Lecture 9 verifying temporal logic

Size: px

Start display at page:

Download "Lecture 9 verifying temporal logic"

Rosalind Scott
9 years ago
Views:

1 Basics of advanced software systems Lecture 9 verifying temporal logic formulae with SPIN 21/01/2013 1

2 Outline for today 1. Introduction: motivations for formal methods, use in industry 2. Developing models : automaton, specification of correctness properties 3. Verification Techniques : simulation, model checking, schedulability analysis, theorem proving, etc 4. Focus : Promela Spin for the verification of concurrent processes 5. Lab work: modeling & verification of an electronic purse - 2

3 Limits of assertions for verification No separation of concerns between the model and correctness properties Invariance properties are more conveniently expressed as global properties, e.g.: array index k must be within bounds at each step of a program : 0 <= x <= len- 1 the number of processes accessing the network interface at each point in time must be less than or equal to 1 Many correctness properties cannot be expressed with assertions: Absence of deadlocks: if several planes are waiting to land, eventually one of them will be allowed to land Absence of starvation: if one plane wants to land, eventually that place will be permitted to land 3

4 Recap on how to specify properties (1/2) Safety: Something good is guaranteed throughout each run: [] p Something bad never happens: []! p Liveness: Something good will eventually happen: <>p 4

5 Recap on how to specify properties (2/2) p : always p (p is always true), express invariance p : eventually p (p will become true at some point), express guarantee One has! p!p and! p!p p q : p implies eventually q, express response to an event p : always eventually p ( if p happens to be false, it is always guaranteed to become true again ), p : eventually always p ( at some point, p will become invariantly true for the remainder of the run ) - 5

6 Verifying temporal logic formulae with Spin (1/2) Step1: defining properties Add #define at the top of the program defining each variable used in the formulae, e.g. #define p (! (Gate_is_up && train_is_passing) ) #define q ( nb==1 ) Define temporal logic in the model file (.pml): ltl <name> { <TL formula> }, ex: ltl q_is_always_true { [] q } ltl other_property { <> ( critical <= 1 ) } 6

7 Verifying temporal logic formulae with Spin (2/2) Step2 - case A : verifying safety properties spin610 a model.pml; gcc DSAFETY o pan pan.c;./pan N property_name Step2 - case B : verifying liveness properties spin610 a model.pml; gcc o pan pan.c; sometimes DNFAIR=x is needed./pan a f N property_name 7

8 Exercise: producers consumers continued Question 1: check that it never happens that starting from some point only productions occur, only consumptions occur. Test the two opposite properties as well, and resimulate the failing trace: spin t p l model.pml (uses the pml file) Question 2: extend the model so that the same consumer does not consume twice in a row 8

9 Exercise: let us consider the following code #define NUM_PROCS 3 bool locked = false; int nb = 0; active[num_procs] proctype loop() { do :: true-> atomic { }! locked -> locked = true; nb++; /* interesting code would go here */ printf( current process %d \n", _pid ); nb--; } locked = false; od 9

10 Verifying temporal logic formulae with Spin Question 1 : understand the program, what does it do? What is the range of variation of nb? Question 2: check using an assert statement that there is exactly one process in critical section. Question 3: using verification with temporal logic, prove that the property on variable nb holds at each possible state of the system. Question 4: using verification with temporal logic, verify that the value of nb alternates between 0 and 1. 10

Software Engineering using Formal Methods

Software Engineering using Formal Methods Model Checking with Temporal Logic Wolfgang Ahrendt 24th September 2013 SEFM: Model Checking with Temporal Logic /GU 130924 1 / 33 Model Checking with Spin model