Jacques Julliand

B 2007: Formal Specification and Development in B

Invited Talks.- E-Voting and the Need for Rigourous Software Engineering - The Past, Present and Future.- Using B Machines for Model-Based Testing of Smartcard Software.- The Design of Spacecraft On-Board Software.- Regular Papers.- Interpreting Invariant Composition in the B Method Using the Spec# Ownership Relation: A Way to Explain and Relax B Restrictions.- Chorus Angelorum.- Augmenting B with Control Annotations.- Justifications for the Event-B Modelling Notation.- Automatic Translation from Combined B and CSP Specification to Java Programs.- Symmetry Reduction for B by Permutation Flooding.- Instantiation of Parameterized Data Structures for Model-Based Testing.- Verification of LTL on B Event Systems.- Patterns for B: Bridging Formal and Informal Development.- Time Constraint Patterns for Event B Development.- Modelling and Proof Analysis of Interrupt Driven Scheduling.- Refinement of Statemachines Using Event B Semantics.- Formal Transformation of Platform Independent Models into Platform Specific Models.- Refinement of eb 3 Process Patterns into B Specifications.- Security Policy Enforcement Through Refinement Process.- Integration of Security Policy into System Modeling.- Industrial Papers.- Experiences in Using B and UML in Industrial Development.- B in Large-Scale Projects: The Canarsie Line CBTC Experience.- A Tool for Firewall Administration.- The B-Method for the Construction of Microkernel-Based Systems.- Hardware Verification and Beyond: Using B at AWE.- Tool Papers.- A JAG Extension for Verifying LTL Properties on B Event Systems.- A Generic Flash-Based Animation Engine for ProB.- BE4: The B Extensible Eclipse Editing Environment.- BRAMA: A New Graphic Animation Tool for B Models.- LEIRIOS Test Generator: Automated Test Generation from B Models.- Meca: A Tool for Access Control Models.- JML2B: Checking JML Specifications with B Machines.- Invited Talk.- Plug-and-Play Nondeterminacy.

Program slicing enhances a verification technique combining static and dynamic analysis

Recent research proposed efficient methods for software verification combining static and dynamic analysis, where static analysis reports possible runtime errors (some of which may be false alarms) and test generation confirms or rejects them. However, test generation may time out on real-sized programs before confirming some alarms as real bugs or rejecting some others as unreachable. To overcome this problem, we propose to reduce the source code by program slicing before test generation. This paper presents new optimized and adaptive usages of program slicing, provides underlying theoretical results and the algorithm these usages rely on. The method is implemented in a tool prototype called sante (Static ANalysis and TEsting). Our experiments show that our method with program slicing outperforms previous combinations of static and dynamic analysis. Moreover, simplifying the program makes it easier to analyze detected errors and remaining alarms.

Ready-Simulation Is Not Ready to Express a Modular Refinement Relation

The B method has been successfully used to specify many industrial applications by refinement. Previously, we proposed enriching the B event systems by formulating its dynamic properties in LTL. This enables us to combine model-checking with theorem-proving verification technologies. The model-checking of LTL formulae necessitates that the B event system semantics is a transition system. In this paper, we express the refinement relation by a relationship between transition systems. A result of our study shows that this relation is a special kind of simulation allowing us to exploit the partition of the reachable state space for a modular verification of LTL formulae. The results of the paper allow us to build a bridge between the above view of the refinement and the notions of observability characterized as simulation relations by Milner, van Glabbeek, Bloom and others. The refinement relation we define in the paper is a ready-simulation generalization which is similar to the refusal simulation of Ulidowsky. The way the relation is defined allows us to obtain a compositionality result w.r.t. parallel composition operation. For complex systems, it is important in practice to associate a design by refinement with a design by a parallel composition of their components. This refinement relation has two main applications: - it allows the splitting of the refined transition system into modules; - it allows the construction of complex systems by a parallel composition of components. It makes sense to qualify the refinement relation as being modular.

Generating security tests in addition to functional tests

This paper is about generating security tests, in addition to functional tests previously generated by a model-based testing approach. The method that we present re-uses the functional model and the adaptation layer developed for the functional testing, and relies on an additional security model. We propose to compute the tests by using some test purposes as guides for the tests to be extracted from the models. We see a test purpose as the combination of a security property and a test need issued from the know-how of a security engineer. We propose a language based on regular expressions for the expression of such test purposes. We illustrate our approach with experiments on IAS.

Refinement preserves PLTL properties

We are interested in verifying dynamic properties of reactive systems. The reactive systems are specified by a B event systems in a refinement development. We use labelled transition systems to express the semantics of these event systems on which we define a refinement relation. The main advantage is that the user does not need to express a variant and a loop invariant to obtain automatic proofs of dynamic properties, at least for finite state event systems. Another advantage is that the model-checking is done on an abstraction with few states and the property is preserved in the following refinements of the system. The originality of this work concerns the proof that this refinement relation preserves the properties expressed with propositional linear temporal logic.

Synchronized Parallel Composition of Event Systems in B

A large system typically is or can be decomposed as a composition of components. Usually, these components have to cooperate so, their composition is a synchronized parallel composition. Components are often reactive systems. In the B method, each component is an event system. Then, two development paradigms - refinement and component composition - can be used. To provide both paradigms we have a compositionality result of a synchronized parallel composition with respect to refinement. We make use of this result to get an efficient approach to verify the refinement of a synchronized parallel composition between components. Therefore, our proposal allows introducing a second development paradigm in B, the component paradigm.

Modular Verification for a Class of PLTL Properties

The verification of dynamic properties of a reactive systems by model-checking leads to a potential combinatorial explosion of the state space that has to be checked. In order to deal with this problem, we define a strategy based on local verifications rather than on a global verification. The idea is to split the system into subsystems called modules, and to verify the properties on each module in separation. We prove for a class of PLTL properties that if a property is satisfied on each module, then it is globally satisfied. We call such properties modular properties. We propose a modular decomposition based on the B refinement process. We present in this paper an usual class of dynamic properties in the shape of □(p ⇒ Q), where p is a proposition and Q is a simple temporal formula, such as ○q, ⋄q or qUr (with q and r being propositions). We prove that these dynamic properties are modular. For these specific patterns, we have exhibited some syntactic conditions of modularity on their corresponding Buchi automata. These conditions define a larger class which contains other patterns such as □(p ⇒ ○(qUr)). Finally, we show through the example of an industrial Robot that this method is valid in a practical way.

Safety property driven test generation from JML specifications

This paper describes the automated generation of test sequences derived from a JML specification and a safety property written in an ad hoc language, named JTPL. The functional JML model is animated to build the test sequences w.r.t. the safety properties, which represent the test targets. From these properties, we derive strategies that are used to guide the symbolic animation. Moreover, additional JML annotations reinforce the oracle in order to guarantee that the safety properties are not violated during the execution of the test suite. Finally, we illustrate this approach on an industrial JavaCard case study.

Verification of Dynamic Constraints for B Event Systems under Fairness Assumptions

A B event systems is supposed to specify a closed system, i.e., the system is meant to be specified in isolation. So, the specification includes the specification of the system of interest and of its environment. Often, the environment supposes fairness constraints. Therefore, classically in a B system approach, we express the fairness of the environment by the specification of fair scheduler together with the events of the system of interest. This leads to an infinite state model even when the system is finite state by nature. This does not facilitate PLTL properties verification by model checking which is only effective on finite state models. In this paper, we propose to keep separate the fairness of the environment from the specification of the system of interest by a B event system. Then, the fairness is expressed as events which have to be fairly fired. So, a finite state system of interest has a finite state model. The chosen model is a finite labeled transition system which allows the model checking of PLTL properties using the fair events as assumptions. In the paper, we make diverse proposals-some of them are proposed as perspectives-for a verification under fairness assumptions. We use the protocol T=1 as a running example.

The sante tool: value analysis, program slicing and test generation for C program debugging

This short paper presents a prototype tool called SANTE (Static ANalysis and TEsting) implementing an original method combining value analysis, program slicing and structural test generation for verification of C programs. First, value analysis is called to generate alarms when it can not guarantee the absence of errors. Then the program is reduced by program slicing. Alarm-guided test generation is then used to analyze the simplified program(s) in order to confirm or reject alarms.