Building Specifications in the Event-B Institution

This paper describes a formal semantics for the Event-B specification language using the theory of institutions. We define an institution for Event-B, EVT, and prove that it meets the validity requirements for satisfaction preservation and model amalgamation. We also present a series of functions that show how the constructs of the Event-B specification language can be mapped into our institution. Our semantics sheds new light on the structure of the Event-B language, allowing us to clearly delineate three constituent sub-languages: the superstructure, infrastructure and mathematical languages. One of the principal goals of our semantics is to provide access to the generic modularisation constructs available in institutions, including specification-building operators for parameterisation and refinement. We demonstrate how these features subsume and enhance the corresponding features already present in Event-B through a detailed study of their use in a worked example. We have implemented our approach via a parser and translator for Event-B specifications, EBtoEVT, which also provides a gateway to the Hets toolkit for heterogeneous specification.Comment: 54 pages, 25 figure

The application of Software Metrics to the area of Formal Specification

In this work our aim has been to investigate the application of software metrics to the area of formal specification. We first look at the nature of Formal Methods and those most commonly in use. This suggests the scope for the type of specifications that should come under investigation. Metrics and the nature of measurement become an important consideration as we discuss how to assess Formal Methods themselves and their impact on software development. We look at the work already done in software metrics to see if parallels can be drawn with the proposed work on formal specification. To establish current knowledge about the use and effectiveness of Formal Methods we investigate to see how their benefits had been assessed by two major surveys. Further information on the impact of the methods is obtained by analysing the results from a series of case studies. We build on work done in a previous study to investigate and compare attributes of three formal specification notations. This gives valuable insights into possible attributes, the way measurements might be made and possible metrics to establish. Drawing together the knowledge and experiences gained from the background research we design three experiments to look at metrics for comprehensibility in formal specifications. The experiments together with their results and statistical analysis are described. The main findings show that the variable names, comment levels and structure of Z specifications have an effect on their comprehensibility

Event-B in the Institutional Framework: Defining a Semantics, Modularisation Constructs and Interoperability for a Specification Language

Event-B is an industrial-strength specification language for verifying the properties of a given system’s specification. It is supported by its Eclipse-based IDE, Rodin, and uses the process of refinement to model systems at different levels of abstraction. Although a mature formalism, Event-B has a number of limitations. In this thesis, we demonstrate that Event-B lacks formally defined modularisation constructs. Additionally, interoperability between Event-B and other formalisms has been achieved in an ad hoc manner. Moreover, although a formal language, Event-B does not have a formal semantics. We address each of these limitations in this thesis using the theory of institutions. The theory of institutions provides a category-theoretic way of representing a formalism. Formalisms that have been represented as institutions gain access to an array of generic specification-building operators that can be used to modularise specifications in a formalismindependent manner. In the theory of institutions, there are constructs (known as institution (co)morphisms) that provide us with the facility to create interoperability between formalisms in a mathematically sound way. The main contribution of this thesis is the definition of an institution for Event-B, EVT, which allows us to address its identified limitations. To this end, we formally define a translational semantics from Event- B to EVT. We show how specification-building operators can provide a unified set of modularisation constructs for Event-B. In fact, the institutional framework that we have incorporated Event-B into is more accommodating to modularisation than the current state-of-the-art for Rodin. Furthermore, we present institution morphisms that facilitate interoperability between the respective institutions for Event-B and UML. This approach is more generic than the current approach to interoperability for Event-B and in fact, allows access to any formalism or logic that has already been defined as an institution. Finally, by defining EVT, we have outlined the steps required in order to include similar formalisms into the institutional framework. Hence, this thesis acts as a template for defining an institution for a specification language

Comparison of Z and UML: Two Case Studies

Specification languages usually can provide simple abstract descriptions of complex behaviors of software systems. A large number of specification languages have been introduced for software development. One categorization of specification languages is formal vs. informal. Z and UML are the well-known formal and informal objectoriented specification languages, respectively. In this thesis, related work on Z and UML is reviewed. An overview of Z and UML is also provided. Z and UML are compared from the language aspects based on a set of criteria. In order to provide a practical basis, Z and UML are also compared, based on another set of criteria, using two classic case studies: the library database system and the elevator concurrent control system. The results of the comparison carried out in this thesis are listed. Z is a formal specification language. Specifications in Z are abstract and are based on mathematical definition. Z is mature and there are lots of tools to support it. UML is an informal objectoriented specification language. UML notations are icons, graphics, and English. Specifications in UML are easy to understand, but have the potential to be ambiguous. UML is getting more popular now and there are lots of tools to support UML. In addition to the theoretical comparison, Z and UML are compared using two classic case studies: the library database system and the elevator concurrent control system. The practical experience revealed that UML provided a good approach to modeling the main concepts using use case diagrams, collaboration diagrams, and state diagrams, while Z provided a precise model for specification of the problem. Z and UML appear to be complementary. Combining Z and UML in different phases and aspects is the recommended approach

Constructing and Refining Modules in a Type Theory

The need to apply formal specification and development of programs to large problems has highlighted a need for methods to support modular development. This has two aspects: the modular construction of specifications, and the implementation of modular specifications. This thesis is concerned with both these activities. The main body of work in the development of modular specifications has been carried out in the context of algebraic specification languages, and model-based languages such as Z. However, these languages fail to provide some important mechanisms for structuring specifications. Furthermore, the complex semantics of these languages lead to complicated definitions of what it means for a program to be an implementation of a specification. In this thesis, we show that Martin-Lof's Type Theory provides a framework for both the specification and implementation of program modules; and this framework addresses the shortcomings, noted above, in other specification formalisms. The basic theoretical notion underlying our approach is that a specification is a type, and that an implementation of such a specification is any element in the type. We present a module specification language, and its associated implementation language. The semantics of both the specification and implementation languages are defined in Martin-Lof's Type Theory. We define some specification building operators for our specification language, and show how modular specifications may be incrementally constructed using the specification operators. We give some laws about the specification operators and show how these laws can be used to reason about, and restructure, modular specifications. We define a notion of refinement that supports the implementation of modular specifications by systematic mathematical transformation. We give some refinement laws for refining modular specifications. We also define some operators on program modules, and show how these operators can be used to systematically implement modular specifications

Inter-module code analysis techniques for software maintenance

The research described in this thesis addresses itself to the problem of maintaining large, undocumented systems written in languages that contain a module construct. Emphasis is placed on developing techniques for analysing the code of these systems, thereby helping a maintenance programmer to understand a system. Techniques for improving the structure of a system are presented. These techniques help make the code of a system easier to understand. All the code analysis techniques described in this thesis involve reasoning with, and manipulating, graphical representations of a system. To help with these graph manipulations, a set of graph operations are developed that allow a maintenance programmer to combine graphs to create a bigger graph, and to extract subgraphs from a given graph that satisfy specified constraints. A relational database schema is developed to represent the information needed for inter-module code analysis. Pointers are given as to how this database can be used for inter-module code analysis

A methodology for the requirements analysis of critical real-time systems

PhD ThesisThis thesis describes a methodology for the requirements analysis of critical real-time systems. The methodology is based on formal methods, and provides a systematic way in which requirements can be analysed and specifications produced. The proposed methodology consists of a framework with distinct phases of analysis, a set oftechniques appropriate for the issues to be analysed at each phase of the framework, a hierarchical structure of the specifications obtained from the process of analysis, and techniques to perform quality assessment of the specifications. The phases of the framework, which are abstraction levels for the analysis of the requirements, follow directly from a general structure adopted for critical real-time systems. The intention is to define abstraction levels, or domains, in which the analysis of requirements can be performed in terms of specific properties of the system, thus reducing the inherent complexity of the analysis. Depending on the issues to be analysed in each domain, the choice of the appropriate formalism is determined by the set of features, related to that domain, that a formalism should possess. In this work, instead of proposing new formalisms we concentrate on identifying and enumerating those features that a formalism should have. The specifications produced at each phase of the framework are organised by means of a specification hierarchy, which facilitates our assessment of the quality of the requirements specifications, and their traceability. Such an assessment should be performed by qualitative and quantitative means in order to obtain high confidence (assurance) that the level of safety is acceptable. In order to exemplify the proposed methodology for the requirements analysis of critical real-time systems we discuss a case study based on a crossing of two rail tracks (in a model railway), which raises safety issues that are similar to those found at a traditional level crossing (i.e. rail-road)CAPES/Ministry of Education (Brazil

Enhancing the usability of rely-guarantee conditions for atomicity refinement

Formal methods are a useful tool for increasing the confidence in the correctness of computer programs with respect to their specifications. Formal methods allow designers to model specifications and these formal models can then be reasoned about in a rigourous way. Formal methods for sequential processes are well-understood, however formal methods for concurrent programs are more difficult, because of the interference which may arise when programs run concurrently. Rely-guarantee reasoning is a well-established formal method for modelling concurrent programs. Rely-guarantee conditions offer a tractable and compositional approach to reasoning about concurrent programs, by allowing designers to reason about the interference inherent in concurrent systems. While useful, there are certain weaknesses in rely-guarantee conditions. In particular, the requirement for rely-guarantee conditions to describe whole-state updates can make large specifications unwieldy. Similarly, it can be difficult to describe problems which exhibit distinct phases of execution. The main contribution of this thesis is to show ways in which these two weaknesses of rely-guarantee reasoning can be addressed. In turn, this enhances the usability of rely-guarantee conditions. Atomicity refinement is a potentially useful tool for simplifying the development of concurrent programs. The central idea is that designers can record (possibly unrealistic) atomicity assumptions about the eventual implementation of a program. This fiction of atomicity simplifies the design process by avoiding the difficult issue of interference. It is then necessary to identify ways in which this atomicity can be relaxed and concurrent execution introduced. This thesis also argues that the choice of data representation plays an important role in achieving atomicity refinement. In addition, this thesis presents an argument that rely-guarantee conditions and VDM offer a potentially fruitful approach to atomicity refinement. Specifically, rely-conditions can be used to represent assumptions about atomicity and the refinement rules of VDM allow different data representations to be introduced. To this end, a more usable approach to rely-guarantee reasoning would benefit the search for a usable form of atomicity refinement. All of these points are illustrated with a novel development of Simpson’s Four-Slot, a mechanism for asynchronous communication between processes.EThOS - Electronic Theses Online ServiceEPSRCGBUnited Kingdo