Difference between pages "Current Developments" and "D23 ProB"

From Event-B
(Difference between pages)
Jump to navigationJump to search
imported>Steve
 
imported>Leuschel
 
Line 1: Line 1:
{{TOCright}}
+
= Overview =
This page sum up the known developments that are being done around or for the [[Rodin Platform]]. ''Please contributes informations about your own development to keep the community informed''
+
This part of the deliverable describes improvement of the ProB animation and model checking plugin.
  
== Deploy Tasks ==
+
The improvements and development of ProB were mainly carried out by University of Düsseldorf, with some support by the University of Southampton.
The following tasks were planned at some stage of the [[Deploy]] project.
+
Furthermore, the work was driven by requirements of Siemens and SAP; some tool development was also undertaken by SAP.
=== Core Platform ===
 
==== New Mathematical Language ====
 
==== Rodin Index Manager ====
 
[[Systerel]] is in charge of this task.
 
{{details|Rodin Index Design|Rodin index design}}
 
  
The purpose of the Rodin index manager is to store in a uniform way the entities that are declared in the database together with their occurrences. This central repository of declarations and occurrences will allow for fast implementations of various refactoring mechanisms (such as renaming) and support for searching models or browsing them.
+
New features:
 +
* Multi-level animation and validation
 +
* B-Motion Studio
 +
* Disprover Support
 +
* first steps towards test-case generation
  
==== Text Editor ====
+
Improvements:
[[Düsseldorf]] has a prototype text-based editor for Event-B (courtesy of [[User:Fabian|Fabian]]). As of end of sempteber 2008, it still needs more work to fully integrate into Rodin.
+
* Scalability improvements driven by Siemens and SAP applications
 +
* Using proof information to improve model checking
  
[[Newcastle]] has another text editor based on EMF. Among other things, it defines an EMF model of Event-B machines and contexts. At some point, the editor code is to be split into two plugins - an EMF adapater to rodin and the editor itself. Source code is currently available from [http://iliasov.org/editor-source.zip].
+
Other works:
 +
  * First steps towards validation of ProB for usage by Siemens in SIL-4 chain
 +
* Evaluation against SAT/SMT/BDD-based approaches
  
=== Plug-ins ===
+
= Motivations =
==== Requirement Management Plug-in ====
+
This paragraph shall express the motivation for each tool extension and improvement. More precisely, it shall first indicate the state before the work, the encountered difficulties, and shall highlight the requirements (eg. those of industrial partners). Then, it shall summarize how these requirements are addressed and what are the main benefits.
[[User:Jastram|Michael]] at [[Düsseldorf]] is in charge of the [[:Category:Requirement Plugin|Requirements Management Plug-in]].
 
  
{{See also|ReqsManagement|Requirements Tutorial|l1=Requirements Management Plug-in}}
 
  
This plug-in allows:
+
=== Multi-level Animation and Validation ===
* Requirements to be edited in a set of documents (independently from Rodin)
 
* Requirements to be viewed within Rodin
 
* Individual Requirements to be linked to individual Event-B-Entities
 
* A basic completion test to be performed
 
  
==== UML-B Plug-in ====
+
Thus far ProB only alllowed single-level animation, i.e., the animator would animate a single refinement level in isolation.
[[Southampton]] is in charge of [[UML-B]] plug-in.
+
This meant that ProB was not able to detect a large class of potential errors in the model:
 +
* a broken gluing invariant
 +
* an invalid witness
 +
* violation of guard strengthening
 +
* violation of variant decrease (resp. decrease or stability) for convergent (resp. anticipated) events
  
* Support for synchronisation of transitions from different statemachines. This feature will allow two or more transitions in different statemachines to contribute to a single event. This feature is needed because a single event can alter several variables (in this case statemachines) simultaneously.
+
The new validation algorithm now can animate a range of refinements together. The user can decide which levels are to be animated together.
 +
As such, all of the above errors can now be detected by ProB.
 +
User experience is also improved, as he or she can inspect also the abstract variables.
 +
The new algorithm has been sucessfully applied to various case studies, and thus far up to 14 levels have been animated concurrently without problem.
  
*Allow user to allocate the name of the 'implicit contextual instance' used in a class. Events and Transitions owned by a class are implicitly acting upon an instance of the class which has formerly been denoted by the reserved word 'self'. This modification allows the modeller to override 'self' (which is now the default name) with any other identifier. This feature is needed to avoid name clashes when synchronising transitions into a single event. It also allows events to be moved between different classes (or outside of all classes) during refinement without creating name clashes.
 
  
* Better support for state machine refinement in UML-B. This revision to UML-B allows a statemachine to be recognised as a refinement of another one and to be treated in an appropriate way during translation to Event-B. The states and transitions of a refined statemachine can be elaborated by adding more detailed hierarchical statemachines.
+
=== B-Motion Studio ===
  
==== ProB Plug-in ====
+
It is often very important to be able to show a formal model to a domain expert or manager, not versed in formal methods.
[[Düsseldorf]] is in charge of [[ProB]].
+
For example, only a domain expert will be able to detect certain mistakes in the formal model.
<!-- {{details|ProB current developments|ProB current developments}} -->
+
To enable to easily and quickly build graphical visualisations of Rodin models, we have developed B-Motion Studio.
 +
B-Motion Studio comes with a graphical editor to arrange graphical components and link them with the formal model.
 +
No new programming language has to be learned: the linking is described in B itself.
 +
To run a graphical visualisation, the ProB animator is used.
  
===== Work already performed =====
+
=== Test-Case Generation ===
  
We have now ported ProB to work directly on the Rodin AST. Animation is working and the user can now set a limited number of preferences.
+
During deployment in the SAP workpackage it became clear that test-case generation from the Event-B models
The model checking feature is now also accessible.
+
is required for success.
It is also possible to create CSP and classical B specification files. These files can be edited with BE4 and animated/model checked with ProB.
+
In this task, we have developed a first algorithm for test-case generation, which ensures complete transition coverage of a high-level model, and translates the test-cases into traces of a refined model, so that the tests can be run on the "real" system.
On the classical B side we have moved to a new, more robust parser (which is now capable of parsing some of the more complicated AtelierB
+
Optimisations, to reduce the length and number of test cases, as well as to minimise race conditions, have been implemented.
specifications from Siemens).
 
  
On the developer side, we have moved to a continuous integration infrastructure using CruiseControl. Rodin is also building from CVS in that infrastructure.
+
=== Scalability and Validation ===
 +
We tackled  a  case study in WP2, which centres on the San Juan metro system installed by Siemens. The control software was developed and formally proven with B. However, the development contains certain assumptions about the actual rail network topology which have to be validated separately in order to ensure safe operation. For this task, Siemens has developed custom proof rules for AtelierB. AtelierB, however, was unable to deal with about 80 properties of the deployment (running out of memory). These properties thus had to be validated by hand at great expense (and they need to be revalidated whenever the rail network infrastructure changes). I
  
===== Ongoing and future developments=====
+
The motivation then was to try and use ProB for this task.
 +
This required a considerable amount of work on improving the scalability of the ProB kernel, to be able to deal with large sets and relations.
 +
The ProB parser and type checker also had to be re-developed to be able to deal with large industrial specifications.
  
We are currently developing a new, better user interface.
+
The case study was a succcess:ProB was able to validate all of the about 300 properties of the San Juan deployment, detecting exactly the same faults automatically in around 17 minutes that were manually uncovered in about one man-month.  
We also plan to support multi-level animation with checking of the gluing invariant.
 
  
We have prototypes for several extensions working, but they need to be fully tested and integrated into the plugin:
+
This leads to the next task: the issue of validating ProB, so that it can be integrated into the SIL4 development chain at Siemens
* an inspector that allows the user to inspect complex predicates (such as invariants or guards) as well as expressions in a tree-like manner
 
* a graphical animator based on SWT that allows the user to design his/her own animations easily within the tool
 
* a 2D viewer to inspect the state space of the specification
 
  
==== B2Latex Plug-in ====
+
=== Proof Directed Model Checking ===
[[Southampton]] is in charge of [[B2Latex]].
 
  
Kriangsak Damchoom will update the plug-in to add [[Event Extension|extensions of events]].
+
Jens: can you insert something?
  
==== Parallel Composition Plug-in ====
 
[[Southampton]] is in charge of the [[Parallel Composition using Event-B]] .
 
  
The intention of the plug-in is to allow the parallel composition of events using Event-B syntax. The composition uses a value-passing style (shared event composition), where parameters can be shared/merged.
+
=== SAT/SMT/Kodkod ===
  
This plug-in allows:
+
In this subtask we investigate alternate approaches for validating high-level B models using techniques and tools based on BDDs, SAT-solving and SMT-solving.
* Selection of machines that will be part of the composition (''Includes'' Section)
+
The overall motivation is to improve the scalability of the animator and model checker.
* Possible selection of an abstract machine (''Refines'' Section)
 
* Possible inclusion of invariants that relate the included machines (''Invariant'' Section and use of the monotonicity )
 
* Invariants of included machines are conjoined.
 
* Selection of events that will be merged. The event(s) must come from different machines. At the moment, events with parameters with same name are merged. If it is a refinement composition, it is possible to choose the abstract event that is being refined.
 
* Initialisation event is the parallel composition of all the included machines' initialisations.
 
* For a composed event, the guards are conjoined and the all the actions are composed in parallel.
 
  
Currently, after the conclusion of the composition machine, a new machine can be generated, resulting from the properties defined on the composition file. This allows proofs to be generated as well as a visualisation of the composition machine file. In the future, the intention is to make the validation directly on the composition machine file directly where proofs would be generated ( and discharged) - the new machine generation would be optional. An event-b model for the validation/generation of proofs in currently being developed. Another functionality which should be quite useful for the composition (but not restricted to that) is '''renaming''':
+
=== Disprover ===
  
* while composing, two machines may have variables with the same name for instance (which is not allowed for this type of composition). In order to solve this problem, one would have to rename one of the variables in order to avoid the clash, which would mean change the original machine. A possible solution for that would be to rename the variable but just on composition machine file, keeping the original machine intact. A renaming framework designed and developed by Stefan Hallerstede and Sonja Holl exists currently although still on a testing phase. The framework was developed to be used in a general fashion (not constrained to event-b syntax). The idea is to extend the development of this framework and apply to Event-B syntax (current development).
+
In order to help the user, we wanted to make it possible to apply ProB to individual proof obligations.
 +
In some cases, this enables proving a sequent by exhaustive case analysis.
 +
Also, if ProB finds a counter example, the user gets important feedback: the proof obligation cannot be discharged, along with a reason why.
  
There is a prototype for the composition plug-in available, but only works for Rodin 0.8.2. A release for the Rodin 0.9 should be made available soon.
+
= Choices / Decisions =
 +
This paragraph shall summarize the decisions (eg. design decisions) and justify them. Thus, it may present the studied solutions, through their main advantages and inconvenients, to legitimate the final choices.
  
==== Refactoring Framework Plug-in ====
+
= Available Documentation =
[[Southampton]] is in charge of the [[Refactoring Framework]].
 
  
The intention of the plug-in is to allow the renaming/refactoring of elements on a file (and possible related files). Although created to be used in a general way, the idea is to embed this framework on the Rodin platform, using Event-B syntax. This plug-in was initially designed and developed by Stefan Hallerstede and Sonja Holl.
+
== User Manual ==
  
This plug-in allows:
+
[http://asap0.cs.uni-duesseldorf.de/trac/prob/wiki/ ProB User Manual]
* Defining extensions that can be used to select related files.
 
* Defining extensions that can be used to rename elements based on the type of file.
 
* Renaming of elements on a file and possible occurrences on related files.
 
* Generating of a report of possible problems (clashes) that can occur while renaming.
 
  
== Exploratory Tasks ==
+
== Published Papers ==
=== One Single View ===
 
[[Maria]] is in charge of this exploratory work during is internship.
 
{{details|Single View Design|Single View Design}}
 
The goal of this project is to present everything in a single view in Rodin. So the user won't have to switch perspectives.
 
  
 +
Below is a list of published papers, along with an abstract.
  
 +
=== Improved Kernel to deal with large sets and relations ===
 +
In this part we describe the successful application of the ProB validation tool on an industrial case study. The case study centres on the San Juan metro system installed by Siemens. The control software was developed and formally proven with B. However, the development contains certain assumptions about the actual rail network topology which have to be validated separately in order to ensure safe operation. For this task, Siemens has developed custom proof rules for AtelierB. AtelierB, however, was unable to deal with about 80 properties of the deployment (running out of memory). These properties thus had to be validated by hand at great expense (and they need to be revalidated whenever the rail network infrastructure changes). In this paper we show how we were able to use ProB to validate all of the about 300 properties of the San Juan deployment, detecting exactly the same faults automatically in around 17 minutes that were manually uncovered in about one man-month. This achievement required the extension of the ProB kernel for large sets as well as an improved constraint propagation phase. We also outline some of the effort and features that were required in moving from a tool capable of dealing with medium-sized examples towards a tool able to deal with actual industrial specifications. Notably, a new parser and type checker had to be developed. We also touch upon the issue of validating ProB, so that it can be integrated into the SIL4 development chain at Siemens
  
== Others ==
 
  
=== AnimB ===
+
[http://www.stups.uni-duesseldorf.de/~leuschel/publication_detail.php?id=248 Michael Leuschel, Jérôme Falampin, Fabian Fritz, Daniel Plagge. Automated Property Verification for Large Scale B Models, FM'2009.]
[[Christophe]] devotes some of its spare time for this plug-in.
 
{{details|AnimB Current Developments|AnimB Current Developments}}
 
The current developments around the [[AnimB]] plug-in encompass the following topics:
 
;Live animation update
 
:where the modification of the animated event-B model is instantaneously taken into account by the animator, without the need to restart the animation.
 
;Collecting history
 
:The history of the animation will be collected.
 
  
=== Team-Based Development ===
+
=== Multi-Level Animation and Validation ===
 +
We provide a detailed description of refinement in Event-B, both as a contribution in itself and as a foundation for the approach to simultaneous animation of multiple levels of refinement that we propose.
 +
We present an algorithm for simultaneous multi-level animation of refinement, and show how it can be used to detect a variety of errors that occur frequently when using refinement.
 +
The algorithm has been implemented in ProB and we applied it to several case studies, showing that multi-level animation is tractable also on larger models.
  
; Usage Scenarios
+
[http://www.stups.uni-duesseldorf.de/~leuschel/publication_detail.php?id=256 Stefan Hallerstede, Michael Leuschel, Daniel Plagge. Refinement-Animation for Event-B --- Towards a Method of Validation. ABZ'2010 ]
: In order to understand the problem properly, [http://www.stups.uni-duesseldorf.de/ Düsseldorf] created a number of usage [[Scenarios for Team-based Development]].
 
: A page as also been opened for [[Scenarios for Merging Proofs|merging proofs scenarios]].
 
[[Category:Work in progress]]
 
  
=== B2C ===
+
See also [http://www.springerlink.com/content/282p2316x7165588/ Stefan Hallerstede, Michael Leuschel. How to Explain Mistakes. TFM'09.]
This plug-in translates Event-B models to C source code, which may then be compiled using external C development tools. [[Steve]] wrote B2C with the specific purpose of translating the  [http://dx.doi.org/10.1007/978-3-540-87603-8_21 MIDAS] model, an Event-B implementation of a Virtual Machine instruction set.
 
  
B2C supports a sub-set of Event-B that can be easily translated to C form. The user provides a final refinement step that does nothing except restate the model in this translatable form: symbolic constants must be replaced by their literal values, range membership guards are replaced by greater-than and less-than guards, and actions are restated not to use global statments on their left-sides (this because the variable may have been modified by an earlier action, and may not be valid). The manipulations are done within EventB where they can be checked by the Proof Obligation system, and B2C made as simple as possible to maximise reliability. This re-write process is currently a manual step, but could in principle be done by another plug-in
+
=== Test-Case Generation ===
 +
Choreography models describe the communication protocols between services. Testing of service choreographies is an important task for the quality assurance of service-based systems as used e.g. in the context of service-oriented architectures (SOA). The formal modeling of service choreographies enables a model-based integration testing (MBIT) approach. We present MBIT methods for our service choreography modeling approach called Message Choreography Models (MCM). For the model-based testing of service choreographies, MCMs are translated into Event-B models and used as input for our test generator which uses the model checker ProB.
  
B2C source code is not currently available for download: contact [[Steve]] directly if it is required.
+
[http://www.stups.uni-duesseldorf.de/~leuschel/publication_detail.php?id=252 Sebastian Wieczorek, Vitaly Kozyura, Andreas Roth, Michael Leuschel, Jens Bendisposto, Daniel Plagge, Ina Schieferdecker. Applying Model Checking to Generate Model-based Integration Tests from Choreography Models. TESTCOM/FATES 2009.]
 +
 
 +
 
 +
=== Proof-Directed Model Checking ===
 +
With the aid of the ProB Plugin, the Rodin Platform provides an integrated environment for editing, proving, animating and model checking Event-B models. This is of considerable benefit to the modeler, as it allows him to switch between the various tools to validate, debug and improve his or her models. The crucial idea of this paper is that the integrated platform also provides benefits to the tool developer, i.e., it allows easy access to information from other tools. Indeed, there has been considerable interest in combining model checking, proving and testing. In previous work we have already shown how a model checker can be used to complement the Event-B proving environment, by acting as a disprover. In this paper we show how the prover can help improve the efficiency of the animator and model checker.
 +
 
 +
[http://www.stups.uni-duesseldorf.de/~leuschel/publication_detail.php?id=253 Jens Bendisposto, Michael Leuschel. Proof Assisted Model Checking for B. ICFEM 2009.]
 +
 
 +
=== Debugging Tricky Proof Obligations with the ProB Disprover ===
 +
While a large number of proof obligations can be discharged automatically by tools such as the RODIN platform, a considerable number still have to be proven interactively.  In this paper, we we describe a disprover plugin for RODIN that utilizes ProB to automatically find counterexamples for a given problematic proof obligation.  In case the disprover finds a counterexample, the user can directly investigate the source of teh problem, as pinpointed by the counterexample.  We also discuss under which circumstances our plug-in can be used as a prover, i.e., when the absence of a counterexample
 +
actually is a proof of the proof obligation.
 +
 
 +
[http://www.stups.uni-duesseldorf.de/publications_detail.php?id=219 Olivier Ligot, Jens Bendisposto, Michael Leuschel. Debugging Event-B Models using the ProB Disprover Plug-in.  AFADL 2007.]
 +
 
 +
=== Inspection of Alternate Approaches ===
 +
 
 +
ProB is a model checker for high-level B and Event-B models based on constraint-solving. In this paper we investigate alternate approaches for validating high-level B models using alternative techniques and tools based on using BDDs, SAT-solving and SMT-solving. In particular, we examine whether ProB can be complemented or even supplanted by using one of the tools BDDBDDB, Kodkod or SAL.
 +
 
 +
[http://www.stups.uni-duesseldorf.de/~leuschel/publication_detail.php?id=249 Daniel Plagge, Michael Leuschel, Ilya Lopatkin, Alexander Romanovsk. SAL, Kodkod, and BDDs for Validation of B Models. Lessons and Outlook. AFM'09.]
 +
 
 +
=== Validation of ProB ===
 +
 
 +
Symmetry reduction is a model checking technique that can help alleviate the problem of state space explosion, by preventing redundant state space exploration. In previous work, we have developed three effective approaches to symmetry reduction for B that have been implemented into the ProB model checker, and we have proved the soundness of our state symmetries. However, it is also important to show our techniques are sound with respect to standard model checking, at the algorithmic level. In this paper, we present a retrospective B development that addresses this issue through a series of B refinements. This work also demonstrates the valuable insights into a system that can be gained through formal modelling.
 +
 
 +
[http://www.stups.uni-duesseldorf.de/~leuschel/publication_detail.php?id=257 Edd Turner, Michael Butler, Michael Leuschel. A Refinement-Based Correctness Proof of Symmetry Reduced Model Checking. ABZ'2010.]
 +
 
 +
 
 +
=== B-Motion Studio ===
 +
 
 +
B-Motion Studio provides a way to quickly generate domain specific visualisations for a formal model, enabling domain experts and managers to understand and validate the model. We also believe that our tool will be of use when teaching formal methods, both during lectures as a way to motivate students to write their own formal models.
 +
 
 +
[http://www.stups.uni-duesseldorf.de/~leuschel/publication_detail.php?id=258 Lukas Ladenberger, Jens Bendisposto, Michael Leuschel. Visualising Event-B models with B-Motion Studio. FMICS'2009.]
 +
 
 +
= Planning =
 +
This paragraph shall give a timeline and current status (as of 29 Jan 2010).
 +
 
 +
=== Model-based Testing ===
 +
 
 +
* Directed Model Checking to achieve coverage (Deploy extension; Flow Graphs)
 +
* Integrate Algorithm into Rodin
 +
* Make Algorithm more generic
 +
* Top-down multi-level animation
 +
* Move from prototype to real product
 +
 
 +
=== B-Motion Studio ===
 +
 
 +
* Experiment with existing Flash animation and B model of ClearSy
 +
* Improve usability, more widgets
 +
 
 +
=== Validation of ProB ===
 +
 
 +
* Test coverage analysis for Prolog code
 +
* Validation Document to be delivered to Siemens
 +
 
 +
=== Scalability ===
 +
 
 +
* More experiments with SAT, SMT, BDD techniques
 +
 
 +
* Integration of Kodkod into ProB for solving complicated predicates over first order relations and simple sets
 +
 
 +
=== Usability ===
 +
* Feedback errors found by ProB into the PO view (as red icons)
 +
* Improve Disprover, detect when it is a decision procedure
 +
* Further improvments to GUI: 2-D Viewer, better multi-level animation view

Revision as of 08:22, 27 November 2009

Overview

This part of the deliverable describes improvement of the ProB animation and model checking plugin.

The improvements and development of ProB were mainly carried out by University of Düsseldorf, with some support by the University of Southampton. Furthermore, the work was driven by requirements of Siemens and SAP; some tool development was also undertaken by SAP.

New features: 

* Multi-level animation and validation
* B-Motion Studio
* Disprover Support
* first steps towards test-case generation

Improvements: 

* Scalability improvements driven by Siemens and SAP applications
* Using proof information to improve model checking

Other works: 

* First steps towards validation of ProB for usage by Siemens in SIL-4 chain
* Evaluation against SAT/SMT/BDD-based approaches

Motivations

This paragraph shall express the motivation for each tool extension and improvement. More precisely, it shall first indicate the state before the work, the encountered difficulties, and shall highlight the requirements (eg. those of industrial partners). Then, it shall summarize how these requirements are addressed and what are the main benefits.


Multi-level Animation and Validation

Thus far ProB only alllowed single-level animation, i.e., the animator would animate a single refinement level in isolation. This meant that ProB was not able to detect a large class of potential errors in the model:

  • a broken gluing invariant
  • an invalid witness
  • violation of guard strengthening
  • violation of variant decrease (resp. decrease or stability) for convergent (resp. anticipated) events

The new validation algorithm now can animate a range of refinements together. The user can decide which levels are to be animated together. As such, all of the above errors can now be detected by ProB. User experience is also improved, as he or she can inspect also the abstract variables. The new algorithm has been sucessfully applied to various case studies, and thus far up to 14 levels have been animated concurrently without problem.


B-Motion Studio

It is often very important to be able to show a formal model to a domain expert or manager, not versed in formal methods. For example, only a domain expert will be able to detect certain mistakes in the formal model. To enable to easily and quickly build graphical visualisations of Rodin models, we have developed B-Motion Studio. B-Motion Studio comes with a graphical editor to arrange graphical components and link them with the formal model. No new programming language has to be learned: the linking is described in B itself. To run a graphical visualisation, the ProB animator is used.

Test-Case Generation

During deployment in the SAP workpackage it became clear that test-case generation from the Event-B models is required for success. In this task, we have developed a first algorithm for test-case generation, which ensures complete transition coverage of a high-level model, and translates the test-cases into traces of a refined model, so that the tests can be run on the "real" system. Optimisations, to reduce the length and number of test cases, as well as to minimise race conditions, have been implemented.

Scalability and Validation

We tackled a case study in WP2, which centres on the San Juan metro system installed by Siemens. The control software was developed and formally proven with B. However, the development contains certain assumptions about the actual rail network topology which have to be validated separately in order to ensure safe operation. For this task, Siemens has developed custom proof rules for AtelierB. AtelierB, however, was unable to deal with about 80 properties of the deployment (running out of memory). These properties thus had to be validated by hand at great expense (and they need to be revalidated whenever the rail network infrastructure changes). I

The motivation then was to try and use ProB for this task. This required a considerable amount of work on improving the scalability of the ProB kernel, to be able to deal with large sets and relations. The ProB parser and type checker also had to be re-developed to be able to deal with large industrial specifications.

The case study was a succcess:ProB was able to validate all of the about 300 properties of the San Juan deployment, detecting exactly the same faults automatically in around 17 minutes that were manually uncovered in about one man-month.

This leads to the next task: the issue of validating ProB, so that it can be integrated into the SIL4 development chain at Siemens

Proof Directed Model Checking

Jens: can you insert something?


SAT/SMT/Kodkod

In this subtask we investigate alternate approaches for validating high-level B models using techniques and tools based on BDDs, SAT-solving and SMT-solving. The overall motivation is to improve the scalability of the animator and model checker.

Disprover

In order to help the user, we wanted to make it possible to apply ProB to individual proof obligations. In some cases, this enables proving a sequent by exhaustive case analysis. Also, if ProB finds a counter example, the user gets important feedback: the proof obligation cannot be discharged, along with a reason why.

Choices / Decisions

This paragraph shall summarize the decisions (eg. design decisions) and justify them. Thus, it may present the studied solutions, through their main advantages and inconvenients, to legitimate the final choices.

Available Documentation

User Manual

ProB User Manual

Published Papers

Below is a list of published papers, along with an abstract.

Improved Kernel to deal with large sets and relations

In this part we describe the successful application of the ProB validation tool on an industrial case study. The case study centres on the San Juan metro system installed by Siemens. The control software was developed and formally proven with B. However, the development contains certain assumptions about the actual rail network topology which have to be validated separately in order to ensure safe operation. For this task, Siemens has developed custom proof rules for AtelierB. AtelierB, however, was unable to deal with about 80 properties of the deployment (running out of memory). These properties thus had to be validated by hand at great expense (and they need to be revalidated whenever the rail network infrastructure changes). In this paper we show how we were able to use ProB to validate all of the about 300 properties of the San Juan deployment, detecting exactly the same faults automatically in around 17 minutes that were manually uncovered in about one man-month. This achievement required the extension of the ProB kernel for large sets as well as an improved constraint propagation phase. We also outline some of the effort and features that were required in moving from a tool capable of dealing with medium-sized examples towards a tool able to deal with actual industrial specifications. Notably, a new parser and type checker had to be developed. We also touch upon the issue of validating ProB, so that it can be integrated into the SIL4 development chain at Siemens


Michael Leuschel, Jérôme Falampin, Fabian Fritz, Daniel Plagge. Automated Property Verification for Large Scale B Models, FM'2009.

Multi-Level Animation and Validation

We provide a detailed description of refinement in Event-B, both as a contribution in itself and as a foundation for the approach to simultaneous animation of multiple levels of refinement that we propose. We present an algorithm for simultaneous multi-level animation of refinement, and show how it can be used to detect a variety of errors that occur frequently when using refinement. The algorithm has been implemented in ProB and we applied it to several case studies, showing that multi-level animation is tractable also on larger models.

Stefan Hallerstede, Michael Leuschel, Daniel Plagge. Refinement-Animation for Event-B --- Towards a Method of Validation. ABZ'2010

See also Stefan Hallerstede, Michael Leuschel. How to Explain Mistakes. TFM'09.

Test-Case Generation

Choreography models describe the communication protocols between services. Testing of service choreographies is an important task for the quality assurance of service-based systems as used e.g. in the context of service-oriented architectures (SOA). The formal modeling of service choreographies enables a model-based integration testing (MBIT) approach. We present MBIT methods for our service choreography modeling approach called Message Choreography Models (MCM). For the model-based testing of service choreographies, MCMs are translated into Event-B models and used as input for our test generator which uses the model checker ProB.

Sebastian Wieczorek, Vitaly Kozyura, Andreas Roth, Michael Leuschel, Jens Bendisposto, Daniel Plagge, Ina Schieferdecker. Applying Model Checking to Generate Model-based Integration Tests from Choreography Models. TESTCOM/FATES 2009.


Proof-Directed Model Checking

With the aid of the ProB Plugin, the Rodin Platform provides an integrated environment for editing, proving, animating and model checking Event-B models. This is of considerable benefit to the modeler, as it allows him to switch between the various tools to validate, debug and improve his or her models. The crucial idea of this paper is that the integrated platform also provides benefits to the tool developer, i.e., it allows easy access to information from other tools. Indeed, there has been considerable interest in combining model checking, proving and testing. In previous work we have already shown how a model checker can be used to complement the Event-B proving environment, by acting as a disprover. In this paper we show how the prover can help improve the efficiency of the animator and model checker.

Jens Bendisposto, Michael Leuschel. Proof Assisted Model Checking for B. ICFEM 2009.

Debugging Tricky Proof Obligations with the ProB Disprover

While a large number of proof obligations can be discharged automatically by tools such as the RODIN platform, a considerable number still have to be proven interactively. In this paper, we we describe a disprover plugin for RODIN that utilizes ProB to automatically find counterexamples for a given problematic proof obligation. In case the disprover finds a counterexample, the user can directly investigate the source of teh problem, as pinpointed by the counterexample. We also discuss under which circumstances our plug-in can be used as a prover, i.e., when the absence of a counterexample actually is a proof of the proof obligation.

Olivier Ligot, Jens Bendisposto, Michael Leuschel. Debugging Event-B Models using the ProB Disprover Plug-in. AFADL 2007.

Inspection of Alternate Approaches

ProB is a model checker for high-level B and Event-B models based on constraint-solving. In this paper we investigate alternate approaches for validating high-level B models using alternative techniques and tools based on using BDDs, SAT-solving and SMT-solving. In particular, we examine whether ProB can be complemented or even supplanted by using one of the tools BDDBDDB, Kodkod or SAL.

Daniel Plagge, Michael Leuschel, Ilya Lopatkin, Alexander Romanovsk. SAL, Kodkod, and BDDs for Validation of B Models. Lessons and Outlook. AFM'09.

Validation of ProB

Symmetry reduction is a model checking technique that can help alleviate the problem of state space explosion, by preventing redundant state space exploration. In previous work, we have developed three effective approaches to symmetry reduction for B that have been implemented into the ProB model checker, and we have proved the soundness of our state symmetries. However, it is also important to show our techniques are sound with respect to standard model checking, at the algorithmic level. In this paper, we present a retrospective B development that addresses this issue through a series of B refinements. This work also demonstrates the valuable insights into a system that can be gained through formal modelling.

Edd Turner, Michael Butler, Michael Leuschel. A Refinement-Based Correctness Proof of Symmetry Reduced Model Checking. ABZ'2010.


B-Motion Studio

B-Motion Studio provides a way to quickly generate domain specific visualisations for a formal model, enabling domain experts and managers to understand and validate the model. We also believe that our tool will be of use when teaching formal methods, both during lectures as a way to motivate students to write their own formal models.

Lukas Ladenberger, Jens Bendisposto, Michael Leuschel. Visualising Event-B models with B-Motion Studio. FMICS'2009.

Planning

This paragraph shall give a timeline and current status (as of 29 Jan 2010).

Model-based Testing

  • Directed Model Checking to achieve coverage (Deploy extension; Flow Graphs)
  • Integrate Algorithm into Rodin
  • Make Algorithm more generic
  • Top-down multi-level animation
  • Move from prototype to real product

B-Motion Studio

  • Experiment with existing Flash animation and B model of ClearSy
  • Improve usability, more widgets

Validation of ProB

  • Test coverage analysis for Prolog code
  • Validation Document to be delivered to Siemens

Scalability

  • More experiments with SAT, SMT, BDD techniques
  • Integration of Kodkod into ProB for solving complicated predicates over first order relations and simple sets

Usability

  • Feedback errors found by ProB into the PO view (as red icons)
  • Improve Disprover, detect when it is a decision procedure
  • Further improvments to GUI: 2-D Viewer, better multi-level animation view
Retrieved from ‘https://wiki.event-b.org/index.php?title=Current_Developments&oldid=2031