Tool-Assisted Multi-Facet Analysis of Formal Specifications (Using Atelier-B and ProB)
Tool-assisted analysis of software systems and convenient guides to practising formal methods are still motivating challenges. This article addresses these challenges: we experiment with analysing a formal specification from multiple aspects. The B method and the Atelier-B tool are used for formal specification, for safety property analysis and for refinement. The ProB tool supplements the study with model checking; it helps to discover errors and therefore to improve the earlier specifications.
💡 Research Summary
The paper addresses two persistent challenges in the adoption of formal methods: the scarcity of tool‑supported, multi‑aspect analysis and the lack of practical guidance for engineers. To meet these challenges, the authors propose a combined verification framework that leverages the strengths of Atelier‑B and ProB. First, a formal specification is written in the B method using Atelier‑B, which provides facilities for theorem proving, invariant checking, and stepwise refinement. The specification is then automatically translated into a format compatible with ProB, a model‑checking and animation tool that explores the state space of the B machine. This translation is performed by a custom script that maps variable declarations, operations, and initialization clauses while preserving meta‑information such as proof obligations.
The experimental case study focuses on a classic bank account management system. The B model defines operations for opening accounts, depositing, withdrawing, and querying balances, together with a safety invariant that balances must never become negative. Using Atelier‑B, most proof obligations are discharged automatically; however, a few complex operations remain unproved, indicating potential gaps in the specification. ProB is then employed to perform exhaustive state‑space exploration. During this phase, ProB discovers a counter‑example where a withdrawal operation can be invoked without a prior check on the available balance, violating the safety invariant. The authors trace this anomaly back to a missing pre‑condition in the B model.
After adding the missing pre‑condition to the Atelier‑B specification, the proof obligations are re‑run, and all are successfully discharged. A subsequent ProB run confirms that the counter‑example no longer exists and that the invariant holds for all reachable states. This iterative feedback loop demonstrates how model checking can uncover execution‑path errors that theorem proving alone may miss, while theorem proving can prune the state space explored by the model checker, mitigating state‑explosion problems.
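As an added illustration (not code from the paper or from ProB), the following Python sketch replays the feedback loop described above: a bounded explicit-state search over the bank-account model returns the shortest trace that violates the non-negative-balance invariant when `withdraw` lacks its balance pre-condition, and returns no trace once the pre-condition is restored. The account names, amounts and bounds are constructed to keep the state space finite, much as a model checker bounds deferred sets.

```python
"""Explicit-state exploration of the bank-account model from the case study.
Constructed example: `withdraw` is checked with and without the missing
pre-condition `amt <= balance(acc)` that the summary describes."""
from collections import deque

ACCOUNTS = ("a1", "a2")   # constructed finite carrier set
AMOUNTS = (1, 2)          # constructed bounded deposit/withdraw amounts
MAX_BALANCE = 3           # constructed upper bound keeping the state space finite


def invariant(state):
    """Safety invariant: no open account may hold a negative balance."""
    return all(balance >= 0 for balance in state.values())


def enabled_ops(state, guarded):
    """Yield (operation, successor state) for each operation whose PRE holds.
    A state maps each open account to its balance; closed accounts are absent."""
    for acc in ACCOUNTS:
        if acc not in state:
            yield f"open({acc})", {**state, acc: 0}
            continue
        for amt in AMOUNTS:
            if state[acc] + amt <= MAX_BALANCE:
                yield f"deposit({acc},{amt})", {**state, acc: state[acc] + amt}
            # Defective version: PRE only requires the account to exist.
            # Fixed version adds the missing pre-condition amt <= balance(acc).
            if not guarded or amt <= state[acc]:
                yield f"withdraw({acc},{amt})", {**state, acc: state[acc] - amt}


def key(state):
    """Hashable canonical form of a state for the visited set."""
    return tuple(sorted(state.items()))


def model_check(guarded):
    """Breadth-first search from INITIALISATION (no accounts). Returns the
    shortest invariant-violating trace as a list of operation names, or None
    when every reachable state satisfies the invariant."""
    init = {}
    seen = {key(init)}
    queue = deque([(init, [])])
    while queue:
        state, trace = queue.popleft()
        if not invariant(state):
            return trace
        for op, nxt in enabled_ops(state, guarded):
            if key(nxt) not in seen:
                seen.add(key(nxt))
                queue.append((nxt, trace + [op]))
    return None


if __name__ == "__main__":
    print("without pre-condition:", model_check(guarded=False))
    print("with pre-condition:", model_check(guarded=True))
```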
The discussion highlights the complementary nature of the two tools. Atelier‑B excels at deep, mathematically rigorous verification but relies on the user to anticipate all relevant pre‑conditions. ProB, by contrast, automatically generates execution traces and can reveal hidden defects, yet its exhaustive search is limited by scalability concerns. By alternating between the tools, the framework achieves higher error detection rates, reduces manual proof effort, and provides a practical workflow for engineers unfamiliar with formal methods.
In conclusion, the authors validate that a multi‑facet analysis using Atelier‑B and ProB improves specification quality, accelerates the refinement process, and offers a reproducible methodology for real‑world software development. Future work includes extending the automated translation pipeline to larger B models, optimizing ProB’s exploration strategies based on refinement information, and investigating integration with other formal languages such as Event‑B and TLA+.