
Publication


Featured research published by Czeslaw Jeske.


Science of Computer Programming | 2007

Engineering and theoretical underpinnings of retrenchment

Richard Banach; Michael Poppleton; Czeslaw Jeske; Susan Stepney

Refinement is reviewed, highlighting in particular the distinction between its use as a specification constructor at a high level, and its use as an implementation mechanism at a low level. Some of its shortcomings as a specification constructor at high levels of abstraction are pointed out, and these are used to motivate the adoption of retrenchment for certain high level development steps. Basic properties of retrenchment are described, including a justification of the operation proof obligation, simple examples, its use in requirements engineering and model evolution, and simulation properties. The interaction of retrenchment with refinement notions of correctness is overviewed, as is a range of other technical issues. Two case study scenarios are presented. One is a simple digital redesign control theory problem, and the other is an overview of the application of retrenchment to the Mondex Purse development.


The Journal of Logic and Algebraic Programming | 2008

Composition mechanisms for retrenchment

Richard Banach; Czeslaw Jeske; Michael Poppleton

Retrenchment is a flexible model evolution formalism that arose as a reaction to the limitations imposed by refinement, and for which the proof obligations feature additional predicates for accommodating design data. Composition mechanisms for retrenchment are studied. Vertical, horizontal, dataflow, parallel and fusion compositions are described. Of particular note are the means by which the additional predicates compose. It is argued that all of the compositions introduced are associative, and that they are mutually coherent. Composition of retrenchment with refinement, so important for the smooth interworking of the two techniques, is discussed. Decomposition, allowing finer grained retrenchments to be extracted from a single large grained retrenchment, is also investigated.


Formal Methods | 2005

Retrenching the purse: finite sequence numbers, and the tower pattern

Richard Banach; Michael Poppleton; Czeslaw Jeske; Susan Stepney

The Mondex Electronic Purse system [18] is an outstanding example of formal refinement techniques applied to a genuine industrial scale application, and notably, was the first verification to achieve ITSEC level E6 certification. A formal abstract model including security properties, and a formal concrete model of the system design were developed, and a formal refinement was hand-proved between them in Z. Despite this success, certain requirements issues were set beyond the scope of the formal development, or handled in an unnatural manner. Retrenchment is reviewed in a form suitable for integration with Z refinement, and is used to address one such issue in detail: the finiteness of the transaction sequence number in the purse funds transfer protocol. A retrenchment is constructed from the lowest level model of the purse system to a model in which sequence numbers are finite, using a suitable elaboration of the Z promotion [21] technique. We overview the lifting of that retrenchment to the abstraction level of the higher models of the purse system. The concessions of the various retrenchments generated formally capture the dissonance between the unbounded sequence number idealisation and the bounded reality. Reasoning about when the concession can become valid influences the actual choice of sequence number bound. The retrenchment-enhanced formal development is proposed as an example of a widely applicable methodological pattern for formal developments of this kind: the Tower Pattern.


Leveraging Applications of Formal Methods | 2006

Retrenching the Purse: Hashing Injective CLEAR Codes, and Security Properties

Richard Banach; Michael Poppleton; Czeslaw Jeske; Susan Stepney

The Mondex Electronic Purse is an outstanding example of industrial scale formal refinement, and was the first verification to achieve ITSEC level E6 certification. A formal abstract model and a formal concrete model were developed, and a formal refinement was hand-proved between them. Nevertheless, certain requirements issues were set beyond the scope of the formal development, or handled in an unnatural manner. The retrenchment tower pattern is used to address one such issue in detail: the use of a hash function rather than a total injective function when clearing the highly constrained purse logs. A retrenchment is constructed from the lowest level model to a model using a hash, and is then lifted to create two refinement developments, working at different levels of detail, and connected via retrenchments. The tower development is appropriately validated, vindicating the design used.


Mathematical Structures in Computer Science | 2015

Retrenchment and Refinement Interworking: the Tower Theorems.

Richard Banach; Czeslaw Jeske

Retrenchment is a flexible model evolution formalism that compensates for the limitations imposed by specific formulations of refinement. Its refinement-like proof obligations feature additional predicates for accommodating design data describing the model change. The best results are obtained when refinement and retrenchment cooperate, the paradigmatic scheme for this being the commuting square or Tower, in which ‘horizontal retrenchment rungs’ commute with ‘vertical refinement columns’ to navigate through a much more extensive design space than permitted by refinement alone. In practice, the navigation is accomplished via ‘square completion’ constructions, and a full suite of square completion theorems is presented and proved.


Software Engineering and Formal Methods | 2007

Retrenchment and the Atomicity Pattern

Richard Banach; Czeslaw Jeske; Anthony Hall; Susan Stepney

The issues surrounding the question of atomicity, both in the past and nowadays, are briefly reviewed, and a picture of an ACID (atomic, consistent, isolated, durable) transaction as a refinement problem is presented. An example of a simple air traffic control system is introduced, and the discrepancies that can arise when read-only operations examine the state at atomic and fine-grained levels are handled by retrenchment. Non-ACID timing aspects of the ATC example are also handled by retrenchment, and the treatment is generalised as the retrenchment Atomicity Pattern. The utility of the pattern is confirmed against a different case study, the Mondex Electronic Purse.


Integrated Formal Methods | 2002

Minimally and Maximally Abstract Retrenchments

Czeslaw Jeske; Richard Banach

The drawbacks of using refinement alone in the construction of specifications from simple abstract models are used as the spur for the introduction of retrenchment -- a method based on the main ideas of refinement but one which is more liberal in character. The basics of the retrenchment mechanism are reviewed in preparation for exploring its integration with refinement. The particular aspect of integration investigated in this paper is the factorisation of a retrenchment step from an abstract to a concrete model into a refinement followed by a retrenchment. The objective is to engineer a system which is at the level of abstraction of the concrete model, but is refinable from the abstract one. The construction given here solves the problem in a universal manner, there being a canonical factorisation of the original retrenchment into an I/O-filtered refinement to the universal system followed by a retrenchment. The universal property arises from the fact that the refinement component of any similar factorisation is refinable to the universal system. An idempotence property supports the claim that the construction is at the correct level of abstraction. A synopsis of an earlier result which factorised a retrenchment step into a canonical retrenchment to a universal system followed by a refinement is presented. A refinement relationship is then shown to exist between the two universal systems. Finally, the consequences of including termination criteria are briefly explored.


The Journal of Logic and Algebraic Programming | 2010

Stronger compositions for retrenchments

Richard Banach; Czeslaw Jeske

Noting that the usual ‘propositionally’ based way of composing retrenchments can yield many ‘junk’ cases, alternative approaches to composition are introduced (via notions of tidy, neat, and fastidious retrenchments) that behave better in this regard. These alternatives do however make other issues such as associativity harder. The technical details are presented for vertical composition of retrenchments (i.e. the composition of successive retrenchment steps).


Formal Aspects of Computing | 2013

Atomicity failure and the retrenchment atomicity pattern

Richard Banach; Czeslaw Jeske; Anthony Hall; Susan Stepney

The issues surrounding the question of atomicity, both in the past and nowadays, are briefly reviewed, and a picture of an ACID (atomic, consistent, isolated, durable) transaction as a refinement problem is presented. An example of a simple air traffic control system is introduced, and the discrepancies that can arise when read-only operations examine the state at atomic and fine-grained levels are handled by retrenchment. Non-ACID timing aspects of the ATC example are also handled by retrenchment, and the treatment is generalised to yield the Retrenchment Atomicity Pattern. The utility of the pattern is confirmed against a number of different case studies. One is the Mondex Electronic Purse, its protocol treated as a conventional atomic transaction. Another is the recovery protocol of Mondex, viewed as a compensated transaction (leading to the view that compensated transactions in general fit the pattern). A final one comprises various unruly phenomena occurring in the implementations of software transactional memory systems, which can frequently display non-ACID behaviour. In all cases the Atomicity Pattern is seen to perform well.


The Journal of Logic and Algebraic Programming | 2011

Simple feature engineering via neat default retrenchments

Richard Banach; Czeslaw Jeske

Feature engineering deliberately stages the incorporation of elements of functionality into a system according to perceived user and market needs. Conventional refinement based techniques for feature engineering suffer from the need to have successive features build smoothly on their predecessors, since contradicting what has already been established is anathema for any refinement technique. Real feature engineering however must at times insist on such contradictions. Retrenchment offers a more flexible approach for capturing such less well behaved development steps within a formal framework that interworks smoothly with refinement, and a generic account of ‘simple’ feature engineering (encompassing situations in which operations may be dealt with, one at a time) is given, using a simple language to express feature oriented descriptions (FODs) of operations, and a simple rewriting formalism to express changes in the FOD. The generic account shows that under a set of reasonable assumptions, the retrenchments belong to the class of neat, default retrenchments.

Collaboration


Dive into Czeslaw Jeske's collaboration.

Top Co-Authors

Richard Banach

University of Manchester
