P ROMELA Semantics

/ 25Hong,Shin @ PSWLAB

PROMELA Semantics

from “THE SPIN MODEL CHECKER” by G. J. HolzmannPresented by Hong,Shin

5th Oct 2007

4시 15분 1PROMELA Semantics


Contents• Introduction• Transition Relation• Operational Model• Semantics Engine• Interpreting PROMELA models• Further study

4시 15분 PROMELA Semantics 2


Introduction 1/3

• A SPIN model can be used to specify the behavior of collections of asynchronously executing processes in a distributed system.

• From a SPIN model, we can generate a large directed graph of all reachable system state, called global reachability graph.

• Correctness claims in PROMELA can be interpreted as statements about the presence or absence of specific types of nodes or edges in the global reachability graph.



Introduction 2/3

• The PROMELA semantics defines the behavior of a PROMEL model.

• The PROMELA semantics rules define how the global reachability graph for any given PROMELA model is to be generated.


chan x = [0] of { bit } ;

chan y = [0] of { bit } ;

active proctype A() { x?0 unless y!0 }

active proctype B() { y?0 unless x!0 }


Introduction 3/3

• The operational semantics of PROMELA should allow us to derive what the structure of the global reachability graph is for any given SPIN model in detail.- Global reachability graph’s state

Operational model

- Global reachability graph’s transition Transition relation



Transition Relation 1/2

• Every PROMELA proctype defines a finite state automaton (S, s0, L, T, F ).- Transition relation T defines the flow of control.- Transition label set L links each transition in T with a specific

basic statement that defines the executability and the effect of that transition.


active proctype not_euclid(int x, int y){

if:: (x > y) -> L: x = x – y:: (x < y) -> y = y – x :: (x == y) -> assert(x != y) ; goto Lfi ;printf(“%d\n”, x) ;

}


Transition Relation 2/2

• If, goto, semicolon, arrow, do, break … do not appear as labels on transitions.

• basic statements– assignments, assertions, print statements,

send or receive statements, PROMELA’s expression statements.


active proctype not_euclid(int x, int y){ if :: (x > y) -> L: x = x – y :: (x < y) -> y = y – x :: (x == y) -> assert(x != y) ;

goto L fi ; printf(“%d\n”, x) ;}

x < y

y = y - x

x == y

print

x=x-y

assert(x!=y)

x > y


Operational Model 1/5

• Semantics engine- determines how a given PROMELA model defines system

executions.- operates on abstract objects that correspond to processes,

variables, and message channels.

• Def. Variable

(name, scope, domain, inival, curval)

scope: global or local to a specific process.domain: a finite set of integers.




• Def. MessageA message is an ordered set of variables.

• Def. Message Channel

(ch_id, nslots, contents)

nslots: maximum number of messages.contents: an ordered set of messages.




• Def. Process

(pid, lvars, lstates, initial, curstate, trans)

lvars: a finite set of local variableslstates: a finite set of integerinitial: an element of lstatestrans: a finite set of transitions on lstates.




• Def. Transition

A transition in process P is defined by a tuple

(tr_id, source, target, cond, effect, prty, rv)

source, target 2 P.lstatescond: a boolean condition on global system

stateeffect: a function that modifies the global

system stateprty, rv are integers.




• Def. System State

(gvars, procs, chans, exclusive, handshake,

timeout, else, stutter)

gvars: a finite set of variables with global scopeprocs: a finite set of processeschans: a finite set of message channelsexclusive, handshake are integerstimeout, else, stutter are booleans



Semantics Engine 1/4

• The semantics engine selects one executable basic statement.

• For selected statement, the effect clause from the statement is applied. And the control state of the process that executes the statement is updated.

• The semantics engine continues executing statements until no executable statements remain.




while ( (E = executable(s)) != {} ) {

for some (p, t) from E {

s’ = apply(t.effect, s)

if (handshake == 0) {

s = s’

p.curstate = t.target

}

else {

E’ = executable(s’)

for some (p’, t’) from E’ {

s = apply(t’.effect, s’) ;

p.curstate = t.target

p’.curstate = t’.target

}

handshake = 0 ;

} } }

while(stutter) {s = s}


•PROMELA Semantics Engineexecutable(s) returns a set of pairs of executable transitions in system state s.apply() applies the effect of the transition to the system state.

handshake is not 0, if rendezvous offer was made with the message channel whose ch_id is the value of handshake

stutter extensionstutter is used to determine if the stuttering rule is in effect



Set executable(State s)

{ new Set E = {} ;

new Set e ;

timeout = false ;

AllProcs:

for each active process p {

if (exclusive == 0 or exclusive == p.pid) {

for u from high to low {

e = {} ; else = false ;

OneProc:

for each t in p.trans {

if (t.source == p.curstate and

t.prty == u and

(handshake==0 or handshake==t.rv) and

eval(t.cond) == true) {

add (p,t) to set e ; }

}4시 15분 PROMELA Semantics 15

Any transition that is part of an atomic sequence sets exclusive to the value of p.pid.

checks priority level. Priorities are defined in PROMELA with the unless construct.

check whether executability condition for the transition is satisfied.



if (e != {}) {

add all elements of e to E ; break ;

}

else if (else == false){

else = true ; goto OneProc ;

}

} } }

if (E == {} and exclusive != 0) {

exclusive = 0 ; goto AllProcs ;

}

if (E == {} and timeout == false) {

timeout = true ; goto AllProcs ;

}

return E ;

}


Select the transition whose cond is else.

If atomic sequence itself blocks, select another process’s transtion

Execute timeout sequence if no transition is selected.


Interpreting PROMELA models 1/5

• Basic objects of a PROMELA model correspond to the basic objects that are manipulated by the semantics engine.

• The control-flow constructs provide convenient high-level means for defining transition relations on processes.

• PROMELA basic statements (e.g. assignments, message passing operations, etc) directly correspond to the transitions of the semantic model.

• All details are in MANUAL PAGES of PROMELA.– EXECUTABILITY, EFFECT






active proctype A() { x?0 unless y!0 }

active proctype B() { y?0 unless x!0 }


cond: trueeffect: y!0priority : highcond: first

message in x matches 0effect: nonepriority : low

cond: trueeffect: x!0priority : high

cond: first message in y matches 0effect: nonepriority : low




cond: trueeffect: y!0priority : highcond: first

message in x matches 0effect: x?0priority : low

cond: trueeffect: x!0priority : high

cond: first message in y matches 0effect: nonepriority : low

x!0 y!0

x?0

y?0





active proctype A() { x!0 unless y!0 }

active proctype B() { y?0 unless x?0 }


cond: true effect: y!0priority : high

cond: trueeffect: x!0priority : low

cond: first message in y is 0effect: nonepriority :low

cond: first message in x is 0effect: nonepriority : high

y!0 y?0





active proctype A() { x!0 unless y?0 }

active proctype B() { y!0 unless x?0 }


cond: first message in y is 0effect: nonepriority : high

cond: trueeffect: x!0priority : low

cond: first message in x is 0effect: nonepriority : high

cond: trueeffect: y!0priority : low

x!0

y!0

x?0

y?0


Verification 1/2

• The semantics engine does not include any special mention or interpretation of valid end state, accepting state, assertion, etc.

• Operational semantics define only behavior of a model. It does not define what kind of behavior is good or bad.

• Assertion statements, never claims, trace assertion, etc are used for making meta statements about the semantics of a model.

• Verification engine defines this meta-semantics for verification.



Verification 2/2

• System variable stutter set to be false when an assertion statement can fail or in the presence of executions that violate the requirements for proper termination

• Never claim– the purpose of the claim is to suppress the

inspection of executions that could not possibly lead to a counterexample.


while( (E = executable(s) != {} ) {if (check_fails()) Stop ;

:}while (stutter) { s = s ; if (check_fails()) Stop ; }


Further study• Search Algorithms (Ch. 8)

- Checking Safety properties- Checking Liveness properties

• Search Optimization (Ch. 9)



Reference

Gerard J. Holzmann,“THE SPIN MODEL CHECKER-PRIMER AND REFERENCE

MANUAL”


Documents

P ROMELA Semantics