Providing concurrent implementations for Event-B developments

The Event-B method is a formal approach to modelling systems which incorporates the notion of refinement. This work bridges the abstraction gap between the lowest level of Event-B refinement and a working implementation. We focus on the link between Event-B and concurrent, object-oriented implementations and introduce an intermediate, object-oriented style specification notation called Object-oriented Concurrent-B (OCB). The OCB level of abstraction hides implementation details of locking and blocking, and provides the developer with a clear view of atomicity using labelled atomic clauses. OCB non-atomic clauses are given Event-B semantics, and OCB atomic clauses map to atomic events. Automatic translation of an OCB specification gives rise to an Event-B model and Java source code. The Java program will have atomicity that corresponds to the formal model (and therefore OCB clauses), and structure that is derived from the OCB model. We introduce process and monitor classes. Process classes allow specification of interleaving behaviour using non-atomic constructs, where atomic regions are defined by labelled atomic clauses. Monitor classes may be shared between the processes and provide mutually exclusive access to the shared data using atomic procedure calls. Labelled atomic clauses map to events guarded by a program counter derived from the label. This allows us to model the ordered execution of the implementation. The approach can be applied to object-oriented systems in general, but we choose Java as a target for working programs. Java's built-in synchronisation mechanism is used to provide mutually exclusive access to data. We discuss some problems related to Java programming, with regard to locking and concurrency, and their effect on OCB. The OCB syntax and mappings to Event-B and Java are defined, details of tool support and case studies follow. An extension to OCB is described in which a number of objects can be updated within a single atomic clause; facilitated by Java SDK 5.0 features. The extension allows direct access to variables of a monitor using dot notation, and multiple procedure calls in a clause. We also introduce new features to atomic actions such as a sequential operator, and atomic branching and looping.

[1]  Mark Saaltink,et al.  Z and Eves , 1991, Z User Workshop.

[2]  K. Rustan M. Leino,et al.  The Spec# Programming System: An Overview , 2004, CASSIS.

[3]  Bertrand Meyer The Start of an Eiffel Standard , 2002, J. Object Technol..

[4]  Edsger W. Dijkstra,et al.  Guarded commands, non-determinacy and a calculus for the derivation of programs , 1975, Language Hierarchies and Interfaces.

[5]  Jim Woodcock,et al.  Operational Semantics for Model Checking Circus , 2005, FM.

[6]  David Frankel,et al.  Model Driven Architecture: Applying MDA to Enterprise Computing , 2003 .

[7]  Yuri Gurevich,et al.  An Automatic Verification Tool for UML , 2000 .

[8]  Jean-Raymond Abrial Discrete System Models , 2002 .

[9]  Michael J. Butler,et al.  Linking Event-B and Concurrent Object-Oriented Programs , 2008, Refine@FM.

[10]  Gregory R. Andrews,et al.  An overview of the SR language and implementation , 1988, TOPL.

[11]  David F. Bacon,et al.  Guava: a dialect of Java without data races , 2000, OOPSLA '00.

[12]  Michael J. Butler,et al.  On an Extensible Rule-Based Prover for Event-B , 2010, ASM.

[13]  Keir Fraser,et al.  Language support for lightweight transactions , 2003, SIGP.

[14]  Jeff Magee,et al.  Concurrency - state models and Java programs , 2006 .

[15]  Peter Gorm Larsen,et al.  Validated Designs for Object-oriented Systems , 2004 .

[16]  Joakim von Wright,et al.  Correctness and Refinement of Dually Nondeterministic Programs , 2003 .

[17]  Robin Milner,et al.  A Calculus of Mobile Processes, II , 1992, Inf. Comput..

[18]  S. Tucker Taft,et al.  Consolidated Ada Reference Manual Language and Standard Libraries , 2002, Lecture Notes in Computer Science.

[19]  Edsger W. Dijkstra,et al.  Chapter I: Notes on structured programming , 1972 .

[20]  Colin F. Snook,et al.  UML-B: Formal modeling and design aided by UML , 2006, TSEM.

[21]  Wolfram Schulte,et al.  Verification of Multithreaded Object-Oriented Programs with Invariants , 2004 .

[22]  Colin F. Snook,et al.  Experimental Comparison of the Comprehensibility of a UML-based Formal Specification versus a Textual One , 2007, EASE.

[23]  Jim Woodcock,et al.  POSIX and the Verification Grand Challenge: A Roadmap , 2008, 13th IEEE International Conference on Engineering of Complex Computer Systems (iceccs 2008).

[24]  Carroll Morgan Procedures, parameters, and abstraction: Separate concerns , 1988, Sci. Comput. Program..

[25]  Michael J. Butler,et al.  An Open Extensible Tool Environment for Event-B , 2006, ICFEM.

[26]  Michael D. Ernst,et al.  An overview of JML tools and applications , 2003, International Journal on Software Tools for Technology Transfer.

[27]  Daniel Jackson,et al.  An intermediate design language and its analysis , 1998, SIGSOFT '98/FSE-6.

[28]  Yuri Gurevich,et al.  Evolving algebras 1993: Lipari guide , 1995, Specification and validation methods.

[29]  Martin Odersky,et al.  Abstract State Machines - Theory and Applications , 2002, Lecture Notes in Computer Science.

[30]  Michael J. Butler,et al.  csp2B: A Practical Approach to Combining CSP and B , 1999, Formal Aspects of Computing.

[31]  Bjarne Stroustrup,et al.  The C++ Programming Language, Second Edition , 1991 .

[32]  Doug Lea,et al.  Concurrent Programming In Java , 1996 .

[33]  Steve A. Schneider,et al.  Communicating B Machines , 2002, ZB.

[34]  Daniel Jackson,et al.  Alloy: a lightweight object modelling notation , 2002, TSEM.

[35]  Matthias Anlauff,et al.  XASM - An Extensible, Component-Based ASM Language , 2000, Abstract State Machines.

[36]  Simon L. Peyton Jones,et al.  Composable memory transactions , 2005, CACM.

[37]  Michael Butler,et al.  UML-B and Event-B: an integration of languages and tools , 2008, ICSE 2008.

[38]  C. A. R. Hoare,et al.  Monitors: an operating system structuring concept , 1974, CACM.

[39]  Bernhard Beckert,et al.  Verification of Object-Oriented Software. The KeY Approach - Foreword by K. Rustan M. Leino , 2007, The KeY Approach.

[40]  Willem Visser,et al.  Addressing dynamic issues of program model checking , 2001, SPIN '01.

[41]  Jim Woodcock,et al.  A Concurrent Language for Refinement , 2001, IWFM.

[42]  Leslie Lamport,et al.  Specifying Systems: The TLA+ Language and Tools for Hardware and Software Engineers [Book Review] , 2002, Computer.

[43]  Leslie Lamport The +CAL Algorithm Language , 2006, NCA.

[44]  Michael Butler,et al.  Incremental Design of Distributed Systems with Event-B , 2009 .

[45]  Frank Piessens,et al.  A Statically Verifiable Programming Model for Concurrent Object-Oriented Programs , 2006, ICFEM.

[46]  Ralph-Johan Back,et al.  Correctness preserving program refinements: Proof theory and applications , 1980 .

[47]  Yuri Gurevich Abstract state machines : theory and applications : International Workshop, ASM 2000, Monte Verità, Switzerland, March 19-24, 2000 : proceedings , 2000 .

[48]  David Hovemeyer,et al.  Atomic Instructions in Java , 2002, ECOOP.

[49]  Peter H. Welch,et al.  A CSP model for Java multithreading , 2000, 2000 Proceedings International Symposium on Software Engineering for Parallel and Distributed Systems.

[50]  Robin Milner,et al.  A Calculus of Communicating Systems , 1980, Lecture Notes in Computer Science.

[51]  Carroll Morgan,et al.  Programming from specifications , 1990, Prentice Hall International Series in computer science.

[52]  Matthew B. Dwyer,et al.  Extending JML for Modular Specification and Verification of Multi-threaded Programs , 2005, ECOOP.

[53]  Klaus Havelund,et al.  Model checking programs , 2000, Proceedings ASE 2000. Fifteenth IEEE International Conference on Automated Software Engineering.

[54]  David Hovemeyer,et al.  Finding Concurrency Bugs in Java , 2004 .

[55]  Cormac Flanagan,et al.  A type and effect system for atomicity , 2003, PLDI.

[56]  Steve A. Schneider,et al.  CSP theorems for communicating B machines , 2005, Formal Aspects of Computing.

[57]  Edsger W. Dijkstra Non-determinacy and a calculus for the derivation of programs , 1975 .

[58]  Michael Butler,et al.  U2B - A tool for translating UML-B models into B , 2004 .

[59]  Bertrand Meyer,et al.  Specification Language , 1980, On the Construction of Programs.

[60]  Dominique Cansell,et al.  UML-B specification for proven embedded systems design , 2004 .

[61]  Kenneth L. McMillan,et al.  Symbolic model checking , 1992 .

[62]  C. A. R. HOARE,et al.  An axiomatic basis for computer programming , 1969, CACM.

[63]  David Clark,et al.  Structuring and Design of Reactive Systems Using RSDS and B , 2000, FASE.

[64]  Graeme Smith,et al.  The Object-Z Specification Language , 1999, Advances in Formal Methods.

[65]  Steve A. Schneider,et al.  Verifying Controlled Components , 2004, IFM.

[66]  Doug Lea Concurrent Programming in Java. Second Edition: Design Principles and Patterns , 1999 .

[67]  Kurt Stenzel,et al.  Structured Specifications and Interactive Proofs with KIV , 1998 .

[68]  Michael J. Butler,et al.  ProB: A Model Checker for B , 2003, FME.

[69]  Michael J. Butler A System-Based Approach to the Formal Development of Embedded Controllers for a Railway , 2002, Des. Autom. Embed. Syst..

[70]  Andrew William Roscoe,et al.  The Theory and Practice of Concurrency , 1997 .

[71]  M. A Jackson,et al.  System development (Prentice-Hall International series in computer science) , 1983 .

[72]  Jim Davies,et al.  Formality, Evolution, and Model-driven Software Engineering , 2005, Electron. Notes Theor. Comput. Sci..

[73]  Michael J. Butler,et al.  Modelling and Proof of a Tree-Structured File System in Event-B and Rodin , 2008, ICFEM.

[74]  Michael Burrows,et al.  Eraser: a dynamic data race detector for multi-threaded programs , 1997, TOCS.

[75]  Brian Stevens Implementing Object-Z with Perfect Developer , 2006, J. Object Technol..

[76]  C. A. R. Hoare,et al.  Communicating sequential processes , 1978, CACM.

[77]  Frank Budinsky,et al.  Eclipse Modeling Framework , 2003 .

[78]  Edsger W. Dijkstra,et al.  Guarded commands, non-determinacy and a calculus for the derivation of programs , 1975, Language Hierarchies and Interfaces.

[79]  Ana Cavalcanti,et al.  Automatic Translation from Circus to Java , 2006, FM.

[80]  Tingjian Ge,et al.  JR: flexible distributed programming in an extended Java , 2001, Proceedings 21st International Conference on Distributed Computing Systems.

[81]  Bertrand Meyer,et al.  Eiffel: The Language , 1991 .

[82]  J. Michael Spivey,et al.  Understanding Z : A specification language and its formal semantics , 1985, Cambridge tracts in theoretical computer science.

[83]  Kirsten Winter,et al.  Model Checking Support for the ASM High-Level Language , 2000, TACAS.

[84]  Guy L. Steele,et al.  Java(TM) Language Specification, The (3rd Edition) (Java (Addison-Wesley)) , 2005 .

[85]  Jörg Kienzle On Atomicity and Software Development , 2005, J. Univers. Comput. Sci..

[86]  Martin C. Rinard,et al.  ACM Conference on Object-Oriented Programming, Systems, Languages and Applications (OOPSLA), November 2002 Ownership Types for Safe Programming: Preventing Data Races and Deadlocks , 2022 .

[87]  Ralph-Johan Back,et al.  Contracts, Games, and Refinement , 2000, Inf. Comput..

[88]  Gerard J. Holzmann,et al.  The Model Checker SPIN , 1997, IEEE Trans. Software Eng..

[89]  Fred L. Drake,et al.  The Python Language Reference Manual , 1999 .

[90]  Ian Johnson,et al.  Rigorous development of reusable, domain-specific components, for complex applications , 2004 .

[91]  Michael Butler,et al.  Towards a UML profile for UML-B , 2003 .

[92]  Gary T. Leavens,et al.  Design by Contract with JML , 2006 .

[93]  Michael J. Butler,et al.  Decomposition Structures for Event-B , 2009, IFM.

[94]  Timothy L. Harris,et al.  Exceptions and side-effects in atomic blocks , 2005, Sci. Comput. Program..

[95]  Charles Wallace,et al.  Investigating Java Concurrency Using Abstract State Machines , 2000, Abstract State Machines.

[96]  Jim Woodcock,et al.  Formalising Flash Memory: First Steps , 2007, 12th IEEE International Conference on Engineering Complex Computer Systems (ICECCS 2007).

[97]  Cliff B. Jones,et al.  Systematic software development using VDM , 1986, Prentice Hall International Series in Computer Science.

[98]  Natarajan Shankar,et al.  PVS: A Prototype Verification System , 1992, CADE.

[99]  Anna Mikhajlova,et al.  Ensuring Correctness of Object and Component Systems , 1999 .

[100]  Jeremy M. R. Martin,et al.  Formal Analysis of Concurrent Java Systems , 2000 .

[101]  David Clark,et al.  UML to B: Formal Verification of Object-Oriented Models , 2004, IFM.

[102]  Emina Torlak,et al.  Kodkod: A Relational Model Finder , 2007, TACAS.

[103]  Leslie Lamport Checking a Multithreaded Algorithm with +CAL , 2006, DISC.

[104]  Edsger W. Dijkstra,et al.  A Discipline of Programming , 1976 .

[105]  Peter H. Welch,et al.  CSP Networking for Java (JCSP.net) , 2002, International Conference on Computational Science.

[106]  Guy L. Steele,et al.  The Java Language Specification , 1996 .

[107]  Guy L. Steele,et al.  Java(TM) Language Specification , 2005 .

[108]  Divakar Yadav,et al.  Formal Development of Fault Tolerant Transactions for a replicated Database using Ordered Broadcasts , 2007 .

[109]  J. Michael Spivey,et al.  The Z notation - a reference manual , 1992, Prentice Hall International Series in Computer Science.

[110]  Bjarne Stroustrup,et al.  The C++ Programming Language: Special Edition , 2000 .

[111]  Ralph-Johan Back,et al.  Class Refinement as Semantics of Correct Object Substitutability , 2000, Formal Aspects of Computing.

[112]  Mark Lillibridge,et al.  Extended static checking for Java , 2002, PLDI '02.

[113]  Armin Biere,et al.  Using Block-Local Atomicity to Detect Stale-Value Concurrency Errors , 2004, ATVA.

[114]  Andrew M. Lister The problem of nested monitor calls , 1977, OPSR.

[115]  Jean-Raymond Abrial,et al.  The B-book - assigning programs to meanings , 1996 .

[116]  Colin F. Snook,et al.  Comprehensibility of UML-based formal model: a series of controlled experiments , 2007, WEASELTech '07.

[117]  Doug Lea,et al.  The java.util.concurrent synchronizer framework , 2005, Sci. Comput. Program..

[118]  Michael J. Butler,et al.  An incremental development of the Mondex system in Event-B , 2007, Formal Aspects of Computing.

[119]  David Crocker,et al.  Safe Object-Oriented Software: The Verified Design-By-Contract Paradigm , 2004 .

[120]  Bart Jacobs,et al.  Specifying and Verifying a Decimal Representation in Java for Smart Cards , 2002, AMAST.

[121]  Dominique Cansell,et al.  Click'n Prove: Interactive Proofs within Set Theory , 2003, TPHOLs.