Frédéric Gervais

Extending statecharts with process algebra operators

This paper describes an adaptation of statecharts to take advantage of process algebra operators like those found in CSP and EB3. The resulting notation is called algebraic state transition diagrams (ASTDs). The process algebra operators considered include sequence, iteration, parallel composition, and quantified synchronization. Quantification is one of the salient features of ASTDs, because it provides a powerful mechanism to precisely and explicitly define cardinalities in a dynamic model. The formal semantics of ASTDs is expressed using the operational style typically used in process algebras. The target application domain is the specification and implementation of information systems.

Systematic translation rules from ASTD to event-B

This article presents a set of translation rules to generate Event-B machines from process-algebra based specification languages such as ASTD. Illustrated by a case study, it details the rules and the process of the translation. The ultimate goal of this systematic translation is to take advantage of Rodin, the Event-B platform to perform proofs, animation and model-checking over the translated specification.

Refinement patterns for ASTDs

This paper introduces three refinement patterns for algebraic state-transition diagrams (astds): state refinement, transition refinement and loop-transition refinement. These refinement patterns are derived from practice in using astds for specifying information systems and security policies in two industrial research projects. Two refinement relations used in these patterns are formally defined. For each pattern, proof obligations are proposed to ensure preservation of behaviour through refinement. The proposed refinement relations essentially consist in preserving scenarios by replacing abstract events with concrete events, or by introducing new events. Deadlocks cannot be introduced; divergence over new events is allowed in one of the refinement relation. We prove congruence-like properties for these three patterns, in order to show that they can be applied to a subpart of a specification while preserving global properties. These three refinement patterns are illustrated with a simple case study of a complaint management system.

Generating relational database transactions from eb3 attribute definitions

Abstracteb3 is a trace-based formal language created for the specification of information systems. In eb3, each entity and association attribute is independently defined by a recursive function on the valid traces of external events. This paper describes an algorithm that generates, for each external event, a transaction that updates the value of affected attributes in their relational database representation. The benefits are twofold: eb3 attribute specifications are automatically translated into executable programs, eliminating system design and implementation steps; the construction of information systems is streamlined, because eb3 specifications are simpler and shorter to write than corresponding traditional specifications, design and implementations. In particular, the paper shows that simple eb3 constructs can replace complex SQL queries which are typically difficult to write.

Specification of a localization component driven by a goal-based approach: some lessons we learned

The transition from the requirements phase to the formal specification phase is one of the most painful steps in software development. Up to now, no well-defined process to build initial formal models has been proposed. We have proposed a method in which initial formal models are built incrementally, driven by a goal-based approach. This paper aims at sharing the salient points of our experience to specify a localization component. We discuss the benefit of using a goal-based modeling to obtain an abstract Event-B specification.

Refinement patterns for ASTD

astd is a formal and graphical language specifically defined for information system specification. Up to now, a specifier had to build an astd specification from scratch and there were no refinement techniques for stepwise construction. This paper aims at introducing refinement patterns for astd, which are inspired from real case studies. For each pattern, proof obligations have been identified to define the refinement semantics we want to provide. The three refinement patterns presented in the paper are illustrated by an example of a basic complaint management system.

A metamodel for the design of access-control policy enforcement managers: work in progress

This paper presents a metamodel of a policy enforcement manager responsible for applying the rules defined in security policies with the aim to constraint the access to the functionalities and data of information systems. The metamodel is useful to derive platform-specific security models that provide the basis for the design and implementation of such managers for Web services as well as legacy information systems in various business sectors.

Tool building in formal methods

Formal methods can be complex to apply and integrate in industrial processes. Changing developers’ habits is a difficult task. That is why sophisticated and easy-to-use tools are needed. Tools are almost as difficult to build as the theory. They must hide the formalism behind a convivial interface and must provide readable feedback and error messages. Moreover, they must be highly reliable. It would be ironic to use formal methods through a defective tool. In the academic world, using formal-method-engineered tools is not so straightforward. Many researchers working on formal methods recommend to apply formal notations and technologies for building software. However, in practice, the tools that they are using in their research context are rarely built by means of formal methods. One of the reasons is that on the one hand, academic institutions have limited resources and big turnover of Ph.D. students and research assistants, and on the other hand, building tools represents a big amount of work, which is not greatly recognized, especially regarding to research evaluation criteria. Many other issues about tool building in formal methods can be addressed. For instance, maintenance is an important feature of the software development life-cycle. By applying formal methods, tools should be well specified and documented. Open source is also an interesting issue. Since we did not find an international event that focuses on the complex relationships between formal methods and tool building, we have decided in summer 2009 to organize a workshop on these specific topics.

B-ASM: specification of ASM à la B

We aim at extending the B language in order to build ASM programs which are correct with respect to B-like logical specifications. On the one hand, the main strengths of the B formal method are: i) the ability to express logical statements, and ii) the construction of a correct implementation by refinement. On the other hand, from our viewpoint, the striking aspects of ASM are the non-bounded outer loop that can reach the fixed point of a program and the power to express naturally any kind of (sequential) algorithms.

Formal refinement of extended state machines.

In a traditional formal development process, e.g. using the B method, the informal user requirements are (manually) translated into a global abstract formal specification. This translation is especially difficult to achieve. The Event-B method was developed to incrementally and formally construct such a specification using stepwise refinement. Each increment takes into account new properties and system aspects. In this paper, we propose to couple a graphical notation called Algebraic State-Transition Diagrams (ASTD) with an Event-B specification in order to provide a better understanding of the software behaviour. The dynamic behaviour is captured by the ASTD, which is based on automata and process algebra operators, while the data model is described by means of an Event-B specification. We propose a methodology to incrementally refine such specification couplings, taking into account new refinement relations and consistency conditions between the control specification and the data specification. We compare the specifications obtained using each approach for readability and proof complexity. The advantages and drawbacks of the traditional approach and of our methodology are discussed. The whole process is illustrated by a railway CBTC-like case study. Our approach is supported by tools for translating ASTDs into B and Event-B into B.