25Hong,Shin @ PSWLAB P ROMELA Semantics from “THE SPIN MODEL CHECKER” by G. J. Holzmann...
-
Upload
sydnie-whirley -
Category
Documents
-
view
215 -
download
1
Transcript of 25Hong,Shin @ PSWLAB P ROMELA Semantics from “THE SPIN MODEL CHECKER” by G. J. Holzmann...
/ 25Hong,Shin @ PSWLAB
PROMELA Semantics
from “THE SPIN MODEL CHECKER” by G. J. HolzmannPresented by Hong,Shin
5th Oct 2007
13시 7분 1PROMELA Semantics
/ 25Hong,Shin @ PSWLAB
Contents• Introduction• Transition Relation• Operational Model• Semantics Engine• Interpreting PROMELA models• Further study
13시 7분 PROMELA Semantics 2
/ 25Hong,Shin @ PSWLAB
Introduction 1/3
• A SPIN model can be used to specify the behavior of collections of asynchronously executing processes in a distributed system.
• From a SPIN model, we can generate a large directed graph of all reachable system state, called global reachability graph.
• Correctness claims in PROMELA can be interpreted as statements about the presence or absence of specific types of nodes or edges in the global reachability graph.
13시 7분 PROMELA Semantics 3
/ 25Hong,Shin @ PSWLAB
Introduction 2/3
• The PROMELA semantics defines the behavior of a PROMEL model.
• The PROMELA semantics rules define how the global reachability graph for any given PROMELA model is to be generated.
13시 7분 PROMELA Semantics 4
chan x = [0] of { bit } ;
chan y = [0] of { bit } ;
active proctype A() { x?0 unless y!0 }
active proctype B() { y?0 unless x!0 }
/ 25Hong,Shin @ PSWLAB
Introduction 3/3
• The operational semantics of PROMELA should allow us to derive what the structure of the global reachability graph is for any given SPIN model in detail.- Global reachability graph’s state
Operational model
- Global reachability graph’s transition Transition relation
13시 7분 PROMELA Semantics 5
/ 25Hong,Shin @ PSWLAB
Transition Relation 1/2
• Every PROMELA proctype defines a finite state automaton (S, s0, L, T, F ).- Transition relation T defines the flow of control.- Transition label set L links each transition in T with a specific
basic statement that defines the executability and the effect of that transition.
13시 7분 PROMELA Semantics 6
active proctype not_euclid(int x, int y){
if:: (x > y) -> L: x = x – y:: (x < y) -> y = y – x :: (x == y) -> assert(x != y) ; goto Lfi ;printf(“%d\n”, x) ;
}
/ 25Hong,Shin @ PSWLAB
Transition Relation 2/2
• If, goto, semicolon, arrow, do, break … do not appear as labels on transitions.
• basic statements– assignments, assertions, print statements,
send or receive statements, PROMELA’s expression statements.
13시 7분 PROMELA Semantics 7
active proctype not_euclid(int x, int y){ if :: (x > y) -> L: x = x – y :: (x < y) -> y = y – x :: (x == y) -> assert(x != y) ;
goto L fi ; printf(“%d\n”, x) ;}
x < y
y = y - x
x == y
x=x-y
assert(x!=y)
x > y
/ 25Hong,Shin @ PSWLAB
Operational Model 1/5
• Semantics engine- determines how a given PROMELA model defines system
executions.- operates on abstract objects that correspond to processes,
variables, and message channels.
• Def. Variable
(name, scope, domain, inival, curval)
scope: global or local to a specific process.domain: a finite set of integers.
13시 7분 PROMELA Semantics 8
/ 25Hong,Shin @ PSWLAB
Operational Model 2/5
• Def. MessageA message is an ordered set of variables.
• Def. Message Channel
(ch_id, nslots, contents)
nslots: maximum number of messages.contents: an ordered set of messages.
13시 7분 PROMELA Semantics 9
/ 25Hong,Shin @ PSWLAB
Operational Model 3/5
• Def. Process
(pid, lvars, lstates, initial, curstate, trans)
lvars: a finite set of local variableslstates: a finite set of integerinitial: an element of lstatestrans: a finite set of transitions on lstates.
13시 7분 PROMELA Semantics 10
/ 25Hong,Shin @ PSWLAB
Operational Model 4/5
• Def. Transition
A transition in process P is defined by a tuple
(tr_id, source, target, cond, effect, prty, rv)
source, target 2 P.lstatescond: a boolean condition on global system
stateeffect: a function that modifies the global
system stateprty, rv are integers.
13시 7분 PROMELA Semantics 11
/ 25Hong,Shin @ PSWLAB
Operational Model 5/5
• Def. System State
(gvars, procs, chans, exclusive, handshake,
timeout, else, stutter)
gvars: a finite set of variables with global scopeprocs: a finite set of processeschans: a finite set of message channelsexclusive, handshake are integerstimeout, else, stutter are booleans
13시 7분 PROMELA Semantics 12
/ 25Hong,Shin @ PSWLAB
Semantics Engine 1/4
• The semantics engine selects one executable basic statement.
• For selected statement, the effect clause from the statement is applied. And the control state of the process that executes the statement is updated.
• The semantics engine continues executing statements until no executable statements remain.
13시 7분 PROMELA Semantics 13
/ 25Hong,Shin @ PSWLAB
Semantics Engine 2/4
while ( (E = executable(s)) != {} ) {
for some (p, t) from E {
s’ = apply(t.effect, s)
if (handshake == 0) {
s = s’
p.curstate = t.target
}
else {
E’ = executable(s’)
for some (p’, t’) from E’ {
s = apply(t’.effect, s’) ;
p.curstate = t.target
p’.curstate = t’.target
}
handshake = 0 ;
} } }
while(stutter) {s = s}
13시 7분 PROMELA Semantics 14
•PROMELA Semantics Engineexecutable(s) returns a set of pairs of executable transitions in system state s.apply() applies the effect of the transition to the system state.
handshake is not 0, if rendezvous offer was made with the message channel whose ch_id is the value of handshake
stutter extensionstutter is used to determine if the stuttering rule is in effect
/ 25Hong,Shin @ PSWLAB
Semantics Engine 3/4
Set executable(State s)
{ new Set E = {} ;
new Set e ;
timeout = false ;
AllProcs:
for each active process p {
if (exclusive == 0 or exclusive == p.pid) {
for u from high to low {
e = {} ; else = false ;
OneProc:
for each t in p.trans {
if (t.source == p.curstate and
t.prty == u and
(handshake==0 or handshake==t.rv) and
eval(t.cond) == true) {
add (p,t) to set e ; }
}13시 7분 PROMELA Semantics 15
Any transition that is part of an atomic sequence sets exclusive to the value of p.pid.
checks priority level. Priorities are defined in PROMELA with the unless construct.
check whether executability condition for the transition is satisfied.
/ 25Hong,Shin @ PSWLAB
Semantics Engine 4/4
if (e != {}) {
add all elements of e to E ; break ;
}
else if (else == false){
else = true ; goto OneProc ;
}
} } }
if (E == {} and exclusive != 0) {
exclusive = 0 ; goto AllProcs ;
}
if (E == {} and timeout == false) {
timeout = true ; goto AllProcs ;
}
return E ;
}
13시 7분 PROMELA Semantics 16
Select the transition whose cond is else.
If atomic sequence itself blocks, select another process’s transtion
Execute timeout sequence if no transition is selected.
/ 25Hong,Shin @ PSWLAB
Interpreting PROMELA models 1/5
• Basic objects of a PROMELA model correspond to the basic objects that are manipulated by the semantics engine.
• The control-flow constructs provide convenient high-level means for defining transition relations on processes.
• PROMELA basic statements (e.g. assignments, message passing operations, etc) directly correspond to the transitions of the semantic model.
• All details are in MANUAL PAGES of PROMELA.– EXECUTABILITY, EFFECT
13시 7분 PROMELA Semantics 17
/ 25Hong,Shin @ PSWLAB
Interpreting PROMELA models 2/5
chan x = [0] of { bit } ;
chan y = [0] of { bit } ;
active proctype A() { x?0 unless y!0 }
active proctype B() { y?0 unless x!0 }
13시 7분 PROMELA Semantics 18
cond: trueeffect: y!0priority : highcond: first
message in x matches 0effect: nonepriority : low
cond: trueeffect: x!0priority : high
cond: first message in y matches 0effect: nonepriority : low
/ 25Hong,Shin @ PSWLAB
Interpreting PROMELA models 3/5
13시 7분 PROMELA Semantics 19
cond: trueeffect: y!0priority : highcond: first
message in x matches 0effect: x?0priority : low
cond: trueeffect: x!0priority : high
cond: first message in y matches 0effect: nonepriority : low
x!0 y!0
x?0
y?0
/ 25Hong,Shin @ PSWLAB
Interpreting PROMELA models 4/5
chan x = [0] of { bit } ;
chan y = [0] of { bit } ;
active proctype A() { x!0 unless y!0 }
active proctype B() { y?0 unless x?0 }
13시 7분 PROMELA Semantics 20
cond: true effect: y!0priority : high
cond: trueeffect: x!0priority : low
cond: first message in y is 0effect: nonepriority :low
cond: first message in x is 0effect: nonepriority : high
y!0 y?0
/ 25Hong,Shin @ PSWLAB
Interpreting PROMELA models 5/5
chan x = [0] of { bit } ;
chan y = [0] of { bit } ;
active proctype A() { x!0 unless y?0 }
active proctype B() { y!0 unless x?0 }
13시 7분 PROMELA Semantics 21
cond: first message in y is 0effect: nonepriority : high
cond: trueeffect: x!0priority : low
cond: first message in x is 0effect: nonepriority : high
cond: trueeffect: y!0priority : low
x!0
y!0
x?0
y?0
/ 25Hong,Shin @ PSWLAB
Verification 1/2
• The semantics engine does not include any special mention or interpretation of valid end state, accepting state, assertion, etc.
• Operational semantics define only behavior of a model. It does not define what kind of behavior is good or bad.
• Assertion statements, never claims, trace assertion, etc are used for making meta statements about the semantics of a model.
• Verification engine defines this meta-semantics for verification.
13시 7분 PROMELA Semantics 22
/ 25Hong,Shin @ PSWLAB
Verification 2/2
• System variable stutter set to be false when an assertion statement can fail or in the presence of executions that violate the requirements for proper termination
• Never claim– the purpose of the claim is to suppress the
inspection of executions that could not possibly lead to a counterexample.
13시 7분 PROMELA Semantics 23
while( (E = executable(s) != {} ) {if (check_fails()) Stop ;
:}while (stutter) { s = s ; if (check_fails()) Stop ; }
/ 25Hong,Shin @ PSWLAB
Further study• Search Algorithms (Ch. 8)
- Checking Safety properties- Checking Liveness properties
• Search Optimization (Ch. 9)
13시 7분 PROMELA Semantics 24