Discover millions of ebooks, audiobooks, and so much more with a free trial

From $11.99/month after trial. Cancel anytime.

Formal Methods Applied to Complex Systems: Implementation of the B Method
Formal Methods Applied to Complex Systems: Implementation of the B Method
Formal Methods Applied to Complex Systems: Implementation of the B Method
Ebook709 pages7 hours

Formal Methods Applied to Complex Systems: Implementation of the B Method

Rating: 0 out of 5 stars

()

Read preview

About this ebook

This book presents real-world examples of formal techniques in an industrial context. It covers formal methods such as SCADE and/or the B Method, in various fields such as railways, aeronautics, and the automotive industry. The purpose of this book is to present a summary of experience on the use of “formal methods” (based on formal techniques such as proof, abstract interpretation and model-checking) in industrial examples of complex systems, based on the experience of people currently involved in the creation and assessment of safety critical system software. The involvement of people from within the industry allows the authors to avoid the usual confidentiality problems which can arise and thus enables them to supply new useful information (photos, architecture plans, real examples, etc.).
LanguageEnglish
PublisherWiley
Release dateJul 22, 2014
ISBN9781119002925
Formal Methods Applied to Complex Systems: Implementation of the B Method

Related to Formal Methods Applied to Complex Systems

Related ebooks

Software Development & Engineering For You

View More

Reviews for Formal Methods Applied to Complex Systems

Rating: 0 out of 5 stars
0 ratings

0 ratings0 reviews

What did you think?

Tap to rate

Review must be at least 10 words

    Book preview

    Formal Methods Applied to Complex Systems - Jean-Louis Boulanger

    Introduction

    I.1. Context

    Although formal program analysis techniques have a long history (including the work by Hoare [HOA 69] and Dijkstra [DIJ 75]), formal methods were only established in the 1980s. These techniques are used to analyze the behavior of software applications written using a programming language. The correctness of a program (correct behavior, program completion, etc.) is then demonstrated using a program proof based on the calculation of the weakest precondition [DIJ 76].

    The application of formal methods (Z [SPI 89], VDM [JON 90] and the B method [ABR 96, ARA 97]) for industrial applications and their suitability for use in industrial contexts dates back to the late 1990s. Formal specifications use mathematical notations to give a precise description of system requirements.

    Note 1.– Z – A Z specification is made up of schematic diagrams and sets used to specify a computer system. A specification is a set of schematic diagrams.

    Note 2.– The Vienna Development Method (VDM) – this is a formal method based on a denotational and operational vision (programs are seen as mathematical functions), unlike Z or the B method which are based on axiomatic set theory.

    One stumbling block is the possibility of implementation within the context of industrial applications (on a large scale, with cost and time constraints, etc.); this implementation requires tools to have attained a sufficient level of maturity and performance.

    Note that for critical applications, at least two formal methods make use of recognized and widely available design environments covering part of the code specification process while implementing one or more verification processes: the B method [ABR 96], the LUSTRE language [HAL 91, ARA 97] and its graphic version SCADE¹ [DOR 08]. The B method and the SCADE environment have been used successfully in industrial tools.

    To give an example, Atelier B, marketed and sold by CLEARSY², is a tool which covers the whole development cycle involved in the B method (specification, refining, code generation and proof). Note that Atelier B³ can be freely downloaded since version 4.0.

    Formal methods are based on a variety of formal verification techniques, such as proof, model checking [BAI 08] and/or simulation.

    Although formal methods are now becoming increasingly widely used, they are still relatively marginal when viewed in terms of the number of lines of code involved. To date, far more lines of ADA [ANS 83], C [ISO 99] and C++ code have been produced manually than through the use of a formalr ocess.

    For this reason, other formal techniques have been implemented in order to verify the behavior of software applications written in languages such as C and ADA. The main technique, abstract program interpretation, is used to evaluate all the behaviors of a software application by static analysis. In recent years, this type of technique has been applied to a number of tools, including POLYSPACE⁴, Caveat⁵, Absint⁶, FramaC⁷ and ASTREE⁸.

    The effectiveness of these static program analysis techniques has greatly improved with increases in the processing power of personal computers. Note that these techniques generally require the insertion of additional information, such as preconditions, invariants and/or postconditions, into the manual code.

    SPARK Ada⁹ is an approach in which the ADA language [ANS 83] has been extended [BAR 03] to include these additional tools and a suite of tailored tools has been created.

    I.2. Aims of this book

    [BOW 95] and [ARA 97] provided the first feedback from industrial actors concerning the use of formal techniques, notably the B method [ABR 96], the LUSTRE language [HAL 91, ARA 97] and SAO+, the precursor of SCADE¹⁰ [DOR 08]. Other works, including [MON 00, MON 02 and HAD 06], give an overview of formal methods from a more academic perspective.

    Our aim in this book is to present real-world examples of the use of formal techniques.

    For our purposes, the term formal techniques is taken to mean the different mathematically based approaches used to demonstrate that a software application respects a certain number of properties.

    Note that the standard use of formal techniques consists of producing specification and/or design models, but that formal techniques are increasingly seen as tools for verification (static code analysis, to demonstrate that properties are respected, to demonstrate good management of floating points, etc.).

    This book is the fifth and final volume in a series covering different aspects:

    – Volume 1 [BOU 11] concerns examples of industrial implementation of formal techniques based on static analysis, such as abstract interpretation, and includes examples of the use of ASTREE, CAVEAT, CODEPEER, FramaC and POLSYPACE.

    – Volume 2 [BOU 12b] presents different formal modeling techniques used in the field of rail transport, such as the B method, SCADE, Simulink DV, GaTel and Control Build and other techniques.

    – Volume 3 [BOU 12a] presents different tools used in formal verification: SPARK ADA, MaTeLo, AltaRica, Polyspace, Escher and B-event.

    – Volume 4 [BOU 14] gives examples of the industrial implementation of the B method [ABR 96], SCADE, and verification using Prover Verifier. Note that this volume (which presents examples of application using the B method) constitutes a useful addition to university textbooks such as [LAN 96], [WOR 96] and [SCH 01].

    I wish to thank all the industrial actors who have freely given of their time to contribute such interesting and informative chapters to this book.

    I.3. Bibliography

    [ABR 96] Abrial J.R., The B Book: Assigning Programs to Meanings, Cambridge University Press, Cambridge, August 1996.

    [ANS 83] ANSI, Norme ANSI/MIL-STD-1815A-1983, Langage de programmation Ada, 1983.

    [ARA 97] ARAGO, Applications des Méthodes Formelles au Logiciel, Observatoire Français des Techniques Avancées (OFTA), Masson, vol. 20, June 1997.

    [BAI 08] Baier C., Katoen J.-P., Principles of Model Checking, MIT Press, 2008.

    [BAR 03] Barnes J., High Integrity Software: The SPARK Approach to Safety and Security, Addison-Wesley, 2003.

    [BOU 11] Boulanger J.-L. (ed.), Static Analysis of Software, ISTE, London, and John Wiley & Sons, New York, 2011.

    [BOU 12a] Boulanger J.-L. (ed.), Industrial Use of Formal Method: Formal Verification, ISTE, London, and John Wiley & Sons, New York, 2012.

    [BOU 12b] Boulanger J.-L. (ed.), Formal Methods: Industrial Use from Model to the Code, ISTE, London, and John Wiley & Sons, New York, 2012.

    [BOU 14] Boulanger J.-L. (ed.), Formal Method, Applied to Industrial Complex Systems, ISTE, London, and John Wiley & Sons, New York, 2014.

    [BOW 95] Bowen J.P., Hinchey M.G., Applications of Formal Methods, Prentice Hall, 1995.

    [COU 00] Cousot P., Interprétation abstraite, Technique et Science Informatique, vol. 19, no. 1–3, pp. 155–164, January 2000.

    [DIJ 75] Dijkstra E.W., Guarded commands, nondeterminacy and formal derivation of programs, Communications of the ACM, vol. 18, no. 8, pp. 453– 457, August 1975.

    [DIJ 76] Dijkstra E.W., A Discipline of Programming, Prentice Hall, 1976.

    [DOR 08] Dormoy F.-X., Scade 6 a model based solution for safety critical software development, Embedded Real-Time Systems Conference, 2008.

    [HAD 06] Haddad S., Kordon F., Petrucci L. (ed.), Méthodes formelles pour les systèmes répartis et coopératifs, Collection IC2, Hermes, 2006.

    [HAL 91] Halbwachs N., Paul C., Pascal R., et al., The synchronous dataflow programming language Lustre, Proceedings of the IEEE, vol. 79, no. 9, pp. 1305–1320, September 1991.

    [HOA 69] Hoare C.A.R., An axiomatic basis for computer programming, Communications of the ACM, vol. 12, no. 10, pp. 576–580, 583, 1969.

    [JON 90] Jones C.B., Systematic Software Development Using VDM, 2nd ed., Prentice Hall International, 1990.

    [LAN 96] Lano K., The B Language and Method: A Guide to Practical Formal Development, Springer Verlag London Ltd., 1996.

    [MON 00] Monin J.-F., Introduction aux Méthodes Formelles, Hermès, 2000. [Foreword by G. Huet]

    [MON 02] Monin J.-F., Understanding Formal Methods, Springer Verlag, 2002. [Foreword by G. Huet, Translation edited by M. Hinchey]

    [SCH 01] Schneider S., The B-Method: An Introduction, Palgrave, 2001.

    [SPI 89] Spivey J.M., The Z Notation: A Reference Manual, Prentice Hall International, 1989.

    [WOR 96] Wordsworth J., Software Engineering with B, Addison-Wesley, 1996.

    Introduction written by Jean-Louis Boulanger.

    1 The SCADE development environment is marketed by ESTEREL-Technologies – see http://www.esterel-technologies.com/.

    2 For more information on CLEARSY and Atelier B, see http://www.clearsy.com/.

    3 Atelier B and the associated information may be obtained at http://www.atelierb.eu/.

    4 See http://www.mathworks.com/products/polyspace/ for further information concerning Polyspace.

    5 See http://www-list.cea.fr/labos/fr/LSL/caveat/index.html for further information concerning Caveat.

    6 See http://www.absint.com/ for further information concerning Absint.

    7 Further details may be found at http://frama-c.com/.

    8 See http://www.astree.ens.fr/ for further information concerning ASTREE.

    9 The Website http://www.altran-praxis.com/spark.aspx offers additional information concerning SPARK Ada technology.

    10 Note that SCADE started out as a development environment using the LUSTRE language before becoming a language in its own right from version 6 onward (the code generator for version 6 uses a SCADE model instead of a LUSTRE code as input).

    1

    Presentation of the B Method

    1.1. Introduction

    The use of formal methods [BEH 93, ARA 97, HIN 95, MON 00, BOU 11, BOU 12a, BOU 12b] is increasing, especially in critical applications such as nuclear power plants, avionics and rail transport. Ensuring maximum safety while operating an application is a significant challenge.

    The contribution of formal methods is that they present a mathematical framework for the development process, which provides a method for producing software that is correct by construction. This is because the development process can be verified by validation techniques such as proof or exploration of the model.

    Figure 1.1. Example of a Z diagram¹

    images/c01_img_8_0.jpg

    Of course, to achieve this we need a precise description of the properties that the computerized system must possess. There are different classes of formal methods: algebraic specifications (PLUSS or PVS), equational specifications (LUSTRE [HAL 91, ARA 97]) and model-oriented specifications (B [ABR 96], the Vienna Development Method (VDM) [JON 90] or Z [SPI 89]).

    In contrast to model exploration-oriented validation (model-checking [BAI 08]) such as LUSTRE, the B method [ABR 96] is based on the proof of a proof obligation (or PO in the following) which guarantees the feasibility and the coherence of the model (validity of the refinement).

    In the French railway industry, the use of formal methods [BEH 93, ARA 97, DEB 94, BOU 11, BOU 12a, BOU 12b], and in particular the B method, is increasingly common within the development of critical systems.

    The software for these safety systems (rail signaling, automatic driving, etc.) must meet very strict quality, reliability, safety and robustness criteria.

    One of the first applications of formal methods was made a posteriori on the SACEM² [GUI 90]. During the installation of the SACEM [GEO 90], the RATP³ had carried out a Hoare proof [HOA 69] to demonstrate that the requirements had been taken into account; for more information, see [GUI 90]. The Hoare proof makes it possible to clearly show all of the postconditions, using a program P and a set of preconditions C.

    The Hoare proof, which was carried out within the SACEM, showed a certain number of code properties, but it was not possible to link these with requirements related to safety (e.g. requirement for non-collision).

    As a result, the decision was made to create a formal model in Z [SPI 89, DIL 95]. This formal model made it possible to break the properties down and to link the requirements with the code. Around 20 significant anomalies were discovered in this way by the team of experts responsible for the respecification in Z.

    Projects such as the CTDC, KVS or the SAET-METEOR⁴ [BEH 93, BEH 96, BEH 97, BOU 06], LST [DEH 94], CdG VAL (VAL for Véhicule Automatique Léger – Light Automatic Vehicle)⁵ and the automation of Line 1 of the Parisian metro use the B method throughout the development process (from the specifications to the code).

    1.2. The B method

    1.2.1. Presentation

    The B method was developed by Jean-Raymond Abrial⁶ [ABR 96], and is a formal, model-oriented method like Z [SPI 89] and VDM [JON 90]. However, unlike these methods, it also allows incremental development of the specification up to the code through the concept of refinement [MOR 90], and this is through a unique formalism: the language of abstract machines.

    Figure 1.2. The Hello program in B

    images/c01_img_6_2.jpg

    At each stage of B development, proof obligations (POs) are generated in order to guarantee the validity of the refinement and the consistency of the abstract machine. In this way, the B method makes it possible to develop safe software.

    Like Z, the B method is based on set theory and first-order predicate logic. However, unlike Z, the B method has a development flavor in its way of specifying operations. In fact, operations are not specified in terms of pre- and postconditions, but by means of generalized substitutions.

    In Figure 1.2, we introduce the specification of the HelloWorld program and its implementation HelloWorld_n.

    1.2.2. The concept of an abstract machine

    1.2.2.1. Abstract machine

    A B-model is designed through composition, decomposition and refinement of abstract machines. The basic component of the B method is the abstract machine, which can be a high-level machine or a refinement of another machine. The final refinement may also be called the implementation.

    The concept of an abstract machine is similar to the concept of a module and/or object, which is found in more traditional programming languages. The keyword here is encapsulation: the state evolution of an abstract machine should only take place through the behavior of the encapsulation.

    Abstract machines are divided into three levels: the MACHINEs, which describe the highest level of specification; the REFINEMENTs, which include all the intermediary steps between the specification and the code; and the IMPLEMENTATIONs, which define the coding.

    Figure 1.3 shows the structure of a MACHINE. The refinements and implementations follow the same model.

    The B method defines a unique notation, known as abstract machine notation (AMN) (see [ABR 92]), which allows us to describe the above-mentioned three levels of abstraction. It should be noted that in order to transition from a high-level machine to implementation, we can go through one or several refinements. In this case, we talk about a development chain for the machine concerned.

    Figure 1.3. Example of an abstract machine

    images/c01_img_2_4.jpg

    From the final refinement (implementation) onward, we have obtained a level of detail which is sufficient for us to use an automatic code generator (C [ISO 99], ADA [ANS 83], etc.) to obtain an executable code. The restrictions on the AMN at the implementation level make it possible to build a translator.

    Abstract machines are made up of three parts: declarative, composition and executive. In Figure 1.4, the declarative part is shown in italics, the executive part is shown in bold and the composition part is shown in normal typeface.

    1.2.2.2. Declarative part

    The declarative part makes it possible to describe the state of the abstract machine through variables, constants, sets and, above all, through properties, which should always be verified by the state of the machine. This part is based on set theory and first-order predicates. We can call this a state model.

    Figure 1.4. Example of an abstract machine

    images/c01_img_2_5.jpg

    For the STACK machine in Figure 1.4, the state is made up of a sequence-type stack variable, with Object-type elements and a max_object constant, introduced by configuration, which makes it possible to configure the maximum number of elements from this stack. The sequence is the second type of basis after sets.

    Table 1.1. The basic sets

    images/c01_img_5_5.jpg

    The B language is not built on the manipulation of types, but rather on the manipulation of sets. For each variable, we calculate all the associated values. Table 1.1 introduces the basic sets.

    The basic sets are associated with an operator set which makes it possible to construct more complex sets. Table 1.2 introduces a subset of set operators available for the creation of B models.

    Table 1.2. The basic sets

    images/c01_img_3_6.jpg

    As we can see in Figure 1.4, the B language has a mathematical notation (, , eτχ). However, it also needs to have a computer notation ( :, & , etc.), which makes it possible to enter elements using a normal keyboard. Table 1.3 shows an extract of the correspondence between B American Standard Code for Information Interchange (ASCII) notation and mathematical notation.

    Table 1.3. Correspondence between ASCII and mathematical notation

    Figure 1.5 shows an example of a specification which uses sets. There is a global set PEOPLE (PERSONNES) which characterizes all the people which can exist in the specification. This set must be finite, and this is why there is a constraint on the cardinal. The set people characterizes people who exist and the set men characterizes a specific subset of people.

    Figure 1.5. Example of set usage

    images/c01_img_3_7.jpg

    The clause DEFINITIONS introduces the set WOMEN which is the complement of the set men. This clause makes it possible to have inline definitions of programming languages (an inline code is expanded at compilation).

    1.2.2.3. Composition part

    The composition clauses (SEES, INCLUDES, IMPORTS and EXTENDS) make it possible to describe the various links between abstract machines. Each clause introduces visibility rules on the state and the operations of the abstract machine in question.

    In our example in Figure 1.3, we introduce the visibility link (SEES) on the machine OBJECT in order to have access to the set Object.

    1.2.2.4. Executive part

    The executive part contains the initialization and the operations of the abstract machine. It is based on the generalized substitution language (GSL). This execution mechanism may be interpreted as an extension of the assignment as it exists in imperative languages (of the type ADA, PASCAL, C, etc.).

    Table 1.4 shows a subset of the GSL [ABR 91]. Generalized substitutions are an extension of the work of Dijkstra [DIJ 76] on substitutions.

    Table 1.4. A subset of generalized substitutions

    NOTE.– x describes a variable, E is an expression of set theory, P and R are predicates, and S and T are generalized substitutions.

    Generalized substitutions are predicate transformers. The predicate obtained by applying the substitution S on the predicate P is written as [S] P. In fact, as shown in Table 1.5, we define substitutions by their effect on a predicate, and this is known as weakest precondition (wp).

    Table 1.5. Use of predicate transformation

    There are complementary calculation rules available for manipulating generalized substitutions, such as distributivity [S] (p q) = [S]p & [S]q or [S](¬p) = ¬([S] p).

    The behavior of our example (see Figure 1.4) basically consists of two operations (push and pop) that are constructed around the behavior of the sequences. The operations last, front and ← represent, respectively, access to the final element, the sequence without the final element and the concatenation to the right.

    In order to find out whether the substitution of the body of the push operation can verify the invariant of the STACK machine, we can simply calculate the initial precondition so that the substitution stack := stack ← XX satisfies the invariant of the abstract machine. (see Figure 1.6)

    Figure 1.6. Application of the push operation on the invariant

    images/c01_img_5_9.jpg

    In order to minimize the burden of the construction of abstract machines, some sugared constructions have been introduced at the AMN level. The basic substitutions (see Table 1.4) have a textual form available to them; for example, the preconditioning P | S is written as PRE P THEN S END.

    Some more evolved structures, which are found in the so-called evolved languages, have been introduced, but they may be rewritten by combining the basic substitutions. The multiple substitution x,y := E,F and the classical conditional structure IF P THEN S ELSE T END are both examples of actions that can be found in the body of operations. They may be rewritten, respectively, with the simultaneous substitution x:=E || y:=F and the limited substitution P=>S [] not(P)=>T.

    As previously stated, the AMN defines a single notation based on GSL, set theory and first-order logic. However, the set of substitutions cannot be used on all levels. For example, the substitution ANY xx WHERE P(xx) THEN S END (which means that ∀ xx.P(xx) => [S]) can be used at the abstract levels (machine and refinement), whereas the substitution WHILE B DO S END cannot be accepted at the most abstract level.

    The B method is based on encapsulation. Therefore, the operations should provide the set of behaviors enabling the state of the machine to evolve. However, this is not always possible, as we will see in in the following.

    1.2.3. From machines to implementations

    1.2.3.1. Principle

    Abstract machines that are used to describe the specification use non-deterministic constructs and all the power of set language and first-order logic. In this context, algorithmic constructions (sequence and loops) are forbidden for abstract machines.

    In order to proceed toward an executable application, the process known as refinement needs to be introduced. This allows us to progressively replace the set data structures with structures close to those of programming languages. In this way, the non-determinism is removed and generalized substitutions analogous to sequence and loops (WHILE) are introduced.

    All of these refinement stages are subjected to proofs of maintenance of the invariants and the conformity of the refined machines in relation to the more abstract machines.

    1.2.3.2. Refinement

    As can be seen in Figure 1.7, the refinement process (see [MOR 90]) has usually been represented as a sequence of independent steps, with which verifications are associated. A component i+1 (refinement or implementation) refines a component i (machine or refinement).

    The refinement process begins with the definition of a machine that contains the abstract description of the need. The refinements allow us to make the need concrete and show the non-deterministic and non-sequential elements. The implementation is a B component that uses a subset of the B language named B0.

    Figure 1.7. From the description of the need to the implementation

    images/c01_img_2_11.jpg

    The sublanguage B0 is a language that is close to more traditional languages (C, ADA, etc.). B0 is thus easy to translate into programming languages.

    Figure 1.8 shows an example of refinement (for more information about the process of refinement, see [MOR 90]). The specification indicates that the need is to find two numbers q and r such that a= q*b+r and r

    The suggested algorithm uses an instruction WHILE … DO END. The B language is here the B instruction, integrating the concept INVARIANT and the concept VARIANT. The VARIANT allows us to show the end of the loop and the INVARIANT allows us to verify the correct behavior of the loop.

    1.2.3.3. Process

    Figure 1.9 introduces the generally used process, which is focused on searching for a fault in the software application. The search for a fault is based on the concept of program execution. This approach seeks to show that the software is correct.

    Figure 1.8. Example of a refinement

    images/c01_img_3_12.jpg

    Figure 1.9. Development cycle with the B method

    images/c01_img_5_12.jpg

    Using formal methods, the process is based on a different observation: the software is correct by construction. As a result, the process is different because it is focused on analyzing the need and demonstrating that some properties are true during all executions (see Figure 1.10).

    Figure 1.10. Formal process

    images/c01_img_2_13.jpg

    As can be seen in Figure 1.11, the process consists of writing a modeling of the problem, simple and abstract. Then, to this modeling, as the stages known as refinement progress [MOR 90], we add more concrete and more complex elements, all the while proving the coherence of the new models created.

    Figure 1.11. Development cycle with the B method

    images/c01_img_5_13.jpg

    Implementation, the final stage, is free from abstract types of original data, which have become programmable structures such as tables and files. The following have been eliminated: the preconditions of subprograms, and the simultaneity and the non-determinism that were present in the abstract model. Structures for checking programming such as sequencing and loop have been introduced.

    At this stage, automatic transformation into code may take place. This could be into ADA or C, or even into Assembleur code for certain tools: trying to match a formal specification directly with a traditional programming language is impossible because they have different thought patterns.

    The concept of proof (in Figure 1.11, the thin arrows) is strongly linked to the B development and the specification is written as a function of these future obligations. The proof is involved at all levels of abstraction. After a machine is written, the proof of its internal coherence is carried out. If the result of this is positive, then the development may continue.

    The proof is carried out in this way after each level of abstraction, verifying internal coherence and conformity with the level of abstraction above.

    Figure 1.12. B Process

    images/c01_img_5_14.jpg

    Figure 1.12 summarizes the creation process for a B model. In input are the specifications of the needs, and in output are the sources of the B model, the added rules, the POs, the proofs and the source codes.

    1.3. Verification and validation (V&V)

    1.3.1. Internal verification

    1.3.1.1. Principles

    As shown in Figure 1.13, external verification (consistency of the specification) and internal verification (validity of the refinements) are carried out through proof of the POs. POs are an essential part of the B method.

    Figure 1.13. Internal verification and external verification

    images/c01_img_3_15.jpg

    The B method introduces three verification phases for all abstract machines: syntactic analysis, verification of type and generation of POs. For implementations, there is an additional verification linked to the fact that the B component must comply with the B0 language in order to guarantee the translation into the target language.

    1.3.1.2. Syntactic and semantic analysis

    Syntactic analysis allows us to verify that the abstract machine has been correctly built, through ensuring that it complies with the syntactic rules of AMN. One of the syntactic rules verified in this way is linked to the restriction on the use of certain substitutions. For example, simultaneous substitution, denotated S || P, may not be used in an implementation.

    Verification of type makes it possible to detect faults linked to undeclared or poorly declared objects, expressions that cannot be typed, incoherencies between various definitions of the same operation, or to violations of visibility rules introduced by the composition clauses. All expressions can be typed, since the set theory used in AMN is a simplification of classical set theory.

    1.3.1.3. Generation of proof obligations

    As we have already shown, at each development stage there is a stage of PO generation. POs are automatically generated by the tool.

    Figure 1.14. Aims of proof obligations

    images/c01_img_4_16.jpg

    For a high-level abstract machine, the POs generated guarantee mathematical consistency. For refinements and implementations, the POs guarantee the validity of the refinement in relation to the machine at the next level in the development chain. In general, the complexity of the POs depends on the level of abstraction used (the more concrete, the more complex) and the structure of the application in terms of links between machines.

    All the POs contain information that describes the context of the machine in their hypotheses. The context contains a set of constraints that define the formal parameters, and the properties concerning the sets and the constants of the abstract machine. It also takes into account that all the sets used are finite, not empty, and that all of their elements are distinct.

    The context of an abstract machine is denotated by . The composition clauses may add information to the context, to the invariant and to the initialization which is in agreement with the visibility rules.

    The verification of mathematical consistency introduces two types of POs. First, we need to show that the model is not empty. This is done by showing that the initialization creates the invariant.

    [1.1] images/Inline_17_10.jpg

    Second, we need to prove that each operation of the abstract machine maintains the invariant. In the case of an OPE operation defined by a substitution S under the precondition that if Q is OPE = PRE Q then S END, we obtain a PO of the following form:

    [1.2]

    images/Inline_18_3.jpg

    We may take the result of Figure 1.5 to be an example of this. It thus remains to be shown that:

    images/c01_img_5_17.jpg

    To show that an abstract machine is actually a refinement of a highest level machine in relation to a development chain, we need to show that its initialization and its operations maintain the semantics of their most abstract versions. The POs generated for the nth refinement are described by equation [1.3] for the initialization and by equation [1.4] for each operation.

    [1.3] images/Inline_18_8.jpg

    [1.4]

    images/Inline_18_10.jpg

    where Initi, Ii, Qi, Si and ui are, respectively, the initialization, the invariant, the precondition of the operation, the action of the operation and the formal parameter of the operation of the ith refinement.

    We notice that there is no PO regarding the feasibility of the predicates introduced in the invariant, the preconditions of the operations, the constraints relative to the formal parameters, and the properties of the sets and the constants. In fact, feasibility is introduced by the construction of the other proofs or by the introduction of a specific PO in the case of need.

    The verification of the existence of a variable that satisfies the invariant is indirectly introduced by the POs [1.1] and [1.3].

    The existence of formal parameters that validate the precondition of an operation is carried out by the POs [1.2] and [1.4]. The existence of formal parameters that validate the constraints of the target machine is required when a machine uses the inclusion or importation of another machine.

    All machines that include or import a configured machine must instantiate the formal parameters, and the PO [1.5] is generated in order to guarantee that the effective parameters validate the constraints.

    [1.5]

    images/Inline_19_4.jpg

    where A is a predicate indicating that the sets that have become parameters are finite and not empty, and where the predicate Constraints is associated with the clause of the same name.

    The valuation of the sets and constants may be carried out at the highest level or at implementation (sets and constants submitted). The PO [1.6] guarantees that, at the implementation level, the properties are true for the values given to these objects:

    [1.6]

    images/Inline_19_8.jpg

    where Properties is the predicate associated with the clause PROPERTIES. relates to the part of the context used to create the Values.

    Using constructive proof implies that certain verifications are carried out at the implementation level. In the case of parameterized machines, these verifications are reported until inclusion (machine or refinement) or importation (implementation) in a machine which is part of another development chain.

    In the above, we have seen that we can use the structure WHILE at the final realizations level. As we are in a proof environment, a certain number of complementary POs are generated to guarantee that WHILE (see Figure 1.8) and its termination are executed correctly.

    Finally, the following should be noted: while we are analyzing the POs, the number of predicates from the analysis grows when the number of the levels of refinement and the number of links introduced by the composition clauses increase.

    The POs are represented by a goal to be achieve under the condition of the presence of assumptions. These are established starting from the preconditions and the definitions contained in the refined component, but also using the information read in the viewed or imported machines.

    1.3.2. Validation or external verification

    When the B-model is written and proved, we may believe that it is correct, but in fact it is not so simple. The proof guarantees that the B-model is coherent and respects the properties introduced in precondition, invariant and postcondition. However, the validation deals with the correctness with regard to the need.

    The B method does not cover the validation; we need to introduce some specific activities:

    – to review the B-model to verify that the textual specification is assumed by the model;

    – to demonstrate that the properties (contained in the model) cover all parts of the model. It is possible to introduce some obvious properties or partial properties (which cover just a part of the model);

    – to test (overall software tests) the complete software (generated automatically) to demonstrate that the complete application fulfills the requirements of the textual specification.

    1.4. Methodology

    The development of an application in B is not code-oriented, but rather it is proof-oriented. This is why all application development methodology in B must be proof-oriented. Indeed the POs generated should be as small as possible and their numbers whether large or small should be provable.

    Figure 1.15. Refinement chain

    images/c01_img_2_20.jpg

    1.4.1. Development by layer

    Figure 1.15 shows the classical process for development using a formal method. We begin by writing the specification of the system to be created, and then we carry out successive refinements until the code is obtained.

    In order to validate the specification, there is a unique external verification at the level of the specification and there are internal verifications at each refinement. Putting a process such as this in place for development in B introduces a significant network of links (SEES, INCLUDES, PROMOTES and EXTEND) between the machines (composition part of the machines) at the highest level of abstraction.

    In addition, such a process rapidly reveals variables and invariants which characterize the composition part in high-level machines. This weighs down the predicates brought into play in the POs and thus makes the POs more complicated.

    The B development must start from the highest possible level of abstraction and progressively introduce the details of implementation in the form of operation and data refinements. In this way, a layered development is obtained (see Figure 1.16).

    Figure 1.16. Layered development

    images/c01_img_2_21.jpg

    In fact, in layered development [WAE 95], we progress from an abstract stage to a concrete stage that leads to the appearance of new abstract stages. This is the way in which the concept of a development chain and a breakdown based on services appears.

    A development chain brings together all the stages, from specification to implementation, for a given module (shown by the dotted rectangle in Figure 1.16). The structuring of the layered model is performed through SEES and IMPORTS links. The SEES link (shown by a line) allows MACHINE and REFINEMENT to access the data structures. The IMPORTS link (shown by the arrow) makes it possible to access the operations during the final realization.

    The sheets of the graph obtained in this way are basic machines that are already proved and that have been created in different target languages.

    This type of development offers a model rather than a specification of the problem. As an immediate consequence, we have an external validation, which will need to be fragmented

    Enjoying the preview?
    Page 1 of 1