Abstract
Most state-based formal methods, like B, Event-B or Z, provide support for static typing. However, these methods and the associated tools lack support for annotating variables with (physical) units of measurement. There is thus no obvious way to reason about correct or incorrect usage of such units. We present a technique that analyzes the usage of physical units throughout B and Event-B machines, infers missing units and notifies the user of incorrectly handled units. The technique combines abstract interpretation with classical animation, constraint solving and model checking and has been integrated into the ProB validation tool, both for classical B and for Event-B. It provides source-level feedback about errors detected in the models. We also describe how to extend our approach to TLA \(^+\), an untyped formal language. We provide an in-depth empirical evaluation and demonstrate that our technique scales up to real-life industrial models.
Notes
See, however, [24].
We return to this example in Sect. 7.1 and provide further details there.
Note that this set includes not just functions but all relations between integers. In B and ProB functions and relations have the same type; operators for relations can be applied to functions and vice versa. The fact that a relation is indeed a function is encoded as an invariant and verified for each state, i.e., it is a safety property of the system.
Note that for Event-B, the Rodin tool will produce an error message if a variable or expression’s type contains \(\top \).
For convenience, some SI derived units and units accepted for use with the SI standard (see [35]) are stored as units in their own right rather than being converted.
In essence, this means adding the exponents of the leading powers of 10 of each SI unit.
In contrast to TLA \(^+\), B does not support \(n < 0\) as the first argument to the modulo operator. This is taken into account by the translation from TLA \(^+\) to B.
Note that there is only experimental support for floating point numbers in B and Event-B. Hence, we currently do not support conversions like the one from seconds to minutes using \(\frac{1}{60}\) as a conversion factor. It would, however, be possible to implement this as an extension of our approach, and we will do so once real/float support stabilizes. TLA \(^+\) supports real numbers. However, at the moment, our translation does not.
Both were counted on the internal representation of the machines. Thus, the metrics include code from imported machines. Comments are not counted, as they are not in the internal representation. However, new lines used for pretty printing are counted.
The tutorial including the machines can be found at http://www.tools.clearsy.com/wp1/?page_id=161.
The exception being variables and sets belonging to the system’s status. Here, no unit of measurement applies, and no unit was inferred.
Upon request of our industrial customers, we since added several custom units to the units included by default. Conversion rules were added as well.
A relation constructed as the set union of the two lambda expressions. Depending on the condition of the if expression, one of the lambda expressions is empty, while the other one contains exactly one element: the result of the if expression. We apply the relation to 1 to extract this element.
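As an added illustration, not code from the paper or from ProB, the following Python sketch shows the kind of unit inference the abstract describes: an abstract interpretation over a domain of SI exponent vectors with a power-of-ten scale (the exponent addition the note on SI prefixes mentions) and a conflict element standing in for \(\top \). The expression language and the sample assignments are constructed for the example.

```python
# Constructed sketch, not ProB's implementation. A unit is a pair
# (exponent vector over SI base symbols, power-of-ten scale): km is
# ({'m': 1}, 3), so converting a prefix means adding exponents of 10.
TOP = "TOP"          # unit conflict (the paper's top element); None = unknown
DIMLESS = ({}, 0)

def mul(u, v, sign=1):
    # unit of a product (sign=1) or quotient (sign=-1)
    if TOP in (u, v):
        return TOP
    if u is None or v is None:
        return None
    vec = dict(u[0])
    for base, exp in v[0].items():
        vec[base] = vec.get(base, 0) + sign * exp
    return ({b: e for b, e in sorted(vec.items()) if e}, u[1] + sign * v[1])

def unify(u, v):
    # sums and assignments need equal units: an unknown side adopts the other
    # side's unit, a mismatch such as m + s or km + m yields TOP
    if u is None or v is None:
        return v if u is None else u
    return u if u == v else TOP

def infer(expr, env):
    # abstract interpretation of a B-style expression over the unit domain;
    # nodes: ('num', n), ('var', x), ('*', a, b), ('/', a, b), ('+', a, b)
    op = expr[0]
    if op == 'num':
        return DIMLESS
    if op == 'var':
        return env.get(expr[1])
    lhs, rhs = infer(expr[1], env), infer(expr[2], env)
    if op in ('*', '/'):
        return mul(lhs, rhs, 1 if op == '*' else -1)
    u = unify(lhs, rhs)                                 # op == '+'
    for sub, known in ((expr[1], lhs), (expr[2], rhs)):
        if sub[0] == 'var' and known is None and u not in (None, TOP):
            env[sub[1]] = u                             # infer missing unit
    return u

def analyze(assignments, env):
    # iterate 'x := e' substitutions to a fixpoint; env then holds the
    # inferred units, with TOP on every variable whose unit is mishandled
    changed = True
    while changed:
        changed = False
        for target, expr in assignments:
            u = unify(env.get(target), infer(expr, env))
            if u != env.get(target):
                env[target], changed = u, True
    return env
```

Running `analyze` on assignments such as `speed := distance / time`, `total := distance + offset` and `bad := distance + time` with only `distance` (km) and `time` (s) annotated infers km for `offset` and `total`, derives the unit of `speed`, and marks `bad` with the conflict element.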
References
Abrial, J.R.: The B-book. Cambridge University Press, Cambridge (1996). doi:10.1017/CBO9780511624162
Abrial, J.R.: Modeling in Event-B: system and software engineering. Cambridge University Press, Cambridge (2010)
Abrial, J.R., Butler, M., Hallerstede, S.: An open extensible tool environment for Event-B. In: Liu, Z., He, J. (eds.) Proceedings ICFEM’06, LNCS 4260, pp. 588–605. Springer, Berlin (2006). doi:10.1007/s10009-010-0145-y
Abrial, J.R., Su, W., Zhu, H.: Formalizing hybrid systems with Event-B. In: Proceedings ABZ’12, LNCS 7316, pp. 178–193. Springer, Berlin (2012)
Anand, M., Lee, I., Pappas, G., Sokolsky, O.: Unit & dynamic typing in hybrid systems modeling with CHARON. In: Computer Aided Control System Design, pp. 56–61. IEEE (2006)
Baader, F., Snyder, W.: Unification theory. In: Robinson, J.A., Voronkov, A. (eds.) Handbook of Automated Reasoning, vol. 1, pp. 447–533. Elsevier Science Publishers (2001)
Back, R.J., Seceleanu, C.C., Westerholm, J.: Symbolic simulation of hybrid systems. In: Proceedings APSEC’02, pp. 147–155. IEEE Computer Society (2002)
Barrett, C., Stump, A., Tinelli, C.: The SMT-LIB standard: Version 2.0. Technical report, Department of Computer Science, University of Iowa (2010). www.SMT-LIB.org
Boute, R.T.: The Euclidean definition of the functions div and mod. ACM Trans. Program. Lang. Syst. 14(2), 127–144 (1992)
Bridgman, P.: Dimensional analysis. Yale University Press (1922). http://books.google.de/books?id=vehfnkmJIlkC
ClearSy: Atelier B 4.1 Release Notes. Aix-en-Provence, France (2009). http://www.atelierb.eu/
Collins, J.B.: A mathematical type for physical variables. In: Autexier, S., Campbell, J., Rubio, J., Sorge, V., Suzuki, M., Wiedijk, F. (eds.) Intelligent Computer Mathematics. Lecture Notes in Computer Science, vol. 5144, pp. 370–381. Springer, Berlin Heidelberg (2008)
Cousot, P.: Types as abstract interpretations. In: Conference Record of the Twentyfourth Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 316–331. ACM Press, New York, NY, Paris, France (1997)
Cousot, P., Cousot, R.: Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Proceedings POPL’77, pp. 238–252. ACM, New York (1977)
Cunis, R.: A package for handling units of measure in Lisp. ACM SIGPLAN Lisp Pointers 5, 21–25 (1992)
Gibbings, J.: Dimensional analysis. Springer, London (2011)
Hansen, D., Leuschel, M.: Translating TLA+ to B for validation with ProB. In: Proceedings iFM’2012, LNCS 7321, pp. 24–38. Springer, Berlin (2012)
Hayes, I.J., Mahony, B.P.: Using units of measurement in formal specifications. Form. Aspects Comput 7(3), 329–347 (1995)
Jiang, L., Su, Z.: Osprey: a practical type system for validating dimensional unit correctness of C programs. In: Proceedings ICSE’06, pp. 262–271. ACM (2006)
Kennedy, A.: Types for units-of-measure: theory and practice. In: Horváth, Z., Plasmeijer, R., Zsók, V. (eds.) Central European Functional Programming School. Lecture Notes in Computer Science, vol. 6299, pp. 268–305. Springer, Berlin Heidelberg (2010)
Knuth, D.E.: The art of computer programming, Volume 1: fundamental algorithms. Addison Wesley Longman Publishing Co., Inc, Redwood City (1997)
Krings, S., Leuschel, M.: Inferring physical units in B models. In: Proceedings SEFM’2013, LNCS 8137. Springer, Berlin (2013)
Lamport, L.: Specifying systems: the TLA+ language and tools for hardware and software engineers. Addison-Wesley, Boston (2002)
Lamport, L., Paulson, L.C.: Should your specification language be typed? ACM Trans. Program. Lang. Syst. 21(3), 502–526 (1999)
Leuschel, M., Butler, M.: ProB: a model checker for B. In: Proceedings FME’03, LNCS 2805, pp. 855–874. Springer, Berlin (2003)
Leuschel, M., Butler, M.: ProB: an automated analysis toolset for the B method. Int. J. Softw. Tools Technol. Transf. 10(2), 185–203 (2008)
Lockwood, G.: Final Report of the Board of Inquiry Investigating the Circumstances of an Accident Involving the Air Canada Boeing 767 Aircraft C-GAUN that Effected an Emergency Landing at Gimli, Manitoba on the 23rd Day of July, 1983. Minister of Supply and Services Canada (1985). https://books.google.de/books?id=Ej5PAAAAMAAJ
Modelica Association: The Modelica language specification version 3.0 (2007). http://www.modelica.org/
Owre, S., Saha, I., Shankar, N.: Automatic dimensional analysis of cyber-physical systems. In: Proceedings FM’12, LNCS 7436, pp. 356–371. Springer, Berlin (2012)
Platzer, A.: Logical analysis of hybrid systems: proving theorems for complex dynamics. Springer, Berlin (2010)
Reps, T.W.: Program analysis via graph reachability. Inf. Softw. Technol. 40(11–12), 701–726 (1998). doi:10.1016/S0950-5849(98)00093-7
Reps, T.W., Horwitz, S., Sagiv, S.: Precise interprocedural dataflow analysis via graph reachability. In: Conference Record of POPL’95: 22nd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, San Francisco, California, USA, January 23–25, 1995, pp. 49–61 (1995). doi:10.1145/199448.199462
Roy, P., Shankar, N.: SimCheck: an expressive type system for Simulink. In: Proceedings NFM’10, pp. 149–160. NASA (2010)
Stephenson, A., LaPiana, L., Mulville, D., Rutledge, P., Bauer, F., Folta, D., Dukeman, G., Sackheim, R., Norvig, P.: Mars Climate Orbiter mishap investigation report, phase I report (1999)
Thompson, A., Taylor, B.N.: The international system of units (SI). National Institute of Standards and Technology / U.S. Department of Commerce, Gaithersburg (2008)
Umrigar, Z.: Fully static dimensional analysis with C++. ACM SIGPLAN Not. 29, 135–139 (1994)
van Delft, A.: A Java extension with support for dimensions. Softw. Pract. Exp. 29(7), 605–616 (1999)
Wand, M., O’Keefe, P.: Automatic dimensional inference. In: Lassez, J.L., Plotkin, G. (eds.) Computational Logic: Essays in Honor of Alan Robinson, pp. 479–483. MIT Press, Cambridge, MA (1991)
Acknowledgments
We are grateful to reviewers of SEFM and SoSyM for their useful feedback, which helped to improve the paper. Our thanks also go to Luis-Fernando Mejia for providing us with interesting industrial case studies.
Additional information
Communicated by Prof. Hierons, Prof. Merayo, and Prof. Bravetti.
Part of this research has been sponsored by the EU funded FP7 project 287563 (ADVANCE) and the DFG funded research project GEPAVAS II.
Cite this article
Krings, S., Leuschel, M. Inferring physical units in formal models. Softw Syst Model 16, 25–47 (2017). https://doi.org/10.1007/s10270-015-0458-0