The Model Checker SPIN



Similar documents
Formal Verification by Model Checking

Software Engineering using Formal Methods

Testing LTL Formula Translation into Büchi Automata

tutorial: hardware and software model checking

Fundamentals of Software Engineering

Today s Agenda. Automata and Logic. Quiz 4 Temporal Logic. Introduction Buchi Automata Linear Time Logic Summary

Formal Verification of Software

Model Checking of Software

Lecture 9 verifying temporal logic

Software Model Checking: Theory and Practice

logic language, static/dynamic models SAT solvers Verified Software Systems 1 How can we model check of a program or system?

Journal of Mathematics Volume 1, Number 1, Summer 2006 pp

Automata-based Verification - I

The Course.

Algorithmic Software Verification

Model Checking: An Introduction

Static Program Transformations for Efficient Software Model Checking

INF5140: Specification and Verification of Parallel Systems

LTL Model Checking with Logic Based Petri Nets

Formal verification of contracts for synchronous software components using NuSMV

Using Patterns and Composite Propositions to Automate the Generation of Complex LTL

Introduction to SPIN. Acknowledgments. Parts of the slides are based on an earlier lecture by Radu Iosif, Verimag. Ralf Huuck. Features PROMELA/SPIN

A Classification of Model Checking-based Verification Approaches for Software Models

T Reactive Systems: Introduction and Finite State Automata

Validated Templates for Specification of Complex LTL Formulas

Model Checking based Software Verification

System modeling. Budapest University of Technology and Economics Department of Measurement and Information Systems

Finding Liveness Errors with ACO

Runtime Verification for Real-Time Automotive Embedded Software

Classification - Examples

MODEL CHECKING OF SERVICES WORKFLOW RECONFIGURATION: A PERSPECTIVE ON DEPENDABILITY

On the Modeling and Verification of Security-Aware and Process-Aware Information Systems

Formal Verification and Linear-time Model Checking

CSI 333 Lecture 1 Number Systems

Specification and Analysis of Contracts Lecture 1 Introduction

Temporal Logics. Computation Tree Logic

Software Verification: Infinite-State Model Checking and Static Program

Model Checking LTL Properties over C Programs with Bounded Traces

Introducing Formal Methods. Software Engineering and Formal Methods

Software Model Checking: Theory and Practice

Stylianos Basagiannis

24 Uses of Turing Machines

Model checking test models. Author: Kevin de Berk Supervisors: Prof. dr. Wan Fokkink, dr. ir. Machiel van der Bijl

Introduction to Promela and SPIN. LACL, Université Paris 12

Model Checking II Temporal Logic Model Checking

Combining Software and Hardware Verification Techniques

Monitoring Metric First-order Temporal Properties

SHARED HASH TABLES IN PARALLEL MODEL CHECKING

Automata-Based Verification of Temporal Properties on Running Programs Dimitra Giannakopoulou Klaus Havelund

Software safety - DEF-STAN 00-55

Introduction to Formal Methods. Các Phương Pháp Hình Thức Cho Phát Triển Phần Mềm

Bounded LTL Model Checking with Stable Models

Automatic Verification of UML-based System on Chip Design

Automata Theory. Şubat 2006 Tuğrul Yılmaz Ankara Üniversitesi

Verifying Real-Time Embedded Software by Means of Automated State-based Online Testing and the SPIN Model Checker Application to RTEdge Models

Finding Liveness Errors with ACO

Software Model Checking Extracting Verification Models from Source Code

INF5140: Specification and Verification of Parallel Systems

CS 3719 (Theory of Computation and Algorithms) Lecture 4

Logic in Computer Science: Logic Gates

Introduction to Automata Theory. Reading: Chapter 1

Business Process Verification: The Application of Model Checking and Timed Automata

Formal Verification Toolkit for Requirements and Early Design Stages

Introduction to Software Verification

Unified Static and Runtime Verification of Object-Oriented Software

From Workflow Design Patterns to Logical Specifications

SCADE Suite in Space Applications

Today s topics. Digital Computers. More on binary. Binary Digits (Bits)

6.080/6.089 GITCS Feb 12, Lecture 3

Software Quality Exercise 1

Verification of multiagent systems via ordered binary decision diagrams: an algorithm and its implementation

Feature Specification and Automated Conflict Detection

The ProB Animator and Model Checker for B

Automata and Formal Languages

School of Computer Science

Development of dynamically evolving and self-adaptive software. 1. Background

Runtime Verification - Monitor-oriented Programming - Monitor-based Runtime Reflection

LTL Satisfiability Checking

6.852: Distributed Algorithms Fall, Class 2

TEACHING MODEL CHECKING TO UNDERGRADUATES

The Halting Problem is Undecidable

Software Verification/Validation Methods and Tools... or Practical Formal Methods

Theory of Computation Chapter 2: Turing Machines

Transcription:

The Model Checker SPIN Author: Gerard J. Holzmann Presented By: Maulik Patel

Outline Introduction Structure Foundation Algorithms Memory management Example/Demo

SPIN-Introduction Introduction SPIN (Simple( Promela INterpreter terpreter): Tool for software model checking. Written by Gerard Holzmann and others. System to be verified is described in PROMELA (Pro( Process Meta Language). Properties to be verified are expressed as LTL formulae. Also works as simulator.

SPIN-Introduction Introduction(cont (cont.) SPIN does not actually perform model-checking itself, but instead generates C sources for a problem-specific model checker. Options to further speed up the process and save memory: Partial order reduction State compression Bit-state state hashing

SPIN-Introduction Introduction(cont (cont.) SPIN aims to provide: Program like notation to specify design choices unambiguously. Concise notation for expressing general correctness requirements. A methodology for establishing the logical consistency of the design choices.

Basic Structure

Foundation The predecessors of SPIN were limited to standard safety properties and limited liveness properties. Automata theoretic model became the formal basis for temporal logic model checking in SPIN. Description of a concurrent system in PROMELA is one or more process templates ( (proctype definitions). Each template is translated into a finite automate.

Foundation The global system behavior (asynchronous interleaving product) is also an automaton. Correctness claim (temporal logic formula) is converted into Buchi automaton. Combined behaviour: : synchronous product of the system and claim Correctness claims are used to specify undesirable behaviours of the system. In worst case, reachability graph has the size of the Cartesian product of the components of the system.

LTL Requirements SPIN uses negative correctness claims. Positive claim requires to prove that all executions of the system are included in the language of the claim. Size of state space is At most the Cartesian product of the system and claim. At least size of their sum. Negative claim requires to prove that the intersection of language of the system and of the claim is empty. Size of state space is In the size of the Cartesian product of the system and claim in worst case. Zero for the best case.

LTL Requirements(Cont (Cont.) A Buchi automaton accepts a system execution iff there exists at least one acceptance cycle. We need to prove the absence of acceptance cycles to prove correctness of the system. The nested depth-first search algorithm is used for this purpose.

SPIN Verification System description: PROMELA Templates Correctness claim: LTL Formula Buchi Automaton Buchi Automaton Negated LTL Formula Asynchronous interleaving product: Global system behavior Automaton for negated LTL formula Counter example Acceptance cycle exists Synchronous Product: Combined behavior Absence of acceptance cycle No execution satisfies Negated claim

Algorithms Nested depth-first search From LTL formula to Buchi automaton Partial order reduction Memory management

Nested Depth-First Search Tarjan s depth-first search adds two integer numbers to every state reached: the dfs-number and the lowlink-number. number. This algorithm is not compatible with the bit-state hashing techniques. Nested depth-first search: For an accepting cycle to exist in the reachability graph, at least one accepting state must be both reachable from the initial system state and it much be reachable from itself.

Nested Depth-First Search(Cont (Cont.) Two searches are performed. If acceptance cycle exists, complete execution sequence is constructed which acts as the counter example of a correctness claim. It cannot detect all possible acceptance cycles. In SPIN, this algorithm is extended with an optional weak fairness constraint.

Buchi Automata LTL formula can contain: Lower case propositional symbol p. Combined with unary or binary, Boolean and/or temporal operators.

Buchi Automata(Cont (Cont.) [] (p U q) = G (p U q) [] (<> p) = GFP

Partial Order Reduction To reduce the number of reachable states that must be explored. Validity of an LTL formula is insensitive to the order in which concurrent and independent events are interleaved in the depth-first search. Implementation is based on a static reduction technique. Best case performance:

Partial Order Reduction(Cont (Cont.) It cannot cause significant increase of the memory requirement, compared to exhaustive searches. It is not sensitive to decisions about process or variable orderings. Correctness properties were verified using the theorem prover HOL.

Memory Management A main goal of researchers is to devise techniques that can economize the memory requirements without incurring unrealistic increases in runtime requirements. Two such techniques are used in SPIN: State compression Bit-state hashing

State Compression Static Huffman encoding and run-length encoding techniques can be effective for this purpose. A different technique was added to SPIN in late 1995. Every process and channel has relatively small number of local states. s Store local states separately from global states and use unique indices to the local state tables inside the global state tables.

State Compression In practice, most commonly observed reduction is 60 to 80 percent.

Bit-State Hashing 2 bits of memory are used to store a reachable state. S : width of system state M : total machine memory (bytes) L : M/S (maximum number of states that can be stored) R : total number of reachable states generated by SPIN When R>L, problem coverage of verification run is M/(R x S). Ex: M=10 8 bytes, S=10 3 bytes and R=10 6 states problem coverage=0.1 (10%)

Bit-State Hashing Bit-state hashing technique produces problem coverage close to 1 (100%).

Example Leader Election P 1 P 6 P 2 Preceived < P i : reject Preceived > P i : pass Preceived == P i : P 3 P 5 P 4 Winner has the largest identifier. Unidirectional ring. Process can decide to join at a later point in the execution.

Example Leader Election Properties: No more than on leader : [] (nr_leader( <= 1) There must be one leader: <>[] (nr_leader( == 1) Leader must have largest identifier Modify algorithm for processes to defer their decision to participate in the election. A process would decide to participate (only when) first receiving a message concerning the election.

PROMELA Example Copied from: Lecture SPIN-INTRO: Introduction To SPIN (Matt Dwyer, John Hatcliff)

SPIN Data Structures Copied from: Lecture SPIN-INTRO: Introduction To SPIN (Matt Dwyer, John Hatcliff)

SPIN Demo http://www.spinroot.com/spin/man/gettingstarted.html

Question 1 Partial order reduction algorithm generates reduced state space with only representatives of classes of execution sequences that are distinguishable for a given correctness property. What criteria is used to distinguish the execution sequences?

Question 2 Second property of partial order reduction: The reduction method is not sensitive to decision about process or variable ordering. How does it affect the performance of SPIN?

Question 3 How does the weak fairness constraint in SPIN affects nested depth-first search?