A Refinement Calculus for Promela
Asankhaya Sharma
Department of Computer Science, National University of Singapore
ICECCS 2013
Formal Development

  Informal software requirements -> Formal model -> Executable code

- The step from informal requirements to a formal model is checked by model checking.
- The step from the formal model to executable code is code synthesis: generate executable code from the formal model of the system.
27/2/2019 A Refinement Calculus for Promela
The SPIN Model Checker
- Uses Promela as a modeling language: message passing with channels, non-deterministic choice operator
- Temporal properties are expressed in LTL
- Validity of properties is checked by an exhaustive search of the state space for a violation
- Formal development in SPIN: End to End Verification and Validation with SPIN [CoRR 2013]
Promela Refinement
- Other modeling languages have well-defined refinement schemes (Event-B, Z)
- Existing refinement (translation) systems for Promela do not preserve LTL properties
Challenges for refinement of Promela:
- Lack of formal semantics
- Non-determinism
- Synchronous communication (rendezvous channels)
Key Contributions
- A restricted subset of Promela called Featherweight Promela (FP)
- A novel Dual Action Semantics for FP
- A refinement calculus from FP to a Core language
- Soundness of the calculus ensures that temporal properties (LTL) are preserved by refinement
Outline
- Featherweight Promela (FP)
- Dual Action Semantics
- Refinement Calculus
- Implementation
- Case Studies
- Conclusions and Future Work
Featherweight Promela (FP)
- Restrictions for easy formalization
- Minimal syntax
- Only asynchronous message passing with channels
- Existing Promela models can be written in FP
Syntax of FP

  prog ::= p*                                  (program)
  p    ::= t id (t x)* { e }                   (process)
  e    ::= x | t x ; e | x := e | e1 ; e2      (expressions)
         | :: be -> e | if e fi | do e od      (control flow)
         | e1 ! e2 | e1 ? e2                   (channels)
         | run p | atomic e
  t    ::= int | chan | mtype | bit
  x    ::= true | false | v | ()

where id is an identifier, be is a boolean expression and v is an integer value.
Dual Action Semantics
- A small-step operational semantics in which each step has two actions:
  - Local action (sequential)
  - Global action (concurrent)
- Dual Action Semantics is useful for isolating concurrency and supporting non-determinism
Operational Semantics

Small step:     <e, s> -> <e', s'>

Dual actions:   <e, G, s> -> <e', G', s'>
  Local:   <e, s> -> <e'', s'>
  Global:  choose e' from G', where G' = G U {e''}

The global action is the scheduler; the choice of e' from G' may be non-deterministic, round robin, LIFO or FIFO.
Example

  proctype A() {
    f0 = 1;
    do
    :: f1 ->
         if
         :: turn != 0 -> f0 = 0; turn == 0 -> skip; f0 = 1;
         :: else -> skip;
         fi
    :: else -> break;
    od;
    t0_incrit = 1;
    t0_incrit = 0;
    turn = 1;
    f0 = 0;
  }

  proctype B() {
    f1 = 1;
    do
    :: f0 ->
         if
         :: turn != 1 -> f1 = 0; turn == 1 -> skip; f1 = 1;  /* re-raise the flag, symmetric to A */
         :: else -> skip;
         fi
    :: else -> break;
    od;
    t1_incrit = 1;
    t1_incrit = 0;
    turn = 0;
    f1 = 0;
  }

Execution under the dual action semantics:

  <(), G, si> ->* <(), {}, sf>

  si:  G = {A, B}
  s1:  G = {A, B}
  s2:  G = {A, B}
  s3:  G = {A, B}
  s4:  G = {A, B}
  s5:  G = {A, B}
  ...
  sf:  G = {}
Semantics and Refinement
- Captures all possible process interleavings explicitly
- The semantics of SPIN corresponds to the global action with non-deterministic choice
- Refinement applies local transformation rules that preserve state invariants
- The process interleavings of the refined program are a subset of those of the original FP model
Refinement Rules
- Data refinement (8 rules): translates data structures
- Control refinement (8 rules): translates control flow, handles non-deterministic choice
- Synchronization refinement (3 rules): translates channels, handles message passing
Data Refinement

  Promela                          Core language (C)
  skip                             1
  bool                             bit
  byte                             uchar
  mtype                            int
  x id [const] = e                 x id [const] = e
  typedef t {decl_list}            struct t {decl_list}
  mtype = {x1, x2, ... xn}         #define x1 n ; #define x2 n-1 ; ...
  chan id = [n] of {t1, t2 ...}    struct chan {t1 x1, t2 x2, ...} ; chan id [n]

The last rule gives the data structure for channels.
Control Refinement

Channel read and write:

  Promela                      Core language (C)
  if :: e_list fi              e_list
  do :: e_list od              while(1) { e_list }
  x ! v1, v2, ... vn           for(int i = 1; i <= n; i++) { enqueue(x, vi); }
  x ? v1, v2, ... vn           for(int i = 1; i <= n; i++) { vi = dequeue(x); }

Thread create and join:

  Promela                      Core language (C)
  id (args) {e_list}           void id (args) {e_list}
  init { run id (args) ... }   void main() { thread id; ... create(id, args); ... join(id, args); ... }
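The data and control rules for channels, carried through for one concrete declaration as an added C example (this is not the paper's or SpinR's output). The ring-buffer bookkeeping (head, len), the struct name `channel` and the full/empty return codes are this example's own assumptions:

```c
#include <stdio.h>

/* Added example, not SpinR output: refining the Promela declarations
 *     mtype = {ping, pong};
 *     chan c = [2] of {mtype, int};
 * mtype constants become #defines, a message becomes a struct, the
 * channel an array of N messages, and c ! v1,v2 / c ? v1,v2 become
 * enqueue / dequeue. Bookkeeping and status codes are assumptions. */

#define ping 2                        /* #define x1 n   */
#define pong 1                        /* #define x2 n-1 */
#define N 2                           /* capacity of chan c = [2] of {...} */

struct chan { int x1; int x2; };      /* struct chan {t1 x1, t2 x2} */
struct channel {                      /* chan c[N] plus FIFO bookkeeping */
    struct chan buf[N];
    int head, len;
};

/* c ! v1,v2: append a message; returns 0 when full (where a Promela
 * sender would block, the refined code reports it to the caller). */
int enqueue(struct channel *q, int v1, int v2) {
    if (q->len == N) return 0;
    int tail = (q->head + q->len) % N;
    q->buf[tail].x1 = v1;
    q->buf[tail].x2 = v2;
    q->len++;
    return 1;
}

/* c ? v1,v2: remove the oldest message; returns 0 when empty. */
int dequeue(struct channel *q, int *v1, int *v2) {
    if (q->len == 0) return 0;
    *v1 = q->buf[q->head].x1;
    *v2 = q->buf[q->head].x2;
    q->head = (q->head + 1) % N;
    q->len--;
    return 1;
}

/* Two sends fill the channel, a third must fail, and receives must
 * return the messages in send order; returns 1 if all of that holds. */
int fifo_check(void) {
    struct channel q = {0};
    int m, v;
    if (!enqueue(&q, ping, 7) || !enqueue(&q, pong, 8)) return 0;
    if (enqueue(&q, ping, 9)) return 0;                      /* full */
    if (!dequeue(&q, &m, &v) || m != ping || v != 7) return 0;
    if (!dequeue(&q, &m, &v) || m != pong || v != 8) return 0;
    return !dequeue(&q, &m, &v);                             /* now empty */
}
```

Calling `fifo_check()` returns 1; the refined channel keeps the asynchronous FIFO ordering of the Promela channel, and the only visible difference is that a full channel is reported rather than blocking the sender.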
Non-deterministic Choice (Benign Race)

  Promela                      Core language (C)
  :: be1 -> e1                 id1() { lock(m); if (turn == 0) { e1; turn = 1; } unlock(m); }
  :: be2 -> e2                 id2() { lock(m); if (turn == 0) { e2; turn = 1; } unlock(m); }
  ...                          ...
                               if (be1) create(id1, ());
                               if (be2) create(id2, ());
                               ...

The enabled branches e1 and e2 race for the lock; the first to take it runs and sets turn, so exactly one branch executes.
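The benign-race rule above written out with POSIX threads, as an added example that is not code from the paper or from SpinR. The names nd_choice, branch and chosen are this example's own, and e1/e2 are stand-ins for the branch bodies:

```c
#include <pthread.h>
#include <stdio.h>

/* Added example (not from the paper or SpinR): the benign-race
 * refinement of   if :: be1 -> e1 :: be2 -> e2 fi
 * Each enabled branch becomes a thread; the first one to take the
 * lock runs its body and flips `turn`, the others then find
 * turn == 1 and do nothing, so exactly one enabled branch runs.
 * nd_choice, branch and chosen are names assumed by this example. */

static pthread_mutex_t m = PTHREAD_MUTEX_INITIALIZER;
static int turn;      /* 0: no branch taken yet, 1: a branch has run */
static int chosen;    /* records which branch body (e1 or e2) executed */

static void e1(void) { chosen = 1; }   /* stands in for branch body e1 */
static void e2(void) { chosen = 2; }   /* stands in for branch body e2 */

/* Thread body for one branch of the choice; `arg` selects e1 or e2. */
static void *branch(void *arg) {
    int which = *(int *)arg;
    pthread_mutex_lock(&m);            /* lock(m) */
    if (turn == 0) {                   /* nobody has won the race yet */
        if (which == 1) e1(); else e2();
        turn = 1;                      /* disable the remaining branches */
    }
    pthread_mutex_unlock(&m);          /* unlock(m) */
    return NULL;
}

/* Refined form of the choice: spawn a thread per true guard, join
 * them, and report which body ran (0 if no guard was enabled). */
int nd_choice(int be1, int be2) {
    pthread_t t[2];
    int ids[2] = {1, 2};
    int n = 0;
    turn = 0;
    chosen = 0;
    if (be1) pthread_create(&t[n++], NULL, branch, &ids[0]);  /* create(id1, ()) */
    if (be2) pthread_create(&t[n++], NULL, branch, &ids[1]);  /* create(id2, ()) */
    for (int i = 0; i < n; i++) pthread_join(t[i], NULL);
    return chosen;
}

int main(void) {
    printf("both guards enabled: branch %d ran\n", nd_choice(1, 1));
    printf("only be2 enabled:    branch %d ran\n", nd_choice(0, 1));
    return 0;
}
```

With both guards true the result is 1 or 2 depending on the scheduler, which is exactly the set of interleavings the Promela choice allows; with one guard true the result is fixed.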
Synchronization Refinement

Atomic step:

  Promela                      Core language (C)
  atomic { e }                 lock(m); e; unlock(m);

Rendezvous channels:

  Promela                      Core language (C)
  xw ! v                       xw = v; barrier(b);
  xw ? xr                      barrier(b); xr = xw;

(Diagram: a process P taking atomic step e becomes P with e under lock/unlock; processes P1 and P2 exchanging xw ! v and xw ? xr become P1 and P2 doing xw = v and xr = xw on either side of a barrier.)
Features for the Core Language
- The target language for refinement needs concurrency primitives: threads, locks, barriers
- These are supported by the concurrency models of many existing languages, such as Java, C# and C with POSIX
More in the Paper
- Extension for real-time systems: based on RT Promela, generates code using Real Time POSIX
- Soundness proofs using Dual Action Semantics: preservation of temporal properties (LTL)
Implementation
- Syntax-directed translation based on the refinement rules
- SpinR tool: written in Objective Caml, generates C code from Promela models
- Available at github.com/codelion/SpinR
Experiments
Evaluate the refinement calculus by generating C code from:
- An existing set of Promela models from the literature: Principles of the Spin Model Checker [Book]
- A larger case study in the formal development of a cardiac pacemaker: Towards A Verified Cardiac Pacemaker [NUS TR 2010]
Results

  Promela model               LoC   LoC (C)     States   States (C)
  Spare Channels               86       119        106           14
  8-Queens Problem             50        65      41525        39225
  Rate Scheduler               87        93         27   (one States value missing from the slide)
  Fisher's Algorithm           60        74     494729         4337
  Chandy Lamport's Algorithm  168       214   14632233     13063946
  Pacemaker Challenge         389       431   35684919       392716

LoC vs. LoC (C): increase in size. States vs. States (C): reduction in behaviors.
Limitations
- Refinement does not handle non-functional properties (performance) or properties that cannot be expressed in LTL
- The reduction in behaviors does not ensure that the refined program is always the desired program, nor that it is the simplest (or best) implementation of the model
Conclusions
- Formalized a core subset of Promela (FP) with Dual Action Semantics
- Refinement rules that preserve temporal properties (LTL)
Future Work
- Dual Action Semantics for other languages
- Refinement guidance for desired behavior
- Code generation for more languages (C#, Java)
Thank You
- SpinR tool: github.com/codelion/SpinR
- Formal development methodology: End to End Verification and Validation with SPIN [CoRR 2013]
- Cardiac pacemaker model: Towards A Verified Cardiac Pacemaker [NUS TR 2010]