
A Refinement Calculus for Promela
Asankhaya Sharma
Department of Computer Science, National University of Singapore
ICECCS 2013

Formal Development
[Figure: Software Requirements (informal) -> Formal Model (model checking) -> Executable Code (executable code synthesis); the step addressed in this talk is to generate executable code from the formal model of the system.]
27/10/2021 A Refinement Calculus for Promela 2

The SPIN Model Checker
• Uses Promela as a modeling language
  – Message passing with channels
  – Non-deterministic choice operator
• Express temporal properties in LTL
• Check for validity of properties
  – Exhaustive search of the state space for a violation
• Formal Development in SPIN
  – End to End Verification and Validation with SPIN [CoRR 2013]

Promela Refinement
• Other modeling languages have well defined refinement schemes (Event-B, Z)
• Existing refinement (translation) systems for Promela do not preserve LTL properties
• Challenges for refinement of Promela
  – Lack of formal semantics
  – Non-determinism
  – Synchronous communication (rendezvous channels)

Key Contributions
• A restricted subset of Promela called Featherweight Promela (FP)
• A novel Dual Action Semantics for FP
• Refinement calculus from FP to a Core language
  – Soundness of the calculus ensures that temporal properties (LTL) are preserved by refinement

Outline
• Featherweight Promela (FP)
• Dual Action Semantics
• Refinement Calculus
• Implementation
• Case Studies
• Conclusions and Future Work

Featherweight Promela (FP)
• Restrictions for easy formalization
  – Minimal syntax
  – Only asynchronous message passing with channels
• Existing Promela models can be written in FP

Syntax of FP
  prog ::= p*                                        (process)
  p    ::= t id (t x)* { e }                         (expression)
  e    ::= x | t x ; e | x := e | e1 ; e2            (control flow)
         | :: be -> e | if e fi | do e od
         | e1 ! e2 | e1 ? e2                         (channels)
         | run p | atomic e
  t    ::= int | chan | mtype | bit
  x    ::= true | false | v | ()
where id is an identifier, be is a boolean expression and v is an integer value

Dual Action Semantics
• A small step operational semantics in which each step has two actions
  – Local action (sequential)
  – Global action (concurrent)
• Dual Action Semantics is useful for
  – Isolating concurrency
  – Supporting non-determinism

Operational Semantics
• Small step:    <e, s> -> <e', s'>
• Dual actions:  <e, G, s> -> <e', G', s'>
  – Local:  <e, s> -> <e'', s'>
  – Global: choose e' from G', where G' = G ∪ {e''}
• Scheduler (the policy that chooses e' from G'): Non-deterministic, Round Robin, LIFO, FIFO

Example
  /* Global declarations and init are not shown on the slide; added here so the model is complete */
  bit f0, f1, turn;
  bit t0_incrit, t1_incrit;

  proctype A() {
    f0 = 1;
    do
    :: f1 ->
       if
       :: turn != 0 -> f0 = 0; turn == 0 -> skip; f0 = 1;
       :: else -> skip;
       fi
    :: else -> break;
    od;
    t0_incrit = 1;
    t0_incrit = 0;
    turn = 1;
    f0 = 0;
  }

  proctype B() {
    f1 = 1;
    do
    :: f0 ->
       if
       :: turn != 1 -> f1 = 0; turn == 1 -> skip; f1 = 1;
       :: else -> skip;
       fi
    :: else -> break;
    od;
    t1_incrit = 1;
    t1_incrit = 0;
    turn = 0;
    f1 = 0;
  }

  init { run A(); run B(); }

[Figure: execution trace <(), G, si> ->* <(), {}, sf> through states si, s1, s2, …, sf; at each step the global set G holds the processes still to be scheduled (A, B) and the scheduler picks one of them, until G = {}.]

Semantics and Refinement
• Captures all possible process interleavings explicitly
  – The semantics of SPIN corresponds to the global action with non-deterministic choice
• Refinement applies local transformation rules that preserve state invariants
  – The process interleavings of the refined program are a subset of those of the original FP model

Refinement Calculus
• Data Refinement (8 rules)
  – Translates data structures
• Control Refinement (8 rules)
  – Translates control flow
  – Handles non-deterministic choice
• Synchronization Refinement (3 rules)
  – Translates channels
  – Handles message passing

Data Refinement (FP construct -> Core language construct)
  skip                             ->  1
  bool                             ->  bit
  byte                             ->  uchar
  mtype                            ->  int
  x id[const] = e                  ->  x id[const] = e
  typedef t {decl_list}            ->  struct t {decl_list}
  mtype = {x1, x2, … xn}           ->  #define x1 n ; #define x2 n-1 ; …
  Data structure for channels:
  chan id = [n] of {t1, t2 …}      ->  struct chan {t1 x1, t2 x2, …} ; chan id[n]

Control Refinement (FP construct -> Core language construct)
  if :: e_list fi                  ->  e_list
  do :: e_list od                  ->  while(1) { e_list }
  Channel read and write:
  x ! v1, v2, . . . vn             ->  for(int i = 1 ; i <= n ; i++) { enqueue(x, vi) ; }
  x ? v1, v2, . . . vn             ->  for(int i = 1 ; i <= n ; i++) { vi = dequeue(x) ; }
  Thread create and join:
  id (args) {e_list}               ->  void id (args) {e_list}
  init { run id (args) … }         ->  void main() { thread id ; … create(id, args) ; … join(id, args) ; … }
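
The asynchronous channel rules above (struct-backed channel, one enqueue or dequeue per message field), as an added C example that is not from the slides or the Spin.R tool; struct chan, enqueue, dequeue follow the slide's names, while NFIELDS, CAP, chan_init, chan_send2 and chan_recv2 are this example's own, and the all-or-nothing room check in chan_send2 is an addition that keeps multi-field messages from being split.

```c
#define NFIELDS 2   /* fields per message: the n in x ! v1, ..., vn */
#define CAP 4       /* channel capacity in messages: the [n] in chan id = [n] of {...} */

/* Refined channel: a FIFO with one slot per field, so a message of NFIELDS
 * fields occupies NFIELDS consecutive slots (layout assumed for this example). */
struct chan {
    int buf[CAP * NFIELDS];
    int head, count;
};

void chan_init(struct chan *x) { x->head = 0; x->count = 0; }

/* enqueue/dequeue move a single field; they return 0 where a Promela send
 * on a full channel or receive on an empty channel would block. */
static int enqueue(struct chan *x, int v) {
    if (x->count == CAP * NFIELDS) return 0;
    x->buf[(x->head + x->count) % (CAP * NFIELDS)] = v;
    x->count++;
    return 1;
}
static int dequeue(struct chan *x, int *out) {
    if (x->count == 0) return 0;
    *out = x->buf[x->head];
    x->head = (x->head + 1) % (CAP * NFIELDS);
    x->count--;
    return 1;
}

/* x ! v1, v2  ->  for (i = 1..n) enqueue(x, vi)
 * The room check up front keeps messages whole: a half-sent message would
 * misalign every later receive (this check is the example's addition). */
int chan_send2(struct chan *x, int v1, int v2) {
    int v[NFIELDS] = { v1, v2 };
    if (x->count + NFIELDS > CAP * NFIELDS) return 0;
    for (int i = 0; i < NFIELDS; i++) enqueue(x, v[i]);
    return 1;
}

/* x ? v1, v2  ->  for (i = 1..n) vi = dequeue(x) */
int chan_recv2(struct chan *x, int *v1, int *v2) {
    int *v[NFIELDS] = { v1, v2 };
    if (x->count < NFIELDS) return 0;
    for (int i = 0; i < NFIELDS; i++) dequeue(x, v[i]);
    return 1;
}
```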

Non-deterministic Choice (refined as a benign race)
  :: be1 -> e1
  :: be2 -> e2
  ->
  id1() { lock(m); if (turn == 0) { e1; turn = 1; } unlock(m); }
  id2() { lock(m); if (turn == 0) { e2; turn = 1; } unlock(m); }
  …
  if (be1) create(id1, ());
  if (be2) create(id2, ());
  …
Whichever enabled thread takes the lock first runs its branch and sets turn, so exactly one enabled branch executes; the race between the threads stands in for the non-deterministic choice.
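
The benign-race rule above as an added C/pthreads example, not code from the slides or from Spin.R; lock(m), turn, id1 and id2 follow the slide, while run_choice, branch_taken and executed are this example's own bookkeeping.

```c
#include <pthread.h>
#include <stdio.h>

static pthread_mutex_t m = PTHREAD_MUTEX_INITIALIZER;
static int turn;          /* 0: choice still open, 1: one branch has already run */
static int branch_taken;  /* which ei ran: 1 or 2 (example's own bookkeeping) */
static int executed;      /* how many branches ran; the refinement must keep this at 1 */

/* The branch bodies e1 and e2; here they only record that they ran. */
static void e1(void) { executed++; branch_taken = 1; }
static void e2(void) { executed++; branch_taken = 2; }

/* id1/id2 as on the slide: lock(m); if (turn == 0) { ei; turn = 1; } unlock(m); */
static void *id1(void *arg) {
    (void)arg;
    pthread_mutex_lock(&m);
    if (turn == 0) { e1(); turn = 1; }
    pthread_mutex_unlock(&m);
    return NULL;
}
static void *id2(void *arg) {
    (void)arg;
    pthread_mutex_lock(&m);
    if (turn == 0) { e2(); turn = 1; }
    pthread_mutex_unlock(&m);
    return NULL;
}

/* The refined choice: create a thread for each branch whose guard holds,
 * then join. Returns the branch that ran, or 0 when no branch ran
 * (with no guard true the Promela choice would block). */
int run_choice(int be1, int be2) {
    pthread_t t1, t2;
    turn = 0; branch_taken = 0; executed = 0;
    if (be1) pthread_create(&t1, NULL, id1, NULL);
    if (be2) pthread_create(&t2, NULL, id2, NULL);
    if (be1) pthread_join(t1, NULL);
    if (be2) pthread_join(t2, NULL);
    return executed == 1 ? branch_taken : 0;
}

int main(void) {
    /* With both guards true the winner varies between runs, but exactly one branch executes. */
    for (int i = 0; i < 5; i++)
        printf("run %d: branch %d\n", i, run_choice(1, 1));
    return 0;
}
```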

Synchronization Refinement
  Atomic step:
    atomic { e }   (in P)          ->  lock(m) ; e ; unlock(m) ;
  Rendezvous channels:
    xw ! v   (in P1)               ->  xw = v ; barrier(b) ;
    xw ? xr  (in P2)               ->  barrier(b) ; xr = xw ;
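
The rendezvous rule above as an added C/pthreads example (not from the slides or Spin.R): P1 and P2, xw, xr and barrier(b) follow the slide, and rendezvous() is this example's own driver; pthread_barrier_wait stands in for barrier(b).

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdio.h>

static pthread_barrier_t b;
static int xw;   /* shared slot standing in for the zero-capacity channel xw */
static int xr;   /* P2's local variable after the receive */

/* P1: xw ! v  ->  xw = v ; barrier(b) ; */
static void *P1(void *arg) {
    xw = *(int *)arg;
    pthread_barrier_wait(&b);
    return NULL;
}

/* P2: xw ? xr  ->  barrier(b) ; xr = xw ;
 * The barrier orders P1's write before P2's read, which is the
 * synchronisation a rendezvous channel gives in Promela. */
static void *P2(void *arg) {
    (void)arg;
    pthread_barrier_wait(&b);
    xr = xw;
    return NULL;
}

/* One rendezvous of value v between P1 and P2; returns what P2 received.
 * P2 is started first to show that it really waits for P1 to arrive. */
int rendezvous(int v) {
    pthread_t t1, t2;
    xr = -1;
    pthread_barrier_init(&b, NULL, 2);   /* two parties to the rendezvous */
    pthread_create(&t2, NULL, P2, NULL);
    pthread_create(&t1, NULL, P1, &v);
    pthread_join(t1, NULL);
    pthread_join(t2, NULL);
    pthread_barrier_destroy(&b);
    return xr;
}

int main(void) {
    printf("P2 received %d\n", rendezvous(42));
    return 0;
}
```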

Features for Core Language
• The target language for refinement needs
  – A concurrency primitive like threads
  – Locks
  – Barriers
• Supported by the concurrency models of many existing languages, such as
  – Java
  – C#
  – C with POSIX

More in the Paper
• Extension for real time systems
  – Based on RT Promela
  – Generates code using Real Time POSIX
• Soundness proofs using Dual Action Semantics
  – Preservation of temporal properties (LTL)

Implementation
• Syntax directed translation based on the refinement rules
• Spin.R tool
  – Written in Objective Caml
  – Generates C code from Promela models
  – Available at github.com/codelion/Spin.R

Experiments
• Evaluate the refinement calculus by generating C code from
  – An existing set of Promela models from the literature
    • Principles of the Spin Model Checker [Book]
  – A larger case study in the formal development of a cardiac pacemaker
    • Towards A Verified Cardiac Pacemaker [NUS TR 2010]

Results
  Promela Model               LoC   LoC (C)      States   States (C)
  Spare Channels               86       119         106           14
  8-Queens Problem             50        65       41525        39225
  Rate Scheduler               87        93          27           27
  Fisher's Algorithm           60        74      494729         4337
  Chandy Lamport's Algorithm  168       214    14632233     13063946
  Pacemaker Challenge         389       431    35684919       392716
  LoC vs LoC (C): increase in size; States vs States (C): reduction in behaviors

Limitations
• Refinement does not handle
  – Non-functional properties (performance)
  – Properties that cannot be expressed in LTL
• The reduction in behaviors does not ensure
  – That the refined program is always the desired program
  – The simplest (or best) implementation of the model

Conclusions
• Formalized a core subset of Promela (FP) with Dual Action Semantics
• Refinement rules that preserve temporal properties (LTL)
• Future work
  – Dual Action Semantics for other languages
  – Refinement guidance for desired behavior
  – Code generation for more languages (C#, Java)

Thank You
• Spin.R tool: github.com/codelion/Spin.R
• Formal development methodology: End to End Verification and Validation with SPIN [CoRR 2013]
• Cardiac pacemaker model: Towards A Verified Cardiac Pacemaker [NUS TR 2010]