1 / 25

P ROMELA Semantics

P ROMELA Semantics. from “THE SPIN MODEL CHECKER” by G. J. Holzmann Presented by Hong,Shin 5 th Oct 2007. Contents. Introduction Transition Relation Operational Model Semantics Engine Interpreting P ROMELA models Further study. Introduction 1/3.

bonita
Download Presentation

P ROMELA Semantics

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. PROMELA Semantics from “THE SPIN MODEL CHECKER” by G. J. Holzmann Presented by Hong,Shin 5th Oct 2007 PROMELA Semantics

  2. Contents • Introduction • Transition Relation • Operational Model • Semantics Engine • Interpreting PROMELA models • Further study PROMELA Semantics

  3. Introduction 1/3 • A SPIN model can be used to specify the behavior of collections of asynchronously executing processes in a distributed system. • From a SPIN model, we can generate a large directed graph of all reachable system state, called global reachability graph. • Correctness claims in PROMELA can be interpreted as statements about the presence or absence of specific types of nodes or edges in the global reachability graph. PROMELA Semantics

  4. Introduction 2/3 • The PROMELA semantics defines the behavior of a PROMEL model. • The PROMELA semantics rules define how the global reachability graph for any given PROMELA model is to be generated. chan x = [0] of { bit } ; chan y = [0] of { bit } ; active proctype A() { x?0 unless y!0 } active proctype B() { y?0 unless x!0 } PROMELA Semantics

  5. Introduction 3/3 • The operational semanticsof PROMELA should allow us to derive what the structure of the global reachability graph is for any given SPIN model in detail. - Global reachability graph’s state  Operational model • Global reachability graph’s transition  Transition relation PROMELA Semantics

  6. Transition Relation 1/2 • Every PROMELAproctype defines a finite state automaton (S, s0, L, T, F ). • Transition relation T defines the flow of control. • Transition label set L links each transition in T with a specific basic statement that defines the executability and the effect of that transition. active proctype not_euclid(int x, int y) { if :: (x > y) -> L: x = x – y :: (x < y) -> y = y – x :: (x == y) -> assert(x != y) ; goto L fi ; printf(“%d\n”, x) ; } PROMELA Semantics

  7. Transition Relation 2/2 • If, goto, semicolon, arrow, do, break … do not appear as labels on transitions. • basic statements • assignments, assertions, print statements, send or receive statements, PROMELA’s expression statements. active proctype not_euclid(int x, int y) { if :: (x > y) -> L: x = x – y :: (x < y) -> y = y – x :: (x == y) -> assert(x != y) ; goto L fi ; printf(“%d\n”, x) ; } x < y x == y x > y assert(x!=y) y = y - x x=x-y print PROMELA Semantics

  8. Operational Model 1/5 • Semantics engine • determines how a given PROMELA model defines system executions. • operates on abstract objects that correspond to processes, variables, and message channels. • Def. Variable (name, scope, domain, inival, curval) scope: global or local to a specific process. domain: a finite set of integers. PROMELA Semantics

  9. Operational Model 2/5 • Def. Message A message is an ordered set of variables. • Def. Message Channel (ch_id, nslots, contents) nslots: maximum number of messages. contents: an ordered set of messages. PROMELA Semantics

  10. Operational Model 3/5 • Def. Process (pid, lvars, lstates, initial, curstate, trans) lvars: a finite set of local variables lstates: a finite set of integer initial: an element of lstates trans: a finite set of transitions on lstates. PROMELA Semantics

  11. Operational Model 4/5 • Def. Transition A transition in processP is defined by a tuple (tr_id, source, target, cond, effect, prty, rv) source, target2P.lstates cond: a boolean condition on global system state effect: a function that modifies the global system state prty, rv are integers. PROMELA Semantics

  12. Operational Model 5/5 • Def. System State (gvars, procs, chans, exclusive, handshake, timeout, else, stutter) gvars: a finite set of variables with global scope procs: a finite set of processes chans: a finite set of message channels exclusive, handshake are integers timeout, else, stutter are booleans PROMELA Semantics

  13. Semantics Engine 1/4 • The semantics engine selects one executable basic statement. • For selected statement, the effect clause from the statement is applied. And the control state of the process that executes the statement is updated. • The semantics engine continues executing statements until no executable statements remain. PROMELA Semantics

  14. Semantics Engine 2/4 while ( (E = executable(s)) != {} ) { for some (p, t) from E { s’ = apply(t.effect, s) if (handshake == 0) { s = s’ p.curstate = t.target } else { E’ = executable(s’) for some (p’, t’) from E’ { s = apply(t’.effect, s’) ; p.curstate = t.target p’.curstate = t’.target } handshake = 0 ; } } } while(stutter) {s = s} • PROMELA Semantics Engine executable(s) returns a set of pairs of executable transitions in system state s. apply() applies the effect of the transition to the system state. handshake is not 0, if rendezvous offer was made with the message channel whose ch_id is the value of handshake stutter extension stutter is used to determine if the stuttering rule is in effect PROMELA Semantics

  15. Semantics Engine 3/4 Set executable(State s) { new Set E = {} ; new Set e ; timeout = false ; AllProcs: for each active process p { if (exclusive == 0 or exclusive == p.pid) { for u from high to low { e = {} ; else = false ; OneProc: for each t in p.trans { if (t.source == p.curstate and t.prty == u and (handshake==0 or handshake==t.rv) and eval(t.cond) == true) { add (p,t) to set e ; } } Any transition that is part of an atomic sequence sets exclusive to the value of p.pid. checks priority level. Priorities are defined in PROMELA with the unless construct. check whether executability condition for the transition is satisfied. PROMELA Semantics

  16. Semantics Engine 4/4 if (e != {}) { add all elements of e to E ; break ; } else if (else == false){ else = true ; goto OneProc ; } } } } if (E == {} and exclusive != 0) { exclusive = 0 ; goto AllProcs ; } if (E == {} and timeout == false) { timeout = true ; goto AllProcs ; } return E ; } Select the transition whose cond is else. If atomic sequence itself blocks, select another process’s transtion Execute timeout sequence if no transition is selected. PROMELA Semantics

  17. Interpreting PROMELA models 1/5 • Basic objects of a PROMELA model correspond to the basic objects that are manipulated by the semantics engine. • The control-flow constructs provide convenient high-level means for defining transition relations on processes. • PROMELA basic statements (e.g. assignments, message passing operations, etc) directly correspond to the transitions of the semantic model. • All details are in MANUAL PAGES of PROMELA. • EXECUTABILITY, EFFECT PROMELA Semantics

  18. Interpreting PROMELA models 2/5 chan x = [0] of { bit } ; chan y = [0] of { bit } ; active proctype A() { x?0 unless y!0 } active proctype B() { y?0 unless x!0 } cond: true effect: y!0 priority : high cond: true effect: x!0 priority : high cond: first message in y matches 0 effect: none priority : low cond: first message in x matches 0 effect: none priority : low PROMELA Semantics

  19. Interpreting PROMELA models 3/5 cond: true effect: y!0 priority : high cond: true effect: x!0 priority : high cond: first message in y matches 0 effect: none priority : low cond: first message in x matches 0 effect: x?0 priority : low x!0 y!0 y?0 x?0 PROMELA Semantics

  20. Interpreting PROMELA models 4/5 chan x = [0] of { bit } ; chan y = [0] of { bit } ; active proctype A() { x!0 unless y!0 } active proctype B() { y?0 unless x?0 } cond: first message in x is 0 effect: none priority : high cond: true effect: y!0 priority : high cond: true effect: x!0 priority : low cond: first message in y is 0 effect: none priority :low y!0 y?0 PROMELA Semantics

  21. Interpreting PROMELA models 5/5 chan x = [0] of { bit } ; chan y = [0] of { bit } ; active proctype A() { x!0 unless y?0 } active proctype B() { y!0 unless x?0 } cond: first message in y is 0 effect: none priority : high cond: first message in x is 0 effect: none priority : high cond: true effect: y!0 priority : low cond: true effect: x!0 priority : low x!0 y!0 y?0 x?0 PROMELA Semantics

  22. Verification 1/2 • The semantics engine does not include any special mention or interpretation of valid end state, accepting state, assertion, etc. • Operational semantics define only behavior of a model. It does not define what kind of behavior is good or bad. • Assertion statements, never claims, trace assertion, etc are used for making meta statements about the semantics of a model. • Verification engine defines this meta-semantics for verification. PROMELA Semantics

  23. Verification 2/2 • System variable stutter set to be false when an assertion statement can fail or in the presence of executions that violate the requirements for proper termination • Never claim • the purpose of the claim is to suppress the inspection of executions that could not possibly lead to a counterexample. while( (E = executable(s) != {} ) { if (check_fails()) Stop ; : } while (stutter) { s = s ; if (check_fails()) Stop ; } PROMELA Semantics

  24. Further study • Search Algorithms (Ch. 8) - Checking Safety properties - Checking Liveness properties • Search Optimization (Ch. 9) PROMELA Semantics

  25. Reference Gerard J. Holzmann, “THE SPIN MODEL CHECKER-PRIMER AND REFERENCE MANUAL” PROMELA Semantics

More Related