A formal approach for the development of reactive systems

Context: This paper deals with the development and verification of liveness properties on reactive systems using the Event-B method. By considering the limitation of the Event-B method to invariance properties, we propose to apply the language TLA^+ to verify liveness properties on Event-B models. Objective: This paper deals with the use of two verification approaches: theorem proving and model-checking, in the construction and verification of safe reactive systems. The theorem prover concerned is part of the Click_n_Prove tool associated to the Event-B method and the model checker is TLC for TLA^+ models. Method: To verify liveness properties on Event-B systems, we extend first the expressivity and the semantics of a B model (called temporal B model) to deal with the specification of fairness and eventuality properties. Second, we propose semantics of the extension over traces, in the same spirit as TLA^+ does. Third, we give verification rules in the axiomatic way of the Event-B method. Finally, we give transformation rules from a temporal B model into a TLA^+ module. We present in particular, our prototype system called B2TLA^+, that we have developed to support this transformation; then we can verify liveness properties thanks to the model checker TLC on finite state systems. For the verification of infinite-state systems, we propose the use of the predicate diagrams and its associated tool DIXIT. As the B refinement preserves invariance properties through refinement steps, we propose some rules to get the preservation of liveness properties by the B refinement. Results: The proposed approach is applied for the development of some reactive systems examples and our prototype system B2TLA^+ is successfully used to transform a temporal B model into a TLA^+ module. Conclusion: The paper successfully defines an approach for the specification and verification of safety and liveness properties for the development of reactive systems using the Event-B method, the language TLA^+ and the predicate diagrams with their associated tools. The approach is illustrated on a case study of a parcel sorting system.

[1]  Dominique Cansell,et al.  "Higher-Order" Mathematics in B , 2002, ZB.

[2]  John Wordsworth Education in formal methods for software engineering , 1987 .

[3]  J. Michael Spivey,et al.  Understanding Z : A specification language and its formal semantics , 1985, Cambridge tracts in theoretical computer science.

[4]  Michael J. Butler,et al.  ProB: A Model Checker for B , 2003, FME.

[5]  Myla Archer,et al.  Proceedings STRATA 2003. First International Workshop on Design and Application of Strategies/Tactics in Higher Order Logics; Focus on PVS Experiences , 2003 .

[6]  Edmund M. Clarke Automatic Verification of Finite-state Concurrent Systems , 1994, Application and Theory of Petri Nets.

[7]  Claes Wohlin,et al.  An analysis of the most cited articles in software engineering journals - 2002 , 2009, Inf. Softw. Technol..

[8]  Natarajan Shankar,et al.  Combining Theorem Proving and Model Checking through Symbolic Analysis , 2000, CONCUR.

[9]  Tore Dybå,et al.  A systematic review of statistical power in software engineering experiments , 2006, Inf. Softw. Technol..

[10]  Jacques Julliand,et al.  Modular Verification for a Class of PLTL Properties , 2000, IFM.

[11]  Stephan Merz,et al.  DIXIT: a Graphical Toolkit for Predicate Abstractions , 2005 .

[12]  Edsger W. Dijkstra,et al.  A Discipline of Programming , 1976 .

[13]  Jean-Raymond Abrial,et al.  The B-book - assigning programs to meanings , 1996 .

[14]  Edmund M. Clarke,et al.  Temporal Logic Model Checking (Abstract) , 1997, ILPS.

[15]  Edsger W. Dijkstra,et al.  Predicate Calculus and Program Semantics , 1989, Texts and Monographs in Computer Science.

[16]  Sarfraz Khurshid,et al.  Integrating Model Checking and Theorem Proving for Relational Reasoning , 2003, RelMiCS.

[17]  Gerard J. Holzmann,et al.  Trends in Software Verification , 2003, FME.

[18]  Barbara A. Kitchenham,et al.  Combining empirical results in software engineering , 1998, Inf. Softw. Technol..

[19]  Jean-Raymond Abrial,et al.  Introducing Dynamic Constraints in B , 1998, B.

[20]  Stephan Merz,et al.  Model Checking , 2000 .

[21]  Samir Chouali,et al.  Verification of Dynamic Constraints for B Event Systems under Fairness Assumptions , 2002, ZB.

[22]  Jacques Julliand,et al.  Modular Verification of Dynamic Properties for Reactive Systems , 1999, IFM.

[23]  Markus Kaltenbach,et al.  Model Checking for UNITY , 1994 .

[24]  Dominique Cansell,et al.  Diagram Refinements for the Design of Reactive Systems , 2001, J. Univers. Comput. Sci..

[25]  Formal Analysis of a Self-Stabilizing Algorithm Using Predicate Diagrams , 2001, GI Jahrestagung.

[26]  Kaisa Sere,et al.  Stepwise Refinement of Action Systems , 1991, Struct. Program..

[27]  Rutger M. Dijkstra An Experiment With the Use of Predicate Transformers in UNITY , 1995, Inf. Process. Lett..

[28]  Claes Wohlin,et al.  An analysis of the most cited articles in software engineering journals - 1999 , 2005, Inf. Softw. Technol..

[29]  K. Mani Chandy,et al.  Parallel program design - a foundation , 1988 .

[30]  Edward Y. Chang,et al.  STeP: The Stanford Temporal Prover , 1995, TAPSOFT.

[31]  Dominique Méry,et al.  Crocos: An Integrated Environment for Interactive Verification of SDL Specifications , 1992, CAV.

[33]  K. Mani Chandy Parallel program design , 1989 .

[34]  M. Kaufman Some Key Research Problems in Automated Theorem Proving for Hardware and Software Verification , 2004 .

[35]  Jean-Raymond Abrial B#: Toward a Synthesis between Z and B , 2003, ZB.

[36]  C. A. R. HOARE,et al.  An axiomatic basis for computer programming , 1969, CACM.

[37]  Didier Bert,et al.  Specification and Proof of Liveness Properties under Fairness Assumptions in B Event Systems , 2002, IFM.

[38]  Ralph-Johan Back,et al.  Refinement Calculus , 1998, Graduate Texts in Computer Science.

[39]  Myla Archer,et al.  Developing User Strategies in PVS: A Tutorial , 2003 .

[40]  Leslie Lamport,et al.  The temporal logic of actions , 1994, TOPL.

[41]  Helmut Veith,et al.  Progress on the State Explosion Problem in Model Checking , 2001, Informatics.

[42]  Ralph-Johan Back,et al.  Refinement Calculus, Part II: Parallel and Reactive Programs , 1989, REX Workshop.

[43]  Didier Bert,et al.  Construction of Finite Labelled Transistion Systems from B Abstract Systems , 2000, IFM.

[44]  Dominique Méry,et al.  Formal Engineering Methods for Modelling and Verification of Control Systems , 1998 .

[45]  Olfa Mosbahi,et al.  Specification and Proof of Liveness Properties in B Event Systems , 2007, ICSOFT.

[46]  Edsger W. Dijkstra,et al.  Guarded commands, nondeterminacy and formal derivation of programs , 1975, Commun. ACM.

[47]  Zohar Manna,et al.  The Temporal Logic of Reactive and Concurrent Systems , 1991, Springer New York.

[48]  Leslie Lamport,et al.  Specifying Systems: The TLA+ Language and Tools for Hardware and Software Engineers [Book Review] , 2002, Computer.

[49]  Louis Mussat,et al.  Specification and Design of a Transmission Protocol by Successive Refinements Using B1 , 1997 .

[50]  Fred Kröger,et al.  Temporal Logic of Programs , 1987, EATCS Monographs on Theoretical Computer Science.