証明責務の構造に基づくEvent-Bモデルの設計および証明支援手法

形式手法Event-B では，証明対象の仕様をモデル記述し，モデルから作成される証明責務を証明することで仕様の正しさを示せる．しかし記述したモデルに矛盾や不備がある場合は，証明責務を証明できない．その場合，その証明責務を満たすようにモデルを修正する．しかし，モデルを修正することにより，既に実施済みの証明が無効化され，証明の手戻りが発生する可能性がある．本研究では，上記証明の手戻りを防止可能なモデル修正手法を提案する．さらに，提案手法の適用可能性および有効性を確認するため，ファイル転送プロトコルを対象とする適用例とその評価結果を示す．また，上記提案手法の前提となるモデル全体像を策定する工程に対しても，分割戦略木と呼ぶ記法に基づく手法を整備する．電気通信大学201

Core Hybrid Event-B I: Single Hybrid Event-B machines

Faced with the increasing need for correctly designed hybrid and cyber-physical systems today, the problem of including provision for continuously varying behaviour as well as the usual discrete changes of state is considered in the context of Event-B. An extension of Event-B called Hybrid Event-B is presented, that accommodates continuous behaviours (called pliant events) in between familiar discrete transitions (called mode events in this context). The continuous state change can be specified by a combination of indirect specification via ordinary differential equations, or direct specification via assignment of variables to values that depend on time, or indirect specification by demanding that behaviour obeys a time dependent predicate. The syntactic elements of the extension are discussed, and the semantics is described in terms of the properties of time dependent valuations of variables. Refinement is examined in detail, with reference to the notion of refinement inherited from discrete Event-B. A full suite of proof obligations is presented, covering all aspects of the new framework. A selection of examples and case studies is presented. A particular challenge - bearing in mind the desirability of conforming to existing intuitions about discrete Event-B, and the impact on tool support (as embodied in tools for discrete Event-B like Rodin) - is to design the whole framework so as to disturb as little as possible the existing structures for handling discrete Event-B

Event-B モデルの詳細化構造の計画とリファクタリングの支援手法

学位の種別: 課程博士審査委員会委員 : （主査）東京大学准教授 蓮尾 一郎, 東京大学教授 萩谷 昌己, 東京大学教授 小林 直樹, 東京大学教授 高野 明彦, 東京大学教授 千葉 滋University of Tokyo(東京大学

Cruise Control in Hybrid Event-B

Abstract. A case study on automotive cruise control originally done in (conventional, discrete) Event-B is reexamined in Hybrid Event-B (an extension of Event-B that includes provision for continuously varying behaviour as well as the usual discrete changes of state). A significant case study such as this has various benefits. It can confirm that the Hybrid Event-B design allows appropriately fluent application level modelling (as is needed for serious industrial use). It also permits a critical comparison to be made between purely discrete and genuinely hybrid modelling. The latter enables application requirements to be covered in a more natural way. It also enables some inconvenient modelling metaphors to be eliminated.