VIP: A Visual Editor and Compiler for v-Promela

Stefan LeueAlbert-Ludwigs-University Freiburg

leue@uni-freiburg.de

http://www.informatik.uni-freiburg.de/~leue

March 31, 2000

Stefan Leue - 2 -

Joint work with

Moataz Kamel

Stefan Leue - 3 -

Outline

Introduction

Modeling with VIP structure behaviour

Compilation of Promela code structure behaviour

Property Validation using SPIN POTS CORBA GIOP

Conclusions

Stefan Leue - 4 -

Visual Interface for Promela (VIP)

Based on v-Promela visual notation for describing structure and behaviour of

concurrent, object-based systems syntax based on UML-RT (ROOM in UML’s clothes) incorporates Promela features supports hierarchical modeling of structure and

behaviour can be compiled into Promela code transparent use

of SPIN

Stefan Leue - 5 -

Visual Interface for Promela (VIP)

VIP GUI-based tool for editing and maintaining v-Promela

models v-Promela to Promela compiler

Stefan Leue - 6 -

Modeling Steps Supported by VIP

Structure concurrent objects: capsules message passing interfaces: ports data classes data objects signal lists: protocols

Behaviour states transitions transition code

Stefan Leue - 7 -

Running Example: POTS

Simple Plain Old Telephony Call Processing two user objects each one controlled by a phone handler object phone handlers communicate to set up and tear down

calls

Stefan Leue - 8 -

Structure Definition in VIP

Stefan Leue - 9 -

Protocols

Stefan Leue - 10 -

Data Classes

Stefan Leue - 11 -

Data Classes

Stefan Leue - 12 -

Message Types

Stefan Leue - 13 -

Data Objects

Stefan Leue - 14 -

Ports

Stefan Leue - 15 -

Internal Capsule Structure

Stefan Leue - 16 -

Connectors

Stefan Leue - 17 -

State Machines

Stefan Leue - 18 -

Substate Refinement

Stefan Leue - 19 -

State Entry/Exit Code

Stefan Leue - 20 -

Transition Code

Stefan Leue - 21 -

Transition Code

Stefan Leue - 22 -

Transition Code

Stefan Leue - 23 -

Transition Code

Stefan Leue - 24 -

Buffers and Synchronizers

Buffers queue variables buffer access points producer-consumer system

Synchronizers enable Promela-style synchronous communication

amongst arbitrary sets of capsule instances example: semaphores

Stefan Leue - 25 -

Semaphore

Stefan Leue - 26 -

Buffers and Synchronizers in GIOP

Stefan Leue - 27 -

Structure Implementation

Capsules as proctypes

Ports as proctype parameters

proctype User(chan fromSwitch, toSwitch ){...}

proctype PhoneHandler(chan fromUser, toUser, toOtherHandler, fromOtherHandler ){...}

proctype POTS( ){ chan toUser1435267635 = [1] of { SwitchToUser };

chan fromUser590843343 = [1] of { UserToSwitch }; ...

run User( toUser1435267635, fromUser590843343 );run User( toUser986680783, fromUser849317327 );run PhoneHandler( fromUser590843343, toUser1435267635,

leftToRight1222086095, rightToLeft1089179087 );run PhoneHandler( fromUser849317327, toUser986680783,

rightToLeft1089179087, leftToRight1222086095 );}init{atomic {run POTS();}}

Stefan Leue - 28 -

Behaviour - Implementation

States: Promela labels

Transitions: Promela code + gotos Entry and exit code inlined Transition code atomic

General state code format:

state-name: entry-code;atomic {if:: transition-code_i; exit-code; goto state-namefi }

Stefan Leue - 29 -

Transition Code

if/* correct_connectreq_audiblering */:: received_ph_num.phone_number == 1 -> /* exit digit_received */ /* action correct_connectreq_audiblering */ toOtherHandler!connectreq; toUser!audiblering; /* exit await_digit */ /* action connectreq */ /* entry originator */ /* action untitled */ /* entry party_ringing */ goto party_ringing1956295048

ifidle1723158139::: fromUser?[offhook] && true -> fromUser?UserToSwitch_msg; /* exit idle */ /* action offhook_ */ /* entry await_digit */ toUser!dialtone; /* entry wait */ goto wait2091208315...fi

Stefan Leue - 30 -

Group Transitions

ringing62399654:{if:: fromUser?[offhook] ...fi } unless {if:: fromUser?[onhook]...:: fromOtherHandler?[disconnect] ...fi}

ringing62399654:{if:: fromUser?[onhook] ...:: fromOtherHandler?[disconnect] ...fi } unless {if:: fromUser?[offhook] ...fi}

ringing2063158907:if:: fromUser?[offhook] ...:: fromUser?[onhook] ...:: fromOtherHandler?[disconnect] ...fi

Stefan Leue - 31 -

Property Validation - POTS

Is the model capable of establishing a phone call between parties?

! <> (s && r && p && q)

#define p (PhoneHandler[4]@conversation_orig1702392370)#define q (PhoneHandler[5]@conversation_term163607093)#define r (User[2]@conversation1450209847)#define s (User[3]@conversation1450209847)

Counterexample found:• trail of 872 steps• state-vector 188 bytes• 1 million states, 1.5 million transition• 43 Mbytes of memory

Stefan Leue - 32 -

Property Validation - CORBA GIOP

Comparison with previous, hand-coded model

Some differences: VIP model uses goto, hand-coded model uses control

state variables VIP model uses channels as local variables, hand-

coded model uses global channel variables

Stefan Leue - 33 -

VIP

Implemented in JAVA, using SDK 1.2, and XML

Approximately 1 man-year

Approximately 20000 loc

Class structure documented in UML diagrams, at least initially...

Stefan Leue - 34 -

Conclusions

VIP - based modeling

Compilation of Promela code

Property Validation POTS CORBA GIOP

Expected Benefits increased acceptance of formal modeling and analysis

in practicioner’s circles improved documentation and maintenance of Promela

models facilitated use in education

Stefan Leue - 35 -

To Do ...

Simulation Capability inside VIP

Interpretation of Spin results in VIP model context

Facilitated requirement specification better hooks more suitable requirements languages

– (life) MSCs– graphical interval logics– automata-based observer

Addition of features replication dynamic construction and destruction inheritance

Stefan Leue - 36 -

Public Availability?

Hope to be able to make tool available shortly

Contact:leue@uni-freiburg.de

m2kamel@uwaterloo.ca