From Event-B to Verified C via HLL

This work addresses the correct translation of an Event-B model to C code via an intermediate formal language, HLL. The proof of correctness follows two main steps. First, the final refinement of the Event-B model, including its invariants, is translated to HLL. At that point, additional properties (e.g., deadlock-freeness, liveness properties, etc.) are added to the HLL model. Proving the invariants and the additional properties at the HLL level guarantees the correctness of the translation. Second, the C code is generated automatically from the HLL model for most of the system functions and written manually for the remaining ones; in the latter case, the HLL model provides formal contracts to the software developer. An equivalence proof between the C code and the HLL model guarantees the correctness of the code.
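To make the two kinds of property named above concrete, the following added example (not code from the paper, its authors, or any HLL tooling) encodes a constructed toy model in the Event-B style directly in C: a bounded counter with `put` and `get` events, each with a guard and an action, plus a state invariant. A small exhaustive exploration of the reachable states then checks what a model checker would be asked to prove at the HLL level: that every enabled event preserves the invariant, and that no reachable state is a deadlock (at least one event is always enabled). The model, its capacity `CAP`, the function names and the two deliberately defective variants (an off-by-one guard and a model with no `get` event) are all assumptions made for this illustration; the real HLL proof is a symbolic one, and this bounded search only stands in for it on a finite domain.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed toy model: a counter n with 0 <= n <= CAP as its invariant. */
#define CAP 4

typedef struct { int n; } state_t;

/* An event in the Event-B sense: a guard (when it may fire) and an action. */
typedef struct {
    const char *name;
    bool (*guard)(const state_t *);
    void (*action)(state_t *);
} event_t;

/* The invariant the model must preserve in every reachable state. */
static bool invariant(const state_t *s) { return s->n >= 0 && s->n <= CAP; }

static bool put_guard(const state_t *s)       { return s->n < CAP; }
static bool put_guard_buggy(const state_t *s) { return s->n <= CAP; } /* off by one */
static void put_action(state_t *s)            { s->n += 1; }
static bool get_guard(const state_t *s)       { return s->n > 0; }
static void get_action(state_t *s)            { s->n -= 1; }

/* Three variants of the model (all constructed for this example). */
const event_t correct_events[] = {{"put", put_guard,       put_action},
                                  {"get", get_guard,       get_action}};
const event_t buggy_events[]   = {{"put", put_guard_buggy, put_action},
                                  {"get", get_guard,       get_action}};
const event_t put_only[]       = {{"put", put_guard,       put_action}};

enum { MODEL_OK = 0, MODEL_INVARIANT_VIOLATED = 1, MODEL_DEADLOCK = 2 };

/* Breadth-first exploration of every state reachable from n = 0.
 * For each reachable state: every enabled event must lead to a state that
 * satisfies the invariant, and at least one event must be enabled.
 * On success the number of reachable states is written to *reachable. */
int check_model(const event_t *ev, int nev, int *reachable) {
    bool visited[CAP + 1] = {false};   /* indexable only while the invariant holds */
    int queue[CAP + 1];
    int head = 0, tail = 0, count = 0;
    state_t init = {0};

    if (!invariant(&init)) return MODEL_INVARIANT_VIOLATED;
    visited[init.n] = true;
    queue[tail++] = init.n;

    while (head < tail) {
        state_t s = { queue[head++] };
        bool enabled = false;
        count++;
        for (int i = 0; i < nev; i++) {
            if (!ev[i].guard(&s)) continue;
            enabled = true;
            state_t t = s;
            ev[i].action(&t);
            /* Check the invariant before using t.n as an index. */
            if (!invariant(&t)) return MODEL_INVARIANT_VIOLATED;
            if (!visited[t.n]) { visited[t.n] = true; queue[tail++] = t.n; }
        }
        if (!enabled) return MODEL_DEADLOCK;   /* no event can fire here */
    }
    if (reachable) *reachable = count;
    return MODEL_OK;
}

/* Convenience wrapper: reachable-state count, or -1 if any check fails. */
int reachable_states(const event_t *ev, int nev) {
    int r = 0;
    return check_model(ev, nev, &r) == MODEL_OK ? r : -1;
}

static const char *verdict(int code) {
    return code == MODEL_OK ? "ok" :
           code == MODEL_INVARIANT_VIOLATED ? "invariant violated" : "deadlock";
}

int main(void) {
    printf("correct model: %s\n", verdict(check_model(correct_events, 2, NULL)));
    printf("buggy guard:   %s\n", verdict(check_model(buggy_events, 2, NULL)));
    printf("put only:      %s\n", verdict(check_model(put_only, 1, NULL)));
    return 0;
}
```

Running it reports the correct model as `ok` with five reachable states, the off-by-one guard as an invariant violation (the `put` action can drive `n` to `CAP + 1`), and the `put`-only model as a deadlock once `n` reaches `CAP`. The same separation of guard, action and invariant is what lets a generated C function carry its contract: the guard is the precondition, and invariant preservation is the postcondition a manually written function must meet.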
