Results 1 - 10 of 135
An open extensible tool environment for Event-B
ICFEM 2006, LNCS, 2006
Cited by 57 (24 self)
Abstract. We consider modelling indispensable for the development of complex systems. Modelling must be carried out in a formal notation to reason and make meaningful conjectures about a model. But formal modelling of complex systems is a difficult task. Even when theorem provers improve further and get more powerful, modelling will remain difficult. The reason for this is that modelling is an exploratory activity that requires ingenuity in order to arrive at a meaningful model. We are aware that automated theorem provers can discharge most of the onerous trivial proof obligations that appear when modelling systems. In this article we present a modelling tool that seamlessly integrates modelling and proving similar to what is offered today in modern integrated development environments for programming. The tool is extensible and configurable so that it can be adapted more easily to different application domains and development methods.
ProB: An Automated Analysis Toolset for the B Method
SOFTWARE TOOLS FOR TECHNOLOGY TRANSFER, 2007
Cited by 41 (12 self)
We present ProB, a validation toolset for the B method. ProB’s automated animation facilities allow users to gain confidence in their specifications. ProB also contains a model checker and a refinement checker, both of which can be used to detect various errors in B specifications. We describe the underlying methodology of ProB, and present the important aspects of the implementation. We also present empirical evaluations as well as several case studies, highlighting that ProB enables users to uncover errors that are not easily discovered by existing tools.
Combining CSP and B for Specification and Property Verification
In Proceedings of Formal Methods 2005 (in press), Newcastle upon, 2005
Cited by 33 (14 self)
Abstract. ProB is a model checking tool for the B Method. In this paper we present an extension of ProB that supports checking of specifications written in a combination of CSP and B. We explain how the notations are combined semantically and give an overview of the implementation of the combination. We illustrate the benefit that appropriate use of CSP, in conjunction with our tool, gives to B developments both for specification and for verification purposes.
CSP Theorems for Communicating B Machines
UNDER CONSIDERATION FOR PUBLICATION IN FORMAL ASPECTS OF COMPUTING, 2004
Cited by 27 (15 self)
Recent work on combining CSP and B has provided ways of describing systems comprised of components described in both B (to express requirements on state) and CSP (to express interactive and controller behaviour). This approach is driven by the desire to exploit existing tool support for both CSP and B, and by the need for compositional proof techniques. This paper is concerned with the theory underpinning the approach, and proves a number of results for the development and verification of systems described using a combination of CSP and B. In particular, new results are obtained for the use of the hiding operator, which is essential for abstraction. The paper provides theorems which enable results obtained (possibly with tools) on the CSP part of the description to be lifted to the combination. Also, a better understanding of the interaction between CSP controllers and B machines in terms of non-discriminating and open behaviour on channels is introduced, and applied to the deadlock-freedom theorem. The results are illustrated with a toy lift controller running example.
Relational analysis of algebraic datatypes
In Joint 10th European Software Engineering Conference (ESEC) and 13th ACM SIGSOFT Symposium on the Foundations of Software Engineering (FSE), 2005
Cited by 22 (2 self)
We present a technique that enables the use of finite model finding to check the satisfiability of certain formulas whose intended models are infinite. Such formulas arise when using the language of sets and relations to reason about structured values such as algebraic datatypes. The key idea of our technique is to identify a natural syntactic class of formulas in relational logic for which reasoning about infinite structures can be reduced to reasoning about finite structures. As a result, when a formula belongs to this class, we can use existing finite model finding tools to check whether the formula holds in the desired infinite model.
Automatic refinement checking for B
Proceedings ICFEM’05, LNCS 3785, 2005
Cited by 17 (8 self)
Abstract. While refinement is at the heart of the B Method, so far no automatic refinement checker has been developed for it. In this paper we present a refinement checking algorithm and implementation for B. It is based on using an operational semantics of B, obtained in practice by the ProB animator. The refinement checker has been integrated into the ProB toolset and we present various case studies and empirical results in the paper, showing the algorithm to be surprisingly effective. The algorithm checks that a refinement preserves the trace properties of a specification. We also compare our tool against the refinement checker FDR for CSP and discuss an extension for singleton failure refinement.
Automated property verification for large scale B models
Submitted, 2009
Cited by 14 (3 self)
Abstract. In this paper we describe the successful application of the ProB validation tool on an industrial case study. The case study centres on the San Juan metro system installed by Siemens. The control software was developed and formally proven with B. However, the development contains certain assumptions about the actual rail network topology which have to be validated separately in order to ensure safe operation. For this task, Siemens has developed custom proof rules for AtelierB. AtelierB, however, was unable to deal with about 80 properties of the deployment (running out of memory). These properties thus had to be validated by hand at great expense (and they need to be revalidated whenever the rail network infrastructure changes). In this paper we show how we were able to use ProB to validate all of the about 300 properties of the San Juan deployment, detecting exactly the same faults automatically in around 17 minutes that were manually uncovered in about one man-month. This achievement required the extension of the ProB kernel for large sets as well as an improved constraint propagation phase. We also outline some of the effort and features that were required in moving from a tool capable of dealing with medium-sized examples towards a tool able to deal with actual industrial specifications. Notably, a new parser and type checker had to be developed. We also touch upon the issue of validating ProB, so that it can be integrated into the SIL4 development chain at Siemens.
GeneSyst: a Tool to Reason about Behavioral Aspects of B Event Specifications. Application to Security Properties
ZB 2005: Formal Specification and Development in Z and B, 4th International Conference of B and Z Users, 2005
Cited by 13 (3 self)
Abstract. In this paper, we present a method and a tool to build symbolic labelled transition systems from B specifications. The tool, called GeneSyst, can take into account refinement levels and can visualize the decomposition of abstract states in concrete hierarchical states. The resulting symbolic transition system represents all the behaviors of the initial B event system. So, it can be used to reason about them. We illustrate the use of GeneSyst to check security properties on a model of electronic purse.
ProB gets nauty: Effective symmetry reduction for B and Z models
In Proceedings Symposium TASE 2008, 2008
Cited by 12 (4 self)
Symmetry reduction holds great promise to counter the state explosion problem. However, currently it is “conducting a life on the fringe”, and is not widely applied, mainly due to the restricted applicability of many of the techniques. In this paper we propose a symmetry reduction technique applied to high-level formal specification languages (B and Z). Not only does symmetry arise naturally in most models, it can also be exploited without restriction by our method. This method translates states of a formal model into directed graphs, and then uses graph canonicalisation to detect symmetries. We use the tool NAUTY to efficiently perform graph canonicalisation, which we have interfaced with the model checker PROB. In this paper we present the general technique, show how states can be translated first into vertex-coloured graphs suitable for NAUTY. We present empirical results, showing the effectiveness of our method as well as analysing the cost of graph canonicalisation.
Symmetry reduction for B by permutation flooding
Library, Hyundai Microelectronics Co., Ltd., Seoul, Korea, 1998
Cited by 11 (8 self)
Abstract. Symmetry reduction is an established method for limiting the amount of states that have to be checked during exhaustive model checking. The idea is to only verify a single representative of every class of symmetric states. However, computing this representative can be nontrivial, especially for a language such as B with its involved data structures and operations. In this paper, we propose an alternate approach, called permutation flooding. It works by computing permutations of newly encountered states, and adding them to the state space. This turns out to be relatively unproblematic for B’s data structures and we have implemented the algorithm inside the ProB model checker. Empirical results confirm that this approach is effective in practice; speedups exceed an order of magnitude in some cases. The paper also contains correctness results of permutation flooding, which should also be applicable for classical symmetry reduction in B.