+++ /dev/null
-An appendix to Chapter 6 of the book: some extra explanation on pid's
-and on temporal claims. Updated for Spin Version 2.0 - January 1995.
-
-PROCESS IDs
-
-In Spin 2.0 and later the never claim can refer to the control state
-of any process, but not to their local variables.
-This functionality is meant to be used for building correctness assertions
-with never claims. It should never be used for anything else.
-An example is
- Receiver[pid]@place
-where `place' the name of a label within `proctype Receiver,' and
-`pid' is the value returned by the run statement that instantiated the
-copy of the Receiver proctype that we are interested in.
-
-There is a misleading suggestion in the book that says that you can
-usually guess the `pid's. Wiser is to always use the explicit value
-returned by the `run()' statement that instantiated the proces.
-Processes started with the `active' prefix obtain instantiation
-numbers starting at value 1, in the order in which they appear in the
-specification. Each process also has a local variable _pid that
-holds its own instantiation number.
-
-SPECIFYING TEMPORAL CLAIMS
-
-The body of a temporal claim is defined just like PROMELA proctype bodies.
-This means that all control flow structures, such as if-fi selections,
-do-od repetitions, and goto jumps, are allowed.
-There is, however, one important difference:
-
- Every statement inside a temporal claim is (interpreted as) a condition.
- A never claim should therefore never contain statements that can
- have side-effects (assignments, communications, run-statements, etc.)
-
-Temporal claims are used to express behaviors that are considered undesirable
-or illegal. We say that a temporal claim is `matched' if the undesirable
-behavior can be realized, and thus the claim violated.
-
-The recommended use of a temporal claim is in combination with acceptance labels.
-There are two ways to `match' a temporal claim, depending on whether the
-undesirable behavior defines a terminating or a cyclic execution sequence.
-
-o A temporal claim is matched when it terminates (reaches its closing curly brace).
- That is, the claim can be violated if the closing curly brace of the PROMELA
- body of the claim is reachable for at least one execution sequence.
-
-o For a cyclic execution sequence, the claim is matched only when an explicit
- acceptance cycle exists. The acceptance labels within temporal claims
- are user defined, there are no defaults. This means that in the absence of
- acceptance labels no cyclic behavior can be matched by a temporal claim.
- It also means that to check a cyclic temporal claim, acceptance labels should
- only occur within the claim and not elsewhere in the PROMELA code.
-
-
-SEMANTICS
-
-The normal system behavior of a PROMELA system is defined as the
-`asynchronous product' of the behaviors of the individual processes.
-Given an arbitrary system state, its successor states are obtained
-in two steps. In the first step all the executable (atomic) statements in the
-individual processes are identified. In the second step, each one of these
-statements is executed.
-Each single execution produces a successor state in the asynchronous product.
-The complete system behavior is thus defined recursively and
-represents all possible interleavings of the individual process behaviors.
-Call this asynchronous product machine the `global machine'.
-
-The addition of a temporal claim defines an additional `synchronous product'
-of this global machine with the state machine that defines the temporal
-claim. Call the latter machine the `claim machine', and call the new
-synchronous product the `labeled machine'.
-
-Every state in the labeled machine is a pair (p,q) with p a state in the global
-machine and q a state in the claim machine. Every transition in the labeled
-machine is similarly defined by a pair (r,s) with r a transition in the global
-machine and s a transition in the claim machine.
-In other words, every transition in the `synchronous' product is a joint move
-of the global machine and the claim machine.
-(By contrast, every transition in an `asynchronous' product would correspond
-to a single transition in either the global machine or the claim machine, thus
-interleaving transitions instead of combining them.)
-
-Since all statements in the claim machine are boolean propositions, the second
-half of the transition pair (r,s) is either true or false.
-Call all transitions where this proposition is true `matching transitions'.
-In a matching transition proposition s evaluates to true in state system state r.
-Notice that the claim machine has at least one stop state E, the state
-at the closing curly brace of the claim body.
-
-The semantics of temporal claims can now be summed up as follows.
-
-o If the labeled machine contains any sequence of matching transitions only,
- that connects its initial state with a state (p,E) for any p, the temporal
- claim can be matched by a terminating sequence (a correctness violation).
-
-o If the labeled machine contains any cycle of matching transitions only, that
- passes through an acceptance state, the temporal claim can be matched by a
- cyclic sequence.
-
-
-EXAMPLES
-
-Listed below are the equivalent PROMELA definitions for the three basic
-temporal properties defined by Zohar Manna & Amir Pnueli in
-``Tools and Rules for the Practicing Verifier'' Stanford University,
-Report STAN-CS-90-1321, July 1990, 34 pgs.
-
-The following descriptions are quoted from Manna & Pnueli:
-
- ``There are three classes of properties we [...] believe to cover
- the majority of properties one would ever wish to verify.''
-
- 1. Invariance
- ``An invariance property refers to an assertion p, and requires that p
- is an invariant over all the computations of a program P, i.e. all
- the states arising in a computation of P satisfy p. In temporal
- logic notation, such properties are expressed by [] p, for a state
- formula p.''
-
- Corresponding Temporal Claim in PROMELA:
- never {
- do
- :: p
- :: !p -> break
- od
- }
-
- 2. Response
- ``A response property refers to two assertions p and q, and
- requires that every p-state (a state satisfying p) arising in
- a computation is eventually followed by a q-state.
- In temporal logic notation this is written as p -> <> q.''
-
- Corresponding Temporal Claim in PROMELA:
- never {
- do
- :: true
- :: p && !q -> break
- od;
- accept:
- do
- :: !q
- od
- }
-
- Note that using (!p || q) instead of `skip' would check only the
- first occurrence of p becoming true while q is false.
- The above formalization checks for all occurrences, also future ones.
- Strictly seen, therefore, the claim above uses a common interpretation
- of the formula, requiring it to hold always, or: [] { p -> <> q }
-
- 3. Precedence
- ``A simple precedence property refers to three assertions p, q, and r.
- It requires that any p-state initiates a q-interval (i.e. an interval
- all of whose states satisfy q) which, either runs to the end of the
- computation, or is terminated by an r-state.
- Such a property is useful to express the restriction that, following
- a certain condition, one future event will always be preceded by
- another future event.
- For example, it may express the property that, from the time a certain
- input has arrived, there will be an output before the next input.
- Note that this does not guarantee [require] that the output will actually
- be produced. It only guarantees [requires] that the next input (if any)
- will be preceded by an output. In temporal logic, this property is
- expressed by p -> (q U r), using the unless operator (weak until) U.
-
- Corresponding Temporal Claim in PROMELA:
-
- never {
- do
- :: true /* to match any occurrence */
- :: p && q && !r -> break
- :: p && !q && !r -> goto error
- od;
- do
- :: q && !r
- :: !q && !r -> break
- od;
- error: skip
- }
-
- Strictly again, this encodes: [] { p -> (q U r) }
- To match just the first occurence, replace 'true' with (!p || r).