Lecture 4 Introduction to Promela

Promela and Spin Promela - process meta language G. Holzmann, Bell Labs (Lucent) C-like language + concurrency dyamic creation of concurrent processes communication via message channels synchronous communication (rendez-vous) asynchronous communication (buffered) Spin -tool for analysing Promela programs for simulation, random or interactive for verification of state space e.g. absence of deadlock unexecutable code non-progress execution cycles linear time temporal properties model-checker

3 Promela Programs Consist of processes (global) which specify behaviour message channels variables channels and variables are global or local and only updated by processes. Processes process declaration proctype A (byte state; short foo) { (state == 1) -> state = foo } instantiation A(1,3) creation run A(1,3) run A(1,3); run A(1,4) (; is separator) init - must be declared in every Promela program init { run A(1,3); run A(1,4)}

4 Executability Processes contain statements conditions No difference between conditions and statements: either executable or blocked. 1 represents True; 0 represents False. So, if a statement evaluates to 0, then it is blocked. If it evaluates to 1, then it is executable. (a == b) This is busy waiting: while (a ~=b) do skip A process terminates (and disappears) when it reaches the end of its body and all the processes it started have terminated.

5 Basic Data Types Numbers bit byte short- (2^15)-1.. (2^15)-1 int - (2^31)-1.. (2^31)-1 bool is a synonym for bit. Initialisation upon declaration e.g. bit x=1;

6 Concurrency byte state = 1; proctype A{} {(state == 1) -> state = state + 1 } proctype B{} {state == 1) -> state = state - 1 } init {run A{}; run B{} } Behaviour if A completes before B has started, B will block forever. Final value of state will be 2. if A completes before B has started, B will block forever. Final value of state will be 0. if A and B pass the condition at the same time, then final value of state is 1.

7 An Example: Critical Section Grant processes A and B mutually exclusive access to portions of code. Requires 3 additional variables (Dekker).

8 An Example: Critical Section #define true 1 #define false 0 #define Aturn false #define Bturn true bool x=false; bool y=false; bool t; proctype A{} { x = true; t= Bturn; (y == false | t == Aturn); /*critical section */ x = false } proctype B{} {y = true; t= Aturn; (x == false | t == Bturn); /*critical section */ y = false } init {run A{}; run B{} }

9 Atomic Sequences byte state = 1; proctype A{} {atomic {(state == 1) -> state = state + 1} } proctype B{} {atomic {state == 1) -> state = state - 1} } init {run A{}; run B{} } Behaviour Final value of state will be 2. or Final value of state will be 0. Atomicity reduces interleaving reduces complexity only first statement can be blocking, no others good for dealing with local variable updates

10 Control Flow Case Selection if :: (a != b) -> state = 1 :: (a == b) -> state = 0 fi first statement in each choice is guard choice is selected if its guard is executable if more than one guard is exectable then choice is nondeterminstic Processes can be labelled: loop: x=x+1; goto loop

11 Control Flow Repetition byte count; proctype counter() {do :: count = count + 1 :: count = count - 1 :: count == 0 -> break od} one choice selected, per repetition possibility to break, but could loop infinitely often To force a break: byte count; proctype counter() {do :: (count != 0) -> if :: count = count + 1 :: count = count - 1 fi :: (count == 0) -> break od}