Conference Paper

Inferring Physical Units in B Models

Authors:
To read the full-text of this research, you can request a copy directly from the authors.

Abstract

Most state-based formal methods, like B, Event-B or Z, provide support for static typing. However, these methods and the associated tools lack support for annotating variables with (physical) units of measurement. There is thus no obvious way to reason about correct or incorrect usage of such units. In this paper we present a technique that analyses the usage of physical units throughout a B machine, infers missing units and notifies the user of incorrectly handled units. The technique combines abstract interpretation with classical animation and model checking and has been integrated into the ProB validation tool, both for classical B and for Event-B. It provides source-level feedback about errors detected in the models. The plugin uses a combination of abstract interpretation and constraint solving techniques. We provide an empirical evaluation of our technique, and demonstrate that it scales up to real-life industrial models.

No full-text available

Request Full-text Paper PDF

To read the full-text of this research,
you can request a copy directly from the authors.

Article
Ensuring computations are unit-wise consistent is an important task in software development. Numeric computations are usually performed with primitive types instead of abstract data types, which results in very weak static guarantees about correct usage and conversion of units. This paper presents PUnits, a pluggable type system for expressive units of measurement types and a precise, whole-program inference approach for these types. PUnits can be used in three modes: (1) modularly check the correctness of a program, (2) ensure a possible unit typing exists, and (3) annotate a program with units. Annotation mode allows human inspection and is essential since having a valid typing does not guarantee that the inferred specification expresses design intent. PUnits is the first units type system with this capability. Compared to prior work, PUnits strikes a novel balance between expressiveness, inference complexity, and annotation effort. We implement PUnits for Java and evaluate it by specifying the correct usage of frequently used JDK methods. We analyze 234k lines of code from eight open-source scientific computing projects with PUnits. We compare PUnits against an encapsulation-based units API (the javax.measure package) and discovered unit errors that the API failed to find. PUnits infers 90 scientific units for five of the projects and generates well-specified applications. The experiments show that PUnits is an effective, sound, and scalable alternative to using encapsulation-based units APIs, enabling Java developers to reap the performance benefits of using primitive types instead of abstract data types for unit-wise consistent scientific computations.
Article
Robot software risks the hazard of dimensional inconsistencies. These inconsistencies occur when a program incorrectly manipulates values representing real-world quantities. Incorrect manipulation has real-world consequences that range in severity from benign to catastrophic. Previous approaches detect dimensional inconsistencies in programs but require extra developer effort and technical complications. The extra effort involves developers creating type annotations for every variable representing a real-world quantity that has physical units, and the technical complications include toolchain burdens like specialized compilers or type libraries. To overcome the limitations of previous approaches, this thesis presents novel methods to detect dimensional inconsistencies without developer annotations. We start by empirically assessing the difficulty developers have in making type annotations. In a human study of 83 subjects, we find that developers are only 51% accurate and require more than 2 minutes per annotation. We further find that type suggestions have a significant impact on annotation accuracy. We find that when showing developers annotation suggestions, three suggestions are better than a single suggestion because they are as helpful when correct and less harmful when incorrect. Since developers struggle to make type annotations accurately, we present a novel method to infer physical unit types without developer annotations. This is novel because it is the first method to detect dimensional inconsistencies in ROS C++ without developer annotations, and this is important because robot software and ROS are increasingly used in real-world applications. Our method leverages a property of robotic middleware architecture that reuses standardized data structures, and we implement our method in an open-source tool, Phriky. We evaluate our method empirically on a corpus of 5.9 M lines of code and find that it detects real inconsistencies with an 87% TP rate. However, our method only assigns physical unit types to 25% of variables, leaving much of the annotation space unaddressed. To overcome these limitations, we extend our method to utilize uncertain evidence in identifiers using probabilistic reasoning. We implement our new probabilistic method in a tool Phys and find that it assigns units to 75% of variables while retaining a TP rate of 82%. We present the first open dataset of dimensional inconsistencies in open-source robotics code, to our knowledge. Lastly, we identify extensions to our work and next steps for software tool developers to build more powerful robot software development tools. Advisers: Sebastian Elbaum and Carrick Detweiler
Article
Most state-based formal methods, like B, Event-B or Z, provide support for static typing. However, these methods and the associated tools lack support for annotating variables with (physical) units of measurement. There is thus no obvious way to reason about correct or incorrect usage of such units. We present a technique that analyzes the usage of physical units throughout B and Event-B machines infers missing units and notifies the user of incorrectly handled units. The technique combines abstract interpretation with classical animation, constraint solving and model checking and has been integrated into the ProB validation tool, both for classical B and for Event-B. It provides source-level feedback about errors detected in the models. We also describe how to extend our approach to TLA +^+, an untyped formal language. We provide an in-depth empirical evaluation and demonstrate that our technique scales up to real-life industrial models.
Article
Full-text available
In scientific applications, dimensional analysis forms a basis for catching errors as it introduces a type-discipline into the equations and formulae. Dimensions in physical quantities are measured via their standard units. However, many programming and modeling tools provide limited support for incorporating these units into the variables. Thus, it is quite difficult for a programmer to ensure dimensional consistency in the code. Different existing standards for units further complicates this problem and an incautious use could cause inconsistencies, often with catastrophic results. In this paper, we propose an extension of the basic type system in CHARON, a language for modeling of hybrid systems, to include Unit and Dynamic data types. Through a combination of indirect user-guided annotations and typeinference, we address the problem of ensuring both dimensional consistency, and consistency with respect to different unitsystems. Further, we also introduce dynamic data typing, that allows programmers to specify entities that bind at runtime. Such abstractions are particularly useful to program controllers for dynamic environments. We illustrate these benefits with an example on mobile robots.
Conference Paper
Full-text available
The first step in building a cyber-physical system is the construction of a faithful model that captures the relevant behaviors. Dimensional consistency provides the first check on the correctness of such models and the physical quantities represented in it. Though manual analysis of dimensions is used in physical sciences to find errors in formulas, this approach does not scale to complex cyber-physical systems with many interacting components. We present DimSim, a tool to automatically check the dimensional consistency of a cyber-physical system modeled in Simulink. DimSim generates a set of constraints from the Simulink model for each subsystem in a modular way, and solves them using the Gauss-Jordan elimination method. The tool depends on user-provided dimension annotations, and it can detect both inconsistency and underspecification in the given dimensional constraints. In case of a dimensional inconsistency, DimSim can provide a minimal set of constraints that captures the cause of the inconsistency. We have applied DimSim to numerous examples from different embedded system domains. Experimental results show that the dimensional analysis in DimSim is scalable and is capable of uncovering critical errors in models of cyber-physical systems.
Conference Paper
Full-text available
In scientific applications, dimensional analysis forms a basis for catching errors as it introduces a type-discipline into the equations and formulae. Dimensions in physical quantities are measured via their standard units. However, many programming and modeling tools provide limited support for incorporating these units into the variables. Thus, it is quite difficult for a programmer to ensure dimensional consistency in the code. Different existing standards for units further complicates this problem and an incautious use could cause inconsistencies, often with catastrophic results. In this paper, we propose an extension of the basic type system in CHARON, a language for modeling of hybrid systems, to include unit and dynamic data types. Through a combination of indirect user-guided annotations and type-inference, we address the problem of ensuring both dimensional consistency, and consistency with respect to different unit-systems. Further, we also introduce dynamic data typing, that allows programmers to specify entities that bind at runtime. Such abstractions are particularly useful to program controllers for dynamic environments. We illustrate these benefits with an example on mobile robots
Conference Paper
Full-text available
Misuse of measurement units is a common source of errors in scientific applications, but standard type systems do not prevent such errors. Dimensional analysis in physics can be used to manually detect such errors in physical equations. It is, however, not feasible to perform such manual analysis for programs computing physical equations because of code complexity. In this paper, we present a type system to automatically detect potential errors involving measurement units. It is constraint-based: we model units as types and flow of units as constraints. However, standard type checking algorithms are not powerful enough to handle units because of their abelian group nature (e.g., being commutative, multiplicative, and associative). Our system combines techniques such as type inference and Gaussian Elimination to overcome this problem. We have implemented Osprey, a prototype of the system for C programs, and evaluated it on various test programs, including computational physics and mechanical engineering applications. Osprey discovered unknown errors in mature code; it is precise with few false positives; it is also efficient and scales to large programs---we have successfully used it to analyze programs with hundreds of thousands of lines of code.
Conference Paper
Full-text available
A program denotes computations in some universe of objects. Abstract interpretation of programs consists in using that denotation to describe computations in another universe of abstract objects, so that the results of abstract execution give some information on the actual computations. An intuitive example (which we borrow from Sintzoff [72]) is the rule of signs. The text -1515 * 17 may be understood to denote computations on the abstract universe {(+), (-), (±)} where the semantics of arithmetic operators is defined by the rule of signs. The abstract execution -1515 * 17 → -(+) * (+) → (-) * (+) → (-), proves that -1515 * 17 is a negative number. Abstract interpretation is concerned by a particular underlying structure of the usual universe of computations (the sign, in our example). It gives a summary of some facets of the actual executions of a program. In general this summary is simple to obtain but inaccurate (e.g. -1515 + 17 → -(+) + (+) → (-) + (+) → (±)). Despite its fundamentally incomplete results abstract interpretation allows the programmer or the compiler to answer questions which do not need full knowledge of program executions or which tolerate an imprecise answer, (e.g. partial correctness proofs of programs ignoring the termination problems, type checking, program optimizations which are not carried in the absence of certainty about their feasibility, …).
Conference Paper
Full-text available
We consider modelling indispensable for the development of complex systems. Modelling must be carried out in a formal notation to reason and make meaningful conjectures about a model. But formal mod- elling of complex systems is a dicult task. Even when theorem provers improve further and get more powerful, modelling will remain dicult. The reason for this that modelling is an exploratory activity that requires ingenuity in order to arrive at a meaningful model. We are aware that automated theorem provers can discharge most of the onerous trivial proof obligations that appear when modelling systems. In this article we present a modelling tool that seamlessly integrates modelling and prov- ing similar to what is oered today in modern integrated development environments for programming. The tool is extensible and configurable so that it can be adapted more easily to dierent application domains and development methods.
Conference Paper
Full-text available
Continuous action systems (CAS) is a formalism intended for modeling hybrid systems (systems that combine discrete control with continuous behavior), and proving properties about the model within refinement calculus. We use a symbolic manipulation program to build a tool for simulating CAS models by, calculating symbolically the time evolution of the discrete and continuous CAS model functions, as explicit and exact expressions of a continuous time variable. We may then study the time behavior and general properties of the model by plotting these functions with respect to time. For certain models our tool eliminates the need for introducing tolerances into the model structure. The tool is useful for checking that the model behaves correctly, and we can sometimes study the behavior of CAS models with in principle infinite precision.
Article
Full-text available
Most specification languages have a type system. Type systems are hard to get right, and getting them wrong can lead to inconsistencies. Set theory can serve as the basis for a specification language without types. This possibility, which has been widely overlooked, offers many advantages. Untyped set theory is simple and is more flexible than any simple typed formalism. Polymorphism, overloading, and subtyping can make a type system more powerful, but at the cost of increased somplexity, and such refinements can never attain the flexibility of having no types at all. Typed formalisms have advantages, too, stemming from the power of mechanical type checking. While types serve little purpose in hand proofs, they do help with mechanized proofs. In the absence of verificaiton, type checking can catch errors in specifications. It may be possible to have the best of both worlds by adding typing annotations to an untyped specification language. We consider only specification languages, not programming languages.
Article
Tribute Foreword Introduction Part I. Mathematics: 1. Mathematical reasoning 2. Set notation 3. Mathematical objects Part II. Abstract Machines: 4. Introduction to abstract machines 5. Formal definition of abstract machines 6. Theory of abstract machines 7. Constructing large abstract machines 8. Examples of abstract machines Part III. Programming: 9. Sequencing and loop 10. Programming examples Part IV. Refinement: 11. Refinement 12. Constructing large software systems 13. Examples of refinement Appendixes Index.
Conference Paper
This paper contains the development of hybrid systems in Event-B and the Rodin Platform. It follows the seminal approach introduced at the turn of the century in Action Systems. Many examples illustrate our approach.
Article
The booklet is the U.S. edition of the English language translation of the 6th edition of Le Systeme International d'Unites (SI), the definitive reference on the SI published in 1991 by the International Bureau of Weights and Measures (BIPM) in the French language. The U.S. edition conforms in substance with the English language translation that follows the French language text in the BIPM publication. To make the booklet helpful to the broadest community of users in the U.S., it was necessary to follow current Federal policy, to recognize present U.S. practices as they are found in the literature of the authors domestic voluntary standards organizations such as ASTM and IEEE, and to use American spelling of certain words.
Conference Paper
We present ProB, an animation and model checking tool for the B method. ProB's animation facilities allow users to gain con- fidence in their specifications, and unlike the animator provided by the B-Toolkit, the user does not have to guess the right values for the ope- ration arguments or choice variables. ProB contains a temporal and a state-based model checker, both of which can be used to detect various errors in B specifications. ProB enables users to uncover errors that are not easily discovered by existing tools.
Article
The ability to handle units of measure in a programming environment together with numerical quantities in scientific and engineering programs helps greatly in achieving computational safety as well as code and data readability. It allows for dimensional analysis, thus safeguarding against erroneous combination of values of different dimensionality, e.g. adding distances to masses, or against scaling errors, e.g. assigning distances measured in inch to variables supposed to hold centimeters. Associating values and variables with units of measure explicitly clarifies code and data and---given a clever compiler---allows for the above-mentioned dimensional analysis to be performed at compile time. If extended to input and output of user data, it might free the user from the burden to perform proper scaling himself when entering data conforming to program-defined units of measure. And it might allow for easy customization of output in order to present computational results to users familiar with different sets of units of measure, e.g. British and American use of units versus metric units.
Conference Paper
Units-of-measure are to science what types are to programming. In science and engineering, dimensional and unit consistency provides a first check on the correctness of an equation or formula, just as in programming the validation of a program by the type-checker eliminates one possible reason for failure.
Conference Paper
this paper we show how to adddimensions to the simply-typed lambda calculus, and we show that everytypable dimension-preserving term has a principal type. The principal typeis unique up to a choice of basis.
Book
A practical text suitable for an introductory or advanced course in formal methods, this book presents a mathematical approach to modelling and designing systems using an extension of the B formal method: Event-B. Based on the idea of refinement, the author's systematic approach allows the user to construct models gradually and to facilitate a systematic reasoning method by means of proofs. Readers will learn how to build models of programs and, more generally, discrete systems, but this is all done with practice in mind. The numerous examples provided arise from various sources of computer system developments, including sequential programs, concurrent programs and electronic circuits. The book also contains a large number of exercises and projects ranging in difficulty. Each of the examples included in the book has been proved using the Rodin Platform tool set, which is available free for download at www.event-b.org.
Book
The B method is a means for specifying, designing and coding software systems. The long-awaited B Book is the standard reference for everything concerning this method. It contains the mathematical basis on which it is founded, the precise definitions of the notations used, and a large number of examples illustrating its use in practice. J.-R. Abrial, the inventor of B, has written the book in such a way that it can be used for self-study or for reference. It is in four parts, the first dealing with the mathematical foundations, including a systematic construction of predicate logic and set theory, and the definition of the various mathematical structures that are needed to formalize software systems; the author places special emphasis on the notion of proof. The second part contains a presentation of the Generalized Substitution Language and of the Abstract Machine Notation, which are both used to specify software systems; the author gives examples to show how large specifications can be constructed systematically. The next part introduces the two basic programming features of sequencing and loop, with examples showing how to construct small algorithms. The last part covers the very important notion of refinement. It shows how to construct large software systems by means of layered architectures of modules. It culminates with the presentation of several examples of complete development with a special emphasis on the methodological approach. Finally, appendices give summaries of all the logical and mathematical definitions, and of all the rules and proof obligations. With the appearance of The B Book, formal methods practitioners, computer scientists, and systems developers at last will have access to the definitive account of what will become one of the standard approaches to the construction of software systems.
Book
Hybrid systems are models for complex physical systems and have become a widely used concept for understanding their behavior. Many applications are safety-critical, including car, railway, and air traffic control, robotics, physical-chemical process control, and biomedical devices. Hybrid systems analysis studies how we can build computerized controllers for physical systems which are guaranteed to meet their design goals. The author gives a unique, logic-based perspective on hybrid systems analysis. It is the first book that leverages the power of logic for hybrid systems. The author develops a coherent logical approach for systematic hybrid systems analysis, covering its theory, practice, and applications. It is further shown how the developed verification techniques can be used to study air traffic and railway control systems. This book is intended for researchers, postgraduates, and professionals who are interested in hybrid systems analysis, cyberphysical or embedded systems design, logic and theorem proving, or transportation and automation. © Springer-Verlag Berlin Heidelberg 2010. All rights are reserved.
Article
We present ProB, a validation toolset for the B method. ProB's automated animation facilities allow users to gain confidence in their specifications. ProB also contains a model checker and a refinement checker, both of which can be used to detect various errors in B specifications. We describe the underlying methodology of ProB, and present the important aspects of the implementation. We also present empirical evaluations as well as several case studies, highlighting that ProB enables users to uncover errors that are not easily discovered by existing tools.
Article
In the physical sciences and engineering, units of measurement provide a valuable aid to both the exposition and comprehension of physical systems. In addition, they provide an error checking facility comparable to static type checking commonly found with programming languages. It is argued that units of measurement can provide similar benefits in the specification and design of software and computer systems. To demonstrate this, we present an extension of the Z specification notation with support for the incorporation of units in specifications and demonstrate the feasibility of static dimensional analysis of the resulting language.
The SMT-LIB Standard: Version 2.0
  • C Barrett
  • A Stump
  • C Tinelli
SimCheck: An expressive type system for Simulink
  • P Roy
  • N Shankar
A Java extension with support for dimensions
  • A Van Delft
  • A. Delft van
Automatic dimensional inference
  • M Wand
  • P Keefe