B development plans for the Mondex purse

1
B development plans for the Mondex purse

• Michael Butler
• University of Southampton

2
Overview of Plans

• Model and refine using Event B (action systems)
• Abstract spec describes Olympian view of service
• Refinements introduce design details /
  environmental assumptions
• Decomposition to extract architectural components
• Revise refinement chain where necessary
• Tools
• ProB model checker (Soton Dusseldorf)
• B4Free PO generator and prover (ClearSy)

3
Why Im interested in Mondex

• Abstraction, refinement, decomposition for
  distributed systems
• What is the right level of granularity for
  refinement steps?
• Improvements to tools
• Records, record extension in Event B
• Security issues
• Transactions, atomicity, compensation
• Implementation Concurrent OOP
• RODIN

4
Email Service
SERVICE Email SETS User Message VARIABLES mai
lbox User ? P Message EVENTS Send( m
Message u User ) mailbox(u)
mailbox(u) ? m Read( u User )
Message ANY m WHERE m ? mailbox(u)
THEN RETURN m END END
5
Email Service
refined by
6
Refined Email Service
SETS Package destination Server,
recipient User, contents Message
Send( m Message u User ) ANY s, p WHERE sServer pPackage destination(p) address(u) recipient (p) u contents(p) m THEN sendbuf(s) sendbuf(s) ? p END Read( u User ) Message ANY s, p WHERE p receivebuf(s) recipient(p)u THEN RETURN contents(p) END
7
New Events
Forward ANY s, p WHERE psendbuf(s) THEN sendbuf(s) sendbuf(s) - p middleware middleware ? p END Deliver ANY s, p WHERE p middleware destination(p)s THEN middleware middleware - p receivebuf(s) receivebuf(s) ? p END
8
Decomposition
SERVICE Email2 REFINES Email1 IMPORT Internet,
MailServers
Send MailServers.Send Read MailServers.Read Forward MailServers.Forward Internet.Forward Deliver Internet.Deliver MailServers.Deliver
9
Event Composition

• Event1
• ANY v,x! WHERE P(v,v,x!) THEN vv END
• Event2(x?)
• ANY w WHERE Q(w,w,x?) THEN ww END
• Event1Event2
• ANY v,w,x! WHERE P(v,v,x!)
  Q(w,w,x!)
• THEN v,w v,w END

10
Internet
SERVICE Internet
Forward(p?) middleware middleware ? p? Deliver ANY s, p! WHERE p! middleware destination(p) s THEN middleware middleware - p! END
11
Mail Servers
SERVICE MailServers
Send( m Message u User ) as before Read( u User ) Message as before Forward ANY s,p! WHERE p!sendbuf(s) THEN sendbuf(s) sendbuf(s) - p! END Deliver(p?) receivebuf(s) receivebuf(s) ? p?
12
Independent Refinement of subsystems

• MailServers refined by MailServers_m
• Internet refined by Internet_n
• THEN
• MailServers Internet refined by MailServers_m
  Internet_n

13
Interface Extension
SETS Package1 extends Package
priority Priority attachment Attachment
Send( m Message u User pr Priority att Attachment ) ANY s, p WHERE destination(p) address(u) recipient (p) u contents(p) m priority(p) p attachment(p) att THEN sendbuf(s) sendbuf(s) ? p END

• No need to change the middleware
• Previous decomposition still valid

14
Refinement proof issues

• Iterative derivation of invariant via proof
• Trade-off between granularity of refinement steps
  and ease of proof

15
The AAAP Principle

• Keep data As Abstract As Possible when
  introducing algorithmic/distributed structure
• This will minimise proof effort when introducing
  algorithmic/distributed structures
• Engineering perspective abstraction invariant
  provides insight into why a design decision works
• Formulating the abstraction invariant is an
  iterative process that proceeds hand-in-hand with
  proof

16
Code Generation

• Event B has loose algorithmic structure
• Rules for composing events to form sequential
  algorithms have been developed
• Some Challenges
• Design abstractions for concurrency / exception
  handling
• Generating code with concurrency / exception
  constructs
• Gluing, e.g., to distributed middleware
• Web services / XML messaging
• Object oriented code (UML-B)

17
2004-2007

• Partners Univ Newcastle, Åbo Akademi, Univ
  Southampton, ETH Zurich, ClearSy, Nokia,
  Praxis-CS, ATC
• Goal methodology and supporting open tool
  platform for rigorous development of dependable
  complex software systems and services.
• Formal methods fault tolerance

rodin.cs.ncl.ac.uk
18
Expected Results of RODIN

• A collection of reusable development templates
  (models, architectures, proofs, components, etc.)
  produced by the case studies.
• A set of guidelines on a systems approach to the
  rigorous development of complex systems
• An open tool platform supporting extensibility of
  the underlying formalism and integration of
  plug-in tools.
• A collection of plug-in tools for model
  construction, model simulation, model checking,
  verification, testing and code generation.

rodin.cs.ncl.ac.uk
19
Overview of Plans

• Model and refine using Event B (action systems)
• Abstract spec describes Olympian view of service
• Refinements introduce design details /
  environmental assumptions
• Decomposition to extract architectural components
• Revise refinement chain where necessary
• Tools
• ProB model checker (Soton Dusseldorf)
• B4Free PO generator and prover (ClearSy)