David Déharbe

• Docteur en Informatique
• Engineer at CLEARSY

Formal development in Event-B generally requires the validation of a large number of proof obligations. Some automatic tools exist to automatically discharge a significant part of them, thus augmenting the efficiency of the formal development. We here investigate the use of SMT (Satisfiability Modulo Theories) solvers in addition to the tradi- tion...

This paper gives operational semantics for a subset of VHDL in terms of abstract machines. Restrictions to the VHDL source code are the finiteness of data types, and the absence of quantitative timing informations. The abstract machine of a design unit is built by composition of the abstract machines for its embedded processes and blocks. The kerne...

This article describes the first public version of the satisfiability modulo theory (SMT) solver veriT. It is open-source, proof-producing, and complete for quantifier-free formulas with uninterpreted functions and difference logic on real numbers and integers.

The B method is a formal method to design software components and to prove that they are compliant with some formalized requirements, giving a way to build safety-critical programs. However, the correctness of the obtained programs obviously rely on the correctness of those formalized software requirements. Using the CLEARSY Safety Platform, a vita...

The CLEARSY Safety Platform (CSSP) was designed to ease the development of safety critical systems and to reduce the overall costs (development, deployment, and certification) under the pressure of the worldwide market. A smart combination of hardware features (double processor) and formal method (B method and code generators) was used to produce a...

Proof obligations of the B method and of Event B use predicates in the Constraints, Sets, Properties and Invariant clauses as hypotheses in proof obligations. A contradiction in these predicates results in trivially valid proof obligations and essentially voids the development. A textbook on the B method [3] presents three “existence proof obligati...

Developing safety critical applications often require rare human resources to complete successfully while off-the-shelf block solutions appear difficult to adapt especially during short-term projects. The CLEARSY Safety Platform fulfils a need for a technical solution to overcome the difficulties to develop SIL3/SIL4 system with its technology base...

Industrial applications involving formal methods are still exceptions to the general rule. Lack of understanding, employees without proper education, difficulty to integrate existing development cycles, no explicit requirement from the market, etc. are explanations often heard for not being more formal. Hence the feedback provided by industry to ac...

The CLEARSY Safety Platform (CSSP) was designed to ease the development of safety critical systems and to reduce the overall costs (development, deployment, and certification) under the pressure of the worldwide market. A smart combination of hardware features (double processor) and formal method (B method and code generators) was used to produce a...

A Revolution for developing of safety critical application Developing safety critical applications often requires rare human resources to complete successfully while off-the-shelf block solutions appear difficult to adapt especially during short-term projects. Developed during the R&D project FUI LCHIP[5], the CLEARSY Safety Platform fulfills a nee...

Software in industrial products, such as in the railway industry, constantly evolves to meet new or changing requirements. For projects with a lifetime spanning decades (such as the control software for energy plants, for railway lines, etc.), keeping track of the original design rationale through time is a significant challenge.

The argument of correctness in refinement-based formal software design often disregards source code analysis and code generation. To mitigate the risk of errors in these phases, certifications issued by regulation entities demand or recommend testing the generated software using a code coverage criteria. We propose improvements for the BTestBox, a...

Industrial applications involving formal methods are still exceptions to the general rule. Lack of understanding, employees without proper education, difficulty to integrate existing development cycles, no explicit requirement from the market, etc. are explanations often heard for not being more formal. Hence the feedback provided by industry to ac...

This paper describes a safety analysis effort on RATP’s communication-based train control (CBTC) system Octys. This CBTC is designed for multi-sourcing and brownfield deployment on an existing interlocking infrastructure. Octys is already in operation on several metro lines in Paris, and RATP plans its deployment on several other lines in the forth...

The application of automatic theorem provers to discharge proof obligations is necessary to apply formal methods in an efficient manner. Tools supporting formal methods, such as Atelier~B, generate proof obligations fully automatically. Consequently, such proof obligations are often cluttered with information that is irrelevant to establish their v...

The application of automatic theorem provers to discharge proof obligations is necessary to apply formal methods in an efficient manner. Tools supporting formal methods, such as Atelier~B, generate proof obligations fully automatically. Consequently, such proof obligations are often cluttered with information that is irrelevant to establish their v...

This paper presents BTestBox, a model-based testing tool that gen- erates test cases for code generated from B Method specifications. BTestBox receives as input a B implementation and then generates test cases to compare the execution of the generated code and the B model. Our tool uses an anima- tion history of the B implementation to get the expe...

Batcave is an open source tool that aims to provides support for formal verification on the B method and on the substitution calculus. It automates the process of generation of proof obligations for software specified in B and allows the verification of these obligations through interaction with theorems provers, increasing the system reliability....

This paper presents a formal development of an Isabelle/HOL theory for the behavioral aspects of artifacts produced in the design of software components with the B method. We first provide a formalization of semantic objects such as labelled transition systems and notions of behavior and simulation. We define an interpretation of the B method using...

In this paper, we present a case study where two code generators for the B-Method were validated using software testing techniques. Our testing strategy is a combination of Grammar-Based Testing (GBT) and Model-Based Testing (MBT) techniques. The strategy consists of two steps. In the first step, grammar-based coverage criteria are used to generate...

Formal development in Event-B generally requires the validation of a large number of proof obligations. Some tools automatically discharge a significant part of them, thus augmenting the efficiency of the formal development. We here investigate the use of SMT (Satisfiability Modulo Theories) solvers in addition to the traditional tools, and detail...

This paper investigates the application of the B method,beyond the classical algorithmic level provided by the B0 sub-language, and presents re- finements of B models at a level of precision equivalent to assembly language. We claim and justify that this extension provides a more reliable software de- velopment process as it bypasses two of the les...

In this talk we describe a multi-platform code generator for the B method. In particular, we present a translation procedure from a large subset of the B language for implementations towards LLVM source code. This translation is defined formally as a set of rules defined recursively on the abstract syntax for B implementations. It already handles m...

This paper presents BEval, an extension of Atelier B to improve automation in the verification activities in the B method or Event-B. It combines a tool for managing and verifying software projects (Atelier B) and a model checker/animator (ProB) so that the verification conditions generated in the former are evaluated with the latter. In our experi...

Model checking and counter-example guided abstraction refinement are examples of applications of SAT solving requiring the production of models for satisfiable formulas. Better than giving a truth value to every variable, one can provide an implicant, i.e. a partial assignment of the variables such that every full extension is a model for the formu...

The QF UF category of the SMT-LIB test set contains many formulas with symmetries, and breaking these symmetries results in an important speedup [8]. This paper presents SyMT, a tool to find and report symmetries in SMT formulas. SyMT is based on the reduction of the problem of detecting symmetries in formulas to finding automorphisms in a graph re...

Software development in B and Event-B generates proof obligations that have to be discharged using theorem provers. The cost of such developments depends directly on the degree of automation and efficiency of theorem proving techniques for the logics in which these lemmas are expressed. This paper presents and formalizes an approach to transform a...

To safely evolve a software product line, it is important to have a notion of product line refinement that assures behavior preservation of the original product line products. So in this article we present a language independent theory of product line ...

This paper presents an approach to verify PLCs, a common platform to control systems in the industry. We automatically translate PLC programs written in the languages of the IEC 61131-3 standard to B models, amenable to formal analysis of safety constraints and general structural properties of the application. This approach thus integrates formal m...

In this paper we propose an approach to verify PLC programs, a common platform to control systems in the industry. Programs written in the languages of the IEC 61131-3 standard are automatically translated to B machines and are then amenable to formal analysis of safety constraints and general structural properties of the application. This approach...

This paper presents a migration approach from a class of hierarchical B models to CSP. The B models follow a so-called polling pattern, suitable for reactive systems, and are automatically translated into a set of communicating CSP processes with the same behaviour. The structure of the CSP model matches that of the B model and may be formally anal...

This paper discusses advantages and disadvantages of some possible alternatives for inference rules that handle quantifiers in the proof format of the SMT-solver veriT. The quantifier-handling modules in veriT being fairly standard, we hope this will motivate the discussion among the PxTP audience around proof production for quantifier handling. Th...

Methods exploiting problem symmetries have been very successful in several areas including constraint programming and SAT solving. We here recast a technique to enhance the performance of SMT-solvers by detecting symmetries in the input formulas and use them to prune the search space of the SMT algorithm. This technique is based on the concept of (...

Model checking is gaining importance in verifying the partial specifications of complex synchronous systems modelled by means of a finite state machine. In this paper, we present the principles and a tool for checking their properties in a temporal logic that allows both past and future oriented modalities. After a revision of the basic concepts of...

Programming provers is a complex task; completeness or even soundness may often be broken by apparently harmless bugs. A good testing platform can contribute in detecting problems early and helping development. This paper presents the distributed platform for testing the veriT SMT solver. Its features are fairly standard, but it allows to easily di...

Smart Card applications usually require reliability and security to avoid incorrect operation or access violation in transactions and corruption or undue access to stored information. A way of reaching these requirements is improving the quality of the development process of these applications. BSmart is a method and a corresponding tool designed t...

Software development in B and Event-B generates proof obligations that have to be discharged using theorem provers. The cost of such developments therefore depends directly on the degree of automation and efficiency of theorem proving techniques for the logics in which these lemmas are expressed. This paper presents and formalizes an approach to tr...

An important frequent task in both Z and B is the proof of verification conditions (VCs). In Z and B, VCs can be predicates to be discharged as a result of refinement steps, some proof about initialization properties or domain checking. Ideally, a tool that supports any Z and B technique should automatically discharge as many VCs as possible. Here,...

This paper presents the current state of the formal development of FreeRTOS, a real-time operating system. The goal of this effort is to address a scientific challenge and is realized within the scope of the Grand Challenge on Verified Software. The development is realized with the B method. A model of the main functionalities of the FreeRTOS is no...

This paper describes an approach to model the functional aspects of the instruction set of microcontroller platforms using the no- tation of the B method. The paper presents specifically the case of the Z80 platform. This work is a contribution towards the extension of the B method to handle developments up to assembly level code.

Model-driven design of software for safety-critical applications often relies on mathematically grounded techniques such as the B method. Such techniques consist in the successive applications of refinements to derive a concrete implementation from an abstract specification. Refinement theory defines verification conditions to guarantee that such o...

SMT (Satisfiability Modulo Theories) solvers are automatic verification engines suitable to discharge important classes of proof obligations generated in applying formal construction of software and hardware designs. In this paper, we present a new approach to combine decision procedures and propositional solvers into an SMT-solver. This approach i...

Abstract Many approaches to software verification require to check the satisfiability of first-order formulae. For such techniques, it is of crucial importance to have satisfiability solvers which are both scalable, predictable and flexible. We describe our approach to build solvers satisfying such requirements by combining equational theorem provi...

This paper investigates the application of the B method beyond the classical algorithmic level provided by the B0 sub-language, and presents refinements of B models at a level of precision equivalent to assembly language. We claim and justify that this extension provides a more reliable software development process as it bypasses two of the less tr...

A smart card is a portable computer device able to store data and execute commands. Java Card [1] is a specialization of Java, providing vendor inter-operability for smart cards, and has now reached a de facto standard status in this industry. The strategic importance of this market and the requirement for a high reliability motivate the use of rig...

This work describes a model-driven approach to design and develop software from the functional specification level down to assembly. The proposed approach builds upon the B method and provides a methodology to craft assembly-level software components in a rigorous way. While the B method is conventionally applied to produce algorithmic level softwa...

Batcave is an open source tool that aims to provides support for formal verification on the B method and on the substitution calculus. It automates the process of generation of proof obligations for software specified in B and allows the verification of these obligations through interaction with theorems provers, increasing the system reliability....

An increasing number of verification tools (e.g., software model-checkers) require the use of Satisfiability Modulo Theories (SMT) solvers to implement the back-ends for the automatic analysis of specifications and properties. The most prominent approach to build SMT solvers consists in integrating an efficient Boolean solver with decision procedur...

This work proposes a methodology for the rigorous development of Java Card smart card applications, using the B Method. Its main feature is to abstract the particularities of Java Card and smart card aware applications from the specifier as much as possible. In the proposed approach, the specification of the aplication logic needs not be preoccupie...

Automated theorem proving consists in automatically (i.e. without any user interaction) discharging proof obligations which arise when applying rigorous methodologies for designing critical software systems. Recent developements in the so-called lazy approach in the integration of Boolean satisfiability with decision procedures for decidable theori...

URL : http://www.info.fundp.ac.be/~pys/AFADL07/Actes_AFADL_2007.pdf

Agraphs are a graph-based language representation, transformation and exchange format. In the same vein as XML, Agraphs form a general data representation mechanism that needs to be instantiated in different specific applications. In this paper, we present the Agraphs data structure, programming interface and related tools, identify their main feat...

Catching bugs in programs is difficult and time-consuming. The effort of debugging and proving correct even small units of code can surpass the effort of programming. Bugs inserted while “programming in the small” can have dramatic consequences for the consistency of a whole software system as shown, e.g., by viruses which can spread by exploiting...

We present the architecture of the oncoming version of the SMT (Satisfiability Modulo Theories) solver haRVey [5]. haRVey checks the satisfiability of a formula written in a first-order language with interpreted symbols from various theories. Its new architecture is original, first in the sense that it is a combination of reasoners, rather than the...

ABSTRACT New programming,languages paradigms,have commonly been,evaluated and,eventually incorporated into hard- ware description languages. Aspect-oriented programming (AOP) is a new paradigm that provides new modularity con- structs on top of object-oriented and structured languages such as Java,C++ and C. This paper presents and assesses possibl...

AGraphs are a graph-based language representation, transformation and exchange format. In the same vein as XML, AGraphs form a general data represen- tation mechanism that needs to be instantiated in different specific applications. In this paper, we present the AGraphsdata structure, programming interface and related tools, identify their main fea...

This paper presents a method for the rigorous development of Java Card smart card applications, using the B Method. Its main feature is to abstract the particularities of Java Card and smart card aware applications from the specifier as much as possible. In the proposed approach, the specification of the application logic does not need to take into...

This paper presents a method for the rigorous development of Java Card smart card applications, using the B method. Its main feature is to abstract the particularities of Java Card and smart card aware applications from the specifier as much as possible. In the proposed approach, the specification of the application logic does not need to take into...

We propose a model that combines explicit and symbolic representations in an explicit-symbolic formal verification model. Both explicit and symbolic models have been successfully used in the verification of finite state concurrent systems, such as complex sequential circuits and communica- tion protocols. The proposed model aims to use explicit and...

We present a technique to prove invariants of model-based specications in a fragment of set theory. Proof obligations containing set theory constructs are translated to first-order logic with equality augmented with (an extension of) the theory of arrays with extensionality. The idea underlying the translation is that sets are represented by their...

We describe a refutation-based theorem proving algorithm capable of checking the satisfiability of non-ground formulae modulo (a combination of) theories. The key idea is the use of abstraction to drive the application of (i) ground satisfiability checking modulo theories ax- iomatized by equational clauses, (ii) Presburger arithmetic, and (iii) qu...

Résumé L'outil Barvey présenté ici vérifie automatiquement la consistance de machines abstraites B ne contenant que des opérateurs ensemblistes. Il intègre pour cela un outil générant les obligations de preuve à partir de la machine abstraite fournie en entrée, un outil traitant les formules avec quantificateurs et le prouveur haRVey décidant de la...

We present a technique to prove invariants of model-based specifications in a fragment of set theory. Proof obligations containing set theory constructs are translated to first-order logic with equality augmented with (an extension of) the theory of arrays with extensionality. The idea underlying the translation is that sets are represented by thei...

We present a technique to prove invariants of model-based specifications in a fragment of set theory. Proof obligations containing set theory constructs are translated to first-order logic with equality augmented with (an extension of) the theory of arrays with extensionality. The idea underlying the translation is that sets are represented by thei...

In an environment of continuous and rapid evolution, software design methodologies must incorporate techniques and tools that support changes in software artifacts. In the FERUS project, we are developing a tool targeted at software designers that integrates a collection of operations on algebraic specifications written in the CASL language. The sc...

Model checking is a set of formal verification techniques that aim to show that a structure representing a computational system (for instance, a protocol, or a hardware or a software component, among others) is a model for a property that represents a requirement for this system. Many model-checking approaches have been proposed, depending on the f...

Software bugs are very difficult to detect even in small units of code. Several techniques to debug or prove correct such units are based on the generation of a set of formulae whose unsatisfiability reveals the presence of an error. These techniques assume the availability of a theorem prover capable of automatically discharging the resulting proo...

Software bugs are very difficult to detect even in small units of code. Several techniques to debug or prove correct such units are based on the generation of a set of formulae whose unsatisfiability reveals the presence of an error. These techniques assume the availability of a theorem prover capable of automatically discharging the resulting proo...

We describe a combination of BDDs and superposition theorem proving, called light-weight theorem proving, and its application to the flexible and efficient automation of the reasoning activity required to debug and verify pointer manipulating programs. This class of programs is notoriously challenging to reason about and it is also interesting from...

We present an open environment for the integration of formal methods applied to HDL descriptions of circuits. The system currently accepts SMAX[4] and VHDL, and provides equivalence checking, model checking, theorem proving, and automatic diagnosis of simple design errors. After an overview of the system, we discuss the salient features of the comm...

Binary Decision Diagrams (BDDs) have proved to be a powerful representation for Boolean functions.

Symbolic model checking is a powerful formal verification technique that, contrarily to theorem proving, requires no user assistance. It is able to verify that an implementation, modelled as a labelled finite-state transition graph, satisfies its specification, given as a set of terms in some temporal logic. This chapter introduces the basics of sy...

Providing a high degree of automation to discharge proof obligations in (fragments of) rst-order logic is a crucial activity in many verication eorts. Unfortunately, this is quite a dicult task. On the one hand, reasoning modulo ubiquitous theories (such as lists, arrays, and Presburger arithmetic) is essential. On the other hand, to eectively inco...

Este artigo apresenta FERUS (Apoio Formal à Especificação e Re-Utilização de Software), um ambiente desenvolvido no Departamento de Informática e Matemática Aplicada da UFRN em parceria com o LORIA (França), que permite a criação, manipulação e prototipação de especificações na linguagem CASL. Para otimizar as diferentes possibilidades de trabalho...

Binary decision diagrams (BDDs) are used for au- tomatic synthesis and formal verication of combi- national and sequential circuits. However, a larger adoption of these technologies for sequential de- signs still depends on a more ecient use of BDDs. One important factor is the order of the variables in the BDD, which has a direct impact on the spa...

A factor in the complexity of conventional algorithms for model checking Computation Tree Logic (CTL) is the size of the formu- lae, and, more precisely, the number of fixpoint operators. This paper addresses the following questions: given a CTL formula f, is there an equivalent formula with fewer fixpoint operators? and how term rewriting techniqu...

Binary decision diagrams (BDDs) are used for automatic synthesis and formal verification of combinational and sequential circuits. However, a larger adoption of these technologies for sequential designs still depends on a more ecient use of BDDs. One important factor is the order of the variables in the BDD, which has a direct impact on the space (...

Providing a high degree of automation to discharge proof obligations in (fragments of) first-order logic is a crucial activity in many verification efforts. Unfortunately, this is quite a difficult task. On the one hand, reasoning modulo ubiquitous theories (such as lists, arrays, and Presburger arithmetic) is essential. On the other hand, to effec...

BDDs formam uma família de estruturas de dados utilizadas em diversos tipos de ferramentas de apoio à engenharia de sistemas computacionais como a verificação formal de software. BDDmeter é uma extensão gráfica para bibliotecas de BDDs a partir da qual é possível monitorar o comportamento de BDDs com o decorrer do tempo. BDDmeter possibilita em par...

Binary Decision Diagrams (BDDs) have proved to be a powerful representation for Boolean functions. Particularly, they are a very useful data structure for the symbolic model checking of digital circuits and other finite state systems, as well as other problems. Nevertheless, the size of the BDD representation of these functions is highly dependent...

. This article describes a prototype formal verification system for a subset of VHDL. The behavior of a VHDL design can be specified with temporal logic formulas and be verified with an algorithm called symbolic model checking. The model checker applies a number of new techniques to handle larger designs, thus allowing for efficient verification of...

Binary Decision Diagrams (BDDs) have proved to be a powerful representation for Boolean functions. Particularly, they are a very useful data structure for the symbolic model checking of digital circuits and other finite state systems, as well as other problems. Nevertheless, the size of the BDD representation of these functions is highly dependent...

Automatic verification of sequential designs has been made possible by the use of efficient representations for propositional logic such as Binary Decision Diagrams (BDDs). However, the efficient use of BDDs is only, possible provided a good ordering of the state variables of the design. This paper presents a novel heuristics, called variable weigh...

. We present an open environment for the integration of formal methods applied to HDL descriptions of circuits. The system currently accepts SMAX[4] and VHDL, and provides equivalence checking, model checking, theorem proving, and automatic diagnosis of simple design errors. After an overview of the system, we discuss the salient features of the co...

Este tutorial apresenta uma visão geral de métodos formais para a especificação, semântica e verificação de sistemas concorrentes. Um método de especificação formal dá uma descrição precisa de um sistema em uma notação com uma sintaxe e semântica bem definidas. Esta semântica associa um modelo matemático ao sistema que pode então ser analisado usan...

Symbolic model checking, smc, is a decision procedure that verifies that some finite-state structure is a model for a formula of Computation Tree Logic (CTL). smc is based on fixpoint computations. Unfortunately, as the size of a structure grows exponentially with the number of state components, smc is not always powerful enough to handle realistic...

This article describes a prototype implementation of a symbolic model checker for asubset of VHDL. The model checker applies a number of techniques to reduce the search space, thusallowing for ecient verication of real circuits. We have completed an initial release of the VHDLmodel checker and have used it to verify complex circuits, including the...

This article describes a prototype formal verification system for a subset of VHDL. The behavior of a VHDL design can be specified with temporal logic formulas and be verified with an algorithm called symbolic model checking. The model checker applies a number of new techniques to handle larger designs, thus allowing for efficient verification of r...