Arnaud Dieumegard

Model-based formal specification of a DSL library for a qualified code generator

Critical embedded systems development is a complex and highly sensitive task. Model-driven engineering (MDE) intends to bridge the gaps between the different parts of this process: high-level requirements, design, implementation and verification, by promoting formalization of the various process artefacts as models. This paper focuses on the rigorous and flexible model-based specification and implementation of a part of the requirement language of an embedded code generator. It relies on the use of OCL integrated in a textual specification language as a means to formally specify graphical modeling languages such as Simulink and Scicos and their extensible sophisticated block libraries.

A software product line approach for semantic specification of block libraries in dataflow languages

Dataflow modelling languages such as SCADE or Simulink are the de-facto standard for the Model Driven Development of safety critical embedded control and command systems. Software is mainly being produced by Automated Code Generators whose correctness can only be assessed meaningfully if the input language semantics is well known. These semantics share a common part but are mainly defined through block libraries. The writing of a complete formal specification for the block libraries of the usual languages is highly challenging due to the high variability of the structure and semantics of each block. This contribution relates the use of software product line principles in the design of a domain specific language targeting the formal specification of block libraries. It summarises the advantages of this DSL regarding the writing, validation and formal verification of such specifications. These experiments have been carried out in the context of the GeneAuto embedded code generator project targeting Simulink and Scicos; and are being extended and applied in its follow up projects ProjetP and Hi-MoCo.

Event-B at Work: Some Lessons Learnt from an Application to a Robot Anti-collision Function.

The technical and academic aspects of the Event-B method, and the abstract description of its application in industrial contexts are the subjects of numerous publications. In this paper, we describe the experience of development engineers non familiar with Event-B to getting to grips with this method. We describe in details how we used the formalism, the refinement method, and its supporting toolset to develop the simple anti-collision function embedded in a small rolling robot. We show how the model has been developed from a set of high-level requirements and refined down to the software specification. For each phase of the development, we explain how we used the method, expose the encountered difficulties, and draw some practical lessons from this experiment.

Stepwise Formal Modeling and Verification of Self-Adaptive Systems with Event-B. The Automatic Rover Protection Case Study

For a long time, formal methods have been effectively applied to design and develop safety-critical systems to ensure safety and the correctness of desired functional behaviors through formal reasoning. The development of high confidence self-adaptive autonomous systems, such as Automatic Rover Protection(ARP), is one of the challenging problems in the area of verified software that needs formal reasoning and proof-based development. In this paper, we propose a methodology that reveals the issues involved in the formal modeling and verification of self-adaptive autonomous systems using correct by construction approach. This work also provides a set of guidelines for tacking the different issues to avoid collision by preserving the local and global properties of an autonomous system. We cater for the specification of functional requirements, timing requirements, spatial and temporal behavior, and safety properties. We present a refinement strategy, modeling patterns to capture the essence of a self-adaptive autonomous system, and a substantial example based approach on an industrial case study: TwIRTee. For developing the formal models of autonomous system, we use the Event-B modeling language and associated Rodin tools to check and verify the correctness of required system behavior and internal consistency under the given safety properties.

Correct-by-construction specification to verified code

Event‐B is a formal notation and method for the systems development. The key feature of this method is to produce correct‐by‐construction system designs. Once the correct design is established, the remaining work is to generate or implement correct code from the design. Two main problems remain in the process from the correct‐by‐construction design to the correct software. First, the Event‐B design is “quasi‐correct” due to some technical limitations. For instance, it is still difficult to prove the liveness properties by the Rodin platform; it is not possible to construct the Event‐B design with floating‐point arithmetic, and sometimes, the Event‐B model is incomplete and must rely on the third‐party libraries. Therefore, a method is needed to complement these modeling and proof gaps. Secondly, proving the correctness of an automatic code generator is very difficult; therefore, a method is needed to guarantee the correctness of the produced code without proving the code generator. In this article, we address the above 2 problems by introducing an intermediate formal language called High‐Level Language (HLL) between the Event‐B models and the C code. The Event‐B model is translated to HLL with an additional schedule configuration, where Event‐B invariants and system invariants (here, deadlock‐freeness and liveness properties) are proved using a SAT‐based model checker called S3. This proof guarantees the correctness of the HLL model with respect to the Event‐B model. The C code is then automatically generated from the HLL model for most functions and is manually implemented for the third‐party ones according to the function contracts defined in Event‐B. The correctness of the generated C code is guaranteed using the equivalence proof, and the correctness of the implemented C code is guaranteed using the conformance proof. Through the article, we use a traffic light controller to illustrate the proposed method; then, we apply the method to an automatic protection function of a 3‐wheeled robot to evaluate its feasibility.

Block Library Driven Translation Validation for Dataflow Models in Safety Critical Systems

Model driven engineering is widely used in the development of complex and safety critical systems. Systems’ designs are specified and validated in domain specific modeling languages and software code is often produced by autocoding. Thus the correctness of the final systems depend on the correctness of those tools. We propose an approach for the formal verification of code generation from dataflow languages, such as Simulink, based on translation validation. It relies on the BlockLibrary DSL for the formal specification and verification of the structure, semantics and variability of the complex block libraries found in these languages. These specifications are then used here for deriving model and block-specific semantic contracts that will be woven into the generated C code. We present two different approaches for performing the block matching and weaving step. Finally, we rely on the Frama-C toolset and state-of-the-art SMT solvers for verifying the annotated code.