VIP: A Visual Editor and Compiler for v-Promela
Stefan Leue, Albert-Ludwigs-University Freiburg
http://www.informatik.uni-freiburg.de/~leue
March 31, 2000
Stefan Leue - 2 -
Joint work with
Moataz Kamel
Outline
Introduction
Modeling with VIP: structure, behaviour
Compilation of Promela code: structure, behaviour
Property Validation using SPIN: POTS, CORBA GIOP
Conclusions
Visual Interface for Promela (VIP)
Based on v-Promela
visual notation for describing structure and behaviour of concurrent, object-based systems
syntax based on UML-RT (ROOM in UML's clothes)
incorporates Promela features
supports hierarchical modeling of structure and behaviour
can be compiled into Promela code
transparent use of SPIN
Visual Interface for Promela (VIP)
VIP: GUI-based tool for editing and maintaining v-Promela models
v-Promela to Promela compiler
Modeling Steps Supported by VIP
Structure: concurrent objects (capsules); message passing interfaces (ports); data classes; data objects; signal lists (protocols)
Behaviour: states; transitions; transition code
Running Example: POTS
Simple Plain Old Telephony Call Processing: two user objects, each one controlled by a phone handler object; the phone handlers communicate to set up and tear down calls
Structure Definition in VIP
Protocols
Data Classes
Message Types
Data Objects
Ports
Internal Capsule Structure
Connectors
State Machines
Substate Refinement
State Entry/Exit Code
Transition Code
Buffers and Synchronizers
Buffers: queue variables; buffer access points; producer-consumer system
Synchronizers: enable Promela-style synchronous communication amongst arbitrary sets of capsule instances; example: semaphores
Semaphore
Buffers and Synchronizers in GIOP
Structure Implementation
Capsules as proctypes
Ports as proctype parameters
  proctype User(chan fromSwitch, toSwitch) { ... }
  proctype PhoneHandler(chan fromUser, toUser, toOtherHandler, fromOtherHandler) { ... }
  proctype POTS() {
    chan toUser1435267635 = [1] of { SwitchToUser };
    chan fromUser590843343 = [1] of { UserToSwitch };
    ...
    run User( toUser1435267635, fromUser590843343 );
    run User( toUser986680783, fromUser849317327 );
    run PhoneHandler( fromUser590843343, toUser1435267635, leftToRight1222086095, rightToLeft1089179087 );
    run PhoneHandler( fromUser849317327, toUser986680783, rightToLeft1089179087, leftToRight1222086095 );
  }
  init { atomic { run POTS(); } }
Behaviour - Implementation
States: Promela labels
Transitions: Promela code + gotos; entry and exit code inlined; transition code atomic
General state code format:
  state-name:
    entry-code;
    atomic {
      if
      :: transition-code_i; exit-code; goto state-name
      fi
    }
Transition Code
  if
  /* correct_connectreq_audiblering */
  :: received_ph_num.phone_number == 1 ->
     /* exit digit_received */
     /* action correct_connectreq_audiblering */
     toOtherHandler!connectreq;
     toUser!audiblering;
     /* exit await_digit */
     /* action connectreq */
     /* entry originator */
     /* action untitled */
     /* entry party_ringing */
     goto party_ringing1956295048

  idle1723158139:
  if
  :: fromUser?[offhook] && true ->
     fromUser?UserToSwitch_msg;
     /* exit idle */
     /* action offhook_ */
     /* entry await_digit */
     toUser!dialtone;
     /* entry wait */
     goto wait2091208315
  ...
  fi
Group Transitions
  ringing62399654:
    { if
      :: fromUser?[offhook] ...
      fi }
    unless
    { if
      :: fromUser?[onhook] ...
      :: fromOtherHandler?[disconnect] ...
      fi }

  ringing62399654:
    { if
      :: fromUser?[onhook] ...
      :: fromOtherHandler?[disconnect] ...
      fi }
    unless
    { if
      :: fromUser?[offhook] ...
      fi }

  ringing2063158907:
    if
    :: fromUser?[offhook] ...
    :: fromUser?[onhook] ...
    :: fromOtherHandler?[disconnect] ...
    fi
Property Validation - POTS
Is the model capable of establishing a phone call between parties?
  ! <> (s && r && p && q)
  #define p (PhoneHandler[4]@conversation_orig1702392370)
  #define q (PhoneHandler[5]@conversation_term163607093)
  #define r (User[2]@conversation1450209847)
  #define s (User[3]@conversation1450209847)
Counterexample found:
trail of 872 steps
state-vector 188 bytes
1 million states, 1.5 million transitions
43 Mbytes of memory
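Added example, not code emitted by VIP or taken from the slides: a two-capsule fragment written in the compiled shape the Structure Implementation, Behaviour Implementation and Property Validation slides describe (ports as chan parameters, states as labels, each transition an atomic if/goto with exit/entry code inlined, a negated reachability claim whose counterexample trail is the call-setup witness). The message set, the handler's three states and the label names are constructed for illustration.

```promela
/* Added example (constructed): compiled-style Promela for one user
   capsule and one phone-handler capsule. Messages and state names are
   illustrative, not the POTS model's own. */
mtype = { offhook, onhook, dialtone, digit, audiblering };

proctype User(chan fromSwitch, toSwitch) {      /* ports as chan params */
idle:
  atomic { toSwitch!offhook; goto await_tone }
await_tone:
  atomic { fromSwitch?dialtone; toSwitch!digit; goto ringing }
ringing:
  atomic { fromSwitch?audiblering; goto conversation }
conversation:
  atomic { toSwitch!onhook; goto idle }
}

proctype PhoneHandler(chan fromUser, toUser) {
idle:                                           /* state = label */
  atomic {
    if
    :: fromUser?[offhook] -> fromUser?offhook;  /* poll, then consume */
       /* exit idle */ /* entry await_digit */ toUser!dialtone;
       goto await_digit
    fi
  }
await_digit:
  atomic {
    if
    :: fromUser?[digit] -> fromUser?digit;
       /* exit await_digit */ /* entry party_ringing */ toUser!audiblering;
       goto party_ringing
    fi
  }
party_ringing:
  atomic {
    if
    :: fromUser?[onhook] -> fromUser?onhook; /* exit party_ringing */ goto idle
    fi
  }
}

chan toUser   = [1] of { mtype };
chan fromUser = [1] of { mtype };

/* Same style as the POTS check: claim the call state is never reached,
   so the SPIN violation trail is the witness. pids: init 0, User 1,
   PhoneHandler 2 (run order below). */
#define p (PhoneHandler[2]@party_ringing)
#define r (User[1]@conversation)
ltl call_reachable { !(<>(p && r)) }

init { atomic { run User(toUser, fromUser); run PhoneHandler(fromUser, toUser) } }
```

Run with spin -a, compile pan.c and execute pan -a: the reported violation of call_reachable, replayed with spin -t, is the trace in which both capsules are in their conversation states, which is the result the POTS slide reports for the full model.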
Property Validation - CORBA GIOP
Comparison with previous, hand-coded model
Some differences: VIP model uses goto, hand-coded model uses control state variables; VIP model uses channels as local variables, hand-coded model uses global channel variables
VIP
Implemented in JAVA, using SDK 1.2, and XML
Approximately 1 man-year
Approximately 20000 loc
Class structure documented in UML diagrams, at least initially...
Conclusions
VIP-based modeling
Compilation of Promela code
Property Validation: POTS, CORBA GIOP
Expected Benefits: increased acceptance of formal modeling and analysis in practitioners' circles; improved documentation and maintenance of Promela models; facilitated use in education
To Do ...
Simulation Capability inside VIP
Interpretation of Spin results in VIP model context
Facilitated requirement specification: better hooks; more suitable requirements languages: (live) MSCs, graphical interval logics, automata-based observers
Addition of features: replication; dynamic construction and destruction; inheritance
Public Availability?
Hope to be able to make tool available shortly
Contact: [email protected]