Software Engineering using Formal Methods

Similar documents
Software Engineering using Formal Methods

Formal Specification and Verification

Applications of Formal Verification

Applications of Formal Verification

Applications of Formal Verification

Formal Specification and Verification

Spin: Overview of PROMELA

Computer Aided Verification 2015 The SPIN model checker

Copyright 2008 CS655 System Modeling and Analysis. Korea Advanced Institute of Science and Technology

Formal Methods for Software Development

Tool demonstration: Spin

Distributed Systems Programming F29NM1 2. Promela I. Andrew Ireland. School of Mathematical and Computer Sciences Heriot-Watt University Edinburgh

Spin: Overview of PROMELA

Design and Analysis of Distributed Interacting Systems

Network Protocol Design and Evaluation

Lecture 3 SPIN and Promela

CS477 Formal Software Development Methods / 39

Formal Methods for Software Development

The SPIN Model Checker

Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab)

Distributed Systems Programming (F21DS1) SPIN: Simple Promela INterpreter

T Parallel and Distributed Systems (4 ECTS)

Patrick Trentin Formal Methods Lab Class, March 03, 2017

The Spin Model Checker : Part I/II

SPIN: Introduction and Examples

Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab)

Patrick Trentin Formal Methods Lab Class, Feb 26, 2016

Promela and SPIN. Mads Dam Dept. Microelectronics and Information Technology Royal Institute of Technology, KTH. Promela and SPIN

LECTURE 18. Control Flow

The Spin Model Checker : Part I. Moonzoo Kim KAIST

What is SPIN(Simple Promela Interpreter) Elements of Promela. Material About SPIN. Basic Variables and Types. Typical Structure of Promela Model

A Tutorial on Model Checker SPIN

Mapping of UML Diagrams to Extended Petri Nets for Formal Verification

Design of Internet Protocols:

SWEN-220 Mathematical Models of Software. Concurrency in SPIN Interleaving

Iterative Statements. Iterative Statements: Examples. Counter-Controlled Loops. ICOM 4036 Programming Languages Statement-Level Control Structure

What is SPIN(Simple Promela Interpreter) Material About SPIN. Elements of Promela. Basic Variables and Types. Typical Structure of Promela Model

Program Abstractions, Language Paradigms. CS152. Chris Pollett. Aug. 27, 2008.

Program Syntax; Operational Semantics

THE MODEL CHECKER SPIN

SPIN part 2. Verification with LTL. Jaime Ramos. Departamento de Matemática, Técnico, ULisboa

SPIN: Part /614 Bug Catching: Automated Program Verification. Sagar Chaki November 12, Carnegie Mellon University

G52CON: Concepts of Concurrency

Logic Model Checking

PLD Semester Exam Study Guide Dec. 2018

Distributed Systems Programming (F21DS1) SPIN: Formal Analysis I

Automated Reasoning. Model Checking with SPIN (II)

Fundamentals of Software Engineering

Control Structures. A program can proceed: Sequentially Selectively (branch) - making a choice Repetitively (iteratively) - looping

SPIN, PETERSON AND BAKERY LOCKS

4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271

Introduction to Programming Using Java (98-388)

Multi-Threaded System int x, y, r; int *p, *q, *z; int **a; EEC 421/521: Software Engineering. Thread Interleaving SPIN. Model Checking using SPIN

SWEN-220 Mathematical Models of Software. Process Synchronization Critical Section & Semaphores

LECTURE 17. Expressions and Assignment

Models of concurrency & synchronization algorithms

Generating Code from Event-B Using an Intermediate Specification Notation

Chapter 8. Statement-Level Control Structures

CS1622. Semantic Analysis. The Compiler So Far. Lecture 15 Semantic Analysis. How to build symbol tables How to use them to find

INF672 Protocol Safety and Verification. Karthik Bhargavan Xavier Rival Thomas Clausen

Object-oriented programming. and data-structures CS/ENGRD 2110 SUMMER 2018

CGS 3066: Spring 2015 JavaScript Reference

Introduction to Model Checking

Control Structures. Outline. In Text: Chapter 8. Control structures Selection. Iteration. Gotos Guarded statements. One-way Two-way Multi-way

COP4020 Programming Languages. Functional Programming Prof. Robert van Engelen

Software Engineering using Formal Methods

Aryan College. Fundamental of C Programming. Unit I: Q1. What will be the value of the following expression? (2017) A + 9

Application: Programming Language Semantics

G Programming Languages - Fall 2012

Control Flow. COMS W1007 Introduction to Computer Science. Christopher Conway 3 June 2003

COMP322 - Introduction to C++ Lecture 02 - Basics of C++

The SPIN Model Checker

Distributed Systems Programming (F21DS1) Formal Verification

Motivation was to facilitate development of systems software, especially OS development.

C++ Programming: From Problem Analysis to Program Design, Third Edition

CSC410 Tutorial. An Introduction to NuSMV. Yi Li Nov 6, 2017

Flow Control. CSC215 Lecture

Chapter 8. Statement-Level Control Structures ISBN

BLM2031 Structured Programming. Zeyneb KURT

CMSC 330: Organization of Programming Languages. OCaml Imperative Programming

A Fast Review of C Essentials Part I

15-819M: Data, Code, Decisions

Programming, numerics and optimization

CS 314 Principles of Programming Languages. Lecture 9

Using Model Checking with Symbolic Execution for the Verification of Data-Dependent Properties of MPI-Based Parallel Scientific Software

x = 3 * y + 1; // x becomes 3 * y + 1 a = b = 0; // multiple assignment: a and b both get the value 0

Lexical Considerations

Loops! Loops! Loops! Lecture 5 COP 3014 Fall September 25, 2017

Control Structures. Lecture 4 COP 3014 Fall September 18, 2017

1 Lexical Considerations

COP4020 Programming Assignment 1 - Spring 2011

Model checking Timber program. Paweł Pietrzak

COP4020 Programming Languages. Control Flow Prof. Robert van Engelen

Formal Verification by Model Checking

G52CON: Concepts of Concurrency

Ch. 7: Control Structures

Quick Reference Guide

PROGRAMMING FUNDAMENTALS

Iteration. Side effects

SPIN s Promela to Java Compiler, with help from Stratego

Transcription:

Software Engineering using Formal Methods Introduction to Promela Wolfgang Ahrendt & Richard Bubel & Reiner Hähnle & Wojciech Mostowski 31 August 2011 SEFM: Promela /GU 110831 1 / 35

Towards Model Checking System Model Promela Program byte n = 0; active proctype P() { n = 1; active proctype Q() { n = 2; System Property P, Q are never in their critical section at the same time Model Checker criticalsectp = 0 1 1 criticalsectq = 1 0 1 SEFM: Promela /GU 110831 2 / 35

What is Promela? Promela is an acronym Process meta-language SEFM: Promela /GU 110831 3 / 35

What is Promela? Promela is an acronym Process meta-language Promela is a language for modeling concurrent systems multi-threaded SEFM: Promela /GU 110831 3 / 35

What is Promela? Promela is an acronym Process meta-language Promela is a language for modeling concurrent systems multi-threaded synchronisation and message passing SEFM: Promela /GU 110831 3 / 35

What is Promela? Promela is an acronym Process meta-language Promela is a language for modeling concurrent systems multi-threaded synchronisation and message passing few control structures, pure (no side-effects) expressions SEFM: Promela /GU 110831 3 / 35

What is Promela? Promela is an acronym Process meta-language Promela is a language for modeling concurrent systems multi-threaded synchronisation and message passing few control structures, pure (no side-effects) expressions data structures with finite and fixed bound SEFM: Promela /GU 110831 3 / 35

What is Promela Not? Promela is not a programming language Very small language, not intended to program real systems (we will master most of it in today s lecture!) No pointers No methods/procedures No libraries No GUI, no standard input No floating point types Fair scheduling policy (during verification) No data encapsulation Non-deterministic SEFM: Promela /GU 110831 4 / 35

A First Promela Program active proctype P() { p r i n t f (" Hello world \n") Command Line Execution Simulating (i.e., interpreting) a Promela program > spin hello. pml Hello world SEFM: Promela /GU 110831 5 / 35

A First Promela Program active proctype P() { p r i n t f (" Hello world \n") Command Line Execution Simulating (i.e., interpreting) a Promela program > spin hello. pml Hello world First observations keyword proctype declares process named P C-like command and expression syntax C-like (simplified) formatted print SEFM: Promela /GU 110831 5 / 35

Arithmetic Data Types active proctype P() { int val = 123; int rev ; rev = ( val % 10) * 100 + /* % is modulo */ (( val / 10) % 10) * 10 + ( val / 100) ; p r i n t f (" val = %d, rev = %d\n", val, rev ) SEFM: Promela /GU 110831 6 / 35

Arithmetic Data Types active proctype P() { int val = 123; int rev ; rev = ( val % 10) * 100 + /* % is modulo */ (( val / 10) % 10) * 10 + ( val / 100) ; p r i n t f (" val = %d, rev = %d\n", val, rev ) Observations Data types byte, short, int, unsigned with operations +,-,*,/,% All declarations implicitly at beginning of process (avoid to have them anywhere else!) Expressions computed as int, then converted to container type Arithmetic variables implicitly initialized to 0 No floats, no side effects, C/Java-style comments No string variables (only in print statements) SEFM: Promela /GU 110831 6 / 35

Booleans and Enumerations bit b1 = 0; bool b2 = true ; Observations bit is actually small numeric type containing 0,1 (unlike C, Java) bool, true, false syntactic sugar for bit, 1, 0 SEFM: Promela /GU 110831 7 / 35

Booleans and Enumerations bit b1 = 0; bool b2 = true ; Observations bit is actually small numeric type containing 0,1 (unlike C, Java) bool, true, false syntactic sugar for bit, 1, 0 mtype = { red, yellow, green ; mtype light = green ; p r i n t f (" the light is %e\n", light ) Observations literals represented as non-0 byte: at most 255 mtype stands for message type (first used for message names) There is at most one mtype per program SEFM: Promela /GU 110831 7 / 35

Control Statements Sequence using ; as separator; C/Java-like rules Guarded Command Selection non-deterministic choice of an alternative Repetition loop until break (or forever) Goto jump to a label SEFM: Promela /GU 110831 8 / 35

Guarded Commands: Selection active proctype P() { byte a = 5, b = 5; byte max, branch ; i f :: a >= b - > max = a; branch = 1 :: a <= b - > max = b; branch = 2 f i SEFM: Promela /GU 110831 9 / 35

Guarded Commands: Selection active proctype P() { byte a = 5, b = 5; byte max, branch ; i f :: a >= b - > max = a; branch = 1 :: a <= b - > max = b; branch = 2 f i Command Line Execution Trace of random simulation of multiple runs > spin -v max. pml > spin -v max. pml >... SEFM: Promela /GU 110831 9 / 35

Guarded Commands: Selection active proctype P() { byte a = 5, b = 5; byte max, branch ; i f :: a >= b - > max = a; branch = 1 :: a <= b - > max = b; branch = 2 f i Observations Guards may overlap (more than one can be true at the same time) Any alternative whose guard is true is randomly selected When no guard true: process blocks until one becomes true SEFM: Promela /GU 110831 9 / 35

Guarded Commands: Selection Cont d active proctype P() { bool p =...; i f :: p ->... :: true ->... f i active proctype P() { bool p =...; i f :: p ->... :: e l s e ->... f i SEFM: Promela /GU 110831 10 / 35

Guarded Commands: Selection Cont d active proctype P() { bool p =...; i f :: p ->... :: true ->... f i Second alternative can be selected anytime, regardless of whether p is true active proctype P() { bool p =...; i f :: p ->... :: e l s e ->... f i SEFM: Promela /GU 110831 10 / 35

Guarded Commands: Selection Cont d active proctype P() { bool p =...; i f :: p ->... :: true ->... f i Second alternative can be selected anytime, regardless of whether p is true active proctype P() { bool p =...; i f :: p ->... :: e l s e ->... f i Second alternative can be selected only if p is false SEFM: Promela /GU 110831 10 / 35

Guarded Commands: Selection Cont d active proctype P() { bool p =...; i f :: p ->... :: true ->... f i Second alternative can be selected anytime, regardless of whether p is true active proctype P() { bool p =...; i f :: p ->... :: e l s e ->... f i Second alternative can be selected only if p is false So far, all our programs execute each code sequence at most once: we need loops SEFM: Promela /GU 110831 10 / 35

Guarded Statement Syntax :: guard-statement - > command Observations symbol -> is overloaded in Promela first statement after :: used as guard :: guard is admissible (empty command) Can use ; instead of -> (avoid!) SEFM: Promela /GU 110831 11 / 35

Guarded Commands: Repetition active proctype P() { /* computes gcd */ int a = 15, b = 20; do :: a > b -> a = a - b :: b > a -> b = b - a :: a == b -> break od SEFM: Promela /GU 110831 12 / 35

Guarded Commands: Repetition active proctype P() { /* computes gcd */ int a = 15, b = 20; do :: a > b -> a = a - b :: b > a -> b = b - a :: a == b -> break od Command Line Execution Trace with values of local variables > spin -p -l gcd. pml > spin -- help SEFM: Promela /GU 110831 12 / 35

Guarded Commands: Repetition active proctype P() { /* computes gcd */ int a = 15, b = 20; do :: a > b -> a = a - b :: b > a -> b = b - a :: a == b -> break od Observations Any alternative whose guard is true is randomly selected Only way to exit loop is via break or goto When no guard true: loop blocks until one becomes true SEFM: Promela /GU 110831 12 / 35

Counting Loops Counting loops such as for-loops as usual in imperative programming languages are realized with break after the termination condition: #define N 10 /* C- style preprocessing */ active proctype P() { i n t sum = 0; byte i = 1; do :: i > N -> break /* test */ :: e l s e -> sum = sum + i; i++ /* body, increase */ od SEFM: Promela /GU 110831 13 / 35

Counting Loops Counting loops such as for-loops as usual in imperative programming languages are realized with break after the termination condition: #define N 10 /* C- style preprocessing */ active proctype P() { i n t sum = 0; byte i = 1; do :: i > N -> break /* test */ :: e l s e -> sum = sum + i; i++ /* body, increase */ od Observations Don t forget else, otherwise strange behaviour SEFM: Promela /GU 110831 13 / 35

Arrays #define N 5 active proctype P() { byte a[n]; a [0] = 0;a[1] = 10; a [2] = 20; a [3] = 30; a [4] = 40; byte sum = 0, i = 0; do :: i > N -1 -> break :: e l s e -> sum = sum + a[i]; i++ od; SEFM: Promela /GU 110831 14 / 35

Arrays #define N 5 active proctype P() { byte a[n]; a [0] = 0;a[1] = 10; a [2] = 20; a [3] = 30; a [4] = 40; byte sum = 0, i = 0; do :: i > N -1 -> break :: e l s e -> sum = sum + a[i]; i++ od; Observations Arrays start with 0 as in Java and C Arrays are scalar types: a b always different arrays Array bounds are constant and cannot be changed Only one-dimensional arrays (there is an (ugly) workaround) SEFM: Promela /GU 110831 14 / 35

Record Types typedef DATE { byte day, month, year ; active proctype P() { DATE D; D. day = 1; D. month = 7; D. year = 62 SEFM: Promela /GU 110831 15 / 35

Record Types typedef DATE { byte day, month, year ; active proctype P() { DATE D; D. day = 1; D. month = 7; D. year = 62 Observations may include previously declared record types, but no self-references Can be used to realize multi-dimensional arrays: typedef VECTOR { int vector [10] ; VECTOR matrix [ 5]; /* base type array in record */ matrix [3]. vector [6] = 17; SEFM: Promela /GU 110831 15 / 35

Jumps #define N 10 active proctype P() { i n t sum = 0; byte i = 1; do :: i > N - > goto exitloop; :: e l s e -> sum = sum + i; i++ od; exitloop: p r i n t f (" End of loop ") SEFM: Promela /GU 110831 16 / 35

Jumps #define N 10 active proctype P() { i n t sum = 0; byte i = 1; do :: i > N - > goto exitloop; :: e l s e -> sum = sum + i; i++ od; exitloop: p r i n t f (" End of loop ") Observations Jumps allowed only within a process Labels must be unique for a process Can t place labels in front of guards (inside alternative ok) Easy to write messy code with goto SEFM: Promela /GU 110831 16 / 35

Inlining Code Promela has no method or procedure calls SEFM: Promela /GU 110831 17 / 35

Inlining Code Promela has no method or procedure calls typedef DATE { byte day, month, year ; i n l i n e setdate (D, DD, MM, YY) { D. day = DD; D. month = MM; D. year = YY active proctype P() { DATE d; setdate (d,1,7,62) SEFM: Promela /GU 110831 17 / 35

Inlining Code Promela has no method or procedure calls typedef DATE { byte day, month, year ; i n l i n e setdate (D, DD, MM, YY) { D. day = DD; D. month = MM; D. year = YY active proctype P() { DATE d; setdate (d,1,7,62) The inline construct macro-like abbreviation mechanism for code that occurs multiply creates no new scope for locally declared variables avoid to declare variables in inline they are visible SEFM: Promela /GU 110831 17 / 35

Non-Deterministic Programs Deterministic Promela programs are trivial Assume Promela program with one process and no overlapping guards All variables are (implicitly or explictly) initialized No user input possible Each state is either blocking or has exactly one successor state Such a program has exactly one possible computation! SEFM: Promela /GU 110831 18 / 35

Non-Deterministic Programs Deterministic Promela programs are trivial Assume Promela program with one process and no overlapping guards All variables are (implicitly or explictly) initialized No user input possible Each state is either blocking or has exactly one successor state Such a program has exactly one possible computation! Non-trivial Promela programs are non-deterministic! Possible sources of non-determinism 1. Non-deterministic choice of alternatives with overlapping guards 2. Scheduling of concurrent processes SEFM: Promela /GU 110831 18 / 35

Non-Deterministic Generation of Values byte range ; i f :: range = 1 :: range = 2 :: range = 3 :: range = 4 f i Observations assignment statement used as guard assignment statement always succeeds (guard is true) side effect of guard is desired effect of this alternative could also write :: true -> range = 1, etc. selects non-deterministically a value in {1, 2, 3, 4 for range SEFM: Promela /GU 110831 19 / 35

Non-Deterministic Generation of Values Cont d Generation of values from explicit list impractical for large range SEFM: Promela /GU 110831 20 / 35

Non-Deterministic Generation of Values Cont d Generation of values from explicit list impractical for large range #define LOW 0 #define HIGH 9 byte range = LOW ; do :: range < HIGH - > range ++ :: break od Observations Increase of range and loop exit selected with equal chance Chance of generating n in random simulation is 2 (n+1) Obtain no representative test cases from random simulation! Ok for verification, because all computations are generated SEFM: Promela /GU 110831 20 / 35

Sources of Non-Determinism 1. Non-deterministic choice of alternatives with overlapping guards 2. Scheduling of concurrent processes SEFM: Promela /GU 110831 21 / 35

Concurrent Processes active proctype P() { p r i n t f (" Process P, statement 1\n"); p r i n t f (" Process P, statement 2\n") active proctype Q() { p r i n t f (" Process Q, statement 1\n"); p r i n t f (" Process Q, statement 2\n") Observations Can declare more than one process (need unique identifier) At most 255 processes SEFM: Promela /GU 110831 22 / 35

Execution of Concurrent Processes Command Line Execution Random simulation of two processes > spin interleave. pml SEFM: Promela /GU 110831 23 / 35

Execution of Concurrent Processes Command Line Execution Random simulation of two processes > spin interleave. pml Observations Scheduling of concurrent processes on one processor Scheduler selects process randomly where next statement executed Many different computations are possible: non-determinism Use -p and -g options to see more execution details SEFM: Promela /GU 110831 23 / 35

Sets of Processes active [2] proctype P() { p r i n t f (" Process %d, statement 1\n", _pid ); p r i n t f (" Process %d, statement 2\n", _pid ) Observations Can declare set of identical processes Current process identified with reserved variable _pid Each process can have its own local variables SEFM: Promela /GU 110831 24 / 35

Sets of Processes active [2] proctype P() { p r i n t f (" Process %d, statement 1\n", _pid ); p r i n t f (" Process %d, statement 2\n", _pid ) Observations Can declare set of identical processes Current process identified with reserved variable _pid Each process can have its own local variables Command Line Execution Random simulation of set of two processes > spin interleave_ set. pml SEFM: Promela /GU 110831 24 / 35

Promela Computations 1 active [2] proctype P() { 2 byte n; 3 n = 1; 4 n = 2 5 SEFM: Promela /GU 110831 25 / 35

Promela Computations 1 active [2] proctype P() { 2 byte n; 3 n = 1; 4 n = 2 5 One possible computation of this program 2, 2 3, 2 3, 3 3, 4 4, 4 0, 0 1, 0 1, 1 1, 2 2, 2 Notation Program pointer (line #) for each process in upper compartment Value of all variables in lower compartment SEFM: Promela /GU 110831 25 / 35

Promela Computations 1 active [2] proctype P() { 2 byte n; 3 n = 1; 4 n = 2 5 One possible computation of this program 2, 2 3, 2 3, 3 3, 4 4, 4 0, 0 1, 0 1, 1 1, 2 2, 2 Notation Program pointer (line #) for each process in upper compartment Value of all variables in lower compartment Computations are either infinite or terminating or blocking SEFM: Promela /GU 110831 25 / 35

Admissible Computations: Interleaving Definition (Interleaving of independent computations) Assume n independent processes P 1,..., P n and process i has computation c i = (s i 0, si 1, si 2,...). The computation (s 0, s 1, s 2,...) is an interleaving of c 1,..., c n iff for all s j = s i j and s k = s i k with j < k it is the case that j < k. The interleaved state sequence respects the execution order of each process SEFM: Promela /GU 110831 26 / 35

Admissible Computations: Interleaving Definition (Interleaving of independent computations) Assume n independent processes P 1,..., P n and process i has computation c i = (s i 0, si 1, si 2,...). The computation (s 0, s 1, s 2,...) is an interleaving of c 1,..., c n iff for all s j = s i j and s k = s i k with j < k it is the case that j < k. The interleaved state sequence respects the execution order of each process Observations Semantics of concurrent Promela program are all its interleavings Called interleaving semantics of concurrent programs Not universal: in Java certain reorderings allowed SEFM: Promela /GU 110831 26 / 35

Interleaving Cont d Can represent possible interleavings in a DAG 1 active [2] proctype P() { 2 byte n; 3 n = 1; 4 n = 2 5 4, 2 2, 0 3, 2 2, 2 0, 0 1, 0 2, 3 0, 1 3, 3 1, 1 2, 4 0, 2 4, 3 2, 1 3, 4 1, 2 4, 4 2, 2 SEFM: Promela /GU 110831 27 / 35

Atomicity At which granularity of execution can interleaving occur? Definition (Atomicity) An expression or statement of a process that is executed entirely without the possibility of interleaving is called atomic. SEFM: Promela /GU 110831 28 / 35

Atomicity At which granularity of execution can interleaving occur? Definition (Atomicity) An expression or statement of a process that is executed entirely without the possibility of interleaving is called atomic. Atomicity in Promela Assignments, jumps, skip, and expressions are atomic In particular, conditional expressions are atomic: (p -> q : r), C-style syntax, brackets required Guarded commands are not atomic SEFM: Promela /GU 110831 28 / 35

Atomicity Cont d int a,b,c; active proctype P() { a = 1; b = 1; c = 1; i f :: a!= 0 -> c = b / a :: e l s e -> c = b f i active proctype Q() { a = 0 SEFM: Promela /GU 110831 29 / 35

Atomicity Cont d int a,b,c; active proctype P() { a = 1; b = 1; c = 1; i f :: a!= 0 -> c = b / a :: e l s e -> c = b f i active proctype Q() { a = 0 Command Line Execution Interleaving into selection statement forced by interactive simulation > spin -p -g -i zero. pml SEFM: Promela /GU 110831 29 / 35

Atomicity Cont d How to prevent interleaving? 1. Consider to use expression instead of selection statement: c = (a!= 0 -> (b / a): b) SEFM: Promela /GU 110831 30 / 35

Atomicity Cont d How to prevent interleaving? 1. Consider to use expression instead of selection statement: c = (a!= 0 -> (b / a): b) 2. Put code inside scope of atomic: active proctype P() { a = 1; b = 1; c = 1; atomic { i f :: a!= 0 -> c = b / a :: e l s e -> c = b f i SEFM: Promela /GU 110831 30 / 35

Atomicity Cont d How to prevent interleaving? 1. Consider to use expression instead of selection statement: c = (a!= 0 -> (b / a): b) 2. Put code inside scope of atomic: active proctype P() { a = 1; b = 1; c = 1; atomic { i f :: a!= 0 -> c = b / a :: e l s e -> c = b f i SEFM: Promela /GU 110831 30 / 35

Atomicity Cont d How to prevent interleaving? 1. Consider to use expression instead of selection statement: c = (a!= 0 -> (b / a): b) 2. Put code inside scope of atomic: active proctype P() { a = 1; b = 1; c = 1; atomic { i f :: a!= 0 -> c = b / a :: e l s e -> c = b f i Remark: Blocking statement in atomic may lead to interleaving (Lect. Concurrency ) SEFM: Promela /GU 110831 30 / 35

Usage Scenario of Promela 1. Model the essential features of a system in Promela abstract away from complex (numerical) computations make usage of non-deterministic choice of outcome replace unbounded data structures with finite approximations assume fair process scheduler 2. Select properties that the Promela model must satisfy Generic Properties (discussed in later lectures) Mutal exclusion for access to critical resources Absence of deadlock Absence of starvation System-specific properties Event sequences (e.g., system responsiveness) SEFM: Promela /GU 110831 31 / 35

Formalisation with Promela System Requirements Formal Execution Model Formal Requirements Specification SEFM: Promela /GU 110831 32 / 35

Formalisation with Promela System Requirements Promela Model Formal Properties SEFM: Promela /GU 110831 32 / 35

Formalisation with Promela System Design System Requirements SEFM: Promela /GU 110831 32 / 35

Formalisation with Promela Abstraction System Design Promela Model System Requirements SEFM: Promela /GU 110831 32 / 35

Formalisation with Promela Abstraction System Design Promela Model System Requirements direct modeling (SEFM course) SEFM: Promela /GU 110831 32 / 35

Formalisation with Promela System Design Promela Model System Requirements direct modeling (SEFM course) Generic Properties SEFM: Promela /GU 110831 32 / 35

Formalisation with Promela System Design Promela Model System Requirements direct modeling (SEFM course) Generic Properties System Properties SEFM: Promela /GU 110831 32 / 35

Usage Scenario of Promela Cont d 1. Model the essential features of a system in Promela abstract away from complex (numerical) computations make usage of non-deterministic choice of outcome replace unbounded datastructures with finite approximations assume fair process scheduler 2. Select properties that the Promela model must satisfy Mutal exclusion for access to critical resources Absence of deadlock Absence of starvation Event sequences (e.g., system responsiveness) 3. Verify that all possible runs of Promela model satisfy properties Typically, need many iterations to get model and properties right Failed verification attempts provide feedback via counter examples Topic of next week s lecture SEFM: Promela /GU 110831 33 / 35

Verification: Work Flow (Simplified) Promela Program Properties [ ](!csp!csq) byte n = 0; active proctype P() { n = 1 active proctype Q() { n = 2 Spin csp = 0 1 1 csq = 1 0 1 SEFM: Promela /GU 110831 34 / 35

Literature for this Lecture Ben-Ari Chapter 1, Sections 3.1 3.3, 3.5, 4.6, Chapter 6 Spin Reference card (linked from Links, Papers, and Software section of course homepage) jspin User manual, file doc/jspin-user.pdf in distribution SEFM: Promela /GU 110831 35 / 35

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback