An Overview of PROMELA - PowerPoint PPT Presentation

About This Presentation

Title:

An Overview of PROMELA

Description:

bit, bool, byte, short, int, chan. ... chan qname = [16] of { byte, int, chan, byte } ... proctype fact(int n; chan p) { int result; if ::(n = 1) - p!1 ::(n = 2) ... – PowerPoint PPT presentation

Number of Views:127

Avg rating:3.0/5.0

Slides: 50

Provided by: ShmuelRot1

Learn more at: https://www2.seas.gwu.edu

Category:

more less

Transcript and Presenter's Notes

Title: An Overview of PROMELA

1
An Overview of PROMELA
2
A protocol Validation Language

A notation for the specification and verification
of procedure rules.
A partial description of a protocol called
validation model.
The language PROMELA
Model succinctly as possible to study protocol
structure and to verify completeness and logical
consistency.

3
Goal

Abstract from other issues of protocol design,
such as message format.
A validation model defines the interactions of
processes in a distributed system.
It does not resolve implementation details
It does not say how a message is to be
transmitted or stored.
Concentrate on
the design of a complete and consistent set of
rules to govern the interactions in a distributed
system

4
Processes, Channels, Variables

A validation model is defined in terms of
processes
message channels
state variables
Each object can be translated into a finite state
machine
Processes are global objects

5
Variables, Statements

Variables and channels represent data that can be
either global or local to a process.
Excitability of Statements

6
Conditions Statements

Execution of a statement is conditional on it
executability.
Statement executable or blocked.
Excitability basic means of synchronization.
A process can wait for an event to happen by
waiting for a statement to become executable

7
No Busy Wait

In C
while(a ! b) skip
Becomes in PROMELA
(a b)
If the condition does not hold, execution blocks
until it does.

Variables and Data Types
A variable can be one of the following six
predefined data types
bit, bool, byte, short, int, chan.
The sixth type specifies message channels - an
object that can store a number of values, grouped
in user-defined structures.

The declarations
bool flag
int state
byte msg
define variables that can store integer values in
three different ranges.

10
Arrays

byte stateN
state0 state3 5 state32/n
Where n is a constant or variable defined
elsewhere.

11
Process Types

A process must have a name.
All types of processes that can be instantiated
are defined in proctype declarations.
proctype A() byte state state3
PROMELA defines two statement separators
an arrow -gt
a semicolon
The two separators are equivalent.

12
The Initial Process

A proctype definition only declares process
behavior, it does not execute it.
Initially, only one process is executed a
process of type init which must be declared
explicitly.
The smallest possible PROMELA specification is
init skip
skip is a null statement.

13
init

The initial process can initialize global
variables, create message channels, and
instantiate processes.
init run A() run B()
Processes A and B will run concurrently with
init.
The run statement is executable and returns a
positive result only if the process can
effectively be instantiated.

14
pid

It is non-executable and returns zero if this
cannot be done.
The value returned by run is a run-time process
number, or pid.
I run A() (run B() run C() )

15
run A

run can pass parameter values to the process
proctype A(byte stateshort set)
(state1)-gtstateset
init run A(1, 3)

16
run

An executing process disappear when it terminates
Not before all the processes it instantiated have
terminated first.
byte state 1
proctype A() (state 1) -gt state state 1
proctype B() (state 1) -gt state state - 1
init run A() run B()

17
Termination

If one process terminates before the other
starts, the latter will block forever.
If both pass the condition checks at the same
time, the value of state may be 0, 1, or 2.

define true 1
define false 0
define Aturn 1
define Bturn 0
bool x, y, t
proctype A()
x true t Bturn
(y false t Aturn)
/ critical section /
x false
proctype B() y true t Aturn
(x false t Bturn)
/ critical section /
y false
init run A() run B()

19
Atomic Sequences

A sequence of statements in parentheses prefixed
with atomic indicates that the sequence be
executed as one indivisible unit.
byte state 1
proctype A() atomic(state1)-gt state state
1
proctype B() atomic(state1)-gt state state -
1
init run A() run B()

In this case the final value of state is
either 0 or 2.
Atomic sequences can be an important tool in
reducing the complexity of a validation model.

proctype nr(short pid, a, b)
int res
atomic res (aab)/2a
printf(result d d\n, pid, res)
init run nr(1,1,1)run nr(1,2,2) run nr(1,3,2)

The use of atomic sequences reduces the
complexity of the outcome due to the avoidance of
interleaved behavior.

23
Message Channels

Used to transfer data from one process to
another.
chan a, b chan c3
or
chan c3 4 of byte
Initializes an array of 3 channels, each with a
capacity of 4 message slots, each slot consisting
of one message field of type byte.

chan qname 16 of byte, int, chan, byte
Channel qname can store up to 16 messages each of
which has 4 fields as above.

25
The statement

qname!expr
sends the value expression expr to the channel
qname.
It appends expr to the tail of the implied queue.
qname?msg
retrieves a message from the head of channel
qname and stores it in msg.

26
Channels are FIFO

Multiple values are specified
qname!expr1,expr2,expr3
If more parameters are sent than the channel can
store, the redundant parameters are lost.
If fewer parameters are sent than the channel can
store, the value of the remaining parameters is
undefined.

By convention, the first message field is often
used to specify the message type.
qname!expr1(expr2,expr3)
The send operation is executable only when the
channel addressed is not full.
The receive operation is executable only when the
channel is non-empty.

Some of the arguments in the receive can be
constant
qname?cons1,var2,cons2
In this case, the receive is executable only when
the value of all message fields specified as
constants match the value of the corresponding
fields in the message at the head of the channel.

proctype A(chan q1)
chan q2
q1?q2
q2!123
proctype B(chan qforb)
int x
qforb?x
printf(x d\n, x)
Init
chan qname2 1 of chan
chan qforb 1 of int
run A(qname0)run B(qforb)
qname!qforb

The channel qforb is not declared as an array and
therefore the send and the end of the initial
process do not need an index.
The value printed by B will be 123.
Send and receive may have side-effects
(qname?var 0)
or
(a gt b qname!123)
are invalid in PROMELA.

qname?ack,var
is evaluated as condition and can be combined
with other Boolean expressions.
It returns a positive result if the corresponding
receive statement
qname?ack,var
would be executable.

32
Rendezvous Communication

So far we have discussed asynchronous
communications.
Using a channel size of zero
chan port 0 of byte
defines a rendezvous port that can pass only a
single-byte messages.

define msgtype 33
chan name 0 of byte, byte
proctype A()
name!msgtype(124)
name!msgtype(121)
proctype B()
byte state
name?msgtype(state)
init
atomic run A() run B()

The two processes synchronously execute a
handshake on message msgtype and transfer of 124
to variable state.
The second statement in process A is
non-executable.

35
Control Flow

We have seen three types of control flows
concatenation of statements within a
process
parallel execution of processes
atomic sequences
Three other control flow constructs in PROMELA
case selection
repetition
unconditional jumps

36
Case Selection

Using the relative values of two variables a and
b to choose between two options.
if
( a ! b ) -gt option1
( a b ) -gt option2
fi
The first statement is called a guard.
If all guards are non-executable, the process
blocks until at least one can be selected.