
Formal Domain Engineering: From Specification to Validation

Atif Mashkoor

To cite this version: Atif Mashkoor. Formal Domain Engineering: From Specification to Validation. Software Engineering [cs.SE]. Université Nancy II, 2011. English. tel-00614269v2

HAL Id: tel-00614269
https://tel.archives-ouvertes.fr/tel-00614269v2
Submitted on 25 Oct 2011

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

Université Nancy 2
DOCTORAL SCHOOL IAEM
Department of Doctoral Formation in Informatics

Formal Domain Engineering: From Specification to Validation

Ph.D. Thesis presented and defended publicly on July 12, 2011 in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Informatics by Atif Mashkoor

Prepared at LORIA in team Dedale

Jury
President: Prof. Patrick Heymans - Université de Namur (Belgium)
Examiner: Prof. Maritta Heisel - Universität Duisburg-Essen (Germany)
Reviewers: Prof. Marc Frappier - Université de Sherbrooke (Canada)
           Prof. Marie-Laure Potet - Université Joseph Fourier (France)
Advisors: Prof. Jeanine Souquières - Université Nancy 2 (France)
          Dr. Jean-Pierre Jacquot - Université Henri Poincaré (France)

Laboratoire Lorrain de Recherche en Informatique et ses Applications

Abstract

The main theme of this research is to study and develop techniques for the modeling of software-controlled safety-critical systems.
The area we focus on in this thesis is the specification of the domain in which such systems are supposed to operate, and its validation. The contribution of this thesis is twofold. First, we model the land transport domain, a good candidate for this study because of its safety-critical nature, in the formal framework of Event-B and propose some guidelines for this activity. Second, we present an approach, based on the technique of animation and low-cost transformations, for the stepwise validation of formal specifications.

Keywords: Domain engineering, Requirements engineering, Formal methods, Software testing, Event-B, Brama

Résumé (French abstract)

The main theme of this research is to study and develop techniques for the modeling of safety-critical systems. This thesis focuses on the specification of the domain in which such systems will operate, and on its validation. The contribution of this thesis is twofold. First, we model the land transport domain, a good candidate for this study because of its safety-critical nature, in the formal framework of Event-B and propose some guidelines for this activity. Then, we present an approach, based on the techniques of animation and transformations, for the stepwise validation of formal specifications.

Keywords: Domain engineering, Requirements engineering, Formal methods, Software testing, Event-B, Brama

In the sweet memories of my loving parents who sacrificed their present for the future of their children.

Acknowledgments

All praise belongs to ALLAH, the almighty, on whom ultimately we depend for sustenance and guidance.

Foremost, I would like to express my sincere gratitude to my co-advisor Dr. Jean-Pierre Jacquot for the continuous support during my Ph.D. study and research. I appreciate his patience, motivation, enthusiasm, and immense knowledge. His guidance helped me to shape my goals, both in my research and life.
I will always remember him as the best advisor and mentor for a lifetime. I would also like to thank Prof. Jeanine Souquières, my main advisor, for supporting me financially, administratively and technically.

Besides my advisors, I would like to thank the rest of my thesis committee: Prof. Marc Frappier, Prof. Marie-Laure Potet, Prof. Patrick Heymans and Prof. Maritta Heisel, for their encouragement, insightful comments, and positive criticism. I would also like to extend my gratitude to Prof. Dominique Méry and Dr. John Fitzgerald for their advice and time.

I owe my deepest gratitude to my friends, Sarah, Ehtesham, Dawood, Bilal, Usman and Mumtaz for being there for me physically, spiritually and morally whenever I needed them.

Lastly, and most importantly, I wish to thank my family: my eldest brother Kashif, my sister Rabia, my three nieces, Aliza, Mouniza and Arisha, and notably my beloved brother Rashid. They have supported me unconditionally and unprecedentedly. They gave me the choices I wanted, the time I needed, the strength I required, the support I wished; they gave me everything I demanded. Thank you guys for all of your support!

Atif Mashkoor
August 8, 2011
Vandœuvre-lès-Nancy

Contents

1 Prologue  1
  1.1 Introduction  1
  1.2 Motivation  2
  1.3 Contributions  2
    1.3.1 Specification level  2
    1.3.2 Validation level  3
  1.4 Publications  3
  1.5 Structure of the thesis  4

I BACKGROUND  7

2 Domain engineering, requirements engineering & formal methods  9
  2.1 Introduction  9
  2.2 Domain engineering  10
    2.2.1 Domain  10
    2.2.2 Domain engineering  10
    2.2.3 Domain engineering methods  11
  2.3 Requirements engineering  14
    2.3.1 Requirement  14
    2.3.2 Requirements engineering  14
    2.3.3 Classification of requirements  15
    2.3.4 Phases of requirements engineering  16
    2.3.5 Requirements engineering methods  20
  2.4 Formal methods  21
    2.4.1 Advantages of formal methods  22
    2.4.2 Disadvantages of formal methods  22
    2.4.3 Myths of formal methods  23
    2.4.4 Guidelines for formal methods  24
  2.5 Summary  25

3 Domain specification, verification & validation  27
  3.1 Introduction  27
  3.2 Domain specification  28
  3.3 Domain verification  29
    3.3.1 Model checking  30
    3.3.2 Theorem proving  30
  3.4 Domain validation  31
    3.4.1 Prototyping  31
    3.4.2 Animation  32
    3.4.3 Reviews  33
    3.4.4 Structured walkthroughs  33
  3.5 Summary  34

II SPECIFICATION  35

4 Event-B  37
  4.1 Introduction  37
  4.2 Structuring mechanism  38
  4.3 Refinement  39
  4.4 Proofs  39
    4.4.1 Proof of invariant preservation  40
    4.4.2 Proof of event refinement  40
    4.4.3 Proof to introduce new events  40
  4.5 Decomposition  41
  4.6 Tool  42
  4.7 Related work  43
    4.7.1 Event-B versus RAISE  43
    4.7.2 Event-B & goal models  44
    4.7.3 Modeling of transportation domain in Event-B  44
    4.7.4 Refinement mechanisms in Event-B  45
    4.7.5 Specification of timing & temporal properties in Event-B  45
  4.8 Summary  46

5 Engineering of a domain  47
  5.1 Introduction  47
  5.2 Domain overview  48
    5.2.1 Locations  49
    5.2.2 Nets, hubs & connections  49
    5.2.3 Junctions & stations  49
    5.2.4 Paths & routes  49
    5.2.5 Properties  49
  5.3 Stepwise Event-B specification  50
    5.3.1 Initial model  52
    5.3.2 First refinement  54
    5.3.3 Second refinement  54
    5.3.4 Third refinement  55
    5.3.5 Fourth refinement  56
    5.3.6 Fifth refinement  58
    5.3.7 Sixth refinement  60
    5.3.8 Seventh refinement  61
  5.4 Hierarchy of the model  65
  5.5 Verification of the model  68
  5.6 Summary  69

6 Guidelines for domain engineering with Event-B  71
  6.1 Introduction  71
  6.2 What to specify?  72
    6.2.1 Model assumptions  72
    6.2.2 Define protocols  73
    6.2.3 Specify time  74
    6.2.4 Express temporal properties  75
  6.3 How to refine?  77
    6.3.1 Refine slowly  78
    6.3.2 Refine unconventionally  79
  6.4