The Meaning of Promela Programs

1
The Meaning of Promela Programs

• process automata/Kripke structure
• program/system asynchronous interleaving
  
• 
  product of automata
• proctype A()
  
• x1y2
• proctype B()
• x3

init
x1 y?
x1 y2
init
x3 y?
init
x3 y?
x1 y?
x1 y2
x3 y?
x1 y?
x1 y2
x3 y2
2

• proctype A()
  
• bit count 0
• do
• (count 0) -gt countcount1
• (count!0) -gt countcount-1
• od
• init run A()

Count0
Count1
3

• chan ch 2 of bit
• proctype A()
  
• bit x0
• do
• ch!x
• ch?x
• od
• init run A()
• OR
• proctype A()

0
0,0
4
Message Passing

• Channels
• allow transfer of data from one process to
  another
• chan one 16 of int
• chan two 1 of bool, int, int
• writing a message
• one!154
• queue!x
• two!false,19393,2
• only executable when the channel is not full
• reading a message
• one?var1
• two?on,num1,num2

5
Message Passing

• prefefined operations
• len(channel) - returns no. of messages
• len of empty channel blocks
• full - returns status (i.e. is channel full)
• empty - returns status (i.e. is channel
  empty)
• Also, nfull and nempty.

6
Message Passing

• channels can also be passed as messages!
• Proctype A(chan q1)
• chan q2
• q1?q2
• q2!123
• Proctype B(chan q3)
• int x
• q3?x
• printf(x d\n, x)
• init
• chan qname 1 of chan
• chan qforb 1 of int
• run A(qname) run B(qforb)

7
Message Passing

• non-destructive read
• q1?message
• message somethinggood -gt something else
• q1?m returns 1if q1?m is executable, 0
  otherwise.
• No side-effects, receive is evaluated, not
  executed.
• race conditions - BE CAREFUL!
• (len (channelA) lt Max) -gt channelA!message
• concurrently with
• channelA! Message
• (len (channelA) gt 0) -gt channelA?x
• concurrently with
• channelA? x