Association from PROMELA to Java

Suprapto, Member, IAENG, Retantyo Wardoyo, Belawati H. Widjaja, and Reza Pulungan

Abstract—The association between the subset of PROMELA’s TABLE I: Construct association between a subset of constructs (or statements) and the subset of Java’s constructs

PROMELA and Java constructs

is intended to provide a collection of rules that can be used as

a reference in developing a model of code translator from a Java PROMELA model to a Java program. The idea arises from the

fact that, both PROMELA model and Java program are built

Assignment

Assignment

(or composed) by various elementary elements called constructs.

Send and receive

Two defined methods in separate classes together

Although this kind of association has already been introduced with the required channel (buffer) that can be

invoked either by regular invocation or by socket in some previous researches, they provided no proofs about its

programming.

correctness.

while · · · switch, namely a switch in a while loop. In this paper we propose a formal proof of association’s

atomic

d step

synchronize

correctness by showing the equivalence (or similarity) of the

Generally, a program is specifically built to have program graphs for every two associated constructs in the

if · · · f i

a priority in selecting certain condition; in which association. The correctness of association means that every two

case nondeterminisms can be removed. Otherwise, associated constructs in association have equivalent semantics.

if nondeterminism is preserved (or at least imi- In addition, at the end of this paper we also introduce a

tated), randomize is implemented. translator tool we have developed based on this association’s

Fixed repetition f or loop. definition to translate PROMELA model to Java program.

Deterministic

f or do · · · od

Repetition of selection together with nondetermin- Index Terms—Constructs association, PROMELA, Java, cor-

ism resolution as described for if · · · f i. rectness, equivalence, preserving, program graph, similarity,

Exception handling try..catch. semantics.

unless

NTRODUCTION I. I

of Java language can be used in the translation of certain PROMELA properties. Therefore, Java is one of a few

The widespread use of source-to-source translation for im- reasonable candidates that can be used as a target language perative languages would help software engineering if such for PROMELA translation [6]. translator could be written and if it were easier to translate

A construct association from PROMELA to Java is an an existing program into another language than building association from a subset of PROMELA’s statements (or the program from scratch [5]. Source-to-source translation constructs) to a subset of Java’s statements associating every has been studied by various researchers, and is often used statement in the first subset to probably more than one state- together with program optimization. It is sometime, however, ment in the second subset. According to their functionality, used without program optimization. Translators that do not statements in PROMELA can be classified into five groups, optimize programs but only preserve the same structure

i.e. , meta terms (9 statements), declarators (21 statements), from one language to another have significant potential for control flows (8 statements), basic statements (6 statements), software engineering. and predefined (21 statements) [17]. Of them, however, there

A translator was also developed to detect deadlock exis- are only ten constructs in PROMELA to be selected in the tence on Java programs based on PROMELA and SPIN [2]. association. The selection was made by considering that An abstract formal model expressed in PROMELA is gener- some constructs in a PROMELA model are only used for ated from Java source using the Java2Spin translator. Then verification purpose, hence, they are not required in the the model is analyzed by SPIN [7], [8], and possible error system (or Java program) development. In addition, some traces are converted back to traces of Java statements and bigger constructs can be composed by several elementary reported to the user. An indirect way of model checking ones. An informal definition of construct association is given

C programs was proposed in [11] by first translating the in Table I.

C code to PROMELA. The translator was developed by Even though this kind of associations has already been in- using syntax-directed translation techniques to perform the troduced in previous researches [3], [6], [16], [17], however, translations, and several tools and languages are involved. the proof that can guarantee the association’s correctness has PROMELA is one of the most widely used modeling never been provided. This research proposes a formal proof language to model systems, especially distributed, reactive of association’s correctness by showing the equivalence of and concurrent ones [10]. On the other hand, some parts semantics for pair of associated constructs, and this equiv-

Manuscript received June 09, 2015; revised July 15, 2015.

alence in turn is proven by their program graphs similarity.

Suprapto, R. Wardoyo, and R. Pulungan are with the Department

The proof is performed by executing the following steps:

of Computer Science and Electronics, Faculty of Mathematics and Nat- ural Sciences, Universitas Gadjah Mada, Yogyakarta, Indonesia e-mail:

1. For each two associated constructs in the association:

sprapto@ugm.ac.id, rw@ugm.ac.id, and pulungan@ugm.ac.id. B.H. Widjaja is with the Faculty of Computer Science, Universitas

1.1 Derive the program graph for PROMELA con-

Indonesia, Jakarta, Indonesia e-mail: bela@cs.ui.ac.id.

struct, and its associate Java construct.

1.2 Compare the two program graphs for their similar- ity.

1.3 If they are not similar, then modify its associate in Java , and go to 1.1.

2. If there are still pairs of associated constructs in the Fig. 1: An illustration of ignorable locations association, then go to 1 for next pair of association.

Otherwise, go to 3.

3. Stop, and the association’s correctness is proved.

B. Substatements The set of substatements of a PROMELA statement (con-

RELIMINARIES II. P

struct) stmt is defined recursively [1]. The set of sub-

A. Program Graph statements for an atomic statement stmt ∈ {expr, x = expr, c?x, c!expr} is sub(stmt) = {stmt, exit}, since an

A program graph (PG) over a set of typed variables is a atomic statement only requires one-step of execution. For se- digraph whose edges are labeled with conditions on these quential composition stmt 1 ; stmt 2 , the set of substatements variables and actions. It is formally defined as follows [1]:

is defined as:

Definition 1. A program graph P G over set V ar of typed

variables is a tuple (Loc, Act, Ef f ect, ֒→, Loc ,g ), with: sub(stmt 1 ; stmt 2 ) = {stmt ; stmt 2 | stmt ∈ sub(stmt 1 )

• Loc is a set of locations, \ {exit}} ∪ sub(stmt 2 ). • Act is a set of actions,

As an illustration, consider the sequential composition in • Effect : Act × Eval(V ar) × Eval(V ar) is an effect Listing 1. function, • ֒→⊆ Loc × Cond(V ar) × Act × Loc is the conditional

Listing 1: Sequential composition transition relation,

• Loc

0 ⊆ Loc is a set of initial locations, and

x=x+3;

• g 0 ∈ Cond(V ar) is the initial condition.

y=2y+2;

z=3z+1;

The program graph associated with a statement (or con- ... struct) stmt formalizes the control flow when it is being Since all constructs in the composition are assignment and

executed. It means the substatements play the role of the in PROMELA assignments are always atomic, then sub(x = locations, and a special location exit must be provided in x+3; y = 2y+2; z = 3z +1) = {(x = x+3; y = 2y+2; z = order to model termination. Roughly speaking, any guarded 3z + 1), (y = 2y + 2; z = 3z + 1), (z = 3z + 1), exit}. These command g ⇒ stmt corresponds to an edge with the label substatements determine a set of location, Loc, of program

g : α where α stands for the first action of stmt [1]. g :α graph. In addition, assignments are always executable, so

The notation ℓ ֒−−→ ℓ ′ is used to concisely represent that the condition of transition is always true, Act = {x =

(ℓ, g, α, ℓ ′ ) ∈֒→. The condition g is also called the guard of x+3; y = 2y +2; z = 3z +1}, and Loc 0 g = {(x = x+3; y = the conditional transition :α ℓ ֒−−→ ℓ ′ . If the guard is tautology 2y +2; z = 3z +1)}. Then, the corresponding program graph

(e.g., g = true or g = ((x < 1)∨(x ≥ 1))), then it is simply is shown in Fig. 2. written as α ℓ ֒− →ℓ ′ .

The behavior of location ℓ ∈ Loc depends on the current variable evaluation η. A nondeterministic selection is made g

between all transitions ′ ℓ ֒−−→ ℓ that satisfy the condition g in evaluation η (i.e., η |= g). The execution of action α changes

the evaluation of variables according to Effect(α, ·, ·). Sub- sequently, the system changes into location ℓ ′ . If no such transition is possible, the system stops.

A location ℓ in a program graph is ignorable if the execution of action α does not change the evaluation of variables according to Effect(α, ·, ·) of the next location ℓ ′ , Fig. 2: Program graph for sequential composition in Listing 1 provided that any variable being involved in the computation is completely new and independent. More formally, this

The set of substatements of if · · · f i selection statement concept might be stated in the following proposition. The is defined incrementally, as the set consisting of the if · · · f i ignorable locations is illustrated in Fig. 1.

statement itself plus substatements of its guarded commands. Proposition 1. Let L A , L B be any two locations in a That is, let if f i be if :: g 1 → stmt 1 . . . :: g n → stmt n f i, program graph

P G over variable V ar, and L then:

1 ,L 2 ,...,L m

are locations induced by introducing any new variables sub(if f i) = {if f i, exit} ∪ { {stmt ′ | stmt ′ ∈ sub(stmt i )

x ′ ∈ V ar. Then the existence of L / 1 ,L 2 ,...,L m in between

1≤i≤n

L A and L B is ignorable. Hence, locations L 1 ,L 2 ,...,L m

\ {stm ′ , exit}}}

can be coalesced with L 1 into a new single location, and

they ( ′ i.e., locations L

1 ,L 2 ,...,L m ) are called coalesceable where stm is the first action in stmt i .

locations. An example for a conditional statement if · · · f i is shown in Listing 2.

Listing 2: A conditional statement if · · · f i

if stmt2 1 never executable.

cond=if Then, it can be seen that each element in the set of :: true −> x = x + 1 ; y = 2 y + 1 ;

substatements of PROMELA as well as Java constructs

corresponds to the locations of program graph for the cor- : : x == 0 −> c ? x ; c ! y ;

z=3z+1;

::c?z responding construct. For example, the locations of pro-

−> y = 3 z + 5 ; fi

gram graph for atomic statement such as assignment are assignment itself and exit, namely sub(assignment) =

According to the definition of substatements for con- {assignment, exit}. Similarly, the locations in program ditional statements, sub(cond) = {cond, exit} ∪ {y = graph for if · · · f i selection statement is if f i itself plus 2y + 1; , z = 3z + 1; , z = 3z + 1} ∪ {c!y}. There are union of locations of each guarded command. three edges going out of the initial location cond with label true : x = x + 1 to location y = 2y + 1; z = 3z + 1, then leaving this location with label true : y = 2y +1 for location

C. Semantics

z = 3z + 1, and subsequently leaving this location with label As mentioned before, the intention of this research is to true : z = 3z + 1 for location exit. Meanwhile, an edge formally prove the semantics’ equivalence of every two asso- from location cond with label x == 0 : c?x goes to location ciated constructs in the association. Therefore, the following c!y, then leaves this location with label ¬f ull(c) : c!y for lemma helps explain the formal semantics of any PROMELA location exit. In addition, out of location cond there is an as well as Java statements. edge labeled c?z : y = 3z + 5 leaving for location exit. Since, there is always an executable guard (i.e., true), then Lemma 1. The semantics for any statement of both it does not block. Consequently, there is no edge returning PROMELA and Java stmt is described by three rules that to initial location cond. Graphically, the program graph for classify them into one-step statement, multi-step statement, conditional construct if · · · f i is shown in Fig. 3.

and blocked statement. If the computation of stmt terminates in one step by the execution of action α, then control of stmt moves to exit after executing α:

stmt ֒−−→exit

g :α

If the first step of stmt leads to a location (or statement) different from exit, then the rule looks like:

Fig. 3: Program graph for construct if · · · f i in Listing 2

. Similarly, the set of substatements of do · · · od repetition

stmt ֒−−→stmt ′ 6= exit statement is defined as the set containing of the do · · · od

g :α

On the other hand, if the computation of stmt for some statement itself plus exit, and substatements of its guarded reasons cannot be performed (blocked), then control does not

commands plus loop minus exit. move. The following rule will satisfy:

Let dood be do :: g 1 → stmt 1 . . . :: g n → stmt n od,

then:

stmt ֒−−→stmt sub(dood) = {loop, exit} ∪ {

g :α

{stmt ′ ; loop

As a consequence, Lemma 1 leads to a more general form of sequential composition stmt 1 ; stmt 2 , that is stated in the

1≤i≤n

| stmt ′ ∈ sub(stmt i ) \ {stm ′ , exit}}

following corollary.

where stm ′ is the first statement in stmt i . Corollary 1. Sequential composition stmt

is defined According to the definition of the set of substatements

1 ; stmt 2 by two rules that distinguish whether or not stmt terminates

of atomic, then sub(atomic{stmt 1 , stmt

2 , . . . , stmt n }) = in one step. If the computation of stmt terminates in one

{atomic{stmt 1 , stmt 2 , . . . , stmt n }, atomic{stmt i +1 ,

step by executing action α, then control of stmt ; stmt stmt i

+2 , . . . , stmt n }, exit}. It strongly restates

that

moves to stmt after executing α:

atomic is indivisible. The same is true for d step, hence

sub(d step{stmt}) = {d step{stmt}, exit}. g :α stmt

1 ֒−−→exit For unless statement, let unless construct repre-

stmt 1 ; stmt 2 ֒−−−−→stmt 2 then:

true :α

sent {stmt1 1 , . . . , stmt1 m } unless {stmt2 1 , . . . , stmt2 n },

If the first step of stmt 1 leads to a location (or statement)

sub(unless construct) = sub(stmt2 1 ; . . . ; stmt2 n ),

different from exit, then the following rule applies [1]:

when stmt2 ′

1 is executable for the first checking, then there stmt 1 ֒−−→stmt 1 6= exit

g :α

. is no statement in the main sequence executed, or:

g :α

stmt 1 ; stmt 2 ֒−−→stmt ′ 1 ; stmt 2

sub(unless construct) = sub(stmt1 1 ; . . . ; stmt1 i −1 )

If the computation of stmt 1 for some reasons cannot be

performed (blocked), then control does not move, and the stmt2 following rule will satisfy:

∪ sub(stmt2 1 ; . . . ; stmt2 n ).

1 is executable, when for some

i, 2 ≤ i ≤ n − 1,

stmt1 i will be executed, or:

g stmt :α

1 ֒−−→stmt 1

sub(unless construct) = sub(stmt1 1 ; . . . ; stmt1 m )

stmt :α

1 ; stmt 2 ֒−−→stmt 1 ; stmt 2

Inference rules for both PROMELA and Java constructs, Theorem 1. The association CA is correct only if for every such as expression, assignment, send, receive, etc., will association (Cp i , Cj k ) ∈ CA, Cp i ∈ P , and Cj k ∈ J, then

be derived from both Lemma 1 and Corollary 1. Subse- P G(Cp i ) ≃ P G(Cj k ), where P G(Cp i ) is a program graph quently, these rules are used to generate program graphs for for Cp i , and P G(Cj k ) is a program graph for Cj k . the corresponding constructs.

The proof of Theorem 1 is given in the following subsec- tion.

D. Program Graph Equivalence The definition of equivalence (or similarity) between two

A. The proof of Construct Association’s Correctness program graphs is inspired by the definition of digraph

The proof is carried out for all association (Cp i , Cj k )∈ isomorphism. The only difference is that the bijective func- CA; Cp

i ∈ P , Cj k ∈ J (see Fig. 4). tion f maps two locations representing statements from two According to the Definition 1, a program graph consists

different program graphs. For any two locations ℓ 1 and

of a set of locations Loc, a set of actions Act, an effect ℓ 2 ,

f (ℓ 1 )=ℓ 2 if and only if both ℓ 1 and ℓ 2 represent function Effect, a conditional transition relation ֒→, a set of two semantically equivalent statements or substatements. The initial locations Loc , and an initial condition

0 g 0 . Loc is determined by the corresponding set of substate-

formal definition of program graph similarity is stated in the

Definition 2. ments, while the conditional transition relation is provided Definition 2. Let PG 1 = (Loc 1 , Act 1 , Effect 1 , ֒→ 1 , Loc 0,1 , by inference rules represented in Structured Operational

g 0,1 ) and P G 2 = (Loc 2 , Act 2 , Effect 2 , ֒→ 2 , Loc 0,2 ,g 0,2 ) be Semantics (SOS) notation determining the transition from two PGs over variables

V ar 1 and

V ar 2 , respectively. PG 1 one location to other locations. In the level of program graph, and PG 2 are called equivalent (or similar), denoted PG 1 ≃ actions are normally in the form of expression, assignment, PG 2 , only if there are two bijective functions f : Loc 1 → and send or receive. The effect function could be any eval-

uation function that has any possibility to change variable’s • for any ℓ 1 ∈ Loc 1 there is ℓ 2 ∈ Loc 2 such that f (ℓ 1 )= value in the construct. In graphical representation of program ℓ 2 ; and

Loc 2 and g : Loc 1 × Loc 1 → Loc 2 × Loc 2 , such that:

graph, the initial location will be denoted by double-line • for any (ℓ 1 i ,ℓ 1 j ) ∈ Loc 1 × Loc 1 there is (ℓ 2 m ,ℓ 2 n )∈ circle (or ellipse) pointed by an arrow. Loc 2 × Loc 2 such that g(ℓ 1 i ,ℓ 1 j ) = (ℓ 2 m ,ℓ 2 n ), where

1) Expression: In PROMELA, an expression expr P is

f (ℓ 1 i )=ℓ 2 m , f (ℓ 1 j )=ℓ 2 n .

the most elementary construct in modeling, and it is an atomic statement [1]. Therefore, it only needs one step of

execution when the value of expr P is not zero [9], it means The list of construct associations between the subset of that there is a transition from an initial location to the next

ISCUSSION III. D

PROMELA and Java constructs in Table I can be formally location exit. This transition is depicted by the following defined in the Definition 3.

inference rule.

Definition 3. Let P and J be the subset of PROMELA con-

value (expr P )6=0

structs and Java constructs, respectively, in CA (construct expr P ֒−−−−−−−−−−→exit association). CA is defined as a relation from P to J, namely

On the other hand, if the value of expr P is zero, then there CA : P → J, such that for any construct Cp i ∈ P , and is no transition to the next location. Since the expression Cj k ∈ J, (Cp i , Cj k ) ∈ CA only if there is a PROMELA expr P blocks, the execution cannot be continued, namely it construct Cp i associated with a Java construct Cj k . This is has to wait until the value of expr P is not zero. The inference illustrated in Fig. 4.

rule for this transition is as follows:

. expr P ֒−−−−−−−−−−→expr P

value (expr P )=0

The set of locations Loc of a program graph for expr P , P G(expr P ) is determined by its substatement, so that Loc = sub(expr P ) = {expr P , exit}. Act is the evaluation of expr P , conditional transition relation is represented by its

inference rules, the initial location, Loc 0 = {expr P }, and the initial condition, g 0 is val(expr P ) 6= 0. Then, the program graph for expr P , P G(expr P ), is shown in Fig. 5. In Java, an expression expr J has a similar form with the one in PROMELA. Unlike expression in PROMELA, expression in Java is not atomic—especially for the long one. However, the synchronization in Java can be used to ensure that there is no other process interfering the result of expression evaluation. In this way, the atomicity of expr J

Fig. 4: Association diagram from set P to J can be preserved. In Java, this implementation is carried out by defining some methods, such as lock() and unlock()

The correctness of association defined in Definition 3 in a class containing global variables. Suppose header is is proved by showing the similarity between two program the name of the intended class, then the implementation of graphs of every two associated constructs in association.

locking is shown in Listing 3.

Listing 3: The usage of lock and unlock

A program graph for assgn P consists of Loc = ...

{assgn P , exit}, Act contains evaluation of x = expr P , header.lock();

conditional transition relation is represented by inference exprJ;

rules, Loc 0 = {assgn P }, and g 0 = true (an assignment header.unlock();

... is always executable). Graphically, a program graph for

assgn P is then shown in Fig. 7.

Fig. 7: A program graph for a PROMELA assignment, assgn P

Fig. 5: A program graph for a PROMELA expression, expr P In Java, an assignment assgn J also has the form of x=

This implementation guarantees atomicity, and the pro- expr J . It is always executable, provided that x and expr J

gram graph for expr J can be generated in similar way. For are compatible, i.e., type(value(expr J )) ⊆ type(value(x). example, transition to the next location exit will occur only The effect of its execution is that the value of expr J is if the value of expr J is not zero. See the following inference stored to x. Because assignment contains expression, and in rules:

Java expression is not atomic, then assignment is not atomic.

However, by giving it the same handling as in expression expr J ֒−−−−−−−−−−−−−−→exit

value (expression J )6=0

(i.e., header.lock(); x = expr J ; header.unlock();), it can Otherwise, transition will move back to the initial location,

be made atomic. Hence, the transition occurs from the initial expr J , as it is shown by the following inference rule:

location assgn J to the next location exit as described by the following inference rule:

. Formally, a program graph for expr J , P G(expr J ) consists

expr J ֒−−−−−−−−−−→expr J

value (expr J )=0

assgn J ֒−−−−−−−−−−−−−−−−−−−−−−→exit of a set of locations, Loc = sub(expr J ) = {expr J , exit},

type (value(expr J ))⊆type(value(x))

Formally, a program graph for assgn J consists of Loc =

a set of actions, Act containing the evaluation of expr J , {assgn J , exit}, Act contains evaluation of x := expr J ,

conditional transition relation is represented by its inference conditional transition relation is inference rule, Loc 0 = rules, a set of initial location, Loc 0 = {expr J }, and an initial {assgn J }, and g 0 = true (an assignment is always exe-

condition, g 0 is val(expr J ) 6= 0. Then, the program graph cutable). And graphically, it is shown in Fig. 8.

for expr J is shown in Fig. 6.

Fig. 8: A program graph for a Java assignment, assgn J

The last step is proving the similarity between Fig. 6: A program graph for a Java expression, expr J

P G(assgn P ) and P G(assgn J ). From Fig. 7 and Fig. 8, it can be seen that these two program graphs are exactly

The last step is proving that P G(expr P ) ≃ P G(exprJ) the same. Therefore, there must be two bijective functions is satisfied. It can be seen from Fig. 5 and Fig. 6 that

f and g, such that f (assgn P ) = assgn J , f (exit) = exit; there must be two bijective functions

f and g, such that and g((assgn P , exit)) = (assgn J , exit). Hence, it is proven

f (expr P ) = expr J ,

f (exit) = exit; and g(expr P , exit) = that P G(assgn P ) ≃ P G(assgn P

(expr J , exit), g(expr P , expr P ) = (expr J , expr J ). Hence,

3) Communications: PROMELA has two kinds of com- it is proven that P G(expr P munication operations, i.e., send and receive statements.

2) Assignment: Given the association (assgn P , assgn J ) They are atomic [1]. Both send and receive operations as- ∈ CA, and we prove that P G(assgn P ) ≃ P G(assgn J ).

sume that the capacity of communication media (or channel) In PROMELA, an assignment has the form of x = expr P , is greater than zero (buffered, or asynchronous) [9].

and like an expression, an assignment is atomic [1]. In addi- In PROMELA, send operation has two forms: c!expr tion, it is always executable provided that the value of expr P

and c!!expr. These operations can be performed when the and x are compatible, i.e., dom(value(expr P )) ⊆ dom(x). channel c is not full, otherwise it will block (i.e., it has to wait

The effect of its execution is that the value of expr P is stored until there is a space in the channel). In addition, expr and c to variable x. Since an assignment is atomic, it only requires must be compatible. Each of these send operations, c!expr one step of execution. The transition occurs from the initial and c!!expr, gives different effect to the channel. c!expr and location assgn P to the next location exit as depicted by the c!!expr place the value of expr in the rear, and in the front following inference rule:

of channel, respectively.

This operation requires one step of execution, so that assgn P ֒−−−−−−−−−−−−−−−−−−−−−−−−−−−→exit

dom (value(expr))⊆dom(x):x←value(expr)

when all conditions are met the transition occurs from initial when all conditions are met the transition occurs from initial

from the initial location c??x to the next location exit as depicted in the following inference rule:

¬f ull(c)

¬empty(c)

, c??x ֒−−−−−−−−−−−−−−−→exit and

c!expr ֒−−−−−−−−−−−−−−−−−−−−−−−−−→exit

dom (expr)⊆dom(c):c.rear←value(expr)

dom (c.i)⊆dom(x):x←c.i

for some

i, f ront ≤ i ≤ rear.

¬f ull(c)

The program graph for the receive statements c?x, c? <

x >, c??x, or c?? < x > is, respectively, defined formally c!!expr ֒−−−−−−−−−−−−−−−−−−−−−−−−−−→exit

dom (expr)⊆dom(c):c.f ront←value(expr)

with Loc = sub(c?x) = {c?x, exit}, Loc = sub(c? < x > ) = {c? < x >, exit}, Loc = sub(c??x) = {c??x, exit},

A program graph for send consists of Loc = sub(send) = and Loc = sub(c?? < x >) = {c?? < x >, exit}, {c!expr, exit}, Act contains expression, and assignment Act contains expression, assignment forms. The conditional forms, conditional transition relation is its inference rules, transition relation is inference rule, Loc = {c?x}, Loc =

Loc 0 = {c!expr}, and g 0 is ¬f ull(c). Graphically, a

0 program graph for = {c?? < x >}, and g 0 is ¬empty(c). Based on the way the value moves

{c? < x >}, Loc 0 = {c??x}, and Loc send is then shown in Fig. 9.

from the channel to the variable, the program graph for c?x and c??x are very much the same. Therefore, the program graphs for receive statements are sufficiently depicted one in Fig. 10.

Fig. 9: A program graph for a send operation, c!expr As mentioned above, the only difference between c!expr

and c!!expr is on the effect to the channel. Therefore, they have the same program graph (see Fig. 9).

Fig. 10: A program graph for a receive statement On the other hand, receive statement is used for receiving messages from channels. Unlike send statement, it has four

Communication operations between two or more processes forms: c?x, c??x, c? < x >, and c?? < x >, where c and x in Java (i.e., both send and receive), either they are in the denote the name of the channel and the list of argument(s) same computer or different computers are implemented by used to receive the messages, respectively.

defining a separate class containing at least a buffer and The first and third forms of the statement (written in ?) two methods. Particularly, when two or more communicating are executable if the first message in the channel matches the processes are in different computers, then either socket pattern from the receive statement. While, the second and programming or Remote Method Invocation (RMI) should fourth forms of the statement (written in ??) are executable

be implemented.

if there exists at least one message anywhere in the channel In Java, socket programming is the most widely used that matches the pattern from the receive statement.

concept in networking [14], [15]. Sockets provide the com-

A match of a message is obtained if all message fields munication mechanism between two computers using TCP that contain constant values in the receive statement equal the (Transmission Control Protocol). A client program creates values of the corresponding message fields in the message. If

a socket on its end of the communication and attempts to no angle brackets are used, the message is removed from the connect that socket to a server. When the connection is channel buffer after the values are copied, otherwise (angle made, the server creates a socket object on its end of the brackets are used), the message is not removed and remains communication. The client and server can now communicate in the channel.

by writing to and reading from the socket [14], [15]. When a For any form of receive statement, it should be assumed communication is performed via socket, the success of both

that the channel c is not empty, otherwise it blocks (it has operations actually does not only depend on contention of the to wait until there is a value in the channel). c?x needs an buffer, but also on the network connection. The sending and additional requirement: c and x must be compatible. The receiving can only proceed when the buffer is not full and is effect of c?x operation is that the value of the front channel not empty, respectively, plus connection is still maintained. (i.e.,

c.f ront) will be taken from c and stored into x. In accordance with the implementation discussed above, When all requirements are met, there will be a transition send and receive statements in PROMELA are implemented

from the initial location c?x to the next location exit as by a method send and receive respectively in Java. In this depicted in the following inference rule:

way, they can be defined in a similar way to send and receive statements in PROMELA. Hence, the program graph

¬empty(c)

for send statement in PROMELA and send method in Java,

receive statement in PROMELA and receive method in c?x ֒−−−−−−−−−−−−−−−−−→exit

dom (c)⊆dom(x):x←c.f ront

Java

4) Weak Atomicity: Given (atomic, while − switch) ∈ one for the previous statement, which is there must be at least CA, for atomic ∈ P , while − switch ∈ J, and we prove one

The compatibility requirement for c??x is softer than the

i, f ront ≤ i ≤ rear such that c.i and x are compatible. that P G(atomic) ≃ P G(while − switch). The effect of c??x operation is that the value of the i-th

In PROMELA, an atomic construct is expressed in a form position in c (i.e., c.i) will be taken and stored into x.

of atomic{stmt 1 , . . . , stmt n }, in which stmt i for 1≤i≤ of atomic{stmt 1 , . . . , stmt n }, in which stmt i for 1≤i≤

header.lock();

the last statement stmt n is completely evaluated. In the

switch(stmtnmbr) {

execution of an atomic construct, there might be case1: stmt

if ( ! s t m t 1 ) break ; some j, 1 ≤ j ≤ n, that blocks, and control flow stays in the

j for

stmt1;

location where the list of arguments stmt 1 , . . . , stmt j −1 for

stmtnmbr=2;

some j, 1 ≤ j ≤ n has completely been executed. The rest

case2:

of arguments list stmt j , . . . , stmt n will be treated exactly if ( ! s t m t 2 ) break ; the same as an atomic except with shorter length of the list. stmt2;

stmtnmbr=3;

Hence, during an atomic construct’s execution, it is possible

that other process(es) take control until stmt j is executable.

The inference rule of an atomic construct if all statements

casen:

in the argument list are executable during the execution is if ( ! s t m t n ) break ;

stmtn;

defined as: stmtnmbr=nmbrofstmt+1; ∀i, 1 ≤ i ≤ n, stmt i executable

atomic{stmt 1 , . . . , stmt n }−→exit

header.unlock();

However, if for some

i, 1 ≤ i ≤ n, stmt i blocks, it is defined

as: ∃i, stmt i block

The loop of a while is exited when stmt nmbr > . nmbr of stmt—when all statements in the argument list of

atomic{stmt 1 , . . . , stmt n }−→atomic{stmt i , . . . , stmt n } an atomic had completely been executed (nmbr of stmt In the latter case, the transition stops in the “temporary” loca- denotes the number of statements are in an atomic construct).

tion atomic{stmt i , . . . , stmt n }. Whenever stmt i becomes The block of switch is surrounded by header.lock() and executable, it will be treated similarly as the previous one header.unlock() to ensure the atomicity of a stmt i exe- except with the shorter list of arguments.

cution in each case. According to the switch definition in Formally, a program graph for an atomic P G(atomic) Listing 4, for any

i, 1 ≤ i ≤ n, if stmt i is false then exit consists of a set of locations, Loc = sub(atomic) = from switch before updating the value of stmt nmbr. If

i ≤ n, then stmt nmbr ≤ nmbr of stmt and program exit}; a set of actions, Act consists of actions are in control is still in while loop. However, once exit the switch,

{atomic{stmt 1 , . . . , stmt n }, atomic{stmt i , . . . , stmt n },

the form of an expression, assignment, send or receive, header.unlock() is executed—the lock is released. This Loc 0 = {atomic{stmt 1 , . . . , stmt n }}, and g 0 is stmt 1 means that other processes are allowed to take a control flow executable. Therefore, a program graph for an atomic until stmt i becomes true. It is similar with what happen in construct is graphically depicted in Fig. 11.

an atomic construct when stmt i is not executable.

The inference rules for while − switch are defined as inside atomic might be interleaved by a certain number of follows: If stmt i is executable for all

The execution of a sequence stmt 1 , stmt s , . . . , stmt n

i, 1 ≤ i ≤ n during other processes because of blocking. The consequence is that the execution, then:

an atomic is partitioned into several subatomics. Even so, the effect of variable valuation will be accumulated at the

∀i, 1 ≤ i ≤ n, stmt i executable .

execution of the last statement in the list of arguments. [while − switch]{stmt 1 , . . . , stmt n }−→exit

However, when there is

i, 1 ≤ i ≤ n, and stmt i is not

executable, then

block [while − switch]{stmt1, . . . , stmtn}−→[while − switch]{stmti, . . . , stmtn} .

stmti, 2 ≤ i ≤ n

Formally, a program graph for a while − switch con- struct consists of a set of locations, Loc = sub([while − switch]) = {[while−switch]{stmt 1 , . . . , stmt n }, [while−

Fig. 11: A program graph for an atomic construct switch]{stmt i , . . . , stmt n }, exit}, a set of actions, Act consists of either an expression, assignment, send or receive.

In Java, an atomic construct is implemented by a switch Loc 0 = {[while − switch]{stmt 1 , . . . , stmt n }}, and g 0 is construct inside of a while loop. The switch construct is stmt 1 executable. And, the corresponding program graph is used to accommodate a number of guards, while the

while shown in Fig. 12.

loop is used to make the flow of program keeps returning To prove the equivalence (or similarity) between the pro- to the loop until the last statement in the atomic is com- gram graph for atomic construct and one for while − switch

pletely executed. A Java code fragment of switch − while construct in Java is done by comparing the program graph implementation is depicted in Listing 4.

in Fig. 11 and one in Fig. 12, and it is evident that Listing 4: An implementation of atomic in Java

5) Strong Atomicity: Given (d step, synchronize) ∈ ...

CA, for d step ∈ P , synchronize ∈ J, and we prove that intstmtnmbr=1;

P G(d step) ≃ P G(synchronize).

d step introduces a deterministic code fragment that is Java provides a synchronized keyword to methods that executed indivisibly [17]. Syntactically, it is like atomic cause only one invocation of a synchronized method on construct, except some differences : (1) goto cannot come the same object at a time. Every object has an intrinsic into or go out of a

d step sequence; (2) the sequence is lock associated with it. A thread that needs exclusive and executed deterministically, if non-determinism occurs, it is consistent access to an object’s fields has to acquire the carried out in deterministic manner, for example, by always object’s intrinsic lock before accessing them, and then release selecting the first true (or executable) guard in every selection the intrinsic lock when it is done with them. A Java method and repetition structure; and (3) if the execution of any may be synchronized, which guarantees that at most one statement inside the sequence can block, it is an error. For thread can execute the method at a time. Other threads this reason, in most cases send and receive statements wishing access are forced to wait until the currently executing cannot be used inside d step sequence.

thread completes [14], [15].

There is also a synchronized statement in Java that forces threads to execute a block of code sequentially. Unlike synchronized methods, synchronized statements must specify the object that provides the intrinsic lock.

Synchronize in Java might be used to implement d step construct in PROMELA. In accordance with

d step con- struct’s behavior, however, synchronized statement is more appropriate than synchronized method.

The inference rule for a synchronize is defined as: Fig. 12: A program graph for a while − switch construct in

Java . synchronize{stmt 1 , . . . , stmt n }−→exit

Formally, a program graph for a synchronize consists consists of a set of locations, Loc = sub(d step) = of a set of locations, Loc = sub(synchronize) =

Formally, a program graph for a

d step construct

stmt n }, exit}; set of Act is in the form of an expression, assignment, actions, Act

{d step{stmt 1 , . . . , stmt n }, exit}; a set of actions, {synchronize{stmt 1 ,...,

either an expression, or send and receive; a set of initial locations, assignment, send or receive; set of initial locations, Loc 0 = {d step{stmt 1 , . . . , stmt n }}; and an initial Loc 0 = {synchronize{stmt 1 , . . . , stmt n }}; and go 0 is condition, g 0 which is the executability of stmt 1 (i.e., the the executability of stmt 1 . And the program graph for a first statement in the sequence). And graphically, a program synchronize is shown in Fig. 15. graph for a d step construct is shown in Fig. 13.

consists

of

Fig. 15: A program graph for a synchronize in Java Fig. 13: A program graph for a d step construct

To prove the equivalence (or similarity) between the program graph for a

d step and one for a synchronize The above situation can only be achieved when a is done by comparing these two program graphs from

d step construct is in the verified model—all state- Fig. 13 and Fig. 15 respectively. It is evident that ments in the argument list are already proved exe- there must be two bijection functions

f , and g such cutable. Otherwise, the program graph for

f (d step) = synchronize, f (exit) = exit, and consist of a set of locations, Loc = sub(d step) = g(d step, exit) = g(synchronize, exit). Hence, it is proven

d step will that

{d step{stmt 1 , . . . , stmt n }, error, exit}; a set of ac- that tions, Act is in the form of an expression, assignment,

The synchronize’s implementation in Fig. 15 is taken send or receive; a set of initial locations, Loc 0 = by assuming (or assuring) that every stmt i ,

1 ≤ i ≤ n, {d step{stmt 1 , . . . , stmt n }}; and an initial condition, g 0 is executable. Otherwise, it is error as described in the

which is the executability of stmt 1 . And graphically, a following inference rule:

program graph for a d step with the possibility of error is presented in Fig. 14.

∃i; 1 ≤ i ≤ n, stmt i block . synchronize{stmt 1 , . . . , stmt n }−→error

Formally, a program graph for a synchronize with error has a set of locations, Loc = {synchronize{stmt 1 ,..., stmt n }, error, exit}; a set of actions, Act is in the form of an expression, assignment, send or receive. The conditional transition relation is its inference rules; a set of initial

locations Loc 0 = {synchronize{stmt 1 , . . . , stmt n }}, and the initial condition g 0 is the executability of stmt 1 . The

Fig. 14: A program graph for a d step construct with the program graph for a synchronize with error is shown in possibility of error

Fig. 16.

The only difference with a program graph in the previous Formally, a program graph for a nondeterministic selection case (i.e., one with no error) is an additional location exit. construct if f i has a set of locations, Loc = sub(if f i) = S Therefore, in this case there is also an equivalence (or a {if f i, exit} ∪ 1≤i≤n {sub(stmt i ) \ {stm ′ , exit}}; a set of similarity) between a program graph for a d step with error actions, Act is normally in the form of an expression, assign- and one for

ment, and send or receive; conditional transition relation is all inference rules mentioned above; a set of initial locations,

Loc 0 = {if f i}; and an initial condition, g 0 is guard for selected option g i ’s. And graphically, it is shown in Fig. 17.

Fig. 16: The program graph for a synchronize with Error in Java

6) Selection if f i: In PROMELA, a selection construct if f i has a unique start and stop state. Each option sequence inside the construct defines outgoing transitions for the start state, leading to the stop state. By default, the end of each option sequence leads to the control state that follows the Fig. 17: A program graph for a nondeterministic selection construct [17].

construct if f i

The selection construct if f i must have at least one option sequence (for some integer

In Java, a nondeterministic selection construct if f i is stmt i for some

i, 1 ≤ i ≤ n). A sequence,

i, 1 ≤ i ≤ n, can be selected for execution implemented in two approaches: (i) randomize, and (2) only when its guard statement g i is executable. If more than priority. The behavior of the randomize approach is closer one guard statements are executable, one of them will be to the one of selection construct if f i in PROMELA than selected in non-deterministic manner. Otherwise, if there is the priority. Since the priority approach behaves like most no executable guard statement, the selection construct as a general purpose (programming) languages including Java. whole blocks. This means that a non-deterministic selection

Furthermore, the randomize approach is implemented in construct if f i as a whole is executable only if there is at two versions (i.e., if f i r 1 , if f i r 2 ). The first version of least one guard inside it is executable.

i, 1 ≤ i ≤ n for some positive integer n (in which n is number of guards Listing 5: A syntax of the selection construct, if f i

randomize initially generates a random number

inside selection construct if f i). Then the value of i is if

assigned to a variable choice to select the matching case {

in the switch construct, and evaluate the guard g i . If the ::g1 −> s t m t 1 ;

guard g i holds (or executable), the corresponding sequence ::g2 −> s t m t 2 ;

... stmt i will be executed. Otherwise, the function will generate

... another random number j repeatedly until finds a guard g j ::gn −> s t m t n ;

for some j, 1 ≤ j ≤ n holds. As normal, header.lock() and }

header.unlock() are used to guarantee an atomicity. Then, fi

a Java code fragment for this implementation is shown in The syntax of the selection construct if f i is expressed in Listing 6.

a form as shown in Listing 5. Listing 6: A Java code fragment of random selection in Java The inference rules of a selection construct if f i are version one

defined as:

h :α

stmt i ֒−−→stmt i 6= exit

booleanifflag=false;

g i ∧h:α

while(!ifflag) {

if f i ֒−−−−→stmt i i n t c h o i c e =1+ Math . random ( ) * n m b r o f o p t s ; when the corresponding statement stmt i of the selected

switch(choice) {

guard case1: g

i requires more than one step of execution, or:

header.lock();

stmt i ֒−−→stmt i = exit header.unlock();

h :α

if (!g1) {

if f i break ; ֒−−−−→exit

g i ∧h:α

when the corresponding statement stmt i of g i is one-step of

ifflag=true;

execution, or:

stmt1; break ;

case2:

if f i ֒−−−−−−−−−−→if f i

¬g 1 ∧¬g 2 ... ∧¬g n

header.lock();

if (!g2) {

when there is no guard holds, the selection blocks. header.unlock(); when there is no guard holds, the selection blocks. header.unlock();

stmt2; break ;

casen: header.lock(); if (!gn) {

header.unlock(); break ;

} ifflag=true;

stmtn; break ;

} Fig. 18: A program graph for a random selection if f i r 1

version one

header.unlock(); ...

There are two levels of break statement used in this in P G(if f i r 1 ) can be coalesced with the initial location ′ implementation; one is inside if statement and the other is if f i r 1 becomes one new location, say if f i r 1 . And the outside. The former is used to exit from switch when guard i result of this coalescing process is a program graph shown is not true, and allow another process to take the program in Fig. 19. control (by unlocking). While the later is used to exit from the switch when a guard g i is true, after executing stmt i . Therefore, a statement header.unlock() is placed outside the while loop.

The semantics of a Java selection construct using the randomize approach version one is formally explained by

the following inference rules: If a randomly selected guard g i

satisfied, and the corresponding action stmt i is not one-step ′ statement, then there is a transition to the location stmt i :

i ←− random(1 . . . n) ∧ sequence ′

i 6= exit

if f i r ′ 1 ֒−−−−→sequence

guard i

Fig. 19: The result of coalescing locations in a program graph Fig. 18

If a randomly selected guard g i satisfied, and the corre-

sponding action stmt i is one-step statement, then there is

a transition to location exit: From Fig. 19, it can be observed that number of loca- ′

tions in P G(if f i r 1 ) is equal to number of locations in

i ←− random(1 . . . n) ∧ sequence i = exit P G(if f i). Then, there must be two bijective functions f

if f i r 1 ֒− →exit

and

g mapping locations and transitions respectively from P G(if f i) to P G(if f i r 1 ). Hence, this proves P G(if f i) ≃

If a randomly selected guard, g i is not satisfied, the transition

P G(if f i r 1

returns to the location

while: Unlike the first version, this second version of implemen-

tation works by first checking all guards g i in the if f i ¬guard if f i r i

i ←− random(1 . . . n)

1 ֒−−−−−→if f i r 1 construct. If a g i is executable, then the number i is stored in the corresponding position of a List variable options

A program graph for an if f i r 1 is formally derived (i.e., options.add(i)). If there is no executable guard (i.e., by determining its components: Loc = sub(if f i r 1 )= options.size() = 0), then blocks and waits until there is at {if f i r 1 , switch, exit}∪{sub(stmt i )\{stmt ′ , exit}}, Act least one executable guard; otherwise (i.e., options.size() > containing an expression, assignment and send or receive,

0) generates a number j, 1 ≤ j ≤ options.size() randomly Loc 0 = {if f i r 1 , switch}, and g 0 is guard for selecting to select the corresponding case in the switch construct.

stmt i . Since a new location switch does not give any Because all of options.size() guards in the options variable effect toward the value changes of any other variables in are executable, so that any number j, 1 ≤ j ≤ options.size() the construct, this location can be ignored. Graphically, generated by the random function will cause an execution of

a program graph for construct if f i r 1 is represented in stmt j . Therefore, only one level of break statement needed Fig. 18.

in this implementation. Then, the Java code fragment of this The last step is proving P G(if f i) ≃ P G(if f i r 1 ). implementation is shown in Listing 7.

Unlike the previous constructs, the number of locations between these two compared program graphs is different.

Listing 7: A Java code for if f i r 2 implementation This different is caused by an additional location switch

in P G(if f i r 1 ) to facilitate a random selection. How-

booleanifflag=false;

ever, in accordance with Proposition 1, location switch

while(!ifflag) {

L i s t <I n t e g e r > o p t i o n s =new L i s t ( ) ; header.lock();

if (g1) { o p t i o n s . add ( 1 ) ; } if (g2) { o p t i o n s . add ( 2 ) ; } ... if (gn) { o p t i o n s . add ( n ) ; }

header.unlock(); if (options.size()>0) {

ifflag=true; i n t c h o i c e =Math . random ( ) *

options.size();

choice=options.get(choice); switch(choice) {

case1:stmt1;

break ; case2:stmt2;

break ; ... ...

caseoptions.size() : Fig. 20: A program graph for the randomize implementation,

stmtoptions.size();

if f i r 2 in Java

break ;

flow of execution is similar with one of else if in Java, ...

except the process is repeated until one of condition in The semantics of a randomize implementation version two else if is executable. Then, the Java code fragment for this for the selection construct, if f i r 2 is formally explained by implementation is shown in Listing 8. the following inference rules:

Listing 8: A Java code for the priority selection, if f i pr

i≤n

stmt ... j ←− stmt i ;j++

booleanifflag=false;

This inference rule is to store stmt i with satisfied guard g i

while(!ifflag) {

into new variable list j , or

intchoice= −1;

header.lock();

j ←− random(1 . . . m) ∧ stmt j 6= exit

if (g1) {

true

choice=1;

if f i r 2 ֒−−→stmt j

}elseif(g2){

choice=2; }

when list j is not a one-step statement, i.e., list j 6= exit, or:

else if (gn) {

j ←− random(1 . . . m) ∧ stmt j = exit

c h o i c e =n ; }

true

header.unlock();

if f i r 2 ֒−−→exit

when switch(choice) stmt j is a one-step statement, i.e.,

stmt {

j = exit.

case1:

Formally, a program graph for the if f i r 2 construct

ifflag=true;

s t m t 1 ; break ; {if f i r 2 , f or, switch, exit} ∪ {sub(stmt i ) \ {stm ′ , exit}};

consists of a set of locations, Loc = sub(if f i r 2 )=

case2: