Download
1 / 25
250 likes | 356 Vues
This document presents a novel refinement calculus specifically designed for Promela, the modeling language used with the SPIN model checker. It introduces Featherweight Promela (FP)—a simplified subset of Promela—and establishes a dual action semantics that facilitates a sound refinement process. The calculus guarantees the preservation of temporal properties expressed in LTL during transformations. Key contributions include a formal semantics for asynchronous message passing and methods to handle non-determinism, enhancing both verification and validation within formal development workflows.
E N D
A Refinement Calculus for Promela Asankhaya SharmaDepartment of Computer ScienceNational University of SingaporeICECCS 2013
Formal Development Model Checking Informal Informal Generate Executable Code from Formal Model of System Code Synthesis A Refinement Calculus for Promela
The SPIN Model Checker • Uses Promela as a modeling language • Message passing with Channels • Non-deterministic choice operator • Express temporal properties in LTL • Check for validity of properties • Exhaustive search of state space for violation • Formal Development in SPIN • End to End Verification and Validation with SPIN[CoRR 2013] A Refinement Calculus for Promela
Promela Refinement • Other modeling languages have well defined refinement schemes (Event-B, Z) • Existing refinement(translation) systems for Promela do not preserve LTL properties • Challenges for Refinement of Promela • Lack of Formal Semantics • Non-determinism • Synchronous communication (Rendezvous channels) A Refinement Calculus for Promela
Key Contributions • A restricted subset of Promela called Featherweight Promela (FP) • A novel Dual Action Semantics for FP • Refinement calculus from FP to a Core language • Soundness of Calculus ensures that temporal properties (LTL) are preserved by refinement A Refinement Calculus for Promela
Outline • Featherweight Promela (FP) • Dual Action Semantics • Refinement Calculus • Implementation • Case Studies • Conclusions and Future Work A Refinement Calculus for Promela
Featherweight Promela (FP) • Restrictions for easy formalization • Minimal syntax • Only asynchronous message passing with channels • Existing Promela models can be written in FP A Refinement Calculus for Promela
Syntax of FP Process prog ::= p* p ::= t id (t x)* { e } e ::= x | t x ; e | x := e | e1 ; e2 | :: be -> e | if e fi | do e od | e1 ! e2 | e1 ? e2 | run p | atomic e t ::= int | chan | mtype | bit x ::= true | false | v | () whereid is an identifier, beis a booleanexpression and v is an integer value Expression Control Flow Channels A Refinement Calculus for Promela
Dual Action Semantics • A small step operational semantics in which each step has two actions • Local Action (sequential) • Global Action (concurrent) • Dual Action Semantics is useful for • Isolating concurrency • Supporting non-determinism A Refinement Calculus for Promela
Operational Semantics Small Step <e , s> <e’, s’> Dual Actions <e , G , s> <e’ , G’ , s’> Local <e , s> <e’’ , s’> Global choose e’ from G’ G’ = G U {e’’} NonDeterministic Round Robin LIFO FIFO Scheduler A Refinement Calculus for Promela
Example < () , G , si> * < () , {} , sf > proctype B() { f1 = 1; do :: f0 -> if :: turn != 1 -> f1 = 0; turn == 1 -> skip; f1 = 1; :: else -> skip; fi :: else -> break; od; t1_incrit = 1; t1_incrit = 0; turn = 0; f1 = 0; } proctypeA() { f0 = 1;do:: f1 -> if :: turn != 0 -> f0 = 0; turn == 0 -> skip; f0 = 1; :: else -> skip; fi:: else -> break;od;t0_incrit = 1;t0_incrit = 0;turn = 1;f0 = 0; } si G = A B s1 G = B A s2 G = B A s3 B G = A s4 B G = A s5 G = A B … … … … … … … sf {} G = A Refinement Calculus for Promela
Semantics and Refinement • Captures all possible process interleaving explicitly • Semantics of SPIN correspond to the global action with Non-deterministic choice • Refinement applies local transformation rules that preserve state invariants • Process interleaving of the refined program are subset of the original FP model A Refinement Calculus for Promela
Refinement Calculus • Data Refinement (8 rules) • Translates data structures • Control Refinement (8 rules) • Translates control flow • Handles non-deterministic choice • Synchronization Refinement (3 rules) • Translates channels • Handles message passing A Refinement Calculus for Promela
Data Refinement 1 bit uchar int x id [const] = e struct t {decl_list} #define x1 n ; #define x2 n-1 … structchan {t1 x1 ,t2 x2, …} ;chan id [n] skip bool byte mtype x id [const] = e typedef t {decl_list} mtype = {x1,x2, … xn} chan id = [n] of {t1,t2 …} Data Structure for Channels A Refinement Calculus for Promela
Control Refinement Channel Read and Write e_list while(1) { e_list } for(inti =1 ; i <= n ; i++) {enqueue(x,vi) ; } for(inti =1 ; i <= n ; i++) {vi = dequeue(x) ; } void id (args) {e_list} void main() {thread id ; … create(id,args) ; …… join(id,args) ; …} if :: e_listfi do :: e_listdo x ! v1,v2, ... vn x? v1,v2, ... vn id (args) {e_list} init{ run id (args) …} Thread Create and Join A Refinement Calculus for Promela
Non-deterministic Choice Benign Race id1() { lock(m);if (turn == 0 ) { e1; turn = 1; }unlock(m); } id2() { lock(m);if (turn == 0 ) { e2; turn = 1; }unlock(m); } … if(be1) create(id1,());if(be2) create(id2,()); … :: be1 -> e1:: be2-> e2… e1 e2 A Refinement Calculus for Promela
Synchronization Refinement Atomic Step lock(m) ; e ; unlock(m) ; xw = v ; barrier(b) ; barrier(b) ; xr = xw ; atomic { e } xw ! v xw ? xr Rendezvous Channels P P P1 P2 P2 P1 xw ! v xw ? xr e xw= v e xr = xw A Refinement Calculus for Promela
Features for Core Language • Target language for refinement needs • Concurrency primitive like threads • Locks • Barriers • Supported by concurrency models for many existing languages like • Java • C# • C with POSIX A Refinement Calculus for Promela
More in the Paper • Extension for Real Time Systems • Based on RT Promela • Generates code using Real Time POSIX • Soundness Proofs using Dual Action Semantics • Preservation of temporal properties (LTL) A Refinement Calculus for Promela
Implementation • Syntax directed translation based on refinement rules • SpinR Tool • Written in Objective Caml • Generates C code from Promela models • Available at github.com/codelion/SpinR A Refinement Calculus for Promela
Experiments • Evaluate the refinement calculus to generate C code from • Existing set of Promela models from literature • Principles of the Spin Model Checker [Book] • A larger case study in formal development of a cardiac pacemaker • Towards A Verified Cardiac Pacemaker [NUS TR 2010] A Refinement Calculus for Promela
Results Increase in Size Reduction in Behaviors A Refinement Calculus for Promela
Limitations • Refinement does not handle • Non functional properties (performance) • Properties that cannot be expressed in LTL • Reduction in behaviors does not ensure • That the refined program is always the desired program • Simplest (or best) implementation of the model A Refinement Calculus for Promela
Conclusions • Formalized a core subset of Promela (FP) with Dual Action Semantics • Refinement rules that preserve temporal properties (LTL) • Future Work • Dual Action Semantics for other languages • Refinement guidance for desired behavior • Code generation for more languages (C#, Java) A Refinement Calculus for Promela
Thank You • SpinR Tool • github.com/codelion/SpinR • Formal Development Methodology • End to End Verification and Validation with SPIN[CoRR 2013] • Cardiac Pacemaker Model • Towards A Verified Cardiac Pacemaker[NUS TR 2010] A Refinement Calculus for Promela
