Abstract. SPIN is a tool to simulate and validate Protocols. PROMELA, its source language, is a formal description technique like SDL and Estelle that is based on communicating state machines. Unlike most other tools, SPIN is in the public domain and therefore is one of the most widely used formal veri cation tools today. PROMELA allows to specify distributed automata which can communicate using either message channels or shared memory. This contribution consists of an extension to SPIN which allows the creation of implementations from PROMELA speci cations. This can be used for the creation of test scenarios and the rapid prototyping of validated protocol implementations.
Introduction
Formal Description Techniques FDTs are used in many elds of software engineering. One main application eld is the validation of software designs, especially telecommunication protocols, but they are equally applicable to other elds such as avionics, nuclear power control, medicine, railway control etc. 8 9 10 11 . Usually the FDTs are used for the validation of a design concept. This validation can be achieved either by simulations of the design or with special validation algorithms. After the concept has shown to ful ll the requirements, the formal speci cation usually is used as a guideline for the programmer for the creation of an implementation. However it can also be imagined that the formal speci cation is automatically translated into an implementation. This has the advantage of reducing the probability t o i n troduce new faults when translating it. 2 . PROMELA SPIN The idea to automatically generate executable code from a formal speci cation is not new. Many e orts have been dedicated to this task in the past 4 . The advantage of the PROMELA SPIN 1 system as basis for an automated generation of implementations is the high data consistency when using SPIN. There is only one tool which is used for the simulation and the generation of the validator. By using the same tool, it is less likely that there are inconsistencies between the 1991 Mathematics Subject Classi cation. Primary 54C40, 14E20; Secondary 46E25, 20C20. lation is quite di erent from the code which is generated as C source code for the validator. In most other systems, independent tools are used for simulation, validation and creation of the implementation. Those tools take the formal speci cation as a starting point and use an abstract tree like the one shown in gure 1, i.e. a di erent abstraction is used for simulation, validation and nal implementation. For the simulation and validation, this aspect is not too important. However, for the generation of an an implementation from PROMELA source code the goal obviously is to produce a validated implementation which has certain provable characteristics. To a c hieve this it is necessary to keep as close as possible to the validated code. This means that it is necessary to stay as close to the validated abstraction in the tree in gure 1. This was our starting point for the generation of the implementation. By modifying the tool SPIN, isolating the code for the generation of the state machine | the motor" of the validator | and extending it with additional new code mainly a scheduler, we a c hieve an implementation which has a very high delity to the validated code. The two branches of the abstract tree melt together into one as shown in gure 2 since the same abstraction is used for validation and implementation.
This is the originality of our contribution that distinguishes it from most other tools for the generation of implementations, which are usually implemented as separate, stand alone tools see 6 for a stand alone PROMELA to C compiler. As we already mentioned, the validator which SPIN produces when called with the option -a" is generated as C code. This code is structured in ve les, as depicted in gure 3.
In order to re use the state machine which SPIN generates corresponding to the PROMELA source we need the les pan.m" the forward moves and pan.t" the transition matrix. In addition to those we use parts from pan.c" the main validator code and pan.h". Figure 4 shows an overview over the data dependencies with our extended SPIN tool. The shaded regions in the gure represent the extensions we made for the generation of implementations. This is mainly the scheduler but also some code that allows us to de ne real time timers and to communicate with other UNIX processes.
Scheduling in the Implementation
The state machine plus the additional C code for the implementation are compiled into a UNIX program. Thus multiple proctypes which are designed to run in parallel are executed in one single UNIX process. For the switching between the proctypes a scheduler which selects the next active proctype and takes care of external communications and of timers is needed.
Non Determinism. The most interesting feature of PROMELA as a language is the possibility to describe non determinism. If non deterministic choices are to be translated into executables implementations, there are several possibilities for dealing with it.
In if..fi" and do..od" statements, all executable branches from the current state of the state machine can be chosen in an arbitrary manner. Before choosing Called With The Option "-a" a branch, the scheduler therefore has to test if it is executable. The following three strategies for the choice of the next transition can be imagined:
1. It must be allowed to simplify the implementation b y just choosing always the rst executable branch. The scheduler starts with the rst transition, checks if it is executable, if it isn't, it tests the second one, and so on. This makes it very compact and usually quite performant. The behavior of the implementation will be the same each time it is started because there is no random element i n s c heduling except possible external events. 2. Another possibility is to use a random number generator to choose between the branches. The disadvantage of this method is that the same transition branch m a y b e c hosen more than once. The scheduler has to keep track o f all branches that it already tried to execute because an else" statement that might be one of the branches is only executable if there are no other possible transitions. Since else" is only executable if all other statements in the proctypes state aren't, the scheduler has to do the random branch selections until it has reached all other branches. If a completely random choice is used, some unexecutable branches are probably chosen more than once. Therefore, the scheduler uses more CPU time than necessary. Since we w anted to have at least some random in our implementations, we decided to implement the third algorithm. This also allows us to use implementations for random simulations of the model. Blocking Proctypes. If there are no possibilities to execute any of the branches in a certain state of a proctype, this proctype should block. If this is true for all proctypes in a UNIX process or if the current sequence of transitions is atomic" then it is not necessary to check continuously whether a transition has become executable. The only types of events that could change this state of the UNIX process are external messages from other processes or timeouts. So it is possible to block the UNIX process until an external message event occurs or a timer expires. This reduces the CPU load of the machine on which the implementation runs.
Atomic Sequences. In PROMELA, sequences of statements may be de ned as atomic" sequences. An atomic sequence should, from the point of view of the other proctypes, be seen as one single instruction that is not interruptible. During the execution of an atomic sequence, the scheduler must not switch to another proctype. However, starting with Version 2.0 of SPIN it is legitimate for an atomic sequence to block 2 3 . In this case it should | since Version 2.0 | be allowed to switch to another proctype. This is implemented di erently in our scheduler. If an atomic sequence in the implementation blocks, the scheduler will stay in this proctype until it unblocks, even if this will never happen.
SIEGFRIED L OFFLER AND AHMED SERHROUCHNI
The reason why w e decided to interpret the semantics of the atomic" statement di erently is that we w anted to add external events to implementations. However, if an implementation blocks in a certain state because it would have t o w ait for an external event, one can never know if this event will ever occur or not, because it is not speci ed in the same model. Therefore we can not know if it is necessary to leave the atomic sequence in order to avoid a deadlock.
A solution to this problem could be to prohibit the use of external channels inside atomic sequences. An easier solution is, in our opinion, to interpret the semantics as they were interpreted by older versions of SPIN, i.e. not allowing the change of proctypes inside atomic sequences at all. If a designer wants to allow a proctype change in a certain state, he should specify this explicitly by breaking the atomic sequence into multiple sequences which are separated by the operation in which the proctype change is to be allowed.
This example shows that although we are using the same abstraction, treat it with the same tool and even use the same internal data structures as in validation, it is still possible to interpret the semantics of PROMELA di erently.
Priorities. In Version 2.5 of SPIN, Holzmann added a mechanism to de ne process priorities for use during random simulations 3 . Those priorities could be easily implemented in the scheduler, however they aren't yet. The priorities were implemented to improve the debugging facilities. For validation they are not used at all.
Timer Mechanisms PROMELA was designed as a validation language. For the implementation of a protocol, there are some important requirements that are not yet covered by the language. For example it is absolutely necessary that one can de ne a timeout.
Since the timeout statement i n PROMELA has initially been designed to avoid the blocking of a proctype, in PROMELA it is not possible to specify any v alue for a timeout. For the validation it is su cient to know that a timeout can occur in a certain state. If it can occur, it does not matter how long it may take u n til this happens since time is an element which does not exist in the validation.
The original timeout statement therefore is not supported for the implementation.
A solution to this problem could be to introduce a parameter that can be given to the timeout statement. This would have the advantage that existing PROMELA models could be modi ed very easily. On the other hand, it would have the disadvantage that a change to the language syntax would be necessary.
Since we did not want t o c hange the syntax of PROMELA, w e searched for another possibility. As a replacement, a timeout mechanism which uses message queues was implemented. This mechanism is close to the implementation of timers in SDL where timers basically are modeled as messages.
For the communication with this timeout mechanism that is implemented in the runtime scheduler, the following three message channel names, whose names are reserved, were de ned:
1. set timer" This channel can be used to set a timer. The channel de nition chan set timer= 1 of f byte, byte g;" has to be used to de ne the channel in the model. Afterwards, a message consisting of a timer identi er CREATING IMPLEMENTATIONS FROM PROMELA MODELS 7 and a value in seconds for the timer can be transmitted in a message to the implementation s c heduler. 2. timer" This queue is used by the implementation scheduler to send a message if the timer expires. The channel de nition chan timer = 1 of f byte g;" has to be added to the PROMELA model. The message consists of the timer identi er that was sent through the set timer channel. 3. del timer" This queue can be used to delete a timer before it expires. The de nition for the channel is chan del timer = 1 of f byte g;" The message should be the timer identi er that was used when setting the timer. In recursive proctypes, it is advisable to use the pid" V ariable to compute a unique timer identi er.
To v alidate a model which uses those timer queues, an additional PROMELA proctype has to be added to the speci cation which describes the timer mechanism in the scheduler, i.e. reads and writes the timer queues.
External Communications We already mentioned that we added external events to the PROMELA models. For the design of the implementations, this results in the necessity to nd a way to specify such e v ents in PROMELA. Since we did not want t o c hange the PROMELA syntax by i n troducing new language constructs, we decided to implement such external events using channels. These external" channels are speci ed exactly like normal PROMELA channels, the only di erence is that we pre x their names with ext " in the speci cation. This allows us to use the existing tools for simulation and validation.
In order to simulate or validate a model which communicates with other systems via external channels, it su ces to include proctypes describing those external events into one single le used for simulation and validation.
The external channels also allow us to divide one PROMELA speci cation into implementations which run in multiple UNIX processes and communicate with each other via external channels. For this we h a ve to create a PROMELA source code for each UNIX process to be generated. Using include" preprocessor directives all proctypes can then be included either in the source le which is used for simulation or in the source les which are used for the compilation of the implementation.
The connection of the UNIX processes is realized in a client server architecture. The server always keeps track of the queue contents of the external channels in all connected UNIX processes. If a client w ants to read from an external channel, it has to send a request to the server. On the other hand, the server noti es all clients if the contents of any of the external channels changes. To a void having access problems with two clients reading from the same channel we limited read access to an external channel to one UNIX process per channel. If a UNIX process has read from a channel, thereafter no other UNIX process is granted read access to the same channel. This reduces the communication between the UNIX processes and makes them much faster. Nevertheless, multiple proctypes are allowed to write into the same channel queue.
For the inter process communication between the UNIX processes, AF UNIX domain sockets are used. This makes it easy to distribute the processes over multiple machines by c hanging the AF UNIX domain into the AF INET internet domain. Upon compilation of a PROMELA model, one can specify whether the compiled UNIX process should be the server or a client b y setting the appropriate switch. Since all channel queues are kept within the server, it is advisable to make the UNIX process the server which uses the external channels the most. 4 . Future Work
The most important drawback in our extended SPIN environment is that it
is not yet possible to use synchronous channels for the communication between UNIX processes. Almost as important is the missing capability for sorted send" and random receive" operations between UNIX processes, which w ere added to PROMELA with version 2.0 of SPIN. It has to be mentioned that the compiler itself is not validated and most probably still contains quite a lot of bugs. Therefore the resulting implementations are not 100 validated.
Another thing which is left to do is a validation of the protocol that we use for the connection of clients and servers. A basic description of this protocol can be found in 7 .
Conclusions
With PROMELA SPIN, Holzmann has attacked two of the main factors inhibiting more widespread use of speci cation or validation tools, namely di culty of use and the inherent limitations of the nite state reachability methods.
However, for the step to the nal implementation, some di culties remain. The major drawback o f PROMELA in its current state is that the semantics are still not exactly speci ed, therefore allowing interpretations which m a y lead to problems when implementing the design. Another problem is the missing capability of the language to re ne the speci cation in a way that su ces to describe details like timeouts of an implementation.
Our extended SPIN tool is usable for the rapid prototyping of validated implementations of communication protocols. Because of our di erent i n terpretation of the atomic" statement, it is possible for the implementation to behave not exactly as expected. The generated implementation is not 100 validated because we had to add code for a scheduler and for external communications which has not been exhaustively veri ed.
The main application eld we see for the implementations generated with the current v ersion of our extended SPIN tool is the rapid prototyping of testing scenarios.
