Automated property verification for large scale B models with ProB

In this paper we describe the successful application of the ProB tool for data validation in several industrial applications. The initial case study centred on the San Juan metro system installed by Siemens. The control software was developed and formally proven with B. However, the development contains certain assumptions about the actual rail network topology which have to be validated separately in order to ensure safe operation. For this task, Siemens has developed custom proof rules for Atelier B. Atelier B, however, was unable to deal with about 80 properties of the deployment (running out of memory). These properties thus had to be validated by hand at great expense, and they need to be revalidated whenever the rail network infrastructure changes. In this paper we show how we were able to use ProB to validate all of the about 300 properties of the San Juan deployment, detecting exactly the same faults automatically in a few minutes that were manually uncovered in about one man-month. We have repeated this task for three ongoing projects at Siemens, notably the ongoing automatisation of the line 1 of the Paris Métro. Here again, about a man month of effort has been replaced by a few minutes of computation. This achievement required the extension of the ProB kernel for large sets as well as an improved constraint propagation algorithm. We also outline some of the effort and features that were required in moving from a tool capable of dealing with medium-sized examples towards a tool able to deal with actual industrial specifications. We also describe the issue of validating ProB, so that it can be integrated into the SIL4 development chain at Siemens.     

Another Look at LTL Model Checking

We show how LTL model checking can be reduced to CTL model checking with fairness constraints. Using this reduction, we also describe how to construct a symbolic LTL model checker that appears to be quite efficient in practice. In particular, we show how the SMV model checking system developed by McMillan [16] can be extended to permit LTL specifications. The results that we have obtained are quite surprising. For the specifications which can be expressed in both CTL and LTL, the LTL model checker required at most twice as much time and space as the CTL model checker. We also succeeded in verifying non-trivial LTL specifications. The amount of time and space that is required is quite reasonable. Based on the examples that we considered, it appears that efficient LTL model checking is possible when the specifications are not excessively complicated.     

<Emphasis Type="SmallCaps">ProB</Emphasis>: an automated analysis toolset for the B method

We present ProB, a validation toolset for the B method. ProB’s automated animation facilities allow users to gain confidence in their specifications. ProB also contains a model checker and a refinement checker, both of which can be used to detect various errors in B specifications. We describe the underlying methodology of ProB, and present the important aspects of the implementation. We also present empirical evaluations as well as several case studies, highlighting that ProB enables users to uncover errors that are not easily discovered by existing tools. This research was carried out as part of the EU research project IST 511599 RODIN (Rigorous Open Development Environment for Complex Systems).     

Temporal-logic property preservation under Z refinement

Formal specification languages such as Z, B and VDM are used in the incremental development of abstract specifications (suitable for establishing required properties) to more concrete specifications (resembling the final implementation). This incremental development process, known as refinement, preserves all observable properties of the original abstract specification. Recent research has looked at applying temporal-logic model checking to such specification languages. While this assists in the establishment of properties of the abstract specification, temporal-logic properties typically refer to state variables which are regarded as non-observable. Hence, such properties are not guaranteed to be preserved by refinement. This paper investigates the classes of temporal-logic properties which are preserved by refinement, and for some of those properties that are not preserved in general, the restrictions on the refinement process under which they are preserved. Results are presented for the temporal logics LTL, CTL and the μ-calculus and the formal specification language Z. They apply equally, however, to related formal specification languages such as B and VDM.     

Failure diagnosis of discrete-event systems with linear-time temporal logic specifications

The paper studies failure diagnosis of discrete-event systems (DESs) with linear-time temporal logic (LTL) specifications. The LTL formulas are used for specifying failures in the system. The LTL-based specifications make the specification specifying process easier and more user-friendly than the formal language/automata-based specifications; and they can capture the failures representing the violation of both liveness and safety properties, whereas the prior formal language/automaton-based specifications can capture the failures representing the violation of only the safety properties (such as the occurrence of a faulty event or the arrival at a failed state). Prediagnosability and diagnosability of DESs in the temporal logic setting are defined. The problem of testing prediagnosability and diagnosability is reduced to the problem of model checking. An algorithm for the test of prediagnosability and diagnosability, and the synthesis of a diagnoser is obtained. The complexity of the algorithm is exponential in the length of each specification LTL formula, and polynomial in the number of system states and the number of specifications. The requirement of nonexistence of unobservable cycles in the system, which is needed for the diagnosis algorithms in prior methods to work, is relaxed. Finally, a simple example is given for illustration.     

一种从Object—Z到CSP规格说明的转化方法

面向对象形式规格说明语言Object-Z与进程代数CSP相结合是当今的一个热点,它既可以表示复杂的模块化数据与算法,又可以表示系统的行为,但求精与验证对它们结合后的规格说明需要分别进行处理。本文提出了一个方法,把Object-Z规格说明转化为CSP规格说明,可以方便地处理结合后的规格说明,因此求精与推理对结合后的规格说明可以按CSP规则与方法一致来进行处理。此外,转化后的Object-Z规格说明可以按照CSP方法进行模型检查。     

An Overview of the Integrated Formalism RT-Z

We present an integration of the formal specification languages Z and timed CSP, called RT-Z, incorporating their combined strengths in a coherent frame. To cope with complex systems, RT-Z is equipped with structuring constructs built on top of the integration, because both Z and timed CSP lack appropriate facilities. The formal semantics of RT-Z, based on the denotational semantics of Z and timed CSP, is a prerequisite for preciseness and mathematical rigour. RT-Z is intended to be used in the requirements definition and design phases of the system and software development process. The envisaged application area is the development of real-time embedded systems. Received September 2000 / Accepted in revised form June 2001     

Semantics,calculi, and analysis for object-oriented specifications

We present a formal semantics for an object-oriented specification language. The formal semantics is presented as a conservative shallow embedding in Isabelle/hol and the language is oriented towards ocl formulae in the context of uml class diagrams. On this basis, we formally derive several equational and tableaux calculi, which form the basis of an integrated proof environment including automatic proof support and support for the analysis of this type of specifications. We show applications of our proof environment to data refinement based on an adapted standard refinement notion. Thus, we provide an integrated formal method for refinement-based object-oriented development.     

Object modelling and formal specification during real-time system development

Object oriented techniques promote understanding of requirements leading to flexible and extendible designs. The use of formal specification techniques ensures a complete understanding of system requirements and provides sound foundations for subsequent testing and verification. This paper describes the use of the Z and Timed CSP formal specification techniques to support object modelling during real-time system development. Relationships between class attributes are specified within the corresponding Z schemas and inheritance relationships between classes are formally specified using the schema extension mechanism of Z. Z is used to specify the domain types of the attributes of classes identified during object oriented analysis and design. Z is also used to produce model based specifications of the methods within classes that are specified informally during functional analysis. Dynamic analysis identifies events, states and temporal relationships between events. Timed CSP is used to formally specify this information as well as timing information that is necessary during real-time system development.     

Editorial

In June 1999, the first International Workshop on Integrated Formal Methods was held at York University in the UK. The primary aim of the workshop was the combination of behavioural and state-based formalisms to yield practical solutions to industrial problems. The workshop proceedings were edited by Keijiro Araki, Andy Galloway and Kenji Taguchi and are available as “IFM99” (ISBN 1-85233-107-0, published by Springer). After the workshop, selected authors were invited to develop journal versions of their papers, incorporating further extensions, corrections and revisions. This was arranged by Andy Galloway who then passed the papers to the journal for refereeing. And here we must record our sincere thanks to Andy. Without his efforts this issue of the journal would simply not have been possible. Following reports from referees and senior colleagues from the editorial board (and the withdrawal of one submission for publication in a book) five papers were accepted for publication here. We hope that those rejected will be further revised and resubmitted; they contained good work but required further development. The common theme is, predictably, the marrying of component specification with control of the interconnecting system, and the first 4 papers all present variations on the theme of Z + CSP. Sühl adds an additional structuring mechanism to Z and CSP and targets his application area as real-time embedded systems, whereas Derrick and Boiten use Object-Z to give partial specifications (viewpoints) which are then combined using CSP. Smith and Hayes describe Real-time Object-Z, which results from the integration of Object-Z with timed traces, and Mahony and Dong investigate the necessary formal underpinning required to combine Timed CSP and Object-Z by means of a trace model. The final paper, by Gro?e-Rhode, introduces and illustrates a mechanism for checking the compatibility of different partial specifications and for coping with composite specifications in which different formalisms have been used. Whether or not this area of formal methods research merely allows us to integrate different, more ‘appropriate’, specification languages or gives rise to new hybrid languages remains to be seen. What is certain is that there are still many problems to be tackled and technology to be transferred.     

Interactive tool support for CSP || B consistency checking

CSP || B is an integration of two well known formal notations: CSP and B. It provides a method for modelling systems with both complex state (described in B machines) and control flow (described as CSP processes). Consistency checking within this approach verifies that a controller process never calls a B operation outside its precondition. Otherwise the behaviour of the operation cannot be predicted. In previous work, this check was carried out by manually decomposing the model before preprocessing the CSP processes to perform a hand-written weakest precondition proof. In this paper, a framework is described that mechanises consistency checking in a theorem prover and removes the need for preprocessing. This work is based on an existing PVS embedding of the CSP traces model, but it is extended by introducing a notion of state so that the interaction between processes and machines can be analysed. Numerous rules have been defined (and proved) which enable consistency checking and decomposition via PVS proof. These rules also formally justify the relaxation of previous constraints on CSP || B architectures, thereby widening the scope of CSP || B modelling. The PVS embedding and rules presented in this paper are not only applicable to CSP || B specifications, but to other combined approaches which use a non-blocking semantics for the state-based operations. R. Lazic, R. Nagarajan and J. C. P. Woodcock     

Enabling run-time composition and support for heterogeneous pervasive multi-agent systems

User needs-driven and computer-supported development of pervasive heterogeneous and dynamic multi-agent systems remains a great challenge for agent research community. This paper presents an innovative approach to composing, validating and supporting multi-agent systems at run-time. Multi-agent systems (MASs) can and should be assembled quasi-automatically and dynamically based on high-level user specifications which are transformed into a shared and common goal–mission. Dynamically generating agents could also be supported as a pervasive service. Heterogeneity of MASs refers to diverse functionality and constituency of the system which include mobile as well as host associated software agents. This paper proposes and demonstrates on-demand and just-in-time agent composition approach which is combined with run-time support for MASs. Run-time support is based on mission cost-efficiency and shared objectives which enable termination, generation, injection and replacement of software agents as the mission evolves at run-time. We present the formal underpinning of our approach and describe the prototype tool – called eHermes, which has been implemented using available agent platforms. Analysis and results of evaluating eHermes are presented and discussed.     

Efficient approximate verification of B and Z models via symmetry markers

We present a new approximate verification technique for falsifying the invariants of B models. The technique employs symmetry of B models induced by the use of deferred sets. The basic idea is to efficiently compute markers for states, so that symmetric states are guaranteed to have the same marker (but not the other way around). The falsification algorithm then assumes that two states with the same marker can be considered symmetric. We describe how symmetry markers can be efficiently computed and empirically evaluate an implementation, showing both very good performance results and a high degree of precision (i.e., very few non-symmetric states receive the same marker). We also identify a class of B models for which the technique is precise and therefore provides an efficient and complete verification method. Finally, we show that the technique can be applied to Z models as well.     

A template-based approach for the generation of abstractable and reducible models of featured networks

We investigate the relationship between symmetry reduction and inductive reasoning when applied to model checking networks of featured components. Popular reduction techniques for combatting state space explosion in model checking, like abstraction and symmetry reduction, can only be applied effectively when the natural symmetry of a system is not destroyed during specification. We introduce a property which ensures this is preserved, open symmetry. We describe a template-based approach for the construction of open symmetric Promela specifications of featured systems. For certain systems (safely featured parameterised systems) our generated specifications are suitable for conversion to abstract specifications representing any size of network. This enables feature interaction analysis to be carried out, via model checking and induction, for systems of any number of featured components. In addition, we show how, for any balanced network of components, by using a graphical representation of the features and the process communication structure, a group of permutations of the underlying state space of the generated specification can be determined easily. Due to the open symmetry of our Promela specifications, this group of permutations can be used directly for symmetry reduced model checking.The main contributions of this paper are an automatic method for developing open symmetric specifications which can be used for generic feature interaction analysis, and the novel application of symmetry detection and reduction in the context of model checking featured networks.We apply our techniques to a well known example of a featured network – an email system.     

Heterogeneous Notations for Pure Formal Method Integration

We outline an extendible approach for combining formal methods – such as Z, Morgan's refinement calculus, and predicative programming – based on composing specifications written in similar formal languages. We discuss how algorithm refinement can be extended to such a setting, and outline some examples of using integrated formal methods. We also provide justifications for why using combinations of similar methods might be helpful. Received November 1996 / Accepted in revised form August 1998     

Safety-critical Java programs from Circus models

Safety-Critical Java (SCJ) is a novel version of Java that addresses issues related to real-time programming and certification of safety-critical applications. In this paper, we propose a technique that reveals the issues involved in the formal verification of an SCJ program, and provides guidelines for tackling them in a refinement-based approach. It is based on Circus, a combination of well established notations: Z, CSP, Timed CSP, and object orientation. We cater for the specification of timing requirements and their decomposition towards the structure of missions and event handlers of SCJ. We also consider the integrated refinement of value-based specifications into class-based designs using SCJ scoped memory areas. We present a refinement strategy, a Circus variant that captures the essence of the SCJ paradigm, and a substantial example based approach on a concurrent version of a case study that has been used as a benchmark by the SCJ community: an aircraft collision detector.     

Live sequence charts applied to hardware requirements specification and verification

Techniques and tools for formally verifying compliance with industry standards are important, especially in System-on-Chip (SoC) designs: a failure to integrate externally developed intellectual property (IP) cores is prohibitively costly. There are three essential components in the practical verification of compliance with a standard. First, an easy-to-read and yet formal specification of the standard is needed; we propose Live Sequence Charts (LSCs) as a high-level visual notation for writing specifications. Second, assertions should be generated directly from the specification; an implementation will be scrutinized, usually by model checking, to check that it satisfies each assertion. Third, a formal link must be made between proofs of assertions and compliance with the original specification. As an example, we take the Virtual Component Interface (VCI) Standard. We compare three efforts in verifying that the same register transfer level code is VCI-compliant. The first two efforts were manual, while the third used a tool, lscAssert, to automatically generate assertions in LTL. We discuss the details of the assertion generation algorithm.     

FDR Explorer

We describe: (1) the internal structures of FDR, the refinement model checker for Hoare’s Communicating Sequential Processes (CSP); and (2) an application-programming interface (API) that allows users to interact more closely with FDR and to have finer-grain control over its behaviour and data structures. This API makes it possible to create optimised CSP code to perform refinement checks that are more space or time efficient, enabling the analysis of more complex and data-intensive specifications. The API can be used either by those constructing CSP models or by tools that automatically generate CSP code. We present examples of using our tool, including handling advanced FDR features such as transparent functions, which compress state spaces before checking. We also show how to transform FDR’s graph format into a graph notation such as JGraph, enabling visualisation of labelled transition systems of CSP specifications.