MOSEL project proposal Proof-oriented development of computer

MOSEL project proposal Proof-oriented development of computer-based systems System Modelling, Design, and Validation January 30, 2003

Dominique Méry

LORIA UMR 7503 CNRS INPL INRIA Lorraine Université de Metz Université Henri Poincaré Nancy 1 Université Nancy 2

Contents 1

Project Members

2

Project Overview 2.1 Summary . . . . . . . . . . . . . . 2.2 Main challenges . . . . . . . . . . . 2.3 Rationale . . . . . . . . . . . . . . 2.4 Strategic Implications of the Theme

3

4

5

Background and State of the Art 3.1 Background . . . . . . . . . 3.2 Formal methods . . . . . . . 3.3 Verification techniques . . . 3.4 Best practices . . . . . . . .

4

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

5 . . . 5 . . . 7 . . . 7 . . . 10

. . . .

. . . .

. . . .

11 . . . . 11 . . . . 12 . . . . 14 . . . . 16

Proposed Directions of Research 4.1 Foundations and methodology . . . . . . . . . . . . . . . . . . 4.1.1 Incremental system development . . . . . . . . . . . . . 4.1.2 Proof engineering . . . . . . . . . . . . . . . . . . . . . 4.1.3 Refinement and abstraction for particular system models 4.2 Notation and tools . . . . . . . . . . . . . . . . . . . . . . . . . 4.2.1 Predicate diagrams . . . . . . . . . . . . . . . . . . . . 4.2.2 Integration with Semi-Formal Approaches . . . . . . . . 4.2.3 Pedagogical Applications . . . . . . . . . . . . . . . . . 4.3 Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.3.1 Project RNRT EQUAST . . . . . . . . . . . . . . . . . 4.3.2 Project DIXIT . . . . . . . . . . . . . . . . . . . . . . 4.3.3 Project ADHOC . . . . . . . . . . . . . . . . . . . . . 4.3.4 Project HUGO . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . .

17 17 18 19 21 22 22 24 25 25 25 26 26 27

Scientific Context 28 5.1 Neighbor projects within INRIA . . . . . . . . . . . . . . . . . . 28 5.1.1 Closely related INRIA projects . . . . . . . . . . . . . . . 28 5.1.2 INRIA projects with potential overlap . . . . . . . . . . . 29

2

5.2 5.3 5.4

5.5

Local context . . . . . . . . . . . . . . . . . . . . . National context . . . . . . . . . . . . . . . . . . . . International context . . . . . . . . . . . . . . . . . 5.4.1 Refinement and action systems . . . . . . . . 5.4.2 Theory of abstractions . . . . . . . . . . . . 5.4.3 Formal Engineering and System Engineering 5.4.4 Theorem proving . . . . . . . . . . . . . . . Visibility in the scientific community . . . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

30 31 33 33 33 34 35 36

References

38

6

47

Recent Publications of Project Members

3

1

Project Members

Project head Dominique Méry, Professeur, Université Henri Poincaré, Nancy 1, LORIA

Researchers • Dominique Cansell, Maître de conférences, Université de Metz, on leave to INRIA Lorraine, LORIA: permanent project member. • Stephan Merz, Directeur de recherche, INRIA Lorraine, LORIA: permanent project member.

Lecturers • Jacques Jaray, Professeur, INPL (Ecole des Mines de Nancy), LORIA: parttime project member. • Denis Roegel, Maître de conférences, Université de Nancy 2, LORIA.

PhD students • Olfa Mosbahi • Cyril Proch • Yann Zimmermann

Secretary • Josiane Reffort, Assistante du projet, Université Henri Poincaré, Nancy 1, LORIA.

4

2

Project Overview

Keywords. Refinement, semantics, proof, systems, modelling, design, validation.

2.1

Summary

Proof-oriented system development aims to reinforce standard methods for the design of computer-based systems by formal description and analysis techniques that can help to ensure higher levels of reliability and correctness. Based on a precise mathematical semantics, it offers powerful techniques for the validation and analysis of system models, including comprehensive testing and verification, that accompany and guide the development process. We are interested in a class of systems that includes reactive, distributed, real-time, and mobile systems, possibly concerning both hardware and software aspects. The design of systems of realistic scale requires models to be built at different levels of abstraction and detail. In a formal approach to system development, these models are related by the key concept of refinement, which ensures that properties established at an abstract level are preserved by the implementation. The refinement relationship between system specifications is established by a rigorous proof showing that the class of models of the detailed specification is contained in the class of models of the abstract one. The benefits of an approach based on refinement are numerous: from the point of view of the system developer, system requirements can be addressed in several steps (or cycles) of system development, and feedback on the properties of the current model of the system or on design errors is obtained quite early. From the point of view of the verifier, the burden of proof is spread over the development process, and the preservation of key properties such as safety, security or availability is guaranteed. The presence of intermediate system models both reduces the complexity of the proof obligations (allowing for a higher degree of automation) and produces a trace of “milestones” produced during the development of a system, documenting the design. Validation techniques such as tests and simulation can be applied to the intermediary models and enable the early detection of design faults.

5

We intend to work along the following lines of research: Foundations and methodology. A credible formal design method must take into account the typical development life cycle from requirement engineering through component design to integration. These phases result in different system models; refinement ensures that these models are coherent. We believe that the basic elements of the theory of refinement are well-established and we propose to base our approach on existing theories (specifically, Abrial’s B method, especially in its event-based variant, and Lamport’s TLA+ ). However, we will not refrain from foundational research where necessary. In particular, new system paradigms such as agent-based and mobile systems require appropriate extensions. Moreover, serious consideration of proofs as artefacts of system design requires conceptual work on proof engineering, including the representation, management, and reuse of proofs and of entire developments, based on composition and genericity. Notation and tools. A second line of research derives concrete notations, methods, and associated tools from our conceptual work. We have previously defined the framework of predicate diagrams and have shown how system verification and refinement can be carried out (and can partly be automated) within this framework. We want to further develop this approach, support it by tools that we and others can use, and also relate it to semi-formal notations and methods that are widely used in practice. Finally, we see interesting pedagogical applications of our approach, which can in turn reinforce the design of new systems. Applications. Academic and industrial case studies, which have always been an important element of our work, serve to validate our ideas and lay the basis for their transfer to actual use by practitioners. In turn, realistic case studies require the availability of (semi-)automatic tools that generate and, where possible, discharge the relevant proof obligations. Although we do not view the development of new tools as our primary focus of research, we envisage to integrate and adapt existing tools for our approach. These research subjects are strongly interrelated and mutually dependent. The originality of our approach resides in the combination of the following aspects: 6

• Our work relies on refinement and abstraction as a methodological basis for system development as well as, more technically, to combat the state explosion problem in algorithmic verification techniques. • Our notion of proof is based on an integration of different verification techniques (e.g., model checking, abstract interpretation, and interactive proof). We try to find the right balance, both methodologically and technically, between automatic and interactive proof methods. • We aim at a large class of systems that includes reactive, distributed, realtime, and mobile, possibly embedded systems, and we intend our approach to scale to systems of realistic size. • Part of our work aims at an integration with standard, “semi-formal” description techniques such as UML or hardware description languages.

2.2

Main challenges

The overall goal of a proof-oriented development process for improving the quality of computer-based systems translates into a number of individual key challenges along which our progress should be measured: • integrate proof techniques in the development process, • apply refinement throughout the development process, from the elaboration of the requirements to obtaining efficient code or hardware, • combine certified components through refinement and genericity, • validate the approach by application to industrial case studies, • establish and improve courses on formal methods and associated tools.

2.3

Rationale

Although formal development techniques have been studied since several decades and have had a substantial impact on the understanding of the development activity as well as on language design, they have not yet found widespread acceptance 7

in the development community. Individual techniques such as model checking, formal approaches to testing, and semantic analysis have been successfully applied in industry, following some spectacular failures (e.g., Therac 25, Ariane 5, Pentium bug, . . . ) as well as certification requirements for certain products that contain software components. The mastering of quality and safety requirements of computer-based systems has thus become a challenge for system developers. However, the above-mentioned techniques are limited in principle by their restricted applicability to certain classes of systems, such as finite-state systems, and in practice by state-explosion problems. Methods based on interactive proof are generally applicable in principle but are much less mastered. A central problem, beyond the limited degree of automation, is the lack of methodological guidance to the developer. Approaches based on refinement allow to gradually introduce complexity into the design, incrementally verifying its correctness by automatic or interactive tools. In fact, verification-oriented techniques such as model checking, formal testing or abstract interpretation make more and more use of abstraction, which is the counterpart to refinement. However, starting from an existing system, it is difficult to “re-discover” the appropriate abstraction. Previous experience with the B method has led us to observe that a refinement-based method has considerable advantages because the complexity of the overall verification effort is spread over the entire development cycle. Besides, the trace of intermediate system models is a useful supplement to system documentation. We would like to emphasize that the idea of refinement is not an original invention of computing science but is fundamental to the scientific approach to engineering. Traditional engineering disciplines translate a given physical problem into a mathematical model. From this “conceptual” mathematical model, a solution is derived by applying engineering methods that embody scientific knowledge. Typically, the solution cannot be obtained in one step; intermediate models serve to identify subproblems, sufficient approximations etc. Every step in the development is justified by mathematical proof (e.g., calculation). The abstraction gained by considering mathematical models instead of physical, chemical or biological reality helps to concentrate on the relevant aspects of the problem and (for the scientist) to state laws that are universally applicable. Validation is still necessary, e.g. by conducting experiments on scale models, to ensure that all relevant aspects have been accounted for in the abstraction. Applying this view to the de8

velopment of computer-based systems, we see that refinement enables a rational approach to system development, separating the engineering invention from the mechanical aspects related to proofs. Moreover, system designers should be able to follow standard “patterns” that are generic to well-identified problem classes and whose correctness has been established once and for all. Clearly, much work remains to be done to make such an approach practical and applicable to complex systems. We believe that it should be integrated with standard methods of system design that have proven in practice to represent useful views of systems. In this respect, the UML has over the past years established itself as the lingua franca of object-oriented software design, offering several types of diagrams to represent static, dynamic, and architectural views of systems, at different phases of the development cycle. Formal methods should provide the necessary semantics to justify such transitions between development phases as valid refinement steps. Second, specific classes of systems require extensions of existing theories of refinement. For example, fairness has been recognized as a key abstraction concept in the description of reactive and distributed systems. However, despite its maturity, the B method does not support fairness conditions and their refinement, but forces the specifier to describe progress operationally. In our work on predicate diagrams, we have shown how fairness and liveness properties can be represented at a high level of abstraction, and that associated proof obligations can often be discharged automatically using model-checking techniques. We also intend to study refinement of real-time, embedded, and mobile systems. Third, an important element in coping with the complexity of realistic systems is their decomposition into components. A development method based on refinement and proof should take into account the knowledge about the environment of the individual components defined by the interfaces and protocols provided by the other components. Although powerful general theories of composition exist, these are often impractical because they entail too complicated proof obligations. Finally, the method should encourage reuse, both of components and of developments as a whole. This requires to clearly identify relevant parameters and assumptions. Reuse then means to instantiate parameters and prove the validity of the associated assumptions. In contrast, the correctness of the obtained solution is guaranteed once and for all by the development of the generic solution. 9

2.4

Strategic Implications of the Theme

The development of reliable software and systems has been widely recognized as a priority research goal. In particular, the report “High Confidence Software and Systems Research Needs” [24] issued by the U.S. National Coordination Office for Information Technoloy Research and Development, and reinforced by the Blue Book describing the Supplement for the President’s Budget for Fiscal Year 2003, analyzes the research needs for augmenting confidence in software systems. It insists in particular that fundamental understanding and a formal scientific grounding is necessary for the construction of reliable systems, a point of view that is not widely followed in the United States. Our project falls within the following priority research theme mentioned in the European Unions’s 6th Framework Programme for Research and Technological Development: software technologies architecture, distributed and embedded systems supporting the development of multifunctional and complex services that involve multiple actors, and engineering and control of complex and large-scale systems to ensure reliability and robustness. The CNRS promotes researchs in information technology in the newly created scientific department STIC. Our research can contribute to the following “Réseaux Thématiques Pluridisciplinaires”: 23. Mathématique de l’informatique, 19. Systèmes embarqués complexes ou contraints, 20. Fiabilité, diagnostic et tolérance aux fautes des systèmes complexes, 21. Sûreté de fonctionnement des systèmes ouverts, 22. System on chip. Among the major scientific challenges mentioned in the strategy plan of INRIA, we address the following: • to be capable of producing reliable software, • to design and master the automatic control of complex systems, • to master digital infrastructures by being capable of programming, computing, and communicating on the Internet and on heterogeneous networks.

10

3

Background and State of the Art

3.1

Background

Computer-based systems pervade our daily lives; the quest for increased functionality or higher comfort at lower cost induces system designers to provide an ever higher proportion of the implementation to be delivered by software components. This overall tendency has also become relevant for safety-critical systems, as for example in car manufacturing (where computer-based control components nowadays contribute 20% or more of the overall cost), avionics or electronic commerce, systems whose malfunctioning may endanger the safety and security of persons and assets. The development of applications of realistic scale requires the cooperation of teams including both domain experts and programmers (or system experts), who have to agree on the functionality and on the overall design of the system. One important task of the system experts consists in decomposing the overall system into a set of components that need to cooperate along well-defined interfaces. The individual components (which may in turn be subdivided into subcomponents) are developed separately, relying on the adherence of all components to the defined interfaces and protocols. In the case of embedded systems that represent a privileged class of target applications for our project, both hardware and software components have to be taken into account during development. The increasing complexity of such applications implies that overall system quality cannot be ensured using traditional, mainly empirical techniques. Precise, mathematical models play a prime role in the quest for more robust and more reliable systems.1 Many different kinds of models and associated formalisms have been suggested, differing in the types of target systems and in the underlying mathematical theories. We review some of the formalisms that we believe to be most relevant for our work. 1 This

remark applies in principle to quantitative as well as qualitative methods of analysis, although the proposed project will concentrate on the latter.

11

3.2

Formal methods

Algebraic methods of specification [36, 27, 32, 77] are based on (usually firstorder) predicate logic and describe classes of models in terms of the expected observable properties. These methods have been particularly successful to describe data structures and operations; in certain cases such specifications can easily be translated into implementations in functional programming languages such as ML. It is also conceptually simple to define refinement of algebraic specifications as inclusion of model classes, although some care has to be taken in designating the observable features of specifications, and most notably of equality [8, 27, 34]. Standard algebraic formalisms do not support features such as non-determinism, parallelism, and specifications of (potentially infinite) reactive behavior, which are essential for our target class of systems. It has recently been proposed to combine algebraic and dual, co-algebraic specifications [67] to describe such systems. While this combination appears very interesting, it is not sufficient to abstractly express properties of fairness and liveness. A less radical departure from standard algebraic specification languages is represented by Algebraic State Machines [10, 31] that combine an algebraic description of the underlying data space with an operational specification of dynamic behavior in terms of updates to interpretations that represent system states. Similarly, the Maude formalism [54] combines algebraic specifications with rewriting to describe dynamic system behavior. Again, whereas these formalisms are intended to describe the behavior of discrete transition systems, they lack abstract representations of fairness and liveness properties. Process algebras such as CCS [56], CSP [35] or ACP [7] concentrate on the control aspects of systems characterized by parallelism and non-determinism and can be considered as abstractions of parallel programs. Research in this area has in particular resulted in a rich mathematical theory of system simulations and equivalences, which serves as a guiding reference even when the actual formalism is different, as in our project. More recently, there has been widespread interest to define calculi that capture elements of programming languages for mobile systems. The earliest of these is Milner’s π calculus [57, 68], spawning a line of research that has produced calculi emphasizing different aspects of mobility, including Fournet and Gonthier’s Join Calculus [25], Cardelli and Gordon’s Ambi-

12

ent Calculus [14] or the Seal Calculus developed by Vitek and Castagna [75]. Applications of such foundational calculi to the design of real-world systems requires the combination of formalisms that describe data and control aspects. For example, LOTOS [74, 73] combines the algebraic specification language ACT ONE with a process-algebraic description of dynamic behavior. It has received widespread attention in the telecommunication domain where it has been used to model ISO/OSI protocols. So-called model-based formalisms describe systems in terms of specific, though abstract mathematical models.2 Typical representatives include VDM [39], Z [70], and B [2], which are based on Zermelo-Fraenkel set theory but differ in the class of target systems. These formalisms induce the developer to describe the system as a whole, rather than via an open-ended set of requirements as in the alternative, property-oriented approaches. It is therefore widely believed, and our project adheres to this view, that model-oriented specifications tend to scale better to larger systems. Rich refinement theories allow a lower-level specification to be based on abstractions different from the higher-level models, thus avoiding the danger of overspecification. Our group has ample experience with Abrial’s B method (in turn strongly inspired by Back’s Action Systems [3]). There, a system is described as a set of actions, expressed as guarded, nondeterministic updates of the system state, and constrained by an invariant. System development proceeds by step-wise refinement of data and actions; proof obligations ensure that the abstract behavior (and its invariants) are preserved throughout the development. New events may be introduced provided that they have no effect on the higher-level state variables and that they preserve relative deadlock-freeness and ensure the eventual execution of some event present at the higher level. However, the B method lacks a high-level representation of fairness concepts to ensure progress, and liveness properties cannot be abstractly specified. Instead, progress has to be ensured very explicitly, leading to low-level specifications and inducing unnecessary complexity in associated proof obligations. Temporal logic [22, 51, 52] provides a high-level language to succinctly de2A

useful analogy in mathematics can be found in the contrast between algebra, which describes mathematical structures in terms of their characteristic properties, and analysis, where objects are constructed in an appropriate mathematical universe.

13

scribe run-time properties of reactive systems, and in particular liveness and fairness properties. Unity [16, 58] can be considered as a combination of Action Systems, selected fairness concepts, and a restricted form of temporal logic, and has been demonstrated to support the development of reactive and parallel systems at a reasonably high level of abstraction. Even more abstract and therefore, in our opinion, more elegant specifications are possible in Lamport’s Temporal Logic of Actions TLA [46]. Based on a small set of orthogonal concepts, its main strength is to capture both system specifications and properties in a single formalism. Logical connectives such as conjunction, implication, and quantification correspond to structural operations on system specifications and express relationships such as parallel composition, hiding, and refinement. Lamport has also defined a complete specification language TLA+ based on TLA and ZF whose underpinnings are very similar to the B method, but which adds fairness and liveness properties in a natural way. However, TLA+ lacks good support for genericity, decomposition, and reuse, as well as theorem-proving support that will allow realistic developments to be carried out with a sufficient degree of automation. The work proposed in section 4.1 addresses some of these shortcomings. We also intend to study relevant extensions of TLA and TLA+ for particular system models such as mobile systems or probabilistic distributed algorithms.

3.3

Verification techniques

Whatever concrete formalism is chosen, formal methods of system development require the discharge of appropriate proof obligations to ensure the correctness of the resulting system. Their application to real-scale systems therefore requires the support by computerized verification engines that can establish a significant fraction of the proofs without human intervention and allow the developer to concentrate on those verification steps that represent the core of the design. Building on results from research into efficient decision procedures as well as on foundational, e.g. type-theoretic, studies of the nature of proof and verification, much effort has been devoted to the construction of powerful interactive and automatic theorem provers that can be applied to system development. On the one hand, calculi and logics can be embedded in general-purpose theorem provers such as Coq [49], Isabelle [63], PVS [61] or ACL2 [40]. For example, 14

Coq has been applied with great success to the verification of cryptographic protocols, which has enabled the launch of the start-up company Trusted Logic where the acquired know-how is applied to the verification and certification of commercially relevant protocols. The proof system PVS developed at SRI has been used for the verification and analysis of large safety-critical systems, let us only mention recent work on the verification of the Time-Triggered Architecture [66] that underlies control systems in both automobiles and aircraft. On the other hand, some verification engines systems have been carefully designed to support a specific formalism. For example, Larch and VDM have been supported by dedicated toolsets [26, 30], and the STeP system [9] is a specialpurpose prover for linear-time temporal logic. Our group has particular experience with the use of the set of tools supporting the B method, collectively known as the Atelier B [71]. In typical case studies, its proof engine can effectively discharge 80–90% of the required proof obligations. The toolset has been successfully applied to the development of large projects, including the driverless subway line Météor of the RATP system in Paris. In an ongoing project (see section 4.3.3) we are trying to improve the effectiveness of the prover’s interface, based on a conceptual analysis of the proof process. In contrast to machine support for deductive verification, model checking techniques [6, 17] analyse the set of system executions. Their success is mainly due to two factors: first, the approach is easy to integrate into standard practices of system development and rewards the user with meaningful counter-examples in case of failure; an important feature since designs are initially expected to contain errors. Second, model checking does not require the mastering of an interactive theorem prover, which invariably requires an intimate knowledge of its proof methods and the structure of its standard library. However, model checking also has inherent problems: it is necessarily restricted to sufficiently “regular” classes of systems such as finite-state systems, and it is plagued by problems of scale known as the state-explosion problem. It must therefore be applied to approximative system models, and the choice of a meaningful approximation that captures the essential properties of the system while allowing an algorithmic exploration of its state space becomes an essential skill. Although model checking is therefore best viewed as a debugging technique, it can be successfully applied within verification and development methods when coupled with theories relying 15

on compositionality and abstraction [28, 41], as we will describe in section 4.2. Within the general context of the automatic analysis of systems (or system specifications), abstract interpretation [18, 19] provides a general-purpose framework for the algorithmic analysis of arbitrary classes of systems that has been demonstrated to be applicable in practice to realistic systems [44]. We intend to use similar techniques for the verification and development of system models, exploiting the duality of abstraction and refinement (see sections 4.3.1 and 4.3.2).

3.4

Best practices

Whereas formal techniques of modelling and system development have so far found only limited application in industry, semi-formal notations and methods are widely used to document design decisions and to guide system development. Beginning with entity-relationship diagrams and leading to the UML notation [65], currently considered as the de-facto standard for the design of object-oriented systems, such notations have been promoted in parallel to advances in the formal methods community, with at most superficial interaction. These notations focus on means to visualize and structure the emerging system design. They are often accompanied by guidelines or processes that suggest how to proceed during system development, associating different types of diagrams with different phases of development. Despite the traditional lack of interaction between the two communities, we believe that the acceptance of notations such as UML in practice indicates their usefulness, and that formal techniques can be fruitfully applied to them. It is one of the aspects of the proposed project (cf. section 4.2.2) to provide system developers with notations and tools that allow them to analyse the coherence of UML models and to incrementally add formal annotations, being rewarded with greater confidence in the quality of the resulting product. From the side of the formal methods community, this not only requires to define a formal semantics of individual semi-formal notations, which has sometimes be attempted [11, 15, 48], but also to seriously consider the relationships between the models produced in different phases of system development processes. We find it encouraging to see terms such as “abstraction” and “refinement” appear in OMG documents [55]. We also intend to study the use of UML to illustrate formal designs. 16

4

Proposed Directions of Research

We now describe in more detail the work that we propose to carry out in this project, along the three principal lines of research mentioned in section 2.1.

4.1

Foundations and methodology

The goal of this line of research is to study the applicability of formal methods of system development to the design of systems approaching realistic scale, within accepted design processes. Our goal is to provide added value by supplementing and guiding the development process by advanced analysis and verification methods, from the elaboration of requirements to the generation of efficient program code or hardware chips. Although system verification a posteriori constitutes a first solution to ensuring the quality and correctness of a system, it is applied too late to have an impact on system development. Moreover, the gap between a complete implementation and abstract correctness properties is usually too wide to enable a sufficient degree of automation. On the other hand, early attempts at transformational design [4, 62] have been formulated at too low a level to be practically useful. Our approach builds on the idea that a scalable method of system development requires the construction of several system models that progressively add detail to the design. In the initial stages of system development, the models help to elicit requirements and to identify system components. Being formal, they are amenable to validation and verification, in order to establish correctness properties or reveal design errors at a time where they are still easy to correct. The models produced successively are related by precise, and preferrably formally proven, semantical relationships of refinement, ensuring that they respect the design choices taken earlier, and that properties are preserved. Proof obligations should be discharged as automatically as possible, using whatever verification technology is most appropriate. The basic foundations of abstraction of refinement have been studied since the 1960’s. Our intentions are not primarily in defining new foundational formalisms: formally, our work will mainly be based on Abrial’s B method [2] and Lamport’s TLA [46]. Instead, we focus on applying refinement concepts throughout the de-

17

velopment of larger-scale systems, as well as adapt them to new paradigms of system design. We will particularly focus on embedded and distributed systems, including systems incorporating mobility of code. Applications to novel paradigms of systems may suggest variations and extensions of the basic formalisms, inspiring more theoretical work. On the other hand, we are interested in formally incorporating concepts of abstraction and refinement into standard, informal notations and processes of system design. 4.1.1

Incremental system development

It is widely accepted in software engineering that system development proceeds in several stages that successively elaborate the structure of the system, identifying sub-components and adding implementation detail up to a point where code can be generated. Initial analysis models serve to identify actors, key system components, and their interaction, commonly expressed via use cases [38]. The rôle of the analysis model is to determine the overall tasks and behavior of the system, establishing a contract between software developers and clients. It confines the subsequent design and represents a decisive milestone in system development. Expressed in a sufficiently formal notation, it enables validation, by simulation or by establishing key system properties, and defines test cases to be applied to the future implementation. For example, UML interaction diagrams can be used to describe system runs in terms of messages exchanged between objects. An important research issue is how to enable a designer to find a good analysis model. A catalog of standard, elementary problem classes, such as Jackson’s problem frames [37], helps to classify the requirements and suggests appropriate solutions. In a refinement-based development method, such elementary classes would be accompanied by proven, generic developments that could be instantiated to suit the problem at hand. Subsequent stages of system development produce new, more detailed models of the system under construction. Even without formal analysis, the intermediate models constitute an important element of documentation, aiding the understanding of the final system, but also of its development process. Within a formal framework, as proposed in our project, added value is obtained by proving theo-

18

rems that assert the refinement between successive models, implying that properties (including correctness, security or availability) are preserved throughout the development process. The idea of refinement allows the developer to concentrate on a single problem at a time, and to establish relevant properties “just in time”, that is, at the appropriate level of abstraction rather than only at the level of the final design. Because design steps are relatively small, one may hope for a high degree of automation when proving refinement. Moreover, the failure to prove correctness of a refinement step indicates that a design error has been introduced during the current refinement step, when it is still easy to correct. The notion of proof used in this project should be understood in a broad sense, including both syntactic and semantic theories and tools of verification. The precise nature of the proof obligations necessary to ensure refinement depends on the system models as well as on the classes of properties that must be preserved. Whereas safety and liveness properties represent two basic classes of properties of reactive systems, they may be complemented by additional requirements, e.g. architectural specifications, quantitative (e.g., performance) indications or probabilistic properties, which respectively require appropriate specification formalisms and refinement notions. We will mainly base our approach on the B method, because we have found it to strike a good balance between expressiveness and simplicity, and because it is supported by a powerful tool set that can be used to discharge many proof obligations quasi-automatically. However, the B method as defined by Abrial does not offer means to abstractly describe fairness and liveness properties, and therefore our approach will integrate ideas from temporal logic, and in particular from TLA. More expressive formalisms will be considered as necessary for the systems considered, without giving up the basic philosophy of describing models in terms of few orthogonal concepts. 4.1.2

Proof engineering

Proof-oriented system development requires proofs to be associated with every model, and consequently proofs become an artifact that must be maintained during system development, and possibly even across projects. Beyond the mere assurance of correctness, proofs serve as documentation and explanation of the development process and must be accessible for validation and inspection during

19

reviews. We therefore expect typical software engineering problems to appear at the level of proofs. Such issues of “proof engineering” have so far been considered only superficially by the formal-methods and verification communities. Declarative proofs. Current interactive theorem provers are mostly restricted to a machine-oriented language of proofs, comparable to the level of assembly languages. A proof is entered as a sequence of commands that can be replayed to verify the assertion but is usually incomprehensible on its own. The only facilities available to the user of introducing structure into a verification effort are to assert intermediate lemmas and theorems. This is even more true of automatic theorem provers and model checkers where the “level of granularity” is dictated by the problem size that can be verified automatically by the tool. On the other hand, proof objects generated and stored by the prover (if at all) are represented at a level of detail that makes it easy to check the correctness of the proof by machine, but are not externally meaningful. We therefore view the structure and presentation of proofs as an interesting research problem. Issues that need to be considered are structuring facilities, hierarchy, and declarative vs. operational views intended for presentation and machine checking. Existing projects such as MBase/OmDoc [43] attempt to provide an interchange format for mathematical objects between various tools, but do not address the issues of proof. Implemented, declarative proof languages such as Mizar [64] and Isabelle/Isar [76], on the other hand, are tied to their respective theorem provers, and do not take into account interchange between several tools. A related problem is that of providing the developers with a friendly and productive interface to actually carry out the verification tasks, and let them be distributed among the members of a development team. Within the ADHOC project (see section 4.3.3), a conceptual study of the proof process has been carried out, resulting in a new interface to the B prover whose effectiveness has been demonstrated with the help of several case studies. Change management. Experience dictates that system requirements change throughout the development process, and that existing designs are retrofitted to accomodate new features. In proof-oriented system development, it would in principle be necessary to repeat the entire verification to ensure the correctness 20

of the modified model, which will be unacceptably costly. However, a precise proof provides the structure necessary to trace which parts of the development are affected. This will not only help to limit the amount of re-verification but can, more importantly, be useful to assess the feasibility of the proposed change by pointing out unanticipated effects on the overall design. Genericity and reusability. The component-based approach to software development emphasizes the design of generic and reusable components, which are instantiated in different projects, or even within a single project. A similar concept underlies the concept of design patterns where entire designs are being parameterized and reused. In our approach, we expect reusable components and designs to be expressed in the form of parameterized theories, whose parameters are constrained by formulas of appropriately expressive logics. Reuse then requires the parameters to be instantiated and the associated proof obligations to be discharged. We have already successfully experimented these ideas to some extent in the context of process automation [45], but they will have to be put on a firmer and more general basis. 4.1.3

Refinement and abstraction for particular system models

B and TLA+ , the two formalisms on which our work is based, have been designed for the specification and development of standard reactive and distributed systems. As such, they do not include notations and concepts for specific classes of systems. Even in cases where system models can be expressed in the base languages, it may nevertheless be appropriate to identify abstraction and/or refinement notions that are particularly relevant for specific classes of systems, for example to obtain a higher degree of automation. For example, abstraction methods for the automated verification of parameterized systems have been successfully studied in the literature [1, 5, 23]. Focussing on embedded systems and hardware-software codesign, we expect to apply refinement-based system development to the development of real-time systems where functional requirements at an abstract level of description are implemented by relying on timing assumptions. We also intend to study the specification and refinement of mobile systems.

21

In contrast to existing calculi for modelling mobile systems such as the π calculus [57, 68] or the Ambient, Join or Seal Calculi [14, 25, 75], we intend to work on a TLA-based logic that allows a more declarative specification of systems that employ mobility of code. Beyond a conventional description of an action system, the topology of nodes and its evolution is an essential part of the specification of a mobile system. In preliminary work [79] we have identified three basic refinement principles for mobile systems and have suggested an appropriate, spatio-temporal logic. It remains to validate these concepts at the hand of suitable case studies, to study the properties of the proposed logic (expressiveness, axiomatizability, and decidability problems) and to integrate it into our overall approach.

4.2

Notation and tools

The more conceptual research described in the previous section will be complemented, and largely driven, by work aiming at more tangible results, which we describe in the following. This line of research is concerned with developing concrete, user-friendly notation and tools to experiment our approach. We are also interested in applying proof-oriented development within standard, semi-formal approaches to system design. We often validate our concepts at the hand of classical distributed algorithms that we use in teaching. 4.2.1

Predicate diagrams

Visual representations and models are routinely used by engineers in system design. There have also been proposals for visual representations of proofs, including proof lattices [60], proof charts [20, 29], and proof diagrams [51, 52]. In previous work [12, 13], we have defined the concept of predicate diagrams as a framework to represent and visualize predicate abstractions [50] for reactive systems. A predicate diagram represents a reactive system as a finite statetransition system whose nodes and edges are labelled with state predicates and action names. Thus, a node of a predicate diagram identifies a set of states via its characteristic predicate, whereas the edges describe permissible transitions. In order to characterize liveness as well as safety predicates, fairness conditions may be imposed on actions, and edges may carry annotations that indicate descent with respect to well-founded orderings. 22

For a developer, predicate diagrams resemble standard state-machine notation that is routinely used in system design. On the examples we have considered, we have found them to significantly aid the understanding and documentation of systems. Moreover, predicate diagrams have a precise semantics; in fact, as a verification formalism, they enjoy the same (relative) completeness properties as traditional deductive verification rules. Because they separate clearly between aspects concerning individual states or state transitions and aspects of temporal behavior, predicate diagrams (and predicate abstractions in general) constitute a natural interface between verification tools such as interactive and automatic theorem provers, methods of abstract interpretation, and model checkers. In particular, all temporal reasoning necessary to verify liveness properties is performed by model checking. We have also defined refinement notions for predicate diagrams and have used them to derive some basic distributed algorithms. Notably, fairness properties at the abstract level may be implemented by a mix of low-level fairness and ordering annotations; the correctness of the refinement is again verified by model checking. We intend to continue this line of research. In particular, we intend to define a notion of hierarchy and decomposition, perhaps resembling orthogonal regions in Harel’s Statecharts formalism [33], in order to effectively represent larger-scale systems. It also appears interesting to define specific kinds of abstractions tailored to particular classes of systems, such as parameterized and real-time systems. Finally, we are interested in presenting given formal models, say in the B formalism, as predicate diagrams (via user-defined abstractions). In the context of the DIXIT project (see section 4.3.2), a prototype tool has been developed that allows the user to draw a predicate diagram, generate proof obligations with respect to a given TLA+ specification, and apply a theorem prover (the B prover) and a model checker (Spin) to verify these proof obligations. We intend to continue to develop this implementation. In particular, we would like to compute a predicate diagram from a given TLA+ specification and user-defined predicate abstractions via abstract interpretation rather than prove its correctness a posteriori. We also would like to add support for different back-end provers and model checkers. Moreover, the current version lacks support for the top-down development of systems based on refinement.

23

4.2.2

Integration with Semi-Formal Approaches

As described in section 3.4, semi-formal notation is widely being used today to design and communicate system models. Aiming at a transfer of proof-oriented development to actual development projects where full-scale verification is neither cost-effective nor relevant except for restricted application areas, our methods should be applicable in varying degree of rigor, and they should integrate smoothly with standard notations and processes. Considering the evolution of semi-formal development methods, we observe a tendency to produce more intermediate models of the system under development. The Unified Modeling Language (UML), today’s most widely accepted software engineering notation, provides a multitude of diagrammatic notations that emphasize different aspects of systems and are appropriate in different phases of analysis and design. The diverse diagrams representing a system should be coherent; however, current UML editors at best perform limited syntactic checks. In our belief, this presents an excellent opportunity to employ formal analysis techniques to detect inconsistencies at relatively early design stages. Within the context of our project, we will concentrate on state machine and interaction (i.e., sequence and collaboration) diagrams that focus on the dynamics of system execution. Section 4.3.4 describes a prototype tool that we have developed to model check UML state machines against interaction diagrams. Conversely, it also appears useful to visualize B or TLA+ models as Statecharts: besides a more intuitive representation, this would allow to apply state-space analysis techniques. Going a step further, it appears promising to define a notion of refinement for these types of diagrams (extended by Live Sequence Charts [21]). In fact, the recent suggestion of Model Driven Architecture [55] endorsed by the OMG proposes to distinguish platform-independent and platform-dependent models, and to maintain explicit mappings in-between. The concepts of abstraction and refinement are emphasized as the keys to integration and interoperability. Although the usage of these terms in this context is strictly more specialized than ours, it certainly demonstrates a convergence of ideas and terminology, and encourages us to intensify the transfer of our techniques to semi-formal notation. We believe that the experience that we have gained in defining refinement notions for predicate diagrams will be useful to define refinement of UML Statecharts.

24

4.2.3

Pedagogical Applications

We have found the development of algorithms and systems by means of refinement to be extremely effective in helping to understand how and why the design accomplishes its goals, and have used refinement-based expositions in our lectures. We would like to continue the retrospective application of refinement concepts to classical algorithms for distributed systems and eventually envisage to write a “Handbook of formally developed distributed algorithms”. Besides the value of such a collection in the classroom, we believe that it could contribute to understanding the beauty of many of the classical solutions, their commonalities and distinctive features, and indicate a number of design patterns to follow in the design of new distributed algorithms.

4.3

Applications

Our goal of making proof-oriented techniques usable in actual system development obviously requires experimentation on realistic, medium-scale case studies. This leads us to develop or adapt prototype tools that help to discharge proof obligations that arise during refinement-based system development. This line of research will initially be carried out within existing operations of our group, although we expect new applications to emerge during the duration of the project. By way of example, we now describe the applications and tools that are being developed within the current operations. 4.3.1

Project RNRT EQUAST

The project EQUAST aims to define, to develop and implement a system on chip (SoC) providing a way to evaluate the quality of service in the domain of digital video broadcasting. Standardisation committees (DVB/ETSI) recommend the use of certain parameters and their analysis techniques, as described in the standard TR 101 290. These techniques for analysing signals of DVB are not available in existing measuring equipment, mainly because the analyses are complex. The goal is to build an architecture able to provide a tool for analysing signals, and our team is mainly involved in the development of a formal model of the system. We explore the applicability of successive refinement for developing the chip. We

25

are studying issues concerning the codesign and mapping techniques related to VHDL. The project is carried out jointly between THALES B&M as the partner from industry, the research center TDF, the laboratory LIEN in electronics, and our group. 4.3.2

Project DIXIT

DIXIT is a two years old project whose goal is to provide an effective tool environment for the application of predicate diagrams, cf. section 4.2.1. The project is supported within the chapter Qualité et Sûreté du Logiciel of the regional and national initiative PRST Intelligence Logicielle. We have developed a first prototype that allows to generate the necessary proof obligations for submission to the B prover, as well as to run model checkers to establish the desired property from the predicate diagram. We intend to further develop this prototype, and in particular apply abstract interpretation techniques as well as support the refinement of predicate diagrams. We conjecture that predicate diagrams can also be a useful basis for analysing and refining statechart diagrams of UML and to understand distributed systems, and we intend to substantiate this conjecture in future work. Within this project, we also intend to collaborate with the group led by Leslie Lamport and Yuan Yu at Microsoft Research on the further development of the TLC analysis tool for the specification language TLA+ . 4.3.3

Project ADHOC

Within this project, which is again carried out within the chapter Qualité et Sûreté du Logiciel of the PRST Intelligence Logicielle and in collaboration with the company ClearSy, we are developing methods and tools for promoting the use of formal method-based engineering in different domains of industry and education. As a first result, an ergonomic interface has been developed within XE MACS that emphasizes the subset of tools (proof methods and commands) of the interactive proof component of Atelier B that are most relevant for the current development step. The goal is to focus the attention of the developer to the task at hand and to allow a “click-and-prove” style of development. One often-mentioned problem with the use of interactive theorem provers is 26

the fact that a proof may fail simply because of a lack of familiarity with the prover, because of insufficient resources, or because in fact the assertion is not valid. On the other hand, model checkers provide an informative explanation for a failed verification in the form of a counter-example. Within an incremental, refinement-based approach to formal system development, proof obligations tend to be more focused, hence we believe that failure to prove them can be used to guide or correct refinement. Finally, the aspect of modifications introduced during the development process merits careful attention. In particular, the effect of changes should be traceable throughout the design in order to limit the number of proof obligations that need to be reproved, but also to alert the developer to possible inconsistencies introduced by modifications. 4.3.4

Project HUGO

In joint work with Alexander Knapp from the University of Munich we have developed a prototype tool [42, 69] that allows to perform model checking, but also generate code, from UML models. Our tool takes as its input an XMI representation of an UML model, which can be produced by conventional UML editors, and produces either Java classes or models for analysis by the S PIN or U PPAAL model checkers. We intend to integrate this work with the refinement-based approach of our project. This requires, beyond a more precise formalization of the UML semantics, an appropriate definition of refinement of UML models, concentrating on state machine and interaction diagrams (extended by Live Sequence Charts), but also taking into account class diagrams. Similarly to the tool described in section 4.3.2, appropriate proof obligations should be generated and be discharged by either theorem proving or model checking. In this work, we attempt to hide the formal background from the user as much as possible by working entirely at the level of UML. For example, we encourage the use of interaction diagrams instead of temporal logic formulas to describe properties of sets of state machines.

27

5

Scientific Context

The underlying theme of applying formal techniques of description and analysis to systems of realistic scale is common to many research projects. We describe some of the context of our project, emphasizing differences and possible or existing areas of cooperation.

5.1

Neighbor projects within INRIA

Within INRIA, several projects explore the design and application of formal methods to system development. We first list those projects that we believe to be most related to our work and with which we already collaborate or seriously envisage to collaborate in the near future. A second subsection lists projects that address related topics and where fruitful discussions may be expected in the longer term. 5.1.1

Closely related INRIA projects

LOGICAL. This project develops the Coq proof environment, designed for the specification and verification of safety-critical systems. The focus is on typetheoretical and computational foundations of the notion of mathematical proof itself. Common points of interest include notably the development of structured, generic theories and reuse of developments, as well as interfaces to interactive provers and proof languages. LEMME. The goal is to introduce and develop formal methods for the construction of safe software, targeting scientific computing software and Smartcard designs. The focus of the work is on verification and on the formalization of complex mathematical theories, including computer arithmetic, whereas our project emphasizes methodological aspects of refinement in the development of distributed and reactive systems. The two projects are therefore complementary; for example, arithmetical reasoning is fundamental to most systems. A common point of interest is the issue of interfaces to interactive provers, exemplified by the pCoq interface developed in the LEMME project.

28

TRISKELL. The project studies UML-based models of distributed systems with quality of service constraints, as well as the assembly of such systems from pre-existing components using industry-standard frameworks such as CORBA or JavaBeans. Notably, the tool UMLAUT for simulation and model checking UML specifications has been developed within the project. Common subjects of interest include the semantic foundations of UML, but also on refinement notions for UML models. MOSCOVA. The focus in on the design, compilation, and semantics of concurrent and functional languages for distributed environments. While technically working in a language-centric setting, there is an overlap with our project in the design of key abstractions for the description and analysis of mobile systems. 5.1.2

INRIA projects with potential overlap

LANDE. This project investigates techniques for the design and validation of software systems, based on the specification or extraction of partial views of the architecture and dynamic behavior of software. One of the central issues, shared with our project, is to establish the coherence of these views, preliminary to code generation. The development techniques are mainly centered around executable code (aspect oriented programming, test case generation, static analysis etc.), although it is also envisaged to apply techniques of static analysis and verification. Thus, our approach introduces formal models earlier, while LANDE is more concerned about the final product. The two projects are natural partners on topics such as (automatic) validation and analysis. VASY. The project aims at description languages and associated analysis tools for safety-critical systems. The focus is on efficient techniques of model checking and compilation, based on process algebra formalisms. Our approach uses such tools to automatically discharge proof obligations, in particular when refining fairness and liveness properties. VERTECS. The work aims at improving the quality of reactive systems via test case generation and controller synthesis, starting from formal specifications. The

29

focus is on marrying techniques developed in the fields of model checking and discrete-event systems. OASIS. Topics of interest are fundamental principles, techniques, and tools for the development of distributed, Internet-related applications. The emphasis rests on providing a sound semantical basis for distributed object-oriented programming languages and concepts. We share interest on the description of mobile systems. ESPRESSO. Within this project, formal methods are applied to the design of synchronous languages and systems. The overlap with MOSEL concerns the application of abstract interpretation to model checking infinite-state systems, although the focus of ESPRESSO is on verification rather than development by refinement. REFLECS. Our project shares some of its motivation with the former INRIA project REFLECS where the notion of “proof-based system engineering” [47] was coined. Although that designation could equally well be used to describe the work that we propose, REFLECS focussed principally on quantitative aspects of system engineering, whereas we are mainly concerned with correctness (which, however, may include performance properties when explicitly stated). To summarize, there are many points of interaction and common interest with existing INRIA projects. What sets MOSEL apart is its focus on refinement as the prime basis for system development, allowing interesting properties to be established very early during the development cycle and preserved all the way to the final product.

5.2

Local context

MOSEL actively contributes to the Qualité et Sureté du Logiciel (QSL) chapter of the PRST Intelligence Logicielle project of Région Lorraine by developing the scientific operations DIXIT, ADHOC, and XProve (see also section 4.3). DIXIT develops techniques and tools related to predicate diagrams. ADHOC focuses activities on the development of systems on chip and the improvement of proof 30

techniques related to the B method. XProve explores the implementation of a prototypical proof language as a means to federate different automatic and interactive provers in larger verification efforts. The QSL operations involve others local partners, including a team led by Jean-François Pétin and Hervé Panetto of the CRAN laboratory on modelling aspects, a team led by Serge Weber of the LIEN laboratory on the development of systems on chip, the TYPES team of the LORIA laboratory on mobility, and the DEDALE team of the LORIA laboratory on UML and the translation of UML into B. Overall, different research teams participate in the QSL chapter, comprising roughly 100 participants interested in questions of software quality and safety. The CASSIS project studies techniques for the verification of infinite-state systems, including protocols for cryptography and e-commerce. MIRO is concerned with the semantics and verification of object-oriented and distributed languages, based on concepts of type theory. PROTHEO investigates rewriting techniques, constraint solvers, and automatic proofs of correctness properties.

5.3

National context

Outside INRIA, there are again many research projects that are clearly related. In order to avoid an exhaustive listing, we only highlight those that we believe to be most relevant to our work. B community. The national B community is organized in a working group of GDR ALP of the STIC department of CNRS, but it also maintains strong links with researchers abroad. We participate actively in the dissemination of new results on B in the working group (D. Cansell is a correspondant of one of its operations), especially on the event-based variant of B. Work is done in cooperation with J.-R. Abrial and the ClearSy company. Many people of the B community are also working in the AFADL group, which is mainly involved in research on the integration of formal and semi-formal methods. The laboratory VERIMAG. This is a leading research center in the area of embedded systems. The laboratory has produced many techniques and tools for improving the quality of software and enjoys an excellent reputation in France 31

and in the world. We consider similar domains of applications, namely avionics/aeronautics, space, transport, automotive, telecommunications, smart cards, consumer electronics. Embedded systems are composed of hardware and software components specifically designed for controlling a given application device. Researchers of this laboratory have also studied techniques of abstraction, and we foresee interactions on techniques for improving the automation of verification, for instance based on our predicate diagrams. A difference in focus is that we emphasize the construction of correct system by a series of models related by refinement over verification; nevertheless, many of the underlying concepts are the same. The laboratory LSV. This is again a leading research institute in the domain of verification of software and systems. We mainly share interests about theoretical aspects of temporal logics and automata theory, which underly our program. The principal difference is our emphasis on relatively small refinement steps rather than on verification based on full-scale abstraction of complete (and complex) system specifications. The laboratory LABRI. We have good relationships with members of the team “Modélisation, vérification et test de systèmes informatisés”, which develops research on topics related to verification and modelling for safety critical systems. Their work is focused on verification and more recently on automatic synthesis; again, refinement is not included as a main concept. The laboratories LIENS and LIX. The teams of P. and R. Cousot have developed the theory of abstract interpretation for software-based systems. It is a clear and powerful mathematical framework for analysing (a posteriori) existing systems, which require further validation. In our project, we use techniques of abstract interpretation to generate predicate diagrams from given system specifications, but our main focus is on analysing the path of development from abstract to concrete models rather than from concrete to abstract. We view both approaches as being complementary in a scientific sense. Practically, the main intention of abstract interpretation is to supply automatic analysis of systems rather than assisted ones like refinement. 32

The project FERIA. It coordinates activities of the three laboratories LAAS, CERT, and IRIT located at Toulouse. The synergy leads to promote horizontal actions like the “Spécification et Vérification Formelles” group. We have common interests in notations and techniques. Earlier projects, such as TOOLUSE, have also considered formal assistance to the development of systems.

5.4

International context

It is impossible to attempt to give an exhaustive list of research projects that work on subjects related to the MOSEL project. We describe some of the work of groups that appear to us to be most relevant, and with which we have already established or foresee good working contacts. 5.4.1

Refinement and action systems

The seminal work on the refinement was developed by R. Back, who defines a refinement relationship based on the predicate transformers semantics of Dijkstra. The group of Back is clearly a leading research group on refinement; they also work on the B method and on applications of refinement to object-oriented systems and UML specifications. We plan to develop more formal cooperation with the group; we already cooperate indirectly with respect to the B event-based approach of J.-R. Abrial and on UML. Work on abstract systems refinement extends the scope of the B method; Butler analyses the relationship between B and UML. Formalisms like UNITY or TLA formalize the refinement of traces in logical frameworks; our work will extend the scope of these approaches and we are actively cooperating with the authors of these formalisms. Collaboration with B. Sanders will increase and will mainly concern development of distributed systems. 5.4.2

Theory of abstractions

Techniques for abstracting software systems are developed in the abstract interpretation frameworks initially developed by P. and R. Cousot. The approach consists in computing abstract models from existing systems, without regard to how these have been developed. Abstract interpretation provides automatic techniques

33

for computing abstractions in order to discover bugs. In a technical sense, our approach is dual to abstract interpretation, but their combination can be useful. We have used abstract interpretation for computing predicate diagrams as abstractions of reactive systems. Similar approaches are now widely used, including the groups led by Dill or Henzinger. They also underly most of the work in the software model checking community, including the Bandera and Java PathExplorer projects. 5.4.3

Formal Engineering and System Engineering

Our project contributes to the dissemination of formal system development methods such as B, Z or TLA+ , which attempt to apply techniques based on logics and mathematics to problems of software and systems engineering. Thus, we do not consider empirical techniques for measuring and improving system quality [59, 72], and we do not primarily focus on programming paradigms such as object-oriented or aspect-oriented programming. Instead, we want to concentrate on the underlying concepts. Of course, formal methods are not a panacea, and they have to be complemented by general engineering techniques. Major projects in formal engineering include the Interdisciplinary Research Collaboration on Dependability of Computer-Based Systems led by Cliff Jones, which gathers researchers of different scientific domains (thus not only “formalists”) and a major proposed EU project managed by Dines Bjørner, which intends to unify notations and techniques for improving engineering techniques not limited to computer or computing engineering. Both projects are obviously of broader scope than ours. A common interest is the focus on issues of methodology, beyond pure mathematical formalism. The precise UML group intends to define formal semantics for UML models, including the OCL constraint language, sharing our view that UML’s semantics (and refinement notion) deserves further study, always in the light of its pragmatics. We are actively collaborating with the programming and software engineering group at the University of Munich on UML semantics and tools, and on calculi and refinement of mobile systems. A similar intention, but focussing more on programming languages, is pursued by the Java Markup Language defined by Leavens and others, as well as the Alloy project headed by Daniel Jackson.

34

Many research groups intend to apply formal methods to real-scale applications; we have already joint research projects wit Ganesh Gopalakrishnan and Mike Jones from the University of Utah. 5.4.4

Theorem proving

Research in the verification community aimed at applying interactive and automatic provers to the development of hardware and software systems is of great interest to the work proposed here. In particular, work in the PVS (and SAL) community at SRI, Grenoble, and Ulm on the integration of model checking and theorem proving via abstraction is immediately relevant to the work described in section 4.2.1. Whereas this community has emphasized the automatic computation of predicate abstractions, we have focused on taking into account liveness and fairness properties in abstraction-based verification, and intend to base our approach on the notion of refinement. The STeP group at Stanford University pursues an abstraction-based approach that is also based on diagrammatic representations. Partly due to their distinction between system and property specifications, they do not consider questions of refinement. We have good contacts with the Isabelle and KIV groups at Munich and Augsburg, concerning on one hand the formalization of temporal logics and related formalisms and on the other hand questions of genericity and evolution of logical theories. In particular, the KIV prover incorporates a fine-grained mechanism to trace the propagation of changes of theories to descendants in the development graph. At present, our group has mainly experience in applying the B prover and Isabelle. Experience shows that effective use of any theorem prover requires a massive investment. Moreover, we see our rôle mainly as users rather than as developers of theorem provers. Therefore, we mainly envisage interactions on subjects such as the applicability of provers to system development, effective interfaces, and proof languages. Collaboration with G. Hamilton from Dublin City University will be reinforced in a joint proposal on this topic.

35

5.5

Visibility in the scientific community

The principal members of the MOSEL project are actively participating in the scientific community. D. Cansell is mainly interested in the application and further development of the B method. He is also working on theorem proving and on refinement concepts. He has acted in program committees (ZB conferences 2002 and 2003, workshop SFP of FDL’02). He is a consultant in the EU-funded PUSSEE project for the KeesDA company and is closely working with J.-R. Abrial on the B event-based methodology and related tools. He gave an invited talk at SFP 2002, on the development of circuits using the refinement relationship. J. Jaray is interested in the B method, in the development and analysis of hybrid systems, and in case studies. He has acted in program committees (AFADL 2001, . . . ). He is Head of Studies at Ecole des Mines de Nancy. D. Méry is working on the semantics of distributed and reactive systems and adequate formal development methods based on refinement. He has been working on the B and TLA+ methods and their application in case studies and industrial development projects. He has acted in program committees (ICFEM since 1999, RENPAR since 1997, FME 1997, 2001, FMPPTA since 1996, MSR 2003). He was a junior member of the Institut Universitaire de France between 1995 and 2000. He gave invited talks at ZB 2000, IWFM 2000, PSI 2000. He was an expert for Enterprise Ireland projects in 2001 and 2002, and an ITR expert in 2000. S. Merz is interested in temporal logics and their application to system development. He has studied abstraction concepts for an integration of theorem proving and model checking. He has also worked on model checking UML models and on the specification and refinement of mobile systems. He has acted in program committees (MOVEP 2000, 2002, MSR 2003). He gave invited talks at CSDUML, Dresden, 2002 and at the UML theme days, 36

Turku, 2002. He is working with Yuan Yu and Leslie Lamport on TLA+ and the TLC model checker. D. Roegel is interested in logics and semantics for reactive and concurrent systems and has more specifically worked on TLA+ and its relationship to real parallel programs. He is also interested in computer graphics and typesetting.

37

References [1] P. Abdulla, A. Annichini, S. Bensalem, A. Bouajjani, P. Habermehl, and Y. Lakhnech. Verification of infinite-state systems by combining abstraction and reachability analysis. In 11th Intl. Conf. on Computer Aided Verification (CAV’99), volume 1633 of Lecture Notes in Computer Science. SpringerVerlag, 1999. [2] J.-R. Abrial. The B Book — Assigning Programs to Meanings. Cambridge University Press, 1996. [3] R. J. R. Back. A calculus of refinements for program derivations. Acta Informatica, 25:593–624, 1988. [4] F.L. Bauer, H. Ehler, A. Horsch, B. Möller, H. Partsch, O. Paukner, and P. Pepper. The Munich project CIP. Volume II: The transformation System CIP-S, volume 292 of Lecture Notes in Computer Science. Springer-Verlag, 1987. [5] K. Baukus, S. Bensalem, Y. Lakhnech, and K. Stahl. Abstracting WS1S systems to verify parameterized networks. In S. Graf and M. Schwartzbach, editors, Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2000), volume 1785 of Lecture Notes in Computer Science, pages 188–203. Springer-Verlag, 2000. [6] B. Bérard, M. Bidoit, A. Finkel, F. Laroussinie, A. Petit, L. Petrucci, and Ph. Schnoebelen. Systems and Software Verification. Model-Checking Techniques and Tools. Springer-Verlag, 2001. [7] J. A. Bergstra and J. W. Klop. Process algebra for synchronous communication. Information and Control, 60:109–137, 1984. [8] Michel Bidoit and Rolf Hennicker. Behavioural theories and the proof of behavioural properties. Theoretical Computer Science, 165(1):3–55, 1996. [9] Nikolaj Bjørner, Anca Browne, Edward Chang, Michael Colón, Arjun Kapur, Zohar Manna, Henny B. Sipma, and Tomás E. Uribe. STeP: deductivealgorithmic verification of reactive and real-time systems. In Rajeev Alur 38

and Thomas A. Henzinger, editors, Computer Aided Verification: 8th International Conference, volume 1102 of Lecture Notes in Computer Science, pages 415–418. Springer-Verlag, 1996. See also the STeP home page at http://www-step.stanford.edu/. [10] E. Börger. The Origins and the Development of the ASM Method for High Level System Design and Analysis. Journal of Universal Computer Science, 8(1):2–74, 2002. [11] Achim D. Brucker and Burkhart Wolff. A proposal for a formal OCL semantics in Isabelle/HOL. In C. Muñoz, S. Tahar, and V. Carreño, editors, Theorem Proving in Higher Order Logics, number 2410 in Lecture Notes in Computer Science, pages 99–114. Springer-Verlag, Hampton, VA, USA, 2002. [12] D. Cansell, D. Méry, and S. Merz. Diagram refinements for the design of reactive systems. Journal of Universal Computer Science, 7(2):159–174, 2001. [13] Dominique Cansell, Dominique Méry, and Stephan Merz. Predicate diagrams for the verification of reactive systems. In 2nd Intl. Conf. on Integrated Formal Methods (IFM 2000), volume 1945 of Lecture Notes in Computer Science, pages 380–397, Dagstuhl, Germany, November 2000. Springer-Verlag. [14] Luca Cardelli and Andrew Gordon. Mobile ambients. Theoretical Computer Science, 240:177–213, 2000. [15] María Victoria Cengarle and Alexander Knapp. A formal semantics for OCL 1.4. In M. Gogolla and C. Kobryn, editors, 4th Intl. Conf. on UML, volume 2185 of Lecture Notes in Computer Science, pages 118–133. SpringerVerlag, 2001. [16] K. Mani Chandy and Jayadev Misra. Parallel Program Design. AddisonWesley, Reading, Mass., 1988. [17] Edmund M. Clarke, Orna Grumberg, and Doron Peled. Model Checking. MIT Press, Cambridge, MA, 1999. 39

[18] P. Cousot and R. Cousot. Refining model checking by abstract interpretation. Automated Software Engineering, 6(1):69–96, January 1999. [19] Patrick Cousot and Radhia Cousot. Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In 4th ACM Symp. on Principles of Programming Languages (POPL’77), pages 238–252, Los Angeles, California, 1977. ACM Press. [20] Radhia Cousot. Fondements de méthodes de preuve d’invariance et de fatalité de programmes parallèles. PhD thesis, INPL, 1985. [21] Werner Damm and David Harel. LSCs: Breathing Life into Message Sequence Charts. Formal Methods in System Design, 19(1):45–80, 2001. [22] E. Allen Emerson. Handbook of theoretical computer science, chapter Temporal and modal logic, pages 997–1071. Elsevier Science Publishers B.V., Amsterdam, 1990. [23] E. Allen Emerson and Kedar S. Namjoshi. Automatic verification of parameterized synchronous systems. In R. Alur and T. Henzinger, editors, 8th International Conference on Computer Aided Verification (CAV’96), Lecture Notes in Computer Science. Springer-Verlag, 1996. [24] National Coordination Office for Information Technology Research and Development. High confidence software and systems research needs. http: //www.ccic.gov/pubs/hcss-research.pdf, 2001. [25] Cédric Fournet and Georges Gonthier. The reflexive chemical abstract machine and the join-calculus. In Proc. 23rd ACM Symp. on Principles of Programming Languages (POPL’96), pages 372–385, St. Petersburg Beach, Florida, 1996. ACM. [26] Stephen J. Garland and John V. Guttag. A guide to LP, the Larch Prover. Report 82, DEC Systems Research Center, Palo Alto, CA, December 1991. [27] Joseph Goguen, Timothy Winkler, José Meseguer, Kokichi Futatsugi, and Jean-Pierre Jouannaud. Introducing OBJ. In Joseph Goguen and Grant Malcolm, editors, Software Engineering with OBJ: algebraic specification in action, page 103 pages. Kluwer Academic Publishers, 2000. 40

[28] Susanne Graf and Hassan Saidi. Construction of abstract state graphs with PVS. In Orna Grumberg, editor, Computer Aided Verification: 9th International Conference, volume 1254 of Lecture Notes in Computer Science, pages 72–83. Springer-Verlag, 1997. [29] E. P. Gribomont. Design, verification and documentation of concurrent systems. In C. Morgan and J. C. P. Woodcock, editors, 4th BCS-FACS Refinement Workshop, pages 360–377, 1991. [30] The VDM-SL Tool Group. Users Manual for the IFAD VDM-SL tools. The Institue of Applied Computer Science, December 1994. http://www.ifad. dk/Products/vdmtools.htm. [31] Y. Gurevich. Evolving Algebras 1993: Lipari Guide. In E. Börger, editor, Specification and Validation Methods, pages 9–36. Oxford University Press, 1995. [32] John V. Guttag and James J. Horning, editors. Larch: Languages and Tools for Formal Specification. Texts and Monographs in Computer Science. Springer-Verlag, 1993. With Stephen J. Garland, Kevin D. Jones, Andrés Modet, and Jeannette M. Wing. [33] David Harel. Statecharts: A Visual Formalism for Complex Systems. Science of Computer Programming, 8(3):231–274, 1987. [34] Rolf Hennicker and Michel Bidoit. Observational logic. In 7th Intl. Conf. on Algebraic Methodology and Software Technology, volume 1548 of Lecture Notes in Computer Science, pages 263–277. Springer-Verlag, 1998. [35] C.A.R. Hoare. Communicating Sequential Processes. Prentice Hall International, 1985. [36] CoFI: The Common Framework Initiative. Casl – the common algebraic specification language. http://www.brics.dk/Projects/CoFI/, 1997– 2002. [37] Michael Jackson. Problem Frames: Structuring and Analyzing Software Development Problems. Addison-Wesley, 2000. 41

[38] Ivar Jacobson, Magnus Christerson, Patrik Jonsson, and Gunnar Övergaard. Object-Oriented Software Engineering: A Use Case Driven Approach. Addison-Wesley, Wokingham (England), 1992. [39] Cliff B. Jones. Systematic Software Development Using VDM. Prentice-Hall International, Englewood Cliffs, New Jersey, second edition, 1990. ISBN 013-880733-7. [40] Matt Kaufmann, Panagiotis Manolios, and J Strother Moore. ComputerAided Reasoning: An Approach. Kluwer Academic Publishers, 2000. See also the ACL2 home page at http://www.cs.utexas.edu/users/moore/ acl2/. [41] Y. Kesten and A. Pnueli. Modularization and abstraction: The keys to practical formal verification. In 23rd Intl. Symp. Mathematical Foundations of Computer Science (MFCS’98), volume 1450 of Lecture Notes in Computer Science, pages 54–71. Springer-Verlag, 1998. [42] Alexander Knapp, Stephan Merz, and Christopher Rauh. Model checking timed UML state machines and collaborations. In W. Damm and E.-R. Olderog, editors, 7th Intl. Symp. on Formal Techniques in Real-Time and Fault Tolerant Systems (FTRTFT 2002), volume 2469 of Lecture Notes in Computer Science, pages 395–414, Oldenburg, Germany, September 2002. Springer-Verlag. [43] Michael Kohlhase and Andreas Franke. Mbase: Representing knowledge and context for the integration of mathematical software systems. Journal of Symbolic Computation, 23(4):365–402, 2001. [44] P. Lacan, J.N. Monfort, Le Vinh Quy Ribal, A. Deutsch, and G. Gonthier. The software reliability verification process: The Ariane 5 example. In Proc. DASIA 98 – Data Systems in Aerospace, Athens, Greece. ESA Publications, SP-422, May 25–28 1998. [45] P. Lamboley, J.-F. Pétin, and D. Méry. Towards a formal engineering framework for process automation. In Seventh IEEE Intl. Conf. on Emerging Technologies and Factory Automation (EFTA’99), pages 1167 – 1175. IEEE, October 1999. 42

[46] Leslie Lamport. The Temporal Logic of Actions. ACM Transactions on Programming Languages and Systems, 16(3):872–923, May 1994. [47] Gérard Le Lann. Proof-based system engineering and embedded systems. In G. Rozenberg and F. Vaandrager, editors, Lectures on Embedded Systems, volume 1494 of Lecture Notes in Computer Science, pages 208–248. Springer-Verlag, 1998. [48] D. Latella, I. Majzik, and M. Massink. Automatic verification of a behavioural subset of uml statechart diagrams using the spin model-checker. Formal Aspects of Computing, 11(6):637–664, 1999. [49] Project Logical. The Coq proof assistant. http://coq.inria.fr/. [50] Claire Loiseaux, Susanne Graf, Joseph Sifakis, Ahmed Bouajjani, and Saddek Bensalem. Property preserving abstractions for the verification of concurrent systems. Formal Methods in System Design, 6:11–44, 1995. [51] Zohar Manna and Amir Pnueli. The temporal logic of reactive and concurrent systems—Specification. Springer-Verlag, New York, 1992. [52] Zohar Manna and Amir Pnueli. The temporal logic of reactive and concurrent systems—Safety properties. Springer-Verlag, New York, 1995. [53] Stephan Merz, Júlia Zappe, and Martin Wirsing. A spatio-temporal logic for the specification and refinement of mobile systems. In Mauro Pezzè, editor, Fundamental Approaches to Software Engineering (FASE 2003), Lecture Notes in Computer Science, Warsaw, Poland, April 2003. Springer-Verlag. To appear. [54] José Meseguer. Rewriting logic and maude: A wide-spectrum semantic framework for object-based distributed systems. In Formal Methods for Object-Oriented Distributed Systems (FMOODS 2000), pages 89–117. Kluwer, 2000. [55] Joaquin Miller and Jishnu Mukerji (eds.). Model driven architecture. Technical Report ormsc/2001-07-01, Object Management Group, July 2001. http://www.omg.org/mda. 43

[56] Robin Milner. A Calculus of Communicating Systems. Prentice-Hall, London, 1989. [57] Robin Milner. Communicating and Mobile Systems: the π-Calculus. Cambridge University Press, 1999. [58] Jayadev Misra. New UNITY. Available from http://www.cs.utexas. edu/users/psp/welcome.html. [59] M. Morisio, C. Seaman, A. Parra, V. Basili, S. Condon, and S. Kraft. Investigating and improving a cots-based software development process. In Proc. 22nd Intl. Conf. Software Engineering (ICSE 2000), Limerick, Ireland, June 2000. [60] Susan Owicki and Leslie Lamport. Proving liveness properties of concurrent programs. ACM Transactions on Programming Languages and Systems, 4(3):455–495, July 1982. [61] Sam Owre, John Rushby, Natarajan Shankar, and Friedrich von Henke. Formal verification for fault-tolerant architectures: Prolegomena to the design of PVS. IEEE Transactions on Software Engineering, 21(2):107–125, 1995. See also the PVS home page at http://pvs.csl.sri.com/. [62] Helmut Partsch. Specification and Transformation of Programs. A Formal Approach to Software Development. Springer-Verlag, 1990. [63] Lawrence C. Paulson. Isabelle: A Generic Theorem Prover, volume 828 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Heidelberg, 1994. See also the Isabelle home page at http://isabelle.in.tum.de/. [64] Piotr Rudnicki and Andrzej Trybulec. On equivalents of well-foundedness. Journal of Automated Reasoning, 23:197–234, 1999. [65] J. Rumbaugh, I. Jacobson, and G. Booch. The Unified Modeling Language Reference Manual. Addison Wesley, 1998. [66] John Rushby. An overview of formal verification for the time-triggered architecture. In W. Damm and E.-R. Olderog, editors, Formal Techniques 44

in Real-Time and Fault-Tolerant Systems, volume 2469 of Lecture Notes in Computer Science, pages 83–105, Oldenburg, Germany, September 2002. Springer-Verlag. [67] J.J.M.M. Rutten. Universal coalgebra: a theory of systems. Theoretical Computer Science, 249(1):3–80, 2000. [68] Davide Sangiorgi and David Walker. The pi-calculus: a Theory of Mobile Processes. Cambridge University Press, 2001. [69] Timm Schäfer, Alexander Knapp, and Stephan Merz. Model checking UML state machines and collaborations. Electronic Notes in Theoretical Computer Science, 55(3):13 pages, 2001. [70] Mike Spivey. The Z Notation: A Reference Manual. Prentice Hall International, Englewood Cliffs, New Jersey, second edition, 1992. [71] Steria Méditerrannée. Atelier B, Version 3.5, Manuel de Référence du Langage B. GEC Alsthom Transport and Steria Méditerrannée and SNCF and INRETS and RATP, 1999. [72] G. Travassos, F. Shull, J. Carver, and V. Basili. Reading techniques for oo design inspections,. Technical Report CS-TR-4353, University of Maryland, Department of Computer Science, April 2002. [73] Kenneth J. Turner, editor. Using formal description techniques — An Introduction to Estelle, LOTOS and SDL. Wiley, 1993. [74] P. H. J. van Eijk, C. A. Vissers, and M. Diaz, editors. The formal description technique LOTOS. Elsevier Science Publishers B.V., Amsterdam, 1989. [75] Jan Vitek and Giuseppe Castagna. Seal: A framework for secure mobile computations. In ICCL Workshop: Internet Programming Languages, pages 47–77, 1998. [76] Markus Wenzel. Isar—a generic interpretative approach to readable formal proof documents. In Y. Bertot et al, editor, TPHOLs’99: 12th International Conference on Theorem Proving in Higher Order Logics, volume 1690 of Lecture Notes in Computer Science. Springer-Verlag, 1999. 45

[77] Martin Wirsing. Algebraic specification. In J. van Leeuwen, editor, Handbook of Theoretical Computer Science, volume B, pages 675–788. Elsevier Science Publishers B.V., Amsterdam, 1990.

46

6

Recent Publications of Project Members

Edition of Books and Monographs [1] D. M ÉRY, G.-R. P ERRIN (ed.). – Dixièmes Rencontres Francophones du Parallélisme (RenPar’10). – ICPS and LORIA, Nancy, June 1998. [2] D. M ÉRY, G.-R. P ERRIN (ed.). – Edition Spéciale Dixièmes Rencontres Francophones du Parallélisme (RenPar’10), Technique et Science Informatique. – Hermès, May 1998. [3] D. M ÉRY, B. S ANDERS (ed.). – Third Intl. Workshop Formal Methods for Parallel Programming: Theory and Applications, IEEE Computer Society Technical Committee, IPPS. – Orlando, Florida, U.S.A., LORIA, Nancy, April 1998. [4] D. M ÉRY, B. S ANDERS (ed.). – Fourth Intl. Workshop Formal Methods for Parallel Programming: Theory and Applications, Lecture Notes in Computer Science, IEEE Computer Society Technical Committee, IPPS. – Puerto Rico, SpringerVerlag, April 1999. [5] D. M ÉRY (ed.). – Second International Workshop on Formal Methods for Parallel Programming: Theory and Applications, IEEE Computer Society Technical Committee, IPPS. – Geneva. Switzerland, LORIA, Nancy, avril 1997. [6] D. M ÉRY (ed.). – Special Issue FMPPTA98, Parallel Processing Letters. – World Scientific, December 1998. [7] D. M ÉRY, B. S ANDERS (ed.). – Special Issue on UNITY, 20, 1. – Kluwer, January 2002.

Doctoral and Habilitation Theses [8] R. C OUTURIER. – Utilisation des méthodes formelles pour le développement de programmes parallèles. – Thèse d’université, Université Henri Poincaré – Nancy1, January 2000. [9] J. JARAY. – Le temps dans le processus de développement des applications informatiques. – Habilitation à diriger des recherches, February 1999.

47

[10] B. M ERMET. – Qualité de service dans une logique temporelle compositionnelle. – Thèse d’université, Université Henri Poincaré – Nancy I, 1998. [11] S. M ERZ. – Logical Description and Analysis of Reactive Systems. – Habilitationsschrift, Ludwig-Maximilians-Universität München, December 2001. [12] Y. M OKHTARI. – Validation des spécifications formelles de la logique temporelle des actions. – Thèse d’université, Nancy, February 2000. [13] D. ROEGEL. – Etude de la sémantique de programmes parallèles «réels» en TLA. – Thèse d’université, Université Henri Poincaré – Nancy I, 1996. [14] D. S AMBORSKI. – Problème d’interaction des services téléphoniques. – Thèse d’université, Université Henri Poincaré – Nancy I, 2000.

Journal Articles and Book Chapters [15] J.-R. A BRIAL , D. C ANSELL , D. M ÉRY. – -A Mechanically Proved and Incremental Development of IEEE 1394 Tree Identify Protocol-. – Formal Aspects of Computing (December 2002). [16] D. C ANSELL , D. M ÉRY, S. M ERZ. – -Diagram Refinements for the Design of Reactive Systems-. – Journal of Universal Computer Science 7, 2 (2001), pp. 159– 174. [17] D. C ANSELL , D. M ÉRY. – -Abstraction and refinement of features-. – In : Language Constructs for Designing Features, S. Gilmore et M. Ryan (ed.). Springer Verlag, 2000. [18] R. C OUTURIER , C. C HIPOT. – -Parallel Molecular Dynamics Using OpenMP on a Shared Memory Machine-. – Computer Physics Communications 124, 1 (January 1999), pp. 49–59. [19] R. C OUTURIER. – -Trois expérimentations parallèles différentes en simulation numérique-. – Technique et Science Informatique (1999). [20] J.-P. G IBSON , D. M ÉRY. – -A Unifying Framework for Multi-Semantic Software Development-. – In : Special Issues in Object-Oriented Programming, M. Mühlhäuser (ed.). Dpunkt, 1997.

48

[21] J.-P. G IBSON , D. M ÉRY. – -Fair Objects-. – In : Object-oriented technology and computing systems re-engineering, H. Zedan et A. Cau (ed.), Computer Science and Electronic Engineering. Horwood Publishing Ltd, 2000. – ISBN 1-89856356-X. [22] P. L ADKIN , L. L AMPORT, B. O LIVIER , D. ROEGEL. – -Lazy Caching in TLA-. – Distributed Computing 12, 2–3 (1999), pp. 151–174. [23] B. M ERMET, D. M ÉRY, D. S AMBORSKI. – -Spécification de services : une approche avec B-. – Technique et Science Informatique 17, 9 (1998). [24] B. M ERMET, D. M ÉRY. – -Spécification de services et gestion des interactions-. – La Lettre B., 2 (April 1997), pp. 6–7. [25] D. M ÉRY. – -Logiques temporelles-. – In : Ecole d’été - Temps réel 1997, C. N. R. S. (ed.). August 1997, p. 17. [26] D. M ÉRY. – -La méthode B : Fondements et Applications-. – In : Ecole d’été Temps réel 1999, C. N. R. S. (ed.). 1999, p. 17. [27] S. M ERZ. – -Model Checking: A Tutorial Overview-. – In : Modeling and Verification of Parallel Processes, F. Cassez (ed.), Lecture Notes in Computer Science, 2067. Springer-Verlag, Berlin, 2001, pp. 3–38. [28] S. M ERZ. – -Model Checking Techniques for the Analysis of Reactive Systems-. – Synthèse 133, 1–2 (November 2002). – Special Issue Foundations of the Formal Sciences. [29] D. ROEGEL. – -Anatomie d’une macro-. – Cahiers GUTenberg, 31 (December 1998), pp. 19–27. [30] D. ROEGEL. – -Anatomy of a macro-. – TUGboat (2001). [31] D. ROEGEL. – -La géométrie dans l’espace avec METAPOST-. – Cahiers GUTenberg 39-40 (May 2001), pp. 107–138. [32] D. ROEGEL. – -METAPOST, l’intelligence graphique-. – Cahiers GUTenberg 41 (November 2001), pp. 5–16. [33] D. ROEGEL. – -Space geometry with MetaPost-. – TUGboat (December 2002).

49

[34] T. S CHÄFER , A. K NAPP, S. M ERZ. – -Model checking UML state machines and collaborations-. – Electronic Notes in Theoretical Computer Science 55, 3 (2001), p. 13 pages.

Conference Papers [35] J.-R. A BRIAL , D. C ANSELL , G. L AFFITTE. – -“Higher-Order” Mathematics in B-. – In : 2nd Intl. Conf. of B and Z Users (ZB 2002), D. Bert, J. Bowen, M. Henson, K. Robinson (ed.), Lecture Notes in Computer Science, 2272, SpringerVerlag, pp. 370–393. – Grenoble, France, January 2002. [36] J.-R. A BRIAL , D. C ANSELL , D. M ÉRY. – -Specification and Design of the Leader Election Protocol of IEEE 1394 -. – In : IEEE 1394 (FireWire) Workshop : International Workshop on Application of Formal Methods to IEEE 1394 Standard, S. Maharaj, J. Romijn, C. Shankland (ed.), University of Stirling. – Berlin, Germany, March 2001. [37] D. C ANSELL , G. G OPALAKRISHNAN , M. J ONES , D. M ÉRY, A. W EIN ZOEPFLEN . – -Incremental Proof of the Producer/Consumer Property for the PCI Protocol-. – In : 2nd Intl. Conf. of B and Z Users (ZB 2002), D. Bert, J. Bowen, M. Henson, K. Robinson (ed.), Lectures Notes in Computer Science, 2272, Springer-Verlag, pp. 22–41. – Grenoble, France, January 2002. [38] D. C ANSELL , J. JARAY, D. M ERY. – -Utilisation de B pour l’aide à la spécification d’un système de diagnostic-. – In : Approches Formelles dans l’Assistance au Développement de Logiciels (AFADL’2001). – Nancy, France, June 2001. [39] D. C ANSELL , D. M ÉRY, S. M ERZ. – -Predicate diagrams-. – In : Workshop on Requirement, Design, Correct Construction, and Verification, M. Cengarle (ed.). – Munich, Germany, April 2000. [40] D. C ANSELL , D. M ÉRY, S. M ERZ. – -Predicate Diagrams for the Verification of Reactive Systems-. – In : 2nd Intl. Conf. on Integrated Formal Methods (IFM 2000), B. Stoddart (ed.), Lecture Notes in Computer Science, 1945, SpringerVerlag, pp. 380–397. – Dagstuhl, Germany, November 2000. [41] D. C ANSELL , D. M ÉRY, S. M ERZ. – -Verifying Reactive Systems Using Predicate Diagrams-. – In : FM-TOOLS’2000, W. Reif, G. Schellhorn (ed.). – Ulm, Germany, July 2000.

50

[42] D. C ANSELL , D. M ÉRY, S. M ERZ. – -Formal Analysis of a Self-Stabilizing Algorithm Using Predicate Diagrams-. – In : Integrating Diagrammatic and Formal Specification Techniques, M. Wirsing (ed.), GI Fachgruppe 0.1.7 Specification and Semantics, pp. 39–45. – Wien, Austria, September 2001. [43] D. C ANSELL , D. M ÉRY, C. TABACZNYJ. – -Abstraction and Refinement of Concurrent Programs and Formal Specification-. – In : Formal Methods for Parallel Programming: Theory and Applications (FMPPTA’2000), D. Méry, B. Sanders (ed.), LNCS, 1800, Springer Verlag. – Cancun, May 2000. [44] D. C ANSELL , D. M ÉRY. – -Interprétation de spécifications temporelles à l’aide d’un outil de preuve-. – In : Approches formelles dans l’assistance au développement de logiciels (AFADL’98), N. Lévy, Y. Ledru (ed.). – September 1998. [45] D. C ANSELL , D. M ÉRY. – -Abstract animator for temporal specifications Application to TLA-. – In : Static Analysis Symposium (SAS’99), G. Filè, A. Cortesi (ed.), LNCS, Springer Verlag. – Venice, Italy, September 1999. [46] D. C ANSELL , D. M ÉRY. – -Playing with abstraction and refinement for managing features interactions – A methodological approach to feature interaction problem. – In : Intl. Conf. of B and Z Users (ZB2000), A. Galloway, B. Stoddart (ed.), Springer-Verlag. – York, August 2000. [47] D. C ANSELL , D. M ÉRY. – -Integration of the proof process in the system development through refinement steps-. – In : 5th Forum on Specification and Design Languages (Workshop SFP in FDL), E. Villar (ed.). – Marseille, France, September 2002. [48] D. C ANSELL , D. M ÉRY, A. W EINZOEPFLEN. – -Modélisation et analyse de la documentation technique d’un système-. – In : Colloque Francophone sur la Modélisation des Systèmes Réactifs (MSR2001), Hermès. – Toulouse, France, October 2001. [49] R. C OUTURIER , B. C OUTURIER , D. M ÉRY. – -A compiler for parallel Unity programs using OpenMP-. – In : Parallel and Distributed Processing Techniques and Applications (PDPTA’99). – July 1999. [50] R. C OUTURIER , D. M ÉRY. – -Coordination of abstract machines-. – In : CSIT’97, Yerevan, Armenia. – September 1997.

51

[51] R. C OUTURIER , D. M ÉRY. – -An experiment in parallelizing an application using formal methods-. – In : Computer-Aided Verification (CAV’98), A. Hu, M. Vardi (ed.), Lecture Notes in Computer Science, Springer-Verlag. – Vancouver, Canada, June 1998. [52] R. C OUTURIER , D. M ÉRY. – -Parallelization of a Monte Carlo simulation of a spins system-. – In : Parallel and Distributed Processing Techniques and Applications (PDPTA’98), H. R. Arabnia (ed.). – Las Vegas, Nevada, U.S.A., July 1998. [53] R. C OUTURIER. – -Formal engineering of the bitonic sort using PVS-. – In : 2nd Irish Workshop in Formal Methods (IWFM’98), A. Butterfield, S. Flynn (ed.). – Cork, Ireland, July 1998. [54] R. C OUTURIER. – -Parallélisation d’une simulation Monte Carlo d’un système de spins et preuve-. – In : Dixièmes Recontres Francophones du Parallélisme (RenPar’10), D. Méry, G.-R. Perrin (ed.). – Strasbourg, France, June 1998. [55] J.-P. G IBSON , G. H AMILTON , D. M ÉRY. – -Integration Problems in Telephone Feature Requirements-. – In : Integrated Formal Methods (IFM’99), A. Galloway, K. Taguchi (ed.), Lecture Notes in Computer Science, Springer-Verlag. – York, U.K., June 1999. [56] J.-P. G IBSON , G. H AMILTON , D. M ÉRY. – -Composing Fair Objects-. – In : Intl. Conf. Software Engineering Applied to Networking and Parallel/ Distributed Computing (SNPD ’00), H. Fouchal (ed.), IEEE. – Reims, France, May 2000. [57] J.-P. G IBSON , G. H AMILTON , D. M ÉRY. – -A Taxonomy for triggered interactions using fair objects semantics-. – In : Sixth Intl. Workshop Feature Interactions in Telecommunications and Software Systems (FIW’00), M. Calder, E. Magill (ed.). – Glasgow, Scotland, United Kingdom, May 2000. [58] J.-P. G IBSON , B. M ERMET, D. M ÉRY. – -Feature Interactions: A Mixed Semantic Model Approach-. – In : 1st Irish Workshop on Formal Methods, G. O’Regan, S. Flynn (ed.), Irish Formal Methods Special Interest Group (IFMSIG), SpringerVerlag. – Dublin, Ireland, July 1997. [59] J.-P. G IBSON , D. M ÉRY, Y. M OKHTARI. – -Animating formal specifications: a telephone simulation case study-. – In : 13th European Simulation Multiconfer-

52

ence, The International Society for Computer Simulation, pp. 139–145. – Warsaw, Poland, June 1999. [60] J.-P. G IBSON , D. M ÉRY. – -Telephone Feature Verification: Translating SDL to TLA+-. – In : Eighth SDL Forum Evolving Methods, North-Holland. – Evry, France, 1997. [61] J.-P. G IBSON , D. M ÉRY. – -Always and Eventually in Object Requirements-. – In : Rigorous Object Oriented Methods ROOM2. – Bradford, U.K., 1998. [62] J.-P. G IBSON , D. M ÉRY. – -Fair Objects-. – In : 1st UK Colloquium on Object Technology and System Reengineering (COTSR) in conjunction with Object Technology 98 (OT98), H. Zedan (ed.). – April 1998. [63] J.-P. G IBSON , D. M ÉRY. – -Teaching Formal Methods: Lessons to learn-. – In : Irish Workshop For Formal Methods 1998. – Cork, Ireland, July 1998. [64] P. G IBSON , D. M ÉRY. – -Formal modelling of services for getting a better understanding of the feature interaction problem – a multi-view approach-. – In : Perspectives of System Informatics (PSI’99), Andrei Ershov Third International Conference, Lecture Notes in Computer Science, Springer-Verlag, p. 25. – Novosibirsk, Akademgorodok, Russia, July 1999. [65] L. J EMNI , J. JARAY, A. M AHJOUB. – -Specifying Historical Consequence and Postponed Effect Properties in Real-Time Systems-. – In : IASTED International Conference in Modelling, Identification, and Control. – Innsbruck, Austria, 1999. [66] L. J EMNI , A. M AHJOUB , J. JARAY. – -Historical Consequence and Postponed Effects in Real-Time Systems-. – In : IFAC Intl. Symp. Artificial Intelligence in Real-Time Control. – Kuala Lumpur, Malaysia, September 1997. [67] A. K NAPP, S. M ERZ , C. R AUH. – -Model Checking Timed UML State Machines and Collaborations-. – In : 7th Intl. Symp. Formal Techniques in Real-Time and Fault Tolerant Systems (FTRTFT 2002), W. Damm, E.-R. Olderog (ed.), Lecture Notes in Computer Science, 2469, Springer-Verlag, pp. 395–414. – Oldenburg, Germany, September 2002. [68] P. L AMBOLEY, J.-F. P ÉTIN , D. M ÉRY. – -Towards a formal engineering framework for process automation-. – In : Seventh IEEE Intl. Conf. Emerging Technologies and Factory Automation (ETFA’99), pp. 1167–1175. – October 1999.

53

[69] B. M ERMET, D. M ÉRY. – -Détection d’interactions de services : une approche avec B-. – In : Approches formelles dans l’assistance au développement de logiciels (AFADL97). – Toulouse, France, May 1997. [70] B. M ERMET, D. M ÉRY. – -Incremental Specification of Telecommunication Services-. – In : First IEEE International Conference on Formal Engineering Methods (ICFEM), M. Hinchey (ed.), IEEE. – Hiroshima, Japan, November 1997. [71] B. M ERMET, D. M ÉRY. – -Safe combinations of services using B-. – In : 16th Intl. Conf. Computer Safety, Reliability and Security (SAFECOMP97), Lecture Notes in Computer Science, Springer-Verlag, p. 12. – York, U.K., September 1997. [72] B. M ERMET, D. M ÉRY. – -Service specifications : to B, or not to B-. – In : Second Workshop on Formal Methods in Software Practice, M. Ardis (ed.), ACM Press. – Clearwater Beach, Florida, March 1998. [73] D. M ÉRY, Y. M OKHTARI. – -Validation of formal specifications-. – In : AAAI’99 Fall Symposium. – November 1999. [74] D. M ÉRY, J.-F. P ÉTIN. – -Formal engineering methods for modelling and validation of control systems-. – In : 9th Symp. Information Control Problems in Manufacturing (INCOM 98), G. Morel, F. Vernadat (ed.), IFAC, Elsevier Science Ltd. – Nancy, France, June 1998. [75] D. M ÉRY. – -Requirements for a temporal B : Assigning Temporal Meaning to Abstract Machines . . . and to Abstract Systems-. – In : Integrated Formal Methods (IFM’99), A. Galloway, K. Taguchi (ed.), Lecture Notes in Computer Science. – York, U.K., June 1999. [76] S. M ERZ. – -A User’s Guide to TLA-. – In : Modélisation et vérification des processus parallèles : Actes de l’école d’été, F. Cassez, C. Jard, O. Roux, B. Rozoy (ed.), Ecole centrale de Nantes, pp. 29–44. – Nantes, France, July 1998. [77] S. M ERZ. – -A More Complete TLA-. – In : World Congress on Formal Methods (FM’99), J. Wing, J. Woodcock, J. Davies (ed.), Lecture Notes in Computer Science, 1709, Springer-Verlag, pp. 1226–1244. – Toulouse, France, September 1999.

54

[78] S. M ERZ. – -Weak Alternating Automata in Isabelle/HOL-. – In : Theorem Proving in Higher Order Logics: 13th Intl. Conf. (TPHOLs 2000), J. Harrison, M. Aagaard (ed.), Lecture Notes in Computer Science, 1869, Springer-Verlag, pp. 423– 440. – Portland, Oregon, U.S.A., 2000. [79] S. M ERZ , M. W IRSING , J. Z APPE. – -A spatio-temporal logic for the specification and refinement of mobile systems-. – In : Fundamental Approaches to Software Engineering (FASE 2003), M. Pezzè (ed.), Lecture Notes in Computer Science, Springer-Verlag. – Warsaw, Poland, April 2003. To appear. [80] Y. M OKHTARI , S. M ERZ. – -Animating TLA Specifications-. – In : 6th Intl. Conf. Logic for Programming and Automated Reasoning (LPAR’99), H. Ganzinger, D. McAllester, A. Voronkov (ed.), Lecture Notes in Artificial Intelligence, 1705, Springer-Verlag, pp. 92–110. – Tbilisi, Georgia, 1999. [81] Y. M OKHTARI. – -The invoice system problem in TLA+-. – In : International Workshop on Specification Techniques and Formal Methods, H. Habrias (ed.). – Nantes, France, 1998. [82] O. M OSBAHI , L. J EMNI , S. B EN -A HMED , J. JARAY. – -A Specification and Validation Technique Based on STATEMATE and NLOG-. – In : Formal Methods and Software Engineering: 4th Intl. Conf. Formal Engineering Methods (ICFEM 2002), C. George, H. Mia (ed.), Lectures Notes in Computer Science, 2495, Spinger-Verlag. – Shanghai, China, October 2002. [83] H. PANETTO , J.-F. P ETIN , D. M ÉRY. – -Formalisation of enterprise modelling standards using UML and the B method-. – In : 8th Intl. Conf. Concurrent Enterprising (ICE 2002), pp. 93–101. – Rome, Italy, June 2002. ISBN 0 85358 113 4. [84] J.-F. P ÉTIN , G. M OREL , D. M ÉRY, P. L AMBOLEY. – -Process control engineering: contribution to a formal structuring framework with the B method-. – In : Proc. 2nd Intl. B Conference (B’98), D. Bert (ed.), Springer-Verlag. – Montpellier, France, April 1998. [85] D. ROEGEL. – -Separating Algorithm and Implementation in Refinement of Parallel Program Specifications-. – In : Electronic Proc. BCS-FACS 7th Refinement Workshop – Theory and Practice of System Design, H. Jifeng, J. Cooke, P. Wallis (ed.), Springer-Verlag. – Bath, UK, July 1996.

55

[86] D. ROEGEL. – -METAOBJ : Very High-Level Objects in METAPOST-. – In : 23rd Annual Meeting and Conf. TEX Users Group (TUG 2002). – Trivandrum, India, September 2002. [87] D. S AMBORSKI. – -Stack Service Model-. – In : Language Constructs for Designing Features, S. Gilmore et M. Ryan (ed.), pp. 177–196. – Springer Verlag, 2000.

Course Material [88] F. K RÖGER , S. M ERZ. – Temporale Logik. – Ludwig-Maximilians-Universität München, Third Year Undergraduate Course, 2001, 2002. – http://www.pst. informatik.uni-muenchen.de/lehre/SS01/tl/. [89] D. M ÉRY. – Modèles et Algorithmes. – Université Henri Poincaré, ESIAL Informatique Seconde Année, December 2002. – http://www.loria.fr/~mery/ malg/. [90] S. M ERZ , M. W IRSING. – Grundlagen der Systementwicklung. – LudwigMaximilians-Universität München, Third Year Undergraduate Course, 2000, 2001. – http://www.pst.informatik.uni-muenchen.de/lehre/WS0102/ gse/. [91] S. M ERZ. – Praktikum Modelchecking. – Ludwig-Maximilians-Universität München, Advanced Undergraduate Course, 1999–2001. – http://www.pst. informatik.uni-muenchen.de/lehre/WS0102/mc/.

Research Reports and Internal Publications [92] J.-M. A NTOINE , J.-M. H UFFLEN , D. ROEGEL , K. T OMBRE. – Guide local (LA)TEX du site LORIA Millésime 1996. – Nancy, 1996. [93] P. B ERLIOUX , D. B ERT, M. C HARPENTIER , B. C OULETTE , X. C RÉGUT, L. D U B OUSQUET, M. F ILALI , P. JACQUET, J. JARAY, Y. L EDRU , N. L EVY, P. M AURAN , P. M AURICE , B. M ERMET, F. O UABDESSELAM , G. PADIOU , M.-L. P OTET, P. Q UÉINNEC , S. RONGVIRIYAPANISH , J. S OUQUIÈRES. – Formalisation du Développement de Logiciels : un banc d’essai des méthodes formelles-. – Report, LORIA, Nancy, 1997.

56

[94] D. C ANSELL , J.-P. G IBSON , B. M ERMET, D. M ÉRY. – -Spécification de services dans une logique temporelle compositionnelle-. – Rapport final du marché no 96 1B CNET-CNRS-CRIN, LORIA, Nancy, February 1999. [95] D. C ANSELL , J. JARAY, D. M ÉRY. – -Rapport final de contrat Cifre entre le LORIA et Peugeot SA et de contrat d’expertise sur l’utilisation de la méthode B-. – Report, Peugeot SA, April 2000. [96] D. C ANSELL , J. JARAY, D. M ÉRY. – -Utilisation de B pour l’aide à la spécification d’un système de diagnostic-. – Report, LORIA, Nancy, 2001. [97] D. C ANSELL , D. M ÉRY. – -Développement de fonctions définies récursivement en B : Application du B événementiel-. – Rapport de recherche, LORIA, Nancy, January 2002. [98] J.-P. G IBSON , B. M ERMET, D. M ÉRY. – -Spécification de services dans une logique temporelle compositionnelle-. – Rapport de fin du lot2 du marché no 96 1b cnet-cnrs-crin, LORIA, Nancy, décembre 1997. [99] J.-P. G IBSON , Y. M OKHTARI. – -POTS : An OO LOTOS Specification-. – Rapport de recherche, LORIA, Nancy, 1998. [100] J.-M. H UFFLEN , D. ROEGEL , K. T OMBRE. – Guide local (La)TeX du LORIA – Millésime 1998. – LORIA, Nancy, September 1998. [101] J. JARAY, O. G ALIBERT. – -A Data-Parallel Implementation of the Gauss-Seidel Iteration Method Applied to the Sliding Box Problem-. – Rapport de recherche, INPL, Nancy, April 2000. [102] J. JARAY. – -Fixing Race Condition Errors with Formal Techniques. A Case Study in Concurrent Java Programming-. – Rapport de recherche, INPL, Nancy, April 2000. [103] T. L AMBOLEY, D. M ÉRY, J.-F. P ÉTIN. – -Spécification de la documentation d’exploitation d’une installation de production d’éléctricité-. – Contrat d’étude ard p3136r, CRAN and LORIA, Nancy, June 1999. [104] B. M ERMET. – B Mode Manual. – Centre de Recherche en Informatique de Nancy, Vandoeuvre-lès-Nancy, 1996.

57

[105] S. M ERZ , M. W IRSING , J. Z APPE. – -A Spatio-Temporal Logic for the Specifiation and Refinement of Mobile Systems-. – Rapport de recherche, LORIA, Nancy, October 2002. [106] S. M ERZ. – -On the verification of a self-stabilizing algorithm-. – http://www.pst.informatik.uni-muenchen.de/personen/merz/papers/ dijkstra.ps.gz, 1998. [107] S. M ERZ. – -A More Complete TLA-. – Report, Institut für Informatik, Universität München, Munich, Germany, July 1999. [108] D. ROEGEL , S. S MOLKA. – -Code Generation From Hierarchical Concurrency Specifications-. – Rapport de recherche, LORIA, Nancy, October 2001. [109] D. ROEGEL. – -Creating 3D animations with METAPOST-. – recherche, LORIA, Nancy, 1997.

Rapport de

[110] D. ROEGEL. – -Detecting interference through graph reduction-. – Rapport de recherche, LORIA, Nancy, 1997. [111] D. ROEGEL. – -Study of the Semantics of “Real” Parallel Languages in TLA-. – Rapport de recherche, LORIA, Nancy, 1997. [112] D. ROEGEL. – The METAOBJ tutorial and reference manual, December 2001.

Software [113] A. K NAPP, S. M ERZ. – HUGO—Model Checking UML State Machines and Collaborations. – 2001. [114] S. M ERZ. – Isabelle/TLA. – 1997, Revised 1999.

58