Content uploaded by Steve Schneider
Author content
All content in this area was uploaded by Steve Schneider
Content may be subject to copyright.
Communicating B Machines
Abstract
This paper describes a way of using the process algebra CSP to enable controlled interaction between concurrent B machines. This approach supports compositional verification: each of the controlled machines, and the combination of controller processes, can be analysed and verified separately in such a way as to guarantee correctness of the combined communicating system. Reasoning about controlled machines separately is possible due to the introduction of guards and assertions into description of the controller processes in order to capture assumptions about other controlled machines and provide guarantees to the rest of the system. The verification process can be completely supported by different tools. The use of separate controller processes facilitates the iterative development and analysis of complex control flows within the system. The approach is motivated and illustrated with a non-trivial running example. Keywords: B-Method, CSP, Combining Formalisms, Concurrency. 1
... La méthode de spécification CSP||B [ST02] utilise les paradigmes de la méthode B et ceux de l'algèbre de processus CSP. Une machine B permet de décrire les modifications apportées par le système aux variables d'état. ...
... La combinaison de CSP et de B peut introduire des blocages de la spécification. Pour éviter ces blocages, Schneider et Treharne[ST02] montrent qu'il faut prouver (1) pour chaque couple de spécification (P i , M i ) où P i est un processus CSP et M i la machine B associée, que la spécification M i ||P i est sans divergence et (2) que la spécification || i∈[1..n] P i est sans blocage. ...
La spécification d’un système industriel nécessite la collaboration d’un ingénieur connaissant le système à modéliser et d’un ingénieur connaissant le langage de modélisation. L'utilisation d'un langage de spécification graphique, tel que les ASTD (Algebraic State Transition Diagram), permet de faciliter cette collaboration. Dans cette thèse, nous définissons une méthode de spécification graphique et formelle qui combine les ASTD avec les langages Event-B et B. L’ordonnancement des actions de la spécification est décrit par les ASTD et le modèle de données est décrit dans la spécification Event-B. La spécification B permet de vérifier la cohérence du modèle : les événements Event-B doivent pouvoir être exécutés lorsque les transitions associées doivent l’être. Un raffinement combiné des ASTD et d’Event-B permet la spécification incrémental du système. Afin de valider son apport, la méthode de spécification a été utilisée pour la spécification de cas d’études
... A number of scholars have proposed and demonstrated hybrid formalisms based on B or Event-B, annotated with flow-type notations that express control flow and/or execution order. In the interest of brevity we describe only one: the CSP B formalism introduced by Treharne and Schneider [45,46,47]. This approach combines components described in B and components described in (a restricted subset of) CSP: CSP events are matched with B operations such that the execution of a B operation is strictly guarded by the CSP process. ...
... Taking the central unit of translation as a 'controlled B machine' (that is, one B machine whose inputs and outputs are strictly controlled by one CSP process), the first step in translation is ensuring the consistency of the controlled machine. The process necessary to do so is concisely summarised by Colin et al. [49, p. 5] from [47,59,46]; to summarise the summary, the CSP process must be translated into a B machine (the rules for this translation are provided by [59]) in order for the consistency of the combination to be proven. Once this has been established, the set of B machines produced in the process may be translated into implementation code. ...
We investigate the application of formal models to the design and implementation of scalable, highly concurrent server applications. Through the construction and checking of formal models, important properties can be proven to hold. We discuss the literature on applications of formal design and analysis in the software development domain. We propose to automate the translation of formal models into implementation code suitable for deployment and empirical testing, and outline the current status of the research project. Lastly, we present a roadmap for our ongoing work.
... CSP has a denotational, an algebraic, and an operational semantics, which have been proved to be consistent. CSP also has extensions to deal with time (Schneider 2000), and has been combined with datamodelling notations to define state-rich process algebra (Schneider and Treharne 2002;Qin et al. 2003;Cavalcanti et al. 2003). ...
The process algebra CSP has been studied as a notation for model-based testing. Theoretical and practical work has been developed using its trace and failure semantics, and their refinement notions as conformance relations. Two sets of tests have been defined and proved to be exhaustive, in the sense that they can identify any SUT that is non-conforming with respect to the relevant refinement relation. However, these sets are usually infinite, and in this case, it is obviously not possible to apply them to verify the conformity of an SUT. Some classical selection criteria based on models have been studied. In this paper, we propose a procedure for online test generation for selection of finite test sets for traces refinement from CSP models. It is based on the notion of fault domains, focusing on the set of faulty implementations of interest. We investigate scenarios where the verdict of a test campaign can be reached after a finite number of test executions. We illustrate the usage of the procedure with some case studies.
p>This thesis presents a formal business process modelling language called StAC. The distinctive feature of this language is the concept of compensation, which can be defined as the action taken to correct any errors or when there is a change of plan. The motivation for developing StAC came from a collaboration with IBM concerning the extension of existing notions of compensation for business transactions within the BPBeans enterprise technology.
The StAC language supports sequential and concurrent processes, as well as compensation and early termination. A system specification has two components, the StAC processes that describe the system behaviour and compensation information, and the B specification that describes the system state and its basic operations. The language has two variants: the basic one that supports nested compensation; and an extended one where each process may have multiple compensations. Both StAC variants were applied to several examples and it emerged that both variants have features that make them useful to specify different types of systems. An operational semantics was defined for StAC extended with multiple compensation, and the interpretation of basic StAC was defined in terms of the extended language. An operational approach is also used to justify the integration of StAC processes with B operations.
A strategy for the refinement of StAC specifications is explored in this thesis. This strategy proposes to explicitly embed the behavioural and compensation information into a B machine. The machine obtained is standard B, allowing the use of the B notion of system refinement to prove the refinement of StAC specifications.
An extension to UML activity diagrams is defined as a way of making StAC more accessible to non-formal methods users. In UML a StAC specification is modelled by a class diagram that describes the data, and an activity diagram that describes the behaviour of the system.
StAC has formalised the notion of compensation while extending the notion of transaction compensation in several ways. The most relevant extensions are: the non-atomicity of compensation that allows a compensation to be a complex process and that a compensation itself can be compensated; and multiple compensation that allows a process to have several independent compensations.</p
When formal systems modelling is used as part of the development process, modellers need to understand the requirements in order to create appropriate models, and domain experts need to validate the final models to ensure they fit the needs of stakeholders. A suitable mechanism for such a validation are acceptance tests. In this paper we discuss how the principles of Behaviour-Driven Development (BDD) can be applied to (i) formal modelling and (ii) validation of behaviour specifications, thus coupling those two tasks. We show how to close the gap between the informal domain specification and the formal model, thus enabling the domain expert to write acceptance tests in a high-level language matching the formal specification. We analyse the applicability of this approach by providing the Gherkin scenarios for an formal model of a ‘fixed virtual block’ approach to train movement control, developed according to the Hybrid ERTMS/ETCS Level 3 principles specified by the EEIG ERTMS Users Group and presented as a case study on the 6. International ABZ Conference 2018.
Safety-Critical Java (SCJ) is an Open Group standard that defines a novel version of Java suitable for programming systems with various levels of criticality. SCJ enables real-time programming and certification of safety-critical applications. This tutorial presents SCJ and an associated verification technique to prove correctness of programs based on refinement. For modelling, we use the Open image in new window family of notations, which combine Z, CSP, Timed CSP, and object orientation. The technique caters for the specification of functional and timing requirements, and establishes the correctness of designs based on architectures that use the structure of missions and event handlers of SCJ. It also considers the integrated refinement of value-based specifications into class-based designs using SCJ scoped memory areas. As an example, we use an SCJ implementation of a widely used leadership-election protocol.
We describe an extension of imperative CSP with primitives to declare new event names and to exchange them by message passing between processes. We give examples in Mobile CSP to motivate the language design, and describe its semantic domain, based on the standard failures-divergences model for CSP, but also recording a dynamic event alphabet. The traces component is identical to the separation logic semantics of Hoare & O’Hearn. Our novel contribution is a semantics for mobile channels in CSP, described in Unifying Theories of Programming, that supports: compositionality with other language paradigms; channel faults, nondeterminism, deadlock, and livelock; multi-way synchronisation; and many-to-many channels. We compare and contrast our semantics with other approaches, including the -calculus, and consider implementation issues. As well as modelling reconfigurable systems, our extension to CSP provides semantics for techniques such as dynamic class-loading and the full use of dynamic dispatching and delegation.
This paper presents the specification of the hemodialysis case study, proposed by ABZ’16 conference. The specification was carried out by a coupling of Algebraic State-Transition Diagrams (astd) and B-like methods. astd are a graphical notation, based on automata and process algebra operators. They provide an easy-to-read specification of the dynamic behaviour of the system. The data model is specified using the Event-B language. The system is incrementally designed using extended refinement of both methods.
This work presents a conservative extension of OhCircus, a concurrent specification language, which integrates CSP, Z, object-orientation and embeds a refinement calculus. This extension supports the definition of process inheritance, where control flow, operations and state components are eligible for reuse. We present the extended OhCircus grammar and, based on Hoare and He’s Unifying Theories of Programming, we give the formal semantics of process inheritance and its supporting constructs. The main contribution of this work is a set of sound algebraic laws for process inheritance. The proposed laws are exercised in the development of a case study.
A model checker is an automatic tool that traverses a specific structure (normally a Kripke structure referred as the model M) to check the satisfaction of some (temporal) logical property f. This is formally stated as M⊧f. For some formal notations, the model M of a specification S (written in a formal language L) can be described as a labelled transition system (LTS). Specifically, it is not clear in general how usual tools such as SPIN, FDR, PAT, etc., create the LTS representation from a given process. Although one expects the coherence of the LTS generation with the semantics of L, it is completely hidden inside the model checker itself. In this paper we show how to create a model checker for L, using a development approach based on its operational semantics. We use a systematic semantics embedding and the formal modeling using logic programming and analysis (FORMULA) framework to this end. We illustrate our strategy considering the formal language COMPASS modelling language (CML)—a new language that was based on CSP, VDM and the refinement calculus proposed for modelling and analysis of systems of systems. As FORMULA is based on satisfiability modulo theories solving, our model checker can handle communications and predicates involving data with infinite domains by building and manipulating a symbolic LTS. This goes beyond the capabilities of traditional CSP model checkers such as FDR and PAT. Moreover, we show how to reduce time and space complexities by simple semantic modifications in the embedding. This allows a more semantics-preserving tuning. Finally, we show a real implementation of our model checker in an integrated development platform for CML and its practical use on an industrial case study.
The communicating sequential processes (CSP) formalism, introduced by Hoare, is an event-based approach to distributed computing. The action-system formalism, introduced by Back & Kurki-Suonio, is a state-based approach to distributed computing. Using weakest-precondition formulae, Morgan has defined a correspondence between action systems and the failures-divergences model for CSP. Simulation is a proof technique for showing refinement of action systems. Using the correspondence of Morgan, Woodcock & Morgan have shown that simulation is sound and complete in the CSP failures-divergences model. In this thesis, Morgan's correspondence is extended to the CSP infinite- traces model in order to deal more properly with unbounded nondeterminism. It is shown that simulation is sound in the infinite-traces model, though completeness is lost in certain cases. The new correspondence is then extended to include a notion of internal action. This allows the definition of a hiding operator for action systems that is shown to correspond to the CSP hiding operator. Rules for simulation steps involving internal actions are developed. A parallel operator for action systems is defined, in which interaction is based on synchronisation over shared actions. This operator is shown to correspond to the CSP parallel operator. The correspondence between action systems and CSP is extended again so that actions may have input and output parameters. This allows parallel action- systems to pass values on synchronisation. The original motivation for the work described in this thesis was the use of the action system formalism in the development of telecommunications systems, where interaction is often based on synchronised value-passing. The techniques developed here are applied to a series of case studies involving telecommunications-type systems. The techniques are used to refine and decompose abstract specifications of these systems into parallel sub-systems that interact via synchronised value-passing.
These notes present a coherent and comprehensive introduction to the theory and applications of Communicating Sequential Processes. Most of the illustrative examples have appeared earlier in PRG-22. The theory described in PRG-16 has been taken as the basis of a number of algebraic laws, which can be used for proofs of equivalence and can justify correctness-preserving transformations. A complete method for specifying processes and proving their correctness has been taken over from PRG-20 and PRG-23. Many of the concepts have been implemented in LISPKIT, as described in PRG-32.
Tribute Foreword Introduction Part I. Mathematics: 1. Mathematical reasoning 2. Set notation 3. Mathematical objects Part II. Abstract Machines: 4. Introduction to abstract machines 5. Formal definition of abstract machines 6. Theory of abstract machines 7. Constructing large abstract machines 8. Examples of abstract machines Part III. Programming: 9. Sequencing and loop 10. Programming examples Part IV. Refinement: 11. Refinement 12. Constructing large software systems 13. Examples of refinement Appendixes Index.
A state-based and an event-based approach to concurrency are linked: the traces, failures and divergences of CSP are expressed as weakest precondition formulae over Action Systems. The result is simpler than is obtained using relations for the state-based view; in particular, divergence is handled easily. Essential use is made of miracles.
In this paper, we describe an approach to the design of distributed systems with B AMN. The approach is based on the action-system formalism which provides a framework for developing state-based parallel reactive systems. More specifically, we use the so-called CSP approach to action systems in which interaction between subsystems is by synchronised message passing and there is no sharing of state. We show that the abstract machines of B may be regarded as action systems and show how reactive refinement and decomposition of action systems may be applied to abstract machines. The approach fits in closely with the stepwise refinement method of B.