The SAL Tool Julien Schmaltz Institute for Computing and - - PowerPoint PPT Presentation

Introduction Expression Language Transition Language Modules and Contexts

The SAL Tool

Julien Schmaltz

Institute for Computing and Information Sciences Radboud University Nijmegen The Netherlands julien@cs.ru.nl

April 8, 2009

• J. Schmaltz

Bounded Model Checking

Introduction Expression Language Transition Language Modules and Contexts

Agenda

Overview of “The SAL language manual”

Goal: highlight key aspects Help for future references to the manual

Examples/tutorials Documents to be used (by students too :-)

“The SAL language manual”. L. de Moura, S. Owre, and N. Shankar “SAL: tutorial” L. de Moura SAL website: http://sal.csl.sri.com/ Wiki: http://sal-wiki.csl.sri.com/index.php/Main Page Help-list: SAL-HELP

• J. Schmaltz

Bounded Model Checking

Introduction Expression Language Transition Language Modules and Contexts

1

Introduction

2

Expression Language Types Expressions

3

Transition Language Definitions Guarded Commands

4

Modules and Contexts Base Modules Module Composition Contexts

• J. Schmaltz

Bounded Model Checking

Introduction Expression Language Transition Language Modules and Contexts

Introduction

SAL = Symbolic Analysis Laboratory Combination of tools to analyze transition systems

abstraction program analysis theorem proving model checking

Language common to all these tools

• J. Schmaltz

Bounded Model Checking

Introduction Expression Language Transition Language Modules and Contexts

Applications of SAL

Timed systems

k-induction technique proposed by B. Dutertre and M. Sorea Time-triggered protocol (NASA, Lee Pike) Physical layer: Biphase-mark, 8N1 Indirect encoding (vs. direct encoding in UPPAAL) but quite efficient

Interrupt driven software Combination of SAL and the Z notation SAL is NEW, so few applications, but all are promising

• J. Schmaltz

Bounded Model Checking

Introduction Expression Language Transition Language Modules and Contexts

The SAL environment

SAL on different platforms

Windows (cygwin) Linux/Mac OS Sun/Solaris

Simulator (sal-sim) Path-finder (sal-path-finder)

Random trace generator based on SAT

Model Checking

Symbolic model checker (sal-smc) Bounded model checker (sal-bmc)

More advanced technique (not covered today)

k-induction infinite state model checker (sal-inf-bmc) HybridSAL

• J. Schmaltz

Bounded Model Checking

Introduction Expression Language Transition Language Modules and Contexts

High-level requirements on the SAL language

Generality

Capture semantics of many other languages (Esterel, Java, StateCharts, ...) Wide applicability

Minimality

Simple language/Easy to understand and to use

Semantic regularity

Correctness of different translations Semantics can be formalized in logic (like PVS)

Language modularity/structure

Type/expression Transition Modules

Compositionality (synchronous and asynchronous)

• J. Schmaltz

Bounded Model Checking

Introduction Expression Language Transition Language Modules and Contexts Types Expressions

1

Introduction

2

Expression Language Types Expressions

3

Transition Language Definitions Guarded Commands

4

Modules and Contexts Base Modules Module Composition Contexts

• J. Schmaltz

Bounded Model Checking

Introduction Expression Language Transition Language Modules and Contexts Types Expressions

Types

Built-in basic types

Booleans, naturals, integers, reals

User defined data types

subtype, subrange, array, function, tuple, record

Example TIME : TYPE = REAL; PHASE: TYPE = { Stable, Settle };

• J. Schmaltz

Bounded Model Checking

Introduction Expression Language Transition Language Modules and Contexts Types Expressions

Types as sets

Types are modeled as sets Types must be checked to be non empty Type equivalence = set inclusion (both ways) Example Let consider the following record types : [# a: INTEGER, b : { x : INTEGER | x < a } #] [# b: INTEGER, a : { x : INTEGER | b < x } #] Each is equivalent to the type: { r: [# a: INTEGER, b : INTEGER #] | r’b < r’a }

• J. Schmaltz

Bounded Model Checking

Introduction Expression Language Transition Language Modules and Contexts Types Expressions

Recursive datatypes

Use to introduce list- and tree-like types Constructor/destructor + accessors Recognizers automatically added (cons?, nil?) Example intlist: TYPE = DATATYPE cons(car: INTEGER, cdr: intlist), nil END

• J. Schmaltz

Bounded Model Checking

Introduction Expression Language Transition Language Modules and Contexts Types Expressions

Recursive functions

Example length: [intlist -> NATURAL] = LAMBDA (lst: intlist): IF nil?(lst) THEN 0 ELSE 1 + length(cdr(lst)) ENDIF

• J. Schmaltz

Bounded Model Checking

Introduction Expression Language Transition Language Modules and Contexts Types Expressions

Expressions

Usual constructions

constants, variables; Boolean, arithmetic, bit-vector operators; update of arrays, tuples, records ...; conditional expressions

LET is parallel, sequential via nested LETs LET a = f(b) IN LET b = f(a) IN e Type correctness conditions (TCCs) Next variables are primed State predicates (INIT and TRANS)

• J. Schmaltz

Bounded Model Checking

Introduction Expression Language Transition Language Modules and Contexts Types Expressions

Expressions: some examples

Example Array selection: expression [ expression ] (myarr[0]) Record selection: expression . identifier (myrec.field) Tuple selection: expression . numeral (mytup.2) Array declaration: [ [ i : [0 ... 4] ] 0 ]

• r [[ i : [0 ... 4] ] IF i mod 2 = 0 THEN 0 ELSE 1]
• J. Schmaltz

Bounded Model Checking

Introduction Expression Language Transition Language Modules and Contexts Definitions Guarded Commands

1

Introduction

2

Expression Language Types Expressions

3

Transition Language Definitions Guarded Commands

4

Modules and Contexts Base Modules Module Composition Contexts

• J. Schmaltz

Bounded Model Checking

Introduction Expression Language Transition Language Modules and Contexts Definitions Guarded Commands

Definitions

Basic constructs in modules (transitions, invariants, initializations) Specify updates of variables Example x’ = x + 1 y’[i] = 3 z.recfield.1[0] = y

• J. Schmaltz

Bounded Model Checking

Introduction Expression Language Transition Language Modules and Contexts Definitions Guarded Commands

Non-determinism

Non-deterministic assignment with some value of a set Example x IN {0,1};

• J. Schmaltz

Bounded Model Checking

Introduction Expression Language Transition Language Modules and Contexts Definitions Guarded Commands

Guarded commands

Used to specify transition rules and initial conditions

At activation of a module one command is chosen If no command is active, then deadlock

Practical for case structure (better than definitions) Example State = 1 --> data’ = read; State = 2 --> data’ = IF data < 1 THEN 0 ELSE data + 1 ENDIF;

• J. Schmaltz

Bounded Model Checking

Introduction Expression Language Transition Language Modules and Contexts Base Modules Module Composition Contexts

1

Introduction

2

Expression Language Types Expressions

3

Transition Language Definitions Guarded Commands

4

Modules and Contexts Base Modules Module Composition Contexts

• J. Schmaltz

Bounded Model Checking

Introduction Expression Language Transition Language Modules and Contexts Base Modules Module Composition Contexts

Modules

Self-contained specification of a transition system Example m : MODULE = BEGIN INPUT temp : INTEGER LOCAL high : BOOLEAN, ctr : NATURAL OUTPUT danger : BOOLEAN DEFINITION high = temp > 100 INITIALIZATION ctr = 0; danger = FALSE TRANSITION [ ctr > 3 - -> danger’ = danger OR high [] ctr <= 3 AND high - -> ctr’ = ctr + 1 [] ELSE - -> ctr’ = 0 ] END

• J. Schmaltz

Bounded Model Checking

Introduction Expression Language Transition Language Modules and Contexts Base Modules Module Composition Contexts

Definition section

Define invariants of the module Example m = MODULE = BEGIN INPUT temp : INTEGER LOCAL high : BOOLEAN, ctr : NATURAL OUTPUT danger : BOOLEAN DEFINITION high = temp > 100 INITIALIZATION ctr = 0; danger = FALSE TRANSITION [ ctr > 3 - -> danger’ = danger OR high [] ctr <= 3 AND high - -> ctr’ = ctr + 1 [] ELSE - -> ctr’ = 0 ] END

• J. Schmaltz

Bounded Model Checking

Introduction Expression Language Transition Language Modules and Contexts Base Modules Module Composition Contexts

Transition section

Define next values + determine predicate TRANS No input on left hand side Example m = MODULE = BEGIN INPUT temp : INTEGER LOCAL high : BOOLEAN, ctr : NATURAL OUTPUT danger : BOOLEAN DEFINITION high = temp > 100 INITIALIZATION ctr = 0; danger = FALSE TRANSITION [ ctr > 3 - -> danger’ = danger OR high [] ctr <= 3 AND high - -> ctr’ = ctr + 1 [] ELSE - -> ctr’ = 0 ] END

• J. Schmaltz

Bounded Model Checking

Introduction Expression Language Transition Language Modules and Contexts Base Modules Module Composition Contexts

Module composition

Synchronous composition

s : MODULE = c1 || c2

Asynchronous composition

s : MODULE = c1 [] c2 [] c3

Restrictions

Same identifier – same type Outputs of one modules are not globals or outputs of an another (0i ∩ (Oj ∪ Gj) = ∅) Locals may not be disjoint between two modules But, locals are not inputs, globals, or outputs (L ∩ (I ∪ O ∪ G) = ∅)

• J. Schmaltz

Bounded Model Checking

Introduction Expression Language Transition Language Modules and Contexts Base Modules Module Composition Contexts

Context

Top-level structure

Modules + properties + constants + types + ...

Can be parameterized

number of processes, types ...

Constants may provide a definition

Lambda expressions Can be recursive (provided termination can be proven)

Example n: INTEGER = 3 f (x: INTEGER) : [INTEGER -> INTEGER] = LAMBDA (y: INTEGER) : x + n * y fact(n:NATURAL) : NATURAL = IF n = 0 THEN 1 ELSE n * fact(n - 1)

• J. Schmaltz

Bounded Model Checking

Introduction Expression Language Transition Language Modules and Contexts Base Modules Module Composition Contexts

Your TODO list

Visit SAL web-pages Read language manual + tutorials Choose your favorite puzzle: model and solve it using SAL-smc ... Comparison with UPPAAL ?

• J. Schmaltz

Bounded Model Checking