Presentation is loading. Please wait.

Presentation is loading. Please wait.

© Gudmund Grov & Andrew Ireland Dependable Systems Group Planning for System Development Gudmund Grov & Andrew Ireland Dependable Systems Group School.

Published byFrederick Sanders Modified over 8 years ago

Similar presentations

Presentation on theme: "© Gudmund Grov & Andrew Ireland Dependable Systems Group Planning for System Development Gudmund Grov & Andrew Ireland Dependable Systems Group School."— Presentation transcript:

1 © Gudmund Grov & Andrew Ireland Dependable Systems Group Planning for System Development Gudmund Grov & Andrew Ireland Dependable Systems Group School of Mathematical & Computer Sciences Heriot-Watt University Edinburgh

2 © Gudmund Grov & Andrew Ireland Dependable Systems Group Outline Proof planning and software development Event-B and rigorous system development Research opportunities A proposal

3 © Gudmund Grov & Andrew Ireland Dependable Systems Group Conjecture Theorem Proving Automatic Theorem Prover: Proof Rules + Guidance Theory Proofs

4 © Gudmund Grov & Andrew Ireland Dependable Systems Group Conjecture Proof Planning Proof Plans: methods and critics Proof Checker Theory TacticsProofs Proof Planner External tools Program Analysis (SPARK) User Interaction

5 © Gudmund Grov & Andrew Ireland Dependable Systems Group Proof Plans: A Science of Reasoning concrete proofs proofs patterns Patterns provide guidance in the search for concrete proofs, in particular where proof patching is required

6 © Gudmund Grov & Andrew Ireland Dependable Systems Group Proof Planning Reuse: strategies can be easily ported between proof checkers Robustness: critics and middle-out reasoning provide flexibility in how proof search is organized Cooperation: provides a natural level for combining multiple reasoning processes, i.e. complementary techniques compensating for each other’s weaknesses

7 © Gudmund Grov & Andrew Ireland Dependable Systems Group Clam-Oyster, lambdaClam: Functional program verification, synthesis & transformation; hardware verification Periwinkle, lambdaClam, Whelk: Logic program synthesis Bertha: Imperative program verification & synthesis SPADEase: Verification automation for SPARK CORE: Cooperative Reasoning for Automatic Software Verification SEAR: System Evolution via Animation and Reasoning Software Development Applications

8 © Gudmund Grov & Andrew Ireland Dependable Systems Group Automatic Proof Patching Inductive lemmas discovery Conjecture generalization Case splitting Induction rule revision & synthesis Existential witnesses Correcting false conjectures Loop invariant discovery Frame axiom discovery Tactic formation via data-mining

9 © Gudmund Grov & Andrew Ireland Dependable Systems Group Event-B An approach to systems development which seamlessly combines modelling and reasoning Developed from the classical B-method for software development Tackles problem of volatile requirements by promoting model evolution and reformulation Event-B tool: Eclipse based plug-in architecture providing “design-time feedback” EU Projects: RODIN (04-07) DEPLOY (08-12) Industrial partners: Bosch, Siemens, Space Systems Finland, SAP, Nokia

10 © Gudmund Grov & Andrew Ireland Dependable Systems Group Event-B Systems represented as discrete transition systems, using classical logic and set-theory System = Model + Context –Models contain variables, invariants and events (guards + actions) –Contexts contain constants, carrier sets and properties Development of complex systems managed via: –refinement –(de-)composition –generic instantiation

11 © Gudmund Grov & Andrew Ireland Dependable Systems Group User Interaction & Event-B Proving: –autoprover failures –proof-failure analysis –existential witnesses Modelling: –defining models, refinements, (de-)compositions and generic instantiations –defining gluing invariants – links variables between model refinements –patching models using proof-failure analysis –selecting refinement patterns

12 © Gudmund Grov & Andrew Ireland Dependable Systems Group Models and contexts Model Context Variables Invariants Events Constants Carrier sets Properties Sees

13 © Gudmund Grov & Andrew Ireland Dependable Systems Group Development: refinement & (de-)composition

14 © Gudmund Grov & Andrew Ireland Dependable Systems Group instantiates Development: generic instantiation

15 © Gudmund Grov & Andrew Ireland Dependable Systems Group Abrial’s “Cars on a Bridge” Model n

16 © Gudmund Grov & Andrew Ireland Dependable Systems Group First Refinement b a c c a=0 c=0 a

17 © Gudmund Grov & Andrew Ireland Dependable Systems Group b a c First Refinement

18 © Gudmund Grov & Andrew Ireland Dependable Systems Group Second Refinement 0 1 b c=0 ac a=0 a c

19 © Gudmund Grov & Andrew Ireland Dependable Systems Group Second Refinement 0 1 b a c

20 © Gudmund Grov & Andrew Ireland Dependable Systems Group Proof Obligation 1 ML_out preserves inv2_3 Failure analysis: proof obligation unprovable Proof patch: assume negated premise of goal implication, i.e. simplified to Model patch 1 (local): strengthen guard: Model patch 2 (global): strengthen invariant:

21 © Gudmund Grov & Andrew Ireland Dependable Systems Group Proof Obligation 2 IL_out preserves inv2_4 Failure analysis: proof obligation unprovable. Proof patch: assume negated premise of goal implication: simplified to Model patch 1 (local): strengthen guard: Model patch 2 (global): strengthen invariant:

22 © Gudmund Grov & Andrew Ireland Dependable Systems Group Observations on Model Patching Both proof-failures suggest the same global patch, i.e. at least one traffic light must always be set to red! Model patch: inv2_5 is added to the invariant: Note that proof-analysis gives rise to alternative model patches

23 © Gudmund Grov & Andrew Ireland Dependable Systems Group Proof Obligation 3 ML_out preserves inv2_4 Failure analysis: unprovable case Model patch: event splitting First event: (trivial to prove)Second event:

24 © Gudmund Grov & Andrew Ireland Dependable Systems Group Example proof 4 ML_out_2 preserves inv2_4 Note: guard cannot be updated by since it already contains Model patch: update action, i.e.

25 © Gudmund Grov & Andrew Ireland Dependable Systems Group Observations Proof-failure analysis plays a central role in developing systems within Event-B Over coming proof-failures typically involves patching models, e.g. invariant strengthening, modifying events (guards & actions) Strong interplay between modelling and proving: “A program [model] and its proof should be developed [planned] hand-in-hand, with the proof [plan] usually leading the way” “The Science of Programming” Gries, `81 No automation for proof-failure analysis and patching, i.e. currently hand-crafted by users

26 © Gudmund Grov & Andrew Ireland Dependable Systems Group Observations Proof-failure analysis plays a central role in developing systems within Event-B Over coming proof-failures typically involves patching models, e.g. invariant strengthening, modifying events (guards & actions) Event-B promotes strong interplay between modelling and proving No automation for proof-failure analysis and patching, i.e. currently hand-crafted by users

27 © Gudmund Grov & Andrew Ireland Dependable Systems Group Opportunities Proving: –Increasing proof automation with the Event-B tool: proving invariants, refinements, generic instantiations Reuse, reformulation & learning strategies (tactic formation) proof by mathematical induction (Rodin toolset roadmap includes inductive data types) existential witnessing –Proof patching: invariants, generalizations and lemmas Modelling & Proving: –Exploiting the interplay between proving and modelling, i.e. use proof-failure analysis to inform model patching –Discovering gluing invariants –Build upon existing refinement patterns

28 © Gudmund Grov & Andrew Ireland Dependable Systems Group Planning for Event-B Proof plans represent common patterns of reasoning Model plans represent common patterns of development?

29 © Gudmund Grov & Andrew Ireland Dependable Systems Group Planning for Event-B Event-B MUI Event-B PUI Event-B POG Event-B POM Event-B SEQP Event-B SC ProB

30 © Gudmund Grov & Andrew Ireland Dependable Systems Group Planning for Event-B Proof Planner Event-B MUI Event-B PUI Event-B POG ProB Event-B POM Event-B SEQP Event-B SC

31 © Gudmund Grov & Andrew Ireland Dependable Systems Group Planning for Event-B Proof Planner Event-B MUI Event-B POG ProB Event-B POM Event-B SEQP Event-B SC Model Planner

32 © Gudmund Grov & Andrew Ireland Dependable Systems Group Planning for Event-B Proof Planner UML-B MUI Event-B POG ProB Event-B POM Event-B SEQP Event-B SC Model Planner Event-B MUI

33 © Gudmund Grov & Andrew Ireland Dependable Systems Group Planning for Event-B Proposal Develop a proof planning plug-in Reuse and develop new proof plans which increase proof automation Investigate the idea of model planning via the development of a plug-in Through the development of proof and model plans, investigate the interplay between proving and modelling, e.g. how proof-failure analysis informs model reformulation and evolution

34 © Gudmund Grov & Andrew Ireland Dependable Systems Group Conclusion Event-B: a mature technology for developing complex systems Open architecture where the interplay between modelling and proving is taken seriously Opportunities for model and proof planning: –Engineering: raise the level at which a developer works – focus on high-level modelling decisions –Science: deepen our understanding of the relation between modelling and proof – a science of rigorous modelling!

Download ppt "© Gudmund Grov & Andrew Ireland Dependable Systems Group Planning for System Development Gudmund Grov & Andrew Ireland Dependable Systems Group School."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Teaching Formal Methods for the Unconquered Territory Nestor Catano Madeira ITI, Portugal Camilo Rueda Pontificia Universidad Javeriana (PUJ), Cali, Colombia.

Teaching Formal Methods for the Unconquered Territory Nestor Catano Madeira ITI, Portugal Camilo Rueda Pontificia Universidad Javeriana (PUJ), Cali, Colombia.
© Colin Potts C6-1 Some future trends in requirements engineering Colin Potts Georgia Tech.

© Colin Potts C6-1 Some future trends in requirements engineering Colin Potts Georgia Tech.
LIFE CYCLE MODELS FORMAL TRANSFORMATION

LIFE CYCLE MODELS FORMAL TRANSFORMATION
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.

Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.

An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.
Event-B in a Nutshell Test Data Generation 13th CREST Open Workshop 12th-13th of May 2011, London 13th CREST Open Workshop 12th-13th of May 2011, London.

Event-B in a Nutshell Test Data Generation 13th CREST Open Workshop 12th-13th of May 2011, London 13th CREST Open Workshop 12th-13th of May 2011, London.
Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor Formal Methods in Software Engineering1.

Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor Formal Methods in Software Engineering1.
10.6.2008 Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der.

Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der.
FM-SOA workshop 16 th Feb 2009 Formal Modelling and Analysis of Business Information Systems with Fault Tolerant Middleware Jeremy Bryans, John Fitzgerald,

FM-SOA workshop 16 th Feb 2009 Formal Modelling and Analysis of Business Information Systems with Fault Tolerant Middleware Jeremy Bryans, John Fitzgerald,
PROOF TRANSLATION AND SMT LIB CERTIFICATION Yeting Ge Clark Barrett SMT 2008 July 7 Princeton.

PROOF TRANSLATION AND SMT LIB CERTIFICATION Yeting Ge Clark Barrett SMT 2008 July 7 Princeton.
Software engineering as a model of understanding for learning and problem solving Paul Gibson and Jackie O’Kelly Computer Science Department NUI, Maynooth.

Software engineering as a model of understanding for learning and problem solving Paul Gibson and Jackie O’Kelly Computer Science Department NUI, Maynooth.
VIDE Integrated Environment for Development and Verification of Programs.

VIDE Integrated Environment for Development and Verification of Programs.
The Architecture Design Process

The Architecture Design Process
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Describing Syntax and Semantics

Describing Syntax and Semantics
Department of Computer Science & Engineering College of Engineering Dr. Betty H.C. Cheng, Laura A. Campbell, Sascha Konrad The demand for distributed real-time.

Department of Computer Science & Engineering College of Engineering Dr. Betty H.C. Cheng, Laura A. Campbell, Sascha Konrad The demand for distributed real-time.
Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering.

Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering.
6 Feb 08 Deploying Rodin Michael Butler Dependable Systems and Software Engineering University of Southampton.

6 Feb 08 Deploying Rodin Michael Butler Dependable Systems and Software Engineering University of Southampton.
1 3rd of July 2009 CEA LIST Symbolic execution based model checking of open systems with unbounded variables Nicolas RAPIN CEA LIST.

1 3rd of July 2009 CEA LIST Symbolic execution based model checking of open systems with unbounded variables Nicolas RAPIN CEA LIST.

Similar presentations

Ads by Google