verification with lola: 2 the lola input language

2. The LoLA Input Language

Plan

• Place/Transition nets

• Verification task

• High-Level nets

• Demo

Place/Transition Nets

N = [P,T,F,W,m0]

PLACE p1, p2, p3, p4;

MARKING p1:2, p3:1, p1:1;

{ this is a comment }

TRANSITION t1 CONSUME p1:3, p2: 1; PRODUCE p3: 2, p1 : 2;

TRANSITION t2 CONSUME p3 : 1; PRODUCE ;

can be replaced as a wholecompatible with computed

markings

only one reference per arc

treated as variables

treated as procedures

Identifiers

Many special characters permitted, eg.

p4 23 message[x=13,from=”bla”]

Reason: easier for tools to generate such names

Storage directives

If bounds for some places are known:

PLACE

p0;

SAFE 3: p1, p2;

SAFE 7: p3, p4;

SAFE: p5;

Only for internal memory allocation, no capacity!

default, #CAPACITY in userconfig.H

= SAFE 1

Fairness Constraintsneeded for the LTL properties only

(fair CTL is not supported so far)

TRANSITION t1 STRONG FAIR

...

TRANSITION t2 WEAK FAIR

...

TRANSITION t3

...

Verification Task Input

• Can be specified inline or as separate file

• For boundedness of places: ANALYSE PLACE p1

• For dead transitions: ANALYSE TRANSITION t2

• For all properties involving state predicate:FORMULA (p1 > 3 OR p2 <= 7) AND NOT p6 = 1

• For CTL model checking:

• FORMULA EXPATH ALWAYS ALLPATH EVENTUALLY p1 > 3

• FORMULA EXPATH (p1 > 7 UNTIL p2 < 3)

High Level Net Input

• Main purpose: To obtain scalable sequences of models

• Deprecated for translation from other formalisms (problem: semantic conformance)

• Will be unfolded into place/transition net anyway

• Experience: Parsing from UNIX pipe no time issue

• Style: algebraic Petri nets with explicit interpretation

Algebraic Petri Nets• Signature: sorts + sorted operation symbols

• Interpretation: sets of values, n-ary functions

• Places: annotated with sort (type) symbol

• interpretation: set of values (colors)

• Transitions: annotated with set of variables, guard expression

• interpretation: every valid assignment is firing mode

• Arcs: annotated with terms over the transition variables

• interpretation: map from firing mode of transition into color set of place

• Marking: written as multiset of terms

Signature: Sorts and their interpretation

SORT a = [ 1 , 5 ]; { 1,2,3,4,5 } b = BOOLEAN; { TRUE, FALSE } c = ENUMERATE red blue green END; { red, blue, green }

d = ARRAY [1,3] OF BOOLEAN;

{ [FALSE|FALSE|FALSE], ... , [TRUE|TRUE|TRUE] }

e = RECORD receiver : a; sender : b; END ; { <1|FALSE>, ...., <3|TRUE> }

scalar arbitrary each value has unique text

representation

“successor” canonically defined on each value set

Signature: operations and their interpretation

SORT phils = [1 , 5 ]; forks = [1 , 5];

FUNCTION leftfork (x : phils) : forksBEGIN RETURN xEND

FUNCTION rightfork(x : phils): forksBEGIN RETURN x + 1END

FUNCTION allthinking () : philsVAR x : phils;BEGIN FOR ALL x DO RETURN x ENDEND

signature

interpretation

result is multiset

expressions evaluate on all integers,

assignments align to value set (modulo

arithmetic)

Statements in function bodyEXIT leave function

RETURN E add value of E to return multiset, continue

L = E assignment

S1 ; S2 sequential composition

WHILE E DO S END while loop

REPEAT S UNTIL E END until loop

FOR x := E1 TO E2 DO S END for loop in canonical order of values

FOR ALL x DO S END for loop through all elements of sort of x

IF E THEN s1 [ELSE S2] END branch statement

SWITCH E CASE E1: S1 ... CASE En: Sn ELSE SEND multibranch statement

no modulo before

assignment

Expressions in function body

X X[a + b] X.c[a + b]

645 TRUE FALSE

A <-> B A -> B A AND B A OR B NOT A

A < B A <= B A > B A >= B A = B A <> B A # B

A + B A * B A - B A / B A MOD B

( E )

[ E1 | E2 | .... | En ]

bla ( E1, ...., En)

pointwise for arrays and records

function must return exactly

one value

Example: NetworkSORT dimensions = [ 1 , 3 ]; row = [ 1 , 3 ]; agent = ARRAY dimensions OF row ;

message = RECORD receiver : agent; sender : agent; END;

FUNCTION X (a:agent;b:agent):message

VAR m : message;

BEGIN

m . receiver = a; m . sender = b; RETURN m

END

FUNCTION N(z:agent):agent

VAR l : dimensions; low : row; high : row;

BEGIN

low = 1; high = low - 1; { remind canonical order }

FOR ALL l DO

IF z [ l ] > 1ow THEN z [ l ] = z [ l ] - 1; RETURN z; z [ l ] = z [ l ] + 1 END;

IF z [ l ] < high THEN z [ l ] = z [ l ] + 1; RETURN z; z [ l ] = z [ l ] - 1 END

END

END

HL PlacesPLACE

SAFE p1 : phils, p2 : forks , p3 ;...

unfolded to:

PLACE SAFE p1.1, p1.2, p1.3, p1.4, p1.5, p2.1, p2.2, p2.3, p2.4, p2.5, p3;

per value

tokens of sort phils

tokens of sort forks

low level place

HL Initial Marking

MARKING th : allphilosophers(), fo : L(allphilosophers()),

th.2 : 3, p3 : 5;

multiterm without variablesorts must fit

unfolded name

low level place

HL TransitionsTRANSITION receive WEAK FAIRVAR sender , receiver : agent;GUARD is_neighbour( sender , receiver)CONSUME channe1 : X ( sender, receiver ) PRODUCE channel : X (N(sender),sender), internal : receiver

unfolded to

TRANSITION receive.[sender=1,receiver=2] WEAK FAIRCONSUME ....

Only instances with satisfied guards are generatedIsolated places are finally removed

valid for all instances

multiterms

firing mode

HL Verification tasks

EXISTS x : phils : ( eating . ( x ) > 0 ) AND thinking.1 = 0ALL y : phils : ( [y = 1] OR fo . ( L(y) ) = 0 )

parenthesescompulsory

any expression