Application Domains
Bilateral Contracts and Grants with Industry
Partnerships and Cooperations
Bibliography
 PDF e-Pub

## Section: New Results

### Formal Methods for Developing and Analyzing Algorithms and Systems

Participants : Noran Azmy, Gabriel Corona, Margaux Duroeulx, Marie Duflot-Kremer, Souad Kherroubi, Dominique Méry, Stephan Merz, Nicolas Schnepf, Christoph Weidenbach.

#### Making explicit domain knowledge in formal system development

Joint work with partners of the IMPEX project.

Modeling languages are concerned with providing techniques and tool support for the design, synthesis and analysis of the models resulting from a given modeling activity, and this activity is usually part of a system development model or process. These languages quite successfully focus on the analysis of the designed system, exploiting the semantic features of the underlying modeling language. These semantics are well understood by the system designers and/or the users of the modeling language, that is why we speak of implicit semantics.

In general, modeling languages are not equipped with resources, concepts or entities handling explicitly domain engineering features and characteristics (domain knowledge) in which the modeled systems evolve.

We posit that designers should explicitly handle the knowledge resulting from an analysis of the application domain, i.e. explicit semantics. As of today, making explicit the domain knowledge inside system design models does not follow any methodological rule; instead, features of domain knowledge are introduced in an ad-hoc way through types, constraints, profiles, etc.

Our claim [11] is that ontologies are good candidates for handling explicit domain knowledge. They define domain theories and provide resources for uniquely identifying concepts of domain knowledge. Therefore, allowing models to make references to ontologies is a modular solution for models to explicitly handle domain knowledge. Overcoming the absence of explicit semantics expression in the modeling languages used to specify systems models will increase the robustness of the designed system models. Indeed, references to the axioms and theorems resulting from the ontologies can be used to strengthen the properties of the designed models. The objective is to offer rigorous mechanisms for handling domain knowledge in design models. We also show how these mechanisms are set up in the cases of formal system models, both for static and dynamic aspects.

#### Incremental Development of Systems and Algorithms

Joint work with Andriamiarina, Manamiary Bruno, with Neeraj Kumar Singh from IRIT, Toulouse, with Rosemary Monahan, NUI Maynooth, Ireland, and with Zheng Cheng, LINA, Nantes.

The development of distributed algorithms and, more generally, of distributed systems, is a complex, delicate, and challenging process. The approach based on refinement applies a design methodology that starts from the most abstract model and leads, in an incremental way, to a distributed solution. The use of a proof assistant gives a formal guarantee on the conformance of each refinement with the model preceding it.

Our main results during 2016 are:

• An extension [18] for handling the verification of concurrent programs. In a second step, we show the importance of the concept of refinement, and how it can be used to found a methodology for designing concurrent programs using the coordination paradigm.

• A fully mechanized proof [36] of correctness of self-$*$ systems along with an interesting case study related to P2P-based self-healing protocols.

• We report on our progress in implementing a software development environment that integrates two formal software engineering techniques: program refinement as supported by Event-B, and program verification as supported by the Spec# programming system. We improve the usability of formal verification tools by providing a general framework for integrating these two approaches to software verification. We show how the two approaches, based respectively on correctness by construction and on post-hoc verification, can be used in a productive way. In [32], we focus on the final steps in this process where the final concrete specification is transformed into an executable algorithm. We present EB2RC , a plug-in for the Rodin platform that reads in an Event-B model and uses the control framework introduced during its refinement to generate a graphical representation of the executable algorithm. EB2RC also generates a recursive algorithm that is easily translated into executable code. We illustrate our technique through case studies and their analysis.

#### Verification of the Pastry routing protocol

In her PhD thesis, Noran Azmy develops a formal proof in TLA+ of the routing protocol used in the Pastry protocol [51] for maintaining a distributed hash table over a peer-to-peer network. In a previous thesis [47], Tianxiang Lu had found problems with all published versions of the original protocol, introduced a variant of Pastry, and given a first correctness proof of that protocol, assuming that no node ever disconnects. Due to limitations of TLAPS at that time, Lu's proof relied on many unchecked assumptions on arithmetic and on the underlying data structures, and it was later discovered that several of these assumptions were not valid.

Noran Azmy simplified the proof by introducing intermediate abstractions that allowed her to avoid low-level arithmetic reasoning in the main proof steps, and she proved lemmas corresponding to those assumptions that were actually used in the proof. As a result, she obtained a complete machine-checked proof of Lu's variant of the Pastry protocol, still under the assumption that no node leaves the network. Moreover, a close analysis of the invariant used in her simplified proof revealed that the protocol could be simplified by leaving out the final “lease exchange” protocol. The results were published at ABZ 2016 [22], and an extended article was invited for publication in Science of Computer Programming.

#### Proof of Determinacy of PharOS

Joint work with Selma Azaiez and Matthieu Lemerre (CEA Saclay), and Damien Doligez (Inria Paris).

As the main contribution of our group to the ADN4SE project funded by PIA, in cooperation with colleagues from CEA LIST, we wrote a high-level TLA+ specification of the real-time operating system PharOS [46] and proved its executions to be deterministic. Roughly speaking, determinacy means that the sequence of local states of any process during a computation does not depend on the order in which processes are scheduled. The proof assumes that no deadlines are missed (which in practice is ensured by schedulability analysis of the particular applications). This property greatly simplifies the analysis and verification of programs that are executed within PharOS. The results were published at ABZ 2016 [21].