Week 4

Question 1

What is denotational semantics?

Answer 1

a method used to formally define the meaning of programming constructs by mapping them to mathematical objects

focuses on what a program means rather than how it is executed, providing a precise understanding of its behavior using mathematical structures like sets and functions

Question 2

What is partial correctness?

Answer 2

addresses whether a program, when it terminates, reaches the correct state according to a specified specification

verifies if the program produces the desired output when it halts, assuming it does indeed terminate

“partial” because it doesn’t consider whether the program will always terminate (which is covered by total correctness), but only concerns itself with correctness upon termination

Question 3

Three principles of the Classical View of Programs?

Answer 3

1. Denotational semantics
2. Partial correctness
3. Nontermination is bad

Question 4

What is a reactive system?

Answer 4

a system that responds to stimuli from its environment

focuses on communication and interaction

often parallel

nontermination is good

e.g., operating systems, mobile phones, vending machines

Question 5

What are the two views on reactive systems?

Answer 5

1. A process performs an action and becomes another process (Labelled Transition Systems)
2. A process changes state and becomes another process (Kripke Structure)

Question 6

What is a Kripke Structure? Formal definition

Answer 6

A tuple (S, s0, ->, AP, L) where:

S is a set of states
s0 is the initial state
-> (subset of S * S) is a total transition relation
AP is a set of atomic propositions
L:S -> 2^(AP) is a labelling function that assigns a set of atomic propositions to every state

Question 7

What is a Kripke Structure? Informal definition

Answer 7

A graph representing the behaviour of the system, where:

The nodes (circles) represent reachable states.
The edges (arrows) represent transitions between state.
The labelling function maps aech state to a set of properties that hold in that state.

Question 8

What is a path “pi” in a Kripke structure?

Answer 8

A path pi starting in state s is a sequence of states pi = s,s1,s2,s3,s4,… such that s->s1 and si-1 -> si for all i>0

“pi”[i] represents the state at position i in the path pi

“pi”[i…] represents the suffix of the path pi starting at position i

Question 9

What is PROMELA?

Answer 9

A programming language that can be used to model Kripke structures

Question 10

Main Components of a PROMELA Model

Answer 10

1. Type declarations
2. Channel declarations
3. Variable declarations
4. Process declarations
5. “init” process

Question 11

Data Types in PROMELA

Answer 11

1. Five Basic types:
   - bit (0/1)
   - bool (false/true)
   - byte (0, 255)
   - short(many more integers)
   - int (even more integers)
2. Arrays:
   - e.g., byte a[27] or bit flags[4]
3. Records:
   - e.g.,:

typedef Rectangle {
int width;
int height;
}
Rectangle rr;
rr.width = …

4. Message Types/ Enumerations:
   - e.g.,:
   mtype:fruit = {apple, pear};
   mtype:size = {small, medium};

Question 12

Defining a process body in PROMELA

Answer 12

e.g.,:

proctype Name(int parameter) {

x = 1; //assignment
skip; // no action
int y = 1; // assignment
x < 2 && y == 1; // code waits here until this is satisfied
}

Question 13

Executability of Statements in PROMELA:

Answer 13

A statement is either executable or it is blocked.

if the process arrives at a blocked statement, it will stop

statements like skip, assignments, declarations, printf are always executable

an expression is executable if it evaluates to true (or a non zero value)

Question 14

Non-deterministic choice in PROMELA

Answer 14

if statements where multiple if branches are true

if none are true, if-statement blocks

e.g.,

if
:: (true) -> skip;
:: (false) -> skip:
:: else -> skip;
fi

Question 15

Loops in PROMELA

Answer 15

Use do-statements

very similar to if-statement as it needs conditions and any of the true branches may be taken

however once this is finished, the loop returns to the beginning

break statements can be used to transfer control to the end of the do-statement

do
:: (true) -> skip;
:: (false) -> skip;
else -> skip;
od

Question 16

How can one instantiate a process in PROMELA?

Answer 16

Processes can be instantiated by using the run keyword.

E.g., for process bruh, run(bruh) instantiates this process

Question 17

When are run statements blocked?

Answer 17

when 255 procesess are already running

Question 18

What does the keyword active mean for processes? What does active[N] proctype bruh mean?

Answer 18

Means that the process is instantiated from the start.

Means that N instances of the process are instantiated from the start.

Question 19

How is control flow passed in between processes in PROMELA?

Answer 19

all processes are executed concurrently, independently of the speed of the behaviour

Question 20

How do processes communicate in between each other in PROMELA?

Answer 20

through global variables and channels

Question 21

Global variables in PROMELA

Answer 21

defined at the top-level

can be read and updated just like local variables

Question 22

Atomic Statements in PROMELA

Answer 22

can be used to group together statements into an atomic sequences

all statements in such a sequence are thus executed in a single step, i.e., with no interleaving with statements of other processes

statement is executable if stat1 is executable, where stat1 is the first action in the sequence

if any process inside the sequence is blocked, the atomicity token is lost and other processes can execute a step

can be used to reduce the nr of states of a model

Question 23

Types of Properties Able to be Checked By Spin

Answer 23

1. Deadlocks
2. Unreachable code
3. Assertions
4. Linear Time Logic (LTL) Formulas

Question 24

What are deadlocks in PROMELA?

Answer 24

bad endstates, or situations in a concurrent system where two or more processes are unable to proceed because each is waiting for the other to release a resource, leading to a standstill

Question 25

What are unreachable states in promela?

Answer 25

a segment of a program that can never be executed during the normal flow of the program due to conditional statements or other logical constraints

Question 26

What are assertions in promela?

Answer 26

statements embedded in code to express expected conditions that should always hold true, and they are used for runtime verification to detect and handle unexpected situations

Question 27

What are LTL formulas in promela?

Answer 27

formalism for specifying properties of system behaviours over time, allowing the expression of temporal logic properties such as “eventually”, “always”, and “until” to verify system correctness

Question 28

What are safety properties in PROMELA?

Answer 28

properties checking that nothing bad ever happens

e.g., the car never crashes or the system is deadlock free

Question 29

Checking Safety Properties in PROMELA

Answer 29

involves finding a path leading to the “bad” thing

if such a path does not exist, the property is satisfied

safety properties can be expressed by placing assertions in the model

Question 30

What are liveness properties in PROMELA?

Answer 30

properties specifying that something good will eventually happen

e.g., the system eventually terminates, or if X occurs, then Y eventually occurs

Question 31

Checking Liveness Properties in SPIN

Answer 31

involves finding a loop in which the good thing never happens

if such a loop does not exist, then the property is satisfied

liveness properties can be expressed as LTL formulas, which can be added to a model

Question 32

How does deadlock checking work in PROMELA?

Answer 32

SPIN reports deadlocks as invalid end states

only valid end states are at proctype’s }

other valid end states can be indicated using the keyword end

Question 33

How to perform a random simulation of the model?

Answer 33

spin -p -g -l lock.pml

Question 34

How to perform an interactive simulation of the model?

Answer 34

spin -i -p -g -l lock.pml

Question 35

How to generate a verifier for the model and execute it?

Answer 35

1. Generate verifier:

spin -a lock.pml

2. Build the verifier:

gcc -DNOREDUCE -o pan pan.c

3. Execute:

./pan

Or all in one check:

spin -run -noreduce lock.pml

Question 36

How to run a counterexample in SPIN?

Answer 36

spin -t -p -g -l lock.pml

Question 37

Channels in PROMELA

Answer 37

chan <name> = [<dim>] of {<type1>, <type2>,..., <typen>}</typen></type2></type1></dim></name>

e.g., chan c = [0] of {bit, Record}
e.g., chan c[N] = [2] of {mtype, bit}

Question 38

Synchronous Channels

Answer 38

have dimension 0

requires sender and receiver processes to be synchronised in time, blocking each other until communication occurs

Question 39

Asynchronous Communication

Answer 39

have dimension > 0

allows processes to send and receive messages independently, decoupling sender and receiver actions without immediate synchronisation

Question 40

Sending and Receiving messages

Answer 40

ch ! 1; // sends byte 1 across channel ch
ch ? 1; // receives byte 1 across channel ch

Question 41

Message passing vs Message Testing

Answer 41

Message Passing
- ch ? <var1>, <var2>, ..., <varn>, where var1, var2,..., varn represent variables that will be assigned values from the received message</varn></var2></var1>

Message Testing:
- ch ? <const1>, <constr2>, ..., <constn>, where const1, const2,..., constn represent constants that you check whether exist within the message sent</constn></constr2></const1>

eval(var1) is the equivalent of const1 but for the value inside var1