verification with lola: 2 the lola input language
TRANSCRIPT
2. The LoLA Input Language
Plan
• Place/Transition nets
• Verification task
• High-Level nets
• Demo
Place/Transition Nets
N = [P,T,F,W,m0]
PLACE p1, p2, p3, p4;
MARKING p1:2, p3:1, p1:1;
{ this is a comment }
TRANSITION t1 CONSUME p1:3, p2: 1; PRODUCE p3: 2, p1 : 2;
TRANSITION t2 CONSUME p3 : 1; PRODUCE ;
can be replaced as a wholecompatible with computed
markings
only one reference per arc
treated as variables
treated as procedures
Identifiers
Many special characters permitted, eg.
p4 23 message[x=13,from=”bla”]
Reason: easier for tools to generate such names
Storage directives
If bounds for some places are known:
PLACE
p0;
SAFE 3: p1, p2;
SAFE 7: p3, p4;
SAFE: p5;
Only for internal memory allocation, no capacity!
default, #CAPACITY in userconfig.H
= SAFE 1
Fairness Constraintsneeded for the LTL properties only
(fair CTL is not supported so far)
TRANSITION t1 STRONG FAIR
...
TRANSITION t2 WEAK FAIR
...
TRANSITION t3
...
Verification Task Input
• Can be specified inline or as separate file
• For boundedness of places: ANALYSE PLACE p1
• For dead transitions: ANALYSE TRANSITION t2
• For all properties involving state predicate:FORMULA (p1 > 3 OR p2 <= 7) AND NOT p6 = 1
• For CTL model checking:
• FORMULA EXPATH ALWAYS ALLPATH EVENTUALLY p1 > 3
• FORMULA EXPATH (p1 > 7 UNTIL p2 < 3)
High Level Net Input
• Main purpose: To obtain scalable sequences of models
• Deprecated for translation from other formalisms (problem: semantic conformance)
• Will be unfolded into place/transition net anyway
• Experience: Parsing from UNIX pipe no time issue
• Style: algebraic Petri nets with explicit interpretation
Algebraic Petri Nets• Signature: sorts + sorted operation symbols
• Interpretation: sets of values, n-ary functions
• Places: annotated with sort (type) symbol
• interpretation: set of values (colors)
• Transitions: annotated with set of variables, guard expression
• interpretation: every valid assignment is firing mode
• Arcs: annotated with terms over the transition variables
• interpretation: map from firing mode of transition into color set of place
• Marking: written as multiset of terms
Signature: Sorts and their interpretation
SORT a = [ 1 , 5 ]; { 1,2,3,4,5 } b = BOOLEAN; { TRUE, FALSE } c = ENUMERATE red blue green END; { red, blue, green }
d = ARRAY [1,3] OF BOOLEAN;
{ [FALSE|FALSE|FALSE], ... , [TRUE|TRUE|TRUE] }
e = RECORD receiver : a; sender : b; END ; { <1|FALSE>, ...., <3|TRUE> }
scalar arbitrary each value has unique text
representation
“successor” canonically defined on each value set
Signature: operations and their interpretation
SORT phils = [1 , 5 ]; forks = [1 , 5];
FUNCTION leftfork (x : phils) : forksBEGIN RETURN xEND
FUNCTION rightfork(x : phils): forksBEGIN RETURN x + 1END
FUNCTION allthinking () : philsVAR x : phils;BEGIN FOR ALL x DO RETURN x ENDEND
signature
interpretation
result is multiset
expressions evaluate on all integers,
assignments align to value set (modulo
arithmetic)
Statements in function bodyEXIT leave function
RETURN E add value of E to return multiset, continue
L = E assignment
S1 ; S2 sequential composition
WHILE E DO S END while loop
REPEAT S UNTIL E END until loop
FOR x := E1 TO E2 DO S END for loop in canonical order of values
FOR ALL x DO S END for loop through all elements of sort of x
IF E THEN s1 [ELSE S2] END branch statement
SWITCH E CASE E1: S1 ... CASE En: Sn ELSE SEND multibranch statement
no modulo before
assignment
Expressions in function body
X X[a + b] X.c[a + b]
645 TRUE FALSE
A <-> B A -> B A AND B A OR B NOT A
A < B A <= B A > B A >= B A = B A <> B A # B
A + B A * B A - B A / B A MOD B
( E )
[ E1 | E2 | .... | En ]
bla ( E1, ...., En)
pointwise for arrays and records
function must return exactly
one value
Example: NetworkSORT dimensions = [ 1 , 3 ]; row = [ 1 , 3 ]; agent = ARRAY dimensions OF row ;
message = RECORD receiver : agent; sender : agent; END;
FUNCTION X (a:agent;b:agent):message
VAR m : message;
BEGIN
m . receiver = a; m . sender = b; RETURN m
END
FUNCTION N(z:agent):agent
VAR l : dimensions; low : row; high : row;
BEGIN
low = 1; high = low - 1; { remind canonical order }
FOR ALL l DO
IF z [ l ] > 1ow THEN z [ l ] = z [ l ] - 1; RETURN z; z [ l ] = z [ l ] + 1 END;
IF z [ l ] < high THEN z [ l ] = z [ l ] + 1; RETURN z; z [ l ] = z [ l ] - 1 END
END
END
HL PlacesPLACE
SAFE p1 : phils, p2 : forks , p3 ;...
unfolded to:
PLACE SAFE p1.1, p1.2, p1.3, p1.4, p1.5, p2.1, p2.2, p2.3, p2.4, p2.5, p3;
per value
tokens of sort phils
tokens of sort forks
low level place
HL Initial Marking
MARKING th : allphilosophers(), fo : L(allphilosophers()),
th.2 : 3, p3 : 5;
multiterm without variablesorts must fit
unfolded name
low level place
HL TransitionsTRANSITION receive WEAK FAIRVAR sender , receiver : agent;GUARD is_neighbour( sender , receiver)CONSUME channe1 : X ( sender, receiver ) PRODUCE channel : X (N(sender),sender), internal : receiver
unfolded to
TRANSITION receive.[sender=1,receiver=2] WEAK FAIRCONSUME ....
Only instances with satisfied guards are generatedIsolated places are finally removed
valid for all instances
multiterms
firing mode
HL Verification tasks
EXISTS x : phils : ( eating . ( x ) > 0 ) AND thinking.1 = 0ALL y : phils : ( [y = 1] OR fo . ( L(y) ) = 0 )
parenthesescompulsory
any expression