and legal aspects. Our approach proposes a new way to combine abstract ... of services: as LOTOS 6], SDL 11], Temporal Logic 2], Logical Approach 8],. Z 15].
Safe combinations of services using B Bruno Mermet
CRIN-CNRS URA 262 BP 239, 54506 Vand÷uvre-lès-Nancy, France
Dominique Méry
Université Henri Poincaré Nancy 1 and CRIN-CNRS URA 262 BP 239, 54506 Vand÷uvre-lès-Nancy, France
Abstract
The paper reports on the use of the B method and related tools to handle the feature interaction problem in telecommunications. The feature interaction problem states critical questions with respect to safety, sociological and legal aspects. Our approach proposes a new way to combine abstract machines and evaluates the resulting generation of proof obligations. The B method is a framework for specifying, re�ning and developing systems in a mathematical and rigorous, but simple way, and services are speci�ed in the B method. The feature interaction problem is modelled simply as a violation of an invariant. The B method is supported by sofware that helps the speci�er of services and features. We have not only modelled services within the B technology, but we have also extended possibilities of B by combining abstract machines.
1 Introduction Feature interactions [3, 5] happen when di�erent features of a software system interfere with each other. Within the area of telecommunications many problems are acknowledged with respect to the development of services and combinations of services. Combination of services is achieved in very di�erent ways and requires the use of formal methods to handle questions of correctness and safety. The speci�cation of service is a way to solve problems for detecting, avoiding and solving interactions among services. An interaction is, within this paper, treated as an interference among processes modelling services. However, our view of interaction is still a partial approach to the general problem, since interactions may be introduced at late stages of development during design and implementation. The key idea is to describe a service using an abstract machine and to analyse the combination of services by combining abstract machines. An obvious step is to inherit invariants of abstract machines, but these can be violated since B does not allow machines to share variables. However, we obtain an extension of the B technology that is supported by the environments, namely the Atelier B [17] and the BToolkit [13], to overcome this di�culty. Our method of using B is based on the method of Owicki-Gries [16]; a proof of invariance is carried out in two steps : a �rst step annotates sequential processes and proves 1
proof obligations related to pre and postconditions and a second step proves that every invariant property is not invalidated by an action of a concurrent process. The B method [1] is adequate to model services but it is limited to the expression of invariance properties. It does not address the question of fairness in services, but a lot of services can be speci�ed and validated in B. The most interesting aspect of B is the possibility of using a tool to build, transform, re�ne, translate and validate abstract machines. As no animator was provided by Atelier B1 , we had to use the BToolKit to animate speci�cations and several problems were discovered during the animation. However, the proof tool of Atelier B provides a very e�cient way to prove the correctness of abstract machines; either it leads us to a development state where every proof obligation was proved by Atelier B, or it fails on an unproved proof obligation indicating a possible interaction between the combined services. The user has to solve the unproved proof obligation by proving it in an interactive way or by interpreting it as an interaction and resolving it. In fact, this point emphasizes the practicability of the B method in the development of safe combined services. The analysis is based on a case study relying on three services:
� the basic service providing administration operations and user operations. � the screening list service. � the call forwarding service. In a �rst report [14], we have shown how to use the B method for modelling services and detecting feature interactions. Now, we explain the way to combine abstract machines and review the process. Others methods or languages can be used to address the question of the feature interaction and the speci�cation of services: as LOTOS [6], SDL [11], Temporal Logic [2], Logical Approach [8], Z [15]. Our approach is in essence very simple to use by a non-specialist of algebraic framework but it is based on a very powerfull tool. However, we are limited, as with the most of the other methods, to the expression of safety properties. We have developed a study for handling fairness questions by using TLA [12] and we address the question of specifying services requiring fairness assumption. The paper is organized as follows. Section 2 presents the B method and tools for B. Section 3 contains details on the proofs generated during services composition. Section 4 is devoted to statistics. Finally, section 5 concludes our paper.
2 The B method This section describes the foundations of the B method, and,the environments and tools that we utilised during our case studies. 1
The version 3.2 of the Atelier B provides now an animator.
2.1 The B technology
The B technology is a set of techniques and tools that implement the re�nement of abstract machines into concrete machines and �nally into C code. It uses the re�nement of operations as a way to preserve invariance properties through the re�nement process, and provides an environment that is really used in the development of safety critical systems [10, 4]. An abstract machine modi�es data with operations and the B technology helps the user to de�ne these objects in a formal and rigorous way. Abrial [1] introduces a notation to describe large systems using the B notation and there are two available tools for managing them: � the B-Toolkit [13] is currently developed and maintained by B-Core and provides the following set of facilities : a theorem prover (namely the B Tool), a generator of proof obligations, an animator of abstract machines, and a B document processor. � Atelier B [17] is developed and maintained by STERIA-Digilog and provides the following set of facilities : a powerful theorem prover (namely KRT), a generator of proof obligations, and a B document processor. The two tools are complementary and we have used both. The fundamental aspect of these two tools is the power of the underlying theorem prover that aids the user. As the re�nement of abstract machines is validated by proving generated proof obligations, proof process is not completely automated. However, the question of the power of a theorem prover is not within the scope of this paper; if the prover is not able to prove all the proof obligations, the user can use it in an interactive way or prove the remaining theorems (as mathematicians have been doing for centuries). The animator helps the user to visualize the speci�ed system and it can help the customer to acknowledge the suggested expression of problem requirements. An abstract machine can be considered like a pocket calculator with buttons that allows one to execute certain actions and to activate operations over data. Furthermore, an abstract machine must satisfy proof obligations and the de�nition of proof obligations is expressed by the generalized substitution [1]. A B model considers that a set of data is modi�ed by operations. The B technology provides a way to express operational semantics, in an encapsulated object-based manner. This naive view of the B underlying model can be taken when one builds a speci�cation in B. Now, we describe the di�erent aspects of B as operations, abstract machines,structuration mechanisms, theorem prover, and language properties. Predicates are formulae of the predicate calculus extended by set-theoretical predicates. As we will transform predicates, we need to de�ne a notion of substitution over predicates. De�nition 1 substitution over predicate A substitution [x := E]F is de�ned as the formula obtained by replacing all free occurences of x in F by E. It is de�ned by induction over the syntax of formulae F.
The B environment provides procedures to check that predicates are well de�ned and to manage theories required by the current speci�cation. Properties are expressed using the language of predicates for constants. A constant is possibly a function and we need to express properties that we know and these properties are used by the prover for trying a successful processing of required proofs. Many properties can be stated in the set-theoretical framework but it is clearly di�cult for the prover to derive theorems in a fully automatical way. The B book [1] contains chapters on set notations and mathematical objects that show how to use the di�erent mechanisms provided by the B environment. The substitution is extended to express predicate transformation over predicates language, and is called the generalized substitution. De�nition 2 generalized substitution A generalized substitution GSubstitution is either a substitution x := E, or a skip, or preconditioned generalized substitution PjGSubstitution or a guarded generalized substitution P =) GSubstitution, or a nondeterministic generalized substitution GSubstitution1 [] GSubstitution2, or a quanti�ed generalized substitution @ Variable GSubstitution, or a sequential generalized substitution GSubstitution1 ; GSubstitution2, a parallel generalized substitution GSubstitution1 k GSubstitution2, or an applied generalized substitution [Variable := Expression] , or a �xed-point generalized substitution GSubstitution�. De�nition 3 operation An operation O consists of a header and a generalized substitution header^=Gsubstitution where the header has one of the following forms : Id List ? Identi er(Id List), Identi er(Id List), Id List ? Identi er, Identi er.
The B technology uses a concrete syntax for substitutions and operations, such as : 1. BEGIN generalized substitution END 2. PRE precondition THEN generalized substitution END Now, using the above syntax, we can state what an abstract machine is in the B technology. De�nition 4 abstract machine An abstract machine is a notation that describes a collection of sets, properties, constants, an initialisation statement, an invariant and a set of operations acting on data. An abstract machine has to satisfy the invariant and it may be structured with the help of other abstract machines using speci�c structuring clauses such as IMPORTS, INCLUDES, etc.
The properties language of B allows one to state invariance properties of abstract machines. An invariant is simply a conjunction of basic properties de�ned in the set-theoretical language. A B operation, namely O, is equivalent to trm(O)j@x0 :(prd (S ) ) x := x0 ) where trm(O) denotes the terminating states of S and prd (S ) is the computation relation for S. We do not want to present what is in the B book [1]. x
x
2.2 Theoretical background
The HOARE logic [9, 7] formalizes the correctness of programs with the concept of asserted programs. An asserted program is a triple { pre } P { post } where pre is the precondition, P is a program and post is the postcondition. The HOARE logic provides a set of rules and axioms to infer HOARE triples. The semantics of { pre } P { post } is intuitively de�ned as follows : if
P is executed from a current state satisfying pre and if P terminates, then the �nal state satis�es post . The classical HOARE triples express the partial
correctness of programs. An axiomatic system for HOARE triples allows one to derive valid HOARE triples and the system is syntax-directed. When one wants to extend the HOARE logic to deal with concurrency, one needs to take into account the possible interferences between concurrent processes. Clearly, the HOARE logic does not allow an easy way to extend its language to handle concurrent processes. We need to clearly state the problem of communication in the case of safety properties. The notation pre ) [P ]post expresses the total correctness of P with respect to pre and post, if we use the generalized substitution notation of Abrial [1]. We can state invariance properties using the generalized substitution as follows: De�nition 5 invariance property An invariance property I for a set of operations fO1; : : :Ong and a generalized � substitution Initialisation for initial states satis�es :
[Initialization]I
8 i 2 f1 : : :ng : I ^ trm(O ) ) [O ]I We use the notation (Init; O) for expressing the system of operations and we will use the notation invariance(Init; fO1 ; : : :O g) to denote the class of invariant properties for a set of operations fO1 ; : : :O g and a speci�cation of i
i
n
n
the initial states Init. [:] is the generalized substitution operator de�ned by Abrial [1] and maps every B operation to a predicate transformer. A set of proof obligations is generated from an abstract machine to ensure that the invariant is respected by the operations of the machine. An abstract machine M is made up of chapters describing di�erent aspects of the mathematical model. We will use the notations as M.SEES, M.SETS, M.INITIALIZATION, M.INVARIANT, M.OPERATIONS to represent these chapters. De�nition 6 proof obligations for an abstract machine Let M be an abstract machine with M:I as invariant, M:INITIALISATION as speci�cation of initial states and M:OPERATIONS as the set of operations
of M . Let Context(M ) be the semantical context of M ( specifying domain properties, constraints, sets properties etc see pages 763-773 in [1]). M:PO are proof8 obligations for M and de�ned as
Check(Context(M )) > < Context (M ) ) [M:INITIALISATION ]M:INV ARIANT 8 O 2 M:OPERATIONS : > : Context(M ) ^ M:INV ARIANT ^ trm(O) ) [O]M:INV ARIANT The expression of predicate transformers is based on the notion of generalized substitution. The proofs are attempted by the B tools and remaining proofs are done by hand. The statement of the invariance of I is combined together with the satisfaction of I by initial states. We use the expression always true but, as pointed out by Van Gasteren et al. [18], invariant properties are always true properties but the converse does not hold. Abstract machines can be combined into systems as is shown in �gure 1. We limit the combination of abstract machines by considering only the union of a set of operations (see the �gure 1). De�nition 7 system A system S of processes fP1; : : :; Png is modelled as a set of operations, an initial condition INITIALISATION and a set of initial conditions as follows: S = (Init; (P1 :Init; P1:O1); : : :; (Pn:Init; Pn:On)) where Init speci�es the initial conditions of S , P:Init is the initial condition of P and P:O is the set of actions executed by P .
Now, we can de�ne proof obligations for a system. A property is an invariance property for a system if it is an invariance property for every process of the system and if the initial condition of the system strengthens initial conditions of every process of the system. De�nition 8 invariance for a system An invariance property for a system S is a property satisfying the following requirements: �
8 P 2 S :Process : P:PO(I ) 8 P 2 S :Process : S :Init ) P:Init
The problem is that we want to combine abstract machines to model the composition of services. If a service S1 and a service S2 are developed in the B technology, we obtain an invariant for S1, I 1, and another one for S2, namely I 2. However, I 1 ^ I 2 is not necessarly an invariant for the system obtained by the combination of the two abstract machines. Additional proof obligations must be proved. Property 1 Let M 1 and M 2 be two abstract machines, and M 1 � M 2 the abstract machine obtained by strengthening the initial conditions and by gathering the operations of M 1 and M 2 in the operations part of M .
If 8 [M:INITIALISATION ]M 1:INV ARIANT ^ M 2:INV ARIANT , and,
M 1:PO(M 1:INV ARIANT ) > > : M 2:PO (M 1:INV ARIANT ) then M 1:INV ARIANT ^ M 2:INV ARIANT is invariant for M Proof: 8 [M :INITIALISATION ]M 1:INVARIANT ^ M 2:INVARIANT > > > < M 1:PO (M 1:INVARIANT ) M 2:PO (M 2:INVARIANT ) Assume: > 1:PO (M 2:INVARIANT ) > :M M 2:PO (M 1:INVARIANT ) Prove: M 1:INVARIANT ^ M 2:INVARIANT is invariant for M h1i1. Initial conditions Proof:[M :INITIALISATION ]M 1:INVARIANT ^ M 2:INVARIANT states the establishment of the invariant initially. h1i2. Operations conditions Proof:Let O be an operation of M. M 1:INVARIANT ^M 2:INVARIANT ) M 1:INVARIANT and M 1:INVARIANT ^ trm (O ) ) [O ]M 1:INVARIANT by assumption. Then M 1:INVARIANT ^ M 2:INVARIANT ^ trm (O ) ) [O ]M 1:INVARIANT . M 1:INVARIANT ^ M 2:INVARIANT ) M 2:INVARIANT and M 2:INVARIANT ^ trm (O ) ) [O ]M 2:INVARIANT by assumption. Then M 1:INVARIANT ^ M 2:INVARIANT ^ trm (O ) ) [O ]M 2:INVARIANT . Hence, we can derive M 1:INVARIANT ^ M 2:INVARIANT ^ trm (O ) ) [O ](M 1:INVARIANT ^ M 2:INVARIANT ), by conjunction of the second part of implication. h1i3. Q.E.D. Proof:By h1i1 and h1i2, we derive that M 1:INVARIANT ^M 2:INVARIANT is invariant for M . The main result of our observation is that the B technology is su�cient to provide tools and notations for expressing combinations of services. However, we have to take care of the new proof obligations that are generated because of the possible interferences [16]. As the B property language does not allow one to express fairness, we can not express this notion formally.
3 Modelling services in the B technology 3.1 Composition of B machines
The B method allows di�erent kinds of composition. The most commonly used is introduced by the IMPORTS keyword. It allows encapsulation of data and code during the re�nement process. As we do not focus on re�nement in this paper, it cannot be used. An other solution to combine subsystems is to use the INCLUDES keyword or its variant EXTENDS. However, the machine including another one cannot, for safety reasons modify variables declared in the included
DATA 1
DATA 2
DATA 1
DATA 2
111 000 000 111 000 111 000 000 111 111 000 111 000 111 000 111 000 111 000 111 000 000 111 111 000 111 000 111 000 111
111 000 000 111 000 111 000 000 111 111 000 111
111 000 000 111 000 111 111 000 000 111 000 111 000 000 111 111 000 111
Figure 1: Combining abstract machines M 1 � M 2 machine. This restriction has been chosen to avoid the generation of new proof obligations linked to the invariant of the included machine, but it is not well suited to our problems, where data may be read and written by more than one service. Finally, the last kind of composition is introduced by the word USES. It allows a machine A to see variables encapsulated in a machine B that will be later included together with A in a machine C. But once again, two machines cannot write to a shared variable. Consequently, we chose a new kind of composition, consisting in merging the di�erent clauses of the machines we compose. However, in order to use as well as possible the existing tools, we describe a solution limiting the number of the proof obligations introduced by this step. If we want to compose two services S1 and S2 , we can imagine the service S1 as the environment of S2 . So, S2 must not break the invariant of its environment. This can be checked by proving that S2 operations preserve the S1 Invariant. Moreover, environment operations (S1 operations) must not break the invariant of the S2 service. If this is true, then, provided both invariants are established by the initialisation of the machines, they will remain true, whatever operation is executed. This is a practical point of view of the theory explained in the beginning of this paper. If we want to implement this technique with the tools that already exist, we have to proceed in two steps; we assume that S1 and S2 speci�cations are independently correct, and go on to
informal specification
informal specification
FORMALISATION IN B
abstract machine abstract machine ANIMATOR NAVIGATOR
abstract machine abstract machine
abstract machine REFINEMENT
abstract machine
TRANSLATOR
code (C or ADA)
Figure 2: Combining abstract machines in the B cycle the following : � prove that S2 operations preserve the invariant of S1 , by adding the invariant of S1 to S2 ; � prove that S1 operations preserve the invariant of the S2 , by adding the invariant of S2 to S1 . These two steps will also prove the compatibility of the initialisations. However, merging the invariants is not enough : we also have to add parts of the VARIABLES, CONSTANTS, PROPERTIES, INITIALISATION, etc. clauses. The technique of strenghtening the invariant of a machine with a given number of operations instead of adding operations to a machine with a stable
invariant has been chosen because it supports a more modular strategy, with fewer proof obligations.
3.2 Composing POTS and the Screening List services
We introduce two services. The �rst one, called POTS2 introduces the basic functions of a telephone system. We combine POTS with the Screening List service, a service that allows a telephone subscriber to forbid some people to call him. We apply the theory summarized above. POTS is taken as service S1 , and Screening list is taken as serviceS2 . 1. Checking that Screening List operations preserve the POTS invariant : The speci�cation of the Screening List feature generates, (with the Atelier B [17]) 17 POs3 and 60 ObvPOs4 , all true. When we add the invariant properties of POTS that were not part of the Screening List invariant, we do not obtain any false PO. 2. Checking that POTS operations preserve the Screening List invariant Doing this, we obtain two false POs. Explanations are given below. A greater understanding of the following formula can be given by the B source code of the services, which can be found on the internet5 � for the remove subscriber operation : screening list subscribers � subscribers-{subs}-{Null Subscriber} � for the establish communication operation : ran((call states C? {com 7! st}) ?1 [{Established,Communicating}] C (called caller)) \ screening list = ; The �rst false PO corresponds to an interaction that occurs when a person stops subscribing to the POTS service, but remains as a subscriber to the Screening List. This is forbidden by the Screening List invariant, which require Screening List subscribers being POTS subscribers. The second corresponds to the fact that the Establish communication operation of the POTS service can establish a communication prohibited by the Screening List service.
3.3 Adding the Call Forwarding service
The call forwarding service allows a user to forward calls to another telephone user. In order to combine the three services POTS, Screening List, and Call Forwarding, we can re-use the mixed system POTS + Screening List, that 2 3 4 5
Plain Old Telephone System Proof Obligations Obvious Proof Obligations http://www.loria.fr/~mermet/Services/index.html
becomes our new service S1 , and use the same technique, with Call Forwarding as service S2 . 1. Checking that Call Forwarding operations preserve the POTS + Screening List invariant We �nd that an interaction appears in the initialisation clause : in the POTS speci�cation, we initialize the connected phones variable to {Null Phone}, whereas in the Call Forwarding speci�cation, we initialize it to ;, because we did not introduce the notion of the Null Phone. So, the problem can be solved by choosing the POTS initialisation. This combination does not generate any false PO. So, we do not detect any kind of interaction. 2. Checking that POTS + Screening List operations preserve the Call Forwarding invariant This step produces 3 false POs, corresponding to the following interactions :
� when we remove a POTS subscriber, it remains a Call Forwarding
subscriber (PO associated to the remove subscriber operation); � When we remove a POTS subscriber, it might be a Call Forwarding Target of somebody else. But the Call Forwarding speci�cation forbid targets that are not POTS subscribers (PO associated to the remove subscriber operation); � the Establish operation can establish a communication to somebody who forwarded calls to him (PO associated to the Establish operation). From the case study presented above, we analyse di�erent kinds of interactions:
� Two of the interactions produced by the remove
subscriber operation can be resolved by adding a new action to the operation : removing a subscriber removed from the screening list subscribers and call forwarding subscribers sets.
� The interactions produced by the Establish operation can be resolved by re-inforcing the precondition of this operation.
� Finally, the interaction produced by the remove
subscriber operation when the target of a call forwarding is removed is slightly more di�cult : a solution could be to automatically cancel the call forwardings to him.
4 Practical experiments with the tools 4.1 Animating speci�cations
The Atelier B [17] does not yet have an animator, so, we used the animator of the B Toolkit [13]. Animating speci�cation is useful to help other people (like clients) understanding the speci�cation. Moreover, it helps the programmer to check that the speci�cation is correct with respect to an informal description: it allows to check if properties not speci�ed in the invariant (either because they cannot be expressed or because they were forgotten) are true. Here, for instance, we forgot to specify that a call with no more subscribers involved in it must be removed : in an earlier speci�cation, if two people A and B where communicating, if we �rst removed A from the subscribers set, and then B, the communication between them was remaining in the current calls set. This could have been detected if we had added the following invariant: caller?1[Null Subscriber] \ called ?1 [Null subscriber] = ;
4.2 Statistics using the tool
4.2.1 Proofs of services
Proofs were made by the Atelier B [17]. We observed that the form of the speci�cation has a great importance on the percentage of proof obligations proved. With the current speci�cation, for example, we obtain the following results on POTS: operation ObvPO PO Unproved initialisation 4 0 0 add subscriber 20 4 0 remove subscriber 7 17 10 connect 17 7 0 disconnect 4 20 8 show 18 5 0 hide 8 15 8 dial 13 11 1 establish communication 17 6 1 Total 108 85 28 Moreover, 4 proofs can be achieved easily6 by the interactive prover, a tool that helps the prover without adding, new possibly wrong, rules. So, we can say that 72% of the non-obvious proofs are achieved quite automatically (88% of all the proof obligations). Most of the unproved POs are in fact quite similar, making the solution to one PO a great help for �nding the solution to another. An interesting point is the localisation of the unproved POs : they correspond to the operations like remove subscriber or disconnect. This can be explained by the role of these 6
less than 5 minutes of re�exion for a human
operations that are permissive, but have to preserve a very strong invariant. The POs remaining could perhaps be proved by the interactive prover, but we did not try. Services are easier to prove. Here are the results of the prover for the two services described in this paper: service ObvPO PO Unproved screening list 60 17 0 call forwarding 57 21 1 However, once again, the Unproved PO of the call forwarding service can be easily proved with the interactive prover. Thus, our services are completely proved. 4.2.2 Proofs of compositions
When combining services, the problem becomes slightly more di�cult. However, the bene�t of the POs proved on each service independantly is a great help. Here is a table which summarizes the number of new POs generated. (S L and C F respectively mean Screening List and Call Forwarding.) The numbers given correspond to the new obvious POs, POs and Unproved POs generated. composition �ObvPO �PO �Unproved S L with POTS invariant 67 8 0 POTS with S L invariant 17 22 8 C F with S L and POTS invariant 80 10 2 S L and POTS with C F invariant 29 12 8 An interesting aspect of the method is the small number of new unproved POs at each composition. When we compose POTS and the screening list, we have only eight new unproved POs. Two of them are generated by interactions. The other are true, but the prover did not succeed in the proof. When we add a new service, the Call Forwarding service, we have ten more unproved POs, three of them corresponding to interactions. The help provided by the prover and this technique is important : instead of examining by hand all the proof obligations of our composition (436 Obvious POs and 136 POs) to detect possible interactions, we focus on only 10 POs.
4.3 Limits of the method
In B, we can not express temporal properties. Thus, the fact that a particular service will happen cannot be guaranteed. Here, for instance, if we combine POTS, Screening List, and Call Forwarding services, we can imagine the following scenario : � B subscribes to Screening List and Call Forwarding services ;
� A is on the screening list of B ; � B has forwarded calls to him to C ; � A calls B. Then, either the rejecting a Call or the forward call operations can be activated. But if one of them is activated, the precondition of the other becomes false. So, we have an undeterministic behaviour of our system, and this cannot be detected by the B method. The interaction of the two services could, of course, be detected if we could specify temporal properties in B machines, by saying that if the call forwarding system is on, then calls will eventually be forwarded : a rejected call would not check this property. The method lacks real structuring mechanisms. The composition is very basic and restrictive.
5 Concluding remarks The scope of the B technology can be extended by introducing a new structuring operator of abstract machines; the new structuring operator implements the method of Owicki and Gries and introduces new proof obligations. In a preliminary paper [14], we have shown how abstract machines could model services and help in detecting interactions among services. This paper reports on practical experiments with tools showing that tools for formal methods are at a mature level. As the B technology is based on invariance properties, we have not considered the question of fairness in services. Other approaches are mainly based on formal methods for telecommunications such as LOTOS, SDL or assertional and logical methods [8]. There are two main problems with these other approaches that are partially solved by our method. A �rst problem is to provide a su�ciently expressive speci�cation language and a second one is to provide a real environment for dealing with formalisms. We think that tools for B [13, 17] are realistic solutions for users that are not real specialist for formal methods, even if the prover and the environment have some limitations. It is clear that we need to extend the scope of the property language but the inclusion of a temporal semantics based TLA [12] is under development in our group. Our results are based on a simple way to combine abstract machines and the main problem is now to extend the scope of property language and the power of the prover. The development of case studies allows us to discover new possible feature interactions among classical services.
Acknowledgments This work is partially supported by the contract n 96 1B CNET-FRANCETELECOM & CRIN-CNRS-URA 262 and by the Institut Universitaire de France. o
References [1] J.-R. Abrial. The B book - Assigning Programs to Meanings. Cambridge University Press, 1996. [2] J. Blom, B. Jonsson, and L. Kempe. Using temporal logic for modular speci�cation of telephone services. In L. G. Bouma and H. Velthuijsen, editors, Feature Interactions in Telecommunications Systems. IOS Press, 1994. [3] L. G. Bouma and H. Velthuijsen, editors. Feature Interactions in Telecommunications Systems. IOS Press, 1994. [4] M. Carnot, C. DaSilva, B. Dehbonei, and F. Mejia. Error-free sofware development for critical systems using the b technology. In Proceedings of the Third IEEE International Conference on Software Reliability Engineering, October 1992. [5] K. E. Cheng and T. Ohta, editors. Feature Interactions in Telecommunications Systems. IOS Press, 1996. [6] M. Faci and L. Logrippo. Formlisation of a user view of network and services for feature interaction detection. In L. G. Bouma and H. Velthuijsen, editors, Feature Interactions in Telecommunications Systems. IOS Press, 1994. [7] R. W. Floyd. Assigning meanings to programs. In J. T. Schwartz, editor, Proc. Symp. Appl. Math. 19, Mathematical Aspects of Computer Science, pages 19 � 32. American Mathematical Society, 1967. [8] A. Gammelgaard and J. E. Kristensen. Interaction detection, a logical approach. In L. G. Bouma and H. Velthuijsen, editors, Feature Interactions in Telecommunications Systems. IOS Press, 1994. [9] C. A. R. Hoare. An axiomatic basis for computer programming. Communications of the Association for Computing Machinery, 12:576�580, 1969. [10] J. Hoare, J. Dick, D. Neilson, and I. Sorensen. Applying the B technologies to CICS. In J. Woodcock, editor, FME.96. Springer-Verlag, March 1996. LNCS 1051. [11] B. Kelly, M. Crowther, and J. King. Feature interaction detection using sdl models. In GLOBECOM. Communications: The Global Bridge. Conference Record, pages 1857�61. IEEE, 1994. [12] L. Lamport. A temporal logic of actions. Transactions On Programming Languages and Systems, 16(3):872�923, May 1994. [13] B-Core(UK) Ltd. B-Toolkit User's Manual, relase 3.2 edition, 1996.
[14] B. Mermet and D. Méry. Feature interaction detection in b. Internal report, Centre de Recherche en Informatique de Nancy CNRS URA262, january,15 1997. [15] J. Nyström. A formalization of service indepedent building blocks. In AIN'96. Mars 25-26, 1996. [16] S. Owicki and D. Gries. An axiomatic proof technique for parallel programs i. Acta Informatica, 6:319�340, 1976. [17] GEC Alsthom Transport, DIGILOG, SNCF, INRETS, and RATP. Atelier B, Version 3.0, Manuel de Référence du Langage B. STERIA DIGILOG, 1996. [18] A. J. M. van Gasteren and G. Tel. Comments on "on the proof of a distributed algorithm": always true is not invariant. Information Processing Letters, 35:277�279, 1990.
