Outline for an Operational-Semantics Definition of PROMELA

q0 q1 q2 q3 q4 q5 q6 q7 q8 q9 q10 q11 q12 Figure 1: Sample Symbolic Labeled Transition System Data structures. Channels with more than one message eld. Run statements with more than one argument. The semantics of the run statement, furthermore, is somewhat diierent from that presented in Page 95 of 1]. In the semantics given here, the run statement cannot be used in composite arithmetic expressions. The semantics deenitions can be modiied fairly straightforwardly to overcome these restrictions. In this section, we illustrate by means of an example how a process declaration in textual form is represented as a symbolic labeled transition system. Consider the following process type which is some arbitrary collection of PROMELA statements. Example 6.1 active proctype foo(int x) f chan c1,c22 chan c3 = 10] of fchang int x1 = 1 int x22 x1 = 2 atomic f (x1 == 2)-> x1 = x1 + 1 g do :: (x 1 > 5)-> x 1 = x 1-5 :: else-> x1 = x1 + 5 odd skipp c1?x1 unless c2?x2 g The symbolic labeled transition system corresponding to this program is hfooo Structure q 0 locals ChansOwned 1 x i where Structure is given in Figure 1. locals is the partial function which t a k es values 0 0 1 a t xx x2 x 1 respectively and undeened at all other arguments. ChansOwned is the nite sequence hc1 i hc2 i hc3 10 chani. The priority of the transition from state q 8 to q 11 is higher than the one from q 8 to q 9. The else statement is translated into the negation of the conjunction of the other guards of the same if or do statement. It is an error to have send or receive statements as alternatives to an else in a if or do statement. Statements that transfer control out of an atomic into a non-atomic region are executed in normal mode. 7 Summary This report gives an outline for an operational-semantics deenition of the veriication language PROMELA. W e s h o wed how a given PROMELA program, represented as sequence of symbolic labeled transition systems, can be translated into a Kripke structure. This was done by deening primitive statements as conditional state transformers. Not deened here is the conversion algorithm, part of SPIN, that translates PROMELA proctype deenitions into symbolic labeled transition systems. Features …