![Page 1: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/1.jpg)
1 / 67
Erlang and the McErlang Model Checker
Lars-Åke Fredlund, Clara Benac Earle
Babel research group, Facultad de Informática, Universidad Politécnica de Madrid
![Page 3: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/3.jpg)
Talk Overview
2 / 67
■ The Erlang programming language
■ McErlang: a tool for model checking Erlang programs (short intros to model checking and linear temporal logic)
![Page 4: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/4.jpg)
Part 1: Erlang
3 / 67
![Page 5: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/5.jpg)
Erlang/OTP History
4 / 67
■ Erlang language born in 1983 at Ericsson
■ Used inside and outside Ericsson for implementing challenging concurrent and distributed applications
■ Application example: high-speed ATM switch developed in Erlang (2 million lines of Erlang code), C code (350 000 lines of code), and 5 000 lines of Java code
■ Other examples: parts of Facebook chat written in Erlang (70 million users), CouchDB (integrated in Ubuntu 9.10), users at Amazon, Yahoo, . . .
■ In Spain: Tuenti, LambdaStream (A Coruña), . . .
■ Open-source; install from http://www.erlang.org/
![Page 6: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/6.jpg)
Erlang is becoming popular
5 / 67
C and C++ job offers over the last 5 years: (chart)
Erlang job offers over the last 5 years: (chart)
![Page 7: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/7.jpg)
Erlang as a source of inspiration
6 / 67
■ Ideas from Erlang are also influencing other programming languages and libraries like Scala, Node.js, Clojure, . . .
■ So let's see the main features. . .
![Page 8: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/8.jpg)
Erlang/OTP
7 / 67
■ Basis: a general purpose functional programming language
■ Automatic garbage collection
■ With lightweight processes (in terms of creation time and memory requirements). Typical software can make use of many thousands of processes; SMP supported on standard platforms
■ Support for fault-tolerance and distributed computation in the programming language!
■ Implemented using virtual machine technology. Available on many OSes (Windows, Linux, Solaris, . . . )
■ Supported by extensive libraries: OTP – Open Telecom Platform – provides design patterns, a distributed database, a web server, etc.
![Page 9: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/9.jpg)
Erlang basis
8 / 67
A simple functional programming language:
■ Simple data constructors: integers (2), floats (2.3), atoms (hola), tuples ({2,hola}) and lists ([2,hola], [2|X]), functions, records (#process{label=hola}), bit strings (<<1:1,0:1>>)
■ Call-by-value
■ Variables can be assigned once only (Prolog heritage)
■ No static type system! That is, expect runtime errors and exceptions
■ Similar to a scripting language (Python, Perl) – why popular?
![Page 12: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/12.jpg)
Erlang basis, II
9 / 67
■ Example:
fac(N) ->
    if
        N == 0 -> 1;
        true -> N * fac(N-1)
    end.
Variables begin with a capital (N). Atoms (symbols) begin with a lowercase letter (fac, true)
■ But this also compiles without warning:
fac(N) ->
    if
        N == 0 -> 1;
        true -> "upm" * fac(N-1)
    end.
■ And this call is permitted (what happens?): fac(0.5)
![Page 13: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/13.jpg)
Concurrency and Communication
10 / 67
■ Concurrency and communication model inspired by the Actor model (and earlier Ericsson software/hardware products)
■ Processes execute Erlang functions
■ No implicit sharing of data (shared variables) between processes
■ Two interprocess communication mechanisms exist:
◆ processes can send asynchronous messages to each other (message passing)
◆ processes get notified when a related process dies (failure detectors)
![Page 14: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/14.jpg)
Erlang Processes
11 / 67
(figure: a process with identifier Pid executing f(Arg1, . . . , Argn), with a mailbox holding messages M2, M1)
■ Processes execute Erlang functions (f(Arg1, . . . , Argn))
■ A process has a unique name, a process identifier (Pid)
■ Messages sent to a process are stored in a mailbox (M2, M1)
![Page 15: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/15.jpg)
Erlang Communication and Concurrency Primitives
12 / 67
■ Sending a message to a process:
Pid ! {request, self(), a}
■ Retrieving messages from the process mailbox (queue):
receive
    {request, RequestPid, Resource} ->
        lock(Resource), RequestPid ! ok
end
■ Creating a new process:
spawn(fun () -> locker ! {request, B} end)
■ A name server assigns symbolic names to processes:
locker ! {request, a}
![Page 16: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/16.jpg)
Communication Primitives, receiving
13 / 67
Retrieving a message from the process mailbox:
receive
    pat1 when g1 -> expr1;
    . . . ;
    patn when gn -> exprn
after time -> expr'
end
■ pat1 is matched against the oldest message, and checked against the guard g1. If it matches, the message is removed from the mailbox and expr1 is executed
■ If there is no match, pattern pat2 is tried, and so on. . .
■ If no pattern matches the first message, it is kept in the mailbox and the second oldest message is checked, etc.
■ after provides a timeout if no message matches any pattern
![Page 20: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/20.jpg)
Receive Examples
14 / 67
■ Given a receive statement:
receive
    {inc, X} -> X+1;
    Other -> error
end
and the queue is a · {inc, 5}, what happens?
■ Suppose the queue is a · {inc, 5} · b, what happens?
■ Suppose the receive statement is
receive
    {inc, X} -> X+1
end
and the queue is a · {inc, 5} · b, what happens?
■ And if the queue is a · b?
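The receive semantics above decide what a long-running process does with messages it never asked for. As an added example (not from the talk), the module below replays the four quiz mailboxes inside one process and inspects the mailbox after each receive; the messages a, {inc,5}, b are the constructed contents from the slide. The point a practitioner should take away: a receive with no catch-all clause leaves every non-matching message in the mailbox, so unexpected or hostile messages accumulate there for the lifetime of the process and every later receive has to scan past them.

```erlang
%% Added example (not from the talk): the four receive quizzes above, run
%% inside one process so that the mailbox can be inspected after each
%% receive. Compile with erlc and call receive_demo:run().
-module(receive_demo).
-export([run/0]).

%% Load the constructed mailbox contents, oldest first.
fill(Msgs) -> lists:foreach(fun(M) -> self() ! M end, Msgs).

%% Drop everything in the mailbox so the next scenario starts clean.
flush() ->
    receive _ -> flush() after 0 -> ok end.

%% Current mailbox contents, oldest first.
mailbox() ->
    {messages, Msgs} = process_info(self(), messages),
    Msgs.

%% The receive from the slide, with a catch-all clause.
recv_with_catchall() ->
    receive
        {inc, X} -> X + 1;
        _Other   -> error
    end.

%% The receive from the slide without a catch-all. The 'after' clause is
%% added here so that a mailbox with no matching message does not block
%% the caller forever.
recv_inc_only(TimeoutMs) ->
    receive
        {inc, X} -> X + 1
    after TimeoutMs ->
        timeout
    end.

run() ->
    flush(),
    %% Queue a . {inc,5}: clause 1 fails on a, clause 2 matches it, so the
    %% oldest message a is consumed and the result is error.
    fill([a, {inc, 5}]),
    R1 = recv_with_catchall(),
    L1 = mailbox(),
    flush(),
    %% Queue a . {inc,5} . b with the same receive: same outcome, because
    %% matching always starts from the oldest message.
    fill([a, {inc, 5}, b]),
    R2 = recv_with_catchall(),
    L2 = mailbox(),
    flush(),
    %% Queue a . {inc,5} . b with only the {inc,X} clause: a is skipped,
    %% {inc,5} is removed, and a and b stay queued in their original order.
    fill([a, {inc, 5}, b]),
    R3 = recv_inc_only(100),
    L3 = mailbox(),
    flush(),
    %% Queue a . b with only the {inc,X} clause: nothing matches, so
    %% without 'after' the process would block forever; here the timeout
    %% fires and both messages remain queued.
    fill([a, b]),
    R4 = recv_inc_only(100),
    L4 = mailbox(),
    flush(),
    [{R1, L1}, {R2, L2}, {R3, L3}, {R4, L4}].
```

run/0 returns the four result/leftover pairs in order: error with {inc,5} left over, error with {inc,5} and b left over, 6 with a and b left over, and timeout with a and b still queued. The last case is the one to watch in servers: a process that only ever pattern-matches expected shapes never frees the memory taken by everything else it was sent.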
![Page 21: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/21.jpg)
Communication Guarantees
15 / 67
Messages sent from any process P to any process Q are delivered in order (unless P or Q crashes)
(figure: P sends M1 and then M2 to Q; they arrive in Q's mailbox in the same order)
![Page 26: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/26.jpg)
A Simple Concurrent Program
16 / 67
facserver() ->
    receive
        {request, N, Pid} when is_integer(N), N > 0, is_pid(Pid) ->
            spawn(fun () -> Pid ! fac(N) end),
            facserver()
    end.
1> spawn(fun () -> facserver() end).
<0.33.0>
2> X = spawn(fun () -> facserver() end).
<0.35.0>
3> X ! {request, 2, self()}.
{request,2,<0.31.0>}
4> X ! {request, 4, self()}, receive Y -> Y end.
2
The bare receive returns the oldest message in the shell's mailbox: the reply fac(2) = 2 to request 3, which was never read, rather than fac(4).
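Step 4 returns 2 rather than 24 because nothing ties a reply to the request that caused it. The module below is an added example, not the talk's code: it tags every request with a fresh reference so that the client accepts only its own reply, monitors the server so that a dead server produces an error instead of a hang, and answers (or drops) malformed requests instead of leaving them queued in the server's mailbox. The ?MAX_N bound of 1000 is an assumption; accepting an unbounded N from an arbitrary sender lets that sender make the server burn CPU and memory computing a huge bignum.

```erlang
%% Added example (not from the talk). The tag-and-monitor pattern is the
%% one gen_server:call uses internally. ?MAX_N is an assumed bound.
-module(facserver2).
-export([start/0, request/2, demo/0]).

-define(MAX_N, 1000).

fac(0) -> 1;
fac(N) when is_integer(N), N > 0 -> N * fac(N - 1).

start() -> spawn(fun loop/0).

%% Server loop. Every reply carries the caller's tag, and every request
%% that names a valid Pid gets some reply, so clients never wait forever
%% for a message that was silently ignored. Anything else is dropped
%% rather than left to accumulate in the mailbox.
loop() ->
    receive
        {request, Tag, N, Pid} when is_pid(Pid) ->
            case is_integer(N) andalso N > 0 andalso N =< ?MAX_N of
                true  -> spawn(fun() -> Pid ! {reply, Tag, {ok, fac(N)}} end);
                false -> Pid ! {reply, Tag, {error, bad_request}}
            end,
            loop();
        _Garbage ->
            loop()
    end.

%% Synchronous client call: a fresh reference tags the request and only
%% the reply carrying that tag is accepted, so a stale reply left in the
%% mailbox by an earlier request cannot be mistaken for this one. The
%% monitor turns a dead server into an error instead of a hang.
request(Server, N) ->
    Tag = make_ref(),
    Mon = erlang:monitor(process, Server),
    Server ! {request, Tag, N, self()},
    receive
        {reply, Tag, Result} ->
            erlang:demonitor(Mon, [flush]),
            Result;
        {'DOWN', Mon, process, Server, Reason} ->
            {error, {server_down, Reason}}
    after 5000 ->
        erlang:demonitor(Mon, [flush]),
        {error, timeout}
    end.

%% Reproduces the shell session above. The first request's reply is never
%% read and stays queued; a bare receive then hands back that stale reply
%% for 2, while the tagged call for 4 skips it and returns {ok, 24}.
demo() ->
    S = start(),
    S ! {request, make_ref(), 2, self()},
    timer:sleep(50),
    S ! {request, make_ref(), 4, self()},
    Bare = receive Any -> Any end,
    Tagged = request(S, 4),
    {Bare, Tagged}.
```

facserver2:demo() returns a pair whose first element is the stale {reply, Ref, {ok, 2}} picked up by the bare receive and whose second element is {ok, 24} from the tagged call. A request such as {request, Ref, -1, self()} or {request, Ref, 5000, self()} gets {error, bad_request} back instead of being left in the server's mailbox forever, which is what the guard-only version on the slide would do.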
![Page 34: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/34.jpg)
Erlang and Errors
17 / 67
■ Unavoidably, errors happen in distributed systems
◆ hardware (computers) fails
◆ network links fail
◆ local resources (memory) run out
■ Errors happen; good fault-tolerant systems cope with them
■ Many Erlang products have high availability goals: 24/7, 99.9999999% of the time for the Ericsson AXD 301 switch (31 ms downtime per year!)
■ The Erlang philosophy is to do error detection and recovery, but not everywhere in the code, only in certain places
■ Higher-level Erlang components offer convenient handling of errors
![Page 38: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/38.jpg)
Erlang and Errors, part II
18 / 67
■ Error handling example:
g(Y) ->
    X = f(Y),
    case X of
        {ok, Result} -> Result;
        reallyBadError -> 0 % May crash because of ...
    end.
instead one usually writes
g(Y) ->
    {ok, Result} = f(Y),
    Result.
■ The local process will crash; another process is responsible for recovering (restarting the crashed process)
■ Error detection and recovery is localised to special processes, to special parts of the code (aspect oriented programming)
![Page 39: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/39.jpg)
Error Detection and Recovery: local level
19 / 67
■ Exceptions are generated at runtime due to:
◆ type mismatches (10 * "upm")
◆ failed pattern matches, processes crashing, . . .
■ Exceptions caused by an expression e may be recovered inside a process using the construct try e catch m end
■ Example:
try
    g(Y)
catch
    error:Error -> 0 % a bare pattern (Error -> 0) would match only throws, not the badmatch error raised by g/1
end
![Page 45: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/45.jpg)
Error Detection and Recovery: process level
20 / 67
■ Within a set of processes, via bidirectional process links set up using the link(pid) function call
■ Example:
Initially we have a system of 3 independent processes, P1, P2 and P3. Result of executing link(P1) and link(P3) in P2:
(figure: P2 linked to P1 and to P3; P1 and P3 are not linked to each other)
■ If P2 dies abnormally then P1 and P3 can choose to die. If P1 dies abnormally then P2 can choose to die as well
■ Alternatively, when P2 dies both P1 and P3 receive a message concerning the termination
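The crash-on-badmatch style from "Erlang and Errors, part II", the try ... catch from the local-level slide, and the process links described here fit together as shown below. The module is an added example, not from the talk; f/1 is assumed, since the slides never define it. It shows a local try ... catch that catches only the one error the function is prepared to handle (a bare catch Error -> 0 pattern matches only throws, so it would not stop a badmatch), a link that kills the spawner by default, and a spawner that traps exits and restarts the worker a bounded number of times, so that one bad input cannot turn into an endless crash loop.

```erlang
%% Added example (not from the talk). f/1 is assumed: the slide does not
%% define it. Compile with erlc and call link_demo:run().
-module(link_demo).
-export([run/0, g/1, g_guarded/1, bad_arith/1, supervise/2]).

%% Stand-in for the slide's f/1: fails for negative input.
f(Y) when Y >= 0 -> {ok, Y * 2};
f(_Y) -> reallyBadError.

%% The usual style: assert the happy path; anything else raises badmatch
%% and the process crashes.
g(Y) ->
    {ok, Result} = f(Y),
    Result.

%% Local recovery with try ... catch, restricted to the one error this
%% function is prepared to handle. A bare pattern (catch E -> ...) would
%% match only throws, and _:_ would swallow everything, bugs included.
g_guarded(Y) ->
    try
        g(Y)
    catch
        error:{badmatch, reallyBadError} -> 0
    end.

%% The type mismatch from the slide: 10 * "upm" raises badarith at runtime.
bad_arith(X) ->
    try
        10 * X
    catch
        error:badarith -> {error, not_a_number}
    end.

%% Worker linked to its spawner; it crashes when g/1 does.
spawn_worker(Y) -> spawn_link(fun() -> g(Y) end).

%% Process-level recovery: the spawner traps exits, so a linked worker's
%% crash arrives as {'EXIT', Pid, Reason} instead of killing the spawner,
%% and the worker is restarted at most MaxRestarts times. Bounding the
%% restarts is what keeps a poisoned input from becoming a crash loop.
supervise(Y, MaxRestarts) ->
    process_flag(trap_exit, true),
    supervise(Y, MaxRestarts, []).

supervise(_Y, 0, Seen) -> {gave_up, lists:reverse(Seen)};
supervise(Y, Left, Seen) ->
    Pid = spawn_worker(Y),
    receive
        {'EXIT', Pid, normal} -> {ok, lists:reverse(Seen)};
        {'EXIT', Pid, Reason} -> supervise(Y, Left - 1, [short(Reason) | Seen])
    end.

%% An error-class crash reason is {Error, Stacktrace}; keep just Error.
short({Error, Stack}) when is_list(Stack) -> Error;
short(Reason) -> Reason.

%% Run Fun in a fresh process so that process_flag(trap_exit, true) does
%% not change the caller's (e.g. the shell's) own behaviour.
in_new_process(Fun) ->
    Parent = self(),
    Ref = make_ref(),
    spawn(fun() -> Parent ! {Ref, Fun()} end),
    receive {Ref, R} -> R after 5000 -> timeout end.

run() ->
    %% Without trap_exit the link propagates the crash: the observer that
    %% spawned the failing worker dies with it.
    Observer = spawn(fun() -> spawn_worker(-1), receive never -> ok end end),
    timer:sleep(50),
    ObserverDied = not is_process_alive(Observer),
    %% With trap_exit the crash is an ordinary message and can be handled.
    Bad  = in_new_process(fun() -> supervise(-1, 3) end),
    Good = in_new_process(fun() -> supervise(5, 3) end),
    {ObserverDied, Bad, Good}.
```

link_demo:run() reports that the observer died, that the worker fed -1 crashed with {badmatch, reallyBadError} three times before the spawner gave up, and that the worker fed 5 exited normally. The crash reports the runtime prints for each worker are expected; they are the "another process is responsible for recovering" half of the philosophy made visible.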
![Page 46: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/46.jpg)
What is Erlang suitable for?
21 / 67
■ Generally intended for long-running programs
■ Processes with state, that perform concurrent (and maybe distributed) activities
■ Typical is to have a continuously running system (24/7)
■ Programs need to be fault-tolerant
■ So hardware is typically replicated as well – because hardware invariably fails – and thus we have a need for distributed programming (addressing physically isolated processors)
![Page 48: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/48.jpg)
Distributed Erlang
22 / 67
■ Processes run on nodes (computers) in a network
(figure: Node 1 and Node 2, with communication between processes on different nodes)
■ Distribution is (mostly) transparent
◆ No syntactic difference between inter-node and intra-node process communication
◆ Communication link failures or node failures are interpreted as process failures (detected using linking)
◆ Compare with Java: no references to objects, which are difficult to communicate in messages (copy?)
◆ The only references are process identifiers, which have the same meaning at both the sending and the receiving process
![Page 49: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/49.jpg)
Erlang Programming Styles
23 / 67
■ Using only the basic communication primitives (send/receive) makes for messy code – everybody invents their own style and repeats lots of code for every program
■ A standard way is needed:
◆ to handle process start, termination and restarts
◆ to handle code upgrading
◆ and maybe more structured communication patterns: who communicates with whom, in what role? . . .
■ For Erlang one generally uses the design patterns and the framework of the OTP library – Open Telecom Platform – as an infrastructure
![Page 50: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/50.jpg)
OTP components
24 / 67
■ Application – provides bigger building blocks like a database (Mnesia), a web server, and interfaces to other languages and formats (Java, XML)
■ Supervisor – used to start and bring down a set of processes, and to manage processes when errors occur
■ Generic Server – provides a client–server communication facility
■ Event Handling – for reporting system events to interested processes
■ Finite State Machine – provides a component facilitating the programming of finite state machines in Erlang
![Page 51: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/51.jpg)
The Supervisor Component
25 / 67
■ Applications are often structured as supervision trees, consisting of supervisors and workers
(figure legend: supervisor process, worker process)
■ A supervisor starts child processes, monitors them, handles termination and stops them on request
■ The actions of the supervisor are described in a declarative fashion (as a text description)
■ A child process may itself be a supervisor
![Page 53: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/53.jpg)
Supervision Dynamics
26 / 67
(figure: a supervision tree with supervisor S above supervisors S2 and S3, and S3 above worker processes C1, C2, C3)
■ When a child process C1 dies (due to an error condition), its supervisor S3 is notified and can elect to:
◆ do nothing
◆ itself die (in turn notifying its supervisor S)
◆ restart the child process (and maybe its siblings)
◆ kill all the sibling processes (C2, C3) of the dead process
■ One can control the frequency of restarts, and the maximum number of restarts to attempt – it is no good having a process continually restarting and crashing
![Page 54: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/54.jpg)
The Generic Server Component
27 / 67
■ gen_server is the most used component in Erlang systems
■ Provides a standard way to implement a server process, and interface code for clients to access the server
■ The client–server model has a central server, and an arbitrary number of clients:
(figure: a Server with Clients A, B and C; each client sends a request and receives a reply)
![Page 55: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/55.jpg)
The Generic Server Component
28 / 67
(figure: a Server with Clients A, B and C; request and reply arrows)
■ Clients make requests to the server, which optionally replies
■ A server has a state, which is preserved between requests
■ A generic server is implemented by providing a callback module specifying the concrete actions of the server (server state handling, and response to messages)
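The supervisor and generic server components above, as an added example (not from the talk and not the OTP library's own code): two modules, one per file. The supervisor declares a restart intensity of at most 3 restarts within 5 seconds, which is the "frequency of restarts" control from the Supervision Dynamics slide. The worker validates its input and replies with an error instead of crashing on it, since every crash of a permanent child costs a restart and the state held in the process. The crash/0 call and the ?MAX_N bound are assumptions added for the demonstration.

```erlang
%%% ---- file fac_app.erl ----
%% Added example (not from the talk): a supervisor with a bounded restart
%% intensity over one gen_server worker.
-module(fac_app).
-behaviour(supervisor).
-export([start_link/0, init/1, demo/0]).

start_link() -> supervisor:start_link({local, ?MODULE}, ?MODULE, []).

%% Declarative description of what the supervisor does: restart the
%% worker whenever it terminates abnormally, but if more than 3 restarts
%% happen within 5 seconds, give up and terminate (notifying the parent).
init([]) ->
    SupFlags = #{strategy => one_for_one, intensity => 3, period => 5},
    Worker = #{id => fac_server,
               start => {fac_server, start_link, []},
               restart => permanent,
               shutdown => 1000,
               type => worker},
    {ok, {SupFlags, [Worker]}}.

%% Crash the worker four times in a row: the first three crashes are
%% absorbed by restarts (a new worker pid each time), the fourth exceeds
%% the intensity and takes the supervisor down.
demo() ->
    {ok, Sup} = start_link(),
    unlink(Sup),                      % keep the caller alive when Sup gives up
    Pids = [begin
                P = whereis(fac_server),
                fac_server:crash(),
                timer:sleep(100),
                P
            end || _ <- lists:seq(1, 4)],
    {length(lists:usort(Pids)), is_process_alive(Sup)}.

%%% ---- file fac_server.erl ----
-module(fac_server).
-behaviour(gen_server).
-export([start_link/0, fac/1, served/0, crash/0]).
-export([init/1, handle_call/3, handle_cast/2]).

-define(MAX_N, 1000).   % assumed input bound

%% Client API. gen_server:call tags each request and waits only for the
%% matching reply (with a monitor on the server), the pattern built by
%% hand with make_ref earlier in the talk.
start_link() -> gen_server:start_link({local, ?MODULE}, ?MODULE, [], []).
fac(N)       -> gen_server:call(?MODULE, {fac, N}).
served()     -> gen_server:call(?MODULE, served).
crash()      -> gen_server:cast(?MODULE, crash).

%% Server state, preserved between requests: number of requests served.
init([]) -> {ok, #{served => 0}}.

handle_call({fac, N}, _From, State = #{served := S})
  when is_integer(N), N >= 0, N =< ?MAX_N ->
    {reply, {ok, fac_(N)}, State#{served := S + 1}};
handle_call({fac, _Bad}, _From, State) ->
    %% Validate rather than crash: a crash here costs a restart and the
    %% in-memory state for every malformed request a client sends.
    {reply, {error, bad_request}, State};
handle_call(served, _From, State = #{served := S}) ->
    {reply, S, State}.

%% A deliberate abnormal termination, to exercise the supervisor.
handle_cast(crash, State) -> {stop, deliberate_crash, State};
handle_cast(_Msg, State)  -> {noreply, State}.

fac_(0) -> 1;
fac_(N) -> N * fac_(N - 1).
```

fac_app:demo() returns four distinct worker pids and a dead supervisor: three restarts succeed, the fourth crash within the 5 second window exceeds the intensity and the supervisor terminates with reason shutdown, which is the escalation to its own parent described on the Supervision Dynamics slide. The crash reports printed by the logger are expected. Note that the served counter starts from 0 again after every restart, which is why the worker answers bad input with {error, bad_request} rather than letting it crash.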
![Page 56: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/56.jpg)
Part 2: Verifying Erlang Programs
29 / 67
![Page 57: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/57.jpg)
Debugging/Verifying Erlang Programs: Tools
30 / 67
■ Dialyzer – type checking by static analysis (necessary to minimize type errors at runtime)
■ Testing: QuickCheck (http://www.quiviq.com) – a testing tool for Erlang
■ Model checking – our tool McErlang (https://babel.ls.fi.upm.es/trac/McErlang/)
![Page 58: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/58.jpg)
Testing Concurrent Programs
31 / 67
Why is (random) testing of concurrent programs difficult?
![Page 59: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/59.jpg)
Consider the state space of a small program:
(figure: state transition graph of a small locker program, states numbered 0–47, edges labelled with message sends such as locker!{req,[a]}, locker!release, 4!ok, 5!done and 1!{ok,started})
![Page 60: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/60.jpg)
Random testing explores one path through the program:
(figure: the same state graph, with one explored path)
![Page 61: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/61.jpg)
With repeated tests the coverage improves:
(figure: the same state graph, with more explored paths)
![Page 62: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/62.jpg)
A lot of testing later (note the states not visited):
(figure: the same state graph; some states remain unvisited)
![Page 63: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/63.jpg)
Model checking can guarantee that all states are visited, without revisiting states
(figure: the same state graph, fully explored)
Model Checking: Basics
32 / 67
■ Construct an abstractmodelof the behaviour of the program,usually a finite state transition graph
1 90
2 176 13 5
4
15
3
11
7
12
8
10
18
19
14
16
◆ A node represents aProgram state(x = 0, y = 3)
◆ Graph edgesrepresent computation steps from oneprogram state to another
■ Check the abstract model against some description ofdesirable/undesirable model properties usually specifiedin atemporal logic: Alwaysx ≥ 0
Model Checking
33 / 67
■ Usually applied toreactive systems(systems that continously react to stimuli)
■ Advantages: automatic push button technology(algorithms can decide, with decent complexity, whether amodel satisfies a property)
■ Disadvantages:
◆ Models can be difficult and time consuming to construct
◆ Doesn’t scale well to larger programs (the model of thebehaviour of the program becomes too big – the wellknownstate explosion problem)
The McErlang model checker: Design Goals
34 / 67
■ Reduce the gap between program and verifiable model (the Erlang program is the model)
■ Write correctness properties in Erlang (and linear temporal logic)
■ Implement verification methods that permit partial checking when state spaces are too big – on-the-fly checking and using Holzmann’s bitspace algorithms
■ Implement the model checker in a parametric fashion (easy to plug in new algorithms, new abstractions, . . . )
Step-by-step execution of Erlang Programs
35 / 67
■ To be able to visit all the states of an Erlang program we need the capability to take a snapshot of the Erlang system
◆ A snapshot/program state is: the contents of all process mailboxes, the state of all running processes, messages in transit (the ether), all nodes, monitors, . . .
[Figure: a snapshot of a distributed Erlang system: processes P1, P2 and P3 spread over Node A, Node B and Node C, with the Ether carrying the messages in transit]
■ Save the snapshot to memory and forget about it for a while
■ Later continue the execution from the snapshot
The McErlang approach to model checking
36 / 67
■ The lazy solution: just execute the Erlang program to verify in the normal Erlang interpreter
■ And extract the system state (processes, queues, function contexts) from the Erlang runtime system
■ Too messy! We have developed a new runtime system for the process part, and still use the old runtime system to execute code with no side effects
[Figure: two layered boxes side by side. Erlang Runtime System: data computation on top of process coordination and communication. McErlang Runtime System: data computation (still done by the Erlang runtime) on top of process coordination and communication, now done by McErlang]
Correctness Properties: Temporal logic
37 / 67
■ Pnueli 1977: added discrete and linear time operators to propositional logic, to be able to specify properties of reactive systems
■ Program meaning (semantics):
◆ a program state s maps the program variables to values
◆ a run of the program is an infinite sequence of program states (s0, s1, s2, . . .) from an initial state s0
◆ for a terminating system simply add a self-loop in the terminating state to yield an infinite run
◆ the semantics of a program p is its set of runs, ‖p‖
◆ If the program is nondeterministic (or accepts input) there will be more than one run of the program
Runs of concurrent programs: examples
38 / 67
Consider the following simple shared variable program:
if x>0 then x:=x-1 || if x<3 then x:=x+1
where S1||S2 runs the atomic statements S1 and S2 in parallel
The set of its runs starting from the state x=0 is infinite:
〈x = 0〉 · 〈x = 1〉 · 〈x = 0〉 · . . .
〈x = 0〉 · 〈x = 1〉 · 〈x = 2〉 · 〈x = 1〉 · . . .
〈x = 0〉 · 〈x = 1〉 · 〈x = 2〉 · 〈x = 3〉 · 〈x = 2〉 · . . .
. . .
Program runs
39 / 67
We can also depict the runs
〈x = 0〉 · 〈x = 1〉 · 〈x = 0〉 · . . .
〈x = 0〉 · 〈x = 1〉 · 〈x = 2〉 · 〈x = 1〉 · . . .
〈x = 0〉 · 〈x = 1〉 · 〈x = 2〉 · 〈x = 3〉 · 〈x = 2〉 · . . .
. . .
as a state graph:
[State graph figure: the four states x = 0, x = 1, x = 2, x = 3 with the edges 0→1, 1→0, 1→2, 2→1, 2→3, 3→2 given by the two statements]
Temporal logic operators
40 / 67
Classical linear temporal operators (defined over runs):
■ Always φ
φ holds in all future states of the run
■ Eventually φ
φ holds in some future state of the run
■ Next φ
φ holds in the next state
■ φ1 Until φ2
φ1 holds in all states until φ2 holds
■ And the normal ones: negation ¬φ, implication φ1 ⊃ φ2, . . .
Temporal logic state propositions
41 / 67
These provide basic statements about program states
■ For Pnueli’s shared variable language: x > 0, x < y, even(z), . . .
■ For Erlang: Pid ! {request, a} (a request message is sent to some process)
Temporal logic – meaning
42 / 67
■ A program p satisfies a formula φ when all the runs of the program are satisfied by the formula
■ The logic is linear because it doesn’t talk about the branching structure of the state graph of the program (what the set of possible next states of the program is)
■ So called branching time logics (CTL, µ-calculus) do consider the branching structure of the state graph of the program
Temporal logic – examples
43 / 67
Consider the atomic parallel program
if x>0 then x:=x-1 || if x<3 then x:=x+1
with the starting state 〈x = 3〉 and the state graph
■ Does Always x ≥ 0 hold?
■ Yes; if x=0 then the guard prevents further decrease
■ Does Always (x = 3 ⊃ Eventually x = 0) hold?
■ No; there is a run 〈x = 3〉 · 〈x = 2〉 · 〈x = 3〉 · 〈x = 2〉 · . . .
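As an added example (not part of the slides), the following Python code builds the state graph of the shared variable program from the "Runs of concurrent programs" slide and performs the two checks asked on this slide by explicit-state exploration. The two atomic statements, the self-loop convention for terminating states and the two properties are taken from the slides; the function names (state_graph, run_prefixes, always, find_cycle, response_counterexample) are my own. The safety check inspects every reachable state once; the response property Always (x = 3 ⊃ Eventually x = 0) is refuted by finding a reachable cycle that avoids x = 0, which is exactly the lasso-shaped run the slide names.

```python
"""Explicit-state exploration of the shared variable program on the slide
(added example, not from the slides):  if x>0 then x:=x-1 || if x<3 then x:=x+1
and the two temporal properties asked about it."""

# The two atomic statements as (guard, effect) pairs on the single variable x.
STATEMENTS = [
    (lambda x: x > 0, lambda x: x - 1),
    (lambda x: x < 3, lambda x: x + 1),
]


def successors(x):
    """Program states reachable from x in one atomic step. A state with no
    enabled statement gets a self-loop so that every run is infinite."""
    nxt = {effect(x) for guard, effect in STATEMENTS if guard(x)}
    return nxt or {x}


def state_graph(initial):
    """Finite state transition graph {state: set of successors}, built by a
    depth-first search that expands each reachable state exactly once."""
    graph = {}
    todo = [initial]
    while todo:
        s = todo.pop()
        if s in graph:
            continue
        graph[s] = successors(s)
        todo.extend(graph[s])
    return graph


def run_prefixes(graph, initial, length):
    """All prefixes of the given length of runs starting in `initial`."""
    out = []

    def extend(prefix):
        if len(prefix) == length:
            out.append(prefix)
            return
        for t in sorted(graph[prefix[-1]]):
            extend(prefix + [t])

    extend([initial])
    return out


def always(graph, prop):
    """Safety check: 'Always prop' holds iff prop holds in every reachable
    state. Returns (True, None) or (False, first offending state)."""
    for s in graph:
        if not prop(s):
            return False, s
    return True, None


def find_cycle(graph, start, allowed):
    """A cycle reachable from `start` through states satisfying `allowed`,
    as a list of states, or None. Depth-first search keeping the current path."""
    path, on_path, finished = [], set(), set()

    def dfs(u):
        path.append(u)
        on_path.add(u)
        for v in sorted(graph[u], reverse=True):
            if not allowed(v):
                continue
            if v in on_path:
                return path[path.index(v):]
            if v not in finished:
                cycle = dfs(v)
                if cycle is not None:
                    return cycle
        path.pop()
        on_path.discard(u)
        finished.add(u)
        return None

    return dfs(start) if allowed(start) else None


def response_counterexample(graph, trigger, goal):
    """Check 'Always (trigger ⊃ Eventually goal)'. A counterexample is a run
    that reaches a trigger state and then loops forever without ever reaching
    a goal state; returns that cycle, or None if the property holds."""
    for s in graph:
        if trigger(s):
            cycle = find_cycle(graph, s, lambda t: not goal(t))
            if cycle is not None:
                return cycle
    return None


if __name__ == "__main__":
    g = state_graph(3)
    print(always(g, lambda x: x >= 0))                                     # (True, None)
    print(response_counterexample(g, lambda x: x == 3, lambda x: x == 0))  # [3, 2]
    print(run_prefixes(state_graph(0), 0, 4))  # [[0, 1, 0, 1], [0, 1, 2, 1], [0, 1, 2, 3]]
```

The cycle [3, 2] returned for the second property is the run 〈x = 3〉 · 〈x = 2〉 · 〈x = 3〉 · . . . from the slide; the same function refutes any property of the form Always (trigger ⊃ Eventually goal) on any finite state graph, not only this one.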
General temporal logic patterns
44 / 67
■ A safety property expresses that something bad – φ – never happens:
Always ¬φ
■ A liveness property expresses that something good – φ – eventually happens:
Eventually φ
■ Fairness assumptions are used to rule out abnormal program behaviours; φ eventually holds under the assumption that ψ doesn’t always hold:
(¬Always ψ) ⊃ (Eventually φ)
How to check LTL properties on programs?
45 / 67
■ LTL formulas are translated into Büchi automata
Always (req ⊃ Next (¬abort Until release))
[Figure: the automaton for the formula, with states 0, 1 and 2 and transitions labelled req, abort and release]
■ A combined program and automaton state graph is generated by executing the program in lock-step with the automaton
■ When a new program state is generated, the automaton computes a new automaton state (by inspecting the program state)
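An added Python example (not McErlang code) of the lock-step construction on this slide: a safety automaton for Always (req ⊃ Next (¬abort Until release)) runs alongside a small constructed client model, and the combined program/automaton state graph is generated on the fly, each combined state inspected once, stopping at the first automaton error. Because this is a safety property, a finite automaton with an absorbing error state is enough here instead of a full Büchi automaton. The client model, the encoding in which the proposition the automaton inspects is the action that produced the new program state, and the names BUGGY_CLIENT, FIXED_CLIENT, automaton_step and check are all assumptions of this example.

```python
"""Lock-step product of a program model and a safety automaton for
    Always (req ⊃ Next (¬abort Until release))
explored on the fly by depth-first search (added example, not McErlang)."""

# Program model (constructed for this example): a client that requests a
# resource and then works until it releases it, or aborts. Each control point
# maps to its list of (action, next control point) transitions.
BUGGY_CLIENT = {
    "idle":    [("req", "holding")],
    "holding": [("work", "holding"), ("release", "idle"), ("abort", "idle")],
}

# Corrected model: an abort is only possible while no request is outstanding.
FIXED_CLIENT = {
    "idle":    [("req", "holding"), ("abort", "idle")],
    "holding": [("work", "holding"), ("release", "idle")],
}

# Safety automaton (assumed encoding of the formula). The proposition it
# inspects in each new program state is the action that produced that state.
#   state 0: no request outstanding
#   state 1: a req was seen and no release yet (an abort here is the violation)
#   state 2: error, absorbing
ERROR = 2


def automaton_step(q, action):
    """Next automaton state after the program performed `action`."""
    if q == 0:
        return 1 if action == "req" else 0
    if q == 1:
        if action == "release":
            return 0
        if action == "abort":
            return ERROR
        return 1
    return ERROR


def check(program, initial="idle"):
    """Generate the combined program/automaton state graph in lock-step.

    Returns (counterexample, visited): the sequence of actions that drives the
    automaton into ERROR, or None when the property holds, together with the
    number of combined states inspected. Every combined state is visited once,
    and exploration stops as soon as a violation is found, so an incorrect
    program is usually refuted without building its whole state space."""
    start = (initial, 0)
    visited = {start}
    stack = [(start, [])]          # (combined state, actions taken so far)
    while stack:
        (point, q), trace = stack.pop()
        for action, next_point in program[point]:
            next_q = automaton_step(q, action)
            if next_q == ERROR:
                return trace + [action], len(visited)
            combined = (next_point, next_q)
            if combined not in visited:
                visited.add(combined)
                stack.append((combined, trace + [action]))
    return None, len(visited)


if __name__ == "__main__":
    print(check(BUGGY_CLIENT))   # (['req', 'abort'], 2)
    print(check(FIXED_CLIENT))   # (None, 2)
```

The counterexample returned for the buggy client is the action sequence req, abort: after a request the automaton is in state 1, and the abort drives it into the error state before the whole product graph has been built. The same check function works for any program given as such a transition table and any monitor written in the style of automaton_step.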
LTL checking: correctness condition
46 / 67
For checkingsafety properties– Always¬ φ – everyprogram stateshould be inspected once
2
10
loc
ke
r!{r
eq
,[a
]}
15
loc
ke
r!{r
eq
,[a
]}
1
30
41lo
ck
er!
rele
as
e
0 25lo
ck
er!
{re
q,[
a]}
34
5!o
k
4
8
3
16 4
!ok
22
loc
ke
r!{r
eq
,[a
]}
5
93
1
loc
ke
r!re
lea
se
43
loc
ke
r!re
lea
se
46
4!d
on
e,5
!ok
7
21
loc
ke
r!{r
eq
,[a
]}
5!o
k
6
26
loc
ke
r!{r
eq
,[a
]} 47
4!o
k
14
13
292
!{o
k,s
tart
ed
}
12
loc
ke
r!{r
eq
,[a
]}
35
loc
ke
r!{r
eq
,[a
]}
11
4!o
k
44lo
ck
er!
{re
q,[
a]}
5!o
k
45
loc
ke
r!{r
eq
,[a
]}
39
5!o
k
20
4!o
k
19 5
!do
ne
18
4!d
on
e
17
27
loc
ke
r!{r
eq
,[a
]}
38
5!d
on
e
37
loc
ke
r!re
lea
se
42
loc
ke
r!{r
eq
,[a
]}
1!{
ok
,sta
rte
d}
28
5!d
on
elo
ck
er!
{re
q,[
a]}
5!d
on
e
4!o
k
5!o
k
24
33
4!d
on
e
23
5!o
k4
!ok
loc
ke
r!re
lea
se
32
loc
ke
r!{r
eq
,[a
]}
4!o
k
loc
ke
r!{r
eq
,[a
]}
loc
ke
r!re
lea
se
loc
ke
r!{r
eq
,[a
]}
5!o
k
loc
ke
r!re
lea
se
loc
ke
r!{r
eq
,[a
]}lo
ck
er!
{re
q,[
a]}
loc
ke
r!{r
eq
,[a
]}
364
!do
ne
loc
ke
r!{r
eq
,[a
]}lo
ck
er!
{re
q,[
a]}
40
4!d
on
elo
ck
er!
{re
q,[
a]}
5!d
on
e,4
!ok
loc
ke
r!re
lea
se
5!o
k
4!o
k
loc
ke
r!{r
eq
,[a
]}
loc
ke
r!re
lea
se
loc
ke
r!re
lea
se
loc
ke
r!{r
eq
,[a
]}To prove a programincorrect, it may not be necessary to explorethe whole state space of the program
LTL checking: intuition
47 / 67
For a liveness property – Eventually φ – to hold, there can be no loop in the combined state graph where something bad happens
[State graph figure: the locker state graph again (states 0 to 47 with message-send edges)]
To prove a program incorrect, it may not be necessary to explore the whole state space of the program
McErlang in Practice
48 / 67
■ Install Erlang first
■ Then download McErlang from https://babel.ls.fi.upm.es/trac/McErlang/
■ Runs on Linux, Windows, . . .
McErlang In Practice: A Really Small Example
49 / 67
Two processes are spawned, the first starts an “echo” server that echoes received messages, and the second invokes the echo server:
-module(example).
-export([start/0]).

start() ->
    spawn(fun() -> register(echo, self()), echo() end),
    spawn(fun() ->
              echo ! {msg, self(), 'hello world'},
              receive
                  {echo, Msg} -> Msg
              end
          end).

echo() ->
    receive
        {msg, Client, Msg} ->
            Client ! {echo, Msg},
            echo()
    end.
Example under normal Erlang
50 / 67
Let’s run the example under the standard Erlang runtime system:
> erlc example.erl
> erl
Erlang (BEAM) emulator version 5.6.5 [source] [smp:2] ...

Eshell V5.6.5 (abort with ^G)
1> example:start().
<0.34.0>
2>
That worked fine. Let’s try it under McErlang instead.
Example under McErlang
51 / 67
First we have to recompile the module using the McErlang compiler:
> mcerl_compiler -sources example.erl -output_dir .
Then we run it:
> erl
Erlang (BEAM) emulator version 5.6.5 [source] [smp:2] ...

Eshell V5.6.5 (abort with ^G)
1> mce:apply(example,start,[]).
Starting McErlang model checker environment version 1.0 ...
...
Process ... exited because of error: badarg
Stack trace:
mcerlang:resolvePid/2
mcerlang:send/2
...
Investigating the Error
52 / 67
An error! Let’s find out more using the McErlang debugger:
2> mce_erl_debugger:start(get(result)).
Starting debugger with a stack trace; execution terminated
user program raised an uncaught exception.
stack(@2)> where().
2:
1: process <node0,3>:
     run #Fun<example.2.125>([])
     process <node0,3> died due to reason badarg
0: process <node0,1>:
     run function example:start([])
     spawn({#Fun<example.1.278>,[]},[]) --> <node0,2>
     spawn({#Fun<example.2.125>,[]},[]) --> <node0,3>
     process <node0,1> was terminated
     process <node0,1> died due to reason normal
Error Cause
53 / 67
■ Apparently in one program run the second process spawned (the one calling the echo server) was run before the echo server itself.
■ Then upon trying to send a message
echo ! {msg, self(), 'hello world'}
the echo name was obviously not registered, so the program crashed.
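An added Python model of the race described on this slide (not McErlang output): the two spawned processes are reduced to their steps, a scheduler tries both choices of which process runs next at every snapshot, and each reachable snapshot (program counters, name registry, mailboxes) is inspected once, the way the step-by-step execution slides describe. This is why the bug that normal testing missed is found immediately. The process names, the mailbox representation, the function names and the use_name=False variant (a client that sends to the server's pid instead of the registered name, an assumed fix the slides do not give) are all constructions of this example.

```python
"""All interleavings of the two processes of the echo example, explored by a
scheduler that tries both choices at every step (added example: a Python
model of the Erlang program, not McErlang itself)."""

from typing import NamedTuple, Optional


class Sys(NamedTuple):
    """One snapshot of the system: both program counters, the name registry,
    both mailboxes and any exception that killed a process."""
    server_pc: int           # 0: about to register, 1: in the receive loop
    client_pc: int           # 0: about to send, 1: awaiting reply, 2: finished
    registered: bool         # whether the name `echo` is registered
    server_box: tuple        # mailbox of the echo server
    client_box: tuple        # mailbox of the client
    error: Optional[str]     # exception that terminated a process, if any


INITIAL = Sys(0, 0, False, (), (), None)


def server_step(s):
    """One step of  fun() -> register(echo, self()), echo() end."""
    if s.server_pc == 0:                                  # register(echo, self())
        return s._replace(server_pc=1, registered=True)
    if s.server_box:                                      # receive {msg, Client, Msg}
        (_, msg), rest = s.server_box[0], s.server_box[1:]
        return s._replace(server_box=rest,
                          client_box=s.client_box + (("echo", msg),))
    return None                                           # blocked in receive


def client_step(s, use_name=True):
    """One step of the client; with use_name=False it sends to the server's
    pid instead of the registered name (assumed fix, not from the slides)."""
    if s.client_pc == 0:                                  # echo ! {msg, self(), 'hello world'}
        if use_name and not s.registered:
            return s._replace(client_pc=2, error="badarg")  # send to an unregistered name
        return s._replace(client_pc=1,
                          server_box=s.server_box + (("msg", "hello world"),))
    if s.client_pc == 1 and s.client_box:                 # receive {echo, Msg}
        return s._replace(client_pc=2, client_box=s.client_box[1:])
    return None                                           # blocked or finished


def explore(use_name=True):
    """Visit every reachable snapshot once, trying each runnable process at
    each snapshot. Returns (schedule that leads to an error or None, number
    of snapshots visited)."""
    processes = (("server", server_step),
                 ("client", lambda st: client_step(st, use_name)))
    visited = {INITIAL}
    stack = [(INITIAL, [])]      # (snapshot, processes scheduled so far)
    while stack:
        s, schedule = stack.pop()
        if s.error is not None:
            return schedule, len(visited)
        for name, step in processes:
            nxt = step(s)
            if nxt is not None and nxt not in visited:
                visited.add(nxt)
                stack.append((nxt, schedule + [name]))
    return None, len(visited)


if __name__ == "__main__":
    print(explore())                # (['client'], 3): the client ran before register
    print(explore(use_name=False))  # (None, 6): every interleaving completes
```

The schedule ['client'] is the run the debugger output on the previous slide shows: the second process took its first step before the server had registered the name. With the pid-based send the model has six reachable snapshots and no interleaving raises an exception.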
McErlang in practice: The Elevator Example
54 / 67
■ We study the control software for a set of elevators
■ Used to be part of an Erlang/OTP training course from Ericsson
Elevator Control Software
55 / 67
■ Static code complexity: around 1670 lines of code (usesseveral OTP behaviours: supervisor, genfsm, . . . )
■ Dynamic complexity: around 10 processes (for two elevators)
node0@exodo3
1
sim_sup (supervisor)
g_sup (supervisor) system_sup (supervisor)
scheduler (gen_server)
7:e_graphic (gen_fsm)
sys_event (gen_event)
8:e_graphic (gen_fsm)
elev_sup (supervisor)
10:elevator (gen_fsm) 11:elevator (gen_fsm)
We had to modify around 10 lines to model check this example
Correctness Properties for the Elevator System
56 / 67
What are good correctness properties for the Elevator system?
■ No runtime exceptions
■ An elevator only stops at a floor after receiving an order to goto that floor
■ ...
Formulating Correctness Properties
57 / 67
■ How to formulate a property like: “an elevator only stops at afloor after receiving an order to go to that floor”?
■ We can borrow an idea from runtime monitoring: we write amonitor/safety automaton thatdetectswhen the aboveproperty is violated
■ Seen from another viewpoint we have created amodelfor theelevator system
■ The model only describes asmall subsetof the behaviour ofthe elevator – fine, it is what models are supposed to do
■ So we have to write more monitors and properties. . .
What does a safety automaton do?
58 / 67
■ It runs in parallel (lock-step) with the program
■ Has an internal state, which can be updated when the programdoes asignificantaction (or something happens –a buttonpress)
■ The monitor should signal an error if an action happens in anincorrect state
Significant Events
59 / 67
Which elevator events does the monitor need to react to?
■ Button presses in the elevator
■ Button presses at each floor
■ The arrival of the elevator at a floor
State and Correctness Check
60 / 67
■ What is the state of the monitor?
A data structure that remembers orders to go to a certain floor
■ What is the correctness check?
When the elevator arrives at a floor, the order to do so is in the monitor state
Safety Automata
61 / 67
■ Safety automata are a subclass of automata which users can program directly in Erlang
■ Concretely, to implement a safety automaton a McErlang user should provide a function

    stateChange(ProgramState, AutomatonState, Action) ->
        ...
        {ok, NewAutomatonState}.

which is automatically called by McErlang when a program changes its state
■ The automaton can inspect the current program state, its own state, and the side effects (actions) in the last computation step
■ The automaton either returns a new automaton state (success), or signals an error
What can automata observe?
62 / 67
■ Program actions such as e.g. sending or receiving a message
■ Program state such as e.g. contents of process mailboxes, names of registered processes
■ Indirectly the values of some program variables (can be somewhat difficult to access)
■ Programs can be instrumented with special “probe actions”, that are easy to detect in monitors
■ Programs can be instrumented too with special “probe states”, which are persistent (actions are transient)
Model Checking the Lift Example
63 / 67
■ Correctness property spec:

    stateChange(_, FloorReqs, Action) ->
        case Action of
            {f_button, Floor} ->
                ordsets:add_element(Floor, FloorReqs);
            {e_button, _Elevator, Floor} ->
                ordsets:add_element(Floor, FloorReqs);
            {stopped_at, Elevator, Floor} ->
                case ordsets:is_element(Floor, FloorReqs) of
                    true  -> FloorReqs;
                    false -> throw({bad_stop, Elevator, Floor})
                end;
            _ -> FloorReqs
        end.

■ Uses ordered sets (ordsets) to store the set of floor orders (the state of the monitor)
Scenarios
64 / 67
■ Ok, so we have a program, and a correctness property, what is missing?
■ Hmm. . . we have to specify the environment under which we check the program, i.e., the sequences of buttons the elevator users press
■ Instead of specifying one big scenario with a really big state space, we generate a number of smaller scenarios, similar to test cases:
◆ Floor button 1 pressed
◆ Floor button 2 pressed, Elevator button 1 pressed
◆ Elevator button 2 pressed, Floor button 2 pressed, Floor button 2 pressed, . . .
■ But since we are model checking, every scenario is fully explored
More Correctness Properties
65 / 67
■ Refining the floor correctness property:
An elevator only stops at a floor after receiving an order to go to that floor, if no elevator has already met the request
(implemented as a monitor that keeps a set of floor requests; visited floors are removed from the set)
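The monitor state and correctness check of slides 60-63, with the refinement just described (served floors leave the set), written out as a complete module. This is an added example and not code from the slides or from the McErlang distribution: the stateChange/3 callback follows the slide-61 contract (return {ok, NewState}, signal a violation by throwing), while the lock-step driver run/1, the action trace format and the lift_monitor module name are assumptions made so the automaton can be exercised in a plain Erlang shell without McErlang.

```erlang
%% Added example (not from the slides or McErlang): the refined floor-order
%% safety automaton, driven in lock-step over constructed action traces.
-module(lift_monitor).
-export([init/0, stateChange/3, run/1, demo/0]).

%% Monitor state: the ordered set of floors with an outstanding order.
init() -> ordsets:new().

%% Called once per program step with the program state (not needed for this
%% property), the automaton state and the side effect (action) of the step.
stateChange(_ProgramState, FloorReqs, Action) ->
    case Action of
        %% A floor button or an in-elevator button records an order.
        {f_button, Floor} ->
            {ok, ordsets:add_element(Floor, FloorReqs)};
        {e_button, _Elevator, Floor} ->
            {ok, ordsets:add_element(Floor, FloorReqs)};
        %% Stopping is only allowed at a floor with an outstanding order.
        %% Refinement of slide 65: the served order is removed, so a second
        %% stop at the same floor needs a fresh order.
        {stopped_at, Elevator, Floor} ->
            case ordsets:is_element(Floor, FloorReqs) of
                true  -> {ok, ordsets:del_element(Floor, FloorReqs)};
                false -> throw({bad_stop, Elevator, Floor})
            end;
        %% Every other action is irrelevant to this property.
        _Other ->
            {ok, FloorReqs}
    end.

%% Driver (assumed, stands in for McErlang calling the automaton): feed a
%% trace of actions to the automaton and report {ok, FinalState} or
%% {violation, Error, ActionsBeforeError}.
run(Trace) -> run(Trace, init(), []).

run([], State, _Seen) ->
    {ok, State};
run([Action | Rest], State, Seen) ->
    try stateChange(undefined, State, Action) of
        {ok, NewState} -> run(Rest, NewState, [Action | Seen])
    catch
        throw:Error -> {violation, Error, lists:reverse(Seen)}
    end.

%% Constructed traces (not the real lift example's scenarios).
demo() ->
    Good = [{f_button, 2}, {moving, lift1, 1}, {stopped_at, lift1, 2}],
    %% The second stop at floor 2 has no outstanding order: the refined
    %% property rejects it, whereas the slide-63 monitor would accept it.
    Bad  = [{f_button, 2}, {stopped_at, lift1, 2}, {stopped_at, lift1, 2}],
    {run(Good), run(Bad)}.
```

Compile with `c(lift_monitor).` and call `lift_monitor:demo().`; the first trace yields `{ok, []}` and the second `{violation, {bad_stop, lift1, 2}, [{f_button, 2}, {stopped_at, lift1, 2}]}`. Under McErlang the driver is unnecessary: the checker calls the callback on every step of every interleaving of a scenario, and the prefix it reports on a violation is a complete counterexample rather than one hand-picked trace.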
Other Correctness Properties
66 / 67
■ The floor correctness property is a safety property (nothing bad ever happens)
■ A liveness property: If there is a request to go to some floor, eventually some elevator will stop there
■ In temporal logic:

    always(fun go_to_floor/3) =>
        next(eventually(fun stopped_at_floor/3))

■ The state predicate fun go_to_floor/3 is satisfied when an elevator has received an order to go to a floor
■ The state predicate fun stopped_at_floor/3 is satisfied when an elevator stops at a floor
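A liveness property cannot be refuted by a finite trace (a stop may still be coming), which is why a model checker reports liveness counterexamples as a lasso: a finite prefix followed by a loop that repeats forever. The following added example, not code from the slides or from McErlang, evaluates the formula above, always(P => next(eventually(Q))), over such lasso-shaped runs. The lift_liveness module name, the abstract run states (a list of the events of each step) and the arity-1 predicates are assumptions; the McErlang predicates on the slide have arity 3 and inspect real program states.

```erlang
%% Added example (not from the slides or McErlang): checking the liveness
%% formula always(P => next(eventually(Q))) on a lasso-shaped run.
-module(lift_liveness).
-export([holds/3, go_to_floor/1, stopped_at_floor/1, demo/0]).

%% A run is {Prefix, Loop}: two lists of abstract states, Loop non-empty.
%% The infinite run is Prefix followed by Loop repeated forever.
%% holds(P, Q, Run) is true iff always(P => next(eventually(Q))) holds.
holds(P, Q, {Prefix, Loop}) when Loop =/= [] ->
    States = Prefix ++ Loop,
    N = length(States),
    %% Positions beyond the finite word are loop states again, so Q anywhere
    %% in the loop satisfies eventually(Q) from every position.
    QInLoop = lists:any(Q, Loop),
    Check = fun(I) ->
                case P(lists:nth(I, States)) of
                    false -> true;                       % P => ... holds
                    true  ->
                        %% next(eventually(Q)): Q at a position strictly
                        %% after I, either later in the word or in the loop.
                        Later = lists:nthtail(I, States),
                        lists:any(Q, Later) orelse QInLoop
                end
            end,
    lists:all(Check, lists:seq(1, N)).

%% Assumed abstract state predicates: a state is the list of events that
%% happened in that step, e.g. [{go_to_floor, 2}] or [{stopped_at, lift1, 2}].
go_to_floor(State) -> lists:keymember(go_to_floor, 1, State).
stopped_at_floor(State) -> lists:keymember(stopped_at, 1, State).

%% Constructed runs (not from the lift example's scenarios).
demo() ->
    P = fun go_to_floor/1,
    Q = fun stopped_at_floor/1,
    %% Order served within the prefix, then the lift idles forever.
    Served  = {[[{go_to_floor, 2}], []], [[{stopped_at, lift1, 2}], []]},
    %% Order issued in the prefix, served only inside the repeating loop.
    InLoop  = {[[{go_to_floor, 2}]], [[], [{stopped_at, lift1, 2}]]},
    %% Counterexample lasso: the order is issued and the lift idles forever.
    Starved = {[[{go_to_floor, 2}]], [[]]},
    {holds(P, Q, Served), holds(P, Q, InLoop), holds(P, Q, Starved)}.
```

`lift_liveness:demo().` returns `{true, true, false}`: the third run is exactly the shape of counterexample a checker would print for this property, a request followed by a cycle of states in which no elevator ever stops. As on the slide, the formula does not relate the floor of the request to the floor of the stop; binding them would need a monitor-style state as in the safety property.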
![Page 136: Erlang and the McErlang Model Checker](https://reader031.vdocument.in/reader031/viewer/2022012516/6190b4f2177a2209574b9e1d/html5/thumbnails/136.jpg)
A Pragmatic Testing-Like Approach to Model Checking
67 / 67
■ We strive to reduce the effort in creating a model from aprogram (we support almost full Erlang)
■ When programs are too complex to fully verify, modelchecking becomes a form of controlled testing:
◆ The amount of memory and time available to verify aprogram can be control (a verification attempt can beinconclusive)
◆ Randomized (wrt. state space exploration order)verification algorithms are available (thus repeating averification run can explore new parts of the state space)
◆ Randomized state storage data structures are available(Holzmann’s bitspace algorithms)
■ Instead of building complex program environments a programis checked under aset ofmuch simpler program environments
Self Study
68 / 67
■ Install McErlang: https://babel.ls.fi.upm.es/trac/McErlang/
■ The file https://babel.ls.fi.upm.es/trac/McErlang/attachment/wiki/midTermWorkshop/exercises.txt contains instructions
■ See the directory examples in the McErlang distribution for the lift example source code