Using ProB with Atelier B: Difference between revisions - ProB Documentation

Help

Using ProB with Atelier B: Difference between revisions

← Older edit
 
(11 intermediate revisions by 2 users not shown)
Line 10: Line 10:


Note: as the layout of Atelier-B's directories has changed, you need to use ProB 1.12.0 or newer for Atelier-B 4.7.1 or newer on macOS.
Note: as the layout of Atelier-B's directories has changed, you need to use ProB 1.12.0 or newer for Atelier-B 4.7.1 or newer on macOS.
You can also create the the above file yourself.
You can also create the above file yourself.


Here is a typical <tt>probtclk.etool</tt> file (where PathToProB depends on your location of the ProB installation folder containing the prob and probcli binaries):
Here is a typical <tt>probtclk.etool</tt> file (where PathToProB depends on your location of the ProB installation folder containing the prob and probcli binaries):
Line 69: Line 69:
END
END
</pre>
</pre>
== Using the Atelier B Provers inside ProB ==
In the REPL of probcli you can [[Proving_Theorems_in_the_ProB_REPL#Calling_Atelier-B_Provers | call the provers ML and PP of Atelier-B]].


== Differences with Atelier B ==
== Differences with Atelier B ==
Line 87: Line 91:
** As of version 1.12.1 you can apply prj1 and prj2 without providing the type arguments. For example, you can write <tt>prj2(prj1(1|->2|->3))</tt> instead of <tt>prj2(INTEGER,INTEGER)(prj1(INTEGER*INTEGER,INTEGER)(1|->2|->3))</tt>.
** As of version 1.12.1 you can apply prj1 and prj2 without providing the type arguments. For example, you can write <tt>prj2(prj1(1|->2|->3))</tt> instead of <tt>prj2(INTEGER,INTEGER)(prj1(INTEGER*INTEGER,INTEGER)(1|->2|->3))</tt>.


* DEFINITIONS: the definitions and its arguments are checked by ProB. We believe this to be an important feature for a formal method language. However, as such, every DEFINITION must be either a predicate, an expression or a substitution. You '''cannot''' use, for example, lists of identifiers as a definition. Also, for the moment, the arguments to DEFINITIONS have to be expressions. Finally, when replacing DEFINITIONS the associativity is not changed. E.g., with <tt>PLUS(x,y) == x+y</tt>, the expression <tt>PLUS(2,3)*10</tt> will evaluate to 50 (and not to 32 as with Atelier-B).
* DEFINITIONS: the definitions and its arguments are checked by ProB. We believe this to be an important feature for a formal method language. However, as such, every DEFINITION must be either a predicate, an expression or a substitution. You '''cannot''' use, for example, lists of identifiers as a definition. Also, for the moment, the arguments to DEFINITIONS have to be expressions. Finally, when replacing DEFINITIONS the associativity is not changed. E.g., with <tt>PLUS(x,y) == x+y</tt>, the expression <tt>PLUS(2,3)*10</tt> will evaluate to 50 (and not to 32 as with Atelier-B). Also, ProB will generate a warning when variable capture may occur. In Version 1.16.0 of ProB there is the new preference HYGIENIC_DEFINITIONS. By setting it to TRUE you avoid most of the variable capture problems (ProB will automatically introduce a LET for parameters if necessary to avoid code duplication and variable capture).
* In version 1.16.0 ProB will support EXPRESSIONS and PREDICATES sections as a hygienic replacement of DEFINITIONS


* for a LET substitution, Atelier-B does not allow introduced identifiers to be used in the right-hand side of equations; ProB allows <tt>LET x,y BE x=2 & y=x*x IN ... END</tt> but only if the preference <tt>ALLOW_COMPLEX_LETS</tt> is set to TRUE.
* for a LET substitution, Atelier-B does not allow introduced identifiers to be used in the right-hand side of equations; ProB allows <tt>LET x,y BE x=2 & y=x*x IN ... END</tt> but only if the preference <tt>ALLOW_COMPLEX_LETS</tt> is set to TRUE.
Line 107: Line 112:
* Some of the sequence operators can be applied to strings (unless you set the preference STRING_AS_SEQUENCE to FALSE): <tt>size</tt>, <tt>rev</tt>, <tt>^</tt>, <tt>conc</tt>
* Some of the sequence operators can be applied to strings (unless you set the preference STRING_AS_SEQUENCE to FALSE): <tt>size</tt>, <tt>rev</tt>, <tt>^</tt>, <tt>conc</tt>


* As of version 1.12.1 you can write Event-B style set comprehensions with an extra expression like {x•x:1..10|x*x}. You have to use the middle dot, the bullet (•) or a Unicode dot for this, though.
* As of version 1.12.1 you can write Event-B style set comprehensions with an extra expression like {x•x:1..10|x*x}. You have to use the middle dot, the bullet (•) or a Unicode dot for this, though. You can also put parentheses around the identifiers and use the regular dot: {(x).x:1..10|x*x}.


* ProB comes with several libraries of [[External_Functions | external functions]] for string manipulations, mathematical functions, Hilbert's choice operator, etc.
* ProB comes with several libraries of [[External_Functions | external functions]] for string manipulations, mathematical functions, Hilbert's choice operator, etc.
* ProB supports a special section [[Free_Types|FREETYPES]] to define inductive data types


=== Differences ===
=== Differences ===
Line 115: Line 122:


* [[Well-Definedness_Checking|Well-definedness]]: ProB will try to check if your predicates are well-defined during animation or model checking, but there is currently no guarantee that all well-definedness errors will be detected. To be on the safe side, you should ensure that your formulas are well-defined according to the  left-to-right definition of well-definedness employed in Rodin for Event-B. ProB now has a [[Well-Definedness_Checking|static checker for well-definedness]] which you can use for this. Note, however, that ProB may re-order conjuncts if this improves well-definedness. For example, for <tt>x:0..3 & y=10/x & x /=0</tt> ProB will not report an error as the conjunct <tt>x/=0</tt> is processed before the division. Indeed, while this predicate is not well-defined according to Rodin's left-to-right rule, it is well-defined according to the more liberal commutative definition of well-definedness.
* [[Well-Definedness_Checking|Well-definedness]]: ProB will try to check if your predicates are well-defined during animation or model checking, but there is currently no guarantee that all well-definedness errors will be detected. To be on the safe side, you should ensure that your formulas are well-defined according to the  left-to-right definition of well-definedness employed in Rodin for Event-B. ProB now has a [[Well-Definedness_Checking|static checker for well-definedness]] which you can use for this. Note, however, that ProB may re-order conjuncts if this improves well-definedness. For example, for <tt>x:0..3 & y=10/x & x /=0</tt> ProB will not report an error as the conjunct <tt>x/=0</tt> is processed before the division. Indeed, while this predicate is not well-defined according to Rodin's left-to-right rule, it is well-defined according to the more liberal commutative definition of well-definedness.
== Reflexive Closure ==
In version 1.8.0 (March 2018) ProB changed the definition of the transitive and reflexive closure operator of B.
PorB now uses to the mathematical definition:
<pre> closure(X) = id(TypeOfX) \/ closure1(X)
</pre>
This means that <tt>closure({1|->2}) </tt>is now infinite and contains for example the pair <tt>3|->3</tt>. The same holds for <tt> iterate({1|->2},0)</tt>.
The previous definition was closure(X) = id(ran(X)\/dom(X)) \/ closure1(X) and
the definition in Atelier-B was closure(X) = id(dom(X)) \/ closure1(X).
However, both were not compatible with the following law in the B-Book on page 169:
<pre> r[a] <: a => closure(r)[a]=a
</pre>
Take  r = {1|->2}, then  r[{3}] <: {3}.
So, according to the law we have: <tt> closure(r)[{3}] = {3}</tt>.
In the next version of Atelier-B in 2025 closure(R) will be defined as "the smallest relation
that contains R that is transitive and reflexive."
This corresponds to ProB's definition prior to version 1.8.0 closure(X) = id(ran(X)\/dom(X)) \/ closure1(X) and is thus different to the B-Book.
ProB may provide a preference in the next release to allow the user to choose between the two interpretations.


=== Limitations ===
=== Limitations ===

Latest revision as of 10:59, 30 January 2026


Atelier B Plugin

ProB Tcl/Tk can be installed as a plugin for Atelier B, so that ProB can be launched directly from within Atelier B projects. With this you can animate and model check B machines directly from within the IDE of Atelier-B.

The easiest is to perform the menu command "Install AtelierB 4 Plugin..." in the Help menu of ProB Tcl/Tk. This will create a file called probtclk.etool in an extensions folder next to Atelier B's bbin folder. The extensions folder is created if necessary.

Note: as the layout of Atelier-B's directories has changed, you need to use ProB 1.12.0 or newer for Atelier-B 4.7.1 or newer on macOS. You can also create the above file yourself.

Here is a typical probtclk.etool file (where PathToProB depends on your location of the ProB installation folder containing the prob and probcli binaries): 

<externalTool category="component"   name="ProBTclTk" label="&Animate with ProB (Tcl/Tk)">
    <toolParameter name="editor" type="tool" configure="yes"
   default="PathToProB/StartProB.sh" />
    <command>${editor}</command>
    <param>${componentPath}</param>
 </externalTool>

Note, you can also ProB2-UI within Atelier-B by creating a suitable file prob2ui.etool in this extensions folder. Here is a typical file for macOS; the path needs to be adapted for your location and operating system (we plan to provide an installer within ProB2-UI): 

<externalTool category="component"   name="ProB2UI" label="&Animate with ProB2-UI">
    <toolParameter name="editor" type="tool" configure="yes"
   default="/Applications/Development/ProB/ProB 2 UI.app/Contents/MacOS/ProB 2 UI" />
    <command>${editor}</command>
    <param>--machine-file</param>
    <param>${componentPath}</param>
</externalTool>

After installing the plugins you can launch ProB for selected B machines by right-clicking on a B machine within Atelier B:


ProB as Atelier B Prover

Atelier B also enables to use ProB as a prover/disprover in the interactive proof window. For this you need to set the ProB_Path resource to point to probcli (command-line version of ProB). To do this you need to add the following line to the resource file of your project (replacing PATH by the the path on your machine to probcli): 

ATB*PR*ProB_Path:PATH/probcli

Then you can type, e.g., the command prob(1)in the interactive proof window.

Two commands are provided within Atelier-B:

  • prob(n) tries to prove the goal with the selected hypotheses (selected using rp.n as is done for th e pp command of Atelier-B)
  • prob(n|t) is similar but also limits the execution time of ProB to t seconds

Atelier-B will call probcli using the commands -cbc_assertions_tautology_proof and -cbc_result_file after having encoded the proof obligation into the ASSERTIONS clause of a generated B machine.

The generated machine typically has the form: 

MACHINE probNr
SETS ...
CONSTANTS ...
PROPERTIES
  << ALL HYPOTHESES >>
ASSERTIONS
  ( <<SELECTED HYPOTHESES >>
   =>
  << PROOF GOAL >>
  )
END

Using the Atelier B Provers inside ProB

In the REPL of probcli you can call the provers ML and PP of Atelier-B.

Differences with Atelier B

As of version 1.3, ProB contains a much improved parser which tries be compliant with Atelier B but provides extra features.

Extra Features of ProB

  • Identifiers: ProB also allows identifiers consisting of a single letter. ProB also accepts enumerated set elements to be used as identifiers. Arbitrary identifiers can be used in backquotes (e..g, `id-1*`)
  • Lexing: The Atelier-B parser (bcomp) reports a lexical error (illegal token |-) if the vertical bar (|) of a lambda abstraction is followed directly by the minus sign.
  • Typing:
    • ProB makes use of a unification-based type inference algorithm. As such, typing information can not only flow from left-to-right inside a formula, but also from right-to-left. For example, it is sufficient to type xx<:yy & yy<:NAT instead of typing both xx and yy in ProB.
    • Similar to Rodin, ProB extracts typing information from all predicates. As such, it is sufficient to write xx/:{1,2} to assign a type to xx.
    • the fields of records are normalized (sorted); hence the predicate rec(a:0,b:1) = rec(b:y,a:x) is correctly typed for ProB.
    • As of version 1.12.1 you can apply prj1 and prj2 without providing the type arguments. For example, you can write prj2(prj1(1|->2|->3)) instead of prj2(INTEGER,INTEGER)(prj1(INTEGER*INTEGER,INTEGER)(1|->2|->3)).
  • DEFINITIONS: the definitions and its arguments are checked by ProB. We believe this to be an important feature for a formal method language. However, as such, every DEFINITION must be either a predicate, an expression or a substitution. You cannot use, for example, lists of identifiers as a definition. Also, for the moment, the arguments to DEFINITIONS have to be expressions. Finally, when replacing DEFINITIONS the associativity is not changed. E.g., with PLUS(x,y) == x+y, the expression PLUS(2,3)*10 will evaluate to 50 (and not to 32 as with Atelier-B). Also, ProB will generate a warning when variable capture may occur. In Version 1.16.0 of ProB there is the new preference HYGIENIC_DEFINITIONS. By setting it to TRUE you avoid most of the variable capture problems (ProB will automatically introduce a LET for parameters if necessary to avoid code duplication and variable capture).
  • In version 1.16.0 ProB will support EXPRESSIONS and PREDICATES sections as a hygienic replacement of DEFINITIONS
  • for a LET substitution, Atelier-B does not allow introduced identifiers to be used in the right-hand side of equations; ProB allows LET x,y BE x=2 & y=x*x IN ... END but only if the preference ALLOW_COMPLEX_LETS is set to TRUE.
  • ProB allows WHILE loops and sequential composition in abstract machines
  • ProB now allows the IF-THEN-ELSE for expressions and predicates: IF x<0 THEN -x ELSE x END
  • ProB now allows LET constructs for expressions and predicates
  • ProB allows btrue and bfalse as predicates.
  • ProB allows to use the Event-B relation operators <<->, <->>, <<->>
  • ProB allows escape codes (\n, \', \", see above) and supports UTF-8 characters in strings, and ProB allows multi-line string literals written using three apostrophes ("'string'") as well as template strings using three backquotes (e.g., ```1+2=${1+2}```)
  • ProB allows WHILE loops and sequential composition in abstract machines
  • Some of the sequence operators can be applied to strings (unless you set the preference STRING_AS_SEQUENCE to FALSE): size, rev, ^, conc
  • As of version 1.12.1 you can write Event-B style set comprehensions with an extra expression like {x•x:1..10|x*x}. You have to use the middle dot, the bullet (•) or a Unicode dot for this, though. You can also put parentheses around the identifiers and use the regular dot: {(x).x:1..10|x*x}.
  • ProB comes with several libraries of external functions for string manipulations, mathematical functions, Hilbert's choice operator, etc.
  • ProB supports a special section FREETYPES to define inductive data types

Differences

  • for ProB the order of fields in a record is not relevant (internally the fields are sorted), Atelier-B reports a type error if the order of the name of the fields changes
  • Well-definedness: ProB will try to check if your predicates are well-defined during animation or model checking, but there is currently no guarantee that all well-definedness errors will be detected. To be on the safe side, you should ensure that your formulas are well-defined according to the left-to-right definition of well-definedness employed in Rodin for Event-B. ProB now has a static checker for well-definedness which you can use for this. Note, however, that ProB may re-order conjuncts if this improves well-definedness. For example, for x:0..3 & y=10/x & x /=0 ProB will not report an error as the conjunct x/=0 is processed before the division. Indeed, while this predicate is not well-defined according to Rodin's left-to-right rule, it is well-defined according to the more liberal commutative definition of well-definedness.

Reflexive Closure

In version 1.8.0 (March 2018) ProB changed the definition of the transitive and reflexive closure operator of B. PorB now uses to the mathematical definition: 

 closure(X) = id(TypeOfX) \/ closure1(X)

This means that closure({1|->2}) is now infinite and contains for example the pair 3|->3. The same holds for iterate({1|->2},0). The previous definition was closure(X) = id(ran(X)\/dom(X)) \/ closure1(X) and the definition in Atelier-B was closure(X) = id(dom(X)) \/ closure1(X). However, both were not compatible with the following law in the B-Book on page 169: 

 r[a] <: a => closure(r)[a]=a

Take r = {1|->2}, then r[{3}] <: {3}. So, according to the law we have: closure(r)[{3}] = {3}.

In the next version of Atelier-B in 2025 closure(R) will be defined as "the smallest relation that contains R that is transitive and reflexive." This corresponds to ProB's definition prior to version 1.8.0 closure(X) = id(ran(X)\/dom(X)) \/ closure1(X) and is thus different to the B-Book. ProB may provide a preference in the next release to allow the user to choose between the two interpretations.


Limitations

  • Parsing: ProB will require parentheses around the comma, the relational composition, and parallel product operators. For example, you cannot write r2=rel;rel. You need to write r2=(rel;rel). This allows ProB to distinguish the relational composition from the sequential composition (or other uses of the semicolon). You also generally need to put BEGIN and END around the sequential composition operator, e.g., Op = BEGIN x:=1;y:=2 END.
  • Similarly, tuples without parentheses are not supported; write (a,b,c) instead of a,b,c
  • Unsupported Operators:
    • Trees and binary trees: some tree operators (mirror, infix) are not supported by ProB. The tree operators may disappear in future version of Atelier B and may also disappear from ProB.
    • VALUES: This clause of the IMPLEMENTATION machines is not yet fully supported;
Retrieved from "https://prob.hhu.de/w/index.php?title=Using_ProB_with_Atelier_B&oldid=6091"