From Event-B Models to Dafny Code Contracts

Lecture Notes in Computer Science

Butler

Rezazadeh

et al. 2018

Self Cite

Scheduled Event-B (SEB) augments Event-B with a scheduling language to make the control flow in an Event-B model explicit and facilitate derivation of algorithmic structure in Event-B refinement. A concrete SEB model has a concrete algorithmic structure associated with it. Although this structure reduces the difficulty of code generation, there is still some gap between the model and executable code. This work formulates the translation of SEB models to a programming language called Dafny and proposes an approach in which a number of assertions are generated from the model that allows the verification of the generated code in a static program verifier.

Section: Discussionmentioning

confidence: 99%

Verifiable Code Generation from Scheduled Event-B Models

Lecture Notes in Computer Science

Butler

Rezazadeh

et al. 2018

Self Cite

“…We have developed a proof-of-concept tool to automate the generation of C++ assertions from Event-B formal models. The tool, illustrated in Figure 2, is an extension of our existing contract generation tool [7] and is implemented as a Rodin plug-in. The assertion generation tool translates an Event-B event to a C++ function where the function implements an assertion.…”

Section: Automatic Assertion Generationmentioning

confidence: 99%

Verifying Cross-Layer Interactions Through Formal Model-Based Assertion Generation

Fathabadi

IEEE Embedded Syst. Lett.

Butler

et al. 2020

Self Cite

Cross-layer runtime management (RTM) frameworks for embedded systems provide a set of standard APIs for communication between different system layers (i.e. RTM, applications and device) and simplify the development process by abstracting these layers. Integration of independently developed components of the system is an error-prone process that requires careful verification. In this paper, we propose a formal approach to integration testing through automatic generation of runtime assertions in order to test the implementation of the APIs. Our approach involves a formal model of the APIs, developed using the Event-B formal method which is automatically translated to a set of assertions and embedded in the existing implementation of APIs. The embedded assertions are used at runtime to check the correctness of the integration. 1

“…These existential quantifications can be seen as the specification of other procedures, so if there is a procedure that satisfies this existential quantification then the quantification in the branch condition can be replaced by a procedure call to that procedure (which should return a boolean value) in code level. Using an approach similar to [28], it is possible to transform the guards to a set of pre-and post-conditions in a language which is supported by a static verifier and then implement and verify the aforementioned procedures there.…”

Section: Towards Implementation Of Vbdmentioning

confidence: 99%

Formalising the Hybrid ERTMS Level 3 specification in iUML-B and Event-B

Dghaym

Int J Softw Tools Technol Transfer

Poppleton

et al. 2019

Self Cite

We demonstrate refinement-based formal development of the hybrid, 'fixed virtual block' approach to train movement control for the emerging European Rail Traffic Management System (ERTMS) level 3. Our approach uses iUML-B diagrams as a front end to the Event-B modelling language. We use abstraction to verify the principle of movement authority before gradually developing the details of the Virtual Block Detector component in subsequent refinements, thus verifying that it preserves the safety properties. We animate the refined models to demonstrate their validity using the scenarios from the Hybrid ERTMS Level 3 (HLIII) specification. We reflect on our team-based approach to finding useful modelling abstractions and demonstrate a systematic modelling method based on the state and class diagrams of iUML-B. The component and control flow architectures of the application, its environment and interacting systems emerge through the layered refinement process. The runtime semantics of the specification's state-machine behaviour are modelled in the final refinements. We discuss how the model could be used to generate an implementation using code generation tools and techniques. Abbreviations ADT Abstract Data Type RodinRodin platform ERS