Laurent Voisin

Rodin: an open toolset for modelling and reasoning in Event-B

Event-B is a formal method for system-level modelling and analysis. Key features of Event-B are the use of set theory as a modelling notation, the use of refinement to represent systems at different abstraction levels and the use of mathematical proof to verify consistency between refinement levels. In this article we present the Rodin modelling tool that seamlessly integrates modelling and proving. We outline how the Event-B language was designed to facilitate proof and how the tool has been designed to support changes to models while minimising the impact of changes on existing proofs. We outline the important features of the prover architecture and explain how well-definedness is treated. The tool is extensible and configurable so that it can be adapted more easily to different application domains and development methods.

An open extensible tool environment for event-b

We consider modelling indispensable for the development of complex systems. Modelling must be carried out in a formal notation to reason and make meaningful conjectures about a model. But formal modelling of complex systems is a difficult task. Even when theorem provers improve further and get more powerful, modelling will remain difficult. The reason for this that modelling is an exploratory activity that requires ingenuity in order to arrive at a meaningful model. We are aware that automated theorem provers can discharge most of the onerous trivial proof obligations that appear when modelling systems. In this article we present a modelling tool that seamlessly integrates modelling and proving similar to what is offered today in modern integrated development environments for programming. The tool is extensible and configurable so that it can be adapted more easily to different application domains and development methods.

Adaptable Translator of B Specifications to Embedded C Programs

This paper presents the results of the RNTL BOM project, which aimed to develop an approach to generate efficient code from B formal developments. The target domain is smart card applications, in which memory and code size is an important factor. The results detailed in this paper are a new architecture of the translation process, a way to adapt the B0 language in order to include types of the target language and a set of validated optimizations. An assessment of the proposed approach is given through a case study, relative to the development of a Java Card Virtual Machine environment.

The Rodin Platform Has Turned Ten

In this talk, we give an historical account of the development of the Rodin Platform during the last 10 years.

A Roadmap for the Rodin Toolset

Event-B is a formal method for system-level modelling and analysis. Key features of Event-B are the use of set theory as a modelling notation, the use of refinement to represent systems at different abstraction levels and the use of mathematical proof to verify consistency between refinement levels.

Correct-by-construction specification to verified code

Event‐B is a formal notation and method for the systems development. The key feature of this method is to produce correct‐by‐construction system designs. Once the correct design is established, the remaining work is to generate or implement correct code from the design. Two main problems remain in the process from the correct‐by‐construction design to the correct software. First, the Event‐B design is “quasi‐correct” due to some technical limitations. For instance, it is still difficult to prove the liveness properties by the Rodin platform; it is not possible to construct the Event‐B design with floating‐point arithmetic, and sometimes, the Event‐B model is incomplete and must rely on the third‐party libraries. Therefore, a method is needed to complement these modeling and proof gaps. Secondly, proving the correctness of an automatic code generator is very difficult; therefore, a method is needed to guarantee the correctness of the produced code without proving the code generator. In this article, we address the above 2 problems by introducing an intermediate formal language called High‐Level Language (HLL) between the Event‐B models and the C code. The Event‐B model is translated to HLL with an additional schedule configuration, where Event‐B invariants and system invariants (here, deadlock‐freeness and liveness properties) are proved using a SAT‐based model checker called S3. This proof guarantees the correctness of the HLL model with respect to the Event‐B model. The C code is then automatically generated from the HLL model for most functions and is manually implemented for the third‐party ones according to the function contracts defined in Event‐B. The correctness of the generated C code is guaranteed using the equivalence proof, and the correctness of the implemented C code is guaranteed using the conformance proof. Through the article, we use a traffic light controller to illustrate the proposed method; then, we apply the method to an automatic protection function of a 3‐wheeled robot to evaluate its feasibility.

Modelling Dynamic Data Structures with the B Method.

The software B method has so far been mainly used in the industrial world to develop safety critical software with very basic memory management limited to arrays of fixed size defined at compilation time.