The B Formal Method Bibliography


  • Georges Mariano
  • Héctor Ruíz Barradas
  • Rafael Marcano
  • Eric Meyer
  • Nicole Levy

Abstract : In this paper, an approach for refining B abstract specifications describingdata-intensive applications into relational database implementations is presented. Usingthe refinement process of the B method, a set of generic refinement rules are describedthat take into account both data and operations. The last step consists of mapping thefinal refined component into a relational database implementation. The different ruleshave been checked with the AtelierB prover. The aim of the work is to automate therefinement steps. This is possible thanks to the genericity feature of the rules. The ap-proach is illustrated through a running example. In this paper, an approach for refining B abstract specifications describingdata-intensive applications into relational database implementations is presented. Usingthe refinement process of the B method, a set of generic refinement rules are describedthat take into account both data and operations. The last step consists of mapping thefinal refined component into a relational database implementation. The different ruleshave been checked with the AtelierB prover. The aim of the work is to automate therefinement steps. This is possible thanks to the genericity feature of the rules. The ap-proach is illustrated through a running example. [Laleau2001] Régine Laleau and Fiona Polack. A rigorous metamodel for UML static conceptual modelling ofinformation systems. In K. R. Dittrich, A. Geppert, and M. C. Norrie, editors, Advanced Informa-tion Systems Engineering, volume 2068 of Lecture Notes in Computer Science (Springer-Verlag),pages 402–416, Interlaken, Switzerland, June 2001. Springer-Verlag. [Laleau2006] Régine Laleau and Amel Mammar. From UML Diagrams to B Specifications. ISTE London, 2006. [Lanet2004] Jean-Louis Lanet. Produire des logiciels sûrs. Thèse d’habilitation, Université de Méditerranée,March 2004. [Lanet98] Jean-Louis Lanet and Pierre Lartigue. The use of formal methods for smartcards, a comparisonbetween B and SDL to model the T=1 protocol. In Proceedings of International Workshop onComparing Systems Specification Techniques, Nantes, March 1998. Abstract : In order to obtain high confidence in the software embedded into a smartcard, we evaluated different techniques like model checking and theorem proving. Nev-ertheless due to the low cost of smart cards and mechanical constraints, the amount ofmemory available on chips is small. The code generated by the tools must be compactenough to fit the constraints. In this paper we compare different code generators with acase study of a protocol dedicated to smart cards. We show that under some conditions,the model checking tools are able to generate code with an acceptable overhead forsmart cards. Our work on the B method is in progress. The invariants are more difficultto express and to prove but we pointed out some ambiguities and errors contained inthe standard. [email protected] c©1999–2007 INRETS-ESTAS35/59 B Method BibliographyGeorges Mariano In Pro-ceedings of the Third Smart Card Research and Advanced Application Conference (CARDIS’98),pages 85–97, Louvain-la-Neuve, (be), September 1998. Abstract : The new Gemplus smart card is based on the Java technology, embeddinga virtual machine. The security policy uses mechanisms that are based on Java prop-erties. This language provides segregation between applets. But due to the smart cardconstraints a byte code verifier can not be embedded. Moreover, in order to maximisethe number of applets the byte code must be optimised. The security properties mustbe guaranteed despite of these optimisations. For this purpose, we propose an originalmanner to prove the equivalence between the interpreter of the JVM and our Java Cardinterpreter. It is based on the refinement and proof process of the B formal method. The new Gemplus smart card is based on the Java technology, embeddinga virtual machine. The security policy uses mechanisms that are based on Java prop-erties. This language provides segregation between applets. But due to the smart cardconstraints a byte code verifier can not be embedded. Moreover, in order to maximisethe number of applets the byte code must be optimised. The security properties mustbe guaranteed despite of these optimisations. For this purpose, we propose an originalmanner to prove the equivalence between the interpreter of the JVM and our Java Cardinterpreter. It is based on the refinement and proof process of the B formal method. [Lano95] K. Lano and H. Haughton. Formal development in B Abstract Machine Notation. Information andSoftware Technology, 37(5-6) :303–316, May–June 1995. Abstract : The paper gives a comprehensive introduction to the B Abstract MachineNotation (AMN), a formal method which is based on Z and which is supported byan industrial quality toolset. The paper describes development techniques for AMN,including the formalization of requirements, specification construction, design and im-plementation. Results from a large scale safety critical development using the methodare also given. (17 Refs) The paper gives a comprehensive introduction to the B Abstract MachineNotation (AMN), a formal method which is based on Z and which is supported byan industrial quality toolset. The paper describes development techniques for AMN,including the formalization of requirements, specification construction, design and im-plementation. Results from a large scale safety critical development using the methodare also given. (17 Refs) [Lano96] Kevin Lano. The B Language and Method : A guide to Practical Formal Development. Springer-Verlag London Ltd., 1996. Abstract : B is a formal approach to software specification and development basedon the Z specification language. It has been successfully applied in industry, and hasrobust, commerciallly available tool support for the entire development lifecycle, fromspecification through to code generation. "The B language and method" provides a com-prehensive introduction to the B abstract machine notation, and how it can be used tosupport formal specification and development of high integrity systems. Beginning witha discussion of the history of B, it builds up a description of the notation from the basicmathematical notation for sets and sequences, through to the structuring mechanismsof the language, and how it supports "programming in the large". Particular emphasis isplaced on the use of B in the context of existing software development methods, includ-ing object-oriented analysis and design. Specifically designed to support the teaching ofB at undergraduate and postgraduate level, the text includes a large number of workedexamples and graduated exercises in B AMN specification. It also includes two ex-tended case studies of the development process, and an appendix of proof techniquessuitable for B. B is a formal approach to software specification and development basedon the Z specification language. It has been successfully applied in industry, and hasrobust, commerciallly available tool support for the entire development lifecycle, fromspecification through to code generation. "The B language and method" provides a com-prehensive introduction to the B abstract machine notation, and how it can be used tosupport formal specification and development of high integrity systems. Beginning witha discussion of the history of B, it builds up a description of the notation from the basicmathematical notation for sets and sequences, through to the structuring mechanismsof the language, and how it supports "programming in the large". Particular emphasis isplaced on the use of B in the context of existing software development methods, includ-ing object-oriented analysis and design. Specifically designed to support the teaching ofB at undergraduate and postgraduate level, the text includes a large number of workedexamples and graduated exercises in B AMN specification. It also includes two ex-tended case studies of the development process, and an appendix of proof techniquessuitable for B. [Lee91] M. K. O. Lee. The B formal software engineering technology and its technology transfer intoindustry. In K. R. Subramanian and E. S. Seumahu, editors, Computer, Communication and Net-working Systems : An Integrated Perspective. Proceedings of the International Conference on In-formation Engineering ICIE 91, volume 1, pages 332–40. Dept. of Inf. Syst., City Polytech. ofHong Kong, Kowloon, Hong Kong, Elsevier, Amsterdam, Netherlands, December 1991. three components, viz, the B-method, the B Toolkit, and the B-Tool. The B-method isa software development process based on Dijkstra's guarded command notation, withbuilt-in structuring mechanisms for the construction of large systems. The B Toolkit isa fully integrated CASE toolset supporting the B-method from formal systems spec-ification through automatic coding to correctness verification. The operating platformof the B Toolkit is a flexible symbolic inference engine which also acts as a theoremproving assistant. This paper gives a brief summary of the B Technology. (9 Refs) The B Toolkit isa fully integrated CASE toolset supporting the B-method from formal systems spec-ification through automatic coding to correctness verification. The operating platformof the B Toolkit is a flexible symbolic inference engine which also acts as a theoremproving assistant. This paper gives a brief summary of the B Technology. (9 Refs) [Levy02a] Nicole Levy, Rafael Marcano, and Jeanine Souquières. From requirements to formal specifica-tion using UML and B. In 2nd International Conference in Computer Systems and TechnologiesCompSysTech2002, Sofia, Bulgaria, June 2002. [MOSIM06-Fadil] H. Fadil and Jean-Luc Koning. Vers une spécification formelle des protocoles d’interactiondes systèmes multi-agents en B. In 6ème Conférence Francophone de Modélisation et SimulationModélisation, Optimisation et Simulation des Systèmes, Rabat, Maroc, April 2006. [MOSIM06-Mosbahi] O. Mosbahi and L. Jemni Ben Ayed. Utilisation conjointe de B événementiel et la logiquetemporelle TLA+ pour la modélisation et la vérification de systèmes réactifs. In 6ème ConférenceFrancophone de Modélisation et Simulation Modélisation, Optimisation et Simulation des Sys-tèmes, Rabat, Maroc, April 2006. [Marcano-PhD] Rafael Marcano-Kamenoff. Spécification formelle à objets en UML/OCL et B : Une approchetransformationnelle. Thèse de doctorat, Université de Versailles – PRiSM, December 2002. [Marcano00c] Rafael Marcano. Formalizing patterns applicability : An approach based on UML and B. InAutomated Software Engineering (ASE’2000) Doctoral Symposium, Grenoble, France, September2000. Technical report number PI-1353, IRISA. [Marcano02a] Rafael Marcano and Nicole Levy. Using B formal specifications for analysis and verification ofUML/OCL models. In Workshop on consistency problems in UML-based software development.5th International Conference on the Unified Modeling Language, Dresden, Germany, September2002. [Marcano02b] Rafael Marcano and Nicole Levy. Transformation rules of OCL constraints into B formal expres-sions. In CSDUML’2002, Workshop on critical systems development with UML. 5th InternationalConference on the Unified Modeling Language, Dresden, Germany, September 2002. [Mariano-PhD] Georges Mariano. Évaluation de logiciels critiques développés par la méthode B : une approchequantitative. Thèse de doctorat, Universitée de Valenciennes et du Hainaut-Cambrésis, December1997. [Mariano2002] Georges Mariano, Jean-Louis Boulanger, and Ammar Aljer. Formalization of digital circuits usingthe B method. In CompRail VIII, Eighth International Conference on Computer Aided Design,Manufacture and Operation in the Railway and Other Advanced Mass Transit Systems, Lemnos,Greece, June 2002. [Mariano96] Georges Mariano and El Miloudi El Koursi. Formal methods and metrics : Application to B devel-opment assessment. In W. B. Samson, I. M. Marshall, and D. G. Edgar-Nevill, editors, Proceedingsof the 5th Software Quality Conference, pages 37–55, University of Abertay Dundee, Bell Street,Dundee DD1 HG, July 1996. [Masson-2001] Pierre-Alain Masson. Vérification par model-checking modulaire de propriétés dynamiques PLTLexprimées dans le cadre de spécifications B événementielles. PhD thesis, UFR des Sciences etTechniques de Besançon, Université de Franche-Comté, December 2001. [email protected] c©1999–2007 INRETS-ESTAS37/59 B Method BibliographyGeorges MarianoAbstract : Le travail présenté dans cette thèse prend pour cadre la spécification desystèmes réactifs sous forme d’événements B. A une spécification B événementielle,on intègre l’expression de propriétés dynamiques décrites en termes de formules delogique temporelle linéaire propositionnelle (PLTL). La vérification de ces propriétéspar une technique de preuve n’est pas automatisable, aussi nous proposons d’effectuerleur vérification par modelchecking. Afin de faire face au problème de l’explosioncombinatoire lié à l’utilisation du modelchecking, nous proposons de découper parpartition le graphe d’accessibilité issu de la spécification en un ensemble de modulesde petite taille, et de mener la vérification sur chacun des modules de manière séparée.Cette méthode est appelée Vérification Modulaire. Nous voulons être en mesure, à par-tir de la vérification séparée d’une propriété sur chacun des modules, de décider si lapropriété est vérifiée globalement. Toutes les propriétés ne se prêtent pas à une tellevérification car certaines d’entre elles peuvent être fausses globalement bien que vraiessur chacun des modules. Nous définissons alors les propriétés qui se prêtent à une tellevérification de la maniêre suivante (ces propriétés sont dites modulaires) : une propriétéest modulaire si et seulement si le fait qu’elle est vraie sur chaque module impliquequ’elle est vraie globalement. Il faut noter également que tous les découpages n’aurontpas la même efficacité relativement à la vérification des propriétés. En effet, la propriétéa besoin d’être vraie sur chaque module pour que nous puissions conclure. Or, un dé-coupage aléatoire aurait de fortes chances de voir échouer la vérification d’une propriétédans un ou plusieurs modules, du fait que certains chemins qui rendent la propriété vraiepourraient être coupés. Le problème est donc de produire un découpage modulaire enaccord avec les propriétés que l’on cherche à vérifier. En résumé, nous tentons de répon-dre aux questions suivantes : * Quelles sont les propriétés vérifiables modulairement ? *Comment produire un "bon" découpage modulaire ? En réponse à la première question,nous prouvons formellement que les propriétés PLTL issues des 3 schémas de con-traintes dynamiques introduits par J.-R. Abrial et L. Mussat sont vérifiables de manièremodulaire. Nous prouvons également que tout une classe de propriétés PLTL, incluantles 3 schémas précités, est vérifiable de manière modulaire. Nous exhibons une con-dition suffisante de modularité d’une propriété. Cette condition de modularité reposesur l’analyse syntaxique de l’automate de Büchi qui code la négation d’une propriétéPLTL. Elle est donc facilement automatisable. Afin de répondre à la deuxième question,nous proposons de guider la décomposition modulaire par le raffinement B, ce qui of-fre l’avantage de produire un découpage sémantique du graphe d’accessibilité à chaqueniveau du raffinement. Nous faisons alors la distinction entre les nouvelles propriétés,introduites à un niveau donné de raffinement, et les anciennes propriétés, établies auxniveaux précédents de raffinement et conservées par celui-ci. La vérification modulaireporte sur les nouvelles propriétés. [Mejia93] Babak Dehbonei and Fernando Mejia. Verification of proofs for the B formal development process.ACM SIGPLAN Notices, 28(11) :16–21, November 1993. Abstract : Formal methods are more frequently used in the realization of industrialsafety-critical systems. From the specification through a refinement process, all thesteps are mathematically proved, generally with the help of automatic tools such asprovers. This papers adresses the problem of the verification of such tools in the frame-work of the B formal development technique. The tools are written in the languagecalled Theory Language for wich the basic proof mechanism is pattern-matching. We Formal methods are more frequently used in the realization of industrialsafety-critical systems. From the specification through a refinement process, all thesteps are mathematically proved, generally with the help of automatic tools such asprovers. This papers adresses the problem of the verification of such tools in the frame-work of the B formal development technique. The tools are written in the languagecalled Theory Language for wich the basic proof mechanism is pattern-matching. We propose a technique, based on a unification mechanism, for verifying programs writ-ten in this language. Some figures concerning the experimentation of this technique onreal-life programs are given. Abstract : A smart card is an embedded system that is generally used to supply securityto an information system. Traditionally the application and the OS were developed in asecure environment by the card issuer. For a few years, open platforms (e.g., Java Card,MultOS and Smart Card for Windows) have provided new facilities for application de-velopers. They allow dynamic storage and execution of downloaded executable code.Such architecture introduces new risks : it offers the possibility to attack the card froman applet by exploiting some implementation faults. This document provides a practi-cal overview of a Common Criteria (CC) high Evaluation Assurance Level (EAL) of aJava Card. It is not dedicated to smart card specialist as it presents the security stakesof such a technology. We present the motivation for a Java Card evaluation : reach thesame security level for the new open smart card than for traditional embedded plat-forms. We introduce the SDL, UML and the B method to illustrate the semi-formaland formal models required for a high level evaluation. The B method has been alreadyused in GEMPLUS to formal model security parts of the Java Card : bytecode verifier,interpreter and firewall. These case studies reveal the interest to use the B method toformalise the Java Card Virtual Machine (JCVM). SDL and UML are both semi-formalmodelling languages that could be used in a high EAL. This document also proposesa comparison between these two languages based on the analysis of the Java Card se-curity mechanisms specification. In a CC evaluation the use of semi-formal and formaltechniques is required to obtain the assurance of a high security level. A smart card is an embedded system that is generally used to supply securityto an information system. Traditionally the application and the OS were developed in asecure environment by the card issuer. For a few years, open platforms (e.g., Java Card,MultOS and Smart Card for Windows) have provided new facilities for application de-velopers. They allow dynamic storage and execution of downloaded executable code.Such architecture introduces new risks : it offers the possibility to attack the card froman applet by exploiting some implementation faults. This document provides a practi-cal overview of a Common Criteria (CC) high Evaluation Assurance Level (EAL) of aJava Card. It is not dedicated to smart card specialist as it presents the security stakesof such a technology. We present the motivation for a Java Card evaluation : reach thesame security level for the new open smart card than for traditional embedded plat-forms. We introduce the SDL, UML and the B method to illustrate the semi-formaland formal models required for a high level evaluation. The B method has been alreadyused in GEMPLUS to formal model security parts of the Java Card : bytecode verifier,interpreter and firewall. These case studies reveal the interest to use the B method toformalise the Java Card Virtual Machine (JCVM). SDL and UML are both semi-formalmodelling languages that could be used in a high EAL. This document also proposesa comparison between these two languages based on the analysis of the Java Card se-curity mechanisms specification. In a CC evaluation the use of semi-formal and formaltechniques is required to obtain the assurance of a high security level. [Motre2000] Stéphanie Motré. A B automaton for authentication process. In WITS’2000, Geneva (Switzerland),July 2000. Abstract : An authentication procedure can be used in various occasions. Nowadays,you have to show your personal badge to enter your firm building, your car is identifiedby an electronic tag on its windshield at the parking entrance, your retina is scanned atyour desk door, and a finger prints analyzer permits you to access confidential networkfrom your computer. All these procedures are applications that include informationcollection (tag information obtaining, retina picture construction...), client server infor-mation exchanges (Who corresponds to the collected information ? Which permissionsare granted to the person that has been identified ?), and an authentication policy. Thesecurity policy describes the constraints that should be enforced by any execution ofthe authentication procedure. It is represented by a security automaton, which shall beglobal to any authentication mechanism. F. Schneider [She-99] exposes that a securityautomaton can be applied to access control, information flow or resources availability An authentication procedure can be used in various occasions. Nowadays,you have to show your personal badge to enter your firm building, your car is identifiedby an electronic tag on its windshield at the parking entrance, your retina is scanned atyour desk door, and a finger prints analyzer permits you to access confidential networkfrom your computer. All these procedures are applications that include informationcollection (tag information obtaining, retina picture construction...), client server infor-mation exchanges (Who corresponds to the collected information ? Which permissionsare granted to the person that has been identified ?), and an authentication policy. Thesecurity policy describes the constraints that should be enforced by any execution ofthe authentication procedure. It is represented by a security automaton, which shall beglobal to any authentication mechanism. F. Schneider [She-99] exposes that a securityautomaton can be applied to access control, information flow or resources availability processes. In this document, he describes the execution monitoring as a way to super-vise an application execution and to detect any illegal action. D. Walker [Wal-00] hasgiven a way to type those automata using formal semantics. It comprises a formal specifica-tion language, called abstract machine notation (AMN), a B method and a B toolkit.AMN allows a large specification to be structured as a number of component specifica-tions, and supports the progressive refinement of these components down to executablecode. The B method provides guidance on the use of AMN for a software development,and the B toolkit provides advanced facilities to support a formal AMN development,including specification construction, animation, proof and code generation. This paperreports on a case study which has been undertaken as part of a DTI-funded project toevaluate the broader applicability of the B technology. The case study is concerned withthe use of AMN with the CORE requirements modelling method for a short term con-flict alert (STCA) air traffic control function. The paper provides a brief introduction tothe B technology and the STCA CORE experiment, before discussing the overall resultsof the case study. Generally, the B technology is considered to offer potential advan-tages over existing formal specification technologies, but enhancements are requiredto improve its effectiveness for the analysis and design stages of complex informationsystems ; notably, in the handling of highly structured data. (5 Refs) The B technology is a novel mathematically-formal approach to the de-velopment of software, which has been devised primarily to address the stages fromsoftware design specification to executable program. It comprises a formal specifica-tion language, called abstract machine notation (AMN), a B method and a B toolkit.AMN allows a large specification to be structured as a number of component specifica-tions, and supports the progressive refinement of these components down to executablecode. The B method provides guidance on the use of AMN for a software development,and the B toolkit provides advanced facilities to support a formal AMN development,including specification construction, animation, proof and code generation. This paperreports on a case study which has been undertaken as part of a DTI-funded project toevaluate the broader applicability of the B technology. The case study is concerned withthe use of AMN with the CORE requirements modelling method for a short term con-flict alert (STCA) air traffic control function. The paper provides a brief introduction tothe B technology and the STCA CORE experiment, before discussing the overall resultsof the case study. Generally, the B technology is considered to offer potential advan-tages over existing formal specification technologies, but enhancements are requiredto improve its effectiveness for the analysis and design stages of complex informationsystems ; notably, in the handling of highly structured data. (5 Refs) [NFM96-DT] Jonathan Draper and Helen Treharne. The refinement of embedded software with the B-method. InNorthern Formal Methods Workshops in Computer Science, Workshops in Computing, Bradford,November 1996. Springer-Verlag. Abstract : The paper described the use of formal refinement within the MIST project.MIST (Measurable Improvement in Specification Techniques) was ESSI applicationexperiment 10228. It details a specification style developed by the project that modelsembedded software within a system context. The paper described the use of formal refinement within the MIST project.MIST (Measurable Improvement in Specification Techniques) was ESSI applicationexperiment 10228. It details a specification style developed by the project that modelsembedded software within a system context. [Nei91] D. Neilson. Machine support on Z : the zedB tool. In J. E. Nicholls, editor, Z User Workshop,Oxford 1990. Proceedings of the Fifth Annual Z User Meeting, pages 105–28. Springer-Verlag,Berlin, Germany, December 1991. Abstract : Many operations on schemas are purely systematic processes ; for exam-ple, decoration, expansion, evaluation of Delta and Xi schemas, and the calculation ofschema composition, hiding, and precondition, up to the application of the so-calledone-point rule. Each of these activities may therefore be fully automated. The ITRU(Information Technology Research Unit) at BP Research is engaged in research intoformal software development methods has developed B : a formal method built on theB tool. The author describes an application of the B tool which provides a theorem prov-ing environment for the analysis of Z specifications, incorporating the full automationof many schema operations. (11 Refs) Many operations on schemas are purely systematic processes ; for exam-ple, decoration, expansion, evaluation of Delta and Xi schemas, and the calculation ofschema composition, hiding, and precondition, up to the application of the so-calledone-point rule. Each of these activities may therefore be fully automated. The ITRU(Information Technology Research Unit) at BP Research is engaged in research intoformal software development methods has developed B : a formal method built on theB tool. The author describes an application of the B tool which provides a theorem prov-ing environment for the analysis of Z specifications, incorporating the full automationof many schema operations. (11 Refs) [Neilson94] D. S. Neilson and I. H. Sorensen. The B-Technologies : a system for computer aided programming.In Proceedings 6th Nordic Workshop on Programming Theory, pages 18–35, 1994. [email protected] c©1999–2007 INRETS-ESTAS40/59 B Method BibliographyGeorges MarianoAbstract : The paper introduces the B-Technologies, a mathematically based formalmethod and a toolset for computer aided software engineering. The B-Technologies(comprising three components-the B-Method, the B-Tool and the B-Toolkit) have beendesigned to scale up formal methods for practical application. The B-Method and the B-Toolkit are described. The B-Method is designed to provide a notation and a methodol-ogy for the formal specification, design, implementation and maintenance of industrial-scale software systems. The features of incremental construction of layered software aswell as its incremental verification have been guiding principles in the development ofthe B-Method. The method uses Abrial’s (1993) Abstract Machine Notation (AMN) asthe language for specification, design and implementation within the software process.AMN is is based on an extension of Dijkstra’s (1976) guarded command notation, withbuilt-in structuring mechanisms for the construction of large systems. The B-Toolkitsupports the method over the entire spectrum of activities from specification throughdesign and implementation into maintenance. The B-Toolkit comprises automatic andinteractive theorem-proving assistants, a proof printer and a set of software develop-ment tools : an AMN syntax and type checker, a specification animator and generatorspromoting an object oriented approach at all stages of development, and the reuse ofspecification models/software modules. All tools are integrated with the proof assistantsinto a window-based development environment. (22 Refs) [Okalas-PhD] Dieudonné Okalas-Ossami. Construction Simultanée de Spécifications Multi-Vues UML et B. PhDthesis, LORIA-Université Nancy2, October 2006. [PRA95b] C. H. Pratten. The AMN-PROOF tool : Proving AMN specifications with the HOL theorem prover.http :// chp/papers.html, May 1995. [Parreaux-PhD] Benoît Parreaux. Vérification de systèmes d’événements B par model-checking PLTL ; Con-tribution à la réduction de l’explosion combinatoire en utilisant de la résolution de contraintesensemblistes. Thèse de doctorat, Laboratoire d’Informatique de l’Université de Franche-Comté(L.I.F.C.), 2000. [Petit-PhD] Dorian Petit. Génération automatique de composants logiciels sûrs à partir de spécificationsformelles B. Thèse de doctorat, Université de Valenciennes et du Hainaut-Cambrésis, December2003. [Plosila-2000] Juha Plosila, Kaisa Sere, and Marina Waldén. Component-based asynchronous circuit design inB. Technical Report 377, Turku Center for Computer Science, December 1999. Abstract : Action systems offer a component-based approach to circuit design.Component-based approaches are well established in hardware design, but are only re-cently more established in software design. However, software oriented methods allowa higher level of abstraction than the often quite low-level hardware design methodsused today. We propose a method to organise a large circuit derivation within the BMethod via its library facilities as provided by the tools. The developer proceeds froman abstract high-level specification of the intended behaviour of the target circuit viacorrectness-preserving transformation steps towards an implementable circuit descrip-tion. At each step some part of the specification is implemented using a library com-ponent chosen by the designer and the correctness of the step is proved using the toolsupport of the B Method. We develop the needed program transformation rules that thedesigner can appeal to when using library components in his or her design. Action systems offer a component-based approach to circuit design.Component-based approaches are well established in hardware design, but are only re-cently more established in software design. However, software oriented methods allowa higher level of abstraction than the often quite low-level hardware design methodsused today. We propose a method to organise a large circuit derivation within the BMethod via its library facilities as provided by the tools. The developer proceeds froman abstract high-level specification of the intended behaviour of the target circuit viacorrectness-preserving transformation steps towards an implementable circuit descrip-tion. At each step some part of the specification is implemented using a library com-ponent chosen by the designer and the correctness of the step is proved using the toolsupport of the B Method. The paper discusses the authors' experiences in reengineering and subse-quently refining part of a Z style specification of the Graphics Kernel System using theAbstract Machine Notation as supported in the B Toolkit. (10 Refs) (10 Refs) [RODIN-BEvt] Christophe Metayer, Jean-Raymond Abrial, and Laurent Voisin. Event-B language. RODINProject Deliverable D7, May 2005. [Requet00] Antoine Requet. A B model for ensuring soundness of the Java card virtual machine. InFMICS’2000, Berlin, March 2000. Abstract : Java Cards are a new generation of smart cards that use the Java program-ming language. As smart cards are usually used to supply security to a system, securityrequirements are very strong and certification can become a competitive advantage.Such a certification to a high Common Criteria or ITSEC level requires the proof of allthe security mechanisms. Those security mechanisms include the byte code interpreterand verifier of the virtual machine. Previous works have been done on methodology forproving the soundness of the byte code interpreter and verifier using the B method. Itrefines an abstract defensive interpreter into a byte code verifier and a byte code inter-preter. However, this work had only been tested on a very small subset of the Java Cardinstruction set. This paper presents a work aiming at verifying the scalability of thisprevious work. The original instruction subset of about ten instructions has been ex-tended to more than one hundred instructions, and the additional cost of the proof hasbeen managed by modifying the specification in order to group opcodes by properties. Java Cards are a new generation of smart cards that use the Java program-ming language. As smart cards are usually used to supply security to a system, securityrequirements are very strong and certification can become a competitive advantage.Such a certification to a high Common Criteria or ITSEC level requires the proof of allthe security mechanisms. Those security mechanisms include the byte code interpreterand verifier of the virtual machine. Previous works have been done on methodology forproving the soundness of the byte code interpreter and verifier using the B method. Itrefines an abstract defensive interpreter into a byte code verifier and a byte code inter-preter. However, this work had only been tested on a very small subset of the Java Cardinstruction set. This paper presents a work aiming at verifying the scalability of thisprevious work. The original instruction subset of about ten instructions has been ex-tended to more than one hundred instructions, and the additional cost of the proof hasbeen managed by modifying the specification in order to group opcodes by properties. [Robinson97] K. A. Robinson. The B-method and the B-toolkit. In Sixth International Conference, AlgebraicMethodology and Software Technology, pages 576–580. Sydney, Springer, December 1997. Abstract : The B Method is a full spectrum formal software development method thatcovers the software process from specification to implementation. The method usesstate machines, defined using logic and set theory with a notation similar to that of Z,that export operations. The method supports a notion of refinement and implementation,which is based on the notion of refinement in the refinement calculus with the exceptionthat there is no distinction between procedural and data refinement. The B Toolkit is aconfiguration tool that manages developments under the B Method, generating proofobligations and supporting tools for the discharge of those proof obligations. There isalso support for the generation of documentation, and for the browsing of developments. The B Method is a full spectrum formal software development method thatcovers the software process from specification to implementation. The method usesstate machines, defined using logic and set theory with a notation similar to that of Z,that export operations. The method supports a notion of refinement and implementation,which is based on the notion of refinement in the refinement calculus with the exceptionthat there is no distinction between procedural and data refinement. The B Toolkit is aconfiguration tool that manages developments under the B Method, generating proofobligations and supporting tools for the discharge of those proof obligations. There isalso support for the generation of documentation, and for the browsing of developments. [SAC06-Fekih] Houda Fekih, Leila Jemni Ben Ayed, and Stephan Merz. Transformation of B specifications intoUML class diagrams and state machines. In 21st Annual ACM Symposium on Applied ComputingSAC 2006, volume 2, pages 1840–1844, Dijon, France, April 2006. [SCI04-Boulanger] Jean-Louis Boulanger. BHDL an example. In SCI 2004 The 8th World Multi-Conferenceon Systemics, Cybernetics and Informatics, Orlando, Florida, USA, volume IX, pages 150–155.International Institute of Informatics and Systemics, July 2004. [SH94] A. C. Storey and H. P. Haughton. A strategy for the production of verifiable code using the BMethod. In Springer-Verlag, editor, FME ’94 : Industrial Benefit of Formal Methods. SecondInternational Symposium of Formal Methods Europe. 1994.Abstract : The purpose of this paper is to describe extensions to the B Method in or-der to facilitate the generation of provably correct SPARK Ada, code. Two strategies [email protected] c©1999–2007 INRETS-ESTAS42/59 B Method BibliographyGeorges Marianoare provided. Firstly, a process model for the B Method is stated that allows the semi-automatic production of refinements through the use of standard library machines. Sec-ondly, transformation rules are given for the automatic generation of SPARK Ada codefrom these refinement’s. Finally, an overview is given of how the semantics of AbstractMachine Notation and SPARK Ada can be used in order to verify these transformationrules. (7 Refs) [SOFSEM95] J. C. Bicarregui and B. M. Matthews. Formal methods in practice : a comparison of two supportsystems for proof. In Bartosek and al., editors, SOFSEM’95 : Theory and Practice of Informatics,volume 1012 of Lecture Notes in Computer Science (Springer-Verlag). Springer-Verlag, 1995. Abstract : http :// :80/ jcb1/ http :// :80/ jcb1/ [Schneider05] Steve Schneider, Thai Son Hoang, Ken Robinson, and Helen Treharne. Tank monitoring : A pAMNcase study. Electronic Notes in Theoretical Computer Science, 137(2) :183–204, 2005. Abstract : The introduction of probabilistic behaviour into the B-Method is a recentdevelopment. In addition to allowing probabilistic behaviour to be modelled, the rela-tionship between expected values of the machine state can be expressed and verified.This paper explores the application of probabilistic B to a simple case study : trackingthe volume of liquid held in a tank by measuring the flow of liquid into it. The flow canchange as time progresses, and sensors are used to measure the flow with some degreeof accuracy and reliability, modelled as non-deterministic and probabilistic behaviourrespectively. At the specification level, the analysis is concerned with the expectationclause in the probabilistic B machine and its consistency with machine operations. Atthe refinement level, refinement and equivalence laws on probabilistic GSL are used toestablish that a particular design of sensors delivers the required level of reliability. The introduction of probabilistic behaviour into the B-Method is a recentdevelopment. In addition to allowing probabilistic behaviour to be modelled, the rela-tionship between expected values of the machine state can be expressed and verified.This paper explores the application of probabilistic B to a simple case study : trackingthe volume of liquid held in a tank by measuring the flow of liquid into it. The flow canchange as time progresses, and sensors are used to measure the flow with some degreeof accuracy and reliability, modelled as non-deterministic and probabilistic behaviourrespectively. At the specification level, the analysis is concerned with the expectationclause in the probabilistic B machine and its consistency with machine operations. Atthe refinement level, refinement and equivalence laws on probabilistic GSL are used toestablish that a particular design of sensors delivers the required level of reliability. [Schneider2002] Steve Schneider. The B-Method : An Introduction. Palgrave, 2002. Abstract : This book provides a comprehensive introduction to the B-Method, whichis a rigorous methodology for the development of correct software, underpinned bypowerful state-of-the-art tool support. It covers the B approach to software developmentfrom specification through refinement, down to implementation and automatic codegeneration, with verification at each stage. The book assumes no prior knowledge andis written in a tutorial style, containing numerous illustrative examples, exercises andself-tests with answers. http :// This book provides a comprehensive introduction to the B-Method, whichis a rigorous methodology for the development of correct software, underpinned bypowerful state-of-the-art tool support. It covers the B approach to software developmentfrom specification through refinement, down to implementation and automatic codegeneration, with verification at each stage. The book assumes no prior knowledge andis written in a tutorial style, containing numerous illustrative examples, exercises andself-tests with answers. http :// [Sekerinski2001] E. Sekerinski and R. Zurob. iState : A statechart translator. In M. Gogolla and Kobryn C.,editors, UML 2001 The Unified Modeling Language, Toronto, Canada, number 2185, pages 376–390. Lecture Notes in Computer Science, Springer-Verlag, October 2001. [Sekerinski2002] E. Sekerinski and R. Zurob. Translating statecharts to B. In Proceedings of Integrated FormalMethods, Turku, Finland. IFM 2002, Lecture Notes in Computer Science, Springer-Verlag, May2002. Abstract : We present algorithms for the translation of statecharts to the Abstract Ma-chine Notation of the B method. These algorithms have been implemented in iState, atool for translating statecharts to various programming languages. The translation pro-ceeds in several phases. We give a model of statecharts, a model of the code in AMN,as well as the intermediate representations in terms of class diagrams and their textualcounterpart. The translation algorithms are expressed in terms of these models. We alsodiscuss optimizations of the generated code. The translation scheme is motivated bymaking the generated code comprehensible. We present algorithms for the translation of statecharts to the Abstract Ma-chine Notation of the B method. These algorithms have been implemented in iState, atool for translating statecharts to various programming languages. The translation pro-ceeds in several phases. We give a model of statecharts, a model of the code in AMN,as well as the intermediate representations in terms of class diagrams and their textualcounterpart. The translation algorithms are expressed in terms of these models. We alsodiscuss optimizations of the generated code. The translation scheme is motivated bymaking the generated code comprehensible. [email protected] c©1999–2007 INRETS-ESTAS43/59 B Method BibliographyGeorges Mariano[Snook-2002] Colin Snook. Combining UML and B. In In Proceedings of Forum on Specification & DesignLanguages, Marseille. FDL 2002, 2002. Abstract : Formal specification is recognised as a difficult task (Snook & Harrison,2001) and the adaptation of semi-formal object oriented modelling tools has beenproposed by several authors including Meyer & Souquieres (1999). Here we give anoverview of a prototype tool for converting annotated UML (OMG, 2001) class andstate diagrams into the B notation. The tool was developed during the "MATISSE"project in a healthcare case study (Petre, Troubitsyna, and Waldén, 2002). In this casestudy, B-Action systems were used to analyse the safety of a pharmaceutical labora-tory instrument in several stages of refinement. B-Action systems (Butler and Waldén,1998, Waldén and Sere, 1998) are specifications of distributed systems written in the BMethod (Abrial, 1996) using a style based on stepwise refinement of event based mod-els. The tool enabled each stage of refinement to be specified in a clear visual (UMLbased) form prior to conversion to B for verification. The U2B translator converts Ra-tional Rose (Rational 2000) UML Class diagrams and attached state charts, into the Bnotation. Formal specification is recognised as a difficult task (Snook & Harrison,2001) and the adaptation of semi-formal object oriented modelling tools has beenproposed by several authors including Meyer & Souquieres (1999). Here we give anoverview of a prototype tool for converting annotated UML (OMG, 2001) class andstate diagrams into the B notation. The tool was developed during the "MATISSE"project in a healthcare case study (Petre, Troubitsyna, and Waldén, 2002). In this casestudy, B-Action systems were used to analyse the safety of a pharmaceutical labora-tory instrument in several stages of refinement. B-Action systems (Butler and Waldén,1998, Waldén and Sere, 1998) are specifications of distributed systems written in the BMethod (Abrial, 1996) using a style based on stepwise refinement of event based mod-els. The tool enabled each stage of refinement to be specified in a clear visual (UMLbased) form prior to conversion to B for verification. The U2B translator converts Ra-tional Rose (Rational 2000) UML Class diagrams and attached state charts, into the Bnotation. [Snook-2003] Colin Snook and Kim Sandström. Using UML-B and U2B for formal refinement of digital com-ponents. In In Proceedings of Forum on specification & design languages, Frankfurt. FDL2003,2003. Abstract : In this paper we look at using formal methods to verify the transformationof a digital design from abstract functional specification to bit level implementation. Asboth authors are in-experienced in formal proof we saw this as a test of the practical-ity of introducing proof tools in an industrial setting rather than an exemplar of suchmethods Rigorous verification is desirable in digital design because mistakes can beextremely costly. However, there are drawbacks and barriers to introducing formal no-tations. Formal notations are abstraction hungry, viscous and require insight, experienceand look-ahead. Hence we specialise the UML to alleviate these problems by providinga semi-graphical form of the formal notation B based on existing visual modelling tools.With a small case study, we show the use of B-UML using an event style of modellingto refine a macro level function into a cascade of single bit cells. We attempt to provethe refinement with the assistance of available proof tools but find that the problem isdeceptively difficult In this paper we look at using formal methods to verify the transformationof a digital design from abstract functional specification to bit level implementation. Asboth authors are in-experienced in formal proof we saw this as a test of the practical-ity of introducing proof tools in an industrial setting rather than an exemplar of suchmethods Rigorous verification is desirable in digital design because mistakes can beextremely costly. However, there are drawbacks and barriers to introducing formal no-tations. Formal notations are abstraction hungry, viscous and require insight, experienceand look-ahead. Hence we specialise the UML to alleviate these problems by providinga semi-graphical form of the formal notation B based on existing visual modelling tools.With a small case study, we show the use of B-UML using an event style of modellingto refine a macro level function into a cascade of single bit cells. We attempt to provethe refinement with the assistance of available proof tools but find that the problem isdeceptively difficult [Sorensen2001] Ib Sorensen and David Neilson. B : towards zero defect software. pages 23–42, 2001. [Sorensen94] I. H. Sorensen. Demonstration of the B-Toolkit. In Proceedings 6th Nordic Workshop on Pro-gramming Theory, 1994. Abstract : The B-Toolkit is a suite of integrated programs which implement the B-Method for software development. The B-Toolkit is a suite of integrated programs which implement the B-Method for software development. The BMethod is a collection of formal techniqueswhich give a basis to those activities of software development that range from tech-nical software specification, through design and integration, to code generation andinto maintenance. The B-Method and the specification language AMN (Abstract Ma-chine Notation) are in many respects similar to other "model oriented" formal methods.They employ a conventional "pseudo" programming style. The B-Tool is a languageinterpreter for the B Theory Language. This language is a special purpose languagefor writing interactive and automatic proof assistants and other systems where patternmatching, substitution and re-write mechanisms can be used. The B-Toolkit's component tools are implemented in the B Theory Language and is interpreted by the B-Tool.(0 Refs) The BMethod is a collection of formal techniqueswhich give a basis to those activities of software development that range from tech-nical software specification, through design and integration, to code generation andinto maintenance. The B-Method and the specification language AMN (Abstract Ma-chine Notation) are in many respects similar to other "model oriented" formal methods.They employ a conventional "pseudo" programming style. The B-Tool is a languageinterpreter for the B Theory Language. This language is a special purpose languagefor writing interactive and automatic proof assistants and other systems where patternmatching, substitution and re-write mechanisms can be used. The B-Toolkit’s [email protected] c©1999–2007 INRETS-ESTAS44/59 B Method BibliographyGeorges Marianonent tools are implemented in the B Theory Language and is interpreted by the B-Tool.(0 Refs) [Sto92] A. Storey. A specification case study using the B-methodology. Software Testing, Verification andReliability, 2(4) :187–202, December 1992. Abstract : The B-Method is a complete formal development process for mathemat-ically transforming software systems from specification through to code. This articleprovides the reader with an overview of the process including a description of the lan-guage used for specifying systems (Abstract Machine Notation) and demonstrates itsapplication by a simple, real-life case study. The method has tool support in the form ofa tool-kit which is described and applied to the case study. The results of the case studyshow how a system can be validated and verified in the early stages of its developmentthrough proof of the mathematical specification and an animating tool. (12 Refs) The B-Method is a complete formal development process for mathemat-ically transforming software systems from specification through to code. This articleprovides the reader with an overview of the process including a description of the lan-guage used for specifying systems (Abstract Machine Notation) and demonstrates itsapplication by a simple, real-life case study. The method has tool support in the form ofa tool-kit which is described and applied to the case study. The results of the case studyshow how a system can be validated and verified in the early stages of its developmentthrough proof of the mathematical specification and an animating tool. (12 Refs) [Stoddart94] Bill Stoddart. Forth as an abstract machine. In euroForth ’94 Conference Proccedings, MPE Ltd,133 Hill Lane, Southampton SO1 5AF, UK, November 1994. Forth Interest Group. Abstract : This is a work in progress paper on producing a formal equivalent to theForth ANSI Standard. The chosen notation is AMN (Abstract Machine Notation). Thepaper gives some comments on the formalisation process and on some features of AMN. This is a work in progress paper on producing a formal equivalent to theForth ANSI Standard. The chosen notation is AMN (Abstract Machine Notation). Thepaper gives some comments on the formalisation process and on some features of AMN. [Stoddart99] Bill Stoddart, Steve Dunne, and Andy Galloway. Undefined expressions and logic in Z and B.Formal Methods in System Design : An International Journal, 15(3) :201–215, November 1999. [TSI20-Julliand] J. Julliand, P.-A. Masson, and H. Mountassir. Vérification par model-checking modulaire despropriétés dynamiques introduites en B. TSI (Technique et Science Informatiques), 20(7) :927–957, 2001. [TSI21-Boite] Olivier Boite. Automatiser les preuves d’un sous-langage de la méthode B. Technique et ScienceInformatique, 21(8), 2002. [TSI22-Abrial] Jean-Raymond Abrial. B : passé, présent, futur. Technique et Science Informatique, 22(1) :89–118, 2003. [TSI22-Burdy] Lilian Burdy, Ludovic Casset, and Antoine Requet. Développement formel d’un vérifieur embar-qué de byte-code java. Technique et Science Informatique, 22(1) :33–60, 2003. [TSI22-Dolle] D. Dollé, D. Essamé, and J. Falampin. B dans le transport ferroviaire. L’expérience de siemens.Technique et Science Informatique, 22(1) :11–32, 2003. [TSI22-Potet] Marie-Laure Potet. Spécificiation et développements structurés dans la méthode B principes etvalidation. Technique et Science Informatique, 22(1) :61–88, 2003. [TTV96] S. Taouil-Traverson and S. Vignes. A preliminary analysis cycle for B development. In Bey-ong 2000 : Hardware and Software Design Strategies, pages 319–325. EUROMICRO 96, Prague,Czech Republic, September 1996. [TUCS-TR-53] Michael J. Butler and M. Walden. Distributed system development in B. Technical Report 53,Turku Centre for Computer Science, Finland, October 1996. Abstract : The B-Method is a method for the stepwise derivation of sequential pro-grams. In this paper we show how the B-Method can be used for designing distributedsystems by embedding action systems within this method. The action system formalismis designed for the construction of parallel and distributed systems in a stepwise mannerwithin the refinement calculus. We describe how action systems are written in B AMN.We also show the correspondence between refinement rules for action systems and the The B-Method is a method for the stepwise derivation of sequential pro-grams. In this paper we show how the B-Method can be used for designing distributedsystems by embedding action systems within this method. The action system formalismis designed for the construction of parallel and distributed systems in a stepwise mannerwithin the refinement calculus. We describe how action systems are written in B AMN.We also show the correspondence between refinement rules for action systems and the [email protected] c©1999–2007 INRETS-ESTAS45/59 B Method BibliographyGeorges Marianoproof obligations generated in the B-Method. Furthermore, we propose an extensionof the B-Method to cover parallel and distributed systems. Familiarity with B AMN isassumed. [Tatibouet2001] Bruno Tatibouët and J. C. Voisinet. jBTools and B2UML : a platform and a tool to provide aUML class diagram since à B specification. In ICSSEA’2001 – 14th Int. Conf. on Software SystemsEngineering and Their Applications, volume 2, CNAM, Paris, France, December 2001. [Tatibouet2003] Bruno Tatibouët, Antoine Requet, Jean-Christophe Voisinet, and Ahmed Hammad. Java cardcode generation from B specifications. In J. S. Dong and J. Woodcock, editors, ICFEM, volume2885, pages 306–318. Formal Methods and Software Engineering, Springer-Verlag, 2003. [Thuan-PhD] N. Thuan. Utilisation de B pour la vérification de spécifications UML et le développement formelorienté objet. PhD thesis, LORIA -Université Nancy2, 2006.Abstract : The coupling of object-oriented approaches with the B method makes im-provement the activities of software specification and development. The B methodprovides notations for the specification and powerful tools, allowing to specify andverify models. The object-oriented approaches provide interesting mechanisms for thestructuring and the development of large systems. The contribution of this thesis dealswith the activities of coupling between these two formalisms by using the B proversto validate and verify UML specifications. By extending the derivation of UML to Bof preceding works realised in the Dedale research group, we propose an approachof the derivation to B of the UML meta-models, the static diagrams and the dynamicdiagrams. The aim of this proposition is to check semantics and coherence betweendifferent diagrams of UML specification. Our thesis brings also a contribution to thedevelopment of objects oriented specifications using B. The first proposition concernsthe taking into account some types of association between classes during the derivationto B. The second relates the validation of object-oriented specifications described byUML2.0 sequence diagrams. [Traverson-PhD] Souâd Taouil-Traverson. Stratégie d’intération de la méthode B dans la construction de logicielcritique. Thèse de doctorat, Ecole Nationale Supèrieure des Télécommunications, 1997. [Traverson97] Souad Traverson and Sylvie Vignes. Intégration de la méthode B dans la construction de logicielscritiques. In Le Génie Logiciel est ses Applications – 1o eme Journées Internatinales ACTES,number 46 in Génie Logiciel, pages 100–106, December 1997. [Treharne99a] Helen Treharne and Steve Schneider. Using a process algebra to control B OPERATIONS. Tech-nical Report CSD-TR-99-01, Royal Holloway, Department of Computer Science, University ofLondon, Egham, Surrey TW20 0EX, England, June 1999. [Treharne99b] Helen Treharne and Steve Schneider. Capturing timing requirements formally in AMN. TechnicalReport CSD-TR-99-06, Royal Holloway, Department of Computer Science, University of London,Egham, Surrey TW20 0EX, England, June 1999. [Treharne :IFM99] Helen Treharne and Steve Schneider. Using a process algebra to control B OPERATIONS. InIFM’99 1st International Conference on Integrated Formal Methods, pages 437–457, York, June1999. Springer-Verlag.Abstract : The B-Method is a state-based formal method that describes system be-haviour in terms of MACHINES whose state changes under OPERATIONS. The pro-cess algebra CSP is an event-based formalism that enables descriptions of patterns ofsystem behaviour. This paper is concerned with the combination of these complemen-tary views, in which CSP is used to describe the control executive for a B Abstract [email protected] c©1999–2007 INRETS-ESTAS46/59 B Method BibliographyGeorges MarianoSystem. We discuss consistency between the two views and how it can be formallyestablished. A typical avionics system motivates the work. Its specification and con-trol executive are presented in the paper. The relationship with other approaches is alsodiscussed.[UMLB] Jean P. Mermet, editor. UML-B Specification for Proven Embedded Systems Design. ChDL.Kluwer Academic Publishers, 2004. [UMLB-Kronlof] Klaus Kronlof and Ian Oliver. Formally Unified System Specification Environment with UML,B and SystemC., chapter 2, pages 21–36. Kluwer Academic Publishers, 2004. [UMLB-Voros] Nikolaos S. Voros, Colin Snook, Stefan Hallerstede, and Thierry Lecomte. Embedded SystemDesign Using the PUSSEE Method, chapter 3, pages 37–51. Kluwer Academic Publishers, 2004. [VDM88] R. Bloomfield, L. Marshall, and R. Jones, editors. VDM 88. VDM The Way Ahead. 2nd VDM-Europe Symposium. Proceedings. Springer-Verlag, Berlin, West Germany, September 1988.Abstract : The following topics were dealt with : Vienna Development Method ; spec-ification languages ; formal specification ; program verification ; standardisation ; com-puter graphics ; B tool ; compiler prototyping ; NUSL ; formal reasoning ; Flagship ;Modula-2 ; VIP ; SAMPLE ; three-valued logic and predicates ; MetaSoft ; algebraicdomain equations ; proof rules ; Muffin ; RAISE ; term rewriting ; software support ;and Chinese characters.[VDM91] S. Prehn and W. J. Toetenel, editors. VDM91. Formal Software Development Methods. 4th In-ternational Symposium of VDM Europe Proceedings. Vol.2 : Tutorials. Springer-Verlag, Berlin,Germany, October 1991.Abstract : The following topics were dealt with : VDM (Vienna Development Method-ology) ; formal software development ; Larch and LCL specification languages ; RAISEspecification language ; ABEL formal development ; PROSPECTRA methodology ; re-finement calculus ; the B method ; and mathematical methods for reliable systems de-velopment.[VoisinetTJ05] Jean-Christophe Voisinet, Bruno Tatibouët, and Isabelle Jacques. Generation of OCL constraintsfrom B abstract machines. In Software Engineering Research and Practice, pages 260–266, 2005. [WB95] Hélène Waëselynck and Jean-Louis Boulanger. The role of testing in the B formal developmentprocess. In Proceedings of 6th International Symposium on software Reliability Engineering (IS-SRE’95), pages 205–28. Toulouse, IEEE Comput. Soc. Press, Los Alamitos, CA, USA, October1995.Abstract : The B method is a formal approach covering all the software developmentprocess, through a series of proved refinement steps. An on-going debate in the B com-munity is the removal of some classical verification steps of the design, e.g. unit andintegration testing : this paper is aimed to support the maintaining stringent testingpolicies. We first recall previous work that addresses the general question of the limitsof formal methods for ultra-high dependability. Then, the discussion is focused on thecase of the B method. Although the method significantly contributes to fault avoidance,it is shown that additional verifications are still required throughout the developmentprocess, whether inspections or tests. (20 Refs)[Waeselynck97a] Hélène Waeselynck and Salimeh Behnia. B model animation for external verification. TechnicalReport 97392, LAAS (TSF) – INRETS (ESTAS), 1997. [Waeselynck97b] Hélène Waeselynck and Salimeh Behnia. Towards a framework for testing B models. TechnicalReport 97225, LAAS (TSF) – INRETS (ESTAS), 1997. [email protected] c©1999–2007 INRETS-ESTAS47/59 B Method BibliographyGeorges Mariano[Watrin01] David Watrin. Formalisation des modèles d’information d’administration de réseaux à l’aide dela méthode B : Application au langage GDMO. Thèse de doctorat, Ecole nationale supérieure destélécommunications (Paris), 2001. Abstract : Suite à la libéralisation des marchés de télécommunications et à la mul-tiplication de l’offre de services, l’Administration de Réseaux de Télécommunicationsconnaît un réel essor. A l’exception de SNMP, les différentes technologies qui adressentcette activité ont fait le choix de langages orientés objets afin de décrire leurs modèlesd’information. Ce choix est motivé par des considérations d’évolutivité bien connues.Cependant une constante se dégage à travers ces langages : I’utilisation du langage na-turel pour décrire les contraintes et les comportements des objets gérés, des attributset autres "templates". Ce choix induit l’introduction d’ambigu ̈ıtés dans la spécificationet n’autorise pas de traitement automatique afin de simuler ou tester le comportement,de vérifier la cohérence du modèle ou de produire un code exécutable. Enfin les mod-èles sont difficiles à appréhender en raison d’une distribution anarchique de l’inforrna-tion. Ce travail de thèse propose une solution basée sur la formalisation des modèlesà l’aide de la méthode B. Cette dernière offre en effet un langage rigoureux et au-tomatise les concepts de preuve formelle et de raffinement. Afin de définir une solutiongénérique, les propriétés communes aux modèles d’information de gestion de réseauxont été isolées. Un ensemble de règles de traduction vers le formalisme B couvrant lesstructures de données et les modèles statique et dynamique est proposé. Des variantessont avancées et analysées lorsque aucune règle n’est pleinement satisfaisante. Ces rè-gles ont été appliquées avec succès à un modèle GDMO. La spécification B obtenuepermet de prouver la cohérence interne du modèle et d’amorcer le processus de raffine-ment. En outre, un traducteur automatique depuis un modèle GDMO vers une spécifi-cation B a été développé. Il offre une large couverture du langage et permet de saisirdes propriétés formelles via une interface graphique. Il contribue à un enrichissementdu modèle d’information. Suite à la libéralisation des marchés de télécommunications et à la mul-tiplication de l’offre de services, l’Administration de Réseaux de Télécommunicationsconnaît un réel essor. A l’exception de SNMP, les différentes technologies qui adressentcette activité ont fait le choix de langages orientés objets afin de décrire leurs modèlesd’information. Ce choix est motivé par des considérations d’évolutivité bien connues.Cependant une constante se dégage à travers ces langages : I’utilisation du langage na-turel pour décrire les contraintes et les comportements des objets gérés, des attributset autres "templates". Ce choix induit l’introduction d’ambigu ̈ıtés dans la spécificationet n’autorise pas de traitement automatique afin de simuler ou tester le comportement,de vérifier la cohérence du modèle ou de produire un code exécutable. Enfin les mod-èles sont difficiles à appréhender en raison d’une distribution anarchique de l’inforrna-tion. Ce travail de thèse propose une solution basée sur la formalisation des modèlesà l’aide de la méthode B. Cette dernière offre en effet un langage rigoureux et au-tomatise les concepts de preuve formelle et de raffinement. Afin de définir une solutiongénérique, les propriétés communes aux modèles d’information de gestion de réseauxont été isolées. Un ensemble de règles de traduction vers le formalisme B couvrant lesstructures de données et les modèles statique et dynamique est proposé. Des variantessont avancées et analysées lorsque aucune règle n’est pleinement satisfaisante. Ces rè-gles ont été appliquées avec succès à un modèle GDMO. La spécification B obtenuepermet de prouver la cohérence interne du modèle et d’amorcer le processus de raffine-ment. En outre, un traducteur automatique depuis un modèle GDMO vers une spécifi-cation B a été développé. Il offre une large couverture du langage et permet de saisirdes propriétés formelles via une interface graphique. Il contribue à un enrichissementdu modèle d’information. [Watson97] Geoffrey Norman Watson. A comparison of modularity in B and Cogito. In S. Reeves andL. Groves, editors, Formal Methods Pacific, pages 263–286, 1997. [Wordsworth96] John Wordsworth. Software Engineering with B. Addison-Wesley, September 1996. [Z2B-BDW95] Juan Bicarregui, Jeremy Dick, and Eoin Woods. Supporting the length of formal development :from diagrams to VDM to B to C. In Henri Habrias, editor, Proc. Z Twenty Years on What is itsFuture, pages 63–75. IRIN-IUT de Nantes, October 1995. Abstract : This paper reports on the experience gained in the MaFMeth project whichis undertaking a formal development with tool support for several parts of the life cyclefrom requirements capture through to C code generation. A number of issues arise fromthe limitations of different notations and tools and from their combination when appliedto the development of software components destined to be integrated into a broadersystem context. We describe the problems we encountered, the mistake we made, andthe solutions we adopted, for the benefit of both these applying formal methods to realproduct development, and for the creators and designers of methods and tools. This paper reports on the experience gained in the MaFMeth project whichis undertaking a formal development with tool support for several parts of the life cyclefrom requirements capture through to C code generation. A number of issues arise fromthe limitations of different notations and tools and from their combination when appliedto the development of software components destined to be integrated into a broadersystem context. We describe the problems we encountered, the mistake we made, andthe solutions we adopted, for the benefit of both these applying formal methods to realproduct development, and for the creators and designers of methods and tools. [Z2B-Chauvet95] J. Y. Chauvet. Le cas "legislation vieillesse". In Henri Habrias, editor, Proc. Z Twenty Years onWhat is its Future, pages 242–264. IRIN-IUT de Nantes, October 1995. [Z2B-Docherty95] Rosemary F. Docherty. Translation from Z to AMN. In Habrias [B96-Habrias], pages 205–228. [email protected] c©1999–2007 INRETS-ESTAS48/59 B Method BibliographyGeorges MarianoAbstract : This paper gives details of a B-rulebase which I have written to translateZ specifications into Abstract Machine Notation (AMN). Although some Z constructstranslate easily, others cause problems and the theory behind the conversion rules isgiven. The rulebase cannot translate certain Z constructs and the reasons for this are ex-plained. The paper ends with some conclusions on the different manner and advantagesspecification in the two languages. [Z2B-Pratten95] C. H. Pratten. An introduction to proving AMN specifications with PVS and the AMN-PROOFtool. In Henri Habrias, editor, Proc. Z Twenty Years on What is its Future, pages 149–165.IRIN-IUT de Nantes, October 1995. Abstract : The AMN-PROOF Tool generates proof obligations for AMN specificationconsistency and refinement validity in a form suitable for consideration by the PVS andHOL theorem provers. In this paper, we discuss our PVS representation of AMN proofobligations and introduce the PVS facilities of the AMN-PROOF Tool. We consider anexample refinement, for which the proof obligations have been generated by the Tooland proved by PVS. The AMN-PROOF Tool generates proof obligations for AMN specificationconsistency and refinement validity in a form suitable for consideration by the PVS andHOL theorem provers. In this paper, we discuss our PVS representation of AMN proofobligations and introduce the PVS facilities of the AMN-PROOF Tool. We consider anexample refinement, for which the proof obligations have been generated by the Tooland proved by PVS. [ZB00] ZB’2000 – International Conference of B and Z Users, volume 1878 of Lecture Notes in ComputerScience (Springer-Verlag), Helsington, York, UK YO10 5DD, August 2000. [ZB00-Banach] R. Banach and M. Poppleton. Retrenchment, refinement and simulation. In ZB’2000 – Interna-tional Conference of B and Z Users [ZB00], pages 304–323. [ZB00-Bellegarde] Françoise Bellegarde, C. Darlot, Jacques Julliand, and O. Kouchnarenko. Reformulate dy-namic properties during B refinement and forget variants and loop invariants. In ZB’2000 – Inter-national Conference of B and Z Users [ZB00], pages 230–249. [ZB00-Bontron] Pierre Bontron and Marie-Laure Potet. Automatic construction of validated B components fromstructured developments. In ZB’2000 – International Conference of B and Z Users [ZB00], pages127–147. [ZB00-Butler] Michael J. Butler and Mairead Meagher. Performing algorithmic refinement before data refinementin B. In ZB’2000 – International Conference of B and Z Users [ZB00], pages 324–343. [ZB00-Cansell] Dominique Cansell and Dominique Méry. Playing with abstraction and refinement for managingfeatures interactions. A methodological approach to feature interaction problem. In ZB’2000 –International Conference of B and Z Users [ZB00], pages 148–167. [ZB00-Dimitrakos] Theo Dimitrakos, Juan Bicarregui, Brian Matthews, Tom Maibaum, and Ken Robinson. Com-positional structuring in the B method : A logical viewpoint of the static context. In ZB’2000 –International Conference of B and Z Users [ZB00], pages 107–126. [ZB00-Laleau] Regine Laleau and Amel Mammar. A generic process to refine a B specification into a relationaldatabase implementation. In ZB’2000 – International Conference of B and Z Users [ZB00], pages22–41. [ZB00-Lanet] Jean-Louis Lanet. Are smart cards the ideal domain for applying formal methods ? In ZB’2000 –International Conference of B and Z Users, pages 363–374, 2000. Abstract : The need of formal methods in the smart card domain has three origins :mastering the complexity of the new operating systems (fault avoidance), certifying ata high level a part of the smart card and reducing the cost of the test. In a first part, afterpresenting the smart card and its security requirements, we explain the certificationprocess that appears to be the most important vector for introducing formal methods inthe software development cycle. Then we present some attempts to formalise complex The need of formal methods in the smart card domain has three origins :mastering the complexity of the new operating systems (fault avoidance), certifying ata high level a part of the smart card and reducing the cost of the test. In a first part, afterpresenting the smart card and its security requirements, we explain the certificationprocess that appears to be the most important vector for introducing formal methods inthe software development cycle. Then we present some attempts to formalise complex [email protected] c©1999–2007 INRETS-ESTAS49/59 B Method BibliographyGeorges Marianosoftware elements of smart cards. The use of model checkers in order to automaticallygenerate the test suites can notably increase the productivity of applet development.The second part of this paper explains why smart cards are not currently the expectedsuccess story of formal methods. Then we present some clues to help integration ofthese methods in the software development cycle. [ZB00-Lopez] Nestor Lopez, Marianne Simonot, and Veronique Viguie Donzeau-Gouge. Deriving software spec-ifications from event based models. In ZB’2000 – International Conference of B and Z Users[ZB00], pages 209–229. [ZB00-Robinson] Ken Robinson. Reconciling axomatic and modelbased specifications using the B method. InZB’2000 – International Conference of B and Z Users [ZB00], pages 95–106. [ZB00-Stoddart] Bill Stoddart. An execution architecture for GSL. In ZB’2000 – International Conference of Band Z Users [ZB00], pages 394–413. [ZB00-Treharne] Helen Treharne and Steve Schneider. How to drive a B machine. In ZB’2000 – InternationalConference of B and Z Users [ZB00], pages 188–208. [ZB02] LSR-IMAG. ZB’2002 – Formal Specification and Development in Z and B, volume 2272 of Lec-ture Notes in Computer Science (Springer-Verlag), Grenoble, France, January 2002. [ZB02-Abrial] Jean-Raymond Abrial and Louis Mussat. On using conditional definitions in formal theories. InZB’2002 – Formal Specification and Development in Z and B [ZB02], pages 242–269. [ZB02-Abrial2] Jean-Raymond Abrial, Dominique Cansell, and Guy Lafitte. "higher-order" mathematics in B.In ZB’2002 – Formal Specification and Development in Z and B [ZB02], pages 370–393. [ZB02-Bellegarde] Françoise Bellegarde, Jacques Julliand, and Olga Kouchnarenko. Synchronised parallel com-position of events systems in B. In ZB’2002 – Formal Specification and Development in Z and B[ZB02], pages 436–457. [ZB02-Bellegarde2] Françoise Bellegarde, Samir Chouali, and Jacques Julliand. Vérification of dynamic con-straints for B event systems under fairness assumptions. In ZB’2002 – Formal Specification andDevelopment in Z and B [ZB02], pages 477–496. [ZB02-Blow] James Blow and Andy Galloway. Generalised subtitution language and differentials. In ZB’2002– Formal Specification and Development in Z and B [ZB02], pages 396–415. [ZB02-Bodeveix] Jean-Paul Bodeveix and Mamoun Filali. Type synthesis in B and the translation of B to PVS.In ZB’2002 – Formal Specification and Development in Z and B [ZB02], pages 350–369. [ZB02-Cansell] Dominique Cansell, Ganesh Gopalakrishnan, Mike Jones, and Dominique Mery. Incrementalproof of the producer/consumer property for the PCI protocol. In ZB’2002 – Formal Specificationand Development in Z and B [ZB02], pages 22–41. [ZB02-Chartier] Pierre Chartier. ABS project, merging the best practices in software design from railway andaicraft industries. In ZB’2002 – Formal Specification and Development in Z and B [ZB02]. [ZB02-Doche] Marielle Doche and Andrew Gravell. Extraction of abstraction invariants for data refinement. InZB’2002 – Formal Specification and Development in Z and B [ZB02], pages 120–139. [ZB02-Dunne] Steve Dunne. A theory of generalised substitutions. In ZB’2002 – Formal Specification andDevelopment in Z and B [ZB02], pages 270–290. [ZB02-Laleau] Régine Laleau and Fiona Polack. Coming and going from UML to B : A proposal to supporttraceability in rigorous IS development. In ZB’2002 – Formal Specification and Development in Zand B [ZB02], pages 517–534. [email protected] c©1999–2007 INRETS-ESTAS50/59 B Method BibliographyGeorges Mariano[ZB02-Legeard] Bruno Legeard, Fabien Peureux, and Mark Utting. A comparison of the BTT and TTF test-generation methods. In ZB’2002 – Formal Specification and Development in Z and B [ZB02],pages 309–329. [ZB02-Mikhailov] Leonid Mikhailov and Michael J. Butler. An approach to combining B and Alloy. In ZB’2002– Formal Specification and Development in Z and B [ZB02], pages 140–161. [ZB02-Papatsaras] Antonis Papatsaras and Bill Stoddart. Global and communicating state machine models inevent driven B : A simple railway case study. In ZB’2002 – Formal Specification and Developmentin Z and B [ZB02], pages 458–476. [ZB02-Poppleton] Michael Poppleton and Richard Banach. Controlling control systems : An application of evolv-ing retranchement. In ZB’2002 – Formal Specification and Development in Z and B [ZB02], pages42–61. [ZB02-Schneider] Steve Schneider and Helen Treharne. Communicating B MAchines. In ZB’2002 – FormalSpecification and Development in Z and B [ZB02], pages 416–435. [ZB03] Didier Bert, Jonathan P. Bowen, S. King, and M. Waldén, editors. ZB’2003 – Formal Specificationand Development in Z and B,International Conference of B and Z Users, Turku, Finland, June 4-6,2003, Proceedings, volume 2651 of Lecture Notes in Computer Science (Springer-Verlag), Turku,Finland, June 2003. Springer. [ZB03-Abrial] Jean-Raymond Abrial. B# : Toward a synthesis between Z and B. In Bert et al. [ZB03], pages168–177.Abstract : In this paper, I present some ideas and principles underlying the realizationof a new project called B#. This project follows the main ideas and principles alreadyat work in B, but it also follows a number of older concepts developed in Z. In B#, theintent is to have a formal system to be used to model complex system in general, notonly software systems. [ZB03-Abrial2] Jean-Raymond Abrial, Dominique Cansell, and Dominique Méry. Formal derivation of spanningtrees algorithms. In Bert et al. [ZB03], pages 457–476.Abstract : Graphs algorithms and graph-theoretical problems provide a challengingbattle field for the incremental development of proved models. The B event-based ap-proach implements the incremental and proved development of abstract models whichare translated into algorithms ; we focus our methodology on the minimum spanningtree problem and on Prim’s algorithm. The correctness of the resulting solution is basedon properties over trees and we show how the greedy strategy is efficient in this case.We compare properties proven mechanically to the properties found in a classical algo-rithms textbook. [ZB03-Aguirre] Nazareno Aguirre, Juan Bicarregui, and Theo Dimitrakos. Towards dynamic population man-agement of abstract machines in the B Method. In Bert et al. [ZB03], pages 528–545.Abstract : We study some restrictions associated with the mechanisms for structur-ing and modularising specifications in the B abstract machine notation. We proposean extension of the language that allows one to specify machines whose constituentmodules (other abstract machines) may change dynamically, i.e., at run time. In thisway, we increase the expressiveness of B by adding support for a common activity ofthe current systems design practice. The extensions were made without having to makeconsiderable changes in the semantics of standard B. We provide some examples toshow the increased expressive power, and argue that our proposed extensions respectthe methodological principles of the B method. [email protected] c©1999–2007 INRETS-ESTAS51/59 B Method BibliographyGeorges Mariano[ZB03-Blazy] Sandrine Blazy, Frédéric Gervais, and Régine Laleau. Reuse of specification patterns with the BMethod. In Bert et al. [ZB03], pages 40–57. Abstract : This paper describes an approach for reusing specification patterns. Specifi-cation patterns are design patterns that are expressed in a formal specification language.Reusing a specification pattern means instantiating it or composing it with other spec-ification patterns. Three levels of composition are defined : juxtaposition, compositionwith inter-patterns links and unification. This paper shows through examples how to de-fine specification patterns in B, how to reuse them directly in B, and also how to reusethe proofs associated with specification patterns. This paper describes an approach for reusing specification patterns. Specifi-cation patterns are design patterns that are expressed in a formal specification language.Reusing a specification pattern means instantiating it or composing it with other spec-ification patterns. Three levels of composition are defined : juxtaposition, compositionwith inter-patterns links and unification. This paper shows through examples how to de-fine specification patterns in B, how to reuse them directly in B, and also how to reusethe proofs associated with specification patterns. [ZB03-Burdy] Lilian Burdy and Antoine Requet. Extending B with control flow breaks. In Bert et al. [ZB03],pages 513–527. Abstract : This paper describes extensions of the B language concerning control flowbreaks in implementations and specification of operations with exceptional behaviors. Itdoes not claim to define those extensions in a pure formal and complete way. It is rathera presentation of what could be done and how it could be done. A syntax is proposedand proof obligations are defined using a weakest precondition calculus extended todeal with abrupt termination. Examples emphasizing the advantages of these extensionsare also given. This paper describes extensions of the B language concerning control flowbreaks in implementations and specification of operations with exceptional behaviors. Itdoes not claim to define those extensions in a pure formal and complete way. It is rathera presentation of what could be done and how it could be done. A syntax is proposedand proof obligations are defined using a weakest precondition calculus extended todeal with abrupt termination. Examples emphasizing the advantages of these extensionsare also given. [ZB03-Dunne] Steve Dunne. Introducing backward refinement into B. In Bert et al. [ZB03], pages 178–196. Abstract : The B Method exploits a direct first-order wp predicate-transformer for-mulation of downward simulation to generate its proof obligations for a refinement,so B’s notion of refinement is restricted to that of forward refinement. Therefore somerefinements we would intuitively recognise as valid cannot be proved so in B. Whilerelational formulations of upward simulation abound in the refinement literature, theonly predicate-transformer formulations proposed hitherto have been higher-order onesquantified over all postconditions, which cannot be conveniently exploited by the BMethod. Here, we propose a new first-order predicate-transformer formulation of up-ward simulation suitable to be adopted by B for backward refinement. The B Method exploits a direct first-order wp predicate-transformer for-mulation of downward simulation to generate its proof obligations for a refinement,so B’s notion of refinement is restricted to that of forward refinement. Therefore somerefinements we would intuitively recognise as valid cannot be proved so in B. Whilerelational formulations of upward simulation abound in the refinement literature, theonly predicate-transformer formulations proposed hitherto have been higher-order onesquantified over all postconditions, which cannot be conveniently exploited by the BMethod. Here, we propose a new first-order predicate-transformer formulation of up-ward simulation suitable to be adopted by B for backward refinement. [ZB03-Ferreira] Carla Ferreira and Michael J. Butler. Using B refinement to analyse compensating businessprocesses. In Bert et al. [ZB03], pages 477–496. Abstract : This paper explores the refinement of compensating business processes,which are modelled in a heterogeneous notation that combines StAC and B. In our re-finement approach, the StAC behavioural and compensation information are explicitlyembedded in a B machine. As the resulting machine is standard B one can use the Bnotion of refinement to prove the refinement of business processes. We also show howthe Atelier-B prover can help in constructing the gluing invariant. This paper explores the refinement of compensating business processes,which are modelled in a heterogeneous notation that combines StAC and B. In our re-finement approach, the StAC behavioural and compensation information are explicitlyembedded in a B machine. As the resulting machine is standard B one can use the Bnotion of refinement to prove the refinement of business processes. We also show howthe Atelier-B prover can help in constructing the gluing invariant. [ZB03-Frappier] Marc Frappier and Régine Laleau. Proving event ordering properties for information systems.In Bert et al. [ZB03], pages 421–436. Abstract : This paper presents an approach to prove event ordering properties for Bspecifications of information systems. The properties are expressed using the E3 nota-tion, where input event ordering properties are defined using a process algebra similarto CSP and output events are specified by recursive functions on the input traces as-sociated to the process expression. By proving that the E3 specification is refined bythe B specification, using the B theory of refinement, we ensure that both specificationsaccept and refuse exactly the same event traces. The proof relies on an extended labeled This paper presents an approach to prove event ordering properties for Bspecifications of information systems. The properties are expressed using the E3 nota-tion, where input event ordering properties are defined using a process algebra similarto CSP and output events are specified by recursive functions on the input traces as-sociated to the process expression. By proving that the E3 specification is refined bythe B specification, using the B theory of refinement, we ensure that both specificationsaccept and refuse exactly the same event traces. The proof relies on an extended labeled [email protected] c©1999–2007 INRETS-ESTAS52/59 B Method BibliographyGeorges Marianotransition system, generated using the operational semantics of the process algebra, inorder to deal with unbounded systems. The gluing invariant is generated from the E3recursive functions. [ZB03-Hallerstede] Stefan Hallerstede. Parallel hardware design in B. In Bert et al. [ZB03], pages 101–102. Abstract : We present the design of a parallel synchronous hardware component froma purely functional description of its behaviour. Starting from an abstract specificationof a linear time-invariant (LTI) system in Event-B a pipelined implementation is devel-oped. The presented approach is applicable to LTI systems that can be represented aslinear constant-coefficient difference equations. In the development of embedded sys-tems space requirements and performance of used circuits are often the two most im-portant constraints. To achieve high performance a high degree of parallelism is needed.At the same time, space requirements demand the use of as few components as possi-ble. In this study we show how the B method may be used to design systems that meetthese requirements. We use a variant of the B method called Event-B. Event-B has beenconceived particularly for the modelling of abstract systems. Such systems are closed inthe sense that they do not interact with some kind of environment. The environment ispart of the specification. Event-B has been used to construct proved circuits. We followa similar approach in this study. We present the design of a parallel synchronous hardware component froma purely functional description of its behaviour. Starting from an abstract specificationof a linear time-invariant (LTI) system in Event-B a pipelined implementation is devel-oped. The presented approach is applicable to LTI systems that can be represented aslinear constant-coefficient difference equations. In the development of embedded sys-tems space requirements and performance of used circuits are often the two most im-portant constraints. To achieve high performance a high degree of parallelism is needed.At the same time, space requirements demand the use of as few components as possi-ble. In this study we show how the B method may be used to design systems that meetthese requirements. We use a variant of the B method called Event-B. Event-B has beenconceived particularly for the modelling of abstract systems. Such systems are closed inthe sense that they do not interact with some kind of environment. The environment ispart of the specification. Event-B has been used to construct proved circuits. We followa similar approach in this study. [ZB03-MacIver] Annabelle McIver, Carroll Morgan, and Thai Son Hoang. Probabilistic termination in B. In Bertet al. [ZB03], pages 216–239. Abstract : The B Method does not currently handle probability. We add it in a limitedform, concentrating on "almost-certain" properties which hold with probability one ;and we address briefly the implied modifications to the programs that support B. TheGeneralised Substitution Language is extended with a binary operator ⊕ representing"abstract probabilistic choice", so that the substitution prog1 ⊕ prog2 means roughly"choose between prog1 and prog2 with some probability neither one nor zero". We thenadjust B’s proof rule for loops – specifically, the variant rule – so that in many casesit is possible to prove "probability-one" correctness of programs containing the newoperator, which was not possible in B before, while remaining almost entirely withinthe original Boolean logic. Applications include probabilistic algorithms such as theIEEE 1394 Root Contention Protocol ("FireWire") in which a probabilistic "symmetry-breaking" strategy forms a key component of the design. The B Method does not currently handle probability. We add it in a limitedform, concentrating on "almost-certain" properties which hold with probability one ;and we address briefly the implied modifications to the programs that support B. TheGeneralised Substitution Language is extended with a binary operator ⊕ representing"abstract probabilistic choice", so that the substitution prog1 ⊕ prog2 means roughly"choose between prog1 and prog2 with some probability neither one nor zero". We thenadjust B’s proof rule for loops – specifically, the variant rule – so that in many casesit is possible to prove "probability-one" correctness of programs containing the newoperator, which was not possible in B before, while remaining almost entirely withinthe original Boolean logic. Applications include probabilistic algorithms such as theIEEE 1394 Root Contention Protocol ("FireWire") in which a probabilistic "symmetry-breaking" strategy forms a key component of the design. [ZB03-Morgan] Thai Son Hoang, Zhendong Jin, Ken Robinson, Annabelle McIver, and Carroll Morgan. Proba-bilistic invariants for probabilistic machines. In Bert et al. [ZB03], pages 240–259. Abstract : Abrial’s Generalised Substitution Language [4] can be modified to operateon arithmetic expressions, rather than Boolean predicates, which allows it to be ap-plied to probabilistic programs [13]. We add a new operatorp⊗ to GSL, for probabilis-tic choice, and we get the probabilistic Generalised Substitution Language (pGSL) : asmooth extension of GSL that includes random algorithms within its scope. In this paperwe begin to examine the effect of pGSL on B’s larger-scale structures : its machines. Inparticular, we suggest a notion of probabilistic machine invariant. We show how theseinvariants interact with pGSL, at a fine-grained level ; and at the other extreme we inves-tigate how they affect our general understanding "in the large" of probabilistic machinesand their behaviour. Overall, we aim to initiate the development of probabilistic B (pB),complete with a suitable probabilistic AMN. We discuss the practical extension of the Abrial’s Generalised Substitution Language [4] can be modified to operateon arithmetic expressions, rather than Boolean predicates, which allows it to be ap-plied to probabilistic programs [13]. We add a new operatorp⊗ to GSL, for probabilis-tic choice, and we get the probabilistic Generalised Substitution Language (pGSL) : asmooth extension of GSL that includes random algorithms within its scope. In this paperwe begin to examine the effect of pGSL on B’s larger-scale structures : its machines. Inparticular, we suggest a notion of probabilistic machine invariant. We show how theseinvariants interact with pGSL, at a fine-grained level ; and at the other extreme we inves-tigate how they affect our general understanding "in the large" of probabilistic machinesand their behaviour. Overall, we aim to initiate the development of probabilistic B (pB),complete with a suitable probabilistic AMN. We discuss the practical extension of the [email protected] c©1999–2007 INRETS-ESTAS53/59 B Method BibliographyGeorges MarianoB-Toolkit [5] to support pB, and we give examples to show how pAMN can be used toexpress and reason about probabilistic properties of a system. [ZB03-Poerschke] Christine Poerschke, David E. Lightfoot, and John L. Nealon. A formal specification in B ofa medical decision support system. In Bert et al. [ZB03], pages 497–512. Abstract : We have used the B notation to formally specify an existing medical deci-sion support system. The system runs on a palmtop computer and helps patients withinsulin-dependent diabetes decide on a dose of insulin to inject. Using extracts we bothqualitatively and quantitatively describe the formal specification and compare it withthe existing C/C++ implementation of the system. We also report our experience of thespecification process, the benefits derived from and the challenges presented by it. Weconclude that the use of an abstract machine notation such as B for the formal speci-fication and documentation of a knowledge-based medical decision support system isboth feasible and viable. We have used the B notation to formally specify an existing medical deci-sion support system. The system runs on a palmtop computer and helps patients withinsulin-dependent diabetes decide on a dose of insulin to inject. Using extracts we bothqualitatively and quantitatively describe the formal specification and compare it withthe existing C/C++ implementation of the system. We also report our experience of thespecification process, the benefits derived from and the challenges presented by it. Weconclude that the use of an abstract machine notation such as B for the formal speci-fication and documentation of a knowledge-based medical decision support system isboth feasible and viable. [ZB03-Pouzancre] Guilhem Pouzancre. How to diagnose a modern car with a formal B model ? In Bert et al.[ZB03], pages 98–100. Abstract : We introduce a modern method to diagnose vehicles. The method has beenstudied for Automobiles Peugeot. The classical methods to diagnose a car are basedon technician’s experience and failure knowledge (e.g., diagnostic trees). However carsbecome more and more complex and failures less and less predictable. The moderncars are increasingly complex due to electronic components and services : lights andwipers turn on automatically, engine controller manages efficiently the torque and carradio manages the sound depending on the car speed. Therefore, diagnostic of deficientcomponents is complex, because of the car complexity and distributed functionalities :for example wheel sensors deficiency can induce effects on the car radio. On the otherhand, deficiencies are mostly unpredictable, due to a wide variety of suppliers, car op-tions and the short component life-cycle. Furthermore, garage mechanics have to diag-nose bugs, which are, by definition, unpredictable. However, all failures have a similarcharacteristic : a functional component does not respect its nominal specification. In ourdiagnosis method, event B models formalize the nominal functional specification and aB model interpreter (BI) checks which component does not match its specification. Todiagnose a car with this method we need : Correct and complete description of everyvehicle component (vehicle B model) A rigourous link between the concrete car andthe B models (dictionaries) A method to compare the components behaviour with theirspecification (record analysis) We introduce a modern method to diagnose vehicles. The method has beenstudied for Automobiles Peugeot. The classical methods to diagnose a car are basedon technician’s experience and failure knowledge (e.g., diagnostic trees). However carsbecome more and more complex and failures less and less predictable. The moderncars are increasingly complex due to electronic components and services : lights andwipers turn on automatically, engine controller manages efficiently the torque and carradio manages the sound depending on the car speed. Therefore, diagnostic of deficientcomponents is complex, because of the car complexity and distributed functionalities :for example wheel sensors deficiency can induce effects on the car radio. On the otherhand, deficiencies are mostly unpredictable, due to a wide variety of suppliers, car op-tions and the short component life-cycle. Furthermore, garage mechanics have to diag-nose bugs, which are, by definition, unpredictable. However, all failures have a similarcharacteristic : a functional component does not respect its nominal specification. In ourdiagnosis method, event B models formalize the nominal functional specification and aB model interpreter (BI) checks which component does not match its specification. Todiagnose a car with this method we need : Correct and complete description of everyvehicle component (vehicle B model) A rigourous link between the concrete car andthe B models (dictionaries) A method to compare the components behaviour with theirspecification (record analysis) [ZB03-Stoddart] Bill Stoddart and Frank Zeyda. Expression transformers in B-GSL. In Bert et al. [ZB03], pages197–215. Abstract : The B concept of generalised substitutions is applied to expressions as wellas predicates to obtain "expression transformers", which formalise the idea of specu-lative computation and form part of the executable subset of our language. We defineexpression transformers over the syntactic constructs of B-GSL, and show this defini-tion is equivalent to an alternative based on before-after predicates. The use of expres-sion transformers is illustrated by example programs which combine functional andimperative programming styles and exploit backtracking. The B concept of generalised substitutions is applied to expressions as wellas predicates to obtain "expression transformers", which formalise the idea of specu-lative computation and form part of the executable subset of our language. We defineexpression transformers over the syntactic constructs of B-GSL, and show this defini-tion is equivalent to an alternative based on before-after predicates. The use of expres-sion transformers is illustrated by example programs which combine functional andimperative programming styles and exploit backtracking. [ZB03-Treharne] Helen Treharne, Steve Schneider, and Marchia Bramble. Composing specifications using com-munication. In Bert et al. [ZB03], pages 58–78. [email protected] c©1999–2007 INRETS-ESTAS54/59 B Method BibliographyGeorges MarianoAbstract : This paper develops a case study using the process algebra CSP to enablecontrolled interaction between B machines. This illustrates how B machines are es-sential components within a combined communicating system. The development stepsused to build the case study are new : they are applications of theoretical results whichallow us to focus on the external interface of a combined communicating system, com-positionally verify it, and show that it is a refinement of a more abstract specificationdescribed in CSP. This allows safety and liveness properties to be established for com-binations of communicating B machines. [ZB05] Helen Treharne, Steve King, Martin C. Henson, and Steve Schneider, editors. ZB’2005 : FormalSpecification and Development in Z and B, 4th International Conference of B and Z Users, Guild-ford, UK, April 13-15, 2005, Proceedings, volume 3455 of Lecture Notes in Computer Science.Springer, 2005. [ZB05-Abrial] Jean-Raymond Abrial, Dominique Cansell, and Dominique Méry. Refinement and reachability inEvent B. In Treharne et al. [ZB05], pages 222–241. Abstract : Since the early 90’s (after the seminal article of R. Back [4]), the refinementof stuttering steps [5] are performed by means of new actions (called here events) refin-ing skip. It is shown in this article that such a refinement method is not always possiblein the development of large systems. We shall instead use events refining some kind ofnon-deterministic actions maintaining the invariant (sometimes called keep). We showthat such new refinements are completely safe. In a second part, we explain how such amechanism can be used to express some reachability conditions that were otherwise ex-pressed using some special temporal logic statements à la TLA [5] in a previous article[2]. Examples will be used to illustrate our proposals. Since the early 90’s (after the seminal article of R. Back [4]), the refinementof stuttering steps [5] are performed by means of new actions (called here events) refin-ing skip. It is shown in this article that such a refinement method is not always possiblein the development of large systems. We shall instead use events refining some kind ofnon-deterministic actions maintaining the invariant (sometimes called keep). We showthat such new refinements are completely safe. In a second part, we explain how such amechanism can be used to express some reachability conditions that were otherwise ex-pressed using some special temporal logic statements à la TLA [5] in a previous article[2]. Examples will be used to illustrate our proposals. [ZB05-Attiogbe] Christian Attiogbé. A stepwise development of the Peterson’s mutual exclusion algorithm usingB Abstract Systems. In Treharne et al. [ZB05], pages 124–141. Abstract : We present a stepwise formal development of the Petersonrsquos mutualexclusion algorithm using Event B. We use a bottom-up approach where we introducethe parallel composition of subsystems which are separately specified. First, we specifysubsystems as B abstract systems ; then we compose the subsystems to get a first ab-stract solution for the mutual exclusion. This solution is improved to obtain the Peter-son’s algorithm. This is achieved by refinement and composition of the former abstractsubsystems. Therefore the result is formally proved on the basis of correctness (safety)properties added to the invariant. Atelier B (a B prover) is used to check completely thedevelopment. We present a stepwise formal development of the Petersonrsquos mutualexclusion algorithm using Event B. We use a bottom-up approach where we introducethe parallel composition of subsystems which are separately specified. First, we specifysubsystems as B abstract systems ; then we compose the subsystems to get a first ab-stract solution for the mutual exclusion. This solution is improved to obtain the Peter-son’s algorithm. This is achieved by refinement and composition of the former abstractsubsystems. Therefore the result is formally proved on the basis of correctness (safety)properties added to the invariant. Atelier B (a B prover) is used to check completely thedevelopment. [ZB05-Badeau] Frédéric Badeau and Arnaud Amelot. Using B as a high level programming language in anindustrial project : Roissy VAL. In Treharne et al. [ZB05], pages 334–354. Abstract : In this article we would like to go back on B used to design software, bypresenting the industrial process established through years by Siemens TransportationSystems on a real project : the VAL shuttle for Roissy Charles de Gaulle airport. In thisproject, the logical core of an equipment located along the tracks and driving the shut-tles is designed with B. By confronting this B software development, with the historicalcontext, we show that B can be used as a high-level programming language offering thefeature of proving properties. We show how this process is used to build, by construc-tion, a large size software with very few design errors ever since its first release, and fora predefined cost. In this article we would like to go back on B used to design software, bypresenting the industrial process established through years by Siemens TransportationSystems on a real project : the VAL shuttle for Roissy Charles de Gaulle airport. In thisproject, the logical core of an equipment located along the tracks and driving the shut-tles is designed with B. By confronting this B software development, with the historicalcontext, we show that B can be used as a high-level programming language offering thefeature of proving properties. We show how this process is used to build, by construc-tion, a large size software with very few design errors ever since its first release, and fora predefined cost. [email protected] c©1999–2007 INRETS-ESTAS55/59 B Method BibliographyGeorges Mariano[ZB05-Banach] Richard Banach and Simon Fraser. Retrenchment and the B-Toolkit. In Treharne et al. [ZB05],pages 203–221. Abstract : An experiment to incorporate retrenchment into the B-Toolkit is described.The syntax of a retrenchment construct is given, as is the proof obligation which givesretrenchment its semantics. The practical aspects of incorporating these into the existingB-Toolkit are then investigated. It transpires that the B-Toolkit’s internal architecture isheavily committed to monolithic refinement, because of B-Method philosophy, and thisrestricts what can be done without a complete rebuild of the toolkit. Experience withcase studies is outlined. An experiment to incorporate retrenchment into the B-Toolkit is described.The syntax of a retrenchment construct is given, as is the proof obligation which givesretrenchment its semantics. The practical aspects of incorporating these into the existingB-Toolkit are then investigated. It transpires that the B-Toolkit’s internal architecture isheavily committed to monolithic refinement, because of B-Method philosophy, and thisrestricts what can be done without a complete rebuild of the toolkit. Experience withcase studies is outlined. [ZB05-Bert] Didier Bert, Marie-Laure Potet, and Nicolas Stouls. GeneSyst : A tool to reason about behavioralaspects of B Event specifications. application to security properties. In Treharne et al. [ZB05],pages 299–318. Abstract : In this paper, we present a method and a tool to build symbolic labelled tran-sition systems from B specifications. The tool, called GeneSyst, can take into accountrefinement levels and can visualize the decomposition of abstract states in concrete hi-erarchical states. The resulting symbolic transition system represents all the behaviorsof the initial B event system. So, it can be used to reason about them. We illustrate theuse of GeneSyst to check security properties on a model of electronic purse. This workwas done in the GECCOO project of program "ACI : Sécurité Informatique" supportedby the French Ministry of Research and New Technologies. It is also suported by CNRSand ST-Microelectronics by the way of a doctoral grant. In this paper, we present a method and a tool to build symbolic labelled tran-sition systems from B specifications. The tool, called GeneSyst, can take into accountrefinement levels and can visualize the decomposition of abstract states in concrete hi-erarchical states. The resulting symbolic transition system represents all the behaviorsof the initial B event system. So, it can be used to reason about them. We illustrate theuse of GeneSyst to check security properties on a model of electronic purse. This workwas done in the GECCOO project of program "ACI : Sécurité Informatique" supportedby the French Ministry of Research and New Technologies. It is also suported by CNRSand ST-Microelectronics by the way of a doctoral grant. [ZB05-Bostrom] Pontus Boström and Marina A. Waldén. An extension of Event B for developing grid systems.In ZB05, pages 142–161, 2005. Abstract : Computational grids have become widespread in organizations for handlingtheir need for computational resources and the vast amount of available information.Grid systems, and other distributed systems, are often complex and formal reasoningabout them is needed, in order to ensure their correctness and to structure their de-velopment. Event B is a formal method with tool support that is meant for stepwisedevelopment of distributed systems. To facilitate the implementation of grid systemswe here propose extensions to Event B that take grid specific features into account. Weadd new constructs to model the client-server architecture of grid systems, as well asimportant features like communication and synchronisation. We introduce the exten-sions in such a manner that the necessary proof obligations are automatically generatedand the system can be implemented in a straightforward manner. Computational grids have become widespread in organizations for handlingtheir need for computational resources and the vast amount of available information.Grid systems, and other distributed systems, are often complex and formal reasoningabout them is needed, in order to ensure their correctness and to structure their de-velopment. Event B is a formal method with tool support that is meant for stepwisedevelopment of distributed systems. To facilitate the implementation of grid systemswe here propose extensions to Event B that take grid specific features into account. Weadd new constructs to model the client-server architecture of grid systems, as well asimportant features like communication and synchronisation. We introduce the exten-sions in such a manner that the necessary proof obligations are automatically generatedand the system can be implemented in a straightforward manner. [ZB05-Bouquet] Fabrice Bouquet, Frédéric Dadeau, and Julien Groslambert. Checking JML specifications withB machines. In Treharne et al. [ZB05], pages 434–453. Abstract : This paper presents a solution to the lack of tool-support for the JML mod-els verification. We propose an approach for expressing JML specifications within theB abstract machines notation. The B machines generated from the JML can then bechecked to ensure their correctness. Thus, we deduce the correctness of the originalJML specification, ensured by rewriting rules which give the semantical equivalenceof the two models. More generally, this translation can be applied to object-orientedspecification languages using before-after predicates. This paper presents a solution to the lack of tool-support for the JML mod-els verification. We propose an approach for expressing JML specifications within theB abstract machines notation. The B machines generated from the JML can then bechecked to ensure their correctness. Thus, we deduce the correctness of the originalJML specification, ensured by rewriting rules which give the semantical equivalenceof the two models. More generally, this translation can be applied to object-orientedspecification languages using before-after predicates. [ZB05-Dunne] Steve Dunne and Stacey Conroy. Process refinement in B. In Treharne et al. [ZB05], pages 45–64. [email protected] c©1999–2007 INRETS-ESTAS56/59 B Method BibliographyGeorges MarianoAbstract : We describe various necessary and sufficient conditions with which to aug-ment B existing refinement proof obligations for forward and backward refinement inorder to capture within the B Method a variety of CSP process refinement relations,including most significantly that of failures-divergences which provides the standarddenotational semantics of CSP processes. [ZB05-Hoang] Thai Son Hoang, Zhendong Jin, Ken Robinson, Annabelle McIver, and Carroll Morgan. Devel-opment via refinement in Probabilistic B foundation and case study. In Treharne et al. [ZB05],pages 355–373. Abstract : In earlier work, we introduced probability to the B by providing a probabilis-tic choice substitution and by extending Brsquos semantics to incorporate its meaning[8]. This, a first step, allowed probabilistic programs to be written and reasoned aboutwithin B. This paper extends the previous work into refinement within B. To allowprobabilistic specification and development within B, we must add a probabilistic spec-ification substitution ; and we must determine the rules and techniques for its rigorousrefinement into probabilistic code. Implementation in B frequently contains loops. Wegeneralise the standard proof obligation rules for loops giving a set of rules for reason-ing about the correctness of probabilistic loops. We present a small case-study that usesthose rules, the randomised Min-Cut algorithm. In earlier work, we introduced probability to the B by providing a probabilis-tic choice substitution and by extending Brsquos semantics to incorporate its meaning[8]. This, a first step, allowed probabilistic programs to be written and reasoned aboutwithin B. This paper extends the previous work into refinement within B. To allowprobabilistic specification and development within B, we must add a probabilistic spec-ification substitution ; and we must determine the rules and techniques for its rigorousrefinement into probabilistic code. Implementation in B frequently contains loops. Wegeneralise the standard proof obligation rules for loops giving a set of rules for reason-ing about the correctness of probabilistic loops. We present a small case-study that usesthose rules, the randomised Min-Cut algorithm. [ZB05-Leuschel] Michael Leuschel and Edd Turner. Visualising larger state spaces in Pro B. In Treharne et al.[ZB05], pages 6–23. Abstract : ProB is an animator and model checker for the B method. It also allows tovisualise the state space of a B machine in graphical way. This is often very useful andallows users to quickly spot whether the machine behaves as expected. However, forlarger state spaces the visualisation quickly becomes difficult to grasp by users (and thecomputation of the graph layout takes considerable time). In this paper we present tworelatively simple algorithms to often considerably reduce the complexity of the graphs,while still keeping relevant information. This makes it possible to visualise much largerstate spaces and gives the user immediate feedback about the overall behaviour of a ma-chine. The algorithms have been implemented within the ProB toolset and we highlighttheir potential on several examples. We also conduct a thorough experimentation of thealgorithm on 47 B machines and analyse the results. ProB is an animator and model checker for the B method. It also allows tovisualise the state space of a B machine in graphical way. This is often very useful andallows users to quickly spot whether the machine behaves as expected. However, forlarger state spaces the visualisation quickly becomes difficult to grasp by users (and thecomputation of the graph layout takes considerable time). In this paper we present tworelatively simple algorithms to often considerably reduce the complexity of the graphs,while still keeping relevant information. This makes it possible to visualise much largerstate spaces and gives the user immediate feedback about the overall behaviour of a ma-chine. The algorithms have been implemented within the ProB toolset and we highlighttheir potential on several examples. We also conduct a thorough experimentation of thealgorithm on 47 B machines and analyse the results. [ZB05-Morgan] Carroll Morgan, Thai Son Hoang, and Jean-Raymond Abrial. The challenge of probabilisticEvent B extended abstract. In ZB05, pages 162–171, 2005. Abstract : Among the many opportunities offered by computational semantics forprobability, the challenge of probabilistic Event B (pEB) is one of the most attrac-tive. The B method itself is now almost 20 years old, and has been much improved andadapted over that time by the many projects to which it has been applied, and by itsphilosophy – right from the start – that it must be practical, effective and amenable totool support. ; more recently, Event B has extended it and altered its style of use. Theprobabilistic-program semantics we appeal to is even older (in Kozen’s original form),but has only recently been ldquorevivedrdquo in the context of B-style abstraction andrefinement. The especial attraction of putting the two together is the likely interplaybetween the probabilistic theory, on the one hand, and the decades of practical experi-ence that have by now been built-in to the B approach, on the other. In particular, thereare areas where a full theoretical treatment of probability, concurrency, abstraction and Among the many opportunities offered by computational semantics forprobability, the challenge of probabilistic Event B (pEB) is one of the most attrac-tive. The B method itself is now almost 20 years old, and has been much improved andadapted over that time by the many projects to which it has been applied, and by itsphilosophy – right from the start – that it must be practical, effective and amenable totool support. ; more recently, Event B has extended it and altered its style of use. Theprobabilistic-program semantics we appeal to is even older (in Kozen’s original form),but has only recently been ldquorevivedrdquo in the context of B-style abstraction andrefinement. The especial attraction of putting the two together is the likely interplaybetween the probabilistic theory, on the one hand, and the decades of practical experi-ence that have by now been built-in to the B approach, on the other. In particular, thereare areas where a full theoretical treatment of probability, concurrency, abstraction and [email protected] c©1999–2007 INRETS-ESTAS57/59 B Method BibliographyGeorges Marianorefinement – all at once – seems prohibitively complex ; and yet in practice either thecomplexities seldom occur, or the exigencies of Brsquos having been so-often appliedto real, non-toy problems has forced it to evolve styles for avoiding such complexities.In short, we want to use (event) B to guide us towards the issues that truly are important.Rabin’s randomized mutual-exclusion algorithm is used as a motivating case study. [ZB05-Rezazadeh] Abdolbaghi Rezazadeh and Michael Butler. Some guidelines for formal development of web-based applications in B-method. In Treharne et al. [ZB05], pages 472–492. Abstract : Web-based applications are the most common form of distributed systemsthat have gained a lot of attention in the past ten years. Today many of us are relyingon scores of mission-critical Web-based systems in different areas such as banking, fi-nance, e-commerce and government. The development process of these systems needs asound methodology, which ensures quality, consistency and integrity. Formal Methodsprovide systematic and quantifiable approaches to create coherent systems. Despite thisthere has been limited work on the formal modelling of Web-based applications. In thispaper our aim is to provide researchers with some guidelines based on results from on-going work to model a Web-based system using the B-Method. Session and state man-agement, developing formal models for complex data types, abstraction of distributeddatabase systems and formal representation of communication links between differentcomponents of a web-based system are the main issues that we have examined. Web-based applications are the most common form of distributed systemsthat have gained a lot of attention in the past ten years. Today many of us are relyingon scores of mission-critical Web-based systems in different areas such as banking, fi-nance, e-commerce and government. The development process of these systems needs asound methodology, which ensures quality, consistency and integrity. Formal Methodsprovide systematic and quantifiable approaches to create coherent systems. Despite thisthere has been limited work on the formal modelling of Web-based applications. In thispaper our aim is to provide researchers with some guidelines based on results from on-going work to model a Web-based system using the B-Method. Session and state man-agement, developing formal models for complex data types, abstraction of distributeddatabase systems and formal representation of communication links between differentcomponents of a web-based system are the main issues that we have examined. [ZB05-Zeyda] Frank Zeyda, Bill Stoddart, and Steve Dunne. A prospective-value semantics for the GSL. InTreharne et al. [ZB05], pages 187–202. Abstract : We present a prospective-value (pv) semantics for the Generalised Substitu-tion Language. Whereas wp semantics captures the meaning of a computation in termsof the weakest precondition that must be fulfilled for a generalised substitution S toestablish any given postcondition Q, pv semantics expresses the meaning of a compu-tation in terms of the value any expression E would take were the computation to becarried out. To integrate non-termination we formulate improper bunch theory, an ex-tended version of Hehnerrsquos bunch theory where each type is augmented with animproper bunch. Algebraic simplification laws for the pv expression transformer arepresented, and proved to be sound. Iteration is treated as a fixed-point in expressions,and a corresponding theorem is presented allowing us to infer the pv effect of the while-loop construct. We present a prospective-value (pv) semantics for the Generalised Substitu-tion Language. Whereas wp semantics captures the meaning of a computation in termsof the weakest precondition that must be fulfilled for a generalised substitution S toestablish any given postcondition Q, pv semantics expresses the meaning of a compu-tation in terms of the value any expression E would take were the computation to becarried out. To integrate non-termination we formulate improper bunch theory, an ex-tended version of Hehnerrsquos bunch theory where each type is augmented with animproper bunch. Algebraic simplification laws for the pv expression transformer arepresented, and proved to be sound. Iteration is treated as a fixed-point in expressions,and a corresponding theorem is presented allowing us to infer the pv effect of the while-loop construct. [ZB05-Zimmermann] Yann Zimmermann and Diana Toma. Component reuse in B using ACL2. In Treharneet al. [ZB05], pages 279–298. Abstract : We present a new methodology that permits to reuse an existing hardwarecomponent that has not been developed within the B framework while maintaining acorrect design flow. It consists of writing a specification of the component in B andproving that the VHDL description of the component implements the specification us-ing the ACL2 system. This paper focuses on the translation of the B specification intoACL2. We present a new methodology that permits to reuse an existing hardwarecomponent that has not been developed within the B framework while maintaining acorrect design flow. It consists of writing a specification of the component in B andproving that the VHDL description of the component implements the specification us-ing the ACL2 system. This paper focuses on the translation of the B specification intoACL2. [arago20] OFTA, editor. Application des techniques formelles au logiciel. Observatoire Français des Tech-niques Avancéees & Lavoisier TEC & DOC, 1997. [eventb-reference-manual] ClearSy. Event B reference manual, June 2001. [matisse-cir] Jean-Raymond Abrial. Event driven circuit construction. MATISSE project, August 2000. [email protected] c©1999–2007 INRETS-ESTAS58/59 B Method BibliographyGeorges Mariano[matisse-dis] Jean-Raymond Abrial. Event driven distributed program construction. MATISSE project, August2001. [matisse-fg] Jean-Raymond Abrial. Guidelines to formal system studies. MATISSE project, November 2000. [matisse-pap] Jean-Raymond Abrial. Event driven sequential program construction. MATISSE project, October2000. [reactive-B] Kevin Lano. Specifying reactive systems in B AMN. Lecture Notes in Computer Science(Springer-Verlag), 1212 :242–275, 1997. [zum94 :Diller] A. Diller and R. Docherty. Z and Abstract Machine Notation : a comparison. In Proceedings of8th Z User Meeting ZUM’94, pages 250–263, 1994. Abstract : Compares the formal specification languages Z and Abstract Machine No-tation (AMN) ; the latter of which is due to Abrial. The strategy adopted is that ofpresenting the same specification both in Z and AMN and of commenting on salientdifferences as they arise. The specification chosen is a slightly revised version of thespecification of an Internal Telephone Number Database found in chapter 4 of A.Z.Diller (1994). At the end of the paper some general conclusions are drawn. (11 Refs) Compares the formal specification languages Z and Abstract Machine No-tation (AMN) ; the latter of which is due to Abrial. The strategy adopted is that ofpresenting the same specification both in Z and AMN and of commenting on salientdifferences as they arise. The specification chosen is a slightly revised version of thespecification of an Internal Telephone Number Database found in chapter 4 of A.Z.Diller (1994). At the end of the paper some general conclusions are drawn. (11 Refs) [email protected] c©1999–2007 INRETS-ESTAS59/59

