
A Systematic Approach to Atomicity Decomposition in Event-B

A Systematic Approach to Atomicity Decomposition in Event-B. Asieh Salehi Fathabadi, Michael Butler and Abdolbaghi Rezazadeh (asf08r, mjb, ra3@ecs.soton.ac.uk), School of Electronics and Computer Science, University of Southampton, UK. SEFM 2012, Thessaloniki, Greece.


Presentation Transcript


  1. A Systematic Approach to Atomicity Decomposition in Event-B
  Asieh Salehi Fathabadi, Michael Butler and Abdolbaghi Rezazadeh (asf08r, mjb, ra3@ecs.soton.ac.uk)
  School of Electronics and Computer Science, University of Southampton, UK
  SEFM 2012, Thessaloniki, Greece, Wednesday 3rd October
  www.event-b.org www.deploy-project.eu

  2. Overview & Road Map
  • Event-B Formal Method
  • Motivation (Atomicity Decomposition Overview)
  • Case Studies Overview
  • AD Language (ADL)
  • Translation Rules (TRs)
  • Tool Support
  • Evaluation
  • Conclusion
  Road map:
  • Initial Atomicity Decomposition: iFM 2009 (Butler)
  • Manual developments of case studies: FMCO 2010, NFM 2011
  • ADL and translation rules, AD tool support, automatic developments of case studies: SEFM 2012

  3. Event-B (Abrial)
  • A model-based formal method
    • models the state and events of a system (state-transition model)
  • Simple modelling notation
    • Set theory and predicate logic
  • Mathematical proofs
    • Verifying correctness and consistency of models
  • Supported by an open tool platform (Rodin)
    • Extension of the Eclipse IDE
    • Extensible
    • Integrated environment for modelling and proving
    • Proof obligation generator, automatic and interactive provers

  4. Refinement-based Development
  • Starts with an abstract representation of the system.
    • A simple view of the system
    • Focus on the main purpose of the system
  • Adds details during a sequence of steps, instead of building a single large model.
  • During refinement steps:
    • Add details to current functionality
    • Introduce new functionality
    • Use proofs to verify the consistency of refinement steps

  5. Motivation
  Atomicity Decomposition* uses a graphical notation to enhance the Event-B development approach by
  • Introducing explicit control flows
    • Event-B is a state-based formal method; control flow between events is typically modelled implicitly via variables and event guards.
  • Introducing explicit refinement relationships
    • New events may be introduced in Event-B refinement; there is no explicit link between such new events and the abstract event.
  * Initially introduced by Butler: Butler, M. J. Decomposition Structures for Event-B. In Integrated Formal Methods iFM2009 (2009).

  6. Atomicity Decomposition Diagram*
  • The root, the abstract event, is decomposed into sub events.
  • [diagram: AbstractEvent(par) decomposed into Event1(par) and Event2(par); one sub event refines skip, the other refines AbstractEvent]
  • The sub events are read from left to right and indicate sequential control.
  * Based on the Jackson Structure Diagram (JSD): M.A. Jackson: System Development. Prentice-Hall, Englewood Cliffs (1983)

  7. Case Studies Overview
  • The initial AD approach is evaluated and extended in the development of two case studies:
  • Multimedia Protocol*
    • A media channel is established for transferring multimedia data. There are three phases in the protocol: establish, modify and close.
  • BepiColombo Spacecraft**
    • A TeleCommand (TC) is received by the core from Earth.
    • The Software Core (CSW) checks the syntax of the received TC.
    • Further semantic checking has to be carried out on the syntactically validated TC.
    • For each valid TC a control TeleMessage (TM) is generated and sent to Earth.
  * Zave, P. & Cheung, E. Compositional Control of IP Media. IEEE Trans. Software Eng. (2009).
  ** ESA Media Center, Space Science. Factsheet: BepiColombo. http://www.esa.int/esaSC/SEMNEM3MDAF_0_spk.html

  8. Atomicity Decomposition Language (ADL)
  [diagram: ADL constructors flow(p1, pn), one(p), loop (*) and xor, each over leaf and leaf(p) children]

  9. Translation Rules (sequencing)
  [diagram: BepiColombo(tc) decomposed into the sequence ReceiveTC(tc), TC_Validation_Ok(tc); the generated Event-B text is annotated with rules TR1 to TR7]

  10. Translation Rules (loop-constructor)
  [diagram: MediaChannel(ch) decomposed into establishMediaChannel(ch), modify(ch), close(ch) with a loop constructor (*); rule TR8]

  11. Translation Rules (solid line)
  [diagram: TC_Validation_Ok(tc) decomposed into TCCheck_Ok(tc), TCExecute_Ok(tc), TCExecOk_ReplyCtrlTM(tc), with a solid line; rules TR9, TR10]

  12. Translation Rules (xor-constructor)
  [diagram: TCExecute_Ok(tc) decomposed with xor into TCCore_Execute_Ok(tc) and TCDevice_Execute_Ok(tc); rules TR11, TR12]

  13. Translation Rules (one-constructor)
  [diagram: TCExecOk_ReplyCtrlTM(tc) decomposed with one(tm) into TCExecOk_ProcessCtrlTM(tc, tm) and TCExecOk_CompleteCtrlTM(tc); rules TR13, TR14]

  14. Translation Rules (Overview and a closer view)
  [diagram: overview of all translation rules and a closer view of TR1]
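The sequencing, loop and xor rules of slides 9 to 13 are only shown as diagrams here. The following Python program is an added example, not the authors' Rodin plug-in and not its ETL rules: it translates a small AD tree into Event-B style events whose control variables follow the naming protocol stated on slide 16 (each control variable carries the name of its event and collects the parameters for which that event has occurred), and then executes traces against the generated guards. The particular encoding of sequencing, the '*' loop and xor as set-valued control variables is this example's own assumption rather than the published rules TR1 to TR14, and the BepiColombo and media-channel trees are constructed from the event names on the slides (the BepiColombo tree is a subset of slide 18).

```python
# Added example (not the authors' Rodin plug-in): translates an Atomicity
# Decomposition (AD) tree into Event-B style events with control variables
# named after their events, then runs traces against the generated guards.
# The encoding of sequencing, '*' and xor below is this example's assumption.
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    kind: str = "leaf"                 # "leaf", "seq" (left to right) or "xor"
    loop: bool = False                 # '*' constructor: leaf may occur repeatedly
    children: list = field(default_factory=list)

@dataclass
class Event:
    """Generated Event-B style event over one parameter p."""
    name: str
    must_hold: list                    # guards  p ∈ V
    must_not_hold: list                # guards  p ∉ V
    updates: list                      # actions V := V ∪ {p}

    def text(self):
        g = [f"p ∈ {v}" for v in self.must_hold] + [f"p ∉ {v}" for v in self.must_not_hold]
        a = [f"{v} := {v} ∪ {{p}}" for v in self.updates]
        return f"{self.name}(p)  where {' ∧ '.join(g) or 'true'}  then {' ∥ '.join(a)}"

def translate(node, pred=None, blocked=(), extra=(), events=None):
    """pred: variable that must hold before node starts; blocked: variables that
    must not hold; extra: enclosing constructors completed together with node.
    Returns (events, variable that marks completion of node)."""
    if events is None:
        events = {}
    if node.kind == "leaf":
        # an ordinary leaf is atomic (at most once per p); a '*' leaf may recur
        not_hold = list(blocked) + ([] if node.loop else [node.name])
        events[node.name] = Event(node.name, [pred] if pred else [], not_hold,
                                  [node.name, *extra])
        # zero or more loop occurrences: a '*' leaf does not gate its successor
        return events, (pred if node.loop else node.name)
    if node.kind == "seq":
        # each sub event is enabled by its left neighbour; the last completes node
        prev, prev_loop = pred, None
        for i, child in enumerate(node.children):
            _, done = translate(child, prev, blocked if i == 0 else (),
                                extra if i == len(node.children) - 1 else (), events)
            if prev_loop and done != prev:
                # once the event following a '*' has occurred, the loop is closed
                events[prev_loop].must_not_hold.append(done)
            prev_loop = child.name if child.kind == "leaf" and child.loop else None
            prev = done
        return events, prev
    if node.kind == "xor":
        # each alternative completes the xor node and is blocked once it has completed
        for child in node.children:
            translate(child, pred, (node.name, *blocked), (node.name, *extra), events)
        return events, node.name
    raise ValueError(f"unknown constructor {node.kind}")

class Machine:
    """Executes generated events; state maps each control variable to a set of p."""
    def __init__(self, events):
        self.events, self.state = events, {}
    def enabled(self, name, p):
        e, s = self.events[name], self.state
        return (all(p in s.get(v, ()) for v in e.must_hold)
                and not any(p in s.get(v, ()) for v in e.must_not_hold))
    def fire(self, name, p):
        """Fire the event if its guards hold for p; return whether it fired."""
        if not self.enabled(name, p):
            return False
        for v in self.events[name].updates:
            self.state.setdefault(v, set()).add(p)
        return True

# Constructed fragment of the BepiColombo diagram (slides 9, 11, 12 and 18).
BEPI = Node("BepiColombo", "seq", children=[
    Node("ReceiveTC"),
    Node("TC_Validation_Ok", "seq", children=[
        Node("TCCheck_Ok"),
        Node("TCExecute_Ok", "xor", children=[
            Node("TCCore_Execute_Ok"), Node("TCDevice_Execute_Ok")]),
        Node("TCExecOk_ReplyCtrlTM")])])

# Constructed media channel diagram with the '*' loop on modify (slide 10).
MEDIA = Node("MediaChannel", "seq", children=[
    Node("establishMediaChannel"), Node("modify", loop=True), Node("close")])

def run_bepi(tc="tc1"):
    """Trace over the BepiColombo events; False means a guard blocked the event."""
    m = Machine(translate(BEPI)[0])
    return [m.fire("TCCheck_Ok", tc),            # False: ReceiveTC has not occurred
            m.fire("ReceiveTC", tc),
            m.fire("TCCheck_Ok", tc),
            m.fire("TCCore_Execute_Ok", tc),
            m.fire("TCDevice_Execute_Ok", tc),   # False: xor, core branch already taken
            m.fire("TCExecOk_ReplyCtrlTM", tc),
            m.fire("ReceiveTC", tc)]             # False: atomic, already occurred

def run_media(ch="ch1"):
    """Trace over the media channel events showing the '*' loop semantics."""
    m = Machine(translate(MEDIA)[0])
    return [m.fire("establishMediaChannel", ch),
            m.fire("modify", ch), m.fire("modify", ch),   # '*': may recur
            m.fire("close", ch),
            m.fire("modify", ch)]                         # False: channel closed
```

Printing `e.text()` for each generated event shows the guard and action lists in Event-B style, for instance that TCCore_Execute_Ok(p) requires p ∈ TCCheck_Ok ∧ p ∉ TCExecute_Ok and marks both TCCore_Execute_Ok and the xor node TCExecute_Ok as done, which is what later enables TCExecOk_ReplyCtrlTM. Using one set-valued control variable per event, as the slide 16 naming protocol suggests, keeps each guard a simple membership test per parameter instead of a merged guard over several variables.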

  15. Tool Support
  • The Rodin platform is an Eclipse-based IDE for Event-B and is extendable with plug-ins.
  • The AD tool support is developed as a plug-in for Rodin and provides:
    • an environment for graphical modelling in Event-B.
    • automatic translation of the AD diagrams into Event-B models in terms of control flows and refinement relationships.
  Uses:
  • Eclipse Modelling Framework (EMF)
  • Epsilon Transformation Language (ETL)
  [diagram: Event-B EMF meta-model and AD EMF meta-model connected by ETL rules]
  ETL rule example from the slide (maps an ADL leaf to an Event-B variable of the same name):
    rule Leaf2Variable
      transform l : Source!Leaf
      to v : Target!Variable {
        v.name := l.name;
      }

  16. Evaluation
  • The AD plug-in provides a consistent encoding of the AD diagrams in a systematic way. The manually generated Event-B models are less systematic and less consistent.
  • Systematic naming protocol: each control variable has the same name as the corresponding event.
  • Alternative approaches to control flow modelling in Event-B: subsets, disjoint sets, …
  • A merged guard versus separate guards: complicated proof obligations.

  17. The ADL (other constructors)*
  [diagram: ADL constructors one(p), all(p), some(p), and, or and xor, each over leaf and leaf(p) children]
  * Available at http://eprints.soton.ac.uk/340357/

  18. Combined AD Diagram: An Overall Overview of the Refinement Process
  [diagram: BepiColombo(tc) decomposed through the following events: ReceiveTC(tc), TC_Validation_Ok(tc), TCValid_GenerateData(tc), TCValid_ReplyDataTM(tc), TCCheck_Ok(tc), TCExecute_Ok(tc), TCExecOk_ReplyCtrlTM(tc), xor over TCCore_Execute_Ok(tc) and TCDevice_Execute_Ok(tc), SendTC_Core_to_Device(tc), CheckTC_in_Device_Ok(tc), SendOkTC_Device_to_Core(tc)]

  19. Conclusion
  • iFM 2009: The initial AD approach is introduced by Butler.
  • FMCO 2010, NFM 2011:
    • How the AD approach provides a means of introducing explicit control flow into the Event-B development process (in the development of two complex case studies).
  • SEFM 2012:
    • The formal description of the ADL.
    • Translation rules from the ADL to the Event-B language.
    • A tool supporting the AD methodology.
    • Re-develop the models of the previous case studies in an automatic way (more consistent and systematic).
  • Future work:
    • Combining the AD approach with other approaches such as state machines.
    • Applying it to further real-world case studies.
    • Publishing the complete version of the ADL and translation rules (as an extension of SEFM 2012).
