Towards an integrated formal method for verification of liveness properties in distributed systems: with application to population protocols

State-based formal methods, e.g. Event-B/RODIN (Abrial in Modeling in Event-B: System and Software Engineering, Cambridge University Press, Cambridge, 2010; Abrial et al. in Int J Softw Tools Technol Transf (STTT) 12(6):447–466, 2010), for critical system development and verification are now well established, with track records including tool support and industrial applications. Proof-based verification, in particular, focuses on safety properties. Liveness properties, which guarantee that some requirement is eventually, or convergently, computed, are less well dealt with: inductive reasoning about liveness is not explicitly supported, and liveness proofs are often complex and expensive, requiring a high skill level on the part of the verification engineer. Fairness-based temporal logic approaches have been proposed to address this, e.g. TLA (Lamport in ACM Trans Program Lang Syst 16(3):872–923, 1994) and that of Manna and Pnueli (Temporal Verification of Reactive Systems: Safety, Springer, New York, 1995). We contribute to this technology need by proposing a fairness-based method integrating temporal and first-order logic, proof and tools for modelling and verification of safety and liveness properties. The method is based on an integration of Event-B and TLA. Building on our previous work (Méry and Poppleton in Integrated Formal Methods, 10th International Conference, IFM 2013, Turku, Finland, pp 208–222, 2013, doi:10.1007/978-3-642-38613-8_15), we present the method via three example population protocols (Angluin et al. in Distrib Comput 18(4):235–253, 2006). These were proposed as a theoretical framework for computability reasoning about Wireless Sensor Network and Mobile Ad-Hoc Network algorithms. Our examples present typical liveness and convergence requirements. We prove convergence results for the examples by integrated modelling and proof with Event-B/RODIN and TLA.
We exploit existing proof rules, and define and apply three new proof rules; soundness proofs are also provided. During the process we observe certain repeating patterns in the proofs, which are easily identified and reused because of the explicit nature of the reasoning.
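As an added illustration, not taken from the paper or its Event-B/TLA models, the classic leader-election population protocol of Angluin et al. is simulated under a fair scheduler alongside the well-founded variant (number of leaders) on which a convergence proof of this kind rests; the choice of protocol, the scheduler and all function names are assumptions made here.

```python
import random

# Constructed example: the leader-election population protocol of Angluin et al.
# Two interacting leaders demote one of them, (L, L) -> (L, F); every other
# pairing leaves both agents' states unchanged.
LEADER, FOLLOWER = "L", "F"

def transition(a, b):
    """Pairwise interaction rule for initiator a and responder b."""
    if a == LEADER and b == LEADER:
        return LEADER, FOLLOWER
    return a, b

def variant(states):
    """Well-founded variant of the liveness argument: the number of leaders.
    It never increases and strictly decreases on every effective interaction."""
    return sum(1 for s in states if s == LEADER)

def converged(states):
    """Target predicate of the convergence property: exactly one leader."""
    return variant(states) == 1

def run(n_agents, max_steps=10_000, seed=0):
    """Simulate under a fair scheduler: every ordered pair of agents is chosen
    with positive probability, so any enabled interaction eventually happens.
    Returns (converged?, steps taken, trace of the variant after each step)."""
    rng = random.Random(seed)
    states = [LEADER] * n_agents            # all agents start as leaders
    trace = [variant(states)]
    for step in range(1, max_steps + 1):
        if converged(states):
            return True, step - 1, trace
        i, j = rng.sample(range(n_agents), 2)
        states[i], states[j] = transition(states[i], states[j])
        # Safety-style invariant checked alongside liveness: the variant is monotone.
        assert variant(states) <= trace[-1]
        trace.append(variant(states))
    return converged(states), max_steps, trace

def variant_decreases_on_effective_steps(trace):
    """Each change of the variant along the trace is a decrease by exactly one."""
    return all(b == a or b == a - 1 for a, b in zip(trace, trace[1:]))
```

Under fairness the variant cannot stay at a value above one forever, which is exactly the shape of the argument a leads-to proof rule captures; the simulation checks the variant's monotonicity on every step rather than proving it.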

[1] Koichi Wada et al. How to Prove Impossibility Under Global Fairness: On Space Complexity of Self-Stabilizing Leader Election on a Population Protocol Model. Theory of Computing Systems, 2012.

[2] Richard Banach. Pliant Modalities in Hybrid Event-B. Theories of Programming and Formal Methods, 2013.

[3] Ralph-Johan Back et al. Distributed cooperation with action systems. TOPL, 1988.

[4] Pramod K. Varshney et al. Data-aggregation techniques in sensor networks: a survey. IEEE Communications Surveys & Tutorials, 2006.

[5] Thai Son Hoang et al. Systems Design Guided by Progress Concerns. IFM, 2013.

[6] Rutger M. Dijkstra et al. Computation calculus bridging a formalization gap. Sci. Comput. Program., 1998.

[7] Reino Kurki-Suonio et al. DisCo specification language: marriage of actions and objects. Proceedings of the 11th International Conference on Distributed Computing Systems, 1991.

[8] Dominique Cansell et al. Predicate Diagrams for the Verification of Reactive Systems. IFM, 2000.

[9] K. Mani Chandy et al. Parallel program design: a foundation. 1988.

[10] David Eisenstat et al. The computational power of population protocols. Distributed Computing, 2006.

[11] Jean-Raymond Abrial et al. Introducing Dynamic Constraints in B. B, 1998.

[12] Keijiro Araki et al. Proceedings of the 1st International Conference on Integrated Formal Methods. 1999.

[13] D. Park. A Predicate Transformer for Weak Fair Iteration. 1981.

[14] Gian Pietro Picco. Software engineering and wireless sensor networks: happy marriage or consensual divorce? FoSER '10, 2010.

[15] C. A. R. Hoare et al. Communicating sequential processes. CACM, 1978.

[16] Dominique Méry et al. Refinement-Based Guidelines for Algorithmic Systems. Int. J. Softw. Informatics, 2009.

[17] Ian F. Akyildiz et al. Wireless sensor networks. 2007.

[18] Leslie Lamport. A Simple Approach to Specifying Concurrent Systems. CACM, 1989.

[19] Davide Brunelli et al. Wireless Sensor Networks. Lecture Notes in Computer Science, 2012.

[20] Michael Butler. Towards a Cookbook for Modelling and Refinement of Control Problems. 2009.

[21] Dominique Méry. A Proof System to Derive Eventually Properties Under Justice Hypothesis. MFCS, 1986.

[22] Bowen Alpern et al. Defining Liveness. Inf. Process. Lett., 1984.

[23] Dines Bjørner. Software Engineering 2: Specification of Systems and Languages. Texts in Theoretical Computer Science, An EATCS Series, 2006.

[24] Michael J. Butler et al. A Systematic Approach to Atomicity Decomposition in Event-B. SEFM, 2012.

[25] Bowen Alpern et al. Recognizing safety and liveness. Distributed Computing, 2005.

[26] Joffroy Beauquier et al. Self-stabilizing Leader Election in Population Protocols over Arbitrary Communication Graphs. OPODIS, 2013.

[27] Leslie Lamport et al. Specifying and verifying systems with TLA+. EW 10, 2002.

[28] Thai Son Hoang et al. Reasoning about Liveness Properties in Event-B. ICFEM, 2011.

[29] Michael J. Fischer et al. Self-stabilizing Population Protocols. OPODIS, 2005.

[30] Michael Bronzite. System Development. Springer London, 2000.

[31] Dines Bjørner. Software Engineering 1: Abstraction and Modelling. Texts in Theoretical Computer Science, An EATCS Series, 2006.

[32] Stefan Hallerstede. On the Purpose of Event-B Proof Obligations. ABZ, 2008.

[33] Michael J. Butler et al. Decomposition Structures for Event-B. IFM, 2009.

[34] J. Paul Gibson et al. A Unifying Model for Specification and Design. 1996.

[35] Michael J. Butler et al. Cruise Control in Hybrid Event-B. ICTAC, 2013.

[36] Cliff B. Jones et al. Specification and Design of (Parallel) Programs. IFIP Congress, 1983.

[37] Paul G. Spirakis et al. Population Protocols and Related Models. Theoretical Aspects of Distributed Computing in Sensor Networks, 2011.

[38] Eerke Albert Boiten et al. Integrated Formal Methods. Lecture Notes in Computer Science, 2012.

[39] Dominique Méry et al. Fair objects. 1999.

[40] Michael J. Butler et al. An Open Extensible Tool Environment for Event-B. ICFEM, 2006.

[41] Mani B. Srivastava et al. Power management in energy harvesting sensor networks. TECS, 2007.

[42] Dines Bjørner et al. Software Engineering 3: Domains, Requirements, and Software Design. Texts in Theoretical Computer Science, An EATCS Series, 2006.

[43] Jean-Raymond Abrial et al. Modeling in Event-B: System and Software Engineering by Jean-Raymond Abrial. SOEN, 2010.

[44] Ernst-Rüdiger Olderog et al. Proof Rules and Transformations Dealing with Fairness. Sci. Comput. Program., 1983.

[45] Jean-Raymond Abrial et al. The B-book: assigning programs to meanings. 1996.

[46] Leslie Lamport et al. Specifying Systems: The TLA+ Language and Tools for Hardware and Software Engineers [Book Review]. Computer, 2002.

[47] Dines Bjørner. Software Engineering 1: Abstraction and Modelling (Texts in Theoretical Computer Science, An EATCS Series). 2005.

[48] James Aspnes et al. An Introduction to Population Protocols. Bull. EATCS, 2007.

[49] Michael J. Fischer et al. Self-stabilizing Leader Election in Networks of Finite-State Anonymous Agents. OPODIS, 2006.

[50] Julien Groslambert. Verification of LTL on B Event Systems. B, 2007.

[51] Dines Bjørner et al. Logics of Specification Languages. Monographs in Theoretical Computer Science, An EATCS Series, 2007.

[52] Ralph-Johan Back et al. Decentralization of Process Nets with Centralized Control. PODC, 1983.

[53] Stephan Merz et al. TLA+ Proofs. FM, 2012.

[54] Thai Son Hoang et al. Rodin: an open toolset for modelling and reasoning in Event-B. International Journal on Software Tools for Technology Transfer, 2010.

[55] Martín Abadi et al. The Existence of Refinement Mappings. LICS, 1988.

[56] Dominique Méry. Requirements for a Temporal B: Assigning Temporal Meaning to Abstract Machines... and to Abstract Systems. IFM, 1999.

[57] Zohar Manna et al. Temporal Verification of Reactive Systems. Springer New York, 1995.

[58] Martín Abadi et al. On TLA as a logic. NATO ASI DPD, 1996.

[59] Ernst-Rüdiger Olderog et al. Fairness in parallel programs: the transformational approach. TOPL, 1988.

[60] Dominique Méry et al. Formal Modelling and Verification of Population Protocols. IFM, 2013.

[61] Richard Banach et al. Continuous Behaviour in Event-B: A Sketch. ABZ, 2012.

[62] Leslie Lamport et al. Proving Liveness Properties of Concurrent Programs. TOPL, 1982.

[63] Michael J. Fischer et al. Computation in networks of passively mobile finite-state sensors. PODC '04, 2004.

[64] Zohar Manna et al. Temporal verification of reactive systems: safety. 1995.

[65] Huibiao Zhu et al. Formalizing Hybrid Systems with Event-B. ABZ, 2012.

[66] Steve A. Schneider et al. Managing LTL Properties in Event-B Refinement. IFM, 2014.

[67] Lutz Priese et al. Fairness. Bull. EATCS, 1988.

[68] Biswanath Mukherjee et al. Wireless sensor network survey. Comput. Networks, 2008.

[69] Leslie Lamport et al. The temporal logic of actions. TOPL, 1994.