EventB2Java: A Code Generator for Event-B

EventB2Java: A Code Generator for Event-B N´estor Cata˜ no1 and V´ıctor Rivera2 1

Innopolis University Tatarstan, Russia [email protected] 2 Innopolis University Tatarstan, Russia [email protected]

Abstract. Event-B is a formal specification language and a methodology used to build software systems. Formal specifications are more useful when they can be executed. An executable formal specification provides insight on the behaviour of the system being modelled w.r.t an expected behaviour. This paper presents a tool that generates executable implementations of Event-B models. The tool is implemented as a plug-in of the Rodin platform, an Eclipse IDE that provides a set of tools to work with Event-B models. Our tool has extensively been used for generating code for Event-B models of Android applications, reactive systems, Smart Cards, searching algorithms, among others. The first author regularly uses EventB2Java in teaching to help master students of Software Engineering to get a better grasp of the behaviour of a model in Event-B and to detect inconsistencies in the model.

Keywords: Code Generation, Event-B, EventB2Java, Java, JML, Rodin.

1

Introduction

Event-B [2] is a formal method technique to describe and analyse the behaviour of reactive systems. Event-B language is based on predicate logic and set theory. It includes a full-fledged battery of operations over sets and relations for modeling software systems. Event-B represents software systems as discrete transition systems. It represents system components as a succession of states connected through a series of transitions called events. States are composed of constants and variables, and Events are composed of guards and actions. Event guards are written in predicate logic, and event actions are encoded as assignments. Software development with Event-B follows the Parachute strategy [2]. It starts with an initial and very abstract model in Event-B. As the paratrooper descends, more details become clearer to her, and thus she is able to add more details to the initial model. How can the paratrooper make sure that what she modelled in Event-B faithfully reflects what she saw when she was descending? EventB2Java gives a key answer to that question. The EventB2Java tool is a Java code generator for Event-B. It generates Java implementations of Event-B

Fig. 1. Structure of the EventB2Java tool

models. Therefore, the paratrooper can generate a Java code for her EventB models, run them in Java, and check whether the running code meets her expectations. That is, she can validate whether the behaviour of the running code matches the behaviour she expects from the system. This paper presents the EventB2Java tool that generates Java executable implementations of Event-B models.

2

Implementation of EventB2Java

The EventB2Java tool3 implements the rules presented in [13]. It is implemented as a plug-in of Rodin [3]. Left part of Figure 1 shows the main components of Rodin as sub-packages and classes of the org package. The figure also shows the relation among those components and the EventB2Java plug-in through solid arrows. Rodin is built on top of Eclipse. The org.rodinp.core component implements the core functionality of Rodin, e.g. it includes a database for manipulating Event-B models, and classes for storing components such as proofs and proof obligations. The org.eventb.core package implements all the database elements needed for writing models in Event-B. It further includes a static checker, a proof obligation generator and a prover. The org.eventb.core.ast component includes a library for manipulating mathematical formulas in the form of Abstract Syntax Trees (ASTs). This component provides an abstract Visitor class for parsing mathematical formulas. The Sequent Prover (org.eventb.core.seqprover) component contains a library for proving sequents. The Event-B User Interface (org.eventb.ui) component contains the Graphic User Interfaces that permit users to feed Event-B models into Rodin and discharge proof obligations. EventB2Java uses Rodin’s org.eventb.ui component to manipulate context menus so as to enable users to select the type of code implementation that is intended (sequential or multi-threaded). The relationship between org.eventb.ui and EventB2Java is depicted in Figure 1 with a double-headed arrow. org.eventb.ui passes EventB2Java a user request, and this feeds back the generated code for the request. 3

The EventB2Java tool is hosted at http://poporo.uma.pt/EventB2Java/.

Event-B models are written in predicate logic. The org.eventb.core.ast component encodes Event-B’s mathematical language as ASTs. This component provides various services such as parsing a formula (computing its AST from a string of characters), pretty-printing it, constructing new formulas directly using the API library, type-checking formulas (inferring the types of the expressions occurring within and decorating them with their types), testing formulas for equality, among others. The org.eventb.core.ast component implements a library to traverse trees (a Visitor) and to attach information to tree nodes. Figure 1 uses a single-headed arrow between org.eventb.core.ast and the EventB2Java tool since it does not modify any formula. The input to org.eventb.core.ast is part of the information collected from the org.eventb.core component. EventB2Java extends the Visitor class and generates code in one pass. After collecting information of contexts and machines and parsing them using the Visitor implementation, the EventB2Java tool generates an Eclipse Java project, which includes a machine package that contains the translation of the machines and contexts, and a main class with information about carrier sets, constants, and variables from the Event-B model. This package also contains the translation of each machine event. EventB2Java can produce both multi-threaded and sequential implementations of Event-B models. For supporting multi-threaded Java implementations, EventB2Java extends the standard Java Thread class by properly overriding the run() method. Event-B relies on five mathematical languages (see Chapter 9 of [2]): i.) a Propositional Language, ii.) a Predicate Language, iii.) an Equality Language, iv.) a Set-Theoretic Language, and v.) a Boolean and Arithmetic Language. The eventb prelude package of EventB2Java includes classes with implementations of each respective language (some constructs are supported natively by Java, for instance negation in Event-B (¬) is represented as ! in Java). These classes are: BOOL, INT, NAT, NAT1, Enumerated, Pair, BSet, BRelation, and ID, implementing, respectively, booleans, integers, natural numbers with and without 0, the enumerated type, pairs of elements, sets, relations, and the identity relation. Finally, EventB2Java includes a Util class with methods such as SomeVal that returns an arbitrary value within a set, and SomeSet that returns an arbitrary subset of a set. The former is used to assign a variable or a constant an arbitrary value.

3

Experience Using EventB2Java

EventB2Java has extensively been used to generate Java code for diverse Event-B models of systems and programs of various types. Statistics about some of these models are shown in Table 2, where “LOC” stands for Lines of Code in Event-B, and “# Mch” and “# Evt ” are the number of machines and events of each model, respectively4 . For instance, the Event-B model for Social-Event Planner contains 1326 lines of code in Event-B, it is composed of 9 machine refinements 4

Event-B models and respective Java code generated by EventB2Java can be reached at http://poporo.uma.pt/EventB2Java/EventB2Java_studies.html.

Event-B Model Social-Event Planner [12] MIO [4] Heating Controller [7] State Machine [15] Binary Search [1] Linear Search [1] Minimum Element [1] Reversing Array [1] Sorting Array [1] Square Root Number [1]

LOC # Mch # Evt 1326 9 35 586 7 21 458 15 32 86 2 5 101 3 3 54 2 2 64 2 3 64 2 2 137 3 4 84 3 2

Fig. 2. Statistics of the Event-B Models

and 35 events. The Social-Event Planner [12] is an Android application of a planner for social events in which a user can create a social event and invite a list of people to join it. The Android app was developed following the MVC design pattern. The Model part is written in Event-B and EventB2Java was used to generate code of the core functionality of the planner. MIO [4] is an Event-B model of a massive transportation system that includes articulated buses following the main corridor routes of a city. The Heating Controller [7] is an Event-B model of a heating controller that provides an interface to adjust and display a target temperature, and to sense and display the current temperature, among other functionality. The State Machine [15] is an Event-B model of state machines. The rest of the examples are sequential program developments written by J.-R. Abrial in [1]. Linear and Binary Search are the Event-B models of the respective searching algorithms. Minimum Element is an Event-B model for finding the minimum element of an array of integers. Reversing and Sorting Array are Event-B models for reversing and sorting an array respectively. Square Root Number is an Event-B model for calculating the square root of a number. The reader is encouraged to consult [14] for a full discussion on these examples. 3.1

Use of EventB2Java for Teaching

The first author has regularly used EventB2Java in several Formal Methods and SE courses. In Fall 2015, he introduced Event-B and EventB2Java to students of the MSIT-SE (Master of Science in Information Technology - Software Engineering) at Carnegie Mellon University (CMU), Pittsburgh, USA. This course is a mandatory course for master students. He used a social networking example in Event-B [5] to motivate students and to introduce refinement calculus techniques, and used EventB2Java to generate code. He has previously used EventB2Java for teaching similar master courses at the University of Madeira, Portugal, and universities EAFIT, Andes, and PUJ, in Colombia. EventB2Java generates JML [8] annotations in addition to Java code. JML and Java use less intimidating mathematical notations than Event-B, and so less

expertise is required by students or engineers to use tools that provide support to JML and Java. It seems thus reasonable that students can take full advantage of the most appropriate software methodology and tools when developing their software. EventB2Java bridges software development in Event-B with software development with Java and JML, by using Design-by-Contract techniques [10].

4

Related Work

In [9], M´ery and Singh present the EB2ALL tool-set that includes the EB2C, EB2C++, EB2J, and EB2C# plug-ins, which translate Event-B machines into C, C++, Java, and C] respectively. Unlike EventB2Java, EB2ALL provides support for a small part of Event-B’s syntax, and users are required to write a final Event-B implementation refinement in the syntax supported by the tool. In [11], Ostroumov and Tsiopoulos present the EHDL prototype tool that generates VHDL code from Event-B models. The tool supports a reduced part of EventB’s syntax and users are demanded to extend the Event-B model before it can be translated. In [16], Wright defines a B2C extension to the Rodin platform that translates Event-B models into C code. Also, the Code Generation tool [6] generates concurrent Java and Ada programs for a tasking extension of Event-B. As part of the process of generating code with the Code Generation tool, users have to decompose the Event-B model by employing the Machine Decomposition plug-in. The decomposed models are refined and non-deterministic assignments are eliminated. Finally, users are requested to model the flow of the execution of events in the tasking extension. Unlike all these tools, our tool does not require user’s intervention, while it works on the proper syntax of the Event-B model.

5

Conclusion

EventB2Java generates Java implementations of Event-B models written at any level of abstraction. It largely supports Event-B’s syntax and it’s fully integrated to Rodin, but it has some limitations. Code generation of values that adhere to a non-deterministic assignment is not automated. One could use SomeVal (see Section 2) to generate an arbitrary value and then a constraint solver to check if the value adheres to machine axioms, but this is still future work. EventB2Java generates JML software contracts in addition to Java code. This is useful for programmers who want to customise the generated Java code and want to check if their customisations are correct. The second author uses the Event-B tool regularly to generate code of Android apps in his courses of Software Engineering and the Android laboratory of Programming Usable Interfaces lectured at Carnegie Mellon University (CMU), the University of Madeira (UMa), the Pontificia Universidad Javeriana (PUJ), and the EAFIT University. His students are always motivated by the possibility of being able to run mathematical Event-B models in Java automatically.

References 1. Jean-Raymond Abrial. Sequential Program Development: Teaching Resources. (Accessed 2015). Available at http://deploy-eprints.ecs.soton.ac.uk/ 122/1/sld.ch15%2Cseq.pdf, 2009. 2. Jean-Raymond Abrial. Modeling in Event-B: System and Software Design. Cambridge University Press, New York, NY, USA, 2010. 3. Jean-Raymond Abrial, Michael Butler, Stefan Hallerstede, Thai Son Hoang, Farhad Mehta, and Laurent Voisin. Rodin: an open toolset for modelling and reasoning in Event-B. Software Tools for Technology Transfer, 12(6):447–466, 2010. 4. N´estor Cata˜ no and Camilo Rueda. Teaching Formal Methods for the Unconquered Territory. In 2nd International Formal Methods Europe Conference on Teaching Formal Methods, Lecture Notes in Computer Science, The Netherlands, 2009. Springer-Verlag. 5. N´estor Cata˜ no and Camilo Rueda. Matelas: A predicate calculus common formal definition for social networking. In M. Frappier, editor, Proceedings of ABZ 2010, volume 5977 of Lecture Notes in Computer Science, pages 259–272, Qu´ebec, Canada, 2010. 6. Andrew Edmunds and Michael Butler. Tool Support for Event-B Code Generation. In Workshop on Tool Building in Formal Methods 2010, Qu´ebec, Canada, 2010. John Wiley and Sons. 7. Andrew Edmunds and Abdolbaghi Rezazedeh. Development of a Heating Controller System. Accessed March 2015., 2011. Available at http://wiki.event-b.org/index.php/Development_of_a_Heating_ Controller_System. 8. Gary Leavens, Albert Baker, and Clyde Ruby. Preliminary Design of JML: A Behavioral Interface Specification Language for Java. ACM Special Interest Group On Software Engineering, 31(3):1–38, 2006. 9. Dominique M´ery and Neeraj Singh. Automatic code generation from Event-B models. In symposium on Information and Communication Technology, Hanoi, Vietnam, 2011. ACM. 10. Bertrand Meyer. Object-oriented Software Construction (2Nd Ed.). Prentice-Hall, Inc., Upper Saddle River, NJ, USA, 1997. 11. Sergey Ostroumov and Leonidas Tsiopoulos. VHDL Code Generation from Formal Event-B Models. In Euromicro Conference on Digital System Design, pages 127– 134, 2011. 12. V´ıctor Rivera and N´estor Cata˜ no. The Social-Event Planner (Accessed 2015), 2012. Available at http://poporo.uma.pt/favas/Social-Event_ Planner.html. 13. Victor Rivera and N´estor Cata˜ no. Translating Event-B to JML-Specified Java programs. In 29th ACM SAC, Gyeongju, South Korea, March 24-28 2014. 14. V´ıctor Rivera, N´estor Cata˜ no, Tim Wahls, and Camilo Rueda. Code generation for Event-B. International Journal on Software Tools for Technology Transfer (STTT), pages 1–22, 2015. 15. State-Machines and Code Generation. Accessed August 2013., 2012. Available at http://wiki.event-b.org/index.php/State-Machines_and_Code_ Generation. 16. Stephen Wright. Automatic Generation of C from Event-B. In Workshop on Integration of Model-based Formal Methods and Tools, Nantes, France, 2009. SpringerVerlag.