Difference between pages "Current Developments" and "D23 Code Generation"

From Event-B
(Difference between pages)
Jump to navigationJump to search
imported>Laurent
 
imported>WikiSysop
 
Line 1: Line 1:
{{TOCright}}
+
=Overview and Motivation=
This page sum up the known developments that are being done around or for the [[Rodin Platform]]. ''Please contributes informations about your own development to keep the community informed''
 
  
You may also have a look at [[Past Developments|past developments]].
+
Code generation is an important part of the formal engineering tool chain that will enable complete support for development from high-level models down to executable implementations. Work has commenced on the development of support for code generation from Event-B models.  This is a new line of work for DEPLOY that was not identified in the original Description of Work for the project.  During the first year of the project, as the Deployment Partners gained experience with deployment of formal modelling, it became clear that having support for generation of code from refined Event-B models would be an important factor in ensuring eventual deployment of the DEPLOY approach within their organisations.  This is especially true for Bosch and Space Systems Finland (SSF).  During the DEPLOY re-focus at Month 18, it was decided to introduce a code generation task into a revised workplan and devote resources to this task.
  
== Current Tasks ==
+
After receiving more detailed requirements from Bosch and SSF, it became clear we should focus our efforts on supporting the generation of code for typical real-time embedded control software.  In essence, this involves programs structured as tasks running concurrently such as supported by the Ada tasking model.  The individual tasks are sequential programs and tasks share state variables via some form of monitor mechanism.  For real-time control, both periodic and aperiodic task should be supported; tasks should have priorities to ensure appropriate responsiveness of the control software.
The following tasks were planned at some stage of the [[Deploy]] or [[Advance]] project.
 
  
=== Code Generation ===
+
For the DEPLOY pilots, it is regarded as sufficient to support construction of programs with a fixed number of tasks and a fixed number of shared variables – no dynamic creation of processes or objects is required. It is not our intention to develop a fully-fledged industrial-strength code generation framework within the lifetime of the DEPLOY project.  Instead an aim is to develop a sufficient framework to act as a proof-of-concept to enable code generation for the Bosch and SSF pilots.  A further aim is to gain practical experience with a prototype code generation framework that will serve as a basis for future R&D on a scalable code generation framework.
For an overview of Tasking Event-B see [[Tasking Event-B Overview]].
+
The code generation work is being lead by Southampton with initial input from Newcastle.
  
For information about the recent release see [[Code Generation]].
+
=Choices/Decisions=
 +
Three candidate approaches have been posited as follows;
 +
• Enrich Event-B with explicit algorithmic structures for use in later refinement stages and use these explicit structures to guide code generation
 +
• Synthesise sequential and concurrent code from existing low-level Event-B models
 +
• Exploit the code generation facilities of Atelier-B for “classical” B
  
The tutorial is available at [[Code Generation Tutorial]].
+
Approach 3 will be important for STS in WP2 as it will enable integration of Rodin with the existing development process in STS with AtelierB and some effort will be devoted to this.  However, this approach will not address the needs of all the deployments because of the overhead involved in having to use AtelierB alongside Rodin as well as the lack of support for concurrent code generation in AtelierB.  Supporting Approach 2 has the attraction that developers can remain within the uniform language framework of Event-B.  However, it is not clear that we can meet the real-time performance guarantees required for embedded systems with this approach within the lifetime of the DEPLOY project.  
  
=== Core Platform ===
+
While we will pursue some exploration of this approach, we will focus most effort on Approach 1 as this will enable existing techniques for real-time programming to be incorporated in later stages of development.  Language support for explicit sequential and concurrent programs will be defined to enable construction of code-oriented models at low levels of refinement.  We refer to this form of Event-B as task-oriented. A code generation framework will be developed to enable automated generation of C and Ada subsets suitable for real-time embedded systems from code-oriented models.  A refinement-based proof method for code-oriented models will be defined and incorporated into the Rodin toolset.
  
====Rodin 3.0====
+
An important requirement is that the code generation framework be amenable to extension and tailoring for specific needs.  Rather than hard-wiring the code generation rules into the tool, we will aim to support a declarative rule-based approach to defining translation from task-oriented Event-B to a target implementation language.  The translation should be tailorable by modifying or extending the declarative translation rules.  We will explore the use of a model-based transformation framework such as ATL or ETL for this purpose.  Rather than fixing on a specific set of implementation-level data types, we will exploit the mathematical extension facility being developed for Rodin to enable a flexible approach to defining implementation-level data structures.  For example, arrays could be supported by defining a new theory of arrays.  This theory would define array declarations and operators along with an appropriate set of proof rules for arrays to enable reasoning.  Appropriate declarative rules would then be defined to translate array declarations and expressions to appropriate code in the target language.
  
Preliminary design for [[Rodin Platform 3.0 Release Notes|Rodin 3.0]] has started.
+
=Tasking Language=
 +
The Event-B tasking language will support the following sequential and concurrent algorithmic constructs:
 +
{| border="1"
 +
|Behaviour
 +
|Algorithmic Construct
 +
|-
 +
|Sequence
 +
|;
 +
|-
 +
|Branching
 +
|if
 +
|-
 +
|Iteration
 +
|while
 +
|-
 +
|Task/Thread/Process
 +
|task
 +
|-
 +
|Shared variables
 +
|machine
 +
|}
  
====Better event-B Editor====
+
A task-oriented model will be definable using the following abstract syntax
 +
{| border="0"
 +
|Task :=  
 +
|-
 +
|
 +
| '''task'''  Name 
 +
|-
 +
|
 +
| '''variables''' Variables
 +
|-
 +
|
 +
| '''invariants''' Invariants 
 +
|-
 +
|
 +
| '''begin''' TaskBody  '''end'''
 +
|}
  
Feedback from users indicates strongly that the current layout used in the default event-B editor (edit tab) is sub-optimal and severely hinders usability of the Rodin platform. Ideas for improving this are collected on page: [[Layout improvements in the event-B editor]].
+
{| border="0"
 +
| TaskBody := 
 +
|-
 +
|
 +
| Event
 +
|-
 +
|
 +
|  <math>|</math> TaskBody  ;  TaskBody
 +
|-
 +
|
 +
|  <math>|</math> '''if'''    Guard→ TaskBody  []  … []  Guard→ TaskBody  '''fi'''
 +
|-
 +
|
 +
|  <math>|</math> '''do'''  Guard→ TaskBody  [] … [] Guard→ TaskBody  '''od'''
 +
|}
  
==== Text Editor ====
+
The sequence, branching and iteration constructs correspond to their imperative counterparts. The task construct provides a means to specify the actions of interleaving, concurrent executions. A task may be implemented by an Ada task, or a thread in C.  A task, in isolation, is a sequential program with clearly identified atomic steps, and each step corresponding to an atomic event.  
The efforts in [[Düsseldorf]] ([[User:Fabian|Fabian]]) and [[Newcastle]] ([[User:Alexei|Alexei]]) have been joined to create a single text editor which will be part of the [[#EMF framework for Event-B|EMF framework for Event-B]] (see that [[#EMF framework for Event-B|section]] for details).
 
  
The first version of the TextEditor will be released in a few weeks (following the Rodin 1.0 release). Until then we are going to release a few testing releases (beta) for interested users. Find detailed information on the page [[Text Editor|TextEditor]].
+
The standard machine construct provides the mechanism for sharing data between the executing tasks. The interaction between a task and a machine can be represented synchronized event composition as currently supported by the synchronised-event plugin.  The generated implementation will need to ensure that a task has mutually exclusive access to the variables represented in the machine. This is provided by a machine’s atomic events. A machine representing shared variables may be implemented by an Ada protected object, or in C by an explicit Mutex variable and appropriate lock acquisition.  
  
==== EMF framework for Event-B ====
+
To facilitate real-time programming constructs, we introduce the notion of task type, task period, and task priority
Newcastle, Southampton and Düsseldorf have begun to develop an EMF framework to support Rodin modelling tools based on EMF. The framework includes an EMF representation of Event-B, a synchronising persistence interface for loading and saving models via the Rodin API and facilities to support text editing and parsing. Examples of tools that will be based on the EMF framework for Rodin are, a Text editor, a compare/merge editor (which can be used for team based development), pattern/composition tools, Diagram Editors.
+
{| border="0"
 +
|Task := 
 +
|-
 +
|
 +
| '''task'''  Name 
 +
|-
 +
|
 +
| '''tasktype''' '''periodic'''(p) <math>|</math>  '''triggered''' <math>|</math> '''repeating''' <math>|</math> '''oneshot'''
 +
|-
 +
|
 +
| '''priority''' n
 +
|-
 +
|
 +
| ...
 +
|}
  
More details can be found here: [[EMF framework for Event-B]]
+
A tasktype is used to indicate the scheduling requirements for the required activity.  It is typically the case in real-time systems that the required activity involves some repeating behaviour, this can be a continuously repeating loop, or one that repeats at a predetermined time interval. We introduce repeating and periodic tasktypes. The periodic task is parameterised by a time value.  Activity can also be initiated by externally generated interrupts, which may arise from some user action or from the hardware itself. To accommodate this we introduce the triggered tasktype. The last type of activity that we consider is the one-shot task; where some activity is performed and not repeated. To facilitate this we add the oneshot tasktype.  In some cases it may be useful to delay a task for a period of time; we introduce a delay to the TaskBody to facilitate this.
 +
It may be decided that, during a program’s execution, some of the activities should take precedence over some others.  We introduce priority which allows a developer to assign a numerical value indicating the precedence for scheduling. We adopt the convention that higher priority activities have a greater value, and this corresponds to the Ada convention.
  
==== Preferences for the automatic tactics ====
+
=Methodological Support=
[[Systerel]] is in charge of this task.
+
As previously outlined, the atomic steps of a sequential task will be syntactically explicit.  This is in order to facilitate a direct mapping of task steps with events of an abstract machine.   The development approach that we plan to support fits with the general refinement approach of Event-B in that explicit tasking will be introduced as part of a refinement step. A common approach to specifying a problem is to represent some desired outcome as a single abstract atomic event.  Common patterns of refinement of such abstract events found in existing Event-B developments are as follows:
{{details|http://handbook.event-b.org/current/html/preferences.html#preferences_for_the_automatic_tactics Preferences for the automatic tactics}}
 
  
The purpose is to give more detailed preferences to the user to build his own automated tactics.
+
#Choice refinement:  Event E is refined to E1 [] E2 []…[] En, where each Ei refines E
 +
#Sequential refinement:  Event E is refined to E1 ; E2 ; … En, where some Ei refines E and the other Ej refine skip.
 +
#Loop refinement: Event E is refined to E1 ; do E2 od ; E3, where E3 refines E and E1 and E2 refine skip.
  
==== Extending the Refine/Extend actions ====
+
These patterns motivate a simpler subset of the tasking language as follows
[[Systerel]] is in charge of this task.
+
{| border="0"
{{details|Extending Refinement Actions|this topic}}
+
| TaskBody :=  
 +
|-
 +
|
 +
| Event
 +
|-
 +
|
 +
|  <math>|</math> TaskBody  ;  TaskBody
 +
|-
 +
|
 +
|  <math>|</math> '''if'''    Event  [] … [] Event  '''fi'''
 +
|-
 +
|
 +
| <math>|</math> '''do'''  Event  '''endwith'''  Event  '''od'''
 +
|}
  
Until Rodin 2.1, the {{Menu|Refine}} and {{Menu|Extend}} actions were hard-coded in the event-B UI plug-in. This development aims at opening up their implementation so that external plug-ins can contribute to these actions.
+
Initially we will support refinement to this subset by providing special structure-introduction refinement rules in the manner of the refinement calculus. We will also develop support for a generalisation of this set of rules in which the abstract model consists of a group of atomic events, with each event representing a different possible outcome.  An example use of such a group would be to have an event to represent the normal behaviour of some system feature and a separate event to represent the error behaviour of the feature.
  
==== Views Based on the Current Proof Tree Node ====
+
The above rules prevent the immediate introduction of nested tasking structures such as nested loops.  Following the approach found in the refinement calculus and common practice in Event-B refinements, such nested structures may be introduced through further refinement steps.  For example, to introduce a nested loop, the outer loop is first introduced and the inner loop is introduced in a subsequent refinement step.  We  will explore generalising the refinement support for tasks to support nesting through refinement along these lines.
[[Systerel]] is in charge of this task.
 
{{details|Current Proof Tree Node in UI|this topic}}
 
  
Two views (Proof Details and Type Environment) display some information which is associated to the current proof tree node, if any. However, in Rodin 2.3 the behavior of these views is somewhat strange and someone often has to click in various places to refresh these views. The objective of this task is to make these views more user-friendly.
+
=Timescales=
 
+
We refer to the tasking language outlined above as Version V1. Our planned timescales for further work on code generation are as follows:
=== Plug-ins ===
+
*June 2010: demonstrator tool for language V1
 
+
*June 2010: initial support for user defined datatypes (math extn)
==== Modularisation Plug-in ====
+
*From June to October 2010: experimentation with and assessment of the demonstrator tool on the WP1 and WP3 pilots leading to feedback on V1 and the tool
 
+
*Jan 2011: algorithmic language definition V2
The [[Modularisation Plug-in]] provides facilities for structuring Event-B developments into logical units of modelling, called modules. The module concept is very close to the notion Event-B development (a refinement tree of Event-B machines). However, unlike a conventional development, a module comes with an interface. An interface defines the conditions on how a module may be incorporated into another development (that is, another module). The plug-in follows an approach where an interface is characterised by a list of operations specifying the services provided by the module. An integration of a module into a main development is accomplished by referring operations from Event-B machine actions using an intuitive procedure call notation.
+
*June 2011: prototype tool for V2
 
+
*From June to October 2011: experimentation with and assessment of the V2 tool on the WP1 and WP3 pilots
==== UML-B Improvements ====
 
[[Southampton]] is in charge of [[UML-B]] plug-in.
 
 
 
A new version of UML-B is being developed that will have improved integration with Event-B. The new version will be built as an extension to the EMF framework for Event-B. While this new version is being developed improvements are also being made to the existing version of UML-B. Both topics are covered in more detail on the following page:
 
[[UML-B Integration and Improvements]]
 
 
 
==== ProB Plug-in ====
 
[[Düsseldorf]] is in charge of [[ProB]].
 
<!-- {{details|ProB current developments|ProB current developments}} -->
 
 
 
===== Work already performed =====
 
 
 
We have now ported ProB to work directly on the Rodin AST. Animation is working and the user can now set a limited number of preferences.
 
The model checking feature is now also accessible.
 
It is also possible to create CSP and classical B specification files. These files can be edited with BE4 and animated/model checked with ProB.
 
On the classical B side we have moved to a new, more robust parser (which is now capable of parsing some of the more complicated AtelierB
 
specifications from Siemens).
 
 
 
On the developer side, we have moved to a continuous integration infrastructure using CruiseControl. Rodin is also building from CVS in that infrastructure.
 
 
 
Developers can build tools on top of ProB using the [[ProB API]].
 
 
 
===== Ongoing and future developments=====
 
 
 
We are currently developing a new, better user interface.
 
We also plan to support multi-level animation with checking of the gluing invariant.
 
 
 
We have prototypes for several extensions working, but they need to be fully tested and integrated into the plugin:
 
* an inspector that allows the user to inspect complex predicates (such as invariants or guards) as well as expressions in a tree-like manner
 
* a graphical animator based on SWT that allows the user to design his/her own animations easily within the tool
 
* a 2D viewer to inspect the state space of the specification
 
 
 
==== B2Latex Plug-in ====
 
[[Southampton]] is in charge of [[B2Latex]].
 
 
 
Kriangsak Damchoom will update the plug-in to add [[Event Extension|extensions of events]].
 
 
 
==== Event Model Decomposition (A-style) ====
 
[[Systerel]] ([[User:Carine|Carine]]) is in charge of this task.
 
{{details|Event Model Decomposition|Event Model Decomposition}}
 
 
 
The purpose of (A-style) event model decomposition is to cut a heavy event system into smaller pieces which can be handled more comfortably than the whole. More precisely, each piece can then be refined independently of the others.
 
 
 
==== Parallel Composition Plug-in ====
 
[[Southampton]] is in charge of the [[Parallel Composition using Event-B]] .
 
 
 
The purpose of the plug-in is to allow the parallel composition of several Event-B machines into a composite machine. The machine composition uses a shared event composition, where separate machines operate on disjoint variables and
 
machines interact by synchronising on events that may share parameters.
 
 
 
This plug-in allows:
 
* Selection of machines that will be part of the composition (''Includes'' Section)
 
* Possible selection of an abstract machine (''Refines'' Section)
 
* Possible inclusion of invariants that relate the included machines (''Invariant'' Section and use of the monotonicity )
 
* Invariants of included machines are conjoined.
 
* Selection of events that will be merged. The event(s) must come from different machines. At the moment, events with parameters with same name are merged. If it is a refinement composition, it is possible to choose the abstract event that is being refined.
 
* Initialisation event is the parallel composition of all the included machines' initialisations.
 
* For a composed event, the guards are conjoined and the all the actions are composed in parallel.
 
 
 
Currently, after the conclusion of the composition machine, a new machine can be generated, resulting from the properties defined on the composition file. This allows proofs to be generated as well as a visualisation of the composition machine file. In the future, the intention is to make the validation directly on the composition machine file directly where proofs would be generated ( and discharged) - the new machine generation would be optional. An event-b model for the validation/generation of proofs in currently being developed. Another functionality which should be quite useful for the composition (but not restricted to that) is '''renaming''':
 
 
 
* while composing, two machines may have variables with the same name for instance (which is not allowed for this type of composition). In order to solve this problem, one would have to rename one of the variables in order to avoid the clash, which would mean change the original machine. A possible solution for that would be to rename the variable but just on composition machine file, keeping the original machine intact. A renaming framework designed and developed by Stefan Hallerstede and Sonja Holl exists currently although still on a testing phase. The framework was developed to be used in a general fashion (not constrained to event-b syntax). The idea is to extend the development of this framework and apply to Event-B syntax (current development).
 
 
 
There is a prototype for the composition plug-in available that works for Rodin 0.9.2.1 available from the Rodin Main Update Site soon, under 'Shared Event Composition'.
 
 
 
==== Refactoring Framework Plug-in ====
 
[[Southampton]] is in charge of the [[Refactoring Framework]].
 
 
 
The intention of the plug-in is to allow the renaming/refactoring of elements on a file (and possible related files). Although created to be used in a general way, the idea is to embed this framework on the Rodin platform, using Event-B syntax. This plug-in was initially designed and developed by Stefan Hallerstede and Sonja Holl.
 
 
 
This plug-in allows:
 
* Defining extensions that can be used to select related files.
 
* Defining extesions that can be used to rename elements based on the type of file.
 
* Renaming of elements on a file and possible occurrences on related files.
 
* Generating of a report of possible problems (clashes) that can occur while renaming.
 
 
 
==== Measurement Plug-In ====
 
 
 
The [[Measurement Plug-In]] to the RODIN platform will provide information both about the model itself and about the process of building the model.
 
It has a double purpose:
 
 
 
* provide feedback to the user about the quality of the Event-B model he is building and about potential problems in it or in the way he is building it.
 
* automate the data collection process for the measurement and assessment WP. This data collected will be analyzed to identify global transfer (increase in model quality, size, complexity,...), tool shortcomings (usability, prover), modelling issues (to be addressed by training, language, tool evolution,...), etc.
 
 
 
==== Generic Instantiation ====
 
 
 
The context of a machine can be viewed as defining the parameters of that machine
 
(carrier sets, constants, axioms).  These parameters make a machine generic.
 
We propose an  approach for instantiating Event-B  machines by replacing generic sets and constants
 
with more specific sets and constants.  The axioms of a context represent assumptions on the
 
sets and constants that need to be satisfied whenever the machine is instantiated.
 
The instantiation leads to proof obligations
 
to ensure that the generic axioms are satisfied by the instantiation. For more details see [[Generic Instantiation | Generic Instantiation page]].
 
 
 
==== Rule-based Extensible Prover ====
 
[[Southampton]] is in charge of devising an extensible rule-based prover.
 
 
 
In order to extend the prover with new rewrite and inference rules, it is necessary to write Java code
 
adding to the appropriate extension points. That way, it becomes very difficult to verify the soundness of the
 
implemented rules. We propose a mechanism by which the prover can be extended with new rewrite rules
 
and inference rules without compromising its soundness. Our proposal follows a similar
 
approach employed by Event-B: generating proof obligations. We, initially, focus on adding the facility to specify
 
rewrite rules. We envisage the mechanism to evolve to cover inference rules as well as the many mathematical extensions
 
proposed in [[Mathematical_extensions]]. For more details, we refer to the [[Rule-based_Prover_Plug-in]] page.
 
and [[Image:Rule-based_Prover_Proposal.pdf | Proposal for a rule-based extensible prover]].
 
 
 
==== SMT Plug-in ====
 
 
 
[[Systerel]] ([[User:YGU|YGU]]) is in charge of this task.
 
{{details|SMT Plug-in|SMT Plug-in}}
 
{{details|Event-B to SMT-LIB|Event-B to SMT-LIB}}
 
 
 
The purpose of the plug-in is to integrate SMT solvers into Rodin.
 
 
 
==== New Proof Rules ====
 
 
 
[[New Proof Rules|This document]] describes the set of newly added reasoners for improving the usability of the prover within Rodin Platform.
 
 
 
== Exploratory Tasks ==
 
=== Template Base Exporter ===
 
Some prototyping work is done in python, to explore how to use template engines to export rodin models to text, Latex, docbook, mediawiki,...
 
The [http://www.mercurial.org mercurial] repository is available [https://bitbucket.org/matclab/rodin_exporter/ here]. You can cloned it by installing mercurial on your computer and doing <code>hg clone https://bitbucket.org/matclab/rodin_exporter/</code>.
 
 
 
Be warn that, for now, it bypass the rodin database API and does parse the .bum and .buc files directly. It is also highly experimental, so do not rely to much on the produced output.
 
 
 
(This work is done by [[User:Mathieu|Mathieu]] on his spare time...)
 
 
 
== Others ==
 
 
 
=== AnimB ===
 
[[User:Christophe|Christophe]] devotes some of his spare time for this plug-in.
 
{{details|AnimB Current Developments|AnimB Current Developments}}
 
The current developments around the [[AnimB]] plug-in encompass the following topics:
 
;Live animation update
 
:where the modification of the animated event-B model is instantaneously taken into account by the animator, without the need to restart the animation.
 
;Collecting history
 
:The history of the animation will be collected.
 
 
 
=== Team-Based Development ===
 
 
 
; Usage Scenarios
 
: In order to understand the problem properly, [http://www.stups.uni-duesseldorf.de/ Düsseldorf] created a number of usage [[Scenarios for Team-based Development]].
 
: A page has also been opened for [[Scenarios for Merging Proofs|merging proofs scenarios]].
 
 
 
 
 
;Team working based on EMF Compare
 
:The EMF Compare project provides a comparison/merging style editor (similar to the Java merging editor used for synchronising changes with code repositories). This could be used to synchronise model changes into a repository such as SVN. The use of the EMF Compare editor relies on the  [[EMF framework for Event-B|EMF representation of Event-B]] that has already been developed and is available. A prototype plug-in is available which enables the use of the EMF compare editor for Rodin Machines and Contexts. It is intended that deploy partners will try out this plug-in in order to gather requirements for the Teamwork plug-in.
 
:More details are here: [[Team-based development]]
 
 
 
=== Wishlist ===
 
A [[Plug-in Wishlist | wish list]] of tool plug-ins that cannot be resourced by [[Deploy]] is maintained.
 
 
 
[[Category:Work in progress]]
 

Revision as of 23:26, 30 November 2009

Overview and Motivation

Code generation is an important part of the formal engineering tool chain that will enable complete support for development from high-level models down to executable implementations. Work has commenced on the development of support for code generation from Event-B models. This is a new line of work for DEPLOY that was not identified in the original Description of Work for the project. During the first year of the project, as the Deployment Partners gained experience with deployment of formal modelling, it became clear that having support for generation of code from refined Event-B models would be an important factor in ensuring eventual deployment of the DEPLOY approach within their organisations. This is especially true for Bosch and Space Systems Finland (SSF). During the DEPLOY re-focus at Month 18, it was decided to introduce a code generation task into a revised workplan and devote resources to this task.

After receiving more detailed requirements from Bosch and SSF, it became clear we should focus our efforts on supporting the generation of code for typical real-time embedded control software. In essence, this involves programs structured as tasks running concurrently such as supported by the Ada tasking model. The individual tasks are sequential programs and tasks share state variables via some form of monitor mechanism. For real-time control, both periodic and aperiodic task should be supported; tasks should have priorities to ensure appropriate responsiveness of the control software.

For the DEPLOY pilots, it is regarded as sufficient to support construction of programs with a fixed number of tasks and a fixed number of shared variables – no dynamic creation of processes or objects is required. It is not our intention to develop a fully-fledged industrial-strength code generation framework within the lifetime of the DEPLOY project. Instead an aim is to develop a sufficient framework to act as a proof-of-concept to enable code generation for the Bosch and SSF pilots. A further aim is to gain practical experience with a prototype code generation framework that will serve as a basis for future R&D on a scalable code generation framework. The code generation work is being lead by Southampton with initial input from Newcastle.

Choices/Decisions

Three candidate approaches have been posited as follows; • Enrich Event-B with explicit algorithmic structures for use in later refinement stages and use these explicit structures to guide code generation • Synthesise sequential and concurrent code from existing low-level Event-B models • Exploit the code generation facilities of Atelier-B for “classical” B

Approach 3 will be important for STS in WP2 as it will enable integration of Rodin with the existing development process in STS with AtelierB and some effort will be devoted to this. However, this approach will not address the needs of all the deployments because of the overhead involved in having to use AtelierB alongside Rodin as well as the lack of support for concurrent code generation in AtelierB. Supporting Approach 2 has the attraction that developers can remain within the uniform language framework of Event-B. However, it is not clear that we can meet the real-time performance guarantees required for embedded systems with this approach within the lifetime of the DEPLOY project.

While we will pursue some exploration of this approach, we will focus most effort on Approach 1 as this will enable existing techniques for real-time programming to be incorporated in later stages of development. Language support for explicit sequential and concurrent programs will be defined to enable construction of code-oriented models at low levels of refinement. We refer to this form of Event-B as task-oriented. A code generation framework will be developed to enable automated generation of C and Ada subsets suitable for real-time embedded systems from code-oriented models. A refinement-based proof method for code-oriented models will be defined and incorporated into the Rodin toolset.

An important requirement is that the code generation framework be amenable to extension and tailoring for specific needs. Rather than hard-wiring the code generation rules into the tool, we will aim to support a declarative rule-based approach to defining translation from task-oriented Event-B to a target implementation language. The translation should be tailorable by modifying or extending the declarative translation rules. We will explore the use of a model-based transformation framework such as ATL or ETL for this purpose. Rather than fixing on a specific set of implementation-level data types, we will exploit the mathematical extension facility being developed for Rodin to enable a flexible approach to defining implementation-level data structures. For example, arrays could be supported by defining a new theory of arrays. This theory would define array declarations and operators along with an appropriate set of proof rules for arrays to enable reasoning. Appropriate declarative rules would then be defined to translate array declarations and expressions to appropriate code in the target language.

Tasking Language

The Event-B tasking language will support the following sequential and concurrent algorithmic constructs:

Behaviour Algorithmic Construct
Sequence ;
Branching if
Iteration while
Task/Thread/Process task
Shared variables machine

A task-oriented model will be definable using the following abstract syntax

Task :=
task Name
variables Variables
invariants Invariants
begin TaskBody end
TaskBody :=
Event
| TaskBody ; TaskBody
| if Guard→ TaskBody [] … [] Guard→ TaskBody fi
| do Guard→ TaskBody [] … [] Guard→ TaskBody od

The sequence, branching and iteration constructs correspond to their imperative counterparts. The task construct provides a means to specify the actions of interleaving, concurrent executions. A task may be implemented by an Ada task, or a thread in C. A task, in isolation, is a sequential program with clearly identified atomic steps, and each step corresponding to an atomic event.

The standard machine construct provides the mechanism for sharing data between the executing tasks. The interaction between a task and a machine can be represented synchronized event composition as currently supported by the synchronised-event plugin. The generated implementation will need to ensure that a task has mutually exclusive access to the variables represented in the machine. This is provided by a machine’s atomic events. A machine representing shared variables may be implemented by an Ada protected object, or in C by an explicit Mutex variable and appropriate lock acquisition.

To facilitate real-time programming constructs, we introduce the notion of task type, task period, and task priority

Task :=
task Name
tasktype periodic(p) | triggered | repeating | oneshot
priority n
...

A tasktype is used to indicate the scheduling requirements for the required activity. It is typically the case in real-time systems that the required activity involves some repeating behaviour, this can be a continuously repeating loop, or one that repeats at a predetermined time interval. We introduce repeating and periodic tasktypes. The periodic task is parameterised by a time value. Activity can also be initiated by externally generated interrupts, which may arise from some user action or from the hardware itself. To accommodate this we introduce the triggered tasktype. The last type of activity that we consider is the one-shot task; where some activity is performed and not repeated. To facilitate this we add the oneshot tasktype. In some cases it may be useful to delay a task for a period of time; we introduce a delay to the TaskBody to facilitate this. It may be decided that, during a program’s execution, some of the activities should take precedence over some others. We introduce priority which allows a developer to assign a numerical value indicating the precedence for scheduling. We adopt the convention that higher priority activities have a greater value, and this corresponds to the Ada convention.

Methodological Support

As previously outlined, the atomic steps of a sequential task will be syntactically explicit. This is in order to facilitate a direct mapping of task steps with events of an abstract machine. The development approach that we plan to support fits with the general refinement approach of Event-B in that explicit tasking will be introduced as part of a refinement step. A common approach to specifying a problem is to represent some desired outcome as a single abstract atomic event. Common patterns of refinement of such abstract events found in existing Event-B developments are as follows:

  1. Choice refinement: Event E is refined to E1 [] E2 []…[] En, where each Ei refines E
  2. Sequential refinement: Event E is refined to E1 ; E2 ; … En, where some Ei refines E and the other Ej refine skip.
  3. Loop refinement: Event E is refined to E1 ; do E2 od ; E3, where E3 refines E and E1 and E2 refine skip.

These patterns motivate a simpler subset of the tasking language as follows

TaskBody :=
Event
| TaskBody ; TaskBody
| if Event [] … [] Event fi
| do Event endwith Event od

Initially we will support refinement to this subset by providing special structure-introduction refinement rules in the manner of the refinement calculus. We will also develop support for a generalisation of this set of rules in which the abstract model consists of a group of atomic events, with each event representing a different possible outcome. An example use of such a group would be to have an event to represent the normal behaviour of some system feature and a separate event to represent the error behaviour of the feature.

The above rules prevent the immediate introduction of nested tasking structures such as nested loops. Following the approach found in the refinement calculus and common practice in Event-B refinements, such nested structures may be introduced through further refinement steps. For example, to introduce a nested loop, the outer loop is first introduced and the inner loop is introduced in a subsequent refinement step. We will explore generalising the refinement support for tasks to support nesting through refinement along these lines.

Timescales

We refer to the tasking language outlined above as Version V1. Our planned timescales for further work on code generation are as follows:

  • June 2010: demonstrator tool for language V1
  • June 2010: initial support for user defined datatypes (math extn)
  • From June to October 2010: experimentation with and assessment of the demonstrator tool on the WP1 and WP3 pilots leading to feedback on V1 and the tool
  • Jan 2011: algorithmic language definition V2
  • June 2011: prototype tool for V2
  • From June to October 2011: experimentation with and assessment of the V2 tool on the WP1 and WP3 pilots
Retrieved from ‘https://wiki.event-b.org/index.php?title=Current_Developments&oldid=1843