nach oben

Erschienen in:

2011 | OriginalPaper | Buchkapitel

3. The Choice of TLA⁺/TLC: Comparing Formal Methods

verfasst von : Eric Verhulst, Raymond T. Boute, José Miguel Sampaio Faria, Bernhard H. C. Sputh, Vitaliy Mezhuyev

Erschienen in: Formal Development of a Network-Centric RTOS

Verlag: Springer US

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

This book provides a thorough description of OpenComRTOS and of the formal models built for its implementation. Such models were written in TLA⁺ and verified with the TLC model checker. The choice of TLA⁺/TLC was one of the fundamental initial decisions of the project. In effect, over the last years, several languages, techniques, and tools have been developed and made available by the formal methods community. Typically, different formalisms are best suited for different domains of application, and their comparison is not straightforward. It can be a significantly subjective exercise. This chapter addresses this issue, describing the selection process followed in this project.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Requirements and Specifications for the OpenComRTOS Project

Nächstes Kapitel Basic Formal Specification in TLA+

The actual implementation of the marking can be done using an unused bit of the field next of the node.

This mail happen for two reasons: (a) another concurrent process could have deleted the node in the mean time or (b) there was some error in the assignment of the node to delete and it simply does not belong to the linked list.

“Empty” is not an exact term. Once the memory location has been freed it can be in a multiplicity of different states that may lead to the referred error. The actual behavior of a process in this scenario depends on the details of the implementation.

Recall that the comparison is made between the value of the node’s next field previously recorded and the present one. Even if the composition of the list has not changed in the mean time, the values will not match because the present reference is marked while the value previously recorded is not. This is due to decision of marking a node by a change in an unless unused bit of the next filed of the node. In any case, if other implementation scheme would not cause this comparison to fail the process would continue to (VId) and would then forcedly be sent back to (IId), continuing as announced in (8).

For example, the CAS primitive is supported as the “CASA” and “CASXA” operations in Sparc V9 (SPARC International 1994), and as “lock cmpxchg” in Intel Itanium (Intel Corporation 2002).

See Sect. 3.2.4.

Together with the standard modules Naturals and Extends.

This has no effect in the definitions made in the module; it can, however, be taken as an hypothesis in the construction of proofs.

Strictly speaking, there is an exception: IId and IIId were grouped into a single action.

Note the use of “possible instance”. In fact, the configuration file may have many instances by changing the definitions of the constants in it. The TLA⁺ model remains, however, unchanged.

More rigorously, it asserts that the formula follows logically from the definitions in this module, the definitions in the extended modules Naturals, Sequences, and FiniteSets, and the rules of TLA⁺.

In our case, this feature is really useful since variable proc encapsulates many fields.

For differentiation each process is assigned a unique instantiation number. This is done automatically, and the user does not need to worry about it. If necessary, each process can refer to its own instantiation number via the predefined local variable _pid.

No intermediate levels can created, i.e. the scope of a global variable cannot be restricted to a subset of processes and the scope of a local one to specific blocks of statements.

if and only if.

This notation is inspired in (Dijkstra 1975).

This is not mandatory though, for some properties it can be achieved with an assertion clause through the construction: proctype monitor() assert(invariant) , but this looks a “dirtier” solution.

It can be perfectly valid, for instance, for server processes to enter a wait state after a transition is completed, immune to the fact that all user processes have terminated.

And after Sect. 3.4.1, naturally, if you are not familiar with Promela.

Note that operations like reads and writes are executed atomically.

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"