250 likes | 389 Views
P ROMELA Semantics. from “THE SPIN MODEL CHECKER” by G. J. Holzmann Presented by Hong,Shin 5 th Oct 2007. Contents. Introduction Transition Relation Operational Model Semantics Engine Interpreting P ROMELA models Further study. Introduction 1/3.
E N D
PROMELA Semantics from “THE SPIN MODEL CHECKER” by G. J. Holzmann Presented by Hong,Shin 5th Oct 2007 PROMELA Semantics
Contents • Introduction • Transition Relation • Operational Model • Semantics Engine • Interpreting PROMELA models • Further study PROMELA Semantics
Introduction 1/3 • A SPIN model can be used to specify the behavior of collections of asynchronously executing processes in a distributed system. • From a SPIN model, we can generate a large directed graph of all reachable system state, called global reachability graph. • Correctness claims in PROMELA can be interpreted as statements about the presence or absence of specific types of nodes or edges in the global reachability graph. PROMELA Semantics
Introduction 2/3 • The PROMELA semantics defines the behavior of a PROMEL model. • The PROMELA semantics rules define how the global reachability graph for any given PROMELA model is to be generated. chan x = [0] of { bit } ; chan y = [0] of { bit } ; active proctype A() { x?0 unless y!0 } active proctype B() { y?0 unless x!0 } PROMELA Semantics
Introduction 3/3 • The operational semanticsof PROMELA should allow us to derive what the structure of the global reachability graph is for any given SPIN model in detail. - Global reachability graph’s state Operational model • Global reachability graph’s transition Transition relation PROMELA Semantics
Transition Relation 1/2 • Every PROMELAproctype defines a finite state automaton (S, s0, L, T, F ). • Transition relation T defines the flow of control. • Transition label set L links each transition in T with a specific basic statement that defines the executability and the effect of that transition. active proctype not_euclid(int x, int y) { if :: (x > y) -> L: x = x – y :: (x < y) -> y = y – x :: (x == y) -> assert(x != y) ; goto L fi ; printf(“%d\n”, x) ; } PROMELA Semantics
Transition Relation 2/2 • If, goto, semicolon, arrow, do, break … do not appear as labels on transitions. • basic statements • assignments, assertions, print statements, send or receive statements, PROMELA’s expression statements. active proctype not_euclid(int x, int y) { if :: (x > y) -> L: x = x – y :: (x < y) -> y = y – x :: (x == y) -> assert(x != y) ; goto L fi ; printf(“%d\n”, x) ; } x < y x == y x > y assert(x!=y) y = y - x x=x-y print PROMELA Semantics
Operational Model 1/5 • Semantics engine • determines how a given PROMELA model defines system executions. • operates on abstract objects that correspond to processes, variables, and message channels. • Def. Variable (name, scope, domain, inival, curval) scope: global or local to a specific process. domain: a finite set of integers. PROMELA Semantics
Operational Model 2/5 • Def. Message A message is an ordered set of variables. • Def. Message Channel (ch_id, nslots, contents) nslots: maximum number of messages. contents: an ordered set of messages. PROMELA Semantics
Operational Model 3/5 • Def. Process (pid, lvars, lstates, initial, curstate, trans) lvars: a finite set of local variables lstates: a finite set of integer initial: an element of lstates trans: a finite set of transitions on lstates. PROMELA Semantics
Operational Model 4/5 • Def. Transition A transition in processP is defined by a tuple (tr_id, source, target, cond, effect, prty, rv) source, target2P.lstates cond: a boolean condition on global system state effect: a function that modifies the global system state prty, rv are integers. PROMELA Semantics
Operational Model 5/5 • Def. System State (gvars, procs, chans, exclusive, handshake, timeout, else, stutter) gvars: a finite set of variables with global scope procs: a finite set of processes chans: a finite set of message channels exclusive, handshake are integers timeout, else, stutter are booleans PROMELA Semantics
Semantics Engine 1/4 • The semantics engine selects one executable basic statement. • For selected statement, the effect clause from the statement is applied. And the control state of the process that executes the statement is updated. • The semantics engine continues executing statements until no executable statements remain. PROMELA Semantics
Semantics Engine 2/4 while ( (E = executable(s)) != {} ) { for some (p, t) from E { s’ = apply(t.effect, s) if (handshake == 0) { s = s’ p.curstate = t.target } else { E’ = executable(s’) for some (p’, t’) from E’ { s = apply(t’.effect, s’) ; p.curstate = t.target p’.curstate = t’.target } handshake = 0 ; } } } while(stutter) {s = s} • PROMELA Semantics Engine executable(s) returns a set of pairs of executable transitions in system state s. apply() applies the effect of the transition to the system state. handshake is not 0, if rendezvous offer was made with the message channel whose ch_id is the value of handshake stutter extension stutter is used to determine if the stuttering rule is in effect PROMELA Semantics
Semantics Engine 3/4 Set executable(State s) { new Set E = {} ; new Set e ; timeout = false ; AllProcs: for each active process p { if (exclusive == 0 or exclusive == p.pid) { for u from high to low { e = {} ; else = false ; OneProc: for each t in p.trans { if (t.source == p.curstate and t.prty == u and (handshake==0 or handshake==t.rv) and eval(t.cond) == true) { add (p,t) to set e ; } } Any transition that is part of an atomic sequence sets exclusive to the value of p.pid. checks priority level. Priorities are defined in PROMELA with the unless construct. check whether executability condition for the transition is satisfied. PROMELA Semantics
Semantics Engine 4/4 if (e != {}) { add all elements of e to E ; break ; } else if (else == false){ else = true ; goto OneProc ; } } } } if (E == {} and exclusive != 0) { exclusive = 0 ; goto AllProcs ; } if (E == {} and timeout == false) { timeout = true ; goto AllProcs ; } return E ; } Select the transition whose cond is else. If atomic sequence itself blocks, select another process’s transtion Execute timeout sequence if no transition is selected. PROMELA Semantics
Interpreting PROMELA models 1/5 • Basic objects of a PROMELA model correspond to the basic objects that are manipulated by the semantics engine. • The control-flow constructs provide convenient high-level means for defining transition relations on processes. • PROMELA basic statements (e.g. assignments, message passing operations, etc) directly correspond to the transitions of the semantic model. • All details are in MANUAL PAGES of PROMELA. • EXECUTABILITY, EFFECT PROMELA Semantics
Interpreting PROMELA models 2/5 chan x = [0] of { bit } ; chan y = [0] of { bit } ; active proctype A() { x?0 unless y!0 } active proctype B() { y?0 unless x!0 } cond: true effect: y!0 priority : high cond: true effect: x!0 priority : high cond: first message in y matches 0 effect: none priority : low cond: first message in x matches 0 effect: none priority : low PROMELA Semantics
Interpreting PROMELA models 3/5 cond: true effect: y!0 priority : high cond: true effect: x!0 priority : high cond: first message in y matches 0 effect: none priority : low cond: first message in x matches 0 effect: x?0 priority : low x!0 y!0 y?0 x?0 PROMELA Semantics
Interpreting PROMELA models 4/5 chan x = [0] of { bit } ; chan y = [0] of { bit } ; active proctype A() { x!0 unless y!0 } active proctype B() { y?0 unless x?0 } cond: first message in x is 0 effect: none priority : high cond: true effect: y!0 priority : high cond: true effect: x!0 priority : low cond: first message in y is 0 effect: none priority :low y!0 y?0 PROMELA Semantics
Interpreting PROMELA models 5/5 chan x = [0] of { bit } ; chan y = [0] of { bit } ; active proctype A() { x!0 unless y?0 } active proctype B() { y!0 unless x?0 } cond: first message in y is 0 effect: none priority : high cond: first message in x is 0 effect: none priority : high cond: true effect: y!0 priority : low cond: true effect: x!0 priority : low x!0 y!0 y?0 x?0 PROMELA Semantics
Verification 1/2 • The semantics engine does not include any special mention or interpretation of valid end state, accepting state, assertion, etc. • Operational semantics define only behavior of a model. It does not define what kind of behavior is good or bad. • Assertion statements, never claims, trace assertion, etc are used for making meta statements about the semantics of a model. • Verification engine defines this meta-semantics for verification. PROMELA Semantics
Verification 2/2 • System variable stutter set to be false when an assertion statement can fail or in the presence of executions that violate the requirements for proper termination • Never claim • the purpose of the claim is to suppress the inspection of executions that could not possibly lead to a counterexample. while( (E = executable(s) != {} ) { if (check_fails()) Stop ; : } while (stutter) { s = s ; if (check_fails()) Stop ; } PROMELA Semantics
Further study • Search Algorithms (Ch. 8) - Checking Safety properties - Checking Liveness properties • Search Optimization (Ch. 9) PROMELA Semantics
Reference Gerard J. Holzmann, “THE SPIN MODEL CHECKER-PRIMER AND REFERENCE MANUAL” PROMELA Semantics