The B-book - assigning programs to meanings.
Abstract
The B method is a means for specifying, designing and coding software systems. The long-awaited B Book is the standard reference for everything concerning this method. It contains the mathematical basis on which it is founded, the precise definitions of the notations used, and a large number of examples illustrating its use in practice. J.-R. Abrial, the inventor of B, has written the book in such a way that it can be used for self-study or for reference. It is in four parts, the first dealing with the mathematical foundations, including a systematic construction of predicate logic and set theory, and the definition of the various mathematical structures that are needed to formalize software systems; the author places special emphasis on the notion of proof. The second part contains a presentation of the Generalized Substitution Language and of the Abstract Machine Notation, which are both used to specify software systems; the author gives examples to show how large specifications can be constructed systematically. The next part introduces the two basic programming features of sequencing and loop, with examples showing how to construct small algorithms. The last part covers the very important notion of refinement. It shows how to construct large software systems by means of layered architectures of modules. It culminates with the presentation of several examples of complete development with a special emphasis on the methodological approach. Finally, appendices give summaries of all the logical and mathematical definitions, and of all the rules and proof obligations. With the appearance of The B Book, formal methods practitioners, computer scientists, and systems developers at last will have access to the definitive account of what will become one of the standard approaches to the construction of software systems.
... This work presents a technique to link a concrete RL agent with a high-level formal model of the B method [2] for the RL agent and its environment with a safety shield. This allows us to run the RL agent in the ProB [16,17] animator and model checker, and use the formal model as a safety shield at runtime. ...
... The B method. The B method [2] is a formal method for specifying and verifying software systems. The B language is based on set theory and first-order logic, and makes use of general substitution for state modifications as well as refinement calculus to model state machines at various levels of abstraction. ...
... 4. ProB provides a list of enabled operations to the RL agent. 2 5. Based on the current observation, the RL agent predicts the enabled operation/action with the highest reward. 6. ...
Reinforcement learning (RL) is an important machine learning technique to train agents that make decisions autonomously. For safety-critical applications, however, the decision-making of an RL agent may not be intelligible to humans and thus difficult to validate, verify and certify. This work presents a technique to link a concrete RL agent with a high-level formal B model of the safety shield and the environment. This allows us to run the RL agent in the formal method tool ProB, and particularly use the formal model to surround the agent with a safety shield at runtime. This paper also presents a methodology to validate the behavior of RL agents and respective safety shields with formal methods techniques, including trace replay, simulation, and statistical validation.The validation process is supported by domain-specific visualizations to ease human validation. Finally, we demonstrate the approach for a highway simulation.
... This paper is an extended version of the FMICS 2022 paper [68]. For this, we implemented new features, such as (1) timed probabilistic simulation with SimB [66], (2) interactive simulation [64], and (3) model checking support [67] for JavaScript for the performance analysis. In this extension, we also allow domain experts to give more feedback on execution traces by writing description texts. ...
... The B method was introduced by Jean-Raymond Abrial and is a formal method for specifying and verifying software systems [2]. The B method includes the formal B modeling language, which is based on first-order logic and set theory. ...
... Furthermore, the trace can be replayed automatically at different speeds. An example export can be seen in Fig. 4. 2 This feature has been used for the communication of modelers with domain experts, e.g., in follow-on projects of the ETCS Hybrid Level 3 [33]. In particular, we (as modelers) animated traces which contain critical behavior. ...
Especially in industrial applications of formal modeling, validation is as important as verification. Thus, it is important to integrate the stakeholders’ and the domain experts’ feedback as early as possible. In this work, we propose two approaches to enable this: (1) a static export of an animation trace into a single HTML file, and (2) a dynamic export of a classical B model as an interactive HTML document, both based on domain-specific visualizations. For the second approach, we extend the high-level code generator B2Program by JavaScript and integrate VisB visualizations alongside SimB simulations with timing, probabilistic and interactive elements. An important aspect of this work is to ease communication between modelers and domain experts. This is achieved by implementing features to run simulations, sharing animated traces with descriptions and giving feedback to each other. This work also evaluates the performance of the generated JavaScript code compared with existing approaches with Java and C++ code generation as well as the animator, constraint solver, and model checker ProB.
... Bernhard Aichernig aichernig@ist.tugraz.at 1 Graz University of Technology, Graz, Austria variety of devices, ranging from simple single-core to more complex multi-core or many-core systems, including specialized ASIC or even reconfigurable FPGA components [19,29]. ...
... Then, as a proof of concept, we further refine the generic OS model to two different architectures: MSP430 and RISC-V. In order to verify safety (something bad must not happen) and liveness (something good should eventually happen) properties [44], we (1) prove that our RTOS models do not corrupt any task's context by properly saving and loading them, even though the process for saving and restoring a context differs for different MCU architectures; (2) prove that the kernel runs in the appropriate CPU state and changes it as specified for task execution; (3) prove that the kernel executes in the correct order and eventually finishes execution. Since we only introduce hardware details in late refinements, most of those proofs need only be done once, on the generic RTOS model. ...
... Event-B is a formal method for system-level modeling and analysis [2,21] derived from the B formalism [1]. Based on set theory and state transitions, Event-B supports refinements to model different abstraction levels, while mathematical proofs verify correctness and consistency between refinements. ...
Porting software to new target architectures is a common challenge, particularly when dealing with low-level functionality in drivers or OS kernels that interact directly with hardware. Traditionally, adapting code for different hardware platforms has been a manual and error-prone process. However, with the growing demand for dependability and the increasing hardware diversity in systems like the IoT, new software development approaches are essential. This includes rigorous methods for verifying and automatically porting Real-Time Operating Systems (RTOS) to various devices. Our framework addresses this challenge through formal methods and code generation for embedded RTOS. We demonstrate a hardware-specific part of a kernel model in Event-B, ensuring correctness according to the specification. Since hardware details are only added in late modeling stages, we can reuse most of the model and proofs for multiple targets. In a proof of concept, we refine the generic model for two different architectures, also ensuring safety and liveness properties. We then showcase automatic low-level code generation from the model. Finally, a hardware-independent factorial function model illustrates more potential of our approach.
... In the approach proposed in this paper, we use the theorem proving approach, relying on the Event-B method [Abrial 2010]. Event-B is based on B [Abrial 2005], but adds the concepts of machine and events, that make the language very well-suited to the specification of distributed and concurrent systems. While analysis through theorem proving is not fully automatic, it allows to consider infinite state systems or systems with arbitrary size. ...
... Event-B [Abrial 2010] is a state-based formalism closely related to Classical B [Abrial 2005]. Given states v, v ′ an event is a tuple e = (H, S) where H(c, s, v) is the guard and S(c, s, v, v ′ ) is the before-after predicate that defines a relation between current and next states. ...
... For convenience, as in[Abrial 2005], no distinction is made between a set of variables and a state of a system. ...
During the development of algorithms for distributed systems, one has to adopt clear assumptions about the semantics offered by the underlying communication platform in order to show that the algorithms under construction fulfill the expected liveness and safety properties. In this paper we propose a library of reusable formal specifications defining several classic communication semantics. The specification of each communication semantics is presented along with the proofs of the expected main properties of each model. The library was build using Event-B and properties were shown using the theorem proving approach with the Rodin system. While modeling a distributed application one can reuse models from the proposed library (by refinement or extension) without having to redo all the proofs related to the communication platform. Moreover, existing proofs can be used to show desired properties of the application.
... In this paper, we focus on the phosphorylation of only one aminoacid -called S230 -of the hsf protein. In our more detailed model, we take into account two versions of hsf: one where S230 is present in the non-phosphorylated form (denoted rhsf (0) ) and the other where S230 is present in the phosphorylated form (denoted rhsf (1) ). The full details for the refinement of the heat shock response can be found in [25,29]. ...
... Event-B [2] is a state-based formal method, building on earlier formalisms such as the B-Method [1] and the Action Systems [4]. The system state in Event-B is described by the values of variables and the state changes are modeled using events. ...
... This is implemented in the context part of the Event-B model. In [29], the abstract event in Table 7 is replaced by two events (shown in Table 8), where the concrete variables that replace hsf are rhsf (0) and rhsf (1) , with the gluing invariant hsf = rhsf (0) + rhsf (1) . Similarly, the abstract variable binding hsp: hsf is to be replaced by the two concrete variables hsp: rhsf (0) and hsp: rhsf (1) , with the gluing invariant hsp: hsf = hsp: rhsf (0) + hsp: rhsf (1) . ...
Biology offers many examples of large-scale, complex, concurrent systems: many processes take place in parallel, compete on resources and influence each other's behavior. The scalable modeling of biological systems continues to be a very active field of research. In this paper we introduce a new approach based on Event-B, a state-based formal method with refinement as its central ingredient, allowing us to check for model consistency step-by-step in an automated way. Our approach based on functions leads to an elegant and concise modeling method. We demonstrate this approach by constructing what is, to our knowledge, the largest ever built Event-B model, describing the ErbB signaling pathway, a key evolutionary pathway with a significant role in development and in many types of cancer. The Event-B model for the ErbB pathway describes 1320 molecular reactions through 242 events.
... That is, there are types for sets, binary relations and their elements, and set and relational operators are typed accordingly. The type system is based on the type system defined for the Z formal notation (Spivey 1992), which in turn is similar to B's (Abrial 1996). Actually, {log} has been proposed as a prototyping language for B and Z specifications (Cristiá et al. 2013;Cristiá and Rossi 2021c;2024a). ...
... Clearly, rel represents the type of binary relations. This type system is aligned with those of Z (Spivey 1992) and B (Abrial 1996). ...
This technical note shows how we have combined prescriptive type checking and constraint solving to increase automation during software verification. We do so by defining a type system and implementing a typechecker for (read ‘setlog’), a Constraint Logic Programming language and satisfiability solver based on set theory. The constraint solver is proved to be safe w.r.t. the type system. Two industrial-strength case studies are presented where this combination is used with very good results.
... In this section, we apply our ITree and Circus library to create a formal modelling language and tool called "Z-Machines", which is in the style of the Z specification language [58,65], and B method [1]. Z-Machines are a form of abstract machine, similar to B machines [1], that use our Z toolkit as the underlying expression language. ...
... In this section, we apply our ITree and Circus library to create a formal modelling language and tool called "Z-Machines", which is in the style of the Z specification language [58,65], and B method [1]. Z-Machines are a form of abstract machine, similar to B machines [1], that use our Z toolkit as the underlying expression language. Z-Machines act as a case study for our ITrees library by demonstrating its applicability in creating accessible verification tools. ...
Model execution allows us to prototype and analyse software engineering models by stepping through their possible behaviours, using techniques like animation and simulation. On the other hand, deductive verification allows us to construct formal proofs demonstrating satisfaction of certain critical properties in support of high-assurance software engineering. To ensure coherent results between execution and proof, we need unifying semantics and automation. In this paper, we mechanise Interaction Trees (ITrees) in Isabelle/HOL to produce an execution and verification framework. ITrees are coinductive structures that allow us to encode infinite labelled transition systems, yet they are inherently executable. We use ITrees to create verification tools for stateful imperative programs, concurrent programs with message passing in the form of the CSP and \Circus languages, and abstract system models in the style of the Z and B methods. We demonstrate how ITrees can account for diverse semantic presentations, such as structural operational semantics, a relational program model, and CSP's failures-divergences trace model. Finally, we demonstrate how ITrees can be executed using the Isabelle code generator to support the animation of models.
... Thus, our implementation closely mimics realworld development conditions. Team overview Our team comes from a formal methods background: While all members are very familiar with the B method [1,2], we did not have particular expertise with C development or verification tooling for C. The basic code structure and the fixture for the test scenarios were developed by SK and PK in a synchronous meeting. Afterwards, SK implemented the ELS, JD was responsible for the SCS, and tests were provided by PK and KR. ...
... • Arcaini et al. [4], who utilized abstract state machines (ASMs) [10] and the ASMETA framework [3], • Cunha et al. [20], who modeled their solution in Electrum [37], an extension to Alloy [30], • Leuschel et al. [36], who developed their solution in classical B [1] and later translated to Event-B for proof [2], • Mammar et al. [38,39], used Event-B for two distinct models of the ELS [39] and the SCS [38]. ...
In this article, we present an approach to the ABZ 2020 case study that differs from those usually presented at ABZ: Rather than using a (correct-by-construction) approach following a formal method, we use C for a low-level implementation instead. We strictly adhere to test-driven development for validation, and only afterwards apply model checking using CBMC for verification. While the approach has several benefits compared to the more rigorous approaches, it also provides less mathematical clarity and overall less thorough verification. In consequence, our realization of the ABZ case study serves as a baseline reference for comparison, allowing to assess the benefit provided by the various formal modeling languages, methods and tools.
... The track received a number of submissions of which eleven were published [1]. Six of the published papers approached the problem with methods and tools rooted in the B notation [2] (Event-B, ProB, Hybrid Event-B and Rodin). In this paper we consider the article by Mammar and Laleau [3] and a journal version [4] as the starting point for our work. ...
... The B method was introduced by Abrial [2] after his work on the Z notation [7]. B is a formal notation based on state machines, set theory and first-order logic aimed at software specification and verification. ...
In this paper we show how (read ‘setlog’), a Constraint Logic Programming (CLP) language based on set theory, can be used as an automated verifier for B specifications. In particular we encode in an Event-B specification, developed by Mammar and Laleau, of the case study known as the Landing Gear System (LGS). Next we use to discharge all the proof obligations proposed in the Event-B specification by the Rodin platform. In this way, the program can be regarded as an automatically verified prototype of the LGS. We believe this case study provides empirical evidence on how CLP and set theory can be used in tandem as a vehicle for program verification.
... Theories like Hoare Logic [20] and Calculus of Predicate Transformers [12] are used to specify and verify sequential programs, possibly with nondeterminism. We also include in this class those theories, such as VDM [23], Z [45] and B [1], which are based these and have mechanisms for modularity. Object-Z [44], rCOS theory of semantics and refinement for OO programs [18] and Java Modeling Language (JML) [28] can be regarded as OO extensions, and the latest VDM also treats object-orientation. ...
... C, a failure of C is pair (tr, M), where tr is a finite trace of method invocations and returns ?m 1 (v 1 )!m 1 (u 1 ) . . . of the interface, and M a set of method invocations, such that one of the following conditions holds(1) tr is the empty sequence, and M is the set of invocations ?m(v) with their guards being false in the initial states;(2) tr is a trace ?m 1 (v 1 )!m 1 (u 1 ) . . .?m k (v k )!m k (u k )and M consists of the invocations ?m(v) that after the executions of the invocations m 1 (x 1 , y 1 ) . . . ...
Model-driven engineering (MDE) or model-driven architecture (MDA) holds significant appeal for the software industry. Its primary aim is to address software complexity by enabling automated model creation and transformation. Consequently, many software development firms are actively seeking integrated development platforms (IDP) to enhance automation within their software production processes. However, the adoption of MDE and the utilisation of IDPs remain low, with doubts surrounding their success. To tackle this issue, this paper uses the formal refinement of component and object systems (rCOS) as a framework to identify different types of requirements and their relationships, with the goal of supporting MDE. We emphasise the necessity for families of formal languages and transformations among them, as well as the indispensability of architecture modelling and refinement in MDE. Furthermore, to enhance the handling of changes during the development and operation of systems, there is a paramount need for formal methods that facilitate abstractions and decompositions, leading to a multi-dimensional separation of concerns.
... Generally speaking, formal methods can extract a formal model from a specification, on which the rigorous mathematical proofs can be conducted for the V&V purpose [1,2,25]. Moreover, such a process can be fully automated. ...
... Several techniques of formal methods can be utilized to model requirements, e.g., the Z [25], B [1], and Event-B [2] methods. These methods can model systems not only with physical environments but also with human users [3]. ...
Formal methods are promising for modeling and analyzing system requirements. However, applying formal methods to large-scale industrial projects is a remaining challenge. The industrial engineers are suffering from the lack of automated engineering methodologies to effectively conduct precise requirement models, and rigorously validate and verify (V&V) the generated models. To tackle this challenge, in this paper, we present a systematic engineering approach, named Formal Requirement Engineering Platform in Aircraft (FREPA), for formal requirement modeling and V\&V in the aerospace and aviation control domains. FREPA is an outcome of the seamless collaboration between the academy and industry over the last eight years. The main contributions of this paper include 1) an automated and systematic engineering approach FREPA to construct requirement models, validate and verify systems in the aerospace and aviation control domain, 2) a domain-specific modeling language AASRDL to describe the formal specification, and 3) a practical FREPA-based tool AeroReq which has been used by our industry partners. We have successfully adopted FREPA to seven real aerospace gesture control and two aviation engine control systems. The experimental results show that FREPA and the corresponding tool AeroReq significantly facilitate formal modeling and V&V in the industry. Moreover, we also discuss the experiences and lessons gained from using FREPA in aerospace and aviation projects.
... Event-B is a formal method focused on the step-wise development of models. Here, we briefly present some of the key features of Event-B modeling (refer to [1,5] for more details). Event-B modeling has two types of modules, called contexts and machines. ...
... (2) Design by Refinement [2], which is based on successive refinement of a solution in a step-by-step manner, with each step containing a formal proof verified by an automated solver. (3) Model Checking [22], which performs exhaustive exploration to automatically verify properties of a given model, providing a sound and complete verification result. ...
Recent advancements in machine learning have accelerated its widespread adoption across various real-world applications. However, in safety-critical domains, the deployment of machine learning models is riddled with challenges due to their complexity, lack of interpretability, and absence of formal guarantees regarding their behavior. In this paper, we introduce a verification framework tailored for Bayesian networks, designed to address these drawbacks. Our framework comprises two key components: (1) a two-step compilation and encoding scheme that translates Bayesian networks into Boolean logic literals, and (2) formal verification queries that leverage these literals to verify various properties encoded as constraints. Specifically, we introduce two verification queries: if-then rules (ITR) and feature monotonicity (FMO). We benchmark the efficiency of our verification scheme and demonstrate its practical utility in real-world scenarios.
... The well-definedness proof obligation rule (WD) verifies that a possibly ill-defined axiom, guard, action, theorem, invariant, or witness is well-defined.citetem22. The names for a particular modelling element (axm, thm, inv, Fig. 19 An Event-B model of property machine Table 2 Formal definition of the well-definedness PO (WD) (Abrial 2005) Mathematical expression Well-definedness condition ...
The Internet of Things (IoT) is a network of devices that can communicate and cooperate over the Internet. As the IoT expands, guaranteeing the dependability and accuracy of communication systems becomes increasingly important. One of the key challenges faced in the process of system development is the need to detection the errors in the early phases of system development. Formal techniques are the gold standard for ensuring a system’s correctness. In the context of the IoT, this paper presents an Event-B formal model for the verification of the correctness of Content-Based Publish/Subscribe Systems (CBPS). We developed our model using Event-B, which is an incrementally formal technique with a plugin-supported platform. Furthermore, it supports both theorem proving and model checking. The incremental method uses a series of refining processes to help manage complexity. The paper offers a thorough exposition of the CBPS architecture, with an emphasis on decentralised design, reliable message delivery, and message ordering. This formalised method ensures that the CBPS system satisfies its criteria and free of errors. As a case study for our concept, we employ a smart home system. Finally, we validate and verify the formal model using proof obligations and the Rodin platform.
... As for lightweight formal methods, the most popular modelcheckers -for example NuSMV, nuXmv, or SPIN -are too low-level to be used directly to describe software with complex configurations, being better suited to be used as backend analysis tools for higher-level languages, as is the case with Alloy 6. Among the higher-level formal specification languages, perhaps the tools in the B method [1] ecosystem are the ones better suited to compete with TLA + and Alloy, in particular the ProB tool [14]. This tool already implements some of the features of the Alloy Analyzer, namely simulation and graphical depiction of counter-examples, and offers interfaces to both TLA + and Alloy. ...
In this paper I discuss how can lightweight formal methods be used to specify and verify software with complex configurations (for example, distributed protocols that work on specific network configurations). More specifically, I briefly present two popular formal methods - TLA+ and Alloy - and discuss the pros and cons of both in this particular context.
... In our previous work [19] we applied deep embedding and the B method [1] to formally define the semantics of executable Domain Specific Languages (DSLs) in a Model-Driven Engineering (MDE) architecture. The work led to the development of Meeduse [17,31], the only existing language workbench today that applies theorem proving to deal with the correctness of DSLs. ...
... However, other free tools are available for other formal methods. For B users [1], executable C, C++, Java, and Ada code can be generated from formal specifications by the Atelier B platform 6 , which is free in its Community Edition. Additionally, for the Event-B formal method, the EventB2Java tool integrated into the Rodin platform allows developers to generate executable code [12]. ...
... B [1] is a method for specifying, designing, and coding software systems. It covers central aspects of the software life cycle ( Fig. 1): the writing of the technical specification, the design by successive refinement steps and model decomposition (layered architecture), and the source code generation. ...
The article focuses on the continuous improvement of Ate-lier B's automatic proof capabilities since its industrialisation in the 90s. The evolution of Atelier B addressed challenges in proof obligations generation and optimisation, adapting to new languages like Event-B and incorporating newer formats for easier analysis and third-party prover connections. Significant developments include enhancing the proof system to handle complex proof obligations efficiently and integrating external provers for improved proof capabilities. The article also showcases B's industrial applications in critical sectors, emphasising the method's importance in safety-critical software development and the ongoing efforts to facilitate proof activities and integrate AI for better proof automation.
... A. Mammar amel.mammar@telecom-SudParis.eu is the successor of the B method [1] permitting to model discrete reactive systems using mathematical notations. The complexity of a system is mastered thanks to the refinement concept that allows gradually introducing the different parts that constitute the system, starting from an abstract model and gradually refining it into a more concrete one. ...
This paper presents an Event-B model of a speed control system, a part of the case study provided in the ABZ2020 conference. The case study describes how the system regulates the current speed of a car according to a set of criteria like the driver’s desired speed, the position of a possible preceding vehicle, but also a given speed limit that the driver must not exceed. For that purpose, this controller reads different information from the available sensors (key state, desired speed) and takes adequate actions by acting on the actuators of the car’s speed according to the information read. To formally model this system, we adopt a stepwise refinement approach with the Event-B method. We consider most of the features of the case study. All proof obligations of the invariant properties have been discharged using the Rodin provers. Our model has been validated using ProB by applying the different provided scenarios. This validation has permitted us to point out and correct some mistakes, ambiguities and oversights contained in the first versions of the case study.
... Event-B [2] is the successor of the B method [1] permitting to model discrete systems using mathematical notations. The complexity of a system is mastered thanks to the refinement concept that allows gradually introducing the different parts that constitute the system starting from an abstract model to a more concrete one. ...
This paper introduces an Event-B formal model of the adaptive exterior light system for cars, a case study proposed in the context of the ABZ2020 conference. The system describes the different provided lights and the conditions under which they are switched on/off in order to improve the visibility of the driver without dazzling the oncoming ones. The system can be viewed as a lights controller that reads different information form the available sensors (key state, exterior luminosity, etc.) and takes the adequate actions by acting on the actuators of the lights in order to ensure a good visibility for the driver according to the information read. Our model is built using stepwise refinement with the Event-B method. We consider all the features of the case study, all proof obligations have been discharged using the Rodin provers. Our model has been validated using ProB by applying the different provided scenarios. This validation has permitted us to point out and correct some mistakes, ambiguities and oversights in the first versions of the case study description document.
... There exist works [7,8] where UML diagrams are converted into B method [9], Z notation [10], and Event-B [11]. The limitation of these works is the formal models are auto-generated from the UML. ...
System requirements can occasionally be ill-defined and difficult to define. In this case, graphic representation of the system created using semi-formal modelling is advantageous. A smart power grid, for example, includes numerous important needs and function points. We can portray the system functionalities graphically to better grasp the requirements before moving forward with the formal definition. Though, graphic models like Unified Modeling Language (UML) have ambiguity issues as they work on predefined rules. On the other hand, the formal technique uses the correct-by-construction method to guarantee the system's dependability. The formal technique is based on well-practiced mathematical notation. In this article, a smart grid (SG) system based on blockchain (BC) is formally modelled and verified. The system requirements are validated using the formal modelling technique Event-B. To illustrate the system, we first suggest various graphical notations. After that, the notations are translated into a JSON (JavaScript Object Notation) format. Java executable codes are generated in order to validate the JSON schemas. The graphical model is then translated into Event-B specifications and validated using RODIN, a standard tool support.
... Event-B [3] is a formal method that enables the gradual construction of correct formal models by means of a proof activity. This method is an extension of the classic B language [4]. Based on set theory and first-order logic, this method is used to develop formal models for reactive systems and sequential and distributed algorithms. ...
To correctly formalise requirements expressed in natural language, ambiguities must first be identified and then fixed. This paper focuses on behavioural requirements (i.e. requirements related to dynamic aspects and phenomena). Its first objective is to show, based on a practical, public case study, that the disambiguation process cannot be fully automated: even though natural language processing (NLP) tools and machine learning might help in the identification of ambiguities, fixing them often requires a deep, application-specific understanding of the reasons of being of the system of interest, of the characteristics of its environment, of which trade-offs between conflicting objectives are acceptable, and of what is achievable and what is not; it may also require arduous negotiations between stakeholders. Such an understanding and consensus-making ability is not in the reach of current tools and technologies, and will likely remain so for a long while. Beyond ambiguity, requirements are often marred by various other types of defects that could lead to wholly unacceptable consequences. In particular, operational experience shows that requirements inadequacy (whereby, in some of the situations the system could face, what is required is woefully inappropriate or what is necessary is left unspecified) is a significant cause for systems failing to meet expectations. The second objective of this paper is to propose a semantically accurate behavioural requirements formalisation format enabling tool-supported requirements verification, notably with simulation. Such support is necessary for the engineering of large and complex cyber-physical and socio-technical systems to ensure, first, that the specified requirements indeed reflect the true intentions of their authors and second, that they are adequate for all the situations the system could face. To that end, the paper presents an overview of the BASAALT (Behaviour Analysis and Simulation All Along systems Life Time) systems engineering method, and of FORM-L (FOrmal Requirements Modelling Language), its supporting language, which aims at representing as accurately and completely as possible the semantics expressed in the original, natural language behavioural requirements, and is markedly different from languages intended for software code generation. The paper shows that generally, semantically accurate formalisation is not a simple paraphrasing of the original natural language requirements: additional elements are often needed to fully and explicitly reflect all that is implied in natural language. To provide such complements for the case study presented in the paper, we had to follow different formalisation patterns, i.e. sequences of formalisation steps. For this paper, to avoid being skewed by what a particular automatic tool can and cannot do, BASAALT and FORM-L were applied manually. Still, the lessons learned could be used to specify and develop NLP tools that could assist the disambiguation and formalisation processes. However, more studies are needed to determine whether an exhaustive set of formalisation patterns can be identified to fully automate the formalisation process.
... This model can be used as the input for model checkers or theorem provers to validate and verify whether the design meets its specification and whether the specification meets the requirements. This process has been applied in industry and demonstrated its effectiveness for decreasing errors and increasing productivity in developing safety-critical applications [59,60] or distributed systems (e.g., cloud applications) [61]. ...
Concurrent systems play a crucial role in modern software development, enabling applications to handle multiple tasks simultaneously and improve performance by utilizing the full potential of modern hardware. The Behavior-Interaction-Priority (BIP) framework is a model-driven approach for designing and verifying concurrent and distributed systems. To apply BIP in designing a system, designers first analyze the system's requirements to construct BIP connectors describing the coordination between the system's components. Based on these connectors, developers create a BIP model for verification that uses model checkers and JavaBIP artifacts for implementation following an exogenous approach. However, constructing the BIP connectors and creating BIP/JavaBIP artifacts require a certain level of expertise in formal methods, model-driven design, and concurrent systems. Consequently, the developers might need to invest time and effort to learn the framework and associated tools. In this work, we propose a novel mechanism to reduce developers' manual efforts when applying the BIP framework, including (1) a pseudo-natural language for specifying behavioral constraints without learning the BIP framework and (2) a compiler for automatically generating the BIP/JavaBIP artifacts, which are then used for developing concurrent software following the exogenous approach. We illustrate the feasibility of our approach by introducing OCCIwareBIP, a framework for designing, validating, and implementing concurrent cloud applications.
... Event-B is the successor of the B method [2], it permits to model discrete systems using mathematical notations. The complexity of a system is mastered thanks to the refinement concept that introduce gradually the different parts that constitute the system starting from an abstract model to a more concrete one. ...
... In VDM (Vienna Development Method) [24], a move is made to post conditions that are relations between the initial and final states of the specified component. Although this requires slightly more complicated inference rules (see [3,28]), relations are required for most non-trivial specifications and this approach is used in VDM as well as, for example, Z [16,39], B [1], Event-B [2] and Alloy [23]. In all of the predicates that are relations (post, rely and guarantee conditions), undecorated identifiers refer to the earlier state and primed identifiers apply to the later state, for example: ...
The reference point for developing any artefact is its specification; to develop software formally, a formal specification is required. For sequential programs, pre and post conditions (together with abstract objects) suffice; rely and guarantee conditions extend the scope of formal development approaches to tackle concurrency. In addition, real-time systems need ways of both requiring progress and relating that progress to some notion of time. This paper extends rely-guarantee ideas to cope with specifications of—and assumptions about—real-time schedulers. Furthermore it shows how the approach helps identify and specify fault-tolerance aspects of such schedulers by systematically challenging the assumptions.
... Refinement may also be applied on semi-formal languages such as UML [32,30]. Formal languages such as B [33], Event-B [34] or Z [35] are based on the refinement theory, meaning that they allow refinements to be explicitely defined by modelers and automatic checking to be performed. ...
... Earlier, other methods for building specifications consisting of independent modules were proposed. The module decomposition is implemented in the classical method B [26]; however, it was lost in the development of Event-B. ...
... In Section 3 we present the formal B model of the system, which enables one to formalize and verify mitigating measures (solution 1), but also study the impact of undetected errors of the AI to be able to conduct solution 2 (which we tackle in Section 4). Therefore, we decide to use the formal B method [1] which was also used for other railway systems [26,25,4,5]. While this work focuses mostly on formally modelling and verifying the steering system and environment, we plan to address direct verification of the perception system in future work. ...
The research project KI-LOK aims to develop a certification methodology for incorporating AI components into rail vehicles. In this work, we study how to safely incorporate an AI for obstacle detection into an ATO (automatic train operation) system for shunting movements. To analyse the safety of our system we present a formal B model comprising the steering and AI perceptions subsystems as well as the shunting yard environment. Classical model checking is applied to ensure that the complete system is safe under certain assumptions. We use SimB to simulate various scenarios and estimate the likelihood of certain errors when the AI makes mistakes.
... Introduced by J-R.Abrial as a successor of the B method [1], the formal Event-B method [2] provides mathematical notations and concepts to develop correct-bydesign discrete systems. A system, developed by Event-B, is composed of a set of components, each of which can either be a context or a machine. ...
The present paper describes an Event-B model of the Arrival MANager system (called AMAN), the case study provided by the ABZ’23 conference. The goal of this safety critical interactive system is to schedule the arrival times of aircraft at airports. This system includes two parts: an autonomous part which predicts the arrival time of an aircraft from external sources (flight plan information, radar and weather information, etc.) and an interface part that permits to the Air Traffic Controller (ATCo) to submit requests to AMAN like changes regarding the arrival times of aircraft. To formally model and verify this critical system, we use a correct-by-construction approach with the Event-B formal method and its refinement process. We mainly consider functional features of the case study; all proof obligations have been discharged using the provers of the Rodin platform under which we carried out our development. To help users understand how AMAN works and its main functionalities, a visualisation of the Event-B models was achieved using the VisB component of ProB. Our models have been validated using ProB by applying scenarios related to different functional aspects of the system.KeywordsSystem modelingEvent-B methodRefinementVerification
... Safety-critical systems are often modeled using formal methods which make use of mathematical notation. For example, models in B [4] and Event-B [5] rely on set theory and first-order logic. This makes it hard for users and domain experts to understand and interact with the model. ...
Validating requirements for safety-critical systems with user interactions often involves techniques like animation, trace replay, and LTL model checking. However, animation and trace replay can be challenging since user and system events are not distinguished, and formulating LTL properties requires expertise.This work introduces interactive simulation, a new technique that combines domain-specific visualization of formal models with timed probabilistic simulation to create more realistic prototypes. It allows domain experts and users to interact with formal models and simulate the system/environment reactions. State diagrams are also generated for inspecting user interactions and system reactions. Finally, we demonstrate interactive simulation on the ABZ automotive case study.KeywordsValidationFormal Methods
VisualizationSimulationInteractive
... Over the last 35 years, formal methods have reached a sufficient level of maturity so that they can be practically applied in software development, especially safety critical software. A variety of different formal specification techniques (e.g., model-based formal specification [11] [12] [13], finite-state-based formal specification [14] [15] [16] [17], etc.) have been proposed and most of them are backed up by a wide variety of support tools. ...
In software development, identifying software faults is an important task. The presence of faults not only reduces the quality of the software, but also increases the cost of development life cycle. Fault identification can be performed by analysing the characteristics of the buggy source codes from the past and predict the present ones based on the same characteristics using statistical or machine learning models. Many studies have been conducted to predict the fault proneness of software systems. However, most of them provide either inadequate or insufficient information and thus make the fault prediction task difficult. In this paper, we present a novel set of software metrics called Error-type software metrics, which provides prediction models with information about patterns of different types of Java runtime error. Particular, in this study, the ESM values consist of information of three common Java runtime errors which are Index Out Of Bounds Exception, Null Pointer Exception, and Class Cast Exception. Also, we proposed a methodology for modelling, extracting, and evaluating error patterns from software modules using Stream X-Machine (a formal modelling method) and machine learning techniques. The experimental results showed that the proposed Error-type software metrics could significantly improve the performances of machine learning models in fault-proneness prediction.
... B [1] is a method for specifying, designing, and coding software systems. It covers central aspects of the software life cycle ( Fig. 1): the writing of the technical specification, the design by successive refinement steps and model decomposition (layered architecture), and the source code generation. ...
Despite significant advancements in the design of formal integrated development environments, applying formal methods in software industry is still perceived as a difficult task. To ease the task, providing tools that help during the development cycle is essential but proper education of computer scientists and software engineers is also an important challenge to take up. This paper summarises our experience of 20 years spent in the education of engineers, either colleagues or customers, and students, together with the parallel design and improvement of supporting modelling tools.
... Our concept with components (machines) and subcomponents is similar to the 'include' of B machines into others (see [1], chapter 7), although our individual operations (called events in B) are not assumed to be atomic (B disallows recursion, loops and sequential composition in operations). ...
Interactive theorem provers typically use abstract algebraic data structures to focus on algorithmic correctness. Verification of programs in real programming languages also has to deal with pointer structures, aliasing and, in the case of C, memory management. While progress has been made by using Separation Logic, direct verification of code still has to deal with both aspects at once. In this paper, we show a refinement-based approach that separates the two issues by using a suitable modular structure. We exemplify the approach with a correctness proof for red-black trees, demonstrating that our approach can generate efficient C code that uses parent pointers and avoids recursion. The proof is split into a large part almost identical to high-level algebraic proofs and a separate small part that uses Separation Logic to verify primitive operations on pointer structures.
Model execution allows us to prototype and analyse software engineering models by stepping through their possible behaviours, using techniques like animation and simulation. On the other hand, deductive verification allows us to construct formal proofs demonstrating satisfaction of certain critical properties in support of high-assurance software engineering. To ensure coherent results between execution and proof, we need unifying semantics and automation. In this paper, we mechanise Interaction Trees (ITrees) in Isabelle/HOL to produce an execution and verification framework. ITrees are coinductive structures that allow us to encode infinite labelled transition systems, yet they are inherently executable. We use ITrees to create verification tools for stateful imperative programs, concurrent programs with message passing in the form of the CSP and Circus languages, and abstract system models in the style of the Z and B methods. We demonstrate how ITrees can account for diverse semantic presentations, such as structural operational semantics, a relational program model, and CSP's failures-divergences trace model. Finally, we demonstrate how ITrees can be executed using the Isabelle code generator to support the animation of models.
The article focuses on the continuous improvement of Atelier B’s automatic proof capabilities since its industrialisation in the 90s. The evolution of Atelier B addressed challenges in proof obligations generation and optimisation, adapting to new languages like Event-B and incorporating newer formats for easier analysis and third-party prover connections. Significant developments include enhancing the proof system to handle complex proof obligations efficiently and integrating external provers for improved proof capabilities. The article also showcases B’s industrial applications in critical sectors, emphasising the method’s importance in safety-critical software development and the ongoing efforts to facilitate proof activities and integrate AI for better proof automation.
This research paper explores the critical importance of ensuring safety and reliability in communication-based train control (CBTC) systems through the application of formal verification methods. CBTC systems, which rely heavily on wireless communication and automated traffic management to control train movements, are integral to modern urban transit networks. However, the inherent complexities and the critical nature of these systems demand rigorous safety assurances to prevent potential failures that could lead to catastrophic accidents. The study delves into various formal verification techniques such as model checking, theorem proving, and static analysis, which are employed to validate and verify the correctness and reliability of the software and communication protocols used in CBTC systems. By implementing these formal methods, the research demonstrates how theoretical safety guarantees can be practically applied to enhance system reliability and operational safety. Case studies on existing urban transit systems are presented to illustrate the practical challenges and the effectiveness of formal verification in real-world applications. The paper concludes that formal verification, while complex and resource-intensive, is indispensable for the development of fail-safe CBTC systems and recommends its integration into the standard development lifecycle of transit software systems.
Formal, mathematically rigorous programming language semantics are the essential prerequisite for the design of logics and calculi that permit automated reasoning about concurrent programs. We propose a novel modular semantics designed to align smoothly with program logics used in deductive verification and formal specification of concurrent programs. Our semantics separates local evaluation of expressions and statements performed in an abstract, symbolic environment from their composition into global computations, at which point they are concretised. This makes incremental addition of new language concepts possible, without the need to revise the framework. The basis is a generalisation of the notion of a program trace as a sequence of evolving states that we enrich with event descriptors and trailing continuation markers. This allows to postpone scheduling constraints from the level of local evaluation to the global composition stage, where well-formedness predicates over the event structure declaratively characterise a wide range of concurrency models. We also illustrate how a sound program logic and calculus can be defined for this semantics.
Recent privacy laws and regulations raise the stakes in verifying that software systems respect user consent. The current state of the art shows that privacy by design and formal methods can help. Still, ensuring the validity of privacy properties, in particular consent properties, at different stages of software development, is hard. This paper proposes a step towards solving this issue by introducing a new tool, named CASTT, that allows software engineers to verify consent properties at two different development stages: system modeling and code verification. To describe the system, this paper introduces a new formal context specification language, named CSpeL, to specify the key elements involved in consent and their relationships. The tool is evaluated on two use cases targeting different application domains: healthcare and website. We also evaluate the correctness and the efficiency of our tool.KeywordsPrivacySpecification LanguageFormal Verification
Event-B is a formal method for describing and verifying systems at the system level. It enables a refining technique to design the system incrementally. Using Event-B notations to define system requirements can be quite abstract for complex requirements. The primary Event-B components uphold several relationships with context, machines, and events. The RODIN is the standard tool support to verify Event-B models. Using RODIN can sometimes be difficult when building the models and maintaining all the relationships. Leveraging the system’s graphical depiction would be preferable. In this paper, we provide a web-based graphical assistance tool. Graphic representations are offered for the components of Event-B. The refinement relationships between the components are automatically generated by the tool’s first module, G2E. It upholds the stated sequence of events. The component relationships of the Event-B model can be graphically defined in a single window, and the Event-B files are generated automatically. An executable Python class is produced by the second module (E2P) for further verification. The suggested module encourages early verification of crucial criteria while allowing for design flexibility through autonomous code generation. A district healthcare model is designed for Covid19 management using the proposed frameworks and verified.
We present WasmRef-Isabelle, a monadic interpreter for WebAssembly written in Isabelle/HOL and proven correct with respect to the WasmCert-Isabelle mechanisation of WebAssembly. WasmRef-Isabelle has been adopted and deployed as a fuzzing oracle in the continuous integration infrastructure of Wasmtime, a widely used WebAssembly implementation. Previous efforts to fuzz Wasmtime against WebAssembly's official OCaml reference interpreter were abandoned by Wasmtime's developers after the reference interpreter exhibited unacceptable performance characteristics, which its maintainers decided not to fix in order to preserve the interpreter's close definitional correspondence with the official specification. With WasmRef-Isabelle, we achieve the best of both worlds - an interpreter fast enough to be useable as a fuzzing oracle that also maintains a close correspondence with the specification through a mechanised proof of correctness.
We verify the correctness of WasmRef-Isabelle through a two-step refinement proof in Isabelle/HOL. We demonstrate that WasmRef-Isabelle significantly outperforms the official reference interpreter, has performance comparable to a Rust debug build of the industry WebAssembly interpreter Wasmi, and competes with unverified oracles on fuzzing throughput when deployed in Wasmtime's fuzzing infrastructure. We also present several new extensions to WasmCert-Isabelle which enhance WasmRef-Isabelle's utility as a fuzzing oracle: we add support for a number of upcoming WebAssembly features, and fully mechanise the numeric semantics of WebAssembly's integer operations.
Proving theorems and properties on B models, recursively-defined functions is a convenient tool which is missing in B proofs. The main contribution of this paper is the definition of a new theory without new concrete types and without axioms to enable the use of constructions by induction; This theory has been specified and proved within the Theory Plugin in Rodin. This induction theory clearly improves the existing B prover. This is illustrated in this paper by the implementation of ZFC in the Theory Plugin.
This paper surveys certain Communities of Practice (CoP) in the field of formal methods for software engineering, especially with respect to state-based notations, using personal knowledge and experience. The multiple communities involved with formal methods are examined here as related CoPs. In this context, the CoPs are open communities encouraging participation by all those interested both in research and application. The authors have been involved with formal methods over several decades and for most of their careers, and it is hoped that the observations in this paper may help future community building to further the development of formal methods, and software engineering in general. The paper also relates the concepts of Networks of Practice (NoP) and Landscapes of Practice (LoP) to formal methods research and practice, and gives a brief introduction to the possibility of visualizing formal methods CoPs. A substantial bibliography is included at the end of the paper.
The Unified Modeling Language (UML) is a standard for modeling dynamic systems. UML behavioral state machines are used for modeling the dynamic behavior of object-oriented designs. The UML specification, maintained by the Object Management Group (OMG), is documented in natural language (in contrast to formal language). The inherent ambiguity of natural languages may introduce inconsistencies in the resulting state machine model. Formalizing UML state machine specification aims at solving the ambiguity problem and at providing a uniform view to software designers and developers. Such a formalization also aims at providing a foundation for automatic verification of UML state machine models, which can help to find software design vulnerabilities at an early stage and reduce the development cost. We provide here a comprehensive survey of existing work from 1997 to 2021 related to formalizing UML state machine semantics for the purpose of conducting model checking at the design stage.
ResearchGate has not been able to resolve any references for this publication.