CSE 555 Protocol Engineering Dr. Mohammed H. Sqalli Computer Engineering Department King Fahd University of Petroleum & Minerals Credits: Dr. Abdul Waheed (KFUPM) Spring 2004 (Term 032)
Validation Models
Topics (Ch. 5) Processes, channels, and variables Communicating sequential processes (CSP) Control flow Modeling timeouts Term 032 3-1-3
Validation Models There are five main elements of a protocol definition: A service specification Explicit assumptions about environment Protocol vocabulary Format definitions Procedure rules Procedure rules are hardest to specify and design Should be complete Should be consistent PROMELA language used to specify and verify procedure rules Procedure rules provide a partial description of a protocol This partial description is called validation model Term 032 3-1-4
PROMELA for Describing Validation Models Goal is to model protocols: To study their structure To verify their completeness and logical consistency Simplifications are needed for description at an abstract level Avoid implementation details No need to describe how a message is encoded, transmitted, or stored Focus on the design of a complete and consistent set of rules for interactions in a distributed system PROMELA (PROtocol Meta Language) A language for specifying system behavior in formal validation models A validation model defines interactions of processes in a distributed system Term 032 3-1-5
Processes, Channels, and Variables Procedure rules described as formal programs for an abstract model of a distributed system Model has to be: Simple Powerful to represent all types of coordination problems in distributed systems A validation model can be described in terms of processes, message channels, and state variables For the purpose of analysis, each of these objects may be translated into a FSM. Process These are global objects Channel A message passing abstraction Represent data that can be global or local to a process Variable Term 032 3-1-6
Executability of Statements Not all PROMELA statements are executable This is unlike programming languages Statements are same as conditionals Statements are either in blocked state or executable state Statements are executable only when the conditions they represent hold A process can wait for an event by waiting for a statement’s executability Assignment statements to variables are always executable Executability is the basic means of synchronization Example: Instead of writing: while (a!=b); We can write in PROMELA: (a==b) Term 032 3-1-7
Variables and Data Types Variables have one of two levels of scope: Global Local to a process Within each level, objects must be declared before they can be referenced Example: When simulated this model produces the output: Term 032 3-1-8
Variables and Data Types (Cont.) Variables can be one of 6 data types: bit, bool, byte, short, int, unsigned, chan, mtype, pid unsigned : can be used to declare a quantity that is stored in a user-defined number of bits n, with 1 ≤ n ≤ 32. With the exception of short and int, these data types can store only unsigned values. The precise value ranges of the various types is implementation dependent. For short, int, and unsigned, the effective range matches those of the same types in C programs when compiled on the same hardware. For byte, chan, mtype, and pid, the range matches that of the type unsigned char in C programs. The value ranges for bit and bool are always restricted to two values. Term 032 3-1-9
Variables and Data Types (Cont.) All variables (global or local), including arrays, are by default initialized to 0. Variables always have a strictly bounded range of possible values. E.g., variable w in the last example can only contain values from 0 to 7. If a value is assigned to a variable that lies outside its declared domain, the assigned value is automatically truncated. E.g., byte a = 300; results in the assignment of the value 44 (300%256). Note: When such an assignment is performed during random or guided simulations, SPIN prints an error message to alert the user to the truncation. The warning is not generated during verification runs, to avoid generating large volumes of repetitive output. Multiple variables of the same type can be grouped behind a single type name. E.g., byte a, b[3] = 1, c = 4; Term 032 3-1-10
mtype Variables Variables of type mtype can hold symbolic values. An mtype declaration is typically placed at the start of the specification, and merely enumerates the names. There can be multiple mtype declarations in a model, but distinct declarations do not declare distinct types. None of the names specified in an mtype declaration can match reserved words from PROMELA, such as init, or short. printm can be used to print the symbolic name of an mtype variable. No more than 255 symbolic names can be declared in all mtype declarations combined. The SPIN parser flags an error if this limit is exceeded. Term 032 3-1-11
Arrays Variables can be declared as arrays Index of an array Example: byte state[N] It declares an array of N bytes, accessed as for example: state[0] = state[3] + 5*state[3*2/n] where n can be a constant or a variable Index of an array Any expression that determines a unique integer value Valid range of an index will be from 0 to N-1 An index outside of this range will cause a runtime error Only one-dimensional arrays of variables are supported Possible to define multidimensional arrays by using structure definitions Term 032 3-1-12
Data Structures PROMELA has a mechanism for introducing new types of record structures of variables. E.g., Field and Record This mechanism allows for an indirect way of declaring multidimensional arrays. A two-dimensional array can be created. E.g., Array This creates a data structure of sixteen elements, that can be referenced as a[i].el[j] Term 032 3-1-13
Process Types A process has: A type name (i.e., process type) - declaration Instantiations (i.e., processes) - executions All processes are defined through proctype declaration Example: a process with one local variable named state proctype A() { byte state; state = 3} The process type is named A Body may consist of local variables or channel declarations and statements Statements are separated by “;” (separator) or “->” (causal relationship) No statement terminator Example: byte state =2; /* global variable */ proctype A() { (state==1) -> state = 3} proctype B() { state = state – 1 } Processes of type B are executable and terminates without delay Processes of type A are delayed until variable state contains required value Term 032 3-1-14
The Initial Processes PROMELA needs something like main() in C A proctype definition only declares process behavior How to execute it? It uses a process of type init, which is comparable to main(); or It uses active proctype to instantiate a process once Initially only these processes are executed Process of type init It Does not have to be declared explicitly in a PROMELA specification Processes declared using active proctype Examples: PROMELA equivalent of C “hello world” program init { printf(“hello world\n”) } active proctype hello() { printf(“hello world\n”) } Output: $ spin hello.pml hello world 1 process created Term 032 3-1-15
The Initial Processes (Cont’d) The init process can: Initialize global variables Create message channels Instantiate other processes using “run” Using init process to run other processes Example: init { run A(); run B() } Two processes will run concurrently with init The run statement is executable and returns a positive result only if the process of a given type can be instantiated It is unexecutable and returns 0 if process cannot be instantiated, e.g., due to too many processes Value returned by run is a run-time process number or pid Number of processes and channels is bounded PROMELA models only finite state systems Term 032 3-1-16
proctype Process We can create multiple instantiations of a given proctype. Each running process has a unique process instantiation number (pid). A pid is always non-negative, and assigned in order of creation, starting at zero for the first created process. Each process can refer to its own pid via the predefined local variable _pid. The two processes print the value of their pid and then terminate. Process execution is asynchronous The two output lines are in numeric order here It could have been the opposite. Note: By default, during simulation runs, SPIN arranges for the output of each active process to appear in a different column: the pid number is used to set the number of tab stops used to indent each output line produced by a process. (can be suppressed by using he option –T (i.e., $ spin –T) Term 032 3-1-17
Passing Parameters to a Process Example: proctype A (byte state; short set) { (state == 1) -> state = set } init { run A(1, 3) } Parameter passing is by value Parameter values cannot be passed to the init process, or to processes that are instantiated as active proctype. If these active proctype processes have formal parameters, they are treated as local variables initialized to zero. Valid parameter types: Basic data types Message channels Invalid parameters: Arrays Process types Term 032 3-1-18
Spawning Other Processes Any running process can instantiate other PROMELA processes by using run. A disadvantage: it often creates one process more than strictly necessary (i.e., the init process). For simulation, this would not matter much. In system verification, the system descriptions are kept at a minimum: avoiding all unnecessary elements (i.e., use active proctype) Term 032 3-1-19
Spawning Other Processes (Cont.) Other processes can be spawned from any process using run Not limited to the init process Processes do not behave like functions. Each process, no matter how it is created, defines an asynchronous thread of execution that can interleave its statement executions in arbitrary ways with other processes. Term 032 3-1-20
Process Termination and Process Death Process termination and process death are two distinct events in PROMELA. A process ‘‘terminates’’ when it reaches the end of its code. A process can only ‘‘die’’ and be removed as an active process if all processes that were instantiated later than this process have died first. Processes can terminate in any order, but they can only die in the reverse order of their creation. When a process has terminated, it can no longer execute statements, but will still be counted as an active process. Its pid number remains associated with this process and cannot be reused for a new process. When a process dies, it is removed from the system and its pid can be reused for another process. Term 032 3-1-21
provided clause A process cannot take any step unless its provided clause evaluates to true. The provided clauses used in this example force the process executions to alternate, producing an infinite stream of output. An absent provided clause defaults to the expression true. The use of provided clauses can disable some of SPIN’s most powerful search optimization algorithms. Term 032 3-1-22
Synchronization Problems Potential synchronization problems due to concurrent processes: Deadlocks Races Term 032 3-1-23
Example of Synchronization Problems Consider the following system of two processes sharing access to the global variable state: byte state = 1 proctype A() { (state == 1) -> state = state + 1 } proctype B() { (state == 1) -> state = state – 1 } init { run A(); run B() } Case # 1: One of the two processes terminates before the other Other process blocks forever on the state==1 condition Case # 2: Both processes pass condition simultaneously Both processes terminate but the final value of variable state is unpredictable Could be 0, 1, or 2 Term 032 3-1-24
How To Solve Synchronization Problems Many possible solutions have been proposed: Do not use global variables Use of special instructions Guarantee indivisible (atomic) sequence of test and set instructions on a shared variables Dekker’s mutual exclusion algorithm (1962) Peterson’s mutual exclusion algorithm (1981) Dekker’s algorithm grants mutually exclusive access to a shared variable using 3 global state variables Exclusive access to an arbitrary critical section in the code Term 032 3-1-25
Dekker’s Algorithm in PROMELA Three global variables: x, y, t Synchronize conditions: Line # 11 and # 18 This algorithm can be executed repeatedly Algorithm is independent of the speeds of the two processes PROMELA can avoid atomic test-and-set sequence using atomic sequences Term 032 3-1-26
Atomic Sequences A sequence of statements enclosed in parenthesis can be prefixed with keyword atomic An atomic sequence is one that is executed as: One indivisible unit Non-interleaved with any other processes An error occurs if any statement other than the first in an atomic sequence blocks Executing process aborts in that case Term 032 3-1-27
Atomic Sequences: An Example Example re-written with atomic sequences: byte state = 1 proctype A() { atomic {(state == 1) -> state = state + 1 } } proctype B() { atomic {(state == 1) -> state = state – 1 } } init { run A(); run B() } Final value of state is either 0 or 2 Depending on which process is executed first Term 032 3-1-28
Atomic Sequences: Another Example Atomic sequences can be used to restrict the amount of interleaving among processes Reduces complexity of the validation model Does not alter the behavior in any way Body of a process can be re-written as atomic Usually easy to identify such statements that can be re-written as atomic sequences Example: proctype nr(short pid, a, b) { int res; atomic { res = (a*a+b)/2*a; printf(“result %d: %d\n”, pid, res) } init { run nr(1,1,1); run nr(1,2,2); run nr(1,3,2) } Term 032 3-1-29