Software & Systems Modeling, Volume 16, Issue 4, pp 1083–1115

Towards an integrated formal method for verification of liveness properties in distributed systems: with application to population protocols

  • Dominique Méry
  • Michael Poppleton
Regular Paper


State-based formal methods [e.g. Event-B/RODIN (Abrial in Modeling in Event-B—system and software engineering. Cambridge University Press, Cambridge, 2010; Abrial et al. in Int J Softw Tools Technol Transf (STTT) 12(6):447–466, 2010)] for critical system development and verification are now well established, with track records including tool support and industrial applications. The focus of proof-based verification, in particular, is on safety properties. Liveness properties, which guarantee eventual, or converging, computations of some requirements, are less well dealt with. Inductive reasoning about liveness is not explicitly supported. Liveness proofs are often complex and expensive, requiring high skill levels on the part of the verification engineer. Fairness-based temporal logic approaches have been proposed to address this, e.g. TLA (Lamport, ACM Trans Program Lang Syst 16(3):872–923, 1994) and that of Manna and Pnueli (Temporal verification of reactive systems—safety. Springer, New York, 1995). We contribute to this technology need by proposing a fairness-based method integrating temporal and first-order logic, proof and tools for modelling and verification of safety and liveness properties. The method is based on an integration of Event-B and TLA. Building on our previous work (Méry and Poppleton in Integrated formal methods, 10th international conference, IFM 2013, Turku, Finland, pp 208–222, 2013. doi: 10.1007/978-3-642-38613-8_15), we present the method via three example population protocols (Angluin et al., Distrib Comput 18(4):235–253, 2006). These were proposed as a theoretical framework for computability reasoning about Wireless Sensor Network and Mobile Ad-Hoc Network algorithms. Our examples present typical liveness and convergence requirements. We prove convergence results for the examples by integrated modelling and proof with Event-B/RODIN and TLA. We exploit existing proof rules, and define and apply three new proof rules; soundness proofs are also provided. During the process we observe certain repeating patterns in the proofs. These are easily identified and reused because of the explicit nature of the reasoning.


Keywords: Refinement, Formal method, Distributed systems, Verification, Liveness, Fairness


References

  1. Abadi, M., Lamport, L.: The existence of refinement mappings. Theor. Comput. Sci. 82(2), 253–284 (1991). doi: 10.1016/0304-3975(91)90224-P
  2. Abadi, M., Merz, S.: On TLA as a logic. In: Broy, M. (ed.) NATO ASI DPD, pp. 235–271 (1996)
  3. Abrial, J.R.: The B-Book: Assigning Programs to Meanings. Cambridge University Press, Cambridge (1996)
  4. Abrial, J.R.: Modeling in Event-B—System and Software Engineering. Cambridge University Press, Cambridge (2010)
  5. Abrial, J.R.: Private communication (2013)
  6. Abrial, J.R., Butler, M., Hallerstede, S., Hoang, T.S., Mehta, F., Voisin, L.: Rodin: an open toolset for modelling and reasoning in Event-B. Int. J. Softw. Tools Technol. Transf. (STTT) 12(6), 447–466 (2010)
  7. Abrial, J.R., Butler, M., Hallerstede, S., Voisin, L.: An open extensible tool environment for Event-B. In: Liu, Z., He, J. (eds.) Proceedings of ICFEM 2006, LNCS, vol. 4260. Macau (2006)
  8. Abrial, J.R., Mussat, L.: Introducing dynamic constraints in B. In: Bert, D. (ed.) 2nd International B Conference, LNCS, vol. 1393, pp. 83–128. Springer, Montpellier (1998)
  9. Abrial, J.R., Su, W., Zhu, H.: Formalizing hybrid systems with Event-B. In: ABZ, pp. 178–193 (2012)
  10. Alpern, B., Schneider, F.B.: Defining liveness. Inf. Process. Lett. 21(4), 181–185 (1985)
  11. Alpern, B., Schneider, F.B.: Recognizing safety and liveness. Distrib. Comput. 2(3), 117–126 (1987)
  12. Angluin, D., Aspnes, J., Diamadi, Z., Fischer, M.J., Peralta, R.: Computation in networks of passively mobile finite-state sensors. Distrib. Comput. 18(4), 235–253 (2006)
  13. Angluin, D., Aspnes, J., Eisenstat, D., Ruppert, E.: The computational power of population protocols. Distrib. Comput. 20(4), 279–304 (2007)
  14. Angluin, D., Aspnes, J., Fischer, M.J., Jiang, H.: Self-stabilizing population protocols. TAAS 3(4), 103–117 (2008)
  15. Apt, K.R., Olderog, E.R.: Proof rules and transformations dealing with fairness. Sci. Comput. Program. 3(1), 65–100 (1983)
  16. Araki, K., Galloway, A., Taguchi, K. (eds.): Integrated Formal Methods, Proceedings of the 1st International Conference on Integrated Formal Methods, IFM 99, New York, UK, 28–29 June 1999. Springer (1999)
  17. Aspnes, J., Ruppert, E.: An introduction to population protocols. Bull. EATCS 93, 98–117 (2007)
  18. Back, R.J., Kurki-Suonio, R.: Distributed cooperation with action systems. ACM Trans. Program. Lang. Syst. 10(4), 513–554 (1988)
  19. Back, R.J., Kurki-Suonio, R.: Decentralization of process nets with centralized control. Distrib. Comput. 3(2), 73–87 (1989)
  20. Banach, R.: Pliant modalities in hybrid Event-B. In: Liu, Z., Woodcock, J., Zhu, H. (eds.) Theories of Programming and Formal Methods, Lecture Notes in Computer Science, vol. 8051, pp. 37–53. Springer (2013)
  21. Banach, R., Butler, M.: Cruise control in hybrid Event-B. In: Liu, Z., Woodcock, J., Zhu, H. (eds.) ICTAC, Lecture Notes in Computer Science, vol. 8049, pp. 76–93. Springer (2013)
  22. Banach, R., Zhu, H., Su, W., Wu, X.: Continuous behaviour in Event-B: A sketch. In: ABZ, pp. 349–352 (2012)
  23. Beauquier, J., Blanchard, P., Burman, J.: Self-stabilizing leader election in population protocols over arbitrary communication graphs. In: Baldoni, R., Nisse, N., van Steen, M. (eds.) Principles of Distributed Systems—17th International Conference, OPODIS 2013, Nice, France, December 16–18, 2013. Proceedings, Lecture Notes in Computer Science, vol. 8304, pp. 38–52. Springer (2013)
  24. Bjorner, D.: Software Engineering 1 Abstraction and Modelling. Springer, Texts in Theoretical Computer Science. An EATCS Series (2006). ISBN 978-3-540-21149-5
  25. Bjorner, D.: Software Engineering 2 Specification of Systems and Languages. Springer, Texts in Theoretical Computer Science. An EATCS Series (2006). ISBN 978-3-540-21150-1
  26. Bjorner, D.: Software Engineering 3 Domains, Requirements, and Software Design. Springer, Texts in Theoretical Computer Science. An EATCS Series (2006). ISBN 978-3-540-21151-8
  27. Bjørner, D., Henson, M.C. (eds.): Logics of Specification Languages. EATCS Textbook in Computer Science. Springer, New York (2007)
  28. Butler, M.: Decomposition structures for Event-B. In: Leuschel, M., Wehrheim, H. (eds.) Integrated Formal Methods, 7th International Conference, IFM 2009, Düsseldorf, Germany, February 16–19, 2009. Proceedings, Lecture Notes in Computer Science, vol. 5423, pp. 20–38. Springer (2009)
  29. Butler, M.: Towards a cookbook for modelling and refinement of control problems. ECS, University of Southampton, Technical Report (2009)
  30. Cai, S., Izumi, T., Wada, K.: How to prove impossibility under global fairness: on space complexity of self-stabilizing leader election on a population protocol model. Theory Comput. Syst. 50(3), 433–445 (2012)
  31. Cansell, D., Méry, D., Merz, S.: Predicate diagrams for the verification of reactive systems. In: Grieskamp, W., Santen, T., Stoddart, B. (eds.) IFM, Lecture Notes in Computer Science, vol. 1945, pp. 380–397. Springer (2000)
  32. Chandy, K., Misra, J.: Parallel Program Design: A Foundation. Addison-Wesley, Reading (1988)
  33. Chatzigiannakis, I., Michail, O., Spirakis, P.: Experimental verification and performance study of extremely large sized population protocols. In: Technical Report FRONTS-TR-2009-3 (2009)
  34. Cousineau, D., Doligez, D., Lamport, L., Merz, S., Ricketts, D., Vanzetto, H.: TLA+ proofs. In: Giannakopoulou, D., Méry, D. (eds.) FM, Lecture Notes in Computer Science, vol. 7436, pp. 147–154. Springer (2012)
  35. Dijkstra, R.M.: Computation calculus bridging a formalization gap. Sci. Comput. Program. 37(1–3), 3–36 (2000)
  36. Fathabadi, A.S., Butler, M., Rezazadeh, A.: A systematic approach to atomicity decomposition in event-b. In: Eleftherakis, G., Hinchey, M., Holcombe, M. (eds.) Software Engineering and Formal Methods—10th International Conference, SEFM 2012, Thessaloniki, Greece, October 1–5, 2012. Proceedings, Lecture Notes in Computer Science, vol. 7504, pp. 78–93. Springer (2012). doi: 10.1007/978-3-642-33826-7
  37. Fischer, M.J., Jiang, H.: Self-stabilizing leader election in networks of finite-state anonymous agents. In: Shvartsman, A.A. (ed.) Principles of Distributed Systems, 10th International Conference, OPODIS 2006, Bordeaux, France, December 12–15, 2006, Proceedings, Lecture Notes in Computer Science, vol. 4305, pp. 395–409. Springer (2006)
  38. Francez, N.: Fairness. Springer, New York (1986)
  39. Gibson, J.P., Méry, D.: A unifying model for specification and design. In: Proceedings of the Workshop on Proof Theory of Concurrent Object-Oriented Programming (1996)
  40. Gibson, P., Méry, D.: Fair objects. In: In OT98 COTSR, pp. 245–254 (1997)
  41. Groslambert, J.: Verification of LTL on B event systems. In: Julliand, J., Kouchnarenko, O. (eds.) B 2007: Formal Specification and Development in B, 7th International Conference of B Users, Besançon, France, January 17–19, 2007, Proceedings, Lecture Notes in Computer Science, vol. 4355, pp. 109–124. Springer (2007)
  42. Hallerstede, S.: On the purpose of Event-B proof obligations. In: E. Börger, M.J. Butler, J.P. Bowen, P. Boca (eds.) Abstract State Machines, B and Z, First International Conference, ABZ 2008, London, UK, September 16–18, 2008. Proceedings, Lecture Notes in Computer Science, vol. 5238, pp. 125–138. Springer (2008)
  43. Hoang, T.S., Abrial, J.R.: Reasoning about liveness properties in Event-B. In: Qin, S., Qiu, Z. (eds.) ICFEM, Lecture Notes in Computer Science, vol. 6991, pp. 456–471. Springer (2011)
  44. Hoare, C.: Communicating Sequential Processes. Prentice-Hall International, Upper Saddle River (1985)
  45. Hudon, S., Hoang, T.S.: Systems design guided by progress concerns. In: IFM, pp. 16–30 (2013)
  46. Jackson, M.: System Development. Prentice-Hall, Englewood Cliffs (1983)
  47. Järvinen, H.M., Kurki-Suonio, R.: Disco specification language: marriage of actions and objects. In: ICDCS, pp. 142–151. IEEE Computer Society (1991)
  48. Jones, C.B.: Specification and design of (parallel) programs. In: IFIP Congress, pp. 321–332 (1983)
  49. Kansal, A., Hsu, J., Zahedi, S., Srivastava, M.B.: Power management in energy harvesting sensor networks. ACM Trans. Embed. Comput. Syst. (2007). doi: 10.1145/1274858.1274870
  50. Lamport, L.: A simple approach to specifying concurrent systems. Commun. ACM 32(1), 32–45 (1989)
  51. Lamport, L.: The temporal logic of actions. ACM Trans. Program. Lang. Syst. 16(3), 872–923 (1994)
  52. Lamport, L.: Specifying Systems: The TLA+ Language and Tools for Hardware and Software Engineers. Addison-Wesley, Boston (2002)
  53. Lamport, L., Matthews, J., Tuttle, M.R., Yu, Y.: Specifying and verifying systems with TLA+. In: Muller, G., Jul, E. (eds.) ACM SIGOPS European Workshop, pp. 45–48. ACM (2002)
  54. Manna, Z., Pnueli, A.: Temporal Verification of Reactive Systems—Safety. Springer, New York (1995)
  55. Méry, D.: A proof system to derive eventually properties under justice hypothesis. In: Gruska, J., Rovan, v, Wiedermann, J. (eds.) Mathematical Foundations of Computer Science 1986, Bratislava, Czechoslovakia, August 25–29, 1996, Proceedings, Lecture Notes in Computer Science, vol. 233, pp. 536–544. Springer (1986). doi: 10.1007/BFb0016280
  56. Méry, D.: Requirements for a temporal B: Assigning Temporal Meaning to Abstract Machines ... and to Abstract Systems. In: Galloway, A., Taguchi, K. (eds.) IFM’99 Integrated Formal Methods 1999, Workshop on Computing Science, New York (1999)
  57. Méry, D.: Refinement-based guidelines for algorithmic systems. Int. J. Softw. Inf. 3(2–3), 197–239 (2009)
  58. Méry, D., Poppleton, M.: Formal modelling and verification of population protocols. In: Integrated Formal Methods, 10th International Conference, IFM 2013, Turku, Finland, June 10–14, 2013. Proceedings, pp. 208–222 (2013). doi: 10.1007/978-3-642-38613-8_15
  59. Olderog, E.R., Apt, K.R.: Fairness in parallel programs: the transformational approach. ACM Trans. Program. Lang. Syst. 10(3), 420–455 (1988)
  60. Owicki, S.S., Lamport, L.: Proving liveness properties of concurrent programs. ACM Trans. Program. Lang. Syst. 4(3), 455–495 (1982)
  61. Park, D.: A predicate transformer for weak fair iteration. In: Proceedings of 6th IBM Symposium on Mathematical Foundations in Computer Science, pp. 257–275. IBM, Hakone (1981)
  62. Picco, G.: Software engineering and wireless sensor networks: happy marriage or consensual divorce. In: FoSER 2010 (2010)
  63. Rajagopalan, R., Varshney, P.K.: Data-aggregation techniques in sensor networks: a survey. IEEE Commun. Surv. Tutor. 8(1–4), 48–63 (2006)
  64. Schneider, S.A., Treharne, H., Wehrheim, H., Williams, D.M.: Managing LTL properties in event-b refinement. In: Albert, E., Sekerinski, E. (eds.) Integrated Formal Methods—11th International Conference, IFM 2014, Bertinoro, Italy, September 9–11, 2014, Proceedings, Lecture Notes in Computer Science, vol. 8739, pp. 221–237. Springer (2014). doi: 10.1007/978-3-319-10181-1
  65. Spirakis, P.: Population protocols and related models. In: Theoretical Aspects of Distributed Computing in Sensor Networks Monographs in Theoretical Computer Science. An EATCS Series 2011, pp. 109–159. Springer (2011)
  66. Stavvides, A., Srivastava, M., Girod, L., Estrin, D.: Wireless Sensor Networks. Springer, New York (2004)
  67. Yick, J., Mukherjee, B., Ghosal, D.: Wireless sensor network survey. Comput. Netw. 52(12), 2292–2330 (2008). doi: 10.1016/j.comnet.2008.04.002

Copyright information

© Springer-Verlag Berlin Heidelberg 2015

Authors and Affiliations

  1. LORIA, Université de Lorraine, Vandoeuvre lès Nancy, France
  2. School of Electronics and Computer Science, University of Southampton, Southampton, UK
