Event-B Method Research Articles

Web Service Compensation at Runtime: Formal Modeling and Verification Using the Event-B Refinement and Proof Based Formal Method

One of the key interests in web services is the ability to compose them in order to build more powerful and complex ones running in an interoperable and distributed setting. Several languages, like BPEL, that describe such services have been proposed. Similar to the usual complex systems, web service compositions may exhibit inappropriate behaviors in the presence of failures. Compensation mechanisms are available to express running services recovery in case of failures. This paper addresses the problem of the correct design of web service compositions in case of failures. It presents a novel correct-by-construction formal approach based on refinement using the Event-B method. The proposed approach defines a compensation mechanism to repair failed services at runtime. It addresses not only behavioral aspects but also, functional ones through the introduction of repairing invariants whose persistence is enforced during compensation at runtime. Different compensation scenarios and modes are addressed. A formal model for equivalent, degraded and upgraded service compensations relying on the Event-B formalization is defined. The proposal is illustrated on a case study.

Comparison of specification decomposition methods in Event-B

Decomposition is an important phase in the design of medium and large-scale systems. Various architectures of software systems and decomposition methods are studied in numerous publications. Presently, formal specifications of software systems are mainly used for experimental purposes; for this reason, their size and complexity are relatively low. As a result, in the development of a nontrivial specification, different approaches to the decomposition should be compared and the most suitable approach should be chosen. In this paper, the experience gained in the deductive verification of the formal specification of the mandatory entity-role model of access and information flows control in Linux (MROSL DP-model) using the formal Event-B method and stepwise refinement technique is analyzed. Two approaches to the refinementbased decomposition of specifications are compared and the sources and features of the complexity of the architecture of the model are investigated.

Formal refinement of extended state machines

In a traditional formal development process, e.g. using the B method, the informal user requirements are (manually) translated into a global abstract formal specification. This translation is especially difficult to achieve. The Event-B method was developed to incrementally and formally construct such a specification using stepwise refinement. Each increment takes into account new properties and system aspects. In this paper, we propose to couple a graphical notation called Algebraic State-Transition Diagrams (ASTD) with an Event-B specification in order to provide a better understanding of the software behaviour. The dynamic behaviour is captured by the ASTD, which is based on automata and process algebra operators, while the data model is described by means of an Event-B specification. We propose a methodology to incrementally refine such specification couplings, taking into account new refinement relations and consistency conditions between the control specification and the data specification. We compare the specifications obtained using each approach for readability and proof complexity. The advantages and drawbacks of the traditional approach and of our methodology are discussed. The whole process is illustrated by a railway CBTC-like case study. Our approach is supported by tools for translating ASTD's into B and Event-B into B.

A correct-by-construction model for asynchronously communicating systems

The design and verification of distributed software systems is often hindered by their ever-increasing complexity and their asynchronous operational semantics. This article considers choreography specifications for distributed systems to reduce that complexity. We use labelled state-transitions systems as ground model for both choreographies and the corresponding distributed systems. Based on Event-B method, we propose a stepwise correct-by-construction model to build asynchronous distributed systems which a priori realise their choreographies. We rely on a sufficient and necessary realisability condition and we apply several refinement steps w.r.t. that condition to generate the distributed peers. The first refinement returns peer behaviours obtained by synchronous projection. The previously computed system is then refined into its asynchronous version using unbounded FIFO buffers. We prove, thanks to invariant preservation, that a sequence of exchanged messages is preserved at each refinement step. We provide a formalised proof of a realisability algorithm for deterministic choreographies. Besides that, our contribution is twofold: the approach is a priori and the problackposed solution scales up to any number of peers communicating with each other.

A refinement-based approach for building valid SOA design patterns

Although design patterns have become increasingly popular, most of them are presented in an informal way, which can give rise to ambiguity and may lead to their incorrect usage. Patterns proposed by the SOA design pattern community are described with informal visual notations. Modelling SOA design patterns with a standard formal notation contributes to avoid misunderstanding by software architects and helps endowing design methods with refinement approaches for mastering system architectures complexity. In this paper, we present a formal refinement-based approach that aims, first, to model message-oriented SOA design patterns with the SoaML standard language, and second to formally specify these patterns at a high level of abstraction using the Event-B method. These two steps are performed before undertaking the effective coding of a design pattern providing correct by construction pattern-based software architectures. Our approach is experimented through an example we present in this paper. We implemented our approach under the Rodin platform, which we use to prove model consistency.

A Mechanically Proved and an Incremental Development of the Session Initiation Protocol INVITE Transaction

The Session Initiation Protocol (SIP) is an application layer signaling protocol used to create, manage, and terminate sessions in an IP based network. SIP is considered as a transactional protocol. There are two main SIP transactions, the INVITE transaction and the non-INVITE transaction. The SIP INVITE transaction specification is described in an informal way in Request for Comments (RFC) 3261 and modified in RFC 6026. In this paper we focus on the INVITE transaction of SIP, over reliable and unreliable transport mediums, which is used to initiate a session. In order to ensure the correctness of SIP, the INVITE transaction is modeled and verified using event-B method and its Rodin platform. The Event-B refinement concept allows an incremental development by defining the studied system at different levels of abstraction, and Rodin discharges almost all proof obligations at each level. This interaction between modeling and proving reduces the complexity and helps in assuring that the INVITE transaction SIP specification is correct, unambiguous, and easy to understand.

Petri Nets to B-Language Transformation in Software Development

Petri nets and B-Method represent a pair of formal methods, for computer systems engineering, with interesting complementary features. Petri nets have nice graphical representation, valuable analytical properties and can express concurrency. B- Method supports verified software development. To gain from these complements, a mapping from Petri nets to the language of B-Method has been defined and its correctness proved. This paper presents, by means of a case study, the usefulness of incorporation of Petri net designs in a software application developed by B-Method. Modifications of this mapping intended for the Event-B method and treatment of concurrency are also discussed.

Combining Formal Methods for the Development of Reactive Systems

This article deals with the use of two verification approaches: theorem proving and model checking. We focus on the Event-B method by using its associated theorem proving tool (Click_n_Prove), and on the language TLA + by using its model checker TLC. By considering the limitation of the Event-B method to invariance properties, we propose to apply the language TLA + to verify liveness properties on a software behavior. We extend first the expressivity and the semantics of a B model (called temporal B model ) to deal with the specification of fairness and eventuality properties. Second, we give transformation rules from a temporal B model into a TLA + module. We present in particular, our prototype system called B2TLA + , that we have developed to support this transformation; then we can verify these properties thanks to the model checker TLC on finite state systems. For the verification of infinite-state systems, we propose the use of the predicate diagrams. We illustrate our approach on a case study of a parcel sorting system.

Experiments in program verification using Event-B

Abstract The Event-B method can be used to model all sorts of discrete event systems, among them sequential programs. In this article we describe our experiences with using Event-B by way of two examples. We present a simple model of a factorial program, explaining the method, and a more intricate model of the Quicksort algorithm, providing some insights into strengths and weaknesses of Event-B. The two models are interspersed with our observations and some suggestions of how, we believe, Event-B could evolve. This evaluation of Event-B is intended to serve for determining directions for the evolution of Event-B and judging progress. It is our hope that the observations and suggestions can also be put to use for similar modelling formalisms, such as Z, ASM or VDM.

A Component-Based Approach for the Development of Automated Systems

This paper addresses a component-based approach using the Event-B method to develop automated systems. These systems are composed of two parts: the control part (controller) and the operative part (controlled component). The first is a software component which controls the operative part that models the physical device and its environment. We propose in this paper the use of the formal Event-B method to develop automated systems applying a codesign technique, where the two components are developed separately, and then, a composition is defined with the Event-B method to prove the automated system correctness. First of all, we define a specification for the composition of these two components in the Event-B method. Second, we give refinement semantics for a component-based system before proposing a method to verify the refinement of a whole system from that of its components.

Embedding and Verification of ZigBee Protocol Stack in Event-B

ZigBee is a specification that enhances the IEEE 802.15.4 standard by adding network and security layers and an application framework for high level communication in Wireless Sensor Networks (WSN). Since ZigBee is essential in the operation of WSN; it is imperative to verify the correctness of its design. Formal methods can be used efficiently to verify a wide range of systems, including ZigBee protocol stack specification. In this paper we use Event-B formal verification method to model and verify ZigBee protocol stack by providing embedding of the protocol primitives in Event-B. Our approach takes advantage of the Event-B method capabilities to model designs at different levels of abstraction which fits the layered nature of the protocol.

Event-B method and liveness properties

Event-B method and liveness properties

A formal approach for the development of reactive systems

Context This paper deals with the development and verification of liveness properties on reactive systems using the Event-B method. By considering the limitation of the Event-B method to invariance properties, we propose to apply the language TLA + to verify liveness properties on Event-B models. Objective This paper deals with the use of two verification approaches: theorem proving and model-checking, in the construction and verification of safe reactive systems. The theorem prover concerned is part of the Click_n_Prove tool associated to the Event-B method and the model checker is TLC for TLA + models. Method To verify liveness properties on Event-B systems, we extend first the expressivity and the semantics of a B model (called temporal B model) to deal with the specification of fairness and eventuality properties. Second, we propose semantics of the extension over traces, in the same spirit as TLA + does. Third, we give verification rules in the axiomatic way of the Event-B method. Finally, we give transformation rules from a temporal B model into a TLA + module. We present in particular, our prototype system called B2TLA +, that we have developed to support this transformation; then we can verify liveness properties thanks to the model checker TLC on finite state systems. For the verification of infinite-state systems, we propose the use of the predicate diagrams and its associated tool DIXIT. As the B refinement preserves invariance properties through refinement steps, we propose some rules to get the preservation of liveness properties by the B refinement. Results The proposed approach is applied for the development of some reactive systems examples and our prototype system B2TLA + is successfully used to transform a temporal B model into a TLA + module. Conclusion The paper successfully defines an approach for the specification and verification of safety and liveness properties for the development of reactive systems using the Event-B method, the language TLA + and the predicate diagrams with their associated tools. The approach is illustrated on a case study of a parcel sorting system.

Proving Quicksort Correct in Event-B

The Event-B method can be used to model all sorts of discrete event systems, among them sequential programs. We have made the experience that the minimalist nature of Event-B is of advantage when it comes to tool support and to using proof as a means to analyse a model. The downside of the minimalism is that when models get more complex the lack of structure in the models can make them cluttered with auxiliary variables. System decomposition will not solve this problem. This can not be reasonably applied to a sequential program.In this article we describe our experiences with using Event-B by way of an example. We show how we verified iterative Quicksort in Event-B and intersperse our observations and criticisms. We use them to formulate some suggestions of how we believe Event-B should evolve in future. Some of the minimalism may have to be abandoned in favour of more clarity of the produced formal models.

Proved development of the real-time properties of the IEEE 1394 Root Contention Protocol with the event-B method

We present a model of the IEEE 1394 Root Contention Protocol with a proof of Safety. This model has real-time properties which are expressed in the language of the event-B method: first-order classical logic and set theory. Verification is done by proof using the event-B method and its prover, we also have a way to model-check models. Refinement is used to describe the studied system at different levels of abstraction: first without time to fix the scheduling of events abstractly, and then with more and more time constraints.

Linking Event-B and Concurrent Object-Oriented Programs

The Event-B method is a formal approach to modelling systems, using refinement. Initial specification is done at a high level of abstraction; detail is added in refinement steps as the development proceeds toward implementation. In software systems that use concurrent processing it is necessary to provide details of concurrent features before implementation. Our contribution is to show how Event-B models can be linked to concurrent, object-oriented implementations using an intermediate, object-oriented style specification notation. To validate our approach and gain further insight we automated the translation process with an Eclipse plug-in which produces an Event-B model and Java code. We call the new notation Object-oriented Concurrent-B (OC-B). The notation facilitates specification of the concurrent aspects of a development, and facilitates reasoning about concurrency issues in an abstract manner. We abstract away implementation details, such as locking, and provide the developer with a clear view of atomicity using labelled atomic clauses. We build on techniques introduced in UML-B to model object-oriented developments, introducing non-atomic operations and features for specifying implementation level details.