Automatic Generation of C from Event-B

Abstract. Event-B [15] is a formal modeling method intended to support refinement, an initial system description at a high level of abstraction with detail added in successive understandable steps. The refinement process may be carried to its logical conclusion, specification of all detail needed to define an executable in a high-level language, and automatic generation of source code from the model via a suitable tool. The introduction of the RODIN [20] tool-set allows such extensions to be provided by third-party developers [3], and translation of Event-B to the C [12] programming language has always been intended [2]. This paper discusses the requirements of such a tool, introduces the B2C extension to RODIN that has been developed to meet these needs, and describes its use on a practical example. 1

The use of knowledge management systems and Event-B modelling in a lean enterprise

This paper provides a case study describing an approach to improving the efficiency of an information system (IS) by supporting processes outside the IS, using the ontology-driven knowledge management systems (KMS) as a mini-application in the area of so-called lean enterprise. Lean enterprise is focused on creating a maximal value for final customers while eliminating all kinds of waste and unnecessary costs, which significantly helps to increase the level of its competitiveness. It is about managerial decision-making, which can be in some cases contradictory (solving a local problem can cause a problem in another place). In this paper, we describe the KMS ATOM, which supports the innovation process in a lean enterprise. We show how the risk of wrong decisions due to contradictory effects can be eliminated by implementing a safety-critical system into the traditional IS. Our model is supported by Event-B modelling, a refinement-based formal modelling method, which is successfully used in important areas such as infrastructure, medicine, nuclear engineering and transportation (fire alarm systems, robotic surgery machines, braking systems in transportation, etc.). Nowadays, Event-B modelling is starting to be used for various management decision-making activities, and it is becoming a powerful competitiveness tool. This paper introduces a simple example of how Event-B modelling and its proof obligations can help improve and automate the decision-making process by eliminating potential threats of inefficient decisions.RVO project "Modelling of effective production and administration processes parameters in industrial companies based on the concept Industry 4.0

Concurrent Scheduling of Event-B Models

Event-B is a refinement-based formal method that has been shown to be useful in developing concurrent and distributed programs. Large models can be decomposed into sub-models that can be refined semi-independently and executed in parallel. In this paper, we show how to introduce explicit control flow for the concurrent sub-models in the form of event schedules. We explore how schedules can be designed so that their application results in a correctness-preserving refinement step. For practical application, two patterns for schedule introduction are provided, together with their associated proof obligations. We demonstrate our method by applying it on the dining philosophers problem

Scheduling of guarded command based models

Formal methods provide a means of reasoning about computer programs in order to prove correctness criteria. One subtype of formal methods is based on the weakest precondition predicate transformer semantics and uses guarded commands as the basic modelling construct. Examples of such formalisms are Action Systems and Event-B. Guarded commands can intuitively be understood as actions that may be triggered when an associated guard condition holds. Guarded commands whose guards hold are nondeterministically chosen for execution, but no further control flow is present by default. Such a modelling approach is convenient for proving correctness, and the Refinement Calculus allows for a stepwise development method. It also has a parallel interpretation facilitating development of concurrent software, and it is suitable for describing event-driven scenarios. However, for many application areas, the execution paradigm traditionally used comprises more explicit control flow, which constitutes an obstacle for using the above mentioned formal methods. In this thesis, we study how guarded command based modelling approaches can be conveniently and efficiently scheduled in different scenarios. We first focus on the modelling of trust for transactions in a social networking setting. Due to the event-based nature of the scenario, the use of guarded commands turns out to be relatively straightforward. We continue by studying modelling of concurrent software, with particular focus on compute-intensive scenarios. We go from theoretical considerations to the feasibility of implementation by evaluating the performance and scalability of executing a case study model in parallel using automatic scheduling performed by a dedicated scheduler. Finally, we propose a more explicit and non-centralised approach in which the flow of each task is controlled by a schedule of its own. The schedules are expressed in a dedicated scheduling language, and patterns assist the developer in proving correctness of the scheduled model with respect to the original one

Building Specifications in the Event-B Institution

This paper describes a formal semantics for the Event-B specification language using the theory of institutions. We define an institution for Event-B, EVT, and prove that it meets the validity requirements for satisfaction preservation and model amalgamation. We also present a series of functions that show how the constructs of the Event-B specification language can be mapped into our institution. Our semantics sheds new light on the structure of the Event-B language, allowing us to clearly delineate three constituent sub-languages: the superstructure, infrastructure and mathematical languages. One of the principal goals of our semantics is to provide access to the generic modularisation constructs available in institutions, including specification-building operators for parameterisation and refinement. We demonstrate how these features subsume and enhance the corresponding features already present in Event-B through a detailed study of their use in a worked example. We have implemented our approach via a parser and translator for Event-B specifications, EBtoEVT, which also provides a gateway to the Hets toolkit for heterogeneous specification.Comment: 54 pages, 25 figure

Vérification des politiques XACML avec le langage Event-B

Les politiques permettent de définir les règles de la sécurité et de la gestion des différents composants du système. Cela implique l'emploi d'un langage pour exprimer les règles d'affaires et les règles non fonctionnelles, et de donner aux utilisateurs la possibilité de tester et de corriger les politiques. Plusieurs langages tels que XACML, Rei ou PONDER, sont utilisés pour exprimer les politiques par rapport aux objectifs du système d'information. Ces langages peuvent définir plusieurs règles et politiques, mais la plupart de ces langages ne donnent pas de mécanisme pour tester et vérifier la présence des conflits et de l'incohérence entre les politiques du système. Ce mémoire vise la vérification des politiques de contrôle d'accès. Notre approche consiste à traduire les politiques XACML sous forme d'un ensemble de machines abstraites de la méthode B. Nous exprimons aussi les propriétés à vérifier par des formules logiques. L'approche offre aux utilisateurs des moyens pour vérifier les politiques afin de s'assurer que les règles expriment bien les objectifs régissant le comportement et les interactions des systèmes gérés. Dans la première phase, les composantes des politiques XACML ont été exprimées avec des expressions formelles basées sur la logique du premier ordre. Par la suite, les outils développés pour la méthode B, comme le langage Event-B sous la plate forme Rodin, ont été utilisés pour vérifier les règles des politiques par rapport à un ensemble de propriétés que nous avons définies. Notre approche est plus flexible et permet aux utilisateurs de tester et de vérifier les règles avant l'implémentation de ces politiques. Une telle vérification est fondée sur les preuves avec logique du premier ordre, où des propriétés importantes de la politique peuvent être énoncées et prouvées. \ud ______________________________________________________________________________ \ud MOTS-CLÉS DE L’AUTEUR : Politique, XACML, Méthode formelle, Event-B, Vérification

On the Extensibility of Formal Methods Tools

Modern software systems often have long lifespans over which they must continually evolve to meet new, and sometimes unforeseen, requirements. One way to effectively deal with this is by developing the system as a series of extensions. As requirements change, the system evolves through the addition of new extensions and, potentially, the removal of existing extensions. In order for this kind of development process to thrive, it is necessary that the system have a high level of extensibility. Extensibility is the capability of a system to support the gradual addition of new, unplanned functionalities. This dissertation investigates extensibility of software systems and focuses on a particular class of software: formal methods tools. The approach is broad in scope. Extensibility of systems is addressed in terms of design, analysis and improvement, which are carried out in terms of source code and software architecture. For additional perspective, extensibility is also considered in the context of formal modelling. The work carried out in this dissertation led to the development of various extensions to the Overture tool supporting the Vienna Development Method, including a new proof obligation generator and integration with theorem provers. Additionally, the extensibility of Overture itself was also improved and it now better supports the development and integration of various kinds of extensions. Finally, extensibility techniques have been applied to formal modelling, leading to an extensible architectural style for formal models

Extending Event-B with discrete timing properties

Event-B is a formal language for systems modelling, based on set theory and predicate logic. It has the advantage of mechanized proof, and it is possible to model a system in several levels of abstraction by using refinement. Discrete timing properties are important in many critical systems. However, modelling of timing properties is not directly supported in Event-B. In this work, we identify three main categories of discrete timing properties for trigger response patterns, deadline, delay and expiry. We introduce language constructs for each of these timing properties that augment the Event-B language. We describe how these constructs have been given a semantics in terms of the standard Event-B constructs. To ease the process of using timing properties in a refinement-based development, we introduce patterns for refining the timing constructs that allow timing properties on abstract models to be replaced by timing properties on refined models. The language constructs and refinement patterns are illustrated through some generic examples.We have developed a tool to support our approach. Our tool is a plug-in to the Rodin tool-set for Event-B and automates the translation of timing properties to Event-B as well as the generation of gluing invariants, required to verify the consistency of timing properties refinement. In the end, we demonstrate the practicality of our approach, by going through the modelling and verifying process of two real-time case studies. The main focus will be the usefulness of the timing refinement patterns in a step-wise modelling and verification process of a real-time system