Concurrent Programs as State Space Automata

The notions we've seen of states, traces, and state spaces aren't specific to Promela, but are useful in any formalization of concurrent systems. In fact, we are ready to give one precise definition of a ``concurrent system'' in terms states and traces. It is similar to many conventional automata definitions, but includes a way to relate the current state to propositions, which we can later construct formulas out of.

Definition 1: State Space Automaton

A State Space Automaton AA is a tuple S s0 T Prop P S s0 T Prop P where:

• SS is a set of states. As before, a state is an assignment to all program variables (both local an global), including the program counter (line number) for each process.
• s0∈S s0 S is the initial state or start state.
• T⊆S×S T S S is the transition relation. Equivalently, this is the edge relation of the state space.
• PropProp, a set of propositions.
• P : S→2Prop P : S→2Prop is a mapping which, given a state, indicates all the properties that are true in that state.

It is the set PropProp which will allow us to talk about our program variables in our logic formulas. The elements of PropProp are simple propositions involving program variables. For example,

Definition 2: Trace

Given a state space automaton, a trace σσ (sometimes called an ωω-trace) is a (possibly infinite) sequence of states σ0σ0, σ1σ1, σ2σ2, … which respects the automaton's transtion relation TT.

Thus a trace is a path through the state space (as we have already seen). Now that we have logic propositions associated with each state, we can see that during a trace, those propositions will change their truth value over time. We'll illustrate this with diagrams like the following.

Figure 1: A timing diagram for a trace σσ, and propositions pp and qq. Each propositional variable's value during the trace is depicted as a line. When the line is high, the proposition is true; when low, false.

In this example, pp and qq are propositions from PropProp. Since in the trace σσ, we have pp being true at (for example) index 2, we write σ2 ⊧ pσ2 ⊧ p. In this diagram, it is also the case that σ0 ⊧ (p∨q)σ0 ⊧ (p∨q). 1

Although a bit unintuitive at first, it will be convenient to convert all finite traces into infinite ones. To do the conversion, we simply envision that once the automaton reaches its ostensibly last (nnth) state, it languishes furiously in that state over and over:

Definition 3: Stutter-Extend

The finite trace σ0,…,σnσ0,…,σn can be stutter-extended to the infinite trace σ0, …, σn, σn, σn, … σ0, …, σn, σn, σn, … .

To ensure this still satisfies the definition of a trace (where successive states must obey the automaton's transition relation), it is often assumed that every state has a transition to itself. Note that this convention precludes assuming that something must change between one state and the next, which is plausible since we are modeling asynchronous systems. This will be reflected in our formal logic below, which will have no built-in primitive for ``the-next-state''.

State Formulas

Now that we have a formal model of what a trace is, we can start to make formal statements about what happens in a trace. The simplest statements are state formulas, i.e., propositional formulas built out of PropProp. For a given trace σσ and state formula ψψ, we can immediately decide whether a particular state σiσi satisifes ψψ (notationally, ``σi ⊧ ψσi ⊧ ψ'').

Example 2

Consider the trace σσ we saw previously and is repeated here.

Figure 2: A timing diagram for a trace σσ, and propositions pp and qq.

For which ii does σi ⊧ (p∧q)σi ⊧ (p∧q)? For which ii does σi ⊧ (p∨q)σi ⊧ (p∨q)? How about σi ⊧ (p→q)σi ⊧ (p→q)?

However it doesn't make sense a priori to ask whether an entire trace satisfies some particular state formula; unlike regular propositional logic, the truth of state formulas changes over time, as the trace σσ progresses.

Introducing Temporal Connectives

So, how do we talk about formulas holding (or not) over time? In addition to making formulas out of ∧∧,∨∨,¬¬ and propositions from the set PropProp, we'll allow the use of temporal connectives.

As a mnemonic for the symbols ``□□'' and ``◇◇'', we can imagine a square block of wood sitting on a table. Orienting it like □□, it will always sit there; orienting it like ◇◇, it will eventually teeter.

More formally, we define these connectives as follows.

Definition 4: Always

σi ⊧ □φσi ⊧ □φ iff ∀j≥i. σj ⊧ φ∀j≥i.σj ⊧ φ

Example

Figure 3: A generic trace σσ satisfying σi ⊧ □pσi ⊧ □p. pp is true in state ii and all later states.

Exercise 1

Decide whether each is true or false for following trace σσ (the same one seen earlier).

Figure 4: A timing diagram for a trace σσ, and propositions pp and qq

1. σ9 ⊧ □qσ9 ⊧ □q
2. σ9 ⊧ □¬pσ9 ⊧ □¬p
3. σ0 ⊧ □qσ0 ⊧ □q
4. σ0 ⊧ □(p→q)σ0 ⊧ □(p→q)

Solution

1. True; from σ9σ9 onwards, qq stays true.
2. True. Even stronger, σ7 ⊧ □¬pσ7 ⊧ □¬p.
3. False, since σ3 ⊭ qσ3 ⊭ q.
4. True, since at each individual index ii (from 0 on up), σi ⊧ (p→q)σi ⊧ (p→q).

[ Show Solution ] [ Hide Solution ]

Definition 5: Eventually

σi ⊧ ◇φσi ⊧ ◇φ iff ∃k≥i. σk ⊧ φ∃k≥i.σk ⊧ φ

Example

Figure 5: A generic trace σσ satisfying σi ⊧ ◇qσi ⊧ ◇q. qq is true in some state kk after state ii.

Before continuing on with our two other connectives (strong- and weak-until), let's pull back a bit and look at our notation.

Definition 6: Strong Until

σi ⊧ (φUψ)σi ⊧ (φUψ) iff ∃k≥i. (σk ⊧ ψ∧∀j. ( i ≤ j < k →σj ⊧ φ) )∃ki.(σk ⊧ ψ∧∀j. ( i ≤ j < k →σj ⊧ φ) ) .

Example

Figure 6: A generic trace σσ satisfying σi ⊧ (rUs)σi ⊧ (rUs). rr is true in states ii through (k−1)(k1).

Exercise 3

Decide whether each is true or false for following trace σσ: (This is the same trace seen earlier.)

Figure 7: A timing diagram for a trace σσ, and propositions pp and qq.

1. σ0 ⊧ (qUp)σ0 ⊧ (qUp)
2. σ2 ⊧ (qUp)σ2 ⊧ (qUp)
3. σ5 ⊧ (qUp)σ5 ⊧ (qUp)
4. σ9 ⊧ (qUp)σ9 ⊧ (qUp)

Solution

1. True. qq is true in σ0σ0, and it doesn't take long before pp becomes true in σ1σ1.
2. False. Starting at σ2σ2, we see that pp doesn't become true until σ5σ5, yet qq doesn't stay true that long.
3. Very true, since pp is already true in σ5σ5. (In the definition, take kk=5; then there are not any jj to even need to worry about.)
4. False. Since pp is false from σ9σ9 onward, we can't even find a (k≥9)(k9) such that σk ⊧ pσk ⊧ p. However, it is true that σ9 ⊧ (qWp)σ9 ⊧ (qWp).

[ Show Solution ] [ Hide Solution ]

Any logic that includes temporal connectives is a temporal logic. More specifically, this is Linear Temporal Logic (LTL). The ``linear'' part of this name means that we are looking only at individual traces, rather than making formulas that discuss all possible traces of a program. After all, a single program can result in many possible traces. An LTL formula does not allow us to say, for example, that a property holds in all possible executions of the program. However, SPIN overcomes some limitations by essentially testing an LTL formula against all possible traces. Will will return to SPIN in the next section.

In summary, the syntax used in SPIN is given by the following grammar.

Do we really need a whole new logic?

We could use regular ol' first-order logic as our formal language for specifying temporal properties. We'd do this by adding an explicit time index to each proposition in PropProp, turning it into a unary relation. For example, instead of considering Philosopher_B_has_forkPhilosopher_B_has_fork in state 17, we'd instead write Philosopher_B_has_fork⁡(17)Philosopher_B_has_fork⁡(17), and so on.

This approach, though, quickly becomes cumbersome. Consider the everyday concept ``Someday, X will happen''. We have to go through some contortions to shoehorn this concept into first-order logic: ``There exists a day dd, such that dd is today or later, and X will happen on dd''. Quite a mouthful for what is about the simplest temporal concept possible!

The awkwardness stems from the fact that in English, ``eventually'', ``always'', and ``until'' are primitives. When we design a formal language to capture with these concepts, shouldn't we too include them as primitives? Having our formal representations reflect our natural conceptions of problems is the first law of programming!

This is why we have decided to incur the overhead of defining a new language, LTL. Still, you have noticed that the semantics we've given are phrased in terms of ``∀i.∀i.…''. From a language designer's perspective, we might say that LTL is a high-level language, and we give an interpreter for it written in first-order logic (over the domain of trace-indices).

Translating between English and LTL: Examples

Let's look at how to turn a natural-English specification into temporal logic, and vice versa.

From these examples and the ones following, we can see that English is typically too ambiguous. To get the appropriate logic formula, we need to go back to the original problem and determine what was truly meant. Formalizing your specifications into temporal logic gives you the opportunity to closely examine what those specifications really should be.

Given a formula, try to understand it by translating it into English. Providing sample timelines that satisfy the formula is also quite helpful.

Exercise 6

Describe the meaning of □◇p□◇p in words and a timeline.

Solution

Literally, we can simply say ``always, eventually pp''. While that phrase is fairly common among logicians, it's not very natural or meaningful to most people. A clearer, but more long-winded, equivalent is ``at any point in time, pp will happen in the future''.

More concise, though, is ``pp happens infinitely often''. To understand that, consider a timeline. In words, at any time t0t0, pp will happen sometime in the future; call that time t1t1. And at moment t1t1+1, pp will happen sometime in the future; call that t2t2. Repeat forever.

Figure 10: The beginning of a trace where pp happens infinitely often.

[ Show Solution ] [ Hide Solution ]

Exercise 7

Describe the meaning of □(q→□¬p)□(q→□¬p) in words and a timeline.

Solution

Again, a literal translation is ``always, if q then always not p''. Correct, but a bit more idiomatic-English would be ``whenever q, then forever not p'' or ``Once q, p is forever false''.

Figure 11: The beginning of a trace satisfying the property.

[ Show Solution ] [ Hide Solution ]

Note that we want to include the possibility that nothing is ever produced — we don't always want to enforce weak fairness. Consider an operating system's code for a print server — it is truly important that not owning a printer doesn't mean the OS always crashes!

Through this section, we've seen some of the common patterns that can arise in the formulas. Following upon the idea of Design Patterns as describing common programming idioms, ``Specification Patterns'' describe common logic specification idioms. For a list of LTL specification patterns, see Property Pattern Mappings for LTL.

In addition, there are also algebraic equivalences for LTL, just as there are for propositional logic. We have already seen a DeMorgan-like example; there are also less obvious equivalences, such as distributing □◇□◇ over ∨∨: □◇(φ∨ψ)≡(□◇φ∨□◇ψ)□◇(φ∨ψ)≡(□◇φ∨□◇ψ) and the redundancy of □□-over-∨∨: (□φ∨□ψ)≡□ (□φ∨□ψ) (□φ∨□ψ)≡□ (□φ∨□ψ) It can be fun to dabble in rewriting LTL formulas, but (alas) we won't visit that topic further here.

Using Temporal Logic in SPIN

So, we have a Promela program and an LTL formula to verify. How do we use the tool? In SPIN, in the "Run" menu, select "LTL Property Manager". This opens a new window. The top half contains several subparts for entering an LTL formula, while the bottom half is for using it.

In the "Formula" textbox, you can type an LTL formula. If you prefer, you can enter the operators using the buttons below, rather than typing. Also, you can use the "Load" button to restore a previously-saved LTL formula from a file. For a formula, the next checkboxes allow you to either verify that the formula always holds or never holds. The "Notes" textbox is simply descriptive text. If you plan on saving the formula, it is helpful to remind yourself what this formula means and is used for. The "Symbol Definitions" textbox is where the LTL variables (typically p, q, etc.) are related to the Promela code. This is done through #defines which are temporarily added to your Promela code.

 1  /* Number of copies of the process to run. */
 2  #define NUM_PROCS 3
 3
 4  show bool locked = false;
 5  show int  num_crit = 0;
 6
 7  active[NUM_PROCS] proctype loop()
 8  {
 9    do
10    :: true ->
11
12       atomic {
13         !locked ->
14         locked = true;
15       }
16            
17       /* Critical section of code. */
18       /* Something interesting would go here. */
19            
20       num_crit++;
21       /* assert(num_crit == 1); */
22       num_crit--;
23            
24       locked = false;
25       /* End critical section of code. */
26    od;
27  }
          

#define p ((num_crit == 0) || (num_crit == 1))
          

prompt>  spin -f '[] (p ->  <> (q || !r))'
            

never {    /* !([]p) */
T0_init:
        if
        :: (! ((p))) -> goto accept_all
        :: (1) -> goto T0_init
        fi;
accept_all
        skip
}
        

Full statespace search for:
        …
        invalid end states      - (disabled by never claim)
          

unreached in proctype loop
        line 27, "pan.___", state 11, "-end-"
        (1 of 11 states)
          

#define p (num_crit == 0)
#define q (num_crit == 1)
            

([]<>p) && ([]<>q)
            

([]<>(_pid == 0)) && ([]<>(_pid == 1)) && ([]<>(_pid == 2))
            

pid running;
            

running = _pid;
            

#define p (running == 0)
#define q (running == 1)
#define r (running == 2)
            

([]<>p) && ([]<>q) && ([]<>r)
            

#define p (loop[0]@crit)   /* 0th 'loop' process is at crit. */
#define q (loop[1]@crit)   /* 1st 'loop' process is at crit. */
#define r (loop[2]@crit)   /* 2nd 'loop' process is at crit. */