt>RSIN</tt>, <tt>RCOS</tt>, <tt>RLOG</tt>, <tt>RSQRT</tt>, <tt>RPOW</tt>, ...).
You can turn off support for REALS using the preference <tt>ALLOW_REALS</tt>.
The <tt>REAL_SOLVER</tt> preference how constraints are solved.

=== Trees ===
Nodes in the tree are denoted by index sequences (branches), e.g, <tt>n=[1,2,1]</tt>
Each node in the tree is labelled with an element from a domain S.
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates, expressions and substitutions:
<pre>
IF P THEN E1 END conditional branching
IF P THEN E1 ELSIF E2 END we also allow multiple ELSIF branches
IF P THEN E1 ELSE E2 END but you always need an ELSE branch for expressions and predicates
IF P THEN E1 ELSIF E2 ELSE E3 END
LET x1,... BE x1=E1 & ... IN E END introduce local variables
</pre>
Note: the expression <tt>Ei</tt> defining <tt>xi</tt> is allowed to use <tt>x1,...,x(i-1)</tt> for predicates/expressions.
By setting the preference <tt>ALLOW_COMPLEX_LETS</tt> to <tt>TRUE</tt>, this is also allowed for substitutions.

=== Statements (aka Substitutions) ===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x; previous value of x is x$0)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END
WHILE P1 DO G INVARIANT P2 VARIANT E END
WHEN P THEN G END is a synonym for SELECT P THEN G END
</pre>
&ast;&ast;: cannot be used at the top-level of an operation, but needs to
be wrapped inside a <tt>BEGIN END</tt> or another statement (to avoid
confusion with the operators <tt>;</tt> and <tt>||</tt> on relations).

=== Machine header ===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION
</pre>
Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)

You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.

=== Machine sections ===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
FREETYPES x=x1,x2(arg2),...;...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;...
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION S (substitution)
OPERATIONS O;... (operations)
</pre>

=== Machine inclusion ===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions ===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
</pre>
"FILE.def"; Include definitions from file

There are a few Definitions which can be used to influence the animator:

<pre>
There are a few specific definitions which can be used to influence ProB:
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
</pre>

The following definitions allow providing a custom state visualization:

<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]]:
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", edges:e)
</pre>
Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

There are also <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == define a record or set of records for VisB hover functions
VISB_SVG_BOX == record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set or lambda to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are two special descriptions
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source and should not be edited
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free ===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes ===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T12:35:12Z

Vella: /* Machine inclusion */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality ===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans ===
<pre>
TRUE truth value (this is an expression)
FALSE falsity value (this is an expression)
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are expression values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets ===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T or S \ T set difference
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers ===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) set product
SIGMA(z).(P|E) set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations ===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0)=id(s) where s=TYPEOF_r)
</pre>

=== Functions ===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences ===
<pre>
[] or <> empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records ===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Identifiers ===
<pre>
ID must start with letter (ASCII or Unicode), can then contain
letters (ASCII or Unicode), digits and underscore (_) and
can end with Unicode subscripts followed by Unicode primes
M.ID composed identifier for identifier coming from included machine M
`ID` an identifier in backquotes can contain almost any character (except newline)
</pre>

=== Strings ===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
In ProB, however, some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse of a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the <tt>STRING_AS_SEQUENCE</tt> preference.
The [[External_Functions|library]] LibraryStrings.def in stdlib contains additional useful external functions
(like <tt>TO_STRING</tt>, <tt>STRING_SPLIT</tt>, <tt>FORMAT_TO_STRING</tt>, <tt>INT_TO_HEX_STRING</tt>, ...).

ProB also allows multi-line strings.

As of version 1.7.0, ProB will support the following escape sequences within strings:
<pre>
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol
</pre>
Within single-line string literals, you do not need to escape <tt>'</tt>.
Within multi-line string literals, you do not need to escape <tt>"</tt> and you can use
tabs and newlines.

ProB assumes that all B machines and strings use the UTF-8 encoding.

=== Reals ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r into an integer
ceiling(r) convert a real r into an integer
</pre>

One can also use a lowercase <tt>e</tt> for literals in scientific notation (e.g. <tt>1.0e-10</tt>).
Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus do not hold.
The [[External_Functions|library]] LibraryReals.def in stdlib contains additional useful external functions
(like <tt>RSIN</tt>, <tt>RCOS</tt>, <tt>RLOG</tt>, <tt>RSQRT</tt>, <tt>RPOW</tt>, ...).
You can turn off support for REALS using the preference <tt>ALLOW_REALS</tt>.
The <tt>REAL_SOLVER</tt> preference how constraints are solved.

=== Trees ===
Nodes in the tree are denoted by index sequences (branches), e.g, <tt>n=[1,2,1]</tt>
Each node in the tree is labelled with an element from a domain S.
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates, expressions and substitutions:
<pre>
IF P THEN E1 END conditional branching
IF P THEN E1 ELSIF E2 END we also allow multiple ELSIF branches
IF P THEN E1 ELSE E2 END but you always need an ELSE branch for expressions and predicates
IF P THEN E1 ELSIF E2 ELSE E3 END
LET x1,... BE x1=E1 & ... IN E END introduce local variables
</pre>
Note: the expression <tt>Ei</tt> defining <tt>xi</tt> is allowed to use <tt>x1,...,x(i-1)</tt> for predicates/expressions.
By setting the preference <tt>ALLOW_COMPLEX_LETS</tt> to <tt>TRUE</tt>, this is also allowed for substitutions.

=== Statements (aka Substitutions) ===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x; previous value of x is x$0)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END
WHILE P1 DO G INVARIANT P2 VARIANT E END
WHEN P THEN G END is a synonym for SELECT P THEN G END
</pre>
&ast;&ast;: cannot be used at the top-level of an operation, but needs to
be wrapped inside a <tt>BEGIN END</tt> or another statement (to avoid
confusion with the operators <tt>;</tt> and <tt>||</tt> on relations).

=== Machine header ===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION
</pre>
Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)

You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.

=== Machine sections ===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
FREETYPES x=x1,x2(arg2),...;...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;...
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION S (substitution)
OPERATIONS O;... (operations)
</pre>

=== Machine inclusion ===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions ===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
</pre>
"FILE.def"; Include definitions from file

There are a few Definitions which can be used to influence the animator:

<pre>
There are a few specific definitions which can be used to influence ProB:
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
</pre>

The following definitions allow providing a custom state visualization:

<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]]:
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", edges:e)
</pre>
Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

There are also <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == define a record or set of records for VisB hover functions
VISB_SVG_BOX == record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set or lambda to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are two special descriptions
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source and should not be edited
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free ===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes ===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T12:34:26Z

Vella: /* Machine sections */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality ===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans ===
<pre>
TRUE truth value (this is an expression)
FALSE falsity value (this is an expression)
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are expression values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets ===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T or S \ T set difference
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers ===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) set product
SIGMA(z).(P|E) set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations ===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0)=id(s) where s=TYPEOF_r)
</pre>

=== Functions ===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences ===
<pre>
[] or <> empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records ===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Identifiers ===
<pre>
ID must start with letter (ASCII or Unicode), can then contain
letters (ASCII or Unicode), digits and underscore (_) and
can end with Unicode subscripts followed by Unicode primes
M.ID composed identifier for identifier coming from included machine M
`ID` an identifier in backquotes can contain almost any character (except newline)
</pre>

=== Strings ===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
In ProB, however, some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse of a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the <tt>STRING_AS_SEQUENCE</tt> preference.
The [[External_Functions|library]] LibraryStrings.def in stdlib contains additional useful external functions
(like <tt>TO_STRING</tt>, <tt>STRING_SPLIT</tt>, <tt>FORMAT_TO_STRING</tt>, <tt>INT_TO_HEX_STRING</tt>, ...).

ProB also allows multi-line strings.

As of version 1.7.0, ProB will support the following escape sequences within strings:
<pre>
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol
</pre>
Within single-line string literals, you do not need to escape <tt>'</tt>.
Within multi-line string literals, you do not need to escape <tt>"</tt> and you can use
tabs and newlines.

ProB assumes that all B machines and strings use the UTF-8 encoding.

=== Reals ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r into an integer
ceiling(r) convert a real r into an integer
</pre>

One can also use a lowercase <tt>e</tt> for literals in scientific notation (e.g. <tt>1.0e-10</tt>).
Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus do not hold.
The [[External_Functions|library]] LibraryReals.def in stdlib contains additional useful external functions
(like <tt>RSIN</tt>, <tt>RCOS</tt>, <tt>RLOG</tt>, <tt>RSQRT</tt>, <tt>RPOW</tt>, ...).
You can turn off support for REALS using the preference <tt>ALLOW_REALS</tt>.
The <tt>REAL_SOLVER</tt> preference how constraints are solved.

=== Trees ===
Nodes in the tree are denoted by index sequences (branches), e.g, <tt>n=[1,2,1]</tt>
Each node in the tree is labelled with an element from a domain S.
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates, expressions and substitutions:
<pre>
IF P THEN E1 END conditional branching
IF P THEN E1 ELSIF E2 END we also allow multiple ELSIF branches
IF P THEN E1 ELSE E2 END but you always need an ELSE branch for expressions and predicates
IF P THEN E1 ELSIF E2 ELSE E3 END
LET x1,... BE x1=E1 & ... IN E END introduce local variables
</pre>
Note: the expression <tt>Ei</tt> defining <tt>xi</tt> is allowed to use <tt>x1,...,x(i-1)</tt> for predicates/expressions.
By setting the preference <tt>ALLOW_COMPLEX_LETS</tt> to <tt>TRUE</tt>, this is also allowed for substitutions.

=== Statements (aka Substitutions) ===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x; previous value of x is x$0)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END
WHILE P1 DO G INVARIANT P2 VARIANT E END
WHEN P THEN G END is a synonym for SELECT P THEN G END
</pre>
&ast;&ast;: cannot be used at the top-level of an operation, but needs to
be wrapped inside a <tt>BEGIN END</tt> or another statement (to avoid
confusion with the operators <tt>;</tt> and <tt>||</tt> on relations).

=== Machine header ===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION
</pre>
Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)

You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.

=== Machine sections ===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
FREETYPES x=x1,x2(arg2),...;...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;...
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION S (substitution)
OPERATIONS O;... (operations)
</pre>

=== Machine inclusion ===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions ===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
</pre>
"FILE.def"; Include definitions from file

There are a few Definitions which can be used to influence the animator:

<pre>
There are a few specific definitions which can be used to influence ProB:
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
</pre>

The following definitions allow providing a custom state visualization:

<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]]:
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", edges:e)
</pre>
Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

There are also <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == define a record or set of records for VisB hover functions
VISB_SVG_BOX == record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set or lambda to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are two special descriptions
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source and should not be edited
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free ===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes ===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T12:32:14Z

Vella: /* Machine header */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality ===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans ===
<pre>
TRUE truth value (this is an expression)
FALSE falsity value (this is an expression)
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are expression values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets ===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T or S \ T set difference
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers ===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) set product
SIGMA(z).(P|E) set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations ===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0)=id(s) where s=TYPEOF_r)
</pre>

=== Functions ===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences ===
<pre>
[] or <> empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records ===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Identifiers ===
<pre>
ID must start with letter (ASCII or Unicode), can then contain
letters (ASCII or Unicode), digits and underscore (_) and
can end with Unicode subscripts followed by Unicode primes
M.ID composed identifier for identifier coming from included machine M
`ID` an identifier in backquotes can contain almost any character (except newline)
</pre>

=== Strings ===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
In ProB, however, some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse of a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the <tt>STRING_AS_SEQUENCE</tt> preference.
The [[External_Functions|library]] LibraryStrings.def in stdlib contains additional useful external functions
(like <tt>TO_STRING</tt>, <tt>STRING_SPLIT</tt>, <tt>FORMAT_TO_STRING</tt>, <tt>INT_TO_HEX_STRING</tt>, ...).

ProB also allows multi-line strings.

As of version 1.7.0, ProB will support the following escape sequences within strings:
<pre>
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol
</pre>
Within single-line string literals, you do not need to escape <tt>'</tt>.
Within multi-line string literals, you do not need to escape <tt>"</tt> and you can use
tabs and newlines.

ProB assumes that all B machines and strings use the UTF-8 encoding.

=== Reals ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r into an integer
ceiling(r) convert a real r into an integer
</pre>

One can also use a lowercase <tt>e</tt> for literals in scientific notation (e.g. <tt>1.0e-10</tt>).
Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus do not hold.
The [[External_Functions|library]] LibraryReals.def in stdlib contains additional useful external functions
(like <tt>RSIN</tt>, <tt>RCOS</tt>, <tt>RLOG</tt>, <tt>RSQRT</tt>, <tt>RPOW</tt>, ...).
You can turn off support for REALS using the preference <tt>ALLOW_REALS</tt>.
The <tt>REAL_SOLVER</tt> preference how constraints are solved.

=== Trees ===
Nodes in the tree are denoted by index sequences (branches), e.g, <tt>n=[1,2,1]</tt>
Each node in the tree is labelled with an element from a domain S.
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates, expressions and substitutions:
<pre>
IF P THEN E1 END conditional branching
IF P THEN E1 ELSIF E2 END we also allow multiple ELSIF branches
IF P THEN E1 ELSE E2 END but you always need an ELSE branch for expressions and predicates
IF P THEN E1 ELSIF E2 ELSE E3 END
LET x1,... BE x1=E1 & ... IN E END introduce local variables
</pre>
Note: the expression <tt>Ei</tt> defining <tt>xi</tt> is allowed to use <tt>x1,...,x(i-1)</tt> for predicates/expressions.
By setting the preference <tt>ALLOW_COMPLEX_LETS</tt> to <tt>TRUE</tt>, this is also allowed for substitutions.

=== Statements (aka Substitutions) ===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x; previous value of x is x$0)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END
WHILE P1 DO G INVARIANT P2 VARIANT E END
WHEN P THEN G END is a synonym for SELECT P THEN G END
</pre>
&ast;&ast;: cannot be used at the top-level of an operation, but needs to
be wrapped inside a <tt>BEGIN END</tt> or another statement (to avoid
confusion with the operators <tt>;</tt> and <tt>||</tt> on relations).

=== Machine header ===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION
</pre>
Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)

You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.

=== Machine sections ===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;....
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION
OPERATIONS
</pre>

=== Machine inclusion ===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions ===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
</pre>
"FILE.def"; Include definitions from file

There are a few Definitions which can be used to influence the animator:

<pre>
There are a few specific definitions which can be used to influence ProB:
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
</pre>

The following definitions allow providing a custom state visualization:

<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]]:
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", edges:e)
</pre>
Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

There are also <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == define a record or set of records for VisB hover functions
VISB_SVG_BOX == record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set or lambda to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are two special descriptions
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source and should not be edited
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free ===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes ===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T12:31:24Z

Vella: /* Statements (aka Substitutions) */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality ===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans ===
<pre>
TRUE truth value (this is an expression)
FALSE falsity value (this is an expression)
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are expression values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets ===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T or S \ T set difference
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers ===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) set product
SIGMA(z).(P|E) set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations ===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0)=id(s) where s=TYPEOF_r)
</pre>

=== Functions ===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences ===
<pre>
[] or <> empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records ===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Identifiers ===
<pre>
ID must start with letter (ASCII or Unicode), can then contain
letters (ASCII or Unicode), digits and underscore (_) and
can end with Unicode subscripts followed by Unicode primes
M.ID composed identifier for identifier coming from included machine M
`ID` an identifier in backquotes can contain almost any character (except newline)
</pre>

=== Strings ===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
In ProB, however, some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse of a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the <tt>STRING_AS_SEQUENCE</tt> preference.
The [[External_Functions|library]] LibraryStrings.def in stdlib contains additional useful external functions
(like <tt>TO_STRING</tt>, <tt>STRING_SPLIT</tt>, <tt>FORMAT_TO_STRING</tt>, <tt>INT_TO_HEX_STRING</tt>, ...).

ProB also allows multi-line strings.

As of version 1.7.0, ProB will support the following escape sequences within strings:
<pre>
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol
</pre>
Within single-line string literals, you do not need to escape <tt>'</tt>.
Within multi-line string literals, you do not need to escape <tt>"</tt> and you can use
tabs and newlines.

ProB assumes that all B machines and strings use the UTF-8 encoding.

=== Reals ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r into an integer
ceiling(r) convert a real r into an integer
</pre>

One can also use a lowercase <tt>e</tt> for literals in scientific notation (e.g. <tt>1.0e-10</tt>).
Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus do not hold.
The [[External_Functions|library]] LibraryReals.def in stdlib contains additional useful external functions
(like <tt>RSIN</tt>, <tt>RCOS</tt>, <tt>RLOG</tt>, <tt>RSQRT</tt>, <tt>RPOW</tt>, ...).
You can turn off support for REALS using the preference <tt>ALLOW_REALS</tt>.
The <tt>REAL_SOLVER</tt> preference how constraints are solved.

=== Trees ===
Nodes in the tree are denoted by index sequences (branches), e.g, <tt>n=[1,2,1]</tt>
Each node in the tree is labelled with an element from a domain S.
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates, expressions and substitutions:
<pre>
IF P THEN E1 END conditional branching
IF P THEN E1 ELSIF E2 END we also allow multiple ELSIF branches
IF P THEN E1 ELSE E2 END but you always need an ELSE branch for expressions and predicates
IF P THEN E1 ELSIF E2 ELSE E3 END
LET x1,... BE x1=E1 & ... IN E END introduce local variables
</pre>
Note: the expression <tt>Ei</tt> defining <tt>xi</tt> is allowed to use <tt>x1,...,x(i-1)</tt> for predicates/expressions.
By setting the preference <tt>ALLOW_COMPLEX_LETS</tt> to <tt>TRUE</tt>, this is also allowed for substitutions.

=== Statements (aka Substitutions) ===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x; previous value of x is x$0)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END
WHILE P1 DO G INVARIANT P2 VARIANT E END
WHEN P THEN G END is a synonym for SELECT P THEN G END
</pre>
&ast;&ast;: cannot be used at the top-level of an operation, but needs to
be wrapped inside a <tt>BEGIN END</tt> or another statement (to avoid
confusion with the operators <tt>;</tt> and <tt>||</tt> on relations).

=== Machine header ===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION

Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)
You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.
</pre>

=== Machine sections ===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;....
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION
OPERATIONS
</pre>

=== Machine inclusion ===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions ===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
</pre>
"FILE.def"; Include definitions from file

There are a few Definitions which can be used to influence the animator:

<pre>
There are a few specific definitions which can be used to influence ProB:
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
</pre>

The following definitions allow providing a custom state visualization:

<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]]:
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", edges:e)
</pre>
Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

There are also <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == define a record or set of records for VisB hover functions
VISB_SVG_BOX == record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set or lambda to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are two special descriptions
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source and should not be edited
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free ===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes ===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T12:30:23Z

Vella: /* Statements (aka Substitutions) */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality ===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans ===
<pre>
TRUE truth value (this is an expression)
FALSE falsity value (this is an expression)
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are expression values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets ===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T or S \ T set difference
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers ===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) set product
SIGMA(z).(P|E) set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations ===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0)=id(s) where s=TYPEOF_r)
</pre>

=== Functions ===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences ===
<pre>
[] or <> empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records ===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Identifiers ===
<pre>
ID must start with letter (ASCII or Unicode), can then contain
letters (ASCII or Unicode), digits and underscore (_) and
can end with Unicode subscripts followed by Unicode primes
M.ID composed identifier for identifier coming from included machine M
`ID` an identifier in backquotes can contain almost any character (except newline)
</pre>

=== Strings ===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
In ProB, however, some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse of a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the <tt>STRING_AS_SEQUENCE</tt> preference.
The [[External_Functions|library]] LibraryStrings.def in stdlib contains additional useful external functions
(like <tt>TO_STRING</tt>, <tt>STRING_SPLIT</tt>, <tt>FORMAT_TO_STRING</tt>, <tt>INT_TO_HEX_STRING</tt>, ...).

ProB also allows multi-line strings.

As of version 1.7.0, ProB will support the following escape sequences within strings:
<pre>
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol
</pre>
Within single-line string literals, you do not need to escape <tt>'</tt>.
Within multi-line string literals, you do not need to escape <tt>"</tt> and you can use
tabs and newlines.

ProB assumes that all B machines and strings use the UTF-8 encoding.

=== Reals ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r into an integer
ceiling(r) convert a real r into an integer
</pre>

One can also use a lowercase <tt>e</tt> for literals in scientific notation (e.g. <tt>1.0e-10</tt>).
Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus do not hold.
The [[External_Functions|library]] LibraryReals.def in stdlib contains additional useful external functions
(like <tt>RSIN</tt>, <tt>RCOS</tt>, <tt>RLOG</tt>, <tt>RSQRT</tt>, <tt>RPOW</tt>, ...).
You can turn off support for REALS using the preference <tt>ALLOW_REALS</tt>.
The <tt>REAL_SOLVER</tt> preference how constraints are solved.

=== Trees ===
Nodes in the tree are denoted by index sequences (branches), e.g, <tt>n=[1,2,1]</tt>
Each node in the tree is labelled with an element from a domain S.
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates, expressions and substitutions:
<pre>
IF P THEN E1 END conditional branching
IF P THEN E1 ELSIF E2 END we also allow multiple ELSIF branches
IF P THEN E1 ELSE E2 END but you always need an ELSE branch for expressions and predicates
IF P THEN E1 ELSIF E2 ELSE E3 END
LET x1,... BE x1=E1 & ... IN E END introduce local variables
</pre>
Note: the expression <tt>Ei</tt> defining <tt>xi</tt> is allowed to use <tt>x1,...,x(i-1)</tt> for predicates/expressions.
By setting the preference <tt>ALLOW_COMPLEX_LETS</tt> to <tt>TRUE</tt>, this is also allowed for substitutions.

=== Statements (aka Substitutions) ===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x; previous value of x is x$0)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END
WHILE P1 DO G INVARIANT P2 VARIANT E END
WHEN P THEN G END is a synonym for SELECT P THEN G END
</pre>
\**: cannot be used at the top-level of an operation, but needs to
be wrapped inside a <tt>BEGIN END</tt> or another statement (to avoid
confusion with the operators <tt>;</tt> and <tt>||</tt> on relations).

=== Machine header ===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION

Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)
You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.
</pre>

=== Machine sections ===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;....
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION
OPERATIONS
</pre>

=== Machine inclusion ===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions ===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
</pre>
"FILE.def"; Include definitions from file

There are a few Definitions which can be used to influence the animator:

<pre>
There are a few specific definitions which can be used to influence ProB:
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
</pre>

The following definitions allow providing a custom state visualization:

<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]]:
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", edges:e)
</pre>
Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

There are also <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == define a record or set of records for VisB hover functions
VISB_SVG_BOX == record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set or lambda to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are two special descriptions
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source and should not be edited
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free ===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes ===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T12:30:12Z

Vella: /* Statements (aka Substitutions) */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality ===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans ===
<pre>
TRUE truth value (this is an expression)
FALSE falsity value (this is an expression)
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are expression values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets ===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T or S \ T set difference
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers ===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) set product
SIGMA(z).(P|E) set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations ===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0)=id(s) where s=TYPEOF_r)
</pre>

=== Functions ===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences ===
<pre>
[] or <> empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records ===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Identifiers ===
<pre>
ID must start with letter (ASCII or Unicode), can then contain
letters (ASCII or Unicode), digits and underscore (_) and
can end with Unicode subscripts followed by Unicode primes
M.ID composed identifier for identifier coming from included machine M
`ID` an identifier in backquotes can contain almost any character (except newline)
</pre>

=== Strings ===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
In ProB, however, some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse of a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the <tt>STRING_AS_SEQUENCE</tt> preference.
The [[External_Functions|library]] LibraryStrings.def in stdlib contains additional useful external functions
(like <tt>TO_STRING</tt>, <tt>STRING_SPLIT</tt>, <tt>FORMAT_TO_STRING</tt>, <tt>INT_TO_HEX_STRING</tt>, ...).

ProB also allows multi-line strings.

As of version 1.7.0, ProB will support the following escape sequences within strings:
<pre>
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol
</pre>
Within single-line string literals, you do not need to escape <tt>'</tt>.
Within multi-line string literals, you do not need to escape <tt>"</tt> and you can use
tabs and newlines.

ProB assumes that all B machines and strings use the UTF-8 encoding.

=== Reals ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r into an integer
ceiling(r) convert a real r into an integer
</pre>

One can also use a lowercase <tt>e</tt> for literals in scientific notation (e.g. <tt>1.0e-10</tt>).
Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus do not hold.
The [[External_Functions|library]] LibraryReals.def in stdlib contains additional useful external functions
(like <tt>RSIN</tt>, <tt>RCOS</tt>, <tt>RLOG</tt>, <tt>RSQRT</tt>, <tt>RPOW</tt>, ...).
You can turn off support for REALS using the preference <tt>ALLOW_REALS</tt>.
The <tt>REAL_SOLVER</tt> preference how constraints are solved.

=== Trees ===
Nodes in the tree are denoted by index sequences (branches), e.g, <tt>n=[1,2,1]</tt>
Each node in the tree is labelled with an element from a domain S.
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates, expressions and substitutions:
<pre>
IF P THEN E1 END conditional branching
IF P THEN E1 ELSIF E2 END we also allow multiple ELSIF branches
IF P THEN E1 ELSE E2 END but you always need an ELSE branch for expressions and predicates
IF P THEN E1 ELSIF E2 ELSE E3 END
LET x1,... BE x1=E1 & ... IN E END introduce local variables
</pre>
Note: the expression <tt>Ei</tt> defining <tt>xi</tt> is allowed to use <tt>x1,...,x(i-1)</tt> for predicates/expressions.
By setting the preference <tt>ALLOW_COMPLEX_LETS</tt> to <tt>TRUE</tt>, this is also allowed for substitutions.

=== Statements (aka Substitutions) ===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x; previous value of x is x$0)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END
WHILE P1 DO G INVARIANT P2 VARIANT E END
WHEN P THEN G END is a synonym for SELECT P THEN G END
</pre>
**: cannot be used at the top-level of an operation, but needs to
be wrapped inside a <tt>BEGIN END</tt> or another statement (to avoid
confusion with the operators <tt>;</tt> and <tt>||</tt> on relations).

=== Machine header ===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION

Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)
You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.
</pre>

=== Machine sections ===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;....
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION
OPERATIONS
</pre>

=== Machine inclusion ===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions ===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
</pre>
"FILE.def"; Include definitions from file

There are a few Definitions which can be used to influence the animator:

<pre>
There are a few specific definitions which can be used to influence ProB:
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
</pre>

The following definitions allow providing a custom state visualization:

<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]]:
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", edges:e)
</pre>
Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

There are also <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == define a record or set of records for VisB hover functions
VISB_SVG_BOX == record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set or lambda to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are two special descriptions
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source and should not be edited
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free ===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes ===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T12:27:40Z

Vella: /* LET and IF-THEN-ELSE */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality ===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans ===
<pre>
TRUE truth value (this is an expression)
FALSE falsity value (this is an expression)
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are expression values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets ===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T or S \ T set difference
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers ===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) set product
SIGMA(z).(P|E) set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations ===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0)=id(s) where s=TYPEOF_r)
</pre>

=== Functions ===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences ===
<pre>
[] or <> empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records ===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Identifiers ===
<pre>
ID must start with letter (ASCII or Unicode), can then contain
letters (ASCII or Unicode), digits and underscore (_) and
can end with Unicode subscripts followed by Unicode primes
M.ID composed identifier for identifier coming from included machine M
`ID` an identifier in backquotes can contain almost any character (except newline)
</pre>

=== Strings ===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
In ProB, however, some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse of a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the <tt>STRING_AS_SEQUENCE</tt> preference.
The [[External_Functions|library]] LibraryStrings.def in stdlib contains additional useful external functions
(like <tt>TO_STRING</tt>, <tt>STRING_SPLIT</tt>, <tt>FORMAT_TO_STRING</tt>, <tt>INT_TO_HEX_STRING</tt>, ...).

ProB also allows multi-line strings.

As of version 1.7.0, ProB will support the following escape sequences within strings:
<pre>
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol
</pre>
Within single-line string literals, you do not need to escape <tt>'</tt>.
Within multi-line string literals, you do not need to escape <tt>"</tt> and you can use
tabs and newlines.

ProB assumes that all B machines and strings use the UTF-8 encoding.

=== Reals ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r into an integer
ceiling(r) convert a real r into an integer
</pre>

One can also use a lowercase <tt>e</tt> for literals in scientific notation (e.g. <tt>1.0e-10</tt>).
Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus do not hold.
The [[External_Functions|library]] LibraryReals.def in stdlib contains additional useful external functions
(like <tt>RSIN</tt>, <tt>RCOS</tt>, <tt>RLOG</tt>, <tt>RSQRT</tt>, <tt>RPOW</tt>, ...).
You can turn off support for REALS using the preference <tt>ALLOW_REALS</tt>.
The <tt>REAL_SOLVER</tt> preference how constraints are solved.

=== Trees ===
Nodes in the tree are denoted by index sequences (branches), e.g, <tt>n=[1,2,1]</tt>
Each node in the tree is labelled with an element from a domain S.
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates, expressions and substitutions:
<pre>
IF P THEN E1 END conditional branching
IF P THEN E1 ELSIF E2 END we also allow multiple ELSIF branches
IF P THEN E1 ELSE E2 END but you always need an ELSE branch for expressions and predicates
IF P THEN E1 ELSIF E2 ELSE E3 END
LET x1,... BE x1=E1 & ... IN E END introduce local variables
</pre>
Note: the expression <tt>Ei</tt> defining <tt>xi</tt> is allowed to use <tt>x1,...,x(i-1)</tt> for predicates/expressions.
By setting the preference <tt>ALLOW_COMPLEX_LETS</tt> to <tt>TRUE</tt>, this is also allowed for substitutions.

=== Statements (aka Substitutions) ===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END

WHEN P THEN G END is a synonym for SELECT P THEN G END

**: cannot be used at the top-level of an operation, but needs to
be wrapped inside a BEGIN END or another statement (to avoid
problems with the operators ; and ||).
</pre>

=== Machine header ===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION

Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)
You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.
</pre>

=== Machine sections ===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;....
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION
OPERATIONS
</pre>

=== Machine inclusion ===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions ===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
</pre>
"FILE.def"; Include definitions from file

There are a few Definitions which can be used to influence the animator:

<pre>
There are a few specific definitions which can be used to influence ProB:
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
</pre>

The following definitions allow providing a custom state visualization:

<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]]:
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", edges:e)
</pre>
Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

There are also <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == define a record or set of records for VisB hover functions
VISB_SVG_BOX == record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set or lambda to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are two special descriptions
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source and should not be edited
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free ===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes ===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T12:27:06Z

Vella: /* LET and IF-THEN-ELSE */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality ===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans ===
<pre>
TRUE truth value (this is an expression)
FALSE falsity value (this is an expression)
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are expression values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets ===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T or S \ T set difference
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers ===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) set product
SIGMA(z).(P|E) set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations ===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0)=id(s) where s=TYPEOF_r)
</pre>

=== Functions ===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences ===
<pre>
[] or <> empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records ===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Identifiers ===
<pre>
ID must start with letter (ASCII or Unicode), can then contain
letters (ASCII or Unicode), digits and underscore (_) and
can end with Unicode subscripts followed by Unicode primes
M.ID composed identifier for identifier coming from included machine M
`ID` an identifier in backquotes can contain almost any character (except newline)
</pre>

=== Strings ===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
In ProB, however, some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse of a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the <tt>STRING_AS_SEQUENCE</tt> preference.
The [[External_Functions|library]] LibraryStrings.def in stdlib contains additional useful external functions
(like <tt>TO_STRING</tt>, <tt>STRING_SPLIT</tt>, <tt>FORMAT_TO_STRING</tt>, <tt>INT_TO_HEX_STRING</tt>, ...).

ProB also allows multi-line strings.

As of version 1.7.0, ProB will support the following escape sequences within strings:
<pre>
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol
</pre>
Within single-line string literals, you do not need to escape <tt>'</tt>.
Within multi-line string literals, you do not need to escape <tt>"</tt> and you can use
tabs and newlines.

ProB assumes that all B machines and strings use the UTF-8 encoding.

=== Reals ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r into an integer
ceiling(r) convert a real r into an integer
</pre>

One can also use a lowercase <tt>e</tt> for literals in scientific notation (e.g. <tt>1.0e-10</tt>).
Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus do not hold.
The [[External_Functions|library]] LibraryReals.def in stdlib contains additional useful external functions
(like <tt>RSIN</tt>, <tt>RCOS</tt>, <tt>RLOG</tt>, <tt>RSQRT</tt>, <tt>RPOW</tt>, ...).
You can turn off support for REALS using the preference <tt>ALLOW_REALS</tt>.
The <tt>REAL_SOLVER</tt> preference how constraints are solved.

=== Trees ===
Nodes in the tree are denoted by index sequences (branches), e.g, <tt>n=[1,2,1]</tt>
Each node in the tree is labelled with an element from a domain S.
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates, expressions and substitutions:
<pre>
IF P THEN E1 END conditional branching
IF P THEN E1 ELSIF E2 END we also allow multiple ELSIF branches
IF P THEN E1 ELSE E2 END but you always need an ELSE branch for expressions and predicates
IF P THEN E1 ELSIF E2 ELSE E3 END
LET x1,... BE x1=E1 & ... IN E END introduce local variables
</pre>
Note: the expression <tt>Ei</tt> defining <tt>xi</tt> is allowed to use <tt>x1,...,x(i-1)</tt> for predicates/expressions.
By setting the preference <tt>ALLOW_COMPLEX_LETS</tt> to <tt>TRUE</tt>, this is also allowed for substitutions.

=== Statements (aka Substitutions) ===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END

WHEN P THEN G END is a synonym for SELECT P THEN G END

**: cannot be used at the top-level of an operation, but needs to
be wrapped inside a BEGIN END or another statement (to avoid
problems with the operators ; and ||).
</pre>

=== Machine header ===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION

Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)
You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.
</pre>

=== Machine sections ===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;....
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION
OPERATIONS
</pre>

=== Machine inclusion ===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions ===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
</pre>
"FILE.def"; Include definitions from file

There are a few Definitions which can be used to influence the animator:

<pre>
There are a few specific definitions which can be used to influence ProB:
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
</pre>

The following definitions allow providing a custom state visualization:

<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]]:
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", edges:e)
</pre>
Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

There are also <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == define a record or set of records for VisB hover functions
VISB_SVG_BOX == record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set or lambda to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are two special descriptions
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source and should not be edited
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free ===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes ===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T12:18:14Z

Vella: /* Trees */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality ===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans ===
<pre>
TRUE truth value (this is an expression)
FALSE falsity value (this is an expression)
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are expression values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets ===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T or S \ T set difference
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers ===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) set product
SIGMA(z).(P|E) set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations ===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0)=id(s) where s=TYPEOF_r)
</pre>

=== Functions ===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences ===
<pre>
[] or <> empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records ===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Identifiers ===
<pre>
ID must start with letter (ASCII or Unicode), can then contain
letters (ASCII or Unicode), digits and underscore (_) and
can end with Unicode subscripts followed by Unicode primes
M.ID composed identifier for identifier coming from included machine M
`ID` an identifier in backquotes can contain almost any character (except newline)
</pre>

=== Strings ===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
In ProB, however, some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse of a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the <tt>STRING_AS_SEQUENCE</tt> preference.
The [[External_Functions|library]] LibraryStrings.def in stdlib contains additional useful external functions
(like <tt>TO_STRING</tt>, <tt>STRING_SPLIT</tt>, <tt>FORMAT_TO_STRING</tt>, <tt>INT_TO_HEX_STRING</tt>, ...).

ProB also allows multi-line strings.

As of version 1.7.0, ProB will support the following escape sequences within strings:
<pre>
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol
</pre>
Within single-line string literals, you do not need to escape <tt>'</tt>.
Within multi-line string literals, you do not need to escape <tt>"</tt> and you can use
tabs and newlines.

ProB assumes that all B machines and strings use the UTF-8 encoding.

=== Reals ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r into an integer
ceiling(r) convert a real r into an integer
</pre>

One can also use a lowercase <tt>e</tt> for literals in scientific notation (e.g. <tt>1.0e-10</tt>).
Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus do not hold.
The [[External_Functions|library]] LibraryReals.def in stdlib contains additional useful external functions
(like <tt>RSIN</tt>, <tt>RCOS</tt>, <tt>RLOG</tt>, <tt>RSQRT</tt>, <tt>RPOW</tt>, ...).
You can turn off support for REALS using the preference <tt>ALLOW_REALS</tt>.
The <tt>REAL_SOLVER</tt> preference how constraints are solved.

=== Trees ===
Nodes in the tree are denoted by index sequences (branches), e.g, <tt>n=[1,2,1]</tt>
Each node in the tree is labelled with an element from a domain S.
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates and expressions:
<pre>
IF P1 THEN E1 ELSE E2 END
IF P1 THEN E1 ELSIF P2 THEN E2 ... ELSE En END conditional for expressions or predicates E1,E2,...,En
LET x1,... BE x1=E1 & ... IN E END
</pre>
Note: the expressions E1,... defining x1,... are not allowed to use x1,...

=== Statements (aka Substitutions) ===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END

WHEN P THEN G END is a synonym for SELECT P THEN G END

**: cannot be used at the top-level of an operation, but needs to
be wrapped inside a BEGIN END or another statement (to avoid
problems with the operators ; and ||).
</pre>

=== Machine header ===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION

Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)
You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.
</pre>

=== Machine sections ===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;....
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION
OPERATIONS
</pre>

=== Machine inclusion ===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions ===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
</pre>
"FILE.def"; Include definitions from file

There are a few Definitions which can be used to influence the animator:

<pre>
There are a few specific definitions which can be used to influence ProB:
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
</pre>

The following definitions allow providing a custom state visualization:

<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]]:
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", edges:e)
</pre>
Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

There are also <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == define a record or set of records for VisB hover functions
VISB_SVG_BOX == record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set or lambda to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are two special descriptions
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source and should not be edited
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free ===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes ===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T12:16:59Z

Vella: /* Reals */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality ===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans ===
<pre>
TRUE truth value (this is an expression)
FALSE falsity value (this is an expression)
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are expression values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets ===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T or S \ T set difference
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers ===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) set product
SIGMA(z).(P|E) set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations ===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0)=id(s) where s=TYPEOF_r)
</pre>

=== Functions ===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences ===
<pre>
[] or <> empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records ===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Identifiers ===
<pre>
ID must start with letter (ASCII or Unicode), can then contain
letters (ASCII or Unicode), digits and underscore (_) and
can end with Unicode subscripts followed by Unicode primes
M.ID composed identifier for identifier coming from included machine M
`ID` an identifier in backquotes can contain almost any character (except newline)
</pre>

=== Strings ===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
In ProB, however, some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse of a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the <tt>STRING_AS_SEQUENCE</tt> preference.
The [[External_Functions|library]] LibraryStrings.def in stdlib contains additional useful external functions
(like <tt>TO_STRING</tt>, <tt>STRING_SPLIT</tt>, <tt>FORMAT_TO_STRING</tt>, <tt>INT_TO_HEX_STRING</tt>, ...).

ProB also allows multi-line strings.

As of version 1.7.0, ProB will support the following escape sequences within strings:
<pre>
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol
</pre>
Within single-line string literals, you do not need to escape <tt>'</tt>.
Within multi-line string literals, you do not need to escape <tt>"</tt> and you can use
tabs and newlines.

ProB assumes that all B machines and strings use the UTF-8 encoding.

=== Reals ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r into an integer
ceiling(r) convert a real r into an integer
</pre>

One can also use a lowercase <tt>e</tt> for literals in scientific notation (e.g. <tt>1.0e-10</tt>).
Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus do not hold.
The [[External_Functions|library]] LibraryReals.def in stdlib contains additional useful external functions
(like <tt>RSIN</tt>, <tt>RCOS</tt>, <tt>RLOG</tt>, <tt>RSQRT</tt>, <tt>RPOW</tt>, ...).
You can turn off support for REALS using the preference <tt>ALLOW_REALS</tt>.
The <tt>REAL_SOLVER</tt> preference how constraints are solved.

=== Trees ===
Nodes in the tree are denoted by index sequences (branches), e.g, n=[1,2,1]
Each node in the tree is labelled with an element from a domain S
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates and expressions:
<pre>
IF P1 THEN E1 ELSE E2 END
IF P1 THEN E1 ELSIF P2 THEN E2 ... ELSE En END conditional for expressions or predicates E1,E2,...,En
LET x1,... BE x1=E1 & ... IN E END
</pre>
Note: the expressions E1,... defining x1,... are not allowed to use x1,...

=== Statements (aka Substitutions) ===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END

WHEN P THEN G END is a synonym for SELECT P THEN G END

**: cannot be used at the top-level of an operation, but needs to
be wrapped inside a BEGIN END or another statement (to avoid
problems with the operators ; and ||).
</pre>

=== Machine header ===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION

Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)
You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.
</pre>

=== Machine sections ===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;....
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION
OPERATIONS
</pre>

=== Machine inclusion ===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions ===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
</pre>
"FILE.def"; Include definitions from file

There are a few Definitions which can be used to influence the animator:

<pre>
There are a few specific definitions which can be used to influence ProB:
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
</pre>

The following definitions allow providing a custom state visualization:

<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]]:
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", edges:e)
</pre>
Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

There are also <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == define a record or set of records for VisB hover functions
VISB_SVG_BOX == record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set or lambda to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are two special descriptions
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source and should not be edited
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free ===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes ===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T12:16:39Z

Vella: /* Reals */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality ===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans ===
<pre>
TRUE truth value (this is an expression)
FALSE falsity value (this is an expression)
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are expression values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets ===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T or S \ T set difference
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers ===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) set product
SIGMA(z).(P|E) set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations ===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0)=id(s) where s=TYPEOF_r)
</pre>

=== Functions ===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences ===
<pre>
[] or <> empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records ===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Identifiers ===
<pre>
ID must start with letter (ASCII or Unicode), can then contain
letters (ASCII or Unicode), digits and underscore (_) and
can end with Unicode subscripts followed by Unicode primes
M.ID composed identifier for identifier coming from included machine M
`ID` an identifier in backquotes can contain almost any character (except newline)
</pre>

=== Strings ===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
In ProB, however, some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse of a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the <tt>STRING_AS_SEQUENCE</tt> preference.
The [[External_Functions|library]] LibraryStrings.def in stdlib contains additional useful external functions
(like <tt>TO_STRING</tt>, <tt>STRING_SPLIT</tt>, <tt>FORMAT_TO_STRING</tt>, <tt>INT_TO_HEX_STRING</tt>, ...).

ProB also allows multi-line strings.

As of version 1.7.0, ProB will support the following escape sequences within strings:
<pre>
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol
</pre>
Within single-line string literals, you do not need to escape <tt>'</tt>.
Within multi-line string literals, you do not need to escape <tt>"</tt> and you can use
tabs and newlines.

ProB assumes that all B machines and strings use the UTF-8 encoding.

=== Reals ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r into an integer
ceiling(r) convert a real r into an integer
</pre>

One can also use a lowercase <tt>e</tt> for literals in scientific notation (e.g. <tt>1.0e-10</tt>).
Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus do not hold.
The [[External_Functions|library]] LibraryReals.def in stdlib contains additional useful external functions
(like <tt>RSIN</tt>, <tt>RCOS</tt>, <tt>RLOG</tt>, <tt>RSQRT</tt>, <tt>RPOW</tt>, ...).
You can turn off support for REALS using the preference <tt>ALLOW_REALS</tt>.

=== Trees ===
Nodes in the tree are denoted by index sequences (branches), e.g, n=[1,2,1]
Each node in the tree is labelled with an element from a domain S
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates and expressions:
<pre>
IF P1 THEN E1 ELSE E2 END
IF P1 THEN E1 ELSIF P2 THEN E2 ... ELSE En END conditional for expressions or predicates E1,E2,...,En
LET x1,... BE x1=E1 & ... IN E END
</pre>
Note: the expressions E1,... defining x1,... are not allowed to use x1,...

=== Statements (aka Substitutions) ===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END

WHEN P THEN G END is a synonym for SELECT P THEN G END

**: cannot be used at the top-level of an operation, but needs to
be wrapped inside a BEGIN END or another statement (to avoid
problems with the operators ; and ||).
</pre>

=== Machine header ===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION

Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)
You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.
</pre>

=== Machine sections ===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;....
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION
OPERATIONS
</pre>

=== Machine inclusion ===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions ===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
</pre>
"FILE.def"; Include definitions from file

There are a few Definitions which can be used to influence the animator:

<pre>
There are a few specific definitions which can be used to influence ProB:
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
</pre>

The following definitions allow providing a custom state visualization:

<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]]:
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", edges:e)
</pre>
Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

There are also <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == define a record or set of records for VisB hover functions
VISB_SVG_BOX == record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set or lambda to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are two special descriptions
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source and should not be edited
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free ===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes ===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T12:16:15Z

Vella: /* Reals */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality ===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans ===
<pre>
TRUE truth value (this is an expression)
FALSE falsity value (this is an expression)
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are expression values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets ===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T or S \ T set difference
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers ===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) set product
SIGMA(z).(P|E) set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations ===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0)=id(s) where s=TYPEOF_r)
</pre>

=== Functions ===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences ===
<pre>
[] or <> empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records ===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Identifiers ===
<pre>
ID must start with letter (ASCII or Unicode), can then contain
letters (ASCII or Unicode), digits and underscore (_) and
can end with Unicode subscripts followed by Unicode primes
M.ID composed identifier for identifier coming from included machine M
`ID` an identifier in backquotes can contain almost any character (except newline)
</pre>

=== Strings ===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
In ProB, however, some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse of a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the <tt>STRING_AS_SEQUENCE</tt> preference.
The [[External_Functions|library]] LibraryStrings.def in stdlib contains additional useful external functions
(like <tt>TO_STRING</tt>, <tt>STRING_SPLIT</tt>, <tt>FORMAT_TO_STRING</tt>, <tt>INT_TO_HEX_STRING</tt>, ...).

ProB also allows multi-line strings.

As of version 1.7.0, ProB will support the following escape sequences within strings:
<pre>
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol
</pre>
Within single-line string literals, you do not need to escape <tt>'</tt>.
Within multi-line string literals, you do not need to escape <tt>"</tt> and you can use
tabs and newlines.

ProB assumes that all B machines and strings use the UTF-8 encoding.

=== Reals ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r into an integer
ceiling(r) convert a real r into an integer
</pre>

One can also use a lowercase e for literals in scientific notation (e.g. 1.0e-10).
Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus do not hold.
The [[External_Functions|library]] LibraryReals.def in stdlib contains additional useful external functions
(like <tt>RSIN</tt>, <tt>RCOS</tt>, <tt>RLOG</tt>, <tt>RSQRT</tt>, <tt>RPOW</tt>, ...).
You can turn off support for REALS using the preference <tt>ALLOW_REALS</tt>.

=== Trees ===
Nodes in the tree are denoted by index sequences (branches), e.g, n=[1,2,1]
Each node in the tree is labelled with an element from a domain S
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates and expressions:
<pre>
IF P1 THEN E1 ELSE E2 END
IF P1 THEN E1 ELSIF P2 THEN E2 ... ELSE En END conditional for expressions or predicates E1,E2,...,En
LET x1,... BE x1=E1 & ... IN E END
</pre>
Note: the expressions E1,... defining x1,... are not allowed to use x1,...

=== Statements (aka Substitutions) ===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END

WHEN P THEN G END is a synonym for SELECT P THEN G END

**: cannot be used at the top-level of an operation, but needs to
be wrapped inside a BEGIN END or another statement (to avoid
problems with the operators ; and ||).
</pre>

=== Machine header ===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION

Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)
You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.
</pre>

=== Machine sections ===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;....
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION
OPERATIONS
</pre>

=== Machine inclusion ===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions ===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
</pre>
"FILE.def"; Include definitions from file

There are a few Definitions which can be used to influence the animator:

<pre>
There are a few specific definitions which can be used to influence ProB:
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
</pre>

The following definitions allow providing a custom state visualization:

<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]]:
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", edges:e)
</pre>
Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

There are also <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == define a record or set of records for VisB hover functions
VISB_SVG_BOX == record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set or lambda to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are two special descriptions
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source and should not be edited
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free ===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes ===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T12:13:57Z

Vella: /* Strings */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality ===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans ===
<pre>
TRUE truth value (this is an expression)
FALSE falsity value (this is an expression)
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are expression values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets ===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T or S \ T set difference
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers ===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) set product
SIGMA(z).(P|E) set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations ===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0)=id(s) where s=TYPEOF_r)
</pre>

=== Functions ===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences ===
<pre>
[] or <> empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records ===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Identifiers ===
<pre>
ID must start with letter (ASCII or Unicode), can then contain
letters (ASCII or Unicode), digits and underscore (_) and
can end with Unicode subscripts followed by Unicode primes
M.ID composed identifier for identifier coming from included machine M
`ID` an identifier in backquotes can contain almost any character (except newline)
</pre>

=== Strings ===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
In ProB, however, some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse of a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the <tt>STRING_AS_SEQUENCE</tt> preference.
The [[External_Functions|library]] LibraryStrings.def in stdlib contains additional useful external functions
(like <tt>TO_STRING</tt>, <tt>STRING_SPLIT</tt>, <tt>FORMAT_TO_STRING</tt>, <tt>INT_TO_HEX_STRING</tt>, ...).

ProB also allows multi-line strings.

As of version 1.7.0, ProB will support the following escape sequences within strings:
<pre>
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol
</pre>
Within single-line string literals, you do not need to escape <tt>'</tt>.
Within multi-line string literals, you do not need to escape <tt>"</tt> and you can use
tabs and newlines.

ProB assumes that all B machines and strings use the UTF-8 encoding.

=== Reals ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r to an integer
ceiling(r) convert a real r to an integer
</pre>

Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus does not hold.
The library LibraryReals.def in stdlib contains additional useful external functions
(like RSIN, RCOS, RLOG, RSQRT, RPOW, ...).
You can turn off support for REALS using the preference ALLOW_REALS.

=== Trees ===
Nodes in the tree are denoted by index sequences (branches), e.g, n=[1,2,1]
Each node in the tree is labelled with an element from a domain S
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates and expressions:
<pre>
IF P1 THEN E1 ELSE E2 END
IF P1 THEN E1 ELSIF P2 THEN E2 ... ELSE En END conditional for expressions or predicates E1,E2,...,En
LET x1,... BE x1=E1 & ... IN E END
</pre>
Note: the expressions E1,... defining x1,... are not allowed to use x1,...

=== Statements (aka Substitutions) ===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END

WHEN P THEN G END is a synonym for SELECT P THEN G END

**: cannot be used at the top-level of an operation, but needs to
be wrapped inside a BEGIN END or another statement (to avoid
problems with the operators ; and ||).
</pre>

=== Machine header ===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION

Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)
You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.
</pre>

=== Machine sections ===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;....
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION
OPERATIONS
</pre>

=== Machine inclusion ===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions ===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
</pre>
"FILE.def"; Include definitions from file

There are a few Definitions which can be used to influence the animator:

<pre>
There are a few specific definitions which can be used to influence ProB:
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
</pre>

The following definitions allow providing a custom state visualization:

<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]]:
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", edges:e)
</pre>
Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

There are also <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == define a record or set of records for VisB hover functions
VISB_SVG_BOX == record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set or lambda to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are two special descriptions
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source and should not be edited
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free ===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes ===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T12:13:21Z

Vella: /* Strings */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality ===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans ===
<pre>
TRUE truth value (this is an expression)
FALSE falsity value (this is an expression)
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are expression values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets ===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T or S \ T set difference
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers ===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) set product
SIGMA(z).(P|E) set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations ===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0)=id(s) where s=TYPEOF_r)
</pre>

=== Functions ===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences ===
<pre>
[] or <> empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records ===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Identifiers ===
<pre>
ID must start with letter (ASCII or Unicode), can then contain
letters (ASCII or Unicode), digits and underscore (_) and
can end with Unicode subscripts followed by Unicode primes
M.ID composed identifier for identifier coming from included machine M
`ID` an identifier in backquotes can contain almost any character (except newline)
</pre>

=== Strings ===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
In ProB, however, some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse of a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the <tt>STRING_AS_SEQUENCE</tt> preference.
The [[External_Functions|library]] LibraryStrings.def in stdlib contains additional useful external functions
(like <tt>TO_STRING</tt>, <tt>STRING_SPLIT</tt>, <tt>FORMAT_TO_STRING</tt>, <tt>INT_TO_HEX_STRING</tt>, ...).
ProB also allows multi-line strings.
As of version 1.7.0, ProB will support the following escape sequences within strings:
<pre>
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol
</pre>
Within single-line string literals, you do not need to escape <tt>'</tt>.
Within multi-line string literals, you do not need to escape <tt>"</tt> and you can use
tabs and newlines.
ProB assumes that all B machines and strings use the UTF-8 encoding.

=== Reals ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r to an integer
ceiling(r) convert a real r to an integer
</pre>

Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus does not hold.
The library LibraryReals.def in stdlib contains additional useful external functions
(like RSIN, RCOS, RLOG, RSQRT, RPOW, ...).
You can turn off support for REALS using the preference ALLOW_REALS.

=== Trees ===
Nodes in the tree are denoted by index sequences (branches), e.g, n=[1,2,1]
Each node in the tree is labelled with an element from a domain S
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates and expressions:
<pre>
IF P1 THEN E1 ELSE E2 END
IF P1 THEN E1 ELSIF P2 THEN E2 ... ELSE En END conditional for expressions or predicates E1,E2,...,En
LET x1,... BE x1=E1 & ... IN E END
</pre>
Note: the expressions E1,... defining x1,... are not allowed to use x1,...

=== Statements (aka Substitutions) ===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END

WHEN P THEN G END is a synonym for SELECT P THEN G END

**: cannot be used at the top-level of an operation, but needs to
be wrapped inside a BEGIN END or another statement (to avoid
problems with the operators ; and ||).
</pre>

=== Machine header ===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION

Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)
You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.
</pre>

=== Machine sections ===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;....
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION
OPERATIONS
</pre>

=== Machine inclusion ===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions ===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
</pre>
"FILE.def"; Include definitions from file

There are a few Definitions which can be used to influence the animator:

<pre>
There are a few specific definitions which can be used to influence ProB:
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
</pre>

The following definitions allow providing a custom state visualization:

<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]]:
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", edges:e)
</pre>
Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

There are also <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == define a record or set of records for VisB hover functions
VISB_SVG_BOX == record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set or lambda to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are two special descriptions
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source and should not be edited
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free ===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes ===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T12:13:00Z

Vella: /* Strings */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality ===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans ===
<pre>
TRUE truth value (this is an expression)
FALSE falsity value (this is an expression)
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are expression values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets ===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T or S \ T set difference
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers ===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) set product
SIGMA(z).(P|E) set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations ===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0)=id(s) where s=TYPEOF_r)
</pre>

=== Functions ===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences ===
<pre>
[] or <> empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records ===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Identifiers ===
<pre>
ID must start with letter (ASCII or Unicode), can then contain
letters (ASCII or Unicode), digits and underscore (_) and
can end with Unicode subscripts followed by Unicode primes
M.ID composed identifier for identifier coming from included machine M
`ID` an identifier in backquotes can contain almost any character (except newline)
</pre>

=== Strings ===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
In ProB, however, some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse of a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the STRING_AS_SEQUENCE preference.
The [[External_Functions|library]] LibraryStrings.def in stdlib contains additional useful external functions
(like <tt>TO_STRING</tt>, <tt>STRING_SPLIT</tt>, <tt>FORMAT_TO_STRING</tt>, <tt>INT_TO_HEX_STRING</tt>, ...).
ProB also allows multi-line strings.
As of version 1.7.0, ProB will support the following escape sequences within strings:
<pre>
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol
</pre>
Within single-line string literals, you do not need to escape <tt>'</tt>.
Within multi-line string literals, you do not need to escape <tt>"</tt> and you can use
tabs and newlines.
ProB assumes that all B machines and strings use the UTF-8 encoding.

=== Reals ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r to an integer
ceiling(r) convert a real r to an integer
</pre>

Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus does not hold.
The library LibraryReals.def in stdlib contains additional useful external functions
(like RSIN, RCOS, RLOG, RSQRT, RPOW, ...).
You can turn off support for REALS using the preference ALLOW_REALS.

=== Trees ===
Nodes in the tree are denoted by index sequences (branches), e.g, n=[1,2,1]
Each node in the tree is labelled with an element from a domain S
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates and expressions:
<pre>
IF P1 THEN E1 ELSE E2 END
IF P1 THEN E1 ELSIF P2 THEN E2 ... ELSE En END conditional for expressions or predicates E1,E2,...,En
LET x1,... BE x1=E1 & ... IN E END
</pre>
Note: the expressions E1,... defining x1,... are not allowed to use x1,...

=== Statements (aka Substitutions) ===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END

WHEN P THEN G END is a synonym for SELECT P THEN G END

**: cannot be used at the top-level of an operation, but needs to
be wrapped inside a BEGIN END or another statement (to avoid
problems with the operators ; and ||).
</pre>

=== Machine header ===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION

Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)
You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.
</pre>

=== Machine sections ===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;....
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION
OPERATIONS
</pre>

=== Machine inclusion ===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions ===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
</pre>
"FILE.def"; Include definitions from file

There are a few Definitions which can be used to influence the animator:

<pre>
There are a few specific definitions which can be used to influence ProB:
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
</pre>

The following definitions allow providing a custom state visualization:

<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]]:
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", edges:e)
</pre>
Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

There are also <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == define a record or set of records for VisB hover functions
VISB_SVG_BOX == record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set or lambda to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are two special descriptions
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source and should not be edited
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free ===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes ===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T12:08:21Z

Vella: /* Strings */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality ===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans ===
<pre>
TRUE truth value (this is an expression)
FALSE falsity value (this is an expression)
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are expression values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets ===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T or S \ T set difference
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers ===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) set product
SIGMA(z).(P|E) set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations ===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0)=id(s) where s=TYPEOF_r)
</pre>

=== Functions ===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences ===
<pre>
[] or <> empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records ===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Identifiers ===
<pre>
ID must start with letter (ASCII or Unicode), can then contain
letters (ASCII or Unicode), digits and underscore (_) and
can end with Unicode subscripts followed by Unicode primes
M.ID composed identifier for identifier coming from included machine M
`ID` an identifier in backquotes can contain almost any character (except newline)
</pre>

=== Strings ===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
However, the ProB [[External_Functions|external function library]] contains several operators on strings. ProB also allows multi-line strings.
As of version 1.7.0, ProB will support the following escape sequences within strings:
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol

Within single-line string literals, you do not need to escape '.
Within multi-line string literals, you do not need to escape " and you can use
tabs and newlines.
ProB assumes that all B machines and strings use the UTF-8 encoding.

The library LibraryStrings.def in stdlib contains additional useful external functions
(like TO_STRING, STRING_SPLIT, FORMAT_TO_STRING, INT_TO_HEX_STRING, ...).
Some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the STRING_AS_SEQUENCE preference.

=== Reals ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r to an integer
ceiling(r) convert a real r to an integer
</pre>

Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus does not hold.
The library LibraryReals.def in stdlib contains additional useful external functions
(like RSIN, RCOS, RLOG, RSQRT, RPOW, ...).
You can turn off support for REALS using the preference ALLOW_REALS.

=== Trees ===
Nodes in the tree are denoted by index sequences (branches), e.g, n=[1,2,1]
Each node in the tree is labelled with an element from a domain S
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates and expressions:
<pre>
IF P1 THEN E1 ELSE E2 END
IF P1 THEN E1 ELSIF P2 THEN E2 ... ELSE En END conditional for expressions or predicates E1,E2,...,En
LET x1,... BE x1=E1 & ... IN E END
</pre>
Note: the expressions E1,... defining x1,... are not allowed to use x1,...

=== Statements (aka Substitutions) ===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END

WHEN P THEN G END is a synonym for SELECT P THEN G END

**: cannot be used at the top-level of an operation, but needs to
be wrapped inside a BEGIN END or another statement (to avoid
problems with the operators ; and ||).
</pre>

=== Machine header ===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION

Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)
You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.
</pre>

=== Machine sections ===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;....
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION
OPERATIONS
</pre>

=== Machine inclusion ===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions ===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
</pre>
"FILE.def"; Include definitions from file

There are a few Definitions which can be used to influence the animator:

<pre>
There are a few specific definitions which can be used to influence ProB:
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
</pre>

The following definitions allow providing a custom state visualization:

<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]]:
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", edges:e)
</pre>
Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

There are also <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == define a record or set of records for VisB hover functions
VISB_SVG_BOX == record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set or lambda to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are two special descriptions
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source and should not be edited
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free ===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes ===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T12:06:54Z

Vella: /* Summary of B Syntax */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality ===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans ===
<pre>
TRUE truth value (this is an expression)
FALSE falsity value (this is an expression)
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are expression values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets ===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T or S \ T set difference
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers ===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) set product
SIGMA(z).(P|E) set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations ===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0)=id(s) where s=TYPEOF_r)
</pre>

=== Functions ===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences ===
<pre>
[] or <> empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records ===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Identifiers ===
<pre>
ID must start with letter (ASCII or Unicode), can then contain
letters (ASCII or Unicode), digits and underscore (_) and
can end with Unicode subscripts followed by Unicode primes
M.ID composed identifier for identifier coming from included machine M
`ID` an identifier in backquotes can contain almost any character (except newline)
</pre>

=== Strings ===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
However, the ProB [[External_Functions|external function library]] contains several operators on strings. ProB also allows multi-line strings.
As of version 1.7.0, ProB will support the following escape sequences within strings:
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol

Within single-line string literals, you do not need to escape '.
Within multi-line string literals, you do not need to escape " and you can use
tabs and newlines.
ProB assumes that all B machines and strings use the UTF-8 encoding.

The library LibraryStrings.def in stdlib contains additional useful external functions
(like TO_STRING, STRING_SPLIT, FORMAT_TO_STRING, INT_TO_HEX_STRING, ...).
Some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the STRING_AS_SEQUENCE preference.

=== Reals ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r to an integer
ceiling(r) convert a real r to an integer
</pre>

Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus does not hold.
The library LibraryReals.def in stdlib contains additional useful external functions
(like RSIN, RCOS, RLOG, RSQRT, RPOW, ...).
You can turn off support for REALS using the preference ALLOW_REALS.

=== Trees ===
Nodes in the tree are denoted by index sequences (branches), e.g, n=[1,2,1]
Each node in the tree is labelled with an element from a domain S
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates and expressions:
<pre>
IF P1 THEN E1 ELSE E2 END
IF P1 THEN E1 ELSIF P2 THEN E2 ... ELSE En END conditional for expressions or predicates E1,E2,...,En
LET x1,... BE x1=E1 & ... IN E END
</pre>
Note: the expressions E1,... defining x1,... are not allowed to use x1,...

=== Statements (aka Substitutions) ===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END

WHEN P THEN G END is a synonym for SELECT P THEN G END

**: cannot be used at the top-level of an operation, but needs to
be wrapped inside a BEGIN END or another statement (to avoid
problems with the operators ; and ||).
</pre>

=== Machine header ===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION

Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)
You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.
</pre>

=== Machine sections ===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;....
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION
OPERATIONS
</pre>

=== Machine inclusion ===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions ===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
</pre>
"FILE.def"; Include definitions from file

There are a few Definitions which can be used to influence the animator:

<pre>
There are a few specific definitions which can be used to influence ProB:
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
</pre>

The following definitions allow providing a custom state visualization:

<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]]:
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", edges:e)
</pre>
Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

There are also <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == define a record or set of records for VisB hover functions
VISB_SVG_BOX == record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set or lambda to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are two special descriptions
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source and should not be edited
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free ===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes ===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T12:05:04Z

Vella: /* Summary of B Syntax */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates: ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality: ===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans: ===
<pre>
TRUE truth value (this is an expression)
FALSE falsity value (this is an expression)
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are expression values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets: ===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T or S \ T set difference
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers: ===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) set product
SIGMA(z).(P|E) set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations: ===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0)=id(s) where s=TYPEOF_r)
</pre>

=== Functions: ===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences: ===
<pre>
[] or <> empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records: ===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Identifiers: ===
<pre>
ID must start with letter (ASCII or Unicode), can then contain
letters (ASCII or Unicode), digits and underscore (_) and
can end with Unicode subscripts followed by Unicode primes
M.ID composed identifier for identifier coming from included machine M
`ID` an identifier in backquotes can contain almost any character (except newline)
</pre>

=== Strings: ===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
However, the ProB [[External_Functions|external function library]] contains several operators on strings. ProB also allows multi-line strings.
As of version 1.7.0, ProB will support the following escape sequences within strings:
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol

Within single-line string literals, you do not need to escape '.
Within multi-line string literals, you do not need to escape " and you can use
tabs and newlines.
ProB assumes that all B machines and strings use the UTF-8 encoding.

The library LibraryStrings.def in stdlib contains additional useful external functions
(like TO_STRING, STRING_SPLIT, FORMAT_TO_STRING, INT_TO_HEX_STRING, ...).
Some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the STRING_AS_SEQUENCE preference.

=== Reals: ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r to an integer
ceiling(r) convert a real r to an integer
</pre>

Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus does not hold.
The library LibraryReals.def in stdlib contains additional useful external functions
(like RSIN, RCOS, RLOG, RSQRT, RPOW, ...).
You can turn off support for REALS using the preference ALLOW_REALS.

=== Trees: ===
Nodes in the tree are denoted by index sequences (branches), e.g, n=[1,2,1]
Each node in the tree is labelled with an element from a domain S
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE: ===
ProB allows the following for predicates and expressions:
<pre>
IF P1 THEN E1 ELSE E2 END
IF P1 THEN E1 ELSIF P2 THEN E2 ... ELSE En END conditional for expressions or predicates E1,E2,...,En
LET x1,... BE x1=E1 & ... IN E END
</pre>
Note: the expressions E1,... defining x1,... are not allowed to use x1,...

=== Statements (aka Substitutions): ===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END

WHEN P THEN G END is a synonym for SELECT P THEN G END

**: cannot be used at the top-level of an operation, but needs to
be wrapped inside a BEGIN END or another statement (to avoid
problems with the operators ; and ||).
</pre>

=== Machine header: ===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION

Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)
You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.
</pre>

=== Machine sections: ===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;....
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION
OPERATIONS
</pre>

=== Machine inclusion: ===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions: ===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
</pre>
"FILE.def"; Include definitions from file

There are a few Definitions which can be used to influence the animator:

<pre>
There are a few specific definitions which can be used to influence ProB:
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
</pre>

The following definitions allow providing a custom state visualization:

<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]]:
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", edges:e)
</pre>
Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

There are also <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == define a record or set of records for VisB hover functions
VISB_SVG_BOX == record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas: ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set or lambda to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are two special descriptions
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source and should not be edited
</pre>

=== File Extensions: ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types: ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free: ===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes: ===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax: ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T12:03:29Z

Vella: /* Summary of B Syntax */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates: ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality:===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans:===
<pre>
TRUE truth value (this is an expression)
FALSE falsity value (this is an expression)
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are expression values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets:===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T or S \ T set difference
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers:===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) set product
SIGMA(z).(P|E) set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations:===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0)=id(s) where s=TYPEOF_r)
</pre>

=== Functions:===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences:===
<pre>
[] or <> empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records:===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Identifiers:===
<pre>
ID must start with letter (ASCII or Unicode), can then contain
letters (ASCII or Unicode), digits and underscore (_) and
can end with Unicode subscripts followed by Unicode primes
M.ID composed identifier for identifier coming from included machine M
`ID` an identifier in backquotes can contain almost any character (except newline)
</pre>

=== Strings:===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
However, the ProB [[External_Functions|external function library]] contains several operators on strings. ProB also allows multi-line strings.
As of version 1.7.0, ProB will support the following escape sequences within strings:
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol

Within single-line string literals, you do not need to escape '.
Within multi-line string literals, you do not need to escape " and you can use
tabs and newlines.
ProB assumes that all B machines and strings use the UTF-8 encoding.

The library LibraryStrings.def in stdlib contains additional useful external functions
(like TO_STRING, STRING_SPLIT, FORMAT_TO_STRING, INT_TO_HEX_STRING, ...).
Some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the STRING_AS_SEQUENCE preference.

=== Reals: ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r to an integer
ceiling(r) convert a real r to an integer
</pre>

Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus does not hold.
The library LibraryReals.def in stdlib contains additional useful external functions
(like RSIN, RCOS, RLOG, RSQRT, RPOW, ...).
You can turn off support for REALS using the preference ALLOW_REALS.

=== Trees:===
Nodes in the tree are denoted by index sequences (branches), e.g, n=[1,2,1]
Each node in the tree is labelled with an element from a domain S
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates and expressions:
<pre>
IF P1 THEN E1 ELSE E2 END
IF P1 THEN E1 ELSIF P2 THEN E2 ... ELSE En END conditional for expressions or predicates E1,E2,...,En
LET x1,... BE x1=E1 & ... IN E END
</pre>
Note: the expressions E1,... defining x1,... are not allowed to use x1,...

=== Statements (aka Substitutions):===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END

WHEN P THEN G END is a synonym for SELECT P THEN G END

**: cannot be used at the top-level of an operation, but needs to
be wrapped inside a BEGIN END or another statement (to avoid
problems with the operators ; and ||).
</pre>

=== Machine header:===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION

Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)
You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.
</pre>

=== Machine sections:===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;....
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION
OPERATIONS
</pre>

=== Machine inclusion:===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions:===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
</pre>
"FILE.def"; Include definitions from file

There are a few Definitions which can be used to influence the animator:

<pre>
There are a few specific definitions which can be used to influence ProB:
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
</pre>

The following definitions allow providing a custom state visualization:

<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]]:
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", edges:e)
</pre>
Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

There are also <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == define a record or set of records for VisB hover functions
VISB_SVG_BOX == record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set or lambda to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are two special descriptions
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source and should not be edited
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T12:01:50Z

Vella: /* Records: */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates: ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality:===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans:===
<pre>
TRUE truth value (this is an expression)
FALSE falsity value (this is an expression)
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are expression values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets:===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T or S \ T set difference
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers:===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) set product
SIGMA(z).(P|E) set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations:===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0)=id(s) where s=TYPEOF_r)
</pre>

=== Functions:===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences:===
<pre>
[] or <> empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records:===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Strings:===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
However, the ProB [[External_Functions|external function library]] contains several operators on strings. ProB also allows multi-line strings.
As of version 1.7.0, ProB will support the following escape sequences within strings:
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol

Within single-line string literals, you do not need to escape '.
Within multi-line string literals, you do not need to escape " and you can use
tabs and newlines.
ProB assumes that all B machines and strings use the UTF-8 encoding.

The library LibraryStrings.def in stdlib contains additional useful external functions
(like TO_STRING, STRING_SPLIT, FORMAT_TO_STRING, INT_TO_HEX_STRING, ...).
Some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the STRING_AS_SEQUENCE preference.

=== Reals: ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r to an integer
ceiling(r) convert a real r to an integer
</pre>

Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus does not hold.
The library LibraryReals.def in stdlib contains additional useful external functions
(like RSIN, RCOS, RLOG, RSQRT, RPOW, ...).
You can turn off support for REALS using the preference ALLOW_REALS.

=== Trees:===
Nodes in the tree are denoted by index sequences (branches), e.g, n=[1,2,1]
Each node in the tree is labelled with an element from a domain S
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates and expressions:
<pre>
IF P1 THEN E1 ELSE E2 END
IF P1 THEN E1 ELSIF P2 THEN E2 ... ELSE En END conditional for expressions or predicates E1,E2,...,En
LET x1,... BE x1=E1 & ... IN E END
</pre>
Note: the expressions E1,... defining x1,... are not allowed to use x1,...

=== Statements (aka Substitutions):===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END

WHEN P THEN G END is a synonym for SELECT P THEN G END

**: cannot be used at the top-level of an operation, but needs to
be wrapped inside a BEGIN END or another statement (to avoid
problems with the operators ; and ||).
</pre>

=== Machine header:===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION

Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)
You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.
</pre>

=== Machine sections:===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;....
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION
OPERATIONS
</pre>

=== Machine inclusion:===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions:===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
</pre>
"FILE.def"; Include definitions from file

There are a few Definitions which can be used to influence the animator:

<pre>
There are a few specific definitions which can be used to influence ProB:
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
</pre>

The following definitions allow providing a custom state visualization:

<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]]:
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", edges:e)
</pre>
Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

There are also <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == define a record or set of records for VisB hover functions
VISB_SVG_BOX == record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set or lambda to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are two special descriptions
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source and should not be edited
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T12:01:34Z

Vella: /* Sequences: */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates: ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality:===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans:===
<pre>
TRUE truth value (this is an expression)
FALSE falsity value (this is an expression)
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are expression values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets:===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T or S \ T set difference
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers:===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) set product
SIGMA(z).(P|E) set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations:===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0)=id(s) where s=TYPEOF_r)
</pre>

=== Functions:===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences:===
<pre>
[] or <> empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records:===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Strings:===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
However, the ProB [[External_Functions|external function library]] contains several operators on strings. ProB also allows multi-line strings.
As of version 1.7.0, ProB will support the following escape sequences within strings:
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol

Within single-line string literals, you do not need to escape '.
Within multi-line string literals, you do not need to escape " and you can use
tabs and newlines.
ProB assumes that all B machines and strings use the UTF-8 encoding.

The library LibraryStrings.def in stdlib contains additional useful external functions
(like TO_STRING, STRING_SPLIT, FORMAT_TO_STRING, INT_TO_HEX_STRING, ...).
Some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the STRING_AS_SEQUENCE preference.

=== Reals: ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r to an integer
ceiling(r) convert a real r to an integer
</pre>

Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus does not hold.
The library LibraryReals.def in stdlib contains additional useful external functions
(like RSIN, RCOS, RLOG, RSQRT, RPOW, ...).
You can turn off support for REALS using the preference ALLOW_REALS.

=== Trees:===
Nodes in the tree are denoted by index sequences (branches), e.g, n=[1,2,1]
Each node in the tree is labelled with an element from a domain S
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates and expressions:
<pre>
IF P1 THEN E1 ELSE E2 END
IF P1 THEN E1 ELSIF P2 THEN E2 ... ELSE En END conditional for expressions or predicates E1,E2,...,En
LET x1,... BE x1=E1 & ... IN E END
</pre>
Note: the expressions E1,... defining x1,... are not allowed to use x1,...

=== Statements (aka Substitutions):===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END

WHEN P THEN G END is a synonym for SELECT P THEN G END

**: cannot be used at the top-level of an operation, but needs to
be wrapped inside a BEGIN END or another statement (to avoid
problems with the operators ; and ||).
</pre>

=== Machine header:===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION

Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)
You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.
</pre>

=== Machine sections:===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;....
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION
OPERATIONS
</pre>

=== Machine inclusion:===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions:===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
</pre>
"FILE.def"; Include definitions from file

There are a few Definitions which can be used to influence the animator:

<pre>
There are a few specific definitions which can be used to influence ProB:
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
</pre>

The following definitions allow providing a custom state visualization:

<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]]:
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", edges:e)
</pre>
Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

There are also <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == define a record or set of records for VisB hover functions
VISB_SVG_BOX == record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set or lambda to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are two special descriptions
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source and should not be edited
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T12:00:54Z

Vella: /* Functions: */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates: ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality:===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans:===
<pre>
TRUE truth value (this is an expression)
FALSE falsity value (this is an expression)
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are expression values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets:===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T or S \ T set difference
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers:===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) set product
SIGMA(z).(P|E) set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations:===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0)=id(s) where s=TYPEOF_r)
</pre>

=== Functions:===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences:===
<pre>
<> or [] empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records:===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Strings:===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
However, the ProB [[External_Functions|external function library]] contains several operators on strings. ProB also allows multi-line strings.
As of version 1.7.0, ProB will support the following escape sequences within strings:
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol

Within single-line string literals, you do not need to escape '.
Within multi-line string literals, you do not need to escape " and you can use
tabs and newlines.
ProB assumes that all B machines and strings use the UTF-8 encoding.

The library LibraryStrings.def in stdlib contains additional useful external functions
(like TO_STRING, STRING_SPLIT, FORMAT_TO_STRING, INT_TO_HEX_STRING, ...).
Some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the STRING_AS_SEQUENCE preference.

=== Reals: ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r to an integer
ceiling(r) convert a real r to an integer
</pre>

Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus does not hold.
The library LibraryReals.def in stdlib contains additional useful external functions
(like RSIN, RCOS, RLOG, RSQRT, RPOW, ...).
You can turn off support for REALS using the preference ALLOW_REALS.

=== Trees:===
Nodes in the tree are denoted by index sequences (branches), e.g, n=[1,2,1]
Each node in the tree is labelled with an element from a domain S
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates and expressions:
<pre>
IF P1 THEN E1 ELSE E2 END
IF P1 THEN E1 ELSIF P2 THEN E2 ... ELSE En END conditional for expressions or predicates E1,E2,...,En
LET x1,... BE x1=E1 & ... IN E END
</pre>
Note: the expressions E1,... defining x1,... are not allowed to use x1,...

=== Statements (aka Substitutions):===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END

WHEN P THEN G END is a synonym for SELECT P THEN G END

**: cannot be used at the top-level of an operation, but needs to
be wrapped inside a BEGIN END or another statement (to avoid
problems with the operators ; and ||).
</pre>

=== Machine header:===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION

Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)
You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.
</pre>

=== Machine sections:===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;....
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION
OPERATIONS
</pre>

=== Machine inclusion:===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions:===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
</pre>
"FILE.def"; Include definitions from file

There are a few Definitions which can be used to influence the animator:

<pre>
There are a few specific definitions which can be used to influence ProB:
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
</pre>

The following definitions allow providing a custom state visualization:

<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]]:
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", edges:e)
</pre>
Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

There are also <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == define a record or set of records for VisB hover functions
VISB_SVG_BOX == record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set or lambda to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are two special descriptions
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source and should not be edited
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T11:59:53Z

Vella: /* Relations: */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates: ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality:===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans:===
<pre>
TRUE truth value (this is an expression)
FALSE falsity value (this is an expression)
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are expression values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets:===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T or S \ T set difference
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers:===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) set product
SIGMA(z).(P|E) set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations:===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0)=id(s) where s=TYPEOF_r)
</pre>

=== Functions:===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences:===
<pre>
<> or [] empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records:===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Strings:===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
However, the ProB [[External_Functions|external function library]] contains several operators on strings. ProB also allows multi-line strings.
As of version 1.7.0, ProB will support the following escape sequences within strings:
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol

Within single-line string literals, you do not need to escape '.
Within multi-line string literals, you do not need to escape " and you can use
tabs and newlines.
ProB assumes that all B machines and strings use the UTF-8 encoding.

The library LibraryStrings.def in stdlib contains additional useful external functions
(like TO_STRING, STRING_SPLIT, FORMAT_TO_STRING, INT_TO_HEX_STRING, ...).
Some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the STRING_AS_SEQUENCE preference.

=== Reals: ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r to an integer
ceiling(r) convert a real r to an integer
</pre>

Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus does not hold.
The library LibraryReals.def in stdlib contains additional useful external functions
(like RSIN, RCOS, RLOG, RSQRT, RPOW, ...).
You can turn off support for REALS using the preference ALLOW_REALS.

=== Trees:===
Nodes in the tree are denoted by index sequences (branches), e.g, n=[1,2,1]
Each node in the tree is labelled with an element from a domain S
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates and expressions:
<pre>
IF P1 THEN E1 ELSE E2 END
IF P1 THEN E1 ELSIF P2 THEN E2 ... ELSE En END conditional for expressions or predicates E1,E2,...,En
LET x1,... BE x1=E1 & ... IN E END
</pre>
Note: the expressions E1,... defining x1,... are not allowed to use x1,...

=== Statements (aka Substitutions):===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END

WHEN P THEN G END is a synonym for SELECT P THEN G END

**: cannot be used at the top-level of an operation, but needs to
be wrapped inside a BEGIN END or another statement (to avoid
problems with the operators ; and ||).
</pre>

=== Machine header:===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION

Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)
You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.
</pre>

=== Machine sections:===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;....
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION
OPERATIONS
</pre>

=== Machine inclusion:===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions:===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
</pre>
"FILE.def"; Include definitions from file

There are a few Definitions which can be used to influence the animator:

<pre>
There are a few specific definitions which can be used to influence ProB:
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
</pre>

The following definitions allow providing a custom state visualization:

<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]]:
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", edges:e)
</pre>
Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

There are also <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == define a record or set of records for VisB hover functions
VISB_SVG_BOX == record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set or lambda to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are two special descriptions
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source and should not be edited
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T11:59:21Z

Vella: /* Sets: */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates: ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality:===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans:===
<pre>
TRUE truth value (this is an expression)
FALSE falsity value (this is an expression)
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are expression values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets:===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T or S \ T set difference
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers:===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) set product
SIGMA(z).(P|E) set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations:===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0) = id(s) where s =TYPEOF_r)
</pre>

=== Functions:===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences:===
<pre>
<> or [] empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records:===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Strings:===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
However, the ProB [[External_Functions|external function library]] contains several operators on strings. ProB also allows multi-line strings.
As of version 1.7.0, ProB will support the following escape sequences within strings:
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol

Within single-line string literals, you do not need to escape '.
Within multi-line string literals, you do not need to escape " and you can use
tabs and newlines.
ProB assumes that all B machines and strings use the UTF-8 encoding.

The library LibraryStrings.def in stdlib contains additional useful external functions
(like TO_STRING, STRING_SPLIT, FORMAT_TO_STRING, INT_TO_HEX_STRING, ...).
Some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the STRING_AS_SEQUENCE preference.

=== Reals: ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r to an integer
ceiling(r) convert a real r to an integer
</pre>

Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus does not hold.
The library LibraryReals.def in stdlib contains additional useful external functions
(like RSIN, RCOS, RLOG, RSQRT, RPOW, ...).
You can turn off support for REALS using the preference ALLOW_REALS.

=== Trees:===
Nodes in the tree are denoted by index sequences (branches), e.g, n=[1,2,1]
Each node in the tree is labelled with an element from a domain S
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates and expressions:
<pre>
IF P1 THEN E1 ELSE E2 END
IF P1 THEN E1 ELSIF P2 THEN E2 ... ELSE En END conditional for expressions or predicates E1,E2,...,En
LET x1,... BE x1=E1 & ... IN E END
</pre>
Note: the expressions E1,... defining x1,... are not allowed to use x1,...

=== Statements (aka Substitutions):===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END

WHEN P THEN G END is a synonym for SELECT P THEN G END

**: cannot be used at the top-level of an operation, but needs to
be wrapped inside a BEGIN END or another statement (to avoid
problems with the operators ; and ||).
</pre>

=== Machine header:===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION

Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)
You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.
</pre>

=== Machine sections:===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;....
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION
OPERATIONS
</pre>

=== Machine inclusion:===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions:===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
</pre>
"FILE.def"; Include definitions from file

There are a few Definitions which can be used to influence the animator:

<pre>
There are a few specific definitions which can be used to influence ProB:
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
</pre>

The following definitions allow providing a custom state visualization:

<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]]:
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", edges:e)
</pre>
Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

There are also <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == define a record or set of records for VisB hover functions
VISB_SVG_BOX == record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set or lambda to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are two special descriptions
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source and should not be edited
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T11:58:52Z

Vella: /* Sets: */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates: ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality:===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans:===
<pre>
TRUE truth value (this is an expression)
FALSE falsity value (this is an expression)
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are expression values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets:===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T set difference (S \ T is also allowed)
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers:===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) set product
SIGMA(z).(P|E) set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations:===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0) = id(s) where s =TYPEOF_r)
</pre>

=== Functions:===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences:===
<pre>
<> or [] empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records:===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Strings:===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
However, the ProB [[External_Functions|external function library]] contains several operators on strings. ProB also allows multi-line strings.
As of version 1.7.0, ProB will support the following escape sequences within strings:
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol

Within single-line string literals, you do not need to escape '.
Within multi-line string literals, you do not need to escape " and you can use
tabs and newlines.
ProB assumes that all B machines and strings use the UTF-8 encoding.

The library LibraryStrings.def in stdlib contains additional useful external functions
(like TO_STRING, STRING_SPLIT, FORMAT_TO_STRING, INT_TO_HEX_STRING, ...).
Some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the STRING_AS_SEQUENCE preference.

=== Reals: ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r to an integer
ceiling(r) convert a real r to an integer
</pre>

Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus does not hold.
The library LibraryReals.def in stdlib contains additional useful external functions
(like RSIN, RCOS, RLOG, RSQRT, RPOW, ...).
You can turn off support for REALS using the preference ALLOW_REALS.

=== Trees:===
Nodes in the tree are denoted by index sequences (branches), e.g, n=[1,2,1]
Each node in the tree is labelled with an element from a domain S
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates and expressions:
<pre>
IF P1 THEN E1 ELSE E2 END
IF P1 THEN E1 ELSIF P2 THEN E2 ... ELSE En END conditional for expressions or predicates E1,E2,...,En
LET x1,... BE x1=E1 & ... IN E END
</pre>
Note: the expressions E1,... defining x1,... are not allowed to use x1,...

=== Statements (aka Substitutions):===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END

WHEN P THEN G END is a synonym for SELECT P THEN G END

**: cannot be used at the top-level of an operation, but needs to
be wrapped inside a BEGIN END or another statement (to avoid
problems with the operators ; and ||).
</pre>

=== Machine header:===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION

Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)
You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.
</pre>

=== Machine sections:===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;....
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION
OPERATIONS
</pre>

=== Machine inclusion:===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions:===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
</pre>
"FILE.def"; Include definitions from file

There are a few Definitions which can be used to influence the animator:

<pre>
There are a few specific definitions which can be used to influence ProB:
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
</pre>

The following definitions allow providing a custom state visualization:

<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]]:
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", edges:e)
</pre>
Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

There are also <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == define a record or set of records for VisB hover functions
VISB_SVG_BOX == record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set or lambda to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are two special descriptions
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source and should not be edited
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T11:58:33Z

Vella: /* Integers: */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates: ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality:===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans:===
<pre>
TRUE truth value (this is an expression)
FALSE falsity value (this is an expression)
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are expression values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets:===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T set difference (S \ T is also allowed)
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers:===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) set product
SIGMA(z).(P|E) set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations:===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0) = id(s) where s =TYPEOF_r)
</pre>

=== Functions:===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences:===
<pre>
<> or [] empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records:===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Strings:===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
However, the ProB [[External_Functions|external function library]] contains several operators on strings. ProB also allows multi-line strings.
As of version 1.7.0, ProB will support the following escape sequences within strings:
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol

Within single-line string literals, you do not need to escape '.
Within multi-line string literals, you do not need to escape " and you can use
tabs and newlines.
ProB assumes that all B machines and strings use the UTF-8 encoding.

The library LibraryStrings.def in stdlib contains additional useful external functions
(like TO_STRING, STRING_SPLIT, FORMAT_TO_STRING, INT_TO_HEX_STRING, ...).
Some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the STRING_AS_SEQUENCE preference.

=== Reals: ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r to an integer
ceiling(r) convert a real r to an integer
</pre>

Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus does not hold.
The library LibraryReals.def in stdlib contains additional useful external functions
(like RSIN, RCOS, RLOG, RSQRT, RPOW, ...).
You can turn off support for REALS using the preference ALLOW_REALS.

=== Trees:===
Nodes in the tree are denoted by index sequences (branches), e.g, n=[1,2,1]
Each node in the tree is labelled with an element from a domain S
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates and expressions:
<pre>
IF P1 THEN E1 ELSE E2 END
IF P1 THEN E1 ELSIF P2 THEN E2 ... ELSE En END conditional for expressions or predicates E1,E2,...,En
LET x1,... BE x1=E1 & ... IN E END
</pre>
Note: the expressions E1,... defining x1,... are not allowed to use x1,...

=== Statements (aka Substitutions):===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END

WHEN P THEN G END is a synonym for SELECT P THEN G END

**: cannot be used at the top-level of an operation, but needs to
be wrapped inside a BEGIN END or another statement (to avoid
problems with the operators ; and ||).
</pre>

=== Machine header:===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION

Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)
You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.
</pre>

=== Machine sections:===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;....
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION
OPERATIONS
</pre>

=== Machine inclusion:===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions:===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
</pre>
"FILE.def"; Include definitions from file

There are a few Definitions which can be used to influence the animator:

<pre>
There are a few specific definitions which can be used to influence ProB:
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
</pre>

The following definitions allow providing a custom state visualization:

<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]]:
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", edges:e)
</pre>
Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

There are also <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == define a record or set of records for VisB hover functions
VISB_SVG_BOX == record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set or lambda to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are two special descriptions
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source and should not be edited
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T11:57:14Z

Vella: /* Booleans: */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates: ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality:===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans:===
<pre>
TRUE truth value (this is an expression)
FALSE falsity value (this is an expression)
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are expression values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets:===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T set difference (S \ T is also allowed)
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers:===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) Set product
SIGMA(z).(P|E) Set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations:===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0) = id(s) where s =TYPEOF_r)
</pre>

=== Functions:===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences:===
<pre>
<> or [] empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records:===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Strings:===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
However, the ProB [[External_Functions|external function library]] contains several operators on strings. ProB also allows multi-line strings.
As of version 1.7.0, ProB will support the following escape sequences within strings:
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol

Within single-line string literals, you do not need to escape '.
Within multi-line string literals, you do not need to escape " and you can use
tabs and newlines.
ProB assumes that all B machines and strings use the UTF-8 encoding.

The library LibraryStrings.def in stdlib contains additional useful external functions
(like TO_STRING, STRING_SPLIT, FORMAT_TO_STRING, INT_TO_HEX_STRING, ...).
Some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the STRING_AS_SEQUENCE preference.

=== Reals: ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r to an integer
ceiling(r) convert a real r to an integer
</pre>

Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus does not hold.
The library LibraryReals.def in stdlib contains additional useful external functions
(like RSIN, RCOS, RLOG, RSQRT, RPOW, ...).
You can turn off support for REALS using the preference ALLOW_REALS.

=== Trees:===
Nodes in the tree are denoted by index sequences (branches), e.g, n=[1,2,1]
Each node in the tree is labelled with an element from a domain S
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates and expressions:
<pre>
IF P1 THEN E1 ELSE E2 END
IF P1 THEN E1 ELSIF P2 THEN E2 ... ELSE En END conditional for expressions or predicates E1,E2,...,En
LET x1,... BE x1=E1 & ... IN E END
</pre>
Note: the expressions E1,... defining x1,... are not allowed to use x1,...

=== Statements (aka Substitutions):===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END

WHEN P THEN G END is a synonym for SELECT P THEN G END

**: cannot be used at the top-level of an operation, but needs to
be wrapped inside a BEGIN END or another statement (to avoid
problems with the operators ; and ||).
</pre>

=== Machine header:===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION

Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)
You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.
</pre>

=== Machine sections:===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;....
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION
OPERATIONS
</pre>

=== Machine inclusion:===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions:===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
</pre>
"FILE.def"; Include definitions from file

There are a few Definitions which can be used to influence the animator:

<pre>
There are a few specific definitions which can be used to influence ProB:
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
</pre>

The following definitions allow providing a custom state visualization:

<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]]:
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", edges:e)
</pre>
Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

There are also <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == define a record or set of records for VisB hover functions
VISB_SVG_BOX == record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set or lambda to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are two special descriptions
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source and should not be edited
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T11:56:49Z

Vella: /* Booleans: */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates: ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality:===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans:===
<pre>
TRUE truth value (this is an expression)
FALSE falsity value (this is an expression)
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets:===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T set difference (S \ T is also allowed)
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers:===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) Set product
SIGMA(z).(P|E) Set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations:===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0) = id(s) where s =TYPEOF_r)
</pre>

=== Functions:===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences:===
<pre>
<> or [] empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records:===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Strings:===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
However, the ProB [[External_Functions|external function library]] contains several operators on strings. ProB also allows multi-line strings.
As of version 1.7.0, ProB will support the following escape sequences within strings:
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol

Within single-line string literals, you do not need to escape '.
Within multi-line string literals, you do not need to escape " and you can use
tabs and newlines.
ProB assumes that all B machines and strings use the UTF-8 encoding.

The library LibraryStrings.def in stdlib contains additional useful external functions
(like TO_STRING, STRING_SPLIT, FORMAT_TO_STRING, INT_TO_HEX_STRING, ...).
Some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the STRING_AS_SEQUENCE preference.

=== Reals: ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r to an integer
ceiling(r) convert a real r to an integer
</pre>

Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus does not hold.
The library LibraryReals.def in stdlib contains additional useful external functions
(like RSIN, RCOS, RLOG, RSQRT, RPOW, ...).
You can turn off support for REALS using the preference ALLOW_REALS.

=== Trees:===
Nodes in the tree are denoted by index sequences (branches), e.g, n=[1,2,1]
Each node in the tree is labelled with an element from a domain S
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates and expressions:
<pre>
IF P1 THEN E1 ELSE E2 END
IF P1 THEN E1 ELSIF P2 THEN E2 ... ELSE En END conditional for expressions or predicates E1,E2,...,En
LET x1,... BE x1=E1 & ... IN E END
</pre>
Note: the expressions E1,... defining x1,... are not allowed to use x1,...

=== Statements (aka Substitutions):===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END

WHEN P THEN G END is a synonym for SELECT P THEN G END

**: cannot be used at the top-level of an operation, but needs to
be wrapped inside a BEGIN END or another statement (to avoid
problems with the operators ; and ||).
</pre>

=== Machine header:===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION

Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)
You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.
</pre>

=== Machine sections:===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;....
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION
OPERATIONS
</pre>

=== Machine inclusion:===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions:===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
</pre>
"FILE.def"; Include definitions from file

There are a few Definitions which can be used to influence the animator:

<pre>
There are a few specific definitions which can be used to influence ProB:
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
</pre>

The following definitions allow providing a custom state visualization:

<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]]:
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", edges:e)
</pre>
Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

There are also <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == define a record or set of records for VisB hover functions
VISB_SVG_BOX == record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set or lambda to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are two special descriptions
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source and should not be edited
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T11:56:15Z

Vella: /* Equality: */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates: ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality:===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans:===
<pre>
TRUE
FALSE
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets:===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T set difference (S \ T is also allowed)
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers:===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) Set product
SIGMA(z).(P|E) Set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations:===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0) = id(s) where s =TYPEOF_r)
</pre>

=== Functions:===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences:===
<pre>
<> or [] empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records:===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Strings:===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
However, the ProB [[External_Functions|external function library]] contains several operators on strings. ProB also allows multi-line strings.
As of version 1.7.0, ProB will support the following escape sequences within strings:
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol

Within single-line string literals, you do not need to escape '.
Within multi-line string literals, you do not need to escape " and you can use
tabs and newlines.
ProB assumes that all B machines and strings use the UTF-8 encoding.

The library LibraryStrings.def in stdlib contains additional useful external functions
(like TO_STRING, STRING_SPLIT, FORMAT_TO_STRING, INT_TO_HEX_STRING, ...).
Some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the STRING_AS_SEQUENCE preference.

=== Reals: ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r to an integer
ceiling(r) convert a real r to an integer
</pre>

Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus does not hold.
The library LibraryReals.def in stdlib contains additional useful external functions
(like RSIN, RCOS, RLOG, RSQRT, RPOW, ...).
You can turn off support for REALS using the preference ALLOW_REALS.

=== Trees:===
Nodes in the tree are denoted by index sequences (branches), e.g, n=[1,2,1]
Each node in the tree is labelled with an element from a domain S
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates and expressions:
<pre>
IF P1 THEN E1 ELSE E2 END
IF P1 THEN E1 ELSIF P2 THEN E2 ... ELSE En END conditional for expressions or predicates E1,E2,...,En
LET x1,... BE x1=E1 & ... IN E END
</pre>
Note: the expressions E1,... defining x1,... are not allowed to use x1,...

=== Statements (aka Substitutions):===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END

WHEN P THEN G END is a synonym for SELECT P THEN G END

**: cannot be used at the top-level of an operation, but needs to
be wrapped inside a BEGIN END or another statement (to avoid
problems with the operators ; and ||).
</pre>

=== Machine header:===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION

Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)
You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.
</pre>

=== Machine sections:===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;....
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION
OPERATIONS
</pre>

=== Machine inclusion:===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions:===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
</pre>
"FILE.def"; Include definitions from file

There are a few Definitions which can be used to influence the animator:

<pre>
There are a few specific definitions which can be used to influence ProB:
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
</pre>

The following definitions allow providing a custom state visualization:

<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]]:
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", edges:e)
</pre>
Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

There are also <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == define a record or set of records for VisB hover functions
VISB_SVG_BOX == record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set or lambda to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are two special descriptions
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source and should not be edited
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T11:55:52Z

Vella: /* Logical predicates: */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates: ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality:===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans:===
<pre>
TRUE
FALSE
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets:===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T set difference (S \ T is also allowed)
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers:===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) Set product
SIGMA(z).(P|E) Set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations:===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0) = id(s) where s =TYPEOF_r)
</pre>

=== Functions:===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences:===
<pre>
<> or [] empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records:===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Strings:===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
However, the ProB [[External_Functions|external function library]] contains several operators on strings. ProB also allows multi-line strings.
As of version 1.7.0, ProB will support the following escape sequences within strings:
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol

Within single-line string literals, you do not need to escape '.
Within multi-line string literals, you do not need to escape " and you can use
tabs and newlines.
ProB assumes that all B machines and strings use the UTF-8 encoding.

The library LibraryStrings.def in stdlib contains additional useful external functions
(like TO_STRING, STRING_SPLIT, FORMAT_TO_STRING, INT_TO_HEX_STRING, ...).
Some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the STRING_AS_SEQUENCE preference.

=== Reals: ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r to an integer
ceiling(r) convert a real r to an integer
</pre>

Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus does not hold.
The library LibraryReals.def in stdlib contains additional useful external functions
(like RSIN, RCOS, RLOG, RSQRT, RPOW, ...).
You can turn off support for REALS using the preference ALLOW_REALS.

=== Trees:===
Nodes in the tree are denoted by index sequences (branches), e.g, n=[1,2,1]
Each node in the tree is labelled with an element from a domain S
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates and expressions:
<pre>
IF P1 THEN E1 ELSE E2 END
IF P1 THEN E1 ELSIF P2 THEN E2 ... ELSE En END conditional for expressions or predicates E1,E2,...,En
LET x1,... BE x1=E1 & ... IN E END
</pre>
Note: the expressions E1,... defining x1,... are not allowed to use x1,...

=== Statements (aka Substitutions):===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END

WHEN P THEN G END is a synonym for SELECT P THEN G END

**: cannot be used at the top-level of an operation, but needs to
be wrapped inside a BEGIN END or another statement (to avoid
problems with the operators ; and ||).
</pre>

=== Machine header:===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION

Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)
You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.
</pre>

=== Machine sections:===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;....
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION
OPERATIONS
</pre>

=== Machine inclusion:===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions:===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
</pre>
"FILE.def"; Include definitions from file

There are a few Definitions which can be used to influence the animator:

<pre>
There are a few specific definitions which can be used to influence ProB:
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
</pre>

The following definitions allow providing a custom state visualization:

<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]]:
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", edges:e)
</pre>
Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

There are also <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == define a record or set of records for VisB hover functions
VISB_SVG_BOX == record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set or lambda to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are two special descriptions
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source and should not be edited
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T11:55:36Z

Vella: /* Logical predicates: */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates: ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not(P) negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
btrue truth (this is a predicate)
bfalse falsity (this is a predicate)
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality:===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans:===
<pre>
TRUE
FALSE
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets:===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T set difference (S \ T is also allowed)
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers:===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) Set product
SIGMA(z).(P|E) Set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations:===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0) = id(s) where s =TYPEOF_r)
</pre>

=== Functions:===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences:===
<pre>
<> or [] empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records:===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Strings:===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
However, the ProB [[External_Functions|external function library]] contains several operators on strings. ProB also allows multi-line strings.
As of version 1.7.0, ProB will support the following escape sequences within strings:
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol

Within single-line string literals, you do not need to escape '.
Within multi-line string literals, you do not need to escape " and you can use
tabs and newlines.
ProB assumes that all B machines and strings use the UTF-8 encoding.

The library LibraryStrings.def in stdlib contains additional useful external functions
(like TO_STRING, STRING_SPLIT, FORMAT_TO_STRING, INT_TO_HEX_STRING, ...).
Some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the STRING_AS_SEQUENCE preference.

=== Reals: ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r to an integer
ceiling(r) convert a real r to an integer
</pre>

Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus does not hold.
The library LibraryReals.def in stdlib contains additional useful external functions
(like RSIN, RCOS, RLOG, RSQRT, RPOW, ...).
You can turn off support for REALS using the preference ALLOW_REALS.

=== Trees:===
Nodes in the tree are denoted by index sequences (branches), e.g, n=[1,2,1]
Each node in the tree is labelled with an element from a domain S
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates and expressions:
<pre>
IF P1 THEN E1 ELSE E2 END
IF P1 THEN E1 ELSIF P2 THEN E2 ... ELSE En END conditional for expressions or predicates E1,E2,...,En
LET x1,... BE x1=E1 & ... IN E END
</pre>
Note: the expressions E1,... defining x1,... are not allowed to use x1,...

=== Statements (aka Substitutions):===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END

WHEN P THEN G END is a synonym for SELECT P THEN G END

**: cannot be used at the top-level of an operation, but needs to
be wrapped inside a BEGIN END or another statement (to avoid
problems with the operators ; and ||).
</pre>

=== Machine header:===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION

Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)
You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.
</pre>

=== Machine sections:===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;....
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION
OPERATIONS
</pre>

=== Machine inclusion:===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions:===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
</pre>
"FILE.def"; Include definitions from file

There are a few Definitions which can be used to influence the animator:

<pre>
There are a few specific definitions which can be used to influence ProB:
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
</pre>

The following definitions allow providing a custom state visualization:

<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]]:
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", edges:e)
</pre>
Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

There are also <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == define a record or set of records for VisB hover functions
VISB_SVG_BOX == record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set or lambda to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are two special descriptions
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source and should not be edited
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T11:40:51Z

Vella: /* Sets: */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates: ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not P negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality:===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans:===
<pre>
TRUE
FALSE
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets:===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set (brackets needed)
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T set difference (S \ T is also allowed)
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers:===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) Set product
SIGMA(z).(P|E) Set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations:===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0) = id(s) where s =TYPEOF_r)
</pre>

=== Functions:===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences:===
<pre>
<> or [] empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records:===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Strings:===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
However, the ProB [[External_Functions|external function library]] contains several operators on strings. ProB also allows multi-line strings.
As of version 1.7.0, ProB will support the following escape sequences within strings:
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol

Within single-line string literals, you do not need to escape '.
Within multi-line string literals, you do not need to escape " and you can use
tabs and newlines.
ProB assumes that all B machines and strings use the UTF-8 encoding.

The library LibraryStrings.def in stdlib contains additional useful external functions
(like TO_STRING, STRING_SPLIT, FORMAT_TO_STRING, INT_TO_HEX_STRING, ...).
Some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the STRING_AS_SEQUENCE preference.

=== Reals: ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r to an integer
ceiling(r) convert a real r to an integer
</pre>

Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus does not hold.
The library LibraryReals.def in stdlib contains additional useful external functions
(like RSIN, RCOS, RLOG, RSQRT, RPOW, ...).
You can turn off support for REALS using the preference ALLOW_REALS.

=== Trees:===
Nodes in the tree are denoted by index sequences (branches), e.g, n=[1,2,1]
Each node in the tree is labelled with an element from a domain S
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates and expressions:
<pre>
IF P1 THEN E1 ELSE E2 END
IF P1 THEN E1 ELSIF P2 THEN E2 ... ELSE En END conditional for expressions or predicates E1,E2,...,En
LET x1,... BE x1=E1 & ... IN E END
</pre>
Note: the expressions E1,... defining x1,... are not allowed to use x1,...

=== Statements (aka Substitutions):===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END

WHEN P THEN G END is a synonym for SELECT P THEN G END

**: cannot be used at the top-level of an operation, but needs to
be wrapped inside a BEGIN END or another statement (to avoid
problems with the operators ; and ||).
</pre>

=== Machine header:===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION

Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)
You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.
</pre>

=== Machine sections:===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;....
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION
OPERATIONS
</pre>

=== Machine inclusion:===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions:===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
</pre>
"FILE.def"; Include definitions from file

There are a few Definitions which can be used to influence the animator:

<pre>
There are a few specific definitions which can be used to influence ProB:
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
</pre>

The following definitions allow providing a custom state visualization:

<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]]:
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", edges:e)
</pre>
Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

There are also <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == define a record or set of records for VisB hover functions
VISB_SVG_BOX == record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set or lambda to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are two special descriptions
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source and should not be edited
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}

Summary of B Syntax

2024-06-13T11:39:23Z

Vella: /* Sets: */

[[Category:Tutorial]]
[[Category:User Manual]]

== Summary of B Syntax ==

Below we describe the "classical" B syntax as supported by ProB.
You may also wish to consult
* The B summary by Ken Robinson ([[File:B-summary.pdf|PDF File]])
* The [https://www.atelierb.eu Atelier-B] reference manual ([https://www.atelierb.eu/wp-content/uploads/2023/10/b-language-reference-manual.pdf b-language-reference-manual.pdf])

=== Logical predicates: ===
<pre>
P & Q conjunction
P or Q disjunction
P => Q implication
P <=> Q equivalence
not P negation
!(x).(P=>Q) universal quantification
#(x).(P&Q) existential quantification
</pre>

Above, <tt>P</tt> and <tt>Q</tt> stand for predicates. Inside the universal quantification, <tt>P</tt> must give a value type to the quantified variable.
Note: you can also introduce multiple variables inside a universal or existential quantification, e.g., <tt>!(x,y).(P => Q)</tt>.

=== Equality:===
<pre>
E = F equality
E /= F disequality
</pre>

=== Booleans:===
<pre>
TRUE
FALSE
BOOL set of boolean values ({TRUE,FALSE})
bool(P) convert predicate into BOOL value
</pre>

Warning: <tt>TRUE</tt> and <tt>FALSE</tt> are values and not predicates in B and cannot be combined using logical connectives.
To combine two boolean values <tt>x</tt> and <tt>y</tt> using conjunction you have to write <tt>x=TRUE & y=TRUE</tt>.
To convert a predicate such as <tt>z>0</tt> into a boolean value you have to use <tt>bool(z>0)</tt>.

=== Sets:===
<pre>
{} empty set
{E} singleton set
{E,F} set enumeration
{x|P} comprehension set
{(x).P|E} Event-B style comprehension set
{x•P|E} Event-B style comprehension set
POW(S) power set
POW1(S) set of non-empty subsets
FIN(S) set of all finite subsets
FIN1(S) set of all non-empty finite subsets
card(S) cardinality
S*T cartesian product
S\/T set union
S/\T set intersection
S-T set difference (S \ T is also allowed)
E:S element of
E/:S not element of
S<:T subset of
S/<:T not subset of
S<<:T strict subset of
S/<<:T not strict subset of
union(S) generalised union over sets of sets
inter(S) generalised intersection over sets of sets
UNION(z).(P|E) generalised union with predicate
INTER(z).(P|E) generalised intersection with predicate
</pre>

=== Integers:===
<pre>
INTEGER set of integers
NATURAL set of natural numbers
NATURAL1 set of non-zero natural numbers
INT set of implementable integers (MININT..MAXINT)
NAT set of implementable natural numbers
NAT1 set of non-zero implementable natural numbers
n..m set of numbers from n to m
MININT the minimum implementable integer
MAXINT the maximum implementable integer
m>n greater than
m<n less than
m>=n greater than or equal
m<=n less than or equal
max(S) maximum of a set of numbers
min(S) minimum of a set of numbers
m+n addition
m-n difference
m*n multiplication
m/n division
m**n power
m mod n remainder of division
PI(z).(P|E) Set product
SIGMA(z).(P|E) Set summation
succ(n) successor (n+1)
pred(n) predecessor (n-1)
0xH hexadecimal literal, where H is a sequence of letters in [0-9A-Fa-f]
</pre>

=== Relations:===
<pre>
S<->T relation
S<<->T total relation
S<->>T surjective relation
S<<->>T total surjective relation
E|->F maplet
dom(r) domain of relation
ran(r) range of relation
id(S) identity relation
S<|r domain restriction
S<<|r domain subtraction
r|>S range restriction
r|>>S range subtraction
r~ inverse of relation
r[S] relational image
r1<+r2 relational overriding (r2 overrides r1)
r1><r2 direct product (all pairs (x,(y,z)) with x,y:r1 and x,z:r2)
(r1;r2) relational composition {x,y| x|->z:r1 & z|->y:r2}
(r1||r2) parallel product (all pairs ((x,v),(y,w)) with x,y:r1 and v,w:r2)
prj1(S,T) projection function (usage prj1(Dom,Ran)(Pair))
prj2(S,T) projection function (usage prj2(Dom,Ran)(Pair))
prj1(Pair) and prj2(Pair) are also allowed
fnc(r) translate relation A<->B into function A+->POW(B)
rel(r) translate relation A<->POW(B) into relation A<->B
closure1(r) transitive closure
closure(r) reflexive & transitive closure
(equal to id(TYPEOF_r) \/ closure1(r))
iterate(r,n) iteration of r with n>=0
(Note: iterate(r,0) = id(s) where s =TYPEOF_r)
</pre>

=== Functions:===
<pre>
S+->T partial function
S-->T total function
S+->>T partial surjection
S-->>T total surjection
S>+>T partial injection
S>->T total injection
S>+>>T partial bijection
S>->>T total bijection
%x.(P|E) lambda abstraction
f(E) function application
f(E1,...,En) is also supported (as well as f(E1|->E2...|->En))
</pre>

=== Sequences:===
<pre>
<> or [] empty sequence
[E] singleton sequence
[E,F] constructed sequence
seq(S) set of sequences over S
seq1(S) set of non-empty sequences over S
iseq(S) set of injective sequences over S
iseq1(S) set of non-empty injective sequences over S
perm(S) set of bijective sequences (permutations) over S
size(s) size of sequence
s^t concatenation
E->s prepend element
s<-E append element
rev(s) reverse of sequence
first(s) first element
last(s) last element
front(s) front of sequence (all but last element)
tail(s) tail of sequence (all but first element)
conc(S) concatenation of sequence of sequences
s/|\n take first n elements of sequence
s\|/n drop first n elements from sequence
</pre>

=== Records:===
<pre>
struct(ID:S,...,ID:S) set of records with given fields and field types
rec(ID:E,...,ID:E) construct a record with given field names and values
E'ID get value of field with name ID
</pre>

=== Strings:===
<pre>
"astring" a specific (single-line) string value
'''astring''' an alternate way of writing (multi-line) strings, no need to escape "
```tstring``` template strings, where ${Expr} parts are evaluated and converted to string,
you can provide options separated by commas in square brackets like $[2f]{Expr}.
Valid options are: Nf (for floats/reals), Nd (for integer), Np (padding),
ascii (can be abbreviated to a), unicode (can be abbreviated to u).
STRING the set of all strings
</pre>

Atelier-B does not support any operations on strings, apart from equality and disequality.
However, the ProB [[External_Functions|external function library]] contains several operators on strings. ProB also allows multi-line strings.
As of version 1.7.0, ProB will support the following escape sequences within strings:
\n newline (ASCII character 13)
\r carriage return (ASCII 10)
\t tab (ASCII 9)
\" the double quote symbol "
\' the single quote symbol '
\\ the backslash symbol

Within single-line string literals, you do not need to escape '.
Within multi-line string literals, you do not need to escape " and you can use
tabs and newlines.
ProB assumes that all B machines and strings use the UTF-8 encoding.

The library LibraryStrings.def in stdlib contains additional useful external functions
(like TO_STRING, STRING_SPLIT, FORMAT_TO_STRING, INT_TO_HEX_STRING, ...).
Some of the sequence operators work also on strings:
<pre>
size(s) the length of a string s
rev(s) the reverse a string s
s ^ t the concatenation of two strings
conc(ss) the concatenation of a sequence of strings
</pre>
You can turn this support off using the STRING_AS_SEQUENCE preference.

=== Reals: ===

<pre>
REAL set of reals
FLOAT set of floating point numbers
i.f real literal in decimal notation, where i and f are natural numbers
i.fEg real literal in scientific notation, where i,f are natural numbers and g is an integer
real(n) convert an integer n into a real number
floor(r) convert a real r to an integer
ceiling(r) convert a real r to an integer
</pre>

Standard arithmetic operators can be applied to reals: +, - , *, /, SIGMA, PI.
Exponentiation of a real with an integer is also allowed.
The comparison predicates =, /=, <, >, <=, >= also all work.
Support for reals and floats is experimental. The definition in Atelier-B
is also not stable yet. Currently ProB supports floating point numbers only.
Warning: properties such as associativity and commutativity of arithmetic operators
thus does not hold.
The library LibraryReals.def in stdlib contains additional useful external functions
(like RSIN, RCOS, RLOG, RSQRT, RPOW, ...).
You can turn off support for REALS using the preference ALLOW_REALS.

=== Trees:===
Nodes in the tree are denoted by index sequences (branches), e.g, n=[1,2,1]
Each node in the tree is labelled with an element from a domain S
A tree is a function mapping of branches to elements of the domain S.
<pre>
tree(S) set of trees over domain S
btree(S) set of binary trees over domain S
top(t) top of a tree
const(E,s) construct a tree from info E and sequence of subtrees s
rank(t,n) rank of the node at end of branch n in the tree t
father(t,n) father of the node denoted by branch n in the tree t
son(t,n,i) the ith son of the node denoted by branch n in tree t
sons(t) the sequence of sons of the root of the tree t
subtree(t,n)
arity(t,n)
bin(E) construct a binary tree with a single node E
bin(tl,E,tr) construct a binary tree with root info E and subtrees tl,tr
left(t) the left (first) son of the root of the binary tree t
right(t) the right (last) son of the root of the binary tree t
sizet(t) the size of the tree (number of nodes)
prefix(t) the nodes of the tree t in prefix order
postfix(t) the nodes of the tree t in prefix order
mirror, infix are recognised by the parser but not yet supported by ProB itself
</pre>

=== LET and IF-THEN-ELSE ===
ProB allows the following for predicates and expressions:
<pre>
IF P1 THEN E1 ELSE E2 END
IF P1 THEN E1 ELSIF P2 THEN E2 ... ELSE En END conditional for expressions or predicates E1,E2,...,En
LET x1,... BE x1=E1 & ... IN E END
</pre>
Note: the expressions E1,... defining x1,... are not allowed to use x1,...

=== Statements (aka Substitutions):===
<pre>
skip no operation
x := E assignment
f(x) := E functional override
x :: S choice from set
x : (P) choice by predicate P (constraining x)
x <-- OP(x) call operation and assign return value
G||H parallel substitution**
G;H sequential composition**
ANY x,... WHERE P THEN G END non deterministic choice
LET x,... BE x=E & ... IN G END
VAR x,... IN G END generate local variables
PRE P THEN G END
ASSERT P THEN G END
CHOICE G OR H END
IF P THEN G END
IF P THEN G ELSE H END
IF P1 THEN G1 ELSIF P2 THEN G2 ... END
IF P1 THEN G1 ELSIF P2 THEN G2 ... ELSE Gn END
SELECT P THEN G WHEN ... WHEN Q THEN H END
SELECT P THEN G WHEN ... WHEN Q THEN H ELSE I END
CASE E OF EITHER m THEN G OR n THEN H ... END END
CASE E OF EITHER m THEN G OR n THEN H ... ELSE I END END

WHEN P THEN G END is a synonym for SELECT P THEN G END

**: cannot be used at the top-level of an operation, but needs to
be wrapped inside a BEGIN END or another statement (to avoid
problems with the operators ; and ||).
</pre>

=== Machine header:===
<pre>
MACHINE or REFINEMENT or IMPLEMENTATION

Note: machine parameters can either be SETS (if identifier is all upper-case)
or scalars (i.e., integer, boolean or SET element; if identifier is not
all upper-case; typing must be provided be CONSTRAINTS)
You can also use MODEL or SYSTEM as a synonym for MACHINE, as well
as EVENTS as a synonym for OPERATIONS.
ProB also supports the ref keyword of Atelier-B for event refinement.
</pre>

=== Machine sections:===
<pre>
CONSTRAINTS P (logical predicate)
SETS S;T={e1,e2,...};...
CONSTANTS x,y,...
CONCRETE_CONSTANTS cx,cy,...
PROPERTIES P (logical predicate)
DEFINITIONS m(x,...) == BODY;....
VARIABLES x,y,...
CONCRETE_VARIABLES cv,cw,...
INVARIANT P (logical predicate)
ASSERTIONS P;...;P (list of logical predicates separated by ;)
INITIALISATION
OPERATIONS
</pre>

=== Machine inclusion:===
<pre>
USES list of machines
INCLUDES list of machines
SEES list of machines
EXTENDS list of machines
PROMOTES list of operations
REFINES machine
</pre>

Note: Refinement machines should express the operation preconditions in terms of their own variables.

=== Definitions:===
<pre>
NAME1 == Expression; Definition without arguments
NAME2(ID,...,ID) == E2; Definition with arguments
</pre>
"FILE.def"; Include definitions from file

There are a few Definitions which can be used to influence the animator:

<pre>
There are a few specific definitions which can be used to influence ProB:
GOAL == P to define a custom Goal predicate for Model Checking
(the Goal is also set by using "Advanced Find...")
SCOPE == P to limit the search space to "interesting" nodes
scope_SETNAME == n..n to define custom cardinality for set SETNAME
scope_SETNAME == n equivalent to 1..n
SET_PREF_MININT == n
SET_PREF_MAXINT == n
SET_PREF_MAX_INITIALISATIONS == n max. number of intialisations computed
SET_PREF_MAX_OPERATIONS == n max. number of enablings per operation computed
SET_PREF_SYMBOLIC == TRUE/FALSE
SET_PREF_TIME_OUT == n time out for operation computation in ms
ASSERT_LTL... == "LTL Formula" using X,F,G,U,R LTL operators +
Y,O,H,S Past-LTL operators +
atomic propositions: e(OpName), [OpName], {BPredicate}
</pre>

The following definitions allow providing a custom state visualization:

<pre>
ANIMATION_FUNCTIONn == e a function (INT*INT) +-> INT or an INT
ANIMATION_FUNCTION_DEFAULT == e a function (INT*INT) +-> INT or an INT
instead of any INT above you can also use BOOL or any SET
as a result you can also use STRING values,
or even other values which are pretty printed
ANIMATION_IMGn == "PATH to .gif" a path to a gif file
ANIMATION_STRn == "sometext" a string without spaces;
the result integer n will be rendered as a string
ANIMATION_STR_JUSTIFY_LEFT == TRUE computes the longest string in the outputs and pads
the other strings accordingly
SET_PREF_TK_CUSTOM_STATE_VIEW_PADDING == n additional padding between images in pixels
SET_PREF_TK_CUSTOM_STATE_VIEW_STRING_PADDING == n additional padding between text in pixels
</pre>

The following definitions allow providing a [[Custom Graph|custom state graph]]:
<pre>
CUSTOM_GRAPH_NODESn == e define a set of nodes to be shown,
nodes can also be pairs (Node,Colour), triples (Node,Shape,Colour) or
records rec(color:Colour, shape:Shape, style:Style, label:Label, value:Node)
Colours are strings of valid Dot/Tk colors (e.g., "maroon" or "red")
Shapes are strings of valid Dot shapes (e.g., "rect" or "hexagon"), and
Styles are valid Dot shape styles (e.g., "rounded" or "solid" or "dashed")
CUSTOM_GRAPH_EDGESn == e define a relation to be shown as a graph
edges can either be pairs (node1,node2) or triples (node1,Label,node2)
where Label is either a Dot/Tk color or a string or value representing
the label to be used for the edges
</pre>
In both cases e can also be a record which defines default dot attributes like color, shape, style and description, e.g.:
<pre>
CUSTOM_GRAPH_NODES == rec(color:"blue", shape:"rect", nodes:e);
CUSTOM_GRAPH_EDGES == rec(color:"red", style:"dotted", edges:e)
</pre>
Alternatively, the complete graph can be put into one definition using [[Custom_Graph|<code>CUSTOM_GRAPH</code>]].
You have to define a single CUSTOM_GRAPH definition of a record with global graph attributes
(like rankdir or layout) and optionally with edges and nodes attributes (replacing
CUSTOM_GRAPH_EDGES and CUSTOM_GRAPH_NODES respectively), e.g.:
<pre>
CUSTOM_GRAPH == rec(layout:"circo", nodes:mynodes, edges:myedges)
</pre>

There are also <tt>SEQUENCE_CHART_opname</tt> definitions for [[Generating UML Sequence Charts|generating UML sequence charts]].

These DEFINITIONS affect [[VisB|VisB]]:
<pre>
VISB_JSON_FILE == "PATH to .json" a path to a default VisB JSON file for visualisation;
if it is "" an empty SVG will be created
VISB_SVG_OBJECTSn == define a record or set of records for creating new SVG objects
VISB_SVG_UPDATESn == define a record or set of records containing updates of SVG objects
VISB_SVG_HOVERSn == define a record or set of records for VisB hover functions
VISB_SVG_BOX == record with dimensions (height, width) of a default empty SVG
VISB_SVG_CONTENTS == defines a string to be included into a created empty SVG file
</pre>

=== Comments and Pragmas ===
<pre>
B supports two styles of comments:
/* ... */ block comments
// ... line comments
</pre>

ProB recognises several pragma comments of the form /*@ PRAGMA VALUE */
The whitespace between @ and PRAGMA is optional.
<pre>
/*@symbolic */ put before comprehension set or lambda to instruct ProB
to keep it symbolic and not try to compute it explicitly
/*@label LBL */ associates a label LBL with the following predicate
(LBL must be identifier or a string "....")
/*@desc DESC */ associates a description DESC with the preceding predicate or
introduced identifier (in VARIABLES, CONSTANTS,... section)
There are two special descriptions
/*@desc memo*/ to be put after identifiers in the ABSTRACT_CONSTANTS section
indicating that these functions should be memoized
/*@desc prob-ignore */ to be put after predicates (e.g., in PROPERTIES) which
should be ignored by ProB
when the preference USE_IGNORE_PRAGMAS is TRUE
/*@file PATH */ associates a file for machines in SEES, INCLUDES, ...
put pragma after a seen or included machine
/*@package NAME */ at start of machine, machine file should be in folder NAME/...
NAME can be qualified N1.N2...Nk, in which case the machine
file should be in N1/N2/.../Nk
/*@import-package NAME */ adds ../NAME to search paths for SEES,...
NAME can also be qualified N1.N2...Nk, use after package pragma
/*@generated */ can be put at the top of a machine file; indicates the machine
is generated from some other source and should not be edited
</pre>

=== File Extensions ===
<pre>
.mch for abstract machine files
.ref for refinement machines
.imp for implementation machines
.def for DEFINITIONS files
.rmch for Rules machines for data validation
</pre>

=== Free Types ===
More information can be found [[Free Types|here]].

Free types exist in Z and in the Rodin theory plugin and are supported by ProB.
You can also define new free types in classical B by adding a ''FREETYPES'' clause with free type definitions separated by semicolon.

Here is a definition of an inductive type ''IntList'' for lists of integers constructed using ''inil'' and ''icons'':
<pre>
FREETYPES
IntList = inil, icons(INTEGER*IntList)
</pre>

=== Differences with AtelierB/B4Free===
Basically, ProB tries to be compatible with Atelier B and conforms to the semantics
of Abrial's B-Book and of [http://www.atelierb.eu/php/documents-en.php#manuel-reference Atelier B's reference manual].
Here are the main differences with Atelier B:
<pre>
- tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
- relational composition has to be wrapped into parentheses; write (f;g)
- parallel product also has to be wrapped into parentheses; write (f||g)
- not all tree operators are supported
- the VALUES clause is only partially supported
- definitions have to be syntactically correct and be either an expression,
predicate or substitution;
the arguments to definitions have to be expressions;
definitions which are predicates or substitutions must be declared before first use
- definitions are local to a machine
- for ProB the order of fields in a record is not relevant (internally the fields are
sorted), Atelier-B reports a type error if the order of the name of the fields changes
- well-definedness: for disjunctions and implications ProB uses the L-system
of well-definedness (i.e., for P => Q, P should be well-defined and
if P is true then Q should also be well-defined)
- ProB allows WHILE loops and sequential composition in abstract machines
- ProB now allows the IF-THEN-ELSE and LET for expressions and predicates
(e.g., IF x<0 THEN -x ELSE x END or LET x BE x=f(y) IN x+x END)
- ProB's type inference is stronger than Atelier-B's, much less typing predicates
are required
- ProB accepts operations with parameters but without pre-conditions
- ProB allows identifiers consisting of a single character and identifiers in single backquotes (`id`)
- ProB allows to use <> for the empty sequence (but this use is deprecated)
- ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings,
and ProB allows multi-line string literals written using three apostrophes ('''string''')
as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
- ProB allows a she-bang line in machine files starting with #!
(If you discover more differences, please let us know!)
- ProB allows btrue and bfalse as predicates in B machines
- ProB allows to use the Event-B relation operators <<->, <->>, <<->>
- ProB allows set comprehensions with an extra expression like {x•x:1..10|x*x}.
- The FREETYPES section and the external libraries (LibraryStrings.def, ...) do not exist in Atelier-B
</pre>

See also our Wiki for documentation:
* [[Current Limitations]]
* [[Using ProB with Atelier B]]

Also note that there are various differences between BToolkit and AtelierB/ProB:
<pre>
- AtelierB/ProB do not allow true as predicate;
e.g., PRE true THEN ... END is not allowed (use BEGIN ... END instead), ProB allows btrue as predicate.
- AtelierB/ProB do not allow a machine parameter to be used in the PROPERTIES
- AtelierB/ProB require a scalar machine parameter to be typed in the
CONSTRAINTS clause
- In AtelierB/ProB the BOOL type is pre-defined and cannot be redefined
</pre>

=== Other notes===
<pre>
ProB is best at treating universally quantified formulas of the form
!x.(x:SET => RHS), or
!(x,y).(x|->y:SET =>RHS), !(x,y,z).(x|->y|->z:SET =>RHS), ...;
otherwise the treatment of !(x1,...,xn).(LHS => RHS) may delay until all values
treated by LHS are known.
Similarly, expressions of the form SIGMA(x).(x:SET|Expr) and PI(x).(x:SET|Expr)
lead to better constraint propagation.
The construction S:FIN(S) is recognised by ProB as equivalent to the Event-B
finite(S) operator.
ProB assumes that machines and STRING values are encoded using UTF-8.
</pre>

=== Event-B Syntax ===

Note that the Event-B syntax in Rodin is slightly different (e.g, no sequences or strings built-in). There is also an Event-B summary by Ken Robinson ([[File:EventB-summary.pdf|PDF File]]). The Event-B syntax is only available for Event-B models in Rodin, ProB2-UI and ProB Jupyter notebooks.

{{Feedback}}