## An open extensible tool environment for Event-B (2006)

### Cached

### Download Links

- [eprints.ecs.soton.ac.uk]
- [eprints.soton.ac.uk]
- DBLP

### Other Repositories/Bibliography

Venue: | ICFEM 2006, LNCS |

Citations: | 37 - 14 self |

### BibTeX

@INPROCEEDINGS{Abrial06anopen,

author = {Jean-raymond Abrial and Michael Butler and Stefan Hallerstede and Laurent Voisin},

title = {An open extensible tool environment for Event-B},

booktitle = {ICFEM 2006, LNCS},

year = {2006},

pages = {588--605},

publisher = {Springer}

}

### Years of Citing Articles

### OpenURL

### Abstract

Abstract. We consider modelling indispensable for the development of complex systems. Modelling must be carried out in a formal notation to reason and make meaningful conjectures about a model. But formal modelling of complex systems is a difficult task. Even when theorem provers improve further and get more powerful, modelling will remain difficult. The reason for this that modelling is an exploratory activity that requires ingenuity in order to arrive at a meaningful model. We are aware that automated theorem provers can discharge most of the onerous trivial proof obligations that appear when modelling systems. In this article we present a modelling tool that seamlessly integrates modelling and proving similar to what is offered today in modern integrated development environments for programming. The tool is extensible and configurable so that it can be adapted more easily to different application domains and development methods. 1

### Citations

813 |
The B-Book: Assigning Programs to Meanings
- Abrial
- 1996
(Show Context)
Citation Context ... must explicitly start tools to type-check a model, or generate proof obligations for it. Because the proof obligation generator has been developed for models of sequential programs with the B-Method =-=[1]-=-, some proof obligations have variables renamed or are rewritten to a point where they are difficult to relate to the model. This violates our requirement for transparency. Following the experience wi... |

508 |
Interactive Theorem Proving and Program Development
- Bertot, Casteran
- 2004
(Show Context)
Citation Context ...ood interface for entering models graphically but less so for reasoning about them. The approach of embedding a modelling notation into a general purpose theorem prover [10] like Isabelle [23] or Coq =-=[8]-=- provides a strong logical foundation. This is very satisfactory from a logicians point of view. From an industrial point of view, logical soundness is only one design consideration. We also need reac... |

380 | SIMPLIFY: A theorem prover for program checking
- Detlefs, Nelson, et al.
- 2003
(Show Context)
Citation Context ...ware tool support for Event-B should not be just another theorem prover. It should be a modelling tool that constrains modelling activity as little as possible. Powerful theorem provers are available =-=[8, 12, 16, 23]-=- but not enough attention has been paid in formal methods to tool support for the modelling activity per se. Traditionally, it is assumed that one begins a formal development with a specification and ... |

236 | Abstract State Machines. A Method for HighLevel System Design and Analysis
- Börger, Stärk
- 2003
(Show Context)
Citation Context ...ry to overcome with the Event-B tool described in this article. The use of general purpose theorem provers with modelling notations like Z [10, 29], Action Systems [4, 19], or Abstract State Machines =-=[6, 9]-=- usually requires a lot of expert knowledge in order to make efficient use of them when reasoning about formal models. This is not a problem of bad design of the theorem prover, but more a problem of ... |

230 | Boogie: A modular reusable verifier for object-oriented programs
- Barnett, Chang, et al.
- 2006
(Show Context)
Citation Context ...of is not restricted to modelling. It has a long tradition in programming methodology, too, e.g. [17]. Software tools that support formal verification methods in programming have been developed, e.g. =-=[7, 14]-=-. We mention [7], in particular, because the Boogie architecture presented in the article provides characteristics similar to the Event-B tool. We quote two points from [7] about Boogie and present ou... |

175 |
Isabelle: a generic theorem prover, volume 828 of LNCS
- Paulson
- 1994
(Show Context)
Citation Context ...e with a general purpose theorem prover because proof obligation generation is manual anyway. In the Event-B tool we ensure that proof obligation generation remains extensible and adaptable. Isabelle =-=[23, 30]-=- has been used with Z [10]. Although well-integrated the main problem remains that the user must explicitly specify proof obligations and is responsible for maintaining them. Another problem is that t... |

173 |
Specifying Systems: The TLA+ Language and Tools for Hardware and Software Engineers
- Lamport
- 2002
(Show Context)
Citation Context ...duce the abstract syntax tree (AST) package. The grammar has not been specified in Event-B, although, in principle this should be possible similarly to the technique proposed by Lamport based on TLA+ =-=[18]-=-. The sequent prover (SEQP) library provides the proof engine. It contains the necessary data types, notably the sequent data type, some inference rules and support for tactics. The inference rules ha... |

118 |
Refinement calculus, part II: Parallel and reactive systems
- Back
- 1990
(Show Context)
Citation Context ...plain the kind of problems that we try to overcome with the Event-B tool described in this article. The use of general purpose theorem provers with modelling notations like Z [10, 29], Action Systems =-=[4, 19]-=-, or Abstract State Machines [6, 9] usually requires a lot of expert knowledge in order to make efficient use of them when reasoning about formal models. This is not a problem of bad design of the the... |

109 | An industrial strength theorem prover for a logic based on Common Lisp
- Kaufmann, Moore
- 1997
(Show Context)
Citation Context ...ware tool support for Event-B should not be just another theorem prover. It should be a modelling tool that constrains modelling activity as little as possible. Powerful theorem provers are available =-=[8, 12, 16, 23]-=- but not enough attention has been paid in formal methods to tool support for the modelling activity per se. Traditionally, it is assumed that one begins a formal development with a specification and ... |

100 | ProB: A model checker for B
- Leuschel, Butler
- 2003
(Show Context)
Citation Context ...nge of functionalities. This section outlines our initial effort at providing a collection of plug-in tools. 5.1 Animation and Model-Checking The ProB animator and model checker has been presented in =-=[20]-=-. Based on Prolog, the ProB tool supports automated consistency checking of B machines via model checking. For exhaustive model checking, the given sets must be restricted to small finite sets, and in... |

57 | Verication of Non-Functional Programs using Interpretations in Type Theory
- Filliâtre
- 2003
(Show Context)
Citation Context ...of is not restricted to modelling. It has a long tradition in programming methodology, too, e.g. [17]. Software tools that support formal verification methods in programming have been developed, e.g. =-=[7, 14]-=-. We mention [7], in particular, because the Boogie architecture presented in the article provides characteristics similar to the Event-B tool. We quote two points from [7] about Boogie and present ou... |

54 | Formal system development with KIV
- Balser, Reif, et al.
- 2000
(Show Context)
Citation Context ...ry to overcome with the Event-B tool described in this article. The use of general purpose theorem provers with modelling notations like Z [10, 29], Action Systems [4, 19], or Abstract State Machines =-=[6, 9]-=- usually requires a lot of expert knowledge in order to make efficient use of them when reasoning about formal models. This is not a problem of bad design of the theorem prover, but more a problem of ... |

50 |
Contributing to Eclipse
- Gamma, Beck
- 2003
(Show Context)
Citation Context ...l for Event-B (see Figure 1) is incorporated into the RODIN platform which is an extension of the Eclipse platform. We do not explain Eclipse in this article but only refer to the existing literature =-=[15]-=-. Rodin Platform Event−B Event−B MUI PUI Event−B SC Event−B POG Event−B POM Event−B SEQP Rodin Event−B Core AST Eclipse Platform Fig. 1. Architectural Overview of the Event-B Tool Event−B UI Event−B C... |

41 |
Refinement, Decomposition and Instantiation of Discrete Models: Application to Event-B. Fundamentae Informatica
- Abrial, Hallerstede
- 2006
(Show Context)
Citation Context ... to a program text. In particular, there is no need for the user to start processes like compilation. A program is written and then run or debugged without compiling it. We present a tool for Event-B =-=[3]-=- that applies these techniques used in programming to formal modelling. Instead of compilation, we are interested in proof obligation generation and automatically discharging trivial proof obligations... |

39 | Structured Proofs in Isar/HOL
- Nipkow
(Show Context)
Citation Context ...f obligations and is responsible for maintaining them. Another problem is that the user must understand the Isabelle logic as well as that of Z. To some degree this is alleviated by the Isar language =-=[22]-=- that extends Isabelle with more legible proofs. Similarly, abstract state machines (ASM) have been used with the KIV theorem prover [6]. The refinement theory used with ASM is stated in KIV and the u... |

32 |
A new approach to program testing
- King
- 1975
(Show Context)
Citation Context ...f obligations. Instead of running a program we reason about models or analyse them. Verification by proof is not restricted to modelling. It has a long tradition in programming methodology, too, e.g. =-=[17]-=-. Software tools that support formal verification methods in programming have been developed, e.g. [7, 14]. We mention [7], in particular, because the Boogie architecture presented in the article prov... |

25 |
Using B as a high level programming language in an industrial project: Roissy val
- Badeau, Amelot
- 2005
(Show Context)
Citation Context ... is stated in KIV and the user has to state the relevant theorems (proof obligations). When dealing with large models the amount of proof obligations is simply to high to load the user with this task =-=[5]-=-. Our tool overcomes these problems by maintaining proof obligations and by providing a prover that is tailored for first-order logic and set theory (which are the basic mathematical theories of Event... |

14 |
Click’n’Prove : Interactive Proofs Within Set Theory
- Abrial, Cansell
- 2003
(Show Context)
Citation Context ...o been designed to appear as natural as possible to the user. Itsgives a graphical representation of a sequent calculus for classical logic that has been further developed from the Click’n’Prove tool =-=[2]-=-. The major shortcoming of Click’n’Prove is that it is built on top of a theorem prover that executes proof scripts. As a consequence, feedback to the user is slow. In addition, the user must explicit... |

14 |
2.0: A proof environment for Z-specifications
- HOL-Z
(Show Context)
Citation Context ... to be complete but to explain the kind of problems that we try to overcome with the Event-B tool described in this article. The use of general purpose theorem provers with modelling notations like Z =-=[10, 29]-=-, Action Systems [4, 19], or Abstract State Machines [6, 9] usually requires a lot of expert knowledge in order to make efficient use of them when reasoning about formal models. This is not a problem ... |

5 |
The challenge of probabilistic event B - extended abstract
- Morgan, Hoang, et al.
(Show Context)
Citation Context ...o make the textual representation more readable. Introduction of a syntax in the definition of the notation would make it much more difficult to extend the notation, e.g. by introducing probabilities =-=[21]-=-. An Event-B model consists of contexts and machines. In this description we focus on machines. A complete description of Event-B can be found in [3]. Contexts contain the static parts of a model. The... |

3 |
Eclipse platform homepage. http://www.eclipse.org
- Eclipse
- 2009
(Show Context)
Citation Context ...effectively in engineering practice, good tool support is necessary. Present day integrated development environments used for programming do carry out many tasks automatically in the background, e.g. =-=[13]-=-, and provide fast feedback when changes are made to a program text. In particular, there is no need for the user to start processes like compilation. A program is written and then run or debugged wit... |

3 | Refining reactive systems in HOL using action systems
- L˚angbacka, Wright
- 1997
(Show Context)
Citation Context ...plain the kind of problems that we try to overcome with the Event-B tool described in this article. The use of general purpose theorem provers with modelling notations like Z [10, 29], Action Systems =-=[4, 19]-=-, or Abstract State Machines [6, 9] usually requires a lot of expert knowledge in order to make efficient use of them when reasoning about formal models. This is not a problem of bad design of the the... |

2 |
Atelier B tool homepage. http://www.atelierb.societe.com
- Clearsy
(Show Context)
Citation Context ...ol. This is very difficult to achieve in embedded designs. In the area of safety-critical embedded software, the approach of directly implementing provers has been proved fruitful. The Atelier B tool =-=[11]-=- has been used in large scale industrial projects, e.g. [5]. 1.2 The Significance of Extensibility and Configurability We take the view that no one tool can solve all our development problems and that... |