1 / 25

A Refinement Calculus for Promela

A Refinement Calculus for Promela. Asankhaya Sharma Department of Computer Science National University of Singapore ICECCS 2013. Formal Development. Model Checking. Informal. Informal. Generate Executable Code from Formal Model of System. Code Synthesis. The SPIN Model Checker.

hilary-crawford
Download Presentation

A Refinement Calculus for Promela

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Refinement Calculus for Promela Asankhaya SharmaDepartment of Computer ScienceNational University of SingaporeICECCS 2013

  2. Formal Development Model Checking Informal Informal Generate Executable Code from Formal Model of System Code Synthesis A Refinement Calculus for Promela

  3. The SPIN Model Checker • Uses Promela as a modeling language • Message passing with Channels • Non-deterministic choice operator • Express temporal properties in LTL • Check for validity of properties • Exhaustive search of state space for violation • Formal Development in SPIN • End to End Verification and Validation with SPIN[CoRR 2013] A Refinement Calculus for Promela

  4. Promela Refinement • Other modeling languages have well defined refinement schemes (Event-B, Z) • Existing refinement(translation) systems for Promela do not preserve LTL properties • Challenges for Refinement of Promela • Lack of Formal Semantics • Non-determinism • Synchronous communication (Rendezvous channels) A Refinement Calculus for Promela

  5. Key Contributions • A restricted subset of Promela called Featherweight Promela (FP) • A novel Dual Action Semantics for FP • Refinement calculus from FP to a Core language • Soundness of Calculus ensures that temporal properties (LTL) are preserved by refinement A Refinement Calculus for Promela

  6. Outline • Featherweight Promela (FP) • Dual Action Semantics • Refinement Calculus • Implementation • Case Studies • Conclusions and Future Work A Refinement Calculus for Promela

  7. Featherweight Promela (FP) • Restrictions for easy formalization • Minimal syntax • Only asynchronous message passing with channels • Existing Promela models can be written in FP A Refinement Calculus for Promela

  8. Syntax of FP Process prog ::= p* p ::= t id (t x)* { e } e ::= x | t x ; e | x := e | e1 ; e2 | :: be -> e | if e fi | do e od | e1 ! e2 | e1 ? e2 | run p | atomic e t ::= int | chan | mtype | bit x ::= true | false | v | () whereid is an identifier, beis a booleanexpression and v is an integer value Expression Control Flow Channels A Refinement Calculus for Promela

  9. Dual Action Semantics • A small step operational semantics in which each step has two actions • Local Action (sequential) • Global Action (concurrent) • Dual Action Semantics is useful for • Isolating concurrency • Supporting non-determinism A Refinement Calculus for Promela

  10. Operational Semantics Small Step <e , s>  <e’, s’> Dual Actions <e , G , s>  <e’ , G’ , s’> Local <e , s>  <e’’ , s’> Global choose e’ from G’ G’ = G U {e’’} NonDeterministic Round Robin LIFO FIFO Scheduler A Refinement Calculus for Promela

  11. Example < () , G , si> * < () , {} , sf > proctype B() { f1 = 1; do :: f0 -> if :: turn != 1 -> f1 = 0; turn == 1 -> skip; f1 = 1; :: else -> skip; fi :: else -> break; od; t1_incrit = 1; t1_incrit = 0; turn = 0; f1 = 0; } proctypeA() { f0 = 1;do:: f1 -> if :: turn != 0 -> f0 = 0; turn == 0 -> skip; f0 = 1; :: else -> skip; fi:: else -> break;od;t0_incrit = 1;t0_incrit = 0;turn = 1;f0 = 0; } si G = A B s1 G = B A s2 G = B A s3 B G = A s4 B G = A s5 G = A B … … … … … … … sf {} G = A Refinement Calculus for Promela

  12. Semantics and Refinement • Captures all possible process interleaving explicitly • Semantics of SPIN correspond to the global action with Non-deterministic choice • Refinement applies local transformation rules that preserve state invariants • Process interleaving of the refined program are subset of the original FP model A Refinement Calculus for Promela

  13. Refinement Calculus • Data Refinement (8 rules) • Translates data structures • Control Refinement (8 rules) • Translates control flow • Handles non-deterministic choice • Synchronization Refinement (3 rules) • Translates channels • Handles message passing A Refinement Calculus for Promela

  14. Data Refinement 1 bit uchar int x id [const] = e struct t {decl_list} #define x1 n ; #define x2 n-1 … structchan {t1 x1 ,t2 x2, …} ;chan id [n] skip bool byte mtype x id [const] = e typedef t {decl_list} mtype = {x1,x2, … xn} chan id = [n] of {t1,t2 …} Data Structure for Channels A Refinement Calculus for Promela

  15. Control Refinement Channel Read and Write e_list while(1) { e_list } for(inti =1 ; i <= n ; i++) {enqueue(x,vi) ; } for(inti =1 ; i <= n ; i++) {vi = dequeue(x) ; } void id (args) {e_list} void main() {thread id ; … create(id,args) ; …… join(id,args) ; …} if :: e_listfi do :: e_listdo x ! v1,v2, ... vn x? v1,v2, ... vn id (args) {e_list} init{ run id (args) …} Thread Create and Join A Refinement Calculus for Promela

  16. Non-deterministic Choice Benign Race id1() { lock(m);if (turn == 0 ) { e1; turn = 1; }unlock(m); } id2() { lock(m);if (turn == 0 ) { e2; turn = 1; }unlock(m); } … if(be1) create(id1,());if(be2) create(id2,()); … :: be1 -> e1:: be2-> e2… e1 e2 A Refinement Calculus for Promela

  17. Synchronization Refinement Atomic Step lock(m) ; e ; unlock(m) ; xw = v ; barrier(b) ; barrier(b) ; xr = xw ; atomic { e } xw ! v xw ? xr Rendezvous Channels P P P1 P2 P2 P1 xw ! v xw ? xr e xw= v e xr = xw A Refinement Calculus for Promela

  18. Features for Core Language • Target language for refinement needs • Concurrency primitive like threads • Locks • Barriers • Supported by concurrency models for many existing languages like • Java • C# • C with POSIX A Refinement Calculus for Promela

  19. More in the Paper • Extension for Real Time Systems • Based on RT Promela • Generates code using Real Time POSIX • Soundness Proofs using Dual Action Semantics • Preservation of temporal properties (LTL) A Refinement Calculus for Promela

  20. Implementation • Syntax directed translation based on refinement rules • SpinR Tool • Written in Objective Caml • Generates C code from Promela models • Available at github.com/codelion/SpinR A Refinement Calculus for Promela

  21. Experiments • Evaluate the refinement calculus to generate C code from • Existing set of Promela models from literature • Principles of the Spin Model Checker [Book] • A larger case study in formal development of a cardiac pacemaker • Towards A Verified Cardiac Pacemaker [NUS TR 2010] A Refinement Calculus for Promela

  22. Results Increase in Size Reduction in Behaviors A Refinement Calculus for Promela

  23. Limitations • Refinement does not handle • Non functional properties (performance) • Properties that cannot be expressed in LTL • Reduction in behaviors does not ensure • That the refined program is always the desired program • Simplest (or best) implementation of the model A Refinement Calculus for Promela

  24. Conclusions • Formalized a core subset of Promela (FP) with Dual Action Semantics • Refinement rules that preserve temporal properties (LTL) • Future Work • Dual Action Semantics for other languages • Refinement guidance for desired behavior • Code generation for more languages (C#, Java) A Refinement Calculus for Promela

  25. Thank You • SpinR Tool • github.com/codelion/SpinR • Formal Development Methodology • End to End Verification and Validation with SPIN[CoRR 2013] • Cardiac Pacemaker Model • Towards A Verified Cardiac Pacemaker[NUS TR 2010] A Refinement Calculus for Promela

More Related