A Refinement Calculus for Promela
Asankhaya Sharma Department of Computer Science National University of Singapore ICECCS 2013
Formal Development
Software Requirements → Formal Model → Executable Code. The step from software requirements to the formal model is informal; the formal model is checked by model checking; the step from the formal model to executable code is informal as well. Code synthesis replaces that last informal step: generate executable code from the formal model of the system.
27/2/2019 A Refinement Calculus for Promela
The SPIN Model Checker
- Uses Promela as a modeling language
  - Message passing with channels
  - Non-deterministic choice operator
- Temporal properties are expressed in LTL
  - Check for validity of properties
  - Exhaustive search of the state space for a violation
Formal Development in SPIN
- End to End Verification and Validation with SPIN [CoRR 2013]
Promela Refinement
- Other modeling languages have well defined refinement schemes (Event-B, Z)
- Existing refinement (translation) systems for Promela do not preserve LTL properties
Challenges for Refinement of Promela
- Lack of formal semantics
- Non-determinism
- Synchronous communication (rendezvous channels)
Key Contributions
- A restricted subset of Promela called Featherweight Promela (FP)
- A novel Dual Action Semantics for FP
- A refinement calculus from FP to a Core language
- Soundness of the calculus ensures that temporal properties (LTL) are preserved by refinement
Outline
- Featherweight Promela (FP)
- Dual Action Semantics
- Refinement Calculus
- Implementation
- Case Studies
- Conclusions and Future Work
Featherweight Promela (FP)
Restrictions for easy formalization:
- Minimal syntax
- Only asynchronous message passing with channels
- Existing Promela models can be written in FP
Syntax of FP
  prog ::= p*                                        (process)
  p    ::= t id (t x)* { e }
  e    ::= x | t x ; e | x := e | e1 ; e2            (expression)
        |  :: be -> e | if e fi | do e od            (control flow)
        |  e1 ! e2 | e1 ? e2                         (channels)
        |  run p | atomic e
  t    ::= int | chan | mtype | bit
  x    ::= true | false | v | ()
where id is an identifier, be is a boolean expression and v is an integer value.
Dual Action Semantics
A small step operational semantics in which each step has two actions:
- Local action (sequential)
- Global action (concurrent)
Dual Action Semantics is useful for:
- Isolating concurrency
- Supporting non-determinism
Operational Semantics
Small step:    <e, s> → <e', s'>
Dual actions:  <e, G, s> → <e', G', s'>
  Local action:   <e, s> → <e'', s'>
  Global action:  G' = G ∪ {e''}, then choose e' from G'
The choice of e' from G' is made by a scheduler: non-deterministic, round robin, LIFO or FIFO.
Example

proctype A() {
    f0 = 1;
    do
    :: f1 ->
        if
        :: turn != 0 ->
            f0 = 0;
            turn == 0 -> skip;   /* blocks until turn == 0 */
            f0 = 1;
        :: else -> skip;
        fi
    :: else -> break;
    od;
    t0_incrit = 1;
    t0_incrit = 0;
    turn = 1;
    f0 = 0;
}

proctype B() {
    f1 = 1;
    do
    :: f0 ->
        if
        :: turn != 1 ->
            f1 = 0;
            turn == 1 -> skip;   /* blocks until turn == 1 */
            f1 = 1;              /* re-raise the flag, symmetric to A */
        :: else -> skip;
        fi
    :: else -> break;
    od;
    t1_incrit = 1;
    t1_incrit = 0;
    turn = 0;
    f1 = 0;
}

Execution under the dual action semantics: <(), G, si> →* <(), {}, sf>, where G = {A, B} in the initial state si and in the intermediate states s1, s2, s3, s4, s5, … and G = {} in the final state sf.
Semantics and Refinement
- The dual action semantics captures all possible process interleavings explicitly
- The semantics of SPIN corresponds to the global action with non-deterministic choice
- Refinement applies local transformation rules that preserve state invariants
- The process interleavings of the refined program are a subset of those of the original FP model
Data Refinement (8 rules)
- Translates data structures
Control Refinement (8 rules)
- Translates control flow
- Handles non-deterministic choice
Synchronization Refinement (3 rules)
- Translates channels
- Handles message passing
Data Refinement (Promela construct → C)
  skip                          →  1
  bool                          →  bit
  byte                          →  uchar
  mtype                         →  int
  x id [const] = e              →  x id [const] = e
  typedef t {decl_list}         →  struct t {decl_list}
  mtype = {x1, x2, … xn}        →  #define x1 n ; #define x2 n-1 …
  chan id = [n] of {t1, t2 …}   →  struct chan {t1 x1, t2 x2, …} ; chan id [n]   (data structure for channels)
Control Refinement (Promela construct → C)
  if :: e_list fi               →  e_list
  do :: e_list od               →  while(1) { e_list }
  x ! v1, v2, … vn              →  for(int i = 1; i <= n; i++) { enqueue(x, vi); }     (channel write)
  x ? v1, v2, … vn              →  for(int i = 1; i <= n; i++) { vi = dequeue(x); }    (channel read)
  id (args) {e_list}            →  void id (args) {e_list}
  init { run id (args) … }      →  void main() { thread id; … create(id, args); … join(id, args); … }   (thread create and join)
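The data and control refinement rules for channels, worked through in C as an added example (this is illustrative code, not SpinR output): a Promela `chan c = [2] of { int, bit }` becomes a bounded field-by-field FIFO, and `c ! v1, v2` / `c ? v1, v2` become the enqueue/dequeue loops from the slide. The `bit` typedef, the `N_SLOTS`/`N_FIELDS` constants and the `chan_send`/`chan_recv`/`demo` names are assumptions for this illustration.

```c
#include <stddef.h>

typedef unsigned char bit;  /* C has no bit type; the slide maps bool to bit */

#define N_SLOTS  2          /* the [n] of the Promela channel declaration */
#define N_FIELDS 2          /* the message is {int, bit}: two fields */
#define N_CELLS  (N_SLOTS * N_FIELDS)

/* Refinement of chan c = [2] of {int, bit}: a FIFO that stores one
 * message field per cell (enqueue(x, vi) is called once per field). */
struct chan {
    int buf[N_CELLS];
    int head, len;
};

/* One field in; returns 0 when the buffer is full (a Promela send on a
 * full channel blocks, so a caller in a loop would retry). */
static int enqueue(struct chan *c, int v) {
    if (c->len == N_CELLS) return 0;
    c->buf[(c->head + c->len) % N_CELLS] = v;
    c->len++;
    return 1;
}

/* One field out; returns 0 when the buffer is empty (receive would block). */
static int dequeue(struct chan *c, int *v) {
    if (c->len == 0) return 0;
    *v = c->buf[c->head];
    c->head = (c->head + 1) % N_CELLS;
    c->len--;
    return 1;
}

/* c ! v1, v2 : a whole message is sent or nothing, so fields never interleave */
int chan_send(struct chan *c, const int v[N_FIELDS]) {
    if (c->len + N_FIELDS > N_CELLS) return 0;
    for (int i = 0; i < N_FIELDS; i++) enqueue(c, v[i]);
    return 1;
}

/* c ? v1, v2 : reads the fields of the oldest message in order */
int chan_recv(struct chan *c, int v[N_FIELDS]) {
    if (c->len < N_FIELDS) return 0;
    for (int i = 0; i < N_FIELDS; i++) dequeue(c, &v[i]);
    return 1;
}

/* Constructed round trip: two sends fill the [2] channel, a third must be
 * refused, and the receives return the messages in FIFO order. Returns 1
 * when every step behaved as the Promela channel would, else 0. */
int demo(void) {
    struct chan c = { {0}, 0, 0 };
    const int m1[N_FIELDS] = { 7, 1 }, m2[N_FIELDS] = { 9, 0 };
    int out[N_FIELDS];
    if (!chan_send(&c, m1) || !chan_send(&c, m2)) return 0;
    if (chan_send(&c, m1)) return 0;                 /* buffer full */
    if (!chan_recv(&c, out) || out[0] != 7 || out[1] != 1) return 0;
    if (!chan_recv(&c, out) || out[0] != 9 || out[1] != 0) return 0;
    return chan_recv(&c, out) == 0;                  /* now empty */
}
```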
Non-deterministic Choice
Benign Race
FP non-deterministic choice:
    :: be1 -> e1
    :: be2 -> e2
    …
Core (one thread per branch, racing for turn under a lock):
    id1() { lock(m); if (turn == 0) { e1; turn = 1; } unlock(m); }
    id2() { lock(m); if (turn == 0) { e2; turn = 1; } unlock(m); }
    …
    if (be1) create(id1, ());
    if (be2) create(id2, ());
    …
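The benign-race translation above, written out with POSIX threads as an added example (illustrative code, not SpinR output): both enabled branches are started, but the mutex and the `turn` flag guarantee that exactly one branch body runs, which is what keeps the race benign. The names `e1`, `e2`, `nondet_choice` and `bodies_executed` are assumptions for this illustration.

```c
#include <pthread.h>
#include <stdbool.h>

/* Refinement of   :: be1 -> e1   :: be2 -> e2   into threads id1/id2.
 * turn is only read and written while holding m, so whichever thread
 * locks first runs its body and the other finds turn != 0 and skips. */
static pthread_mutex_t m = PTHREAD_MUTEX_INITIALIZER;
static int turn;     /* 0 until one branch has been taken */
static int chosen;   /* branch body that ran: 1 or 2, 0 if none */
static int bodies;   /* number of branch bodies executed (must stay <= 1) */

static void e1(void) { chosen = 1; bodies++; }
static void e2(void) { chosen = 2; bodies++; }

static void *id1(void *arg) {
    (void)arg;
    pthread_mutex_lock(&m);
    if (turn == 0) { e1(); turn = 1; }
    pthread_mutex_unlock(&m);
    return NULL;
}

static void *id2(void *arg) {
    (void)arg;
    pthread_mutex_lock(&m);
    if (turn == 0) { e2(); turn = 1; }
    pthread_mutex_unlock(&m);
    return NULL;
}

/* Runs the refined choice once for guards be1, be2. Returns the branch
 * taken (1 or 2), or 0 when no guard holds (the Promela choice would
 * block there instead of returning). */
int nondet_choice(bool be1, bool be2) {
    pthread_t t1, t2;
    bool c1 = false, c2 = false;
    turn = 0; chosen = 0; bodies = 0;
    if (be1) c1 = (pthread_create(&t1, NULL, id1, NULL) == 0);
    if (be2) c2 = (pthread_create(&t2, NULL, id2, NULL) == 0);
    if (c1) pthread_join(t1, NULL);   /* join(id1) */
    if (c2) pthread_join(t2, NULL);   /* join(id2) */
    return chosen;
}

/* Branch bodies executed by the last nondet_choice call. */
int bodies_executed(void) { return bodies; }
```

Which of two enabled branches wins depends on thread scheduling, exactly the non-determinism of the FP model, but never more than one body runs.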
Synchronization Refinement
FP → Core
  atomic { e }   →  lock(m); e; unlock(m);     (atomic step)
  xw ! v         →  xw = v; barrier(b);        (rendezvous channels)
  xw ? xr        →  barrier(b); xr = xw;
(Diagram: process P executing atomic e becomes P executing e under the lock; processes P1 and P2 communicating by xw ! v and xw ? xr become P1 and P2 that write xw = v and read xr = xw on either side of the barrier.)
Features for Core Language
The target language for refinement needs:
- A concurrency primitive like threads
- Locks
- Barriers
These are supported by the concurrency models of many existing languages, e.g. Java, C#, and C with POSIX.
More in the Paper
- Extension for real time systems
  - Based on RT Promela
  - Generates code using Real Time POSIX
- Soundness proofs using Dual Action Semantics
  - Preservation of temporal properties (LTL)
Implementation
- Syntax directed translation based on the refinement rules
- SpinR tool
  - Written in Objective Caml
  - Generates C code from Promela models
  - Available at github.com/codelion/SpinR
Experiments
Evaluate the refinement calculus by generating C code from:
- An existing set of Promela models from the literature
  - Principles of the Spin Model Checker [Book]
- A larger case study in the formal development of a cardiac pacemaker
  - Towards A Verified Cardiac Pacemaker [NUS TR 2010]
Results
Promela Model               LoC   LoC (C)   States   States (C)
Spare Channels               86     119        106         14
8-Queens Problem             50      65      41525      39225
Rate Scheduler               87      93         27          –
Fisher's Algorithm           60      74     494729       4337
Chandy Lamport's Algorithm  168     214          –          –
Pacemaker Challenge         389     431     392716          –
For Rate Scheduler and Pacemaker Challenge the slide lists a single state count, reproduced under States; Chandy Lamport's Algorithm has no state counts on the slide. Takeaway: increase in size (LoC), reduction in behaviors (states).
Limitations
Refinement does not handle:
- Non-functional properties (performance)
- Properties that cannot be expressed in LTL
The reduction in behaviors does not ensure that the refined program is:
- Always the desired program
- The simplest (or best) implementation of the model
Conclusions
- Formalized a core subset of Promela (FP) with Dual Action Semantics
- Refinement rules that preserve temporal properties (LTL)
Future Work
- Dual Action Semantics for other languages
- Refinement guidance for desired behavior
- Code generation for more languages (C#, Java)
Thank You
- SpinR tool: github.com/codelion/SpinR
- Formal development methodology: End to End Verification and Validation with SPIN [CoRR 2013]
- Cardiac pacemaker model: Towards A Verified Cardiac Pacemaker [NUS TR 2010]