30/APR/08 LFM 1

Getting Somewhat Formal

with CSP and C++

Bill Gardner, Assoc. Prof.Modeling & Design Automation Group

Dept. of Computing & Information ScienceUniversity of Guelph

30/APR/08 LFM 2

Outline

• Overview of “selective formalism”– Based on CSP++ tool set:

Making CSP specifications executable in C++• Communicating Sequential Processes (Hoare)

• Case studies: focus on ATM

• Technical look:– extent of CSP support; runtime mechanism

• Current status/availability; future work

30/APR/08 LFM 3

“Spectrum” of Formality

Mature,repeatable

devpt process

Ad hoc“Gonzo”SW devpt

Full formaldevelopment

Use offormal

specifications

Selectiveformalism

Remove ambiguitiesProve properties Relies on hand- translation to code

Prove propertiesCode provably equivalent to specs Relies on gurus to write specs, pilot refinements to code

30/APR/08 LFM 4

Selective Formalism

• Formal spec (CSP) for “control backbone”– Interprocess communication/synchronization– Most vulnerable to concurrency snares:

• Deadlock, livelock, safety issues

– Prove properties– Automatic code generation C++

• Plug in non-formal C++ modules– Invoked by CSP events & channels

30/APR/08 LFM 5

Concurrent programming

• IPC = rich source of faults– Programmers choose among techniques:

mutexes, semaphores, monitors, (conditional) critical regions, condition variables

– May not appear in programming language directly→cobble together

– Must apply correctly “or else”• Lock/unlock mutexes in right order, etc.

– Faults hard to reproduce, order dependent

30/APR/08 LFM 6

Sample of CSP:Vending Machine

SYS = CUST [|{|insert,select,get|}|] VEND(0)

CUST = insert!100 → insert!25 →select!RootBeer → get.RootBeer → SKIP

VEND(dep) = insert?amt → VEND(dep+amt)[]

select?prod → get.prod → VEND(0)

30/APR/08 LFM 7

What CSP buys you

• Simple, small set of IPC elements:– CSP synchronization = rendezvous (barrier)– CSP channel characteristics:

• One-way communication

• Point-to-point (broadcast possible)

• Unbuffered

• Avoids usage errors of other IPC techniques

• Except: circular waiting (deadlock) possible

30/APR/08 LFM 8

Automated CSPm Tools

• Different ways to explore your CSP spec before you go to code:– From Formal Systems (Europe) Ltd: ProBE– Process exploration tool, expands any CSP

statement, treelike, to all reachable states– Make sure your CSP does what you thought

30/APR/08 LFM 9

Verification of properties

• Another Formal Systems tool, FDR2– “Failures Divergences Refinement”

• Checks for deadlocks automatically– Done by state-space exploration, sped up by

heuristics

• Refinement checking

• Safety properties verification

30/APR/08 LFM 10

Selective Formalism

• System designers decide:– How much of system to specify in CSP

• Control backbone

• Critical areas

– How much to write in conventional C++• Computations, I/O

• NO interprocess comm/sync (breaks formal model)

• Limits role of formal gurus:– Spec writing, verification

30/APR/08 LFM 11

Bridging the formal method vs.

implementation gap

CSP++implements CSP computation model

invokes plug-in moduleshandles interprocess sync/comm

CSPformal “backbone”

models control structureinterprocess sync/comm

verification tools

C++plug-in modules

bulk of data processingrestrictions (no IPC)

30/APR/08 LFM 12

Layered System Model

CSP++ Control Layer

Hardware Components

RTOS Facilities

Packages

User-codedFunctions

Target System

30/APR/08 LFM 13

User-codedFunctions

Target System

UserFunctions

CSP++ Design Flow

CSP Specs

VerificationTool

cspttranslator

CSP++ Control Layer

30/APR/08 LFM 14

Integration of User Code

Hardware Components

RTOS Facilities

Packages

External EventRoutines

CSP++ ControlLayer

P2P3P1

f1 f3f4

f2

P1 CSP process

CSP event

f1 user function

30/APR/08 LFM 15

Restrictions on User Code

• Can link to individual events, or multiple cooperating events of leaf-level process

• Cannot rely on static storage (due to multiple process instances) except as provided by framework

• Cannot “go behind back” of CSP spec to contact other processes– preserves convention that interprocess

communication/synchronization done via CSP

30/APR/08 LFM 16

What can you do with CSP++?

• Case studies to date:– Disk controller (performance benchmark)– Point-of-sale terminal [Carter & Xu 2005]

• Targets Xilinx Microblaze processor core onVirtex-II FPGA

– Automated teller [Doxsee & Gardner 2005]• With 22 user-coded functions

• Network interface to simulated bank using MySQL

– Robot probe [Carter & Gardner 2007]

30/APR/08 LFM 17

CSPm for one ATM process

SESSION = insertcard_i -> READINGCARDREADINGCARD = readcard?c -> (cardset!c -> READINGPIN)

[] badcard -> EJECTREADINGPIN = readpin?p -> (pinset!p -> CHOOSING)

[] cancel -> EJECTCHOOSING = chosen?menu -> (choose!menu -> TRANS)

[] cancel -> EJECTTRANS = endtrans -> EJECT

[] anothertrans -> CHOOSING[] holdingcard -> DONE

EJECT = ejectcard -> DONEDONE = sessiondone -> SESSION

We will see the READINGPIN process translated to C++ next

30/APR/08 LFM 18

Sample Translation of CSPm by cspt to C++

//READINGPIN = readpin?p -> (pinset!p -> CHOOSING)//[] cancel -> EJECTChannel readpin("readpin", readpin_p);AGENTPROC( READINGPIN_ ) FreeVar p; Agent::startDChoice( 2 ); readpin >> p; cancel(); switch ( Agent::whichDChoice() ) { case 0: { pinset << p; CHAIN0( CHOOSING_ ); } default: { CHAIN0( EJECT_ ); } }}

We will see the readpin channel input event replaced by a user-coded C++ function next

30/APR/08 LFM 19

Sample User-coded C++ Function

• linked to the CSPm channel readpin?p• obtains PIN and returns it via status

void readpin_chanInput( ActionType t,ActionRef* a, Var* status, Lit* l )

{ int pinnumber; cout << "Welcome to the CSP++ ATM" << endl; cout << "Please enter your PIN -> "; cin >> pinnumber; *status = Lit(pinnumber); // store input

}

30/APR/08 LFM 20

ATM Performance Metrics

• 1.5 GHz Pentium M, 512 Mb RAM

• UCFs removed so only framework overhead measured

• 10,000 ATM transactions

• Compared with commercial SW synthesis tool, Rational Rose RealTime V6.5– Generates C++ from UML state diagrams

30/APR/08 LFM 21

ATM Timing

• Learned:– Structure of CSPm spec strongly influences run-time

performance (environment stack, threads)

– Pth is slow compared to native POSIX threads

10,000 transactions Total Secs.

RRRT V6.5 4.92

CSP++ original CSPm 19.8

CSP++ flattened CSPm 8.45

30/APR/08 LFM 22

Contrast Component Kit Approach

• Construct executable system from library of components with CSP semantics– E.g., JCSP/CCSP/C++CSP– Appropriate for static process structure– Event/channel renaming not applicable

• [Raju et al 2003] Translates CSPm to CTJ, JCSP, CCSP– CSP++ does more operators

30/APR/08 LFM 23

Process Definitions

• Simple: M = a -> b-> SKIP• Parameterized: P(1,n) = ch!n -> Q

P(x,n) = R(x) ||| S(n)

• Translation-time vs. run-time binding

… -> M … b?y -> P(y,4)

… -> P(1,5)

30/APR/08 LFM 24

Process Composition

• Interleaving: P ||| Q ||| R• Sequence: P ; Q ; R• Interface (sharing) parallel: P[|events|]Q

– Simple event set: {a,b,c}– Event closure: {|chan|}

30/APR/08 LFM 25

Supported Operators

• Comments: -- and {-…-}• Prefix: ->• I/O: ch.1.5!12 … ch.1.5?z• if … then … else• External choice: a->P [] b->Q

– Limitation: initial event must be exposed

• Renaming: [[e<-f]]• Hiding: \{e}

30/APR/08 LFM 26

OO Application Framework

• A given translated C++ program =a customization of the framework

• Most generated code instantiates OOAF classes– Process; Channel; Event; etc.– Classes incorporate CSP execution semantics

• Targeting OOAF shortens translation “distance” compared to directly generating assembly code & C++ OOAF more portable

30/APR/08 LFM 27

Run-time Environment Stack

• Branches at composition operators (tree)

• Records all…– Synchronization sets (sync objects become

“control center” for sync/comm in progress)– Hiding & renaming

• Event execution searches up stack to identify sync/comm, apply hiding/renaming– Trace printing reflects hiding/renaming– Can verify that trace refines original spec

30/APR/08 LFM 28

Recent developments (1)

• Added synthesis of Timed CSP operators to CSP++– Original CSP is untimed– Timed CSP adds delays -d->, timeouts [d>, and

timed interrupts /d\ (+untimed versions [> /\ )– Recent tool for carrying out timed verification:

• HORAE, National Univ. of Singapore

– Includes robot vacuum case study

30/APR/08 LFM 29

Recent developments (2)

• New Eclipse plug-in for CSP++– CSP-highlighting specification editor

– Integrated with Formal Systems tools (ProBE, FDR2) and maybe HORAE

– One-click translation/build

– Export execution trace to FDR for verification

– Convenient integration of C++ user-coded functions

• Goal: Make CSP++ attractive for use in education– Help automate, smooth design flow

30/APR/08 LFM 30

Future work

• More data types (only int now)

• Extend CSP channels/events to coprocessor– Target digital logic on FPGA, SOPC

• Add hardware synthesis to cspt translator– Hardware/software codesign:

• Partition CSP spec: SW part→C++ source code

• HW part→HW description language → FPGA netlist

• Synthesize the communication links between them

30/APR/08 LFM 31

Future work (2)

• Concise training for roles:– CSPm “guru”:

– write CSPm, write assertions, run verification tools

– System designers identify named CSP events to be linked with C++ functions

• I/O, interface to external components, calculations

– UCF coder: write C++, test/debug system– How much CSP knowledge is enough?

30/APR/08 LFM 32

Availability

• Formal Systems tools (ProBE, FDR) free fornon-commercial use (www.fsel.com)

• CSP++ also free– Only needs GNU g++ and Pth portable threads– Threading model is non-preemptible without

priorities

30/APR/08 LFM 33

CSP++ Versions

• Download from my website:www.cis.uoguelph.ca/~wgardner“Research & Downloads” link– V4.1 binaries available now + case studies code– V4.2 soon to be released as “open source”

• Will include Eclipse plug-in

– V5.0 with timed operators still in testing

30/APR/08 LFM 34

Conclusion

• CSP++ makes synthesizable subset of verifiable CSPm specifications executable & extensible

– Tool for carrying out selective formalism with user-coded C++ functions

– Possibility of making (some) formalism more palatable & practical to the resistant

30/APR/08 LFM 36

Utilize 4 kinds of CSP

• Functional model:– Processes with desired system behaviour

• Environment model:– Processes simulate entities interacting with system

• Constraint model:– Optional processes limit/constrain event sequences

(including safety properties)

• Implementation model:– Detailed functionality for synthesis

30/APR/08 LFM 37

Refinement checking in FDR

• Does candidate implementation X “refine” specification S?– Done by verifying traces(X) traces(S)

• “Spec S is ‘trace refined’ by implementation X”

• Verify that traces output from CSP++ simulation refine original CSP spec!(have tool for this)

30/APR/08 LFM 38

Safety properties in FDR

• After given sequence of events, system should not engage in certain “unsafe” events– Set up specification of a bad CSP process that

you don’t want to occur– Check whether it refines original spec

• If not, proves the spec is safe (in that regard)

30/APR/08 LFM 39

Prospects for adoption

• Realistically, groundwork for industry practice laid in university education today– Where are formal methods in our/anyone’s

undergrad curriculum?

• Suitable for 4th yr/grad course– 50% exposure to variety of methods– 50% concentrate on actually using one

30/APR/08 LFM 40

• Related work: libraries approach– Since manually assembled, not “correct by

construction”– Suitable for specs with static process structure

(no renaming, hiding, little/no dynamic process creation)

• Tech’l: CPA talk

• ATM: CPA talk