Temporal Logic Model-checking with SPIN
COMP6004
Stéphane Lo
Part 2: The PROMELA Language
Last Lecture
[Figure: the SPIN tool chain. Components shown: Xspin; PROMELA parser; LTL parser and translator; Simulation; Verifier (analyzer) generator; C pre-processor/compilation; Execution; Counter-example]
Introduction
PROMELA is the input language of SPIN
Inspired by: C, Guarded Command/CSP
Describes the model and part of the specification (other part: correctness claim as LTL formula)
What is a model?
FOLDOC (Free Online Directory of Computing, wombat.doc.ic.ac.uk/foldoc):
A description of observed behaviour, simplified by ignoring certain details. Models allow complex systems to be understood and their behaviour predicted within the scope of the model, but may give incorrect descriptions and predictions for situations outside the realm of their intended use.
PROMELA Basic Elements
- Process types and instances (local scope)
- Variables: data types, arrays
- Statements/Conditions
- Channels: FIFO queue (array)
    #define name value
ex:
    #define red 2
    x = x+red
Processes (1)
Process type:
    proctype myprocess(parameters) { ... }
Process instantiation:
    run myprocess(param_values)
Processes (2)
Data arrays or process types are the only types that cannot be passed as parameters
Process state defined by the values of its variables
Special process: init
Data types
Name        Range                  Typically
bit / bool  0 .. 1                 false .. true
byte        0 .. CHAR_BIT          0 .. 255
short       SHRT_MIN .. SHRT_MAX   -2^15-1 .. 2^15-1
int         INT_MIN .. INT_MAX     -2^32-1 .. -2^15-1
Symbolic values
Message types:
    mtype = {value_names}
ex: mtype = {red, green, blue}
Special
0 is false
Any non-0 value is true
Records
C struct:
    typedef name {
        fieldtype1 fieldname1;
        fieldtype2 fieldname2
    }
Ex:
    typedef picture {
        int numcolors;
        int vert_resolution;
        int horz_resolution
    }
Variables
Declaration: datatype variable_name    ex: int counter
Assignment:  variable_name = value     ex: counter = 1
Test:        variable_name == value    ex: counter == 0
Arrays
Declaration: elem_type array_name[size]
    ex: int vector[10]
Element value: array_name[index]
    ex: vector[0]
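An added example (not from the slides) that puts the elements of the last few slides together in one model: a macro, an mtype, a typedef record, scalar and array variables, and the difference between an assignment and a test. The names (picture, gallery, colors, MAXPIX) are constructed for this illustration.

```promela
/* Added example, not from the slides: macros, mtype, records, variables, arrays. */
#define MAXPIX 3                 /* macro: textually substituted before parsing */

mtype = { red, green, blue };    /* symbolic values; stored in a byte */

typedef picture {                /* record, like a C struct */
    int numcolors;
    int vert_resolution;
    int horz_resolution
}

picture gallery[MAXPIX];         /* array of records */
mtype colors[MAXPIX];            /* array of symbolic values */
byte counter = 0;                /* declaration with initial value */
bool done = false;

init {
    colors[0] = red; colors[1] = green; colors[2] = blue;
    gallery[1].numcolors = 256;          /* field access on an array element */
    gallery[1].vert_resolution = 480;
    gallery[1].horz_resolution = 640;

    counter = counter + 1;               /* assignment: always executable */
    (counter == 1);                      /* test: a statement that blocks while false */

    assert(colors[1] == green);
    assert(gallery[1].numcolors == 256);
    printf("colors[1] is %e, counter is %d\n", colors[1], counter); /* %e prints an mtype name */

    done = true;
    assert(done)
}
```

Run with `spin example.pml` for a simulation; the `(counter == 1)` line passes immediately because the preceding assignment made it true, but if it read `(counter == 2)` the init process would block there forever, which a verification run (`spin -a example.pml; gcc -o pan pan.c; ./pan`) reports as an invalid end state.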
Statements (1)
Statements and conditions are not differentiated: both are either executable or blocked
Conditions are
- executable when true
- blocked when false
Statements are
- executable when eligible for execution
- blocked when waiting for synchronization
Statements (2)
Always executable: variable declarations, assignments, printf, assertions, true / non-0 values, skip, goto, break
Always blocked: false and 0 values (a.k.a. block, hang)
Statements (3)
Special case: run is executable if a process of the specified type can be instantiated (memory limit, too many processes)
Statement separators (where interleaving may occur):
    ;  or  ->
Atomic sequences
Indivisible unit (no interleaving):
    atomic { statements }
First example
    byte state = 1;
    proctype A() { byte tmp; (state==1) -> tmp=state; tmp=tmp+1; state=tmp }
    proctype B() { byte tmp; (state==1) -> tmp=state; tmp=tmp-1; state=tmp }
    init { run A(); run B() }
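The first example above leaves the reader to work out why the interleaving of the two `tmp=state ... state=tmp` sequences matters. The following added example (not from the slides) makes the consequence checkable by SPIN: two processes each increment a shared counter with a non-atomic read-modify-write, and an assertion states the expected final value. `_nr_pr` is SPIN's predefined count of running processes and is used so that init waits until both workers have terminated; the names racy_inc and safe_inc are constructed for this illustration.

```promela
/* Added example, not from the slides: a lost update between two processes,
   and the same update made indivisible with atomic. */
#define NPROC 2
byte counter = 0;

/* Non-atomic read-modify-write: the other process may run between the two statements */
proctype racy_inc() {
    byte tmp;
    tmp = counter;
    counter = tmp + 1
}

/* Same update inside atomic: no other process is interleaved */
proctype safe_inc() {
    byte tmp;
    atomic {
        tmp = counter;
        counter = tmp + 1
    }
}

init {
    run racy_inc(); run racy_inc();   /* replace both with safe_inc() to remove the race */
    (_nr_pr == 1);                    /* blocks until only init is left, i.e. both workers are done */
    assert(counter == NPROC)          /* violated with racy_inc: both can read 0 and write 1 */
}
```

With `racy_inc`, `./pan` reports an assertion violation and `spin -t example.pml` replays the interleaving in which both processes read `counter` before either writes it; with `safe_inc` the same verification finds no error. The `->` and `;` separators in the original example mark exactly the points where such an interleaving can occur.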
Process communication (1)
Via (buffered) channels
Declaration
chan channame = [size] of {msgtype}
ex: chan com1 = [16] of {byte,int}
Global or local
Process communication (2)
Sending a value on a channel:
    channame!value
Receiving a value on a channel:
    channame?varname
Process communication (3)
More than one value
channame?value1,value2,...
Convention: first value is message type (mtype)
channame!mtype(value2,...)
Test a receive statement
channame?[values]
Process communication (4)
Size of the channel buffer
len(channame)
Rendez-vous communication (synchronous): channel of buffer size 0
Second example
    proctype A(chan q1) { chan q2; q1?q2; q2!123 }
    proctype B(chan qforb) { int x; qforb?x; printf("x= %d\n", x) }
    init {
        chan qname = [1] of {chan};
        chan qforb = [1] of {int};
        run A(qname); run B(qforb);
        qname!qforb
    }
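The second example shows channels carrying channels; the following added example (not from the slides) exercises the other points of the communication slides in one request/reply exchange: an mtype as the first message field, a buffered channel, a rendez-vous channel of size 0, the receive test `?[...]`, and `len()`. The channel and process names are constructed for this illustration.

```promela
/* Added example, not from the slides: buffered vs rendez-vous channels,
   receive test and len(). */
mtype = { req, ack };

chan requests = [2] of { mtype, byte };   /* buffered: up to 2 messages queued */
chan replies  = [0] of { mtype, byte };   /* size 0: rendez-vous, send and receive happen together */

proctype server() {
    byte id;
    (requests?[req, 1]);       /* receive test: blocks until req(1) is at the head, does not remove it */
    requests?req(id);          /* now consume it; the constant req must match, id is assigned */
    assert(id == 1);
    replies!ack(id);           /* rendez-vous: blocks until the client executes replies?ack(r) */
    requests?req(id);
    replies!ack(id)
}

proctype client() {
    byte r;
    requests!req(1);
    requests!req(2);           /* never blocks: the buffer holds 2 messages */
    replies?ack(r); assert(r == 1);
    replies?ack(r); assert(r == 2);
    assert(len(requests) == 0) /* len() is the number of messages queued right now */
}

init { run server(); run client() }
```

The `len()` assertion holds only at that point: between the client's two sends and the server's receives the queue length can be 0, 1 or 2 depending on the interleaving, so a similar assertion placed right after `requests!req(2)` would be reported as violated by `./pan`.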
Control flow (1)
Case selection:
    if
    :: statement1
    :: statement2
    fi
ex:
    if
    :: (a==b) -> option1
    :: (a!=b) -> option2
    fi
Control flow (2)
Repetition:
    do
    :: statement1
    :: statement2
    od
Terminating the repetition: break
Control flow (3)
Unconditional jump
Declare a label:
    mylabel: ...
Jump to that label:
    goto mylabel
Three special kinds of labels: end, progress, accept
Control flow (4)
Unless:
    {statement1} unless {statement2; statement3}
Pseudo-statements
Timeout:
    do
    :: statement1
    :: timeout -> statement2
    od
Else:
    if
    :: statement1
    :: else -> statement2
    fi
Assertions
assert(condition)
Combined with labels to express the specification
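An added example (not from the slides) that combines the control-flow constructs and assertions of the preceding slides in a small sender/receiver protocol: do/od with break, the else guard, timeout, labels with goto, and assertions on the final state. The message names and process names are constructed for this illustration.

```promela
/* Added example, not from the slides: do, else, break, timeout, labels, goto, assert. */
mtype = { msg, stop };
chan c = [1] of { mtype };
byte sent = 0;
byte received = 0;

proctype sender() {
    do
    :: sent < 3 -> c!msg; sent++
    :: else -> break           /* else: executable only when every other option is blocked */
    od;
    c!stop
}

proctype receiver() {
    do
    :: c?msg -> received++
    :: c?stop -> break
    :: timeout -> goto stuck   /* timeout: true only when no process in the system can move */
    od;
    assert(received == sent);
    goto done;
stuck:
    assert(false);             /* never reached here: the sender always makes progress */
done:                          /* labels starting with end, progress or accept have special meaning */
    skip
}

init { run sender(); run receiver() }
```

The `timeout` option is the usual way to model recovery from a stalled peer; here it is never taken, which `./pan` confirms by reaching no assertion violation. Removing the `c!stop` line from the sender makes the receiver loop unable to progress once the buffer is empty, at which point `timeout` becomes true, the `goto stuck` branch fires and the verifier reports the `assert(false)` violation.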
Semantics of PROMELA
http://www.spinroot.com/spin/Man/Intro.html
Operational model based on: processes (labelled transition systems), variables, channels, semantics engine