The substitution of a system with another one may occur in several situations
like system adaptation, system failure management, system resilience, system
reconfiguration, etc. It consists in replacing a running system by another one
when given conditions hold. This contribution summarizes our proposal to define
a formal setting for proving the correctness of system substitution. It relies
on refinement and on the Event-B method.Comment: EDCC-2014, Student-Forum, System Substitution, state rRecovery,
  correct-bycorrection, Event-B, refinemen

Babin, Guillaume

English

arXiv

The substitution of a system with another one may occur in several situations like system adaptation, system failure management, system resilience, system reconfiguration, etc. It consists in replacing a running system by another one when given conditions hold. This contribution summarizes our proposal to define a formal setting for proving the correctness of system substitution. It relies on refinement and on the Event-B method

Open Archive Toulouse Archive Ouverte

 Open Archive TOULOUSE Archive Ouverte (OATAO) OATAO is an open access repository that collects the work of Toulouse researchers andmakes it freely available over the web where possible. This  is  an author-deposited version published in  :  http://oatao.univ-toulouse.fr/Eprints ID : 13147To cite this version : Babin, Guillaume A formal approach for correct-by-construction system substitution. (2014) In: European Dependable Computing Conference (EDCC), 13 May 2014 - 16 May 2014 (Newcastle, United Kingdom). Any correspondance concerning this service should be sent to the repositoryadministrator: staff-oatao@listes-diff.inp-toulouse.frA formal approach forcorrect-by-construction system substitutionGuillaume Babin∗‡∗Université de Toulouse ; INP, IRIT ; 2 rue Camichel, BP 7122, 31071 Toulouse Cedex 7, France‡CNRS ; Institut de Recherche en Informatique de Toulouse ; Toulouse, Franceguillaume.babin@irit.frAbstract—The substitution of a system with another one mayoccur in several situations like system adaptation, system failuremanagement, system resilience, system reconfiguration, etc. Itconsists in replacing a running system by another one when givenconditions hold. This contribution summarizes our proposal todefine a formal setting for proving the correctness of systemsubstitution. It relies on refinement and on the Event-B method.Keywords: system substitution, state recovery, correct-by-correction, Event-B, refinementI. MOTIVATIONSeveral efforts were devoted to the formal developmentof complex systems. Different formal approaches have beendefined, they led to numerous system developments in reallife applications like transportation systems, web applications,information and data management, etc.One of the major concerns in system development relates tothe substitutability of a system by another one. This capabilitycan be seen throughout different concerns. Among these oneswe are mainly interested in two of them: functional andbehavioural concerns.1) The functional concern deals with the function of thesystem i.e. what it does. We have identified three mainsubstitutions:- a system may be replaced by an equivalent one;- a system may be degraded i.e. replaced by a sys-tem achieving less functions, the problem being toidentify that the critical ones are still achieved;- a system may be upgraded i.e. replaced by a systemachieving more functions.The functional concern relates to the preservation of thefunctions of the substituted system by the substitute one.This preservation is studied through property verifica-tion. Classical formal verification techniques guaranteethat the substituted and the substitute systems refine thesame specification.2) The behavioural concern deals with the behaviour ofa system in terms of execution sequences. We haveidentified two main substitutions:- a system may be replaced by another system, but itrequires to restart the system from its initial state.This corresponds to a cold start substitution;- a system may be replaced at a given state byanother system recovering this state and pursuingthe execution of the system from this recoveredstate. This corresponds to a warm start or hot startsubstitution.The behavioural concern requires an explicit modellingof system states during execution.Through these concerns several properties like dependability[1], adaptation [2] [3], resilience, self-healing systems [4], lossof QoS can be addressed.System substitution is performed when an event requiringthis change occurs. In several cases, this event is (or theseevents are) triggered by monitors in case of monitored systems,or by evaluating a given situation in autonomous systems(self-⋆ systems).This paper overviews the formal approach we propose tohandle system substitutions.II. OUR APPROACHIn the following, we consider systems that are expressed asstates and transitions describing state changes. Our approachis a correct-by-construction one, it relies on refinement and onthe Event-B method [5] [6] [7] [8]. It addresses system substi-tution and covers both concerns, functional and behavioural.A. The functional concern: refinementRefinement relates an abstract system to a concrete one.The refined concrete system preserves the properties of theabstract one. Both of the three identified cases of the functionalconcern may be encoded by refinement. Indeed, several con-crete representations of a given specification can be given atdifferent abstraction levels, linked by a refinement relationship.Invariants represent the key feature for describing equivalent,degraded or upgraded systems.B. The behavioural concern: refinement and variantsOnce the functional concern has been addressed, it becomespossible to assert that a system may substitute another one inone of the three identified cases above. When a system runs,one obvious substitution case corresponds to a re-start of thesubstitute system. But, when the sequence of system runningstates is recorded, one may identify correlations between thestates of the substitute system and the current state of thesubstituted system. Our proposal is to use explicit variantsto identify the substitution state and invariants to expresssuch state correlation. Indeed, variants describe the sequenceof running states. Correspondences between states of thesubstituted and of the substitute system are expressed by thevariant values. Invariants define properties between the statesof both systems, enabling the copy of the substituted statevariables to the substitute state variables.C. Why Event-B ?The Event-B method is set-up in order to formalise our ap-proach. Event-B is a state-based method that promotes correct-by-construction development paradigm and formal verificationby theorem proving. Indeed, Event-B supports the definition ofstate-based systems where transitions recording state changesare encoded by events. Moreover, it offers the capability toexplicitly express variants and invariants, and to build systemsusing refinements.1) Event-B refinement for the functional concern: a toplevel machine, representing the main function(s) of a systemmay be refined by one or more other machines leading todifferent concrete system designs. All the obtained machinesare possible system substitutes.2) Event-B refinement and variants for the behaviouralconcern: it is possible to link two substitute systems of thesame system into a single refinement. The idea consists inlinking these two substitutes with a property establishing arelation between the state variables of one substitute systemand the corresponding state variables of the other substitutesystem. We call this property an horizontal invariant. Thecorresponding state is defined thanks to explicit variants.Indeed, a state of the substitute system can recover the stateof another substitute system if their variant values match. Aspecific event switch commutes to the substitute system in asingle Event-B model of both systems.III. FORMALISATION WITH EVENT-BA. Functional concernThe first step consists in defining a top level specificationEvent-B machine. Each system, refining this specification isconsidered as a potential substitute. Obviously, the choseninvariant defines the nature of this substitution (equivalence,degradation or upgrade). Once these refinements have beenconducted, we get a set of potential substitutes.B. Behavioural concernThe behavioural concern requires the explicit manipulationof the current state of the system to be substituted. Therefore,our model defines systems as pairs (sv, V arExp):- sv being a subset of V ars the set of system variables,such that sv ⊆ V ars- an expression V arExp = exp(v1, · · · , vn) over vi ∈ svevaluating to a natural number and defining a decreasingfunction. This expression describes a variant for thestudied system.This model, combining functional and behavioural concerns,is generic enough to enable the expression of a system togetherwith an explicit representation of its states, if combined witha valuation of its variables. This explicit representation makesit possible to explicitly manipulate a state in an Event-B ma-chine. As a consequence of this modelling, the expression ofgeneric mechanisms combining variant values for recoveringstates becomes possible.C. Fragment of the Event-B generic modelThe following Event-B fragment results from the previouslydescribed model.- V ariables defines the carrier set containing all the sys-tem variables- V alues is the carrier set of the values of the variables- V ariablesSets ⊆ P (V ariables) a set of sets of vari-ables to identify the variables of each system (partition)- V aluations = V ariables → V alues functions that givethe value of a variable- Systems = V ariablesSets × (V aluations → N) asystem is a pair composed of a group of variables and avariant function- Systems states = Systems × V aluations: all thestates of the systems, i.e. pairs (system – variables values)IV. CASE STUDYTo illustrate our approach a case study issued from elec-tronic commerce is shown. We consider an online purchase ofgoods composed of four steps: selection of goods by filling acart, payment, billing and delivery. Solely the selection stepis detailed below. Moreover, for this case study, we considerthat the event triggering the system substitution is a systemfailure. A failure may occur while the client is filling his cartwith goods during the selection step. Failure is the event thattriggers system substitution.Setting up our approach led to the following steps.A. Functional concern- an upper model level with an abstract selection of a setof goods in a cart has been designed (corresponding tothe Event-B machine M1);- a first basic selection system (Sys1) composed of onecart located on a website, has been created by refiningM1 (machine M11);- a second basic selection system (Sys2) composed of twocarts located on different websites, without failures, hasbeen created by refining M1 (machine M12);- a system composed of the previous ones. The used systemis chosen at initialisation (machine M13 refining M1).B. Behavioural concern- The first step towards handling the behavioural concernwas the creation of an abstract selection feature, refiningM1 and introducing the possibility to switch from Sys1 toits substitute Sys2 . Here, we detail the switching processonly. (Machine M14)- Cold start. M14 is refined, by defining a mechanismthat substitutes Sys1 by Sys2 with a reinitialisation on theTABLE IPROOFS STATISTICSEvent-B Total Automatic InteractiveMachine PO proof proofM1 31 27 4 (13%)M11 28 27 1 (4%)M12 57 56 1 (2%)M13 99 97 2 (2%)M141 133 129 4 (3%)M142 230 214 16 (7%)Generic model 37 28 9 (24%)Instanciation 53 39 14 (26%)initial state of Sys2. The event triggering the substitutionre-initialises Sys2 from its initial state. (Machine M14)- Hot or Warm start. M14 is refined to a machine whereSys1 is substituted by Sys2 with preservation of theprevious Sys1 executions. The event that triggers thesubstitution restores the current state of Sys2 to a state thatfunctionally matches with Sys1 state before substitution.By functionally, we mean that there is no selected goodsof Sys1 cart that are lost. (Machine M142)C. Instanciation of the generic modelWe instantiated our model, according to the previouslyoverviewed generic model, with the following definitions.- V ariables = {C1, C2a, C2b} corresponding to the carts.C1 for Sys1 and C2a, C2b for Sys2;- V alueElements = {Prod1, P rod2, P rod3, P rod4,P rod5} is the set of goods;- V aluations = ({C1} 7→ P(V alueElements))∪ ({C2a, C2b} 7→ P(V alueElements)) asso-ciates a subset of goods to each cart;- V ariablesSets = {{C1}, {C2a, C2b}} identifies thevariables of each system Sys1 and Sys2;- Sys1 = {C1} 7→ (λval · val ∈{C1} → P(V alueElements) |card(V alueElements)− card(val(C1)))- Sys2 = {C2a, C2b} 7→ (λval · val ∈ {C2a, C2b} →P(V alueElements) | card(V alueElements)− card(val(C2a) ∪ val(C2b)))- Systems = {Sys1, Sys2}- Systems states = Systems× V aluationsWe were then able to refine this machine with one express-ing directly C1, C2a and C2b carts, and prove the refinement.Moreover, the following safety properties have been proved oneach of the machines.- All the desired products are selected after the selectionaction. If P ⊆ PRODUCTS is the set of products topurchase, and carts ∈ SITES × PRODUCTS is thevariable denoting the pair of selected products on a givenwebsite. This property is expressed asselection done ⇒ ran(carts) = P- There is no product selected twice i.e. no product in bothof the two carts, expressed as∀p, p ∈ ran(carts) ⇒ card(carts−1[{p}]) = 1Here, the horizontal invariant is val(C1) = val(C2a) ∪val(C2b), where val is the corresponding valuation.This generic model together with this case study have beenmodelled on the RODIN platform [9] [10] and the statisticsof table I (proof obligations PO) have been obtained.V. ONGOING WORKThis paper presented a global view of our approach forsystem substitution. This approach exploits the notion ofrefinement, invariants and variants. System substitution hasbeen illustrated with a use case from electronic commerce.Currently, our work is pursued in two directions. On the onehand, we are building a generic model for system substitutionformalised within the Event-B method. A set of generic ma-chines, to be instantiated, defining system substitution is underconstruction. It is planned to study within this frameworkadaptation, self-healing, reliability, . . . situations. On the otherhand, we plan to integrate a monitor in order to monitor aproperty of the system behaviour and trigger system substitu-tion. For example, monitored properties could be identificationof system failures or loss of quality of service.REFERENCES[1] J.-C. Laprie, “Dependable computing and fault tolerance: Conceptsand terminology,” in Fault-Tolerant Computing, 1995, Highlights fromTwenty-Five Years., Twenty-Fifth International Symposium on, Jun 1995,pp. 2–11.[2] D. Weyns, M. U. Iftikhar, D. G. de la Iglesia, and T. Ahmad,“A survey of formal methods in self-adaptive systems,” inProceedings of the Fifth International C* Conference on ComputerScience and Software Engineering, ser. C3S2E ’12. NewYork, NY, USA: ACM, 2012, pp. 67–79. [Online]. Available:http://doi.acm.org/10.1145/2347583.2347592[3] S. Kell, “A survey of practical software adaptationtechniques,” Journal of Universal Computer Science, vol. 14,no. 13, pp. 2110–2157, jul 2008. [Online]. Available:http://www.jucs.org/jucs 14 13/a survey of practical[4] M. Parashar and S. Hariri, “Autonomic computing: An overview,”in Unconventional Programming Paradigms, ser. Lecture Notes inComputer Science, J.-P. Banâtre, P. Fradet, J.-L. Giavitto, andO. Michel, Eds. Springer Berlin Heidelberg, 2005, vol. 3566, pp.257–269. [Online]. Available: http://dx.doi.org/10.1007/11527800 20[5] J.-R. Abrial, Modeling in Event-B: System and Software Engineering,1st ed. New York, NY, USA: Cambridge University Press, 2010.[6] J.-R. Abrial and S. Hallerstede, “Refinement, decomposition, andinstantiation of discrete models: Application to event-b,” FundamentaInformaticae, vol. 77, no. 1, pp. 1–28, 2007. [Online]. Available:http://iospress.metapress.com/content/C74274T385T6R72R[7] Y. Ait-Ameur, M. Baron, and N. Kamel, “Encoding a process alge-bra using the event b method. application to the validation of userinterfaces,” in Proceedings of 2nd IEEE international symposium onleveraging applications of formal methods (ISOLA), 2005.[8] Y. Ait-Ameur, M. Baron, N. Kamel, and J.-M. Mota, “Encoding aprocess algebra using the event b method,” International Journal onSoftware Tools for Technology Transfer, vol. 11, no. 3, pp. 239–253,2009. [Online]. Available: http://dx.doi.org/10.1007/s10009-009-0109-2[9] J.-R. Abrial, M. Butler, S. Hallerstede, and L. Voisin, “An openextensible tool environment for event-b,” in Formal Methods andSoftware Engineering, ser. Lecture Notes in Computer Science, Z. Liuand J. He, Eds. Springer Berlin Heidelberg, 2006, vol. 4260, pp.588–605. [Online]. Available: http://dx.doi.org/10.1007/11901433 32[10] J.-R. Abrial, M. Butler, S. Hallerstede, T. Hoang, F. Mehta, andL. Voisin, “Rodin: an open toolset for modelling and reasoningin event-b,” International Journal on Software Tools for TechnologyTransfer, vol. 12, no. 6, pp. 447–466, 2010. [Online]. Available:http://dx.doi.org/10.1007/s10009-010-0145-y

A formal approach for correct-by-construction system substitution

International audienceThe substitution of a system with another one may occur in several situations like system adaptation, system failure management, system resilience, system reconfiguration, etc. It consists in replacing a running system by another one when given conditions hold. This contribution summarizes our proposal to define a formal setting for proving the correctness of system substitution. It relies on refinement and on the Event-B method

A formal approach for correct-by-construction system substitution

Abstract

Similar works

Full text

Available Versions

Open Archive Toulouse Archive Ouverte

Scientific Publications of the University of Toulouse II Le Mirail