<latexit sha1_base64="P4jUJHo6g1yopyZBD74hiv3LdI=">AIZHicjVRb9NIFD6kXEKW6l4QEhoCBalIa4JYJqVcTSF14QRaIFqanQ2D5xRpnYZjxpG6L8Cn7d/oH9EfvEmWPnRgy7juw5/ubMd75zif1Uq8w2m39fqKxcvHT5SvVq7Y9r12/cvLV6+yhLBibAwyDRifnsywy1ivHQKqvxc2pQ9n2Nn/zevtv/dIomU0n80Q5TPOnLKFYdFUhL0JfVyve2j5GKR1b1vqUqsAOD41o7TkI8zqy0WO8orfd8PcAH2826ULGySuoTsfHV2xSjtsVz63fyNeuM9t+/OxiPx38uMxgMmUD6ySkKo6KuFUln76tHVHqnhGqnOdUJRotU/mok7OfqXZLqHbLqSKDGJeJ0ruOqSw/r5xpiJqkMNWMhOW0Skha5STBUMZzeTmKVl0GAaZWxRGX6fzXdQqNPMubgmGEXIgydGeGuqoXqDeH7paiM4bWHNqa8Z5vFikJacWGV9/yGtNWkMq/dJQYZbt9FYgjNMJZO0Yhwvz9+XWerPR5EsG15hrENxHSrlTa0IYQEAhAHxBisGRrkJDR7xg8aEJK2AmMCDNkKd5HGEONzg7IC8lDEtqjZ0RvxwUa07vjzPh0QFE03YZOCnhc+IRkdxjNVxdfzPn+KsaIuZ3GIa1+wdkn1EKX0P86N/H8v+dcTpYUvuRcFOlMGXFZBgsZdWjV9G5Jv3sOyRPJCumUISsgTBOaIy6GoTWvq8u8y3W7Idk/S4Xd6oH3zj+xGeCaVp9ZjIUzeU9YE15rhLqdCal96yI7mrv8op4x50yhJ3Rvu0zBhzqOMyGsLXrH3K9gj1OmVFNdV8gnj+l28Xo8BYJ3cIFdMCKpFm7f5767majRvfyLaT+cVjPjPFz9keJ70IAW2f1p5IwrH5Bnh+5FBX3OVdHq5n6Zz2lxWZ7R0/VYsJ3MacgonoB97lfM/RAcyXkgc7jpzKvfWMoI4ZS7O2SdlnuC8Iw8M54ZzTmNWK/intf5H6JoR9NOxJ0dwgPKuUkdmuXsVM9nmnKlU45mp3WY/OeQJ6oLQtyd6SB7vtaLyvO6WZ7dfM4Rzum5B4/o7dFvlEw8c0SyJUlZyioM+yZFrfMTuSJTeM5mpgbuW+f9/GVbNo62G97zxvMP2+uv3xRfvSrcg4ewQfPyAl7DWziAQwgq/6Ilc2Vp1f+qV6rlXv5K6VC8WZNVi4qvd/AB3w9Tw=</latexit> Promela Synchronisation Model Checking with SPIN Channels 3 COMP 1 5 9 3 Algorithmic Verification SPIN and Promela Dr. Liam O’Connor CSE, UNSW (for now) Term 1 2020 1
Promela Synchronisation Model Checking with SPIN Channels SPIN http://www.spinroot.com Programs are modelled in the Promela language. 2
Promela Synchronisation Model Checking with SPIN Channels Promela in brief A kind of weird hybrid of C and Guarded Command Language. 3
Promela Synchronisation Model Checking with SPIN Channels Promela in brief A kind of weird hybrid of C and Guarded Command Language. Models consist of multiple processes which may be non-deterministic , and may include guards . 4
Promela Synchronisation Model Checking with SPIN Channels Promela in brief A kind of weird hybrid of C and Guarded Command Language. Models consist of multiple processes which may be non-deterministic , and may include guards . Supports structured control using special if and do blocks, as well as goto . 5
Promela Synchronisation Model Checking with SPIN Channels Promela in brief A kind of weird hybrid of C and Guarded Command Language. Models consist of multiple processes which may be non-deterministic , and may include guards . Supports structured control using special if and do blocks, as well as goto . Variables are either global or process-local. No other scopes exist. 6
Promela Synchronisation Model Checking with SPIN Channels Promela in brief A kind of weird hybrid of C and Guarded Command Language. Models consist of multiple processes which may be non-deterministic , and may include guards . Supports structured control using special if and do blocks, as well as goto . Variables are either global or process-local. No other scopes exist. Variables can be of several types: bit , byte , int and so on, as well as channels . 7
Promela Synchronisation Model Checking with SPIN Channels Promela in brief A kind of weird hybrid of C and Guarded Command Language. Models consist of multiple processes which may be non-deterministic , and may include guards . Supports structured control using special if and do blocks, as well as goto . Variables are either global or process-local. No other scopes exist. Variables can be of several types: bit , byte , int and so on, as well as channels . Enumerations can be approximated with mtype keyword. 8
Promela Synchronisation Model Checking with SPIN Channels Promela in brief A kind of weird hybrid of C and Guarded Command Language. Models consist of multiple processes which may be non-deterministic , and may include guards . Supports structured control using special if and do blocks, as well as goto . Variables are either global or process-local. No other scopes exist. Variables can be of several types: bit , byte , int and so on, as well as channels . Enumerations can be approximated with mtype keyword. Correctness claims can be expressed in many different ways. 9
Promela Synchronisation Model Checking with SPIN Channels Promela in brief A kind of weird hybrid of C and Guarded Command Language. Models consist of multiple processes which may be non-deterministic , and may include guards . Supports structured control using special if and do blocks, as well as goto . Variables are either global or process-local. No other scopes exist. Variables can be of several types: bit , byte , int and so on, as well as channels . Enumerations can be approximated with mtype keyword. Correctness claims can be expressed in many different ways. Warning Variables of non-fixed size like int are of machine determined size, like C. 10
Promela Synchronisation Model Checking with SPIN Channels Example 1: Hello World Liam will demonstrate the basics of proctype and run using some simple examples. 11
Promela Synchronisation Model Checking with SPIN Channels Example 1: Hello World Liam will demonstrate the basics of proctype and run using some simple examples. Take-away You can use SPIN to randomly simulate Promela programs as well as model check them. 12
Promela Synchronisation Model Checking with SPIN Channels Sequential vs Concurrent We could consider a sequential program as a sequence (or total order ) of actions : • • • • • • · · · 13
Promela Synchronisation Model Checking with SPIN Channels Sequential vs Concurrent We could consider a sequential program as a sequence (or total order ) of actions : • • • • • • · · · The ordering here is “happens before”. For example, processor instructions: LD R0,X LDI R1,5 ADD R0,R1 ST X,R0 14
Promela Synchronisation Model Checking with SPIN Channels Sequential vs Concurrent We could consider a sequential program as a sequence (or total order ) of actions : • • • • • • · · · The ordering here is “happens before”. For example, processor instructions: LD R0,X LDI R1,5 ADD R0,R1 ST X,R0 A concurrent program is not a total order but a partial order. ◦ ◦ ◦ ◦ ◦ ◦ · · · • • • • • • · · · This means that there are now multiple possible interleavings of these actions — our program is non-deterministic where the interleaving is selected by the scheduler. 15
Promela Synchronisation Model Checking with SPIN Channels Example 2: Counters Liam will demonstrate a program that exhibits non-deterministic behaviour due to scheduling. 16
Promela Synchronisation Model Checking with SPIN Channels Example 2: Counters Liam will demonstrate a program that exhibits non-deterministic behaviour due to scheduling. Explicit non-determinism You can also add explicit non-determinism using if and do blocks: if :: (n % 2 != 0) -> n = 1; :: (n >= 0) -> n = n - 2; :: (n % 3 == 0) -> n = 3; :: else -> skip; fi 17
Promela Synchronisation Model Checking with SPIN Channels Example 2: Counters Liam will demonstrate a program that exhibits non-deterministic behaviour due to scheduling. Explicit non-determinism You can also add explicit non-determinism using if and do blocks: if :: (n % 2 != 0) -> n = 1; :: (n >= 0) -> n = n - 2; :: (n % 3 == 0) -> n = 3; :: else -> skip; fi What would happen without the else line? 18
Promela Synchronisation Model Checking with SPIN Channels Guards The arrows in the previous slide are just sugar for semicolons: if :: (n % 2 != 0); n = 1; :: (n >= 0); n = n - 2; :: (n % 3 == 0); n = 3; fi A boolean expression by itself forms a guard . Execution can only progress past a guard if the boolean expression evaluates to true (non-zero). Recall a state with no outgoing transitions is called deadlock. SPIN can detect deadlock in Promela programs. 19
Promela Synchronisation Model Checking with SPIN Channels mtype and Looping mtype = {RED, YELLOW, GREEN}; active proctype TrafficLight() { mtype state = GREEN; do :: (state == GREEN) -> state = YELLOW; :: (state == YELLOW) -> state = RED; :: (state == RED) -> state = GREEN; od } Non-determinism can be avoided by making guards mutually exclusive. Exit loops with break . 20
Promela Synchronisation Model Checking with SPIN Channels State Space Explosion a 1 b 1 a 1 b 1 a 2 b 2 a 2 b 2 The number of concurrent interleavings gets very large the more processes we add. 21
Promela Synchronisation Model Checking with SPIN Channels Synchronisation In order to reduce the number of possible interleavings, we must allow processes to synchronise their behaviour, ensuring more orderings (and thus fewer interleavings). ◦ ◦ ◦ ◦ ◦ ◦ · · · • • • • • • · · · The red arrows are synchronisations. The most common synchronisation problem is the critical section problem , which we will discuss later. Promela includes some synchronisation primitives, however. 22
Promela Synchronisation Model Checking with SPIN Channels atomic and d step Grouping statements in Promela with atomic prevents them from being interrupted. a 1 b 1 a 1 b 1 atomic a 2 a 2 b 2 If a statement in an atomic block is blocked, atomicity is temporarily suspended and another process may run. 23
Recommend
More recommend
