/ PSWLAB P ROMELA Semantics from “THE SPIN MODEL CHECKER” by G. J. Holzmann Presented by Hong,Shin 5 th Oct :021PROMELA Semantics

/ PSWLAB Contents Introduction Transition Relation Operational Model Semantics Engine Interpreting P ROMELA models Further study 08:02PROMELA Semantics2

/ PSWLAB Introduction 1/3 A S PIN model can be used to specify the behavior of collections of asynchronously executing processes in a distributed system. From a S PIN model, we can generate a large directed graph of all reachable system state, called global reachability graph. Correctness claims in P ROMELA can be interpreted as statements about the presence or absence of specific types of nodes or edges in the global reachability graph. 08:02PROMELA Semantics3

/ PSWLAB Introduction 2/3 The P ROMELA semantics defines the behavior of a P ROMEL model. The P ROMELA semantics rules define how the global reachability graph for any given P ROMELA model is to be generated. 08:02PROMELA Semantics4 chan x = [0] of { bit } ; chan y = [0] of { bit } ; active proctype A() { x?0 unless y!0 } active proctype B() { y?0 unless x!0 }

/ PSWLAB Introduction 3/3 The operational semantics of P ROMELA should allow us to derive what the structure of the global reachability graph is for any given S PIN model in detail. - Global reachability graph’s state  Operational model - Global reachability graph’s transition  Transition relation 08:02PROMELA Semantics5

/ PSWLAB Transition Relation 1/2 Every P ROMELA proctype defines a finite state automaton (S, s 0, L, T, F ). - Transition relation T defines the flow of control. - Transition label set L links each transition in T with a specific basic statement that defines the executability and the effect of that transition. 08:02PROMELA Semantics6 active proctype not_euclid(int x, int y) { if :: (x > y) -> L: x = x – y :: (x y = y – x :: (x == y) -> assert(x != y) ; goto L fi ; printf(“%d\n”, x) ; }

/ PSWLAB Transition Relation 2/2 If, goto, semicolon, arrow, do, break … do not appear as labels on transitions. basic statements – assignments, assertions, print statements, send or receive statements, P ROMELA ’s expression statements. 08:02PROMELA Semantics7 active proctype not_euclid(int x, int y) { if :: (x > y) -> L: x = x – y :: (x y = y – x :: (x == y) -> assert(x != y) ; goto L fi ; printf(“%d\n”, x) ; } x < y y = y - x x == y print x=x-y assert(x!=y) x > y

/ PSWLAB Operational Model 1/5 Semantics engine - determines how a given P ROMELA model defines system executions. - operates on abstract objects that correspond to processes, variables, and message channels. Def. Variable (name, scope, domain, inival, curval) scope : global or local to a specific process. domain : a finite set of integers. 08:02PROMELA Semantics8

/ PSWLAB Operational Model 2/5 Def. Message A message is an ordered set of variables. Def. Message Channel (ch_id, nslots, contents) nslots : maximum number of messages. contents : an ordered set of messages. 08:02PROMELA Semantics9

/ PSWLAB Operational Model 3/5 Def. Process (pid, lvars, lstates, initial, curstate, trans) lvars : a finite set of local variables lstates : a finite set of integer initial : an element of lstates trans : a finite set of transitions on lstates. 08:02PROMELA Semantics10

/ PSWLAB Operational Model 4/5 Def. Transition A transition in process P is defined by a tuple (tr_id, source, target, cond, effect, prty, rv) source, target 2 P.lstates cond : a boolean condition on global system state effect : a function that modifies the global system state prty, rv are integers. 08:02PROMELA Semantics11

/ PSWLAB Operational Model 5/5 Def. System State (gvars, procs, chans, exclusive, handshake, timeout, else, stutter) gvars : a finite set of variables with global scope procs : a finite set of processes chans : a finite set of message channels exclusive, handshake are integers timeout, else, stutter are booleans 08:02PROMELA Semantics12

/ PSWLAB Semantics Engine 1/4 The semantics engine selects one executable basic statement. For selected statement, the effect clause from the statement is applied. And the control state of the process that executes the statement is updated. The semantics engine continues executing statements until no executable statements remain. 08:02PROMELA Semantics13

/ PSWLAB Semantics Engine 2/4 while ( (E = executable(s)) != {} ) { for some (p, t) from E { s’ = apply(t.effect, s) if (handshake == 0) { s = s’ p.curstate = t.target } else { E’ = executable(s’) for some (p’, t’) from E’ { s = apply(t’.effect, s’) ; p.curstate = t.target p’.curstate = t’.target } handshake = 0 ; }}} while(stutter) {s = s} 08:02PROMELA Semantics14 PROMELA Semantics Engine executable(s) returns a set of pairs of executable transitions in system state s. apply() applies the effect of the transition to the system state. handshake is not 0, if rendezvous offer was made with the message channel whose ch_id is the value of handshake stutter extension stutter is used to determine if the stuttering rule is in effect

/ PSWLAB Semantics Engine 3/4 Set executable(State s) {new Set E = {} ; new Set e ; timeout = false ; AllProcs: for each active process p { if (exclusive == 0 or exclusive == p.pid) { for u from high to low { e = {} ; else = false ; OneProc: for each t in p.trans { if (t.source == p.curstate and t.prty == u and (handshake==0 or handshake==t.rv) and eval(t.cond) == true) { add (p,t) to set e ; } } 08:02PROMELA Semantics15 Any transition that is part of an atomic sequence sets exclusive to the value of p.pid. checks priority level. Priorities are defined in P ROMELA with the unless construct. check whether executability condition for the transition is satisfied.

/ PSWLAB Semantics Engine 4/4 if (e != {}) { add all elements of e to E ; break ; } else if (else == false){ else = true ; goto OneProc ; } } } } if (E == {} and exclusive != 0) { exclusive = 0 ; goto AllProcs ; } if (E == {} and timeout == false) { timeout = true ; goto AllProcs ; } return E ; } 08:02PROMELA Semantics16 Select the transition whose cond is else. If atomic sequence itself blocks, select another process’s transtion Execute timeout sequence if no transition is selected.

/ PSWLAB Interpreting P ROMELA models 1/5 Basic objects of a P ROMELA model correspond to the basic objects that are manipulated by the semantics engine. The control-flow constructs provide convenient high-level means for defining transition relations on processes. P ROMELA basic statements (e.g. assignments, message passing operations, etc) directly correspond to the transitions of the semantic model. All details are in MANUAL PAGES of P ROMELA. – EXECUTABILITY, EFFECT 08:02PROMELA Semantics17

/ PSWLAB Interpreting P ROMELA models 2/5 chan x = [0] of { bit } ; chan y = [0] of { bit } ; active proctype A() { x?0 unless y!0 } active proctype B() { y?0 unless x!0 } 08:02PROMELA Semantics18 cond: true effect: y!0 priority : high cond: first message in x matches 0 effect: none priority : low cond: true effect: x!0 priority : high cond: first message in y matches 0 effect: none priority : low

/ PSWLAB Interpreting P ROMELA models 3/5 08:02PROMELA Semantics19 cond: true effect: y!0 priority : high cond: first message in x matches 0 effect: x?0 priority : low cond: true effect: x!0 priority : high cond: first message in y matches 0 effect: none priority : low x!0y!0 x?0 y?0

/ PSWLAB Interpreting P ROMELA models 4/5 chan x = [0] of { bit } ; chan y = [0] of { bit } ; active proctype A() { x!0 unless y!0 } active proctype B() { y?0 unless x?0 } 08:02PROMELA Semantics20 cond: true effect: y!0 priority : high cond: true effect: x!0 priority : low cond: first message in y is 0 effect: none priority :low cond: first message in x is 0 effect: none priority : high y!0y?0

/ PSWLAB Interpreting P ROMELA models 5/5 chan x = [0] of { bit } ; chan y = [0] of { bit } ; active proctype A() { x!0 unless y?0 } active proctype B() { y!0 unless x?0 } 08:02PROMELA Semantics21 cond: first message in y is 0 effect: none priority : high cond: true effect: x!0 priority : low cond: first message in x is 0 effect: none priority : high cond: true effect: y!0 priority : low x!0y!0 x?0 y?0

/ PSWLAB Verification 1/2 The semantics engine does not include any special mention or interpretation of valid end state, accepting state, assertion, etc. Operational semantics define only behavior of a model. It does not define what kind of behavior is good or bad. Assertion statements, never claims, trace assertion, etc are used for making meta statements about the semantics of a model. Verification engine defines this meta-semantics for verification. 08:02PROMELA Semantics22

/ PSWLAB Verification 2/2 System variable stutter set to be false when an assertion statement can fail or in the presence of executions that violate the requirements for proper termination Never claim – the purpose of the claim is to suppress the inspection of executions that could not possibly lead to a counterexample. 08:02PROMELA Semantics23 while( (E = executable(s) != {} ) { if (check_fails()) Stop ; : } while (stutter) { s = s ; if (check_fails()) Stop ; }

/ PSWLAB Further study Search Algorithms (Ch. 8) - Checking Safety properties - Checking Liveness properties Search Optimization (Ch. 9) 08:02PROMELA Semantics24

/ PSWLAB Reference Gerard J. Holzmann, “THE SPIN MODEL CHECKER- PRIMER AND REFERENCE MANUAL ” 08:02PROMELA Semantics25