D45 General Platform Maintenance: Difference between revisions


Revision as of 12:22, 26 March 2012

Overview

The Rodin platform versions concerned by this deliverable are:

  • 2.1 (08.02.2011),
  • 2.2 (01.06.2011),
  • 2.2.2 (01.08.2011),
  • 2.3 (04.10.2011),
  • 2.4 (31.01.2012),
  • 2.5 (30.04.2012).

This year, maintenance carried on fixing identified bugs, with an emphasis put on correcting usability issues. Indeed, during the annual meeting in Nice, the WP9 members agreed to refocus on the tasks needed to address specific bugs and issues reported by DEPLOY partners, which they wished resolved by the end of DEPLOY. Thus, no new features were implemented other than those appearing in the Description of Work. The tasks to be performed by the WP9 members were then scheduled, prioritised and regularly updated during the WP9 bi-weekly meetings. These updates made it possible to capture and rapidly integrate the minor changes required by the DEPLOY partners to enhance the usability of the platform. The following paragraphs give an overview of the work performed on maintaining the existing platform components (i.e. core platform and plug-ins).

See the Release Notes[1] and the SourceForge[1] databases (bugs and feature requests) for details about the previous and upcoming releases of the Rodin platform.

  • General platform maintenance

The maintenance done to overcome Rodin scalability weaknesses and to enhance the proving experience is detailed in a separate chapter. However, some features initially planned, and some others that were later added and prioritised, are worth mentioning:

  • Possibility to highlight patterns in the ProverUI,
  • A better output providing warnings and errors in case of wrong or missing building configurations,
  • The switch to Eclipse 3.7,
  • A Handbook to complete and enhance the existing documentation.
  • Plug-in incompatibilities

Some plug-in incompatibilities occurred and were handled throughout the lifetime of the project. A dedicated paragraph details these points.

An overview of the contribution about Mathematical extensions / Theory Plug-in (Issam Maamria)

Mathematical extensions have been co-developed by Systerel (for the core Rodin platform) and Southampton (for the Theory plug-in). The main purpose of this new feature was to provide the Rodin user with a way to extend the standard Event-B mathematical language with user-defined operators, basic predicates and algebraic types. Along with these additional notations, the user can also define new proof rules (prover extensions). The ongoing work on the Theory plug-in centres on bug fixes, improving usability and performance, and exploring other avenues for operator definitions.

An overview of the contribution about Decomposition (Renato Silva)

Decomposition can be used to decrease the complexity and increase the modularity of large systems, especially after several refinements. Its main benefits are the distribution of proof obligations over the sub-components, where they are expected to be easier to discharge, and the further refinement of independent sub-components in parallel, which introduces team development of a model and is attractive for industry. Shared-variable and shared-event decomposition are supported in the same tool: the former seems suitable when designing concurrent programs, while the latter seems particularly suitable for message-passing distributed programs. The tool was initially developed at ETH Zurich; its further development was a collaboration between ETH Zurich, Southampton and Systerel. After user feedback, the tool was improved in terms of usability and performance. The ongoing work aims at a more automated tool that can propagate changes to the sub-components and minimise user intervention as much as possible while maintaining or enhancing performance.

An overview of the contribution about UML-B (Colin Snook, Vitaly Savicks)

The UML-B plug-in supports modelling in a UML-like diagrammatic notation with conversion to Event-B for verification. UML-B supports class and state machine diagrams as well as a project structure diagram (showing machines and contexts). UML-B continues to be supported but is currently not undergoing new development. Some enhancements were made last year to improve the usability of state machines; however, most new development concentrates on the new diagrammatic extensions to Event-B (such as the Event-B Statemachines plug-in).

The Event-B Statemachines plug-in is a new tool, based on the UML-B state machine diagrams, which allows state machines to be integrated into normal Event-B machines. It provides a graphical diagram editor, an Event-B generator and, as an optional plug-in, a diagram animator for ProB.

An overview of the contribution about ProR (Michael Jastram)

ProR is a replacement for the original requirements plug-in, which was discontinued in 2010. It is based on the OMG ReqIF standard[2], which provides interoperability with industry tools. It evolved into the Eclipse Foundation project "Requirements Modeling Framework" (RMF[3]), resulting in significant visibility. ProR is independent from Rodin; integration is achieved with a separate plug-in that provides support for traceability and model integration.

An overview of the contribution about BMotion Studio (Lukas Ladenberger)

BMotion Studio is a visual editor which enables the developer of a formal model to easily set up a domain-specific visualisation for discussing it with the domain expert. BMotion Studio comes with a graphical editor that allows a visualisation to be created within the modelling environment; it does not require a different notation for gluing the state to its visualisation. BMotion Studio is based on the ProB animator. It is usable from within the Rodin tool, but it is independent from Rodin itself: integration is achieved with a separate plug-in.

  • BMotion Studio has been quite successful, and besides a number of bug fixes and some performance profiling and tuning, the usability of the tool was improved.
  • One of our students made experiments towards visualizing industry standards with BMotion Studio. The first experiments were quite successful.
  • First experiments towards visualizing mathematical assertions found in formal specifications using Venn Diagrams/Euler Diagrams/Constraint Diagrams were made.

An overview of the contribution about Mode/FT Views

The Mode/FT Views plug-in is a modelling environment for constructing modal and fault-tolerance features in a diagrammatic form and formally linking them to Event-B models. The consistency conditions between the modal/FT views and the Event-B models are ensured by additional proof obligations. The views form a refinement chain of system modal and fault-tolerant behaviour which contributes to the main Event-B development. The views also reserve a place for tracing modal and FT requirements.

Motivations

The tasks to solve the issues faced by the DEPLOY partners have been listed and assigned to groups according to their priority. A high priority means a high need for the outcome of a given task. Group 1 has the highest priority, group 2 an intermediate priority, and group 3 the lowest priority. Group 4 concerns topics that could not be resourced during the lifetime of DEPLOY. The prover integrity item, although not directly covered, has been partially addressed thanks to the Isabelle and SMT integrations. Unfortunately, the originally planned export of full proofs and integrity check was too ambitious to be fully achieved within the scope of DEPLOY.


Group 1 (highest priority)                             Responsible
  Performance                                          SYSTEREL
    - Core (large models, etc.)
    - GUI (incl. prover UI, edition, etc.)
  Prover performances                                  SYSTEREL
    - New rewriting rules / inference rules
    - Automatic tactics (preferences, timeout, etc.)
  ProB Disprover (incl. counterexamples to DLF POs)    Düsseldorf
  Stability (crash, corruption, etc.)                  SYSTEREL
  Editors                                              SYSTEREL/Düsseldorf

Group 2 (intermediate priority)                        Responsible
  Prover performances
    - SMT provers integration                          SYSTEREL
    - Connection with Isabelle                         ETH Zürich
    - Mathematical extensions                          Southampton/SYSTEREL
    - ProB                                             Düsseldorf
  Scalability
    - Decomposition                                    Southampton
    - Modularisation plug-in                           Newcastle
    - Team-based development                           Southampton
  Plug-in incompatibilities                            Newcastle
  Model-based testing                                  Pitesti/Düsseldorf
  ProR                                                 Düsseldorf

Group 3 (lowest priority)                              Responsible
  Scalability
    - Generic instantiation                            Southampton
    - UML-B maintenance                                ETH Zürich/Southampton
  Code generation                                      Southampton

Group 4 (not resourced during DEPLOY)
  Prover integrity
  Integrity of code generation

Platform maintenance

The platform maintenance, as can be deduced from the tables in the Motivations section, mainly concerned stability and performance improvements. These topics are discussed and detailed in a separate chapter about scalability improvements.
However, other improvements of utmost importance were made to the platform. These improvements either came from specific needs of DEPLOY partners or corresponded to previously identified needs (listed in deliverable D32, Model Construction Tools & Analysis III). Hence we review below the motivations for some noteworthy implemented features:

  • A Possibility to highlight patterns in the Prover UI.

This feature came from a request of DEPLOY partners[4], who often faced the need to find particular patterns, such as sub-expressions in long predicates (e.g. long goals). Since Rodin 2.2 and its new Proving UI, a feature allows a string pattern to be searched for and highlighted across all Proving UI views and editors. This function has also been enabled on direct selection of text in this UI.

  • A better output providing warnings and errors in case of wrong or missing building configurations.

This issue, often seen as a bug or as a plug-in incompatibility, was raised when a user imported and tried to use a model on a platform where some required plug-ins were missing. The user often thought the model corrupted, whereas Rodin was simply unable to build it and hid this information from the user. This is why, since Rodin 2.3, an output is provided in such a case, taking the form of warnings or errors that any user can understand and review. This is a first answer to Rodin plug-in incompatibility issues.

  • The switch to Eclipse 3.7.

Due to the major improvements made every year in Eclipse releases, and to the continuously growing number of contributing projects, some of which are used as a basis for Rodin plug-ins, the Rodin platform follows this evolution and is adapted quickly each year to the latest available Eclipse version. This year, Rodin 2.3 marked the switch from Eclipse 3.6 to Eclipse 3.7.

  • A Handbook to complete and enhance the existing documentation.

At the DEPLOY Plenary Meeting in Zürich in 2010, it was stated that the documentation, in its state at that time, would not support an engineer starting to use the tools without significant help from an expert[5]. Significant efforts to improve the documentation were performed and coordinated by Düsseldorf, and took the form of a handbook[6]. The Rodin handbook aims to minimise the need for access to an expert by providing the necessary assistance to an engineer who needs to be productive using Event-B and the Rodin toolset. The contents of the handbook, which are user oriented, originated from content on the Event-B wiki.

Mathematical extensions / Theory Plug-in (Issam Maamria)

The Theory plug-in provides a high-level interface to the Rodin core capabilities which enables the definition of mathematical and prover extensions grouped into files called theories. These mathematical and prover extensions are new algebraic types, new operators/predicates and new proof rules. Theories are developed in the Rodin workspace, and proof obligations are generated to validate prover and mathematical extensions. When a theory is completed and (optionally) validated, the user can make it available for use in models (this action is called the deployment of a theory). Theories are deployed to the current workspace (i.e., workspace scope), and the user can use any defined extension in any project within the workspace. The Rule-based Prover was originally devised to provide a usable mechanism for user-defined rewrite rules through theories. Theories were then deemed a natural choice for defining mathematical extensions as well as proof rules to reason about such extensions. In essence, the Theory plug-in provides a systematic platform for defining and validating extensions through a familiar technique: proof obligations.

Support for using polymorphic theorems in proofs was added in version 1.1.

Plug-in Incompatibilities

By its extensible nature, the Rodin platform is susceptible to incompatibilities. There are many ways in which incompatibilities can occur, and some did occur during the lifetime of DEPLOY. A good example is dependency management. Suppose that a bundle x in version 1.0 is needed by a plug-in A (i.e. A declares a dependency on x with a version range that admits at most version 1.0) and is installed in Rodin. Then version 1.1 of x is needed by a plug-in B. Versions 1.0 and 1.1 of x cannot both be installed and used at the same time, which creates a usage incompatibility.
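As an added illustration of the dependency conflict just described (example code written for this page, not part of Rodin or of any Rodin plug-in), the following Python script reads two constructed OSGi-style MANIFEST.MF fragments for the hypothetical plug-ins A and B, parses the version ranges declared in their Require-Bundle headers, and reports every required bundle whose combined ranges no single installed version can satisfy. The symbolic names org.example.pluginA and org.example.pluginB and the bundle x are made up; version qualifiers are ignored when comparing versions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]
UNBOUNDED: Version = (1 << 31, 0, 0)  # sentinel for "no upper bound"

# Constructed manifests for the hypothetical plug-ins A and B of the text; the
# symbolic names and the bundle "x" are made up for this example.
MANIFEST_A = """\
Bundle-SymbolicName: org.example.pluginA
Require-Bundle: x;bundle-version="[1.0.0,1.1.0)",
 org.rodinp.core;bundle-version="2.3.0"
"""
MANIFEST_B = """\
Bundle-SymbolicName: org.example.pluginB
Require-Bundle: x;bundle-version="[1.1.0,2.0.0)"
"""

def parse_version(text: str) -> Version:
    """major.minor.micro(.qualifier) -> (major, minor, micro); qualifier ignored."""
    nums = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))  # type: ignore[return-value]

@dataclass(frozen=True)
class VersionRange:
    low: Version
    low_inc: bool
    high: Version  # UNBOUNDED when the manifest gives only a minimum
    high_inc: bool

    @classmethod
    def parse(cls, text: str) -> "VersionRange":
        """OSGi syntax: "[1.0,1.1)" is an interval; a bare "1.0" means >= 1.0."""
        text = text.strip()
        if text[0] in "[(":
            lo, hi = text[1:-1].split(",")
            return cls(parse_version(lo), text[0] == "[", parse_version(hi), text[-1] == "]")
        return cls(parse_version(text), True, UNBOUNDED, False)

    def contains(self, v: Version) -> bool:
        above_low = v > self.low or (v == self.low and self.low_inc)
        below_high = v < self.high or (v == self.high and self.high_inc)
        return above_low and below_high

    def intersect(self, other: "VersionRange") -> "VersionRange":
        # The stricter bound wins on each side; on a tie, an exclusive bound is stricter.
        low, low_excl = max((self.low, not self.low_inc), (other.low, not other.low_inc))
        high, high_inc = min((self.high, self.high_inc), (other.high, other.high_inc))
        return VersionRange(low, not low_excl, high, high_inc)

    def is_empty(self) -> bool:
        """True when no version satisfies the range (low beyond high, or an excluded tie)."""
        return self.low > self.high or (self.low == self.high and not (self.low_inc and self.high_inc))

def unfold(manifest: str) -> Dict[str, str]:
    """Join MANIFEST.MF continuation lines (leading space) into one value per header."""
    headers: Dict[str, str] = {}
    current = None
    for line in manifest.splitlines():
        if line.startswith(" ") and current is not None:
            headers[current] += line[1:]
        elif ":" in line:
            name, _, value = line.partition(":")
            current = name.strip()
            headers[current] = value.strip()
    return headers

# A Require-Bundle clause ends at a comma that is not inside a quoted version range.
CLAUSE_RE = re.compile(r'(?:"[^"]*"|[^,])+')

def requirements(manifest: str) -> Dict[str, VersionRange]:
    """Required bundle symbolic name -> version range declared in Require-Bundle."""
    reqs: Dict[str, VersionRange] = {}
    for clause in CLAUSE_RE.findall(unfold(manifest).get("Require-Bundle", "")):
        parts = [p.strip() for p in clause.split(";")]
        rng = VersionRange.parse("0.0.0")  # no attribute: any version is accepted
        for attr in parts[1:]:
            if attr.startswith("bundle-version="):
                rng = VersionRange.parse(attr.split("=", 1)[1].strip('"'))
        reqs[parts[0]] = rng
    return reqs

def find_conflicts(*manifests: str) -> Dict[str, List[str]]:
    """Bundles no single installed version can satisfy -> the plug-ins requiring them."""
    combined: Dict[str, List[Tuple[str, VersionRange]]] = {}
    for m in manifests:
        owner = unfold(m)["Bundle-SymbolicName"]
        for name, rng in requirements(m).items():
            combined.setdefault(name, []).append((owner, rng))
    conflicts: Dict[str, List[str]] = {}
    for name, entries in combined.items():
        joint = entries[0][1]
        for _, rng in entries[1:]:
            joint = joint.intersect(rng)
        if joint.is_empty():
            conflicts[name] = [owner for owner, _ in entries]
    return conflicts
```

Calling find_conflicts(MANIFEST_A, MANIFEST_B) reports x as unsatisfiable, required by both plug-ins; widening B's range so that it overlaps A's (for instance [1.0.5,2.0.0)) makes the conflict disappear. The same check, run over the manifests of the plug-ins shipped with a Rodin release and of the third-party plug-ins listed in its release notes, flags this class of incompatibility before a user hits it.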

Decomposition

The top-down style is one of the most used modelling styles in Event-B. It allows the introduction of new events and the data refinement of variables during refinement steps. A consequence of this development style is the increasing complexity of the refinement process when dealing with many events and state variables. The main purpose of model decomposition is precisely to address this difficulty by cutting a large model into smaller components. Two methods have been identified for Event-B decomposition: shared variable (proposed by Abrial) and shared event (proposed by Butler). We developed a plug-in for the Rodin platform that supports both decomposition methods. Because decomposition is monotonic, the generated sub-components can be further refined independently. This expands the team development options: several developers share parts of the same model and work independently in parallel. Moreover, decomposition also partitions the proof obligations, which are expected to be easier to discharge in the sub-components.

Team-based Development

The team-based development plug-in enables Rodin models to be stored in a version repository such as SVN. This is achieved by maintaining a synchronised copy of the model resources in an EMF format. EMF comparison tools can then be used to examine differences between versions.

UML-B

The Event-B Statemachines plug-in was introduced out of the need to integrate higher-level constructs into the established Event-B modelling process. From the experience of working with the UML-B tool, it became apparent that a tighter integration is required between Event-B models under development and high-level extensions such as state machines. In particular, this integration should be flexible enough to make it easy for a user to add new constructs at any point of an Event-B development and work with them through refinement, which is a key feature of the Event-B language and the Rodin tool.

ProR

While the original requirements plug-in for Rodin was useful as a prototype, a number of shortcomings led to a new development. In particular, the original plug-in was a traceability tool with externally managed requirements; with ProR, requirements are authored and edited within Eclipse. The original plug-in supported only a limited number of attributes and flat (unstructured) requirements; ProR supports all data structures that the ReqIF standard[2] supports. Further, ReqIF support in industry tools like Rational DOORS, MKS or IRqA is expected in the near future, whereas the original plug-in required a custom adaptor for each data format.

ProR is developed independently from Rodin. Dependencies on Rodin exist only in the Rodin integration plug-in. This significantly decreases the maintenance effort for the integration plug-in, while increasing the visibility of ProR in the open source community. The move of ProR from the University of Düsseldorf to the Eclipse Foundation increases visibility even further. The Rodin integration plug-in is maintained as an independent project on GitHub.

BMotion Studio

The communication between a developer and a domain expert (or manager) is very important for the successful deployment of formal methods. On the one hand, it is crucial for the developer to get feedback from the domain expert for further development. On the other hand, the domain expert needs to check whether his expectations are met. To support this communication, it is useful to create domain-specific visualisations. However, writing the code that defines the mapping between a state and its graphical representation is a rather time-consuming task; it can take several weeks to develop a custom visualisation. To overcome this problem, BMotion Studio comes with a graphical editor that allows a visualisation to be created with static images and drag and drop within the modelling environment, not requiring additional skills.

  • An often stated limitation in using formal methods is the difficulty in understanding the formal notation. To overcome this problem and to support the user we made first experiments towards visualizing mathematical assertions found in formal specifications using Venn Diagrams/Euler Diagrams/Constraint Diagrams.

Mode/FT Views

There are two major motivations for creating the Mode/FT Views plug-in:

  • An overview of the requirements documents within DEPLOY indicated that systems are often described in terms of operational modes and configurations. This led to work on a formal definition of modal systems.
  • Fault tolerance is a crucial part of the behaviour of dependable critical systems and needs to benefit from formal modelling as much as functionality does. The requirements documents for the pilot studies in DEPLOY contain a high number of requirements related to fault handling and fault-tolerant behaviour. A significant part of them are also described using recoveries and degraded modes.

The plug-in provides an environment for specifying modal and fault-tolerant behaviour, which are often interrelated. By having a refinement chain of system-level modal diagrams, the development benefits from additional modelling constraints and improved requirements traceability.

Choices / Decisions

Platform maintenance

  • Revisited task priority

This year, the process of assigning priorities to maintenance tasks was revisited according to the refocus mentioned above. The aim was to address all major scalability issues before the end of DEPLOY. Thus, requests coming from DEPLOY partners were given high priority, and they were also prioritised against the already planned tasks coming from both DEPLOY partners and the Description of Work.

  • Keep 32-bit versions of the Rodin platform on Linux and Windows systems

End users asked for both 32-bit and 64-bit versions of the Rodin platform to be made available for Linux and Windows. Only a 64-bit version of Rodin is available on Mac, since 32-bit Mac platforms (early 2006) are no longer maintained. The request for 64-bit versions was motivated by the possibility of increasing the available Java heap size for some memory-hungry versions of the platform (those before 2.3). However, the drawbacks of assembling and maintaining more platforms (5 instead of 3), together with the corrections brought to the database, which improved memory consumption and pushed back the limitations of the platform, made this request not relevant for now.

Mathematical extensions / Theory Plug-in (Issam Maamria)

The Theory plug-in contributes a theory construct to the Rodin database. Theories were used in the Rule-based Prover (before it was discontinued) as a placeholder for rewrite rules. Given the usability advantages of the theory component, it was decided to use it to define mathematical extensions (new operators and new datatypes). Another advantage of using the theory construct is the possibility of using proof obligations to ensure that the soundness of the formalism is not compromised: proof obligations are generated to validate any property claimed of a new operator (e.g., associativity). With regard to prover extensions, it was decided that the Theory plug-in inherits the capabilities to define and validate rewrite rules from the Rule-based Prover. Furthermore, support for a simple yet powerful subset of inference rules is added, and polymorphic theorems can be defined within the same setting. Proof obligations are, again, used as a filter against potentially unsound proof rules.
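To make this proof-obligation filter concrete, here is a worked illustration added for this page (not taken from the deliverable and not the Theory plug-in's own output): the operator mx, the two candidate rewrite rules and the shapes of the obligations are assumed for the example, and the bracketed labels are descriptive, not the plug-in's actual PO names.

```latex
% Assumed operator: a binary maximum on integers, defined through the built-in max on sets.
\mathit{mx}(a, b) \;\widehat{=}\; \max(\{a, b\}) \qquad a, b \in \mathbb{Z}

% [operator property] obligations generated for the properties the theory claims of mx:
\forall a, b, c \cdot\; \mathit{mx}(\mathit{mx}(a, b), c) = \mathit{mx}(a, \mathit{mx}(b, c))
  \qquad \text{(associativity, provable)}
\forall a, b \cdot\; \mathit{mx}(a, b) = \mathit{mx}(b, a)
  \qquad \text{(commutativity, provable)}

% [rule soundness] a rewrite rule lhs \leadsto rhs with side condition C is admitted only if
\forall \bar{x} \cdot\; C \Rightarrow \mathit{lhs} = \mathit{rhs}
  \qquad (\text{or } C \Rightarrow (\mathit{lhs} \Leftrightarrow \mathit{rhs}) \text{ when both sides are predicates})

% candidate rule 1:  mx(a, a) \leadsto a
\forall a \cdot\; \mathit{mx}(a, a) = a
  \qquad \text{discharged: } \max(\{a\}) = a

% candidate rule 2:  mx(a, b) \leadsto a
\forall a, b \cdot\; \mathit{mx}(a, b) = a
  \qquad \text{refuted by } a = 0,\ b = 1:\ \mathit{mx}(0, 1) = 1 \neq 0
```

The obligation for the second rule cannot be discharged, so that rule never reaches the deployed theory and cannot be applied in proofs; a disprover such as ProB finds the witness (a = 0, b = 1) directly. The first rule is sound and becomes usable once its obligation is discharged.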

Plug-in Incompatibilities

It was decided in cooperation with all the WP9 partners to find better ways to address the plug-in incompatibility issues. First, the partners refined the concept of "plug-in incompatibility", so that its various aspects could be identified and a specific answer given to each of them; the user can then define more clearly the incompatibility faced. Plug-in incompatibilities can be separated into two categories:

  • Rodin platform/plug-in incompatibilities, due to a mismatch between the packages included in Rodin and the plug-in dependencies (i.e. needed packages). When reported, these incompatibilities allowed plug-in developers to contact SYSTEREL, which is in charge of managing the packages shipped with a given version of Rodin. They also allow traceability of incompatibilities and information to the user through a specific, up-to-date table on each Rodin release notes page on the wiki[7].
  • Plug-in/plug-in incompatibilities, due to a mismatch between needed and installed packages, or to incompatible usage of APIs or resources. A table was created on each release notes wiki page, and a procedure was defined[8] so that identified incompatibilities are listed and corrected by the developers concerned.

It appeared that cases of using a model which references some missing plug-ins were formerly often seen as compatibility issues although they were not.
Once the incompatibilities were identified, the developers concerned were assigned specific tasks and coordinated to solve the issues as soon as possible. Incompatibilities are often due to small glitches or desynchronisation, and such direct coordination between counterparts proved appropriate because it is quick and effective.

Decomposition

The tasks performed on the decomposition plug-in were focused on consolidation.

Team-based Development

The EMF default XMI format was used to store models in a form that can be accessed independently of the Rodin database. Since an EMF framework for Event-B already existed (but relied on serialisation into the Rodin database), it was easy to provide an option to serialise into the XMI format. EMF Compare was customised to provide a more user-friendly comparison.

UML-B

For the Event-B Statemachines plug-in the following key decisions were made:

  • The UML-B state machines example was taken as the concept.
  • Well-established Eclipse development frameworks, EMF and GMF, were chosen for the implementation of the new plug-in, and a simplified (compared to the original UML-B state machines) EMF metamodel and diagram were implemented.
  • The integration between Event-B and state machines was based on the EMF extension mechanism and a serialisation principle: a state machine was designed as an extension to the EMF Event-B metamodel that is serialised as a string into an attribute in the Rodin database, thus making its details transparent to Rodin.
  • For the translation of state machines to Event-B, the QVT framework was selected, since it is well supported, used in other Eclipse projects such as GMF, and more declarative than pure Java, which improves maintainability.

As a result of the work on the Event-B Statemachines plug-in, a set of additional plug-ins has been developed that forms a framework supporting developers in implementing other similar tools and high-level extensions for Event-B. These plug-ins include generic serialised persistence and navigator support for new EMF extensions, a generic diagram metamodel and navigator actions, and generic refinement and Event-B generator modules for new extensions.

ProR

The following key decisions were made when developing ProR:

  • New development, rather than continuing the original plug-in: the architecture of ProR differs significantly from that of the original plug-in (see D45_General_Platform_Maintenance#ProR). In addition, new technologies like EMF promised a cleaner, more powerful framework for an implementation.
  • ReqIF as the underlying data model: the ReqIF standard[2] is gaining traction and promises interoperability with industry tools. In addition, a digital version of the data model was available for free and could serve as the foundation for the model code.
  • The Eclipse Modeling Framework (EMF) was identified as a technology that would allow a quick and clean foundation for an implementation. Further, the Rodin EMF plug-in represents a convenient interface for integrating ProR and ProB. Last, the digital data model from the OMG could be imported directly into EMF and used for generating the model code.
  • Keeping ProR independent from Rodin: there is significant interest in ReqIF right now, but this interest is unrelated to formal methods. By providing an implementation that is independent from Rodin, we have a much larger target group of potential users and developers. By carefully designing extension points, we can still provide a powerful Rodin integration.
  • Eclipse Foundation project: we were actively establishing an open source community around ProR. By recruiting engaged partners early on, development progressed faster than anticipated. By becoming an Eclipse Foundation project[3], we exceeded our goals in this respect.

BMotion Studio

The following key decisions were made when developing BMotion Studio:

  • Keeping BMotion Studio user-friendly: the user should be able to create a visualisation without needing additional programming skills.
  • ProB as the animator providing state information: with the ProB animator, we have a powerful tool for interacting with the model.
  • Providing extensibility for specific domains: by carefully designing extension points, we can provide a powerful integration for specific domains.
  • Keeping BMotion Studio independent from Rodin: by providing an implementation that is independent from Rodin, we have a much larger target group of potential users and developers.

Mode/FT Views

The following key decisions were made when developing Mode/FT Views:

  • The Eclipse Graphical Modelling Framework (GMF) was used as the platform for building a user-friendly modelling environment.
  • Proof obligations for the views are injected into the standard PO repository of the models: this ensures that all the tools related to theorem proving can be used in the same way as they are used for Event-B proof obligations.

Available Documentation

  • Core platform:
The following pages give useful information about the Rodin platform releases:
  • The Rodin handbook is proposed as a PDF version and a HTML version and a dedicated plug-in makes it available as help within Rodin[6].

Status

Platform maintenance

By the end of the project, the final version of the Rodin platform is 2.5. It can be downloaded from the SourceForge repository, and its release notes can be read on the wiki.

Mathematical extensions / Theory Plug-in (Issam Maamria)

Ongoing work on the Theory plug-in includes:

  • Bug fixes.
  • Usability improvements.
  • Exploring other potential ways of defining operators and types (e.g., axiomatic definitions).

Plug-in Incompatibilities

At the time of writing this deliverable, no plug-in incompatibilities are left or have been reported, either between the platform and plug-ins or between plug-ins.

Decomposition

The decomposition plug-in is available in version 1.2.2 and works on Rodin 2.4 and 2.5. It is available from the main Rodin update site.

Team-based Development

The Team-Based Development plug-in is available on the main Rodin update site. Currently, 3-way comparison is not supported (3-way comparison is needed when two people check out and change the model, so that there are two working copies as well as a repository baseline).

UML-B

The Event-B State machines plug-in is available on the main Rodin update site.

ProR

ProR took on a life of its own as part of the Requirements Modeling Framework[3]. It is currently in the incubation stage of an Eclipse project. There are currently five committers in total, two of them from the Rodin project, namely Michael Jastram (project lead) and Lukas Ladenberger.

The Rodin integration supports:

  • Creating traces between model elements and requirements
  • Highlighting of model elements in the requirements text
  • Marking of invalidated traces, where either the requirement or the model element has changed.

The Rodin integration is hosted at GitHub.

BMotion Studio

The tool is available as part of the ProB animator and is ready for use for visualising Event-B models within the Rodin tool. Work on new features is continuing.

Mode/FT Views

Mode/FT Views is a plug-in for the Rodin platform. The tool is available from its update site[14].

References