An incremental development of the Mondex system in Event-B

A development of the Mondex system was undertaken using Event-B and its associated proof tools. An incremental approach was used whereby the refinement between the abstract specification of the system and its detailed design was verified through a series of refinements. The consequence of this incremental approach was that we achieved a very high degree of automatic proof. The essential features of our development are outlined. We also present some modelling and proof guidelines that we found helped us gain a deep understanding of the system and achieve the high degree of automatic proo

Reasoned modelling critics: turning failed proofs into modelling guidance

The activities of formal modelling and reasoning are closely related. But while the rigour of building formal models brings significant benefits, formal reasoning remains a major barrier to the wider acceptance of formalism within design. Here we propose reasoned modelling critics — an approach which aims to abstract away from the complexities of low-level proof obligations, and provide high-level modelling guidance to designers when proofs fail. Inspired by proof planning critics, the technique combines proof-failure analysis with modelling heuristics. Here, we present the details of our proposal, implement them in a prototype and outline future plans

Scalable reaction network modeling with automatic validation of consistency in Event-B

Constructing a large biological model is a difficult, error-prone process. Small errors in writing a part of the model cascade to the system level and their sources are difficult to trace back. In this paper we extend a recent approach based on Event-B, a state-based formal method with refinement as its central ingredient, allowing us to validate for model consistency step-by-step in an automated way. We demonstrate this approach on a model of the heat shock response in eukaryotes and its scalability on a model of the ErbB signaling pathway. All consistency properties of the model were proved automatically with computer support.</p

Rigorous Design of Fault Tolerance and Recovery Algorithm for Disaster Management and Relief Distribution System using Event-B

518-529India is vulnerable to disasters such as earthquakes, floods, tsunamis, landslides forest fires and cyclones due to its unique socio-economic and geo-climatic conditions. Twenty seven out of thirty-six states and union territories are prone to different types of disasters which cause loss of life, disruption of livelihoods, damage to infrastructure and property which in turn becomes a heavy burden on the national economy. Effective management of relief work is a key step towards normalizing human life post disaster. In this paper, we have presented the formal development and verification of a fault tolerance and recovery algorithm for district level disaster control centers in India which are connected to each other via a communication network. Formal methods help in the verification of critical properties of complex systems by developing mathematical models so that design errors can be detected and removed during the early stages of software development. Event-B, which is a formal method and Rodin platform is used for this work. Event-B is a mathematical language of first-order logic to provide a solution to the complex algorithms formally. In this algorithm a Disaster Control Centre is chosen as the coordinator based on its unique vote value. This vote value is allotted and modified dynamically based on the extent of damage in the area where the center is located. The center having the highest vote value among the currently active centers is elected as the coordinator. The correctness of the algorithm is verified through discharge of proof obligations generated by the Event-B model

Rigorous Design of Distributed Transactions

Database replication is traditionally envisaged as a way of increasing fault-tolerance and availability. It is advantageous to replicate the data when transaction workload is predominantly read-only. However, updating replicated data within a transactional framework is a complex affair due to failures and race conditions among conflicting transactions. This thesis investigates various mechanisms for the management of replicas in a large distributed system, formalizing and reasoning about the behavior of such systems using Event-B. We begin by studying current approaches for the management of replicated data and explore the use of broadcast primitives for processing transactions. Subsequently, we outline how a refinement based approach can be used for the development of a reliable replicated database system that ensures atomic commitment of distributed transactions using ordered broadcasts. Event-B is a formal technique that consists of describing rigorously the problem in an abstract model, introducing solutions or design details in refinement steps to obtain more concrete specifications, and verifying that the proposed solutions are correct. This technique requires the discharge of proof obligations for consistency checking and refinement checking. The B tools provide significant automated proof support for generation of the proof obligations and discharging them. The majority of the proof obligations are proved by the automatic prover of the tools. However, some complex proof obligations require interaction with the interactive prover. These proof obligations also help discover new system invariants. The proof obligations and the invariants help us to understand the complexity of the problem and the correctness of the solutions. They also provide a clear insight into the system and enhance our understanding of why a design decision should work. The objective of the research is to demonstrate a technique for the incremental construction of formal models of distributed systems and reasoning about them, to develop the technique for the discovery of gluing invariants due to prover failure to automatically discharge a proof obligation and to develop guidelines for verification of distributed algorithms using the technique of abstraction and refinement

Enhancing the usability of rely-guarantee conditions for atomicity refinement

Formal methods are a useful tool for increasing the confidence in the correctness of computer programs with respect to their specifications. Formal methods allow designers to model specifications and these formal models can then be reasoned about in a rigourous way. Formal methods for sequential processes are well-understood, however formal methods for concurrent programs are more difficult, because of the interference which may arise when programs run concurrently. Rely-guarantee reasoning is a well-established formal method for modelling concurrent programs. Rely-guarantee conditions offer a tractable and compositional approach to reasoning about concurrent programs, by allowing designers to reason about the interference inherent in concurrent systems. While useful, there are certain weaknesses in rely-guarantee conditions. In particular, the requirement for rely-guarantee conditions to describe whole-state updates can make large specifications unwieldy. Similarly, it can be difficult to describe problems which exhibit distinct phases of execution. The main contribution of this thesis is to show ways in which these two weaknesses of rely-guarantee reasoning can be addressed. In turn, this enhances the usability of rely-guarantee conditions. Atomicity refinement is a potentially useful tool for simplifying the development of concurrent programs. The central idea is that designers can record (possibly unrealistic) atomicity assumptions about the eventual implementation of a program. This fiction of atomicity simplifies the design process by avoiding the difficult issue of interference. It is then necessary to identify ways in which this atomicity can be relaxed and concurrent execution introduced. This thesis also argues that the choice of data representation plays an important role in achieving atomicity refinement. In addition, this thesis presents an argument that rely-guarantee conditions and VDM offer a potentially fruitful approach to atomicity refinement. Specifically, rely-conditions can be used to represent assumptions about atomicity and the refinement rules of VDM allow different data representations to be introduced. To this end, a more usable approach to rely-guarantee reasoning would benefit the search for a usable form of atomicity refinement. All of these points are illustrated with a novel development of Simpson’s Four-Slot, a mechanism for asynchronous communication between processes.EThOS - Electronic Theses Online ServiceEPSRCGBUnited Kingdo