An incremental refinement approach to a development of a flash-based file system in Event-B

Nowadays, many formal methods are used in the area of software development accompanied by a number of advanced theories and tools. However, more experiments are still required in order to provide significant evidence that will convince and encourage users to use, and gain more benefits from, those theories and tools. Event-B is a formalism used for specifying and reasoning about systems. Rodin is an open and extensible tool for Event-B specification, refinement and proof. The flash file system is a complex system. Such systems are a challenge to specify and verify at this moment in time. This system was chosen as a case study for our experiments, carried out using Event-B and the Rodin tool. The experiments were aimed at developing a rigorous model of flash-based file system; including implementation of the model, providing useful evidence and guidelines to developers and the software industry. We believe that these would convince users and make formal methods more accessible. An incremental refinement was chosen as a strategy in our development. The refinement was used for two different purposes: feature augmentation and structural refinement (covering event and machine decomposition). Several techniques and styles of modelling were investigated and compared; to produce some useful guidelines for modelling, refinement and proof. The model of the flash-based file system we have completed covers three main issues: fault-tolerance, concurrency and wear-levelling process. Our model can deal with concurrent read/write operations and other processes such as block relocation and block erasure. The model tolerates faults that may occur during reading/writing of files. We believe our development acts as an exemplar that other developers can learn from. We also provide systematic rules for translation of Event-B models into Java code. However, more work is required to make these rules more applicable and useful in the future.

[1]  Peter W. O'Hearn,et al.  Verified Software: A Grand Challenge , 2006, Computer.

[2]  Ralph-Johan Back,et al.  Refinement Calculus , 1998, Graduate Texts in Computer Science.

[3]  Cliff B. Jones,et al.  Systematic software development using VDM , 1986, Prentice Hall International Series in Computer Science.

[4]  C. A. R. Hoare,et al.  Communicating sequential processes , 1978, CACM.

[5]  Dominique Cansell,et al.  Foundations of the B Method , 2003, Comput. Artif. Intell..

[6]  Frank Waters,et al.  The B Book , 1971 .

[7]  Jean-Raymond Abrial,et al.  Modeling in event-b - system and software engineering by Jean-Raymond Abrial , 2010, SOEN.

[8]  Ralph-Johan Back,et al.  Refinement Calculus: A Systematic Introduction , 1998 .

[9]  Michael Butler On the Verified-by-Construction Approach , 2006 .

[10]  Heiko Krumm TEMPORAL LOGIC , 2002 .

[11]  Jim Woodcock,et al.  POSIX file store in Z/Eves: an experiment in the verified software repository , 2007, 12th IEEE International Conference on Engineering Complex Computer Systems (ICECCS 2007).

[12]  Michael J. Butler,et al.  Linking Event-B and Concurrent Object-Oriented Programs , 2008, Refine@FM.

[13]  Graham Hutton,et al.  Programming in Haskell , 2007 .

[14]  Steve Schneider The B-method - an introduction , 2001, The cornerstones of computing series.

[15]  Thai Son Hoang,et al.  Rodin: an open toolset for modelling and reasoning in Event-B , 2010, International Journal on Software Tools for Technology Transfer.

[16]  Michael J. C. Gordon,et al.  From LCF to HOL: a short history , 2000, Proof, Language, and Interaction.

[17]  Gerard J. Holzmann,et al.  A mini challenge: build a verifiable filesystem , 2007, Formal Aspects of Computing.

[18]  Mark Saaltink The Z/EVES System , 1997, ZUM.

[19]  Michael Butler,et al.  Tool Support for Event-B Code Generation , 2010 .

[20]  Jean-Raymond Abrial A System Development Process with Event-B and the Rodin Platform , 2007, ICFEM.

[21]  Stephen Wright,et al.  Automatic Generation of C from Event-B , 2009 .

[22]  Stefan Hallerstede,et al.  Justifications for the Event-B Modelling Notation , 2007, B.

[23]  Wim H. Hesselink,et al.  Formalizing a hierarchical file system , 2009, Formal Aspects of Computing.

[24]  Michael Butler,et al.  Supporting Reuse Mechanisms for Developments in Event-B: Composition , 2009 .

[25]  Jim Woodcock,et al.  Using Z - specification, refinement, and proof , 1996, Prentice Hall international series in computer science.

[26]  Carroll Morgan,et al.  Specification of the UNIX Filing System , 1984, IEEE Transactions on Software Engineering.

[27]  Leslie Lamport,et al.  The Byzantine Generals Problem , 1982, TOPL.

[28]  Jim Woodcock,et al.  Mechanising a formal model of flash memory , 2009, Sci. Comput. Program..

[29]  Kai Engelhardt,et al.  Data Refinement: Model-Oriented Proof Methods and their Comparison , 1998 .

[30]  Jim Woodcock,et al.  Formalising Flash Memory: First Steps , 2007, 12th IEEE International Conference on Engineering Complex Computer Systems (ICECCS 2007).

[31]  John Hughes,et al.  Specifying a visual file system in Z , 1989 .

[32]  Michael J. Butler,et al.  Modelling and Proof of a Tree-Structured File System in Event-B and Rodin , 2008, ICFEM.

[33]  Christopher D. Clack,et al.  Programming With Standard Ml , 1993 .

[34]  Sivan Toledo,et al.  Algorithms and data structures for flash memories , 2005, CSUR.

[35]  Michael J. Butler,et al.  An incremental development of the Mondex system in Event-B , 2007, Formal Aspects of Computing.

[36]  Michael Butler,et al.  The Rodin formal modelling tool , 2007 .

[37]  W. Marsden I and J , 2012 .

[38]  Cliff B. Jones,et al.  RODIN (Rigorous Open Development Environment for Complex Systems) , 2005 .

[39]  Dominique Cansell,et al.  Tutorial on the event-based B method , 2006 .

[40]  Jean-Raymond Abrial,et al.  A roadmap for the Rodin toolset ? Version 1 . 0 : 12 June 2008 , 2008 .

[41]  Neil Evans,et al.  A Proposal for Records in Event-B , 2006, FM.

[42]  Peter Gorm Larsen,et al.  The IFAD VDM Tools: Lightweight Formal Methods , 1998, FM-Trends.

[43]  Zohar Manna,et al.  The Temporal Logic of Reactive and Concurrent Systems , 1991, Springer New York.

[44]  Wolfgang Müller,et al.  Formal refinement and model checking of an echo cancellation unit , 2004, Proceedings Design, Automation and Test in Europe Conference and Exhibition.

[45]  David Carrington VDM and the Refinement Calculus: a comparison of two systematic design methods , 1993 .

[46]  David Lorge Parnas,et al.  Predicate Logic for Software Engineering , 1993, IEEE Trans. Software Eng..

[47]  Kristina Lundqvist,et al.  Formal Software Verification: Model Checking and Theorem Proving , 2007 .

[48]  Jim Woodcock,et al.  POSIX and the Verification Grand Challenge: A Roadmap , 2008, 13th IEEE International Conference on Engineering of Complex Computer Systems (iceccs 2008).

[49]  Michael J. Butler,et al.  An Open Extensible Tool Environment for Event-B , 2006, ICFEM.

[50]  王云峰,et al.  A Formal Software Development Approach Using Refinement Calculus , 2001 .

[51]  Xiaodong Liu,et al.  Formal methods for the re-engineering of computing systems: a comparison , 1997, Proceedings Twenty-First Annual International Computer Software and Applications Conference (COMPSAC'97).

[52]  Jean-Raymond Abrial,et al.  Formal Methods: Theory Becoming Practice , 2007, J. Univers. Comput. Sci..

[53]  Carroll Morgan,et al.  Programming from specifications , 1990, Prentice Hall International Series in computer science.

[54]  David Flanagan,et al.  Java in a Nutshell , 1996 .

[55]  Joseph M. Morris,et al.  A Theoretical Basis for Stepwise Refinement and the Programming Calculus , 1987, Sci. Comput. Program..

[56]  Michael J. Butler,et al.  Decomposition Structures for Event-B , 2009, IFM.

[57]  C. M. Holloway Why engineers should consider formal methods , 1997, 16th DASC. AIAA/IEEE Digital Avionics Systems Conference. Reflections to the Future. Proceedings.

[58]  Daniel Jackson,et al.  Software Abstractions - Logic, Language, and Analysis , 2006 .

[59]  Michael J. Butler A CSP approach to action systems , 1992 .

[60]  Kurt Stenzel,et al.  Formal System Development with KIV , 2000, FASE.

[61]  Sivan Toledo,et al.  Competitive Analysis of Flash-Memory Algorithms , 2006, ESA.

[62]  M. Gordon,et al.  Introduction to HOL: a theorem proving environment for higher order logic , 1993 .

[63]  Jos C. M. Baeten,et al.  A brief history of process algebra , 2005, Theor. Comput. Sci..

[64]  Michael D. Ernst,et al.  An overview of JML tools and applications , 2003, Electron. Notes Theor. Comput. Sci..

[65]  Robert Bruce Findler Scheme and Functional Programming 2006: paper abstracts , 2006, SIGP.

[66]  Robin Milner,et al.  Communicating and mobile systems - the Pi-calculus , 1999 .

[67]  Jonathan P. Bowen Formal Specification and Documentation Using Z: A Case Study Approach , 1996 .

[68]  Cornelis Pronk,et al.  RAFFS: Model Checking a Robust Abstract Flash File Store , 2009, ICFEM.

[69]  Lawrence Charles Paulson,et al.  ML for the working programmer , 1991 .

[70]  Daniel Jackson,et al.  Designing and Analyzing a Flash File System with Alloy , 2009, Int. J. Softw. Informatics.

[71]  Ahmed Hammad,et al.  Java Card Code Generation from B Specifications , 2003, ICFEM.

[72]  Egon Börger Abstract state machines and high-level system design and analysis , 2005, Theor. Comput. Sci..

[73]  Leslie Lamport,et al.  Specifying Systems: The TLA+ Language and Tools for Hardware and Software Engineers [Book Review] , 2002, Computer.

[74]  Alex Groce,et al.  New Challenges in Model Checking , 2008, 25 Years of Model Checking.

[75]  Ralph-Johan Back,et al.  Distributed cooperation with action systems , 1988, TOPL.

[76]  Shin Nakajima,et al.  The SPIN Model Checker : Primer and Reference Manual , 2004 .

[77]  David Holmes,et al.  Java Concurrency in Practice , 2006 .

[78]  C. A. R. Hoare,et al.  Verified Software: Theories, Tools, Experiments Vision of a Grand Challenge Project , 2005, VSTTE.

[79]  Michael J. Butler,et al.  Stepwise Refinement of Communicating Systems , 1996, Sci. Comput. Program..

[80]  Robin Milner,et al.  Communication and concurrency , 1989, PHI Series in computer science.

[81]  Michael J. Butler,et al.  Applying Event and Machine Decomposition to a Flash-Based Filestore in Event-B , 2009, SBMF.

[82]  Zohar Manna,et al.  Completing the Temporal Picture , 1991, Theor. Comput. Sci..

[83]  Jonathan P. Bowen,et al.  Formal Methods , 2010, Computing Handbook, 3rd ed..

[84]  Jan A. Bergstra,et al.  Algebra of Communicating Processes with Abstraction , 1985, Theor. Comput. Sci..

[85]  Leslie Lamport,et al.  The temporal logic of actions , 1994, TOPL.

[86]  Gudmund Grov,et al.  Reasoned Modelling Critics: Turning Failed Proofs into Modelling Guidance , 2010, ASM.

[87]  Michael J. Butler,et al.  Some Guidelines for Formal Development of Web-Based Applications in B-Method , 2005, ZB.

[88]  Colin F. Snook,et al.  UML-B: Formal modeling and design aided by UML , 2006, TSEM.

[89]  Susan Eisenbach,et al.  pi -calculus semantics for the concurrent configuration language Darwin , 1993, [1993] Proceedings of the Twenty-sixth Hawaii International Conference on System Sciences.

[90]  MSc Mbcs CEng Michael Bronzite BSc System Development , 2000, Springer London.

[91]  Colin F. Snook,et al.  Tools for System Validation with B Abstract Machines , 2005, Abstract State Machines.

[92]  Tim Clement Combining Transformation and Posit-and Prove in a VDM Development , 1991, VDM Europe.

[93]  Simon L. Peyton Jones,et al.  A history of Haskell: being lazy with class , 2007, HOPL.