8 research outputs found
From Event-B models to Dafny code contracts
International audienceThe constructive approach to software correctness aims at formal modelling and verification of the structure and behaviour of a system in different levels of abstraction. In contrast, the analytical approach to software verification focuses on code level correctness and its verification. Therefore it would seem that the constructive and analytical approaches should complement each other well. To demonstrate this idea we present a case for linking two existing verification methods, Event-B (constructive) and Dafny (analytical). This approach combines the power of Event-B abstraction and its stepwise refinement with the verification capabilities of Dafny. We presented a small case study to demonstrate this approach and outline of the rules for transforming Event-B events to Dafny contracts. Finally, a tool for automatic generation of Dafny contracts from Event-B formal models is presented
Code generation for event-B
Stepwise reļ¬nement and Design-by-Contract are two formal approaches for modelling systems. These approaches are widely used in the development of systems. Both approaches have (dis-)advantages: in stepwise reļ¬nement a model starts with an abstraction of the system and more details are added through reļ¬nements. Each reļ¬nement must be provably consistent with the previous one. Hence, reasoning about abstract models is possible. A high level of expertise is necessary in mathematics to have a good command of the underlying languages, techniques and tools, making this approach less popular. Design-by-Contract, on the other hand, works on the program rather than the program model, so developers in the software industry are more likely to have expertise in it. However, the beneļ¬t of reasoning over more abstract models is lost. A question arises: is it possible to combine both approaches in the development of systems, providing the user with the beneļ¬ts of both? This thesis answers this question by translating the stepwise reļ¬nement method with EventB to Design-by-Contract with Java and JML, so users can take full advantage of both formal approaches without losing their beneļ¬ts. This thesis presents a set of syntactic rules that translates Event-B to JML-annotated Java code. It also presents the implementation of the syntactic rules as the EventB2Java tool. We used EventB2Java to translate several Event-B models. The tool generated JML-annotated Java code for all the considered Event-B models that serve as ļ¬nal implementation. We also used EventB2Java for the development of two software applications. Additionally, we compared EventB2Java against two other tools that also generate Java code from Event-B models. EventB2Java enables users to start the software development process in Event-B, where users can model the system and prove its consistency, to then transition to JML-annotated Java code, where users can continue the development process
Transforming Event-B models to Dafny contracts
Our work aims to build a bridge between constructive (top-down) and analytical (bottom-up) approaches to software verification. This paper presents a tool-supported method for linking two existing verification methods: Event-B (constructive) and Dafny (analytical). This method combines Event-B abstraction and refinement with the code-level verification features of Dafny. The link transforms Event-B models to Dafny contracts by providing a framework in which Event-B models can be implemented correctly. The paper presents a method for transformation of Event-B models of abstract data types to Dafny contracts. Also a prototype tool implementing the transformation method is outlined. The paper also defines and proves a formal link between property verification in Event-B and Dafny. Our approach is illustrated with a small case study
Specification Reuse using Data Refinement in Dafny
Data refinement is a technique for transforming system specifications into system implementation that differs in data types. It gives us the freedom to write specifications in a way that is independent of its implementation; moreover we can generate multiple implementations without changing the system specifications, the client does not have to worry about the underlying implementation. Abstraction Invariant is used to relate the high level abstract specification to its concrete implementation.
Dafny is a research language developed by Microsoft. Its main focus is data refinement. The language provides the rich mathematical properties such as sequences, sets and multi-set, along with functions, predicates, methods and user defined data types. In Dafny the Abstraction Invariant is in the form of a function, which is added as a pre and post conditions to all of methods and functions. Given this function one can verify that the code is providing the implementation that satisfies its specifications even when the specification is defined in term of one data structure and the code is implemented in term of another data structure. Dafny works with Boogie which is a static program verifier and the SMT solver Z3. These are the main underlying technologies for verification: Dafny code is translated in to Boogie from which the verification conditions are generated for Z3 in order to verify the program.
In this research the programmer over head is identified when replacing one implementation to another in terms of underlying data structure change while preserving the client specification. The motivation behind this work is to assist programmers to come up with a quick solution in situations such as āslow system performanceā with new system implementation. Moreover, a semi automatic tool is developed for transforming one implementation to another without changing the client specifications. The result is the generation of a semi verified program whose implementation is in terms of a data structure other than that used in the specifications. The verification can be fully automatic through the provision of implementation details from the user
Event-B in the Institutional Framework: Defining a Semantics, Modularisation Constructs and Interoperability for a Specification Language
Event-B is an industrial-strength specification language for verifying
the properties of a given systemās specification. It is supported by its
Eclipse-based IDE, Rodin, and uses the process of refinement to model
systems at different levels of abstraction. Although a mature formalism,
Event-B has a number of limitations. In this thesis, we demonstrate that
Event-B lacks formally defined modularisation constructs. Additionally,
interoperability between Event-B and other formalisms has been
achieved in an ad hoc manner. Moreover, although a formal language,
Event-B does not have a formal semantics. We address each of these
limitations in this thesis using the theory of institutions.
The theory of institutions provides a category-theoretic way of representing
a formalism. Formalisms that have been represented as institutions
gain access to an array of generic specification-building operators
that can be used to modularise specifications in a formalismindependent
manner. In the theory of institutions, there are constructs
(known as institution (co)morphisms) that provide us with the facility to
create interoperability between formalisms in a mathematically sound
way.
The main contribution of this thesis is the definition of an institution
for Event-B, EVT, which allows us to address its identified limitations.
To this end, we formally define a translational semantics from Event-
B to EVT. We show how specification-building operators can provide
a unified set of modularisation constructs for Event-B. In fact, the institutional
framework that we have incorporated Event-B into is more
accommodating to modularisation than the current state-of-the-art for
Rodin. Furthermore, we present institution morphisms that facilitate interoperability between the respective institutions for Event-B and UML.
This approach is more generic than the current approach to interoperability
for Event-B and in fact, allows access to any formalism or logic
that has already been defined as an institution. Finally, by defining
EVT, we have outlined the steps required in order to include similar
formalisms into the institutional framework. Hence, this thesis acts as a
template for defining an institution for a specification language
A reactive architecture for cloud-based system engineering
PhD ThesisSoftware system engineering is increasingly practised over globally distributed locations. Such a practise is termed as Global Software Development (GSD). GSD has become a business necessity mainly because of the
scarcity of resources, cost, and the need to locate development closer to
the customers. GSD is highly dependent on requirements management,
but system requirements continuously change. Poorly managed change in
requirements affects the overall cost, schedule and quality of GSD projects.
It is particularly challenging to manage and trace such changes, and hence
we require a rigorous requirement change management (RCM) process.
RCM is not trivial in collocated software development; and with the presence of geographical, cultural, social and temporal factors, it makes RCM
profoundly difficult for GSD. Existing RCM methods do not take into
consideration these issues faced in GSD. Considering the state-of-the-art
in RCM, design and analysis of architecture, and cloud accountability,
this work contributes:
1. an alternative and novel mechanism for effective information and
knowledge-sharing towards RCM and traceability.
2. a novel methodology for the design and analysis of small-to-medium
size cloud-based systems, with a particular focus on the trade-off of
quality attributes.
3. a dependable framework that facilitates the RCM and traceability
method for cloud-based system engineering.
4. a novel methodology for assuring cloud accountability in terms of
dependability.
5. a cloud-based framework to facilitate the cloud accountability methodology.
The results show a traceable RCM linkage between system engineering
processes and stakeholder requirements for cloud-based GSD projects,
which is better than existing approaches. Also, the results show an improved dependability assurance of systems interfacing with the unpredictable cloud environment. We reach the conclusion that RCM with
a clear focus on traceability, which is then facilitated by a dependable
framework, improves the chance of developing a cloud-based GSD project
successfully