Promela/SPIN. Explicit State Model Checker

Similar documents
Formal Verification by Model Checking

INF5140: Specification and Verification of Parallel Systems

The Model Checker SPIN

Introduction to SPIN. Acknowledgments. Parts of the slides are based on an earlier lecture by Radu Iosif, Verimag. Ralf Huuck. Features PROMELA/SPIN

Introduction to Promela and SPIN. LACL, Université Paris 12

Software Engineering using Formal Methods

Fundamentals of Software Engineering

Lecture 9 verifying temporal logic

The Model Checker SPIN

Today s Agenda. Automata and Logic. Quiz 4 Temporal Logic. Introduction Buchi Automata Linear Time Logic Summary

tutorial: hardware and software model checking

Generalising Feature Interactions in

Formal verification of contracts for synchronous software components using NuSMV

Quick Start Guide. June 3, 2012

MODEL CHECKING OF SERVICES WORKFLOW RECONFIGURATION: A PERSPECTIVE ON DEPENDABILITY

On Limits and Possibilities of Automated Protocol Analysis

SPIN Beginners Tutorial

CISC422/853: Formal Methods

Stylianos Basagiannis

LTL Model Checking with Logic Based Petri Nets

Verification of Agent Behavioral Models

System modeling. Budapest University of Technology and Economics Department of Measurement and Information Systems

Testing LTL Formula Translation into Büchi Automata

Real Time Programming: Concepts

Automata-based Verification - I

Temporal Logics. Computation Tree Logic

VeriTech - A Framework for Translating among Model Description Notations

Journal of Mathematics Volume 1, Number 1, Summer 2006 pp

Model Checking Interactions of Composite Web Services

A Static Analyzer for Large Safety-Critical Software. Considered Programs and Semantics. Automatic Program Verification by Abstract Interpretation

logic language, static/dynamic models SAT solvers Verified Software Systems 1 How can we model check of a program or system?

Model-Checking Verification for Reliable Web Service

EMBEDDED C CODE 17. The purpose of analysis is not to compel belief but rather to suggest doubt. (Imre Lakatos, Proofs and Refutations)

Context-Bounded Model Checking of LTL Properties for ANSI-C Software. Jeremy Morse, Lucas Cordeiro, Bernd Fischer, Denis Nicole

Formal Verification of Software

Algorithmic Software Verification

Overview of Lecture 3. Model Checking with SPIN. First attempt (revisited) Linear Temporal Logic (LTL) CDP #3

Our premise is that a notable part of the delays that can be encountered in. We show that modeling and verifying the requirements separately, before

QMC: A Model Checker for Quantum Systems

Software Modeling and Verification

An LTL Specification and Verification of a Mobile Teleconferencing System

Traditional Software Development. Model Requirements and JAVA Programs. Formal Verification & Validation. What is a state?

Model Checking of Software

Applying Model Checking to Destructive Testing and Analysis of Software System

Automata-Based Verification of Temporal Properties on Running Programs Dimitra Giannakopoulou Klaus Havelund

Model checking test models. Author: Kevin de Berk Supervisors: Prof. dr. Wan Fokkink, dr. ir. Machiel van der Bijl

Tr ends in Software Verification

Combining Software and Hardware Verification Techniques

Software Model Checking Extracting Verification Models from Source Code

Model Checking II Temporal Logic Model Checking

Rover. ats gotorock getrock gotos. same time compatibility. Rock. withrover 8-39 TIME

A FORMAL ANALYSIS OF A DIGITAL SIGNATURE ARCHITECTURE

Business Process Verification: The Application of Model Checking and Timed Automata

Model Checking: An Introduction

Embedded Systems. Review of ANSI C Topics. A Review of ANSI C and Considerations for Embedded C Programming. Basic features of C

Feature Interaction Detection by Pairwise Analysis of LTL Properties - a case study

Model Checking based Software Verification

Software Quality Exercise 1

HECTOR a software model checker with cooperating analysis plugins. Nathaniel Charlton and Michael Huth Imperial College London

Static Program Transformations for Efficient Software Model Checking

LTL Satisfiability Checking

Lexical Analysis and Scanning. Honors Compilers Feb 5 th 2001 Robert Dewar

Model Checking LTL Properties over C Programs with Bounded Traces

Model Checking Distributed Software

A Logic Approach for LTL System Modification

Semantic Analysis: Types and Type Checking

Boolean Expressions, Conditions, Loops, and Enumerations. Precedence Rules (from highest to lowest priority)

Introducing Formal Methods. Software Engineering and Formal Methods

Institut für Parallele und Verteilte Systeme. Abteilung Anwendersoftware. Universität Stuttgart Universitätsstraße 38 D Stuttgart

Constructing Automata from Temporal Logic Formulas : A Tutorial

PROPERTECHNIQUEOFSOFTWARE INSPECTIONUSING GUARDED COMMANDLANGUAGE

The programming language C. sws1 1

NSPK Protocol Security Model Checking System Builder

Regression Verification: Status Report

Automata-Based Verification of Temporal Properties on Running Programs

Workflow Management Models and ConDec

Investigating a File Transfer Protocol Using CSP and B


Overview Motivating Examples Interleaving Model Semantics of Correctness Testing, Debugging, and Verification

Concepts of Concurrent Computation

Compilers. Introduction to Compilers. Lecture 1. Spring term. Mick O Donnell: michael.odonnell@uam.es Alfonso Ortega: alfonso.ortega@uam.

Tutorial on C Language Programming


SpinRCP The Eclipse Rich Client Platform Integrated Development Environment for the Spin Model Checker

The ConTract Model. Helmut Wächter, Andreas Reuter. November 9, 1999

SHARED HASH TABLES IN PARALLEL MODEL CHECKING

Project 4: Pseudo USB Simulation Introduction to UNIVERSAL SERIAL BUS (USB) STANDARD

Table-based Software Designs: Bounded Model Checking and Counterexample Tracking

Verifying Large SDL-Specifications using Model Checking

T Reactive Systems: Introduction and Finite State Automata

Debugging. Common Semantic Errors ESE112. Java Library. It is highly unlikely that you will write code that will work on the first go

An Approach to Model Checking Ada Programs

MBP_MSTR: Modbus Plus Master 12

Informatica e Sistemi in Tempo Reale

Introduction to Software Verification

A Classification of Model Checking-based Verification Approaches for Software Models

Compiler Construction

On the Modeling and Verification of Security-Aware and Process-Aware Information Systems

Development of dynamically evolving and self-adaptive software. 1. Background

Specification and Analysis of Contracts Lecture 1 Introduction

Transcription:

Promela/SPIN Acknowledgements: These notes used some of the material presented by Flavio Lerda as part of Ed Clarke s model-checking course Explicit State Model Checker Represents the system as a finite state machine Visits each reachable state (state space) explicitly (using Nested DFS) Performs on-the-fly computation Uses partial order reduction Efficient memory usage State compression Bit-state hashing Version 4: Uninterpreted C code can be used as part of Promela model 3 SPIN For checking correctness of process interactions Specied using buffered channels, shared variables or combination Focus: asynchronous control in software systems Promela program-like notation for specying design choices Models are bounded and have countably many distinct behaviors Generate a C program that performs an efficient online verication of the system s correctness properties Types of properties: Deadlock, violated assertions, unreachable code System invariants, general LTL properties Ranm simulations of the system s execution Proof approximation LTL Translator Buchi Translator High Level Organization LTL formula Buchi Automaton Promela Model Promela Parser The Buchi automaton is turned into a Promela Abstract Syntax Tree process and composed Automata Automata with the rest of the system. Generator The generated verier is C Generator specic to the model and property we started with. C Code C Compiler Verication Result Pan Verier 4 1

Promela (Process Meta Language) Asynchronous composition of independent processes Communication using channels and global variables Non-deterministic choices and interleavings Based on Dijkstra s guarded command language Every statement guarded by a condition and blocks until condition becomes true Example: while (a!= b) skip /* wait for a == b */ vs (a == b) 5 Process Instantiation Need to execute processes proctype only defines them How to it? By default, process of type init always executes run starts processes Alternatively, define them as active (see later) Processes can receive parameters all basic data types and message channels. Data arrays and process types are not allowed. Example: proctype A (byte state; short foo) (state == 1) -> state = foo init run A(1, 3) 7 Process Types State of variable or message channel can only be changed or inspected by processes (defined using proctype) ; and -> are statement separators with same semantics. -> used informally to indicate causal relation between statements Example: byte state = ; proctype A() (state == 1) -> state = 3 proctype B() state = state -1 state here is a global variable 6 Example As mentioned earlier, no distinction between a statement and condition. bool a, b; proctype p1() a = true; a & b; These statements are enabled only both a and b are true. a = false; In this case b is always false proctype p() and therefore there is a deadlock. b = false; a & b; b = true; init a = false; b = false; run p1(); run p(); 8 3 4

An Example mtype = NONCRITICAL, TRYING, CRITICAL ; mtype state[]; proctype process(int id) beginning: noncritical: state[id] = NONCRITICAL; :: goto noncritical; :: true; fi; trying: state[id] = TRYING; :: goto trying; :: true; fi; critical: state[id] = CRITICAL; :: goto critical; :: true; fi; goto beginning; init run process(0); run process(1) At most one mtype can be declared NC T C 9 Do loops Other constructs Communication over channels proctype sender(chan out) int x; ::x=0; ::x=1; fi out! x; 11 Do loops :: count = count + 1; :: count = count - 1; :: (count == 0) -> break od Other constructs Do loops Other constructs Communication over channels Assertions proctype receiver(chan in) int value; in? value; assert(value == 0 value == 1) 10 1 5 6

Do loops Other constructs Communication over channels Assertions Atomic Steps int value; proctype increment() atomic x = value; x = x + 1; value = x; Message Passing Example proctype A(chan q1) chan q; q1?q; q!13 proctype B(chan qforb) int x; qforb?x; print( x=%d\n, x) init chan qname = [1] of chan ; chan qforb = [1] of int ; run A(gname); run B(qforb); qname!qforb Prints: 13 13 15 Message Passing chan qname = [16] of short qname!expr writing (appending) to channel qname?expr reading (from head) of the channel qname??expr peaking (without removing content) qname!!expr checking there is room to write can declare channel for exclusive read or write: chan in, out; xr in; xs out; qname!exp1, exp, exp3 writing several vars qname!expr1(expr, expr3) type and params Randez-vous Communications Buffer of size 0 can pass but not store messages Message interactions by definition synchronous Example: #define msgtype 33 chan name = [0] of byte, byte ; proctype A() name!msgtype(13); name!msgtype(11); /* non-executable */ qname?vari(var, var3) qname?cons1, var, cons can send constants Less parameters sent than received others are undefined More parameters sent remaining values are lost Constants sent must match with constants received 14 proctype B() byte state; name?msgtype(state) init atomic run A(); run B() 16 7 8

Randez-Vous Communications (Cont d) If channel name has zero buffer capacity: Handshake on message msgtype and transfer of value 13 to variable state. The second statement will not be executable since no matching receive operation in B If channel name has size 1: Process A can complete its first send but blocks on the second since channel is filled. B can retrieve this message and complete. Then A completes, leaving the last message in the channel If channel name has size or more: A can finish its execution before B even starts 17 Example Cont d mtype = ack, nak, err, next, accept; proctype transfer (chan in, out, chin, chout) byte o, I; in?next(o); :: chin?nak(i) -> out!accept(i); chout!ack(o) :: chin?ack(i) -> out!accept(i); in?next(o); chout!ack(o) :: chin?err(i) -> chout!nak(o) od 19 Example protocol Channels Ain and Bin to be filled with token messages of type next and arbitrary values (ASCII chars) by unspecied background processes: the users of the transfer service These users can also read received data from the channels Aout and Bout The channels are initialized in a single atomic statement And started with the dummy err message. 18 Example (Cont d) init chan AtoB = [1] of mtype, byte ; chan BtoA = [1] of mtype, byte ; chan Ain = [] of mtype, byte ; chan Bin = [] of mtype, byte ; chan Aout = [] of mtype, byte ; chan Bout = [] of mtype, byte ; atomic run transfer (Ain, Aout, AtoB, BtoA); run transfer (Bin, Bout, BtoA, AtoB); Ain!next(0); AtoB!err(0) 0 9 10

Mutual Exclusion Peterson s solution to the mutual exclusion problem bool turn, flag[]; Mutual Exclusion in SPIN _pid: Identier of the process flag 0 =1 turn=0 flag 1 == 0 turn == 1 flag 1!= 0 && turn!= 1 flag 0 =0 active [] proctype user() assert: Checks that there are only at most two instances with assert(_pid == 0 pid == 1); identiers 0 and 1 again: flag[_pid] = 1; turn = 1 - _pid; (flag[1 - _pid] == 0 turn == _pid); /* critical section */ Critical Section 1 flag[_pid] = 0; goto again; 3 Mutual Exclusion in SPIN bool turn; bool flag[]; proctype mutex0() again: flag[0] = 1; turn = 1; (flag[1] == 0 turn == 0); /* critical section */ flag 1 == 0 turn == 0 flag[0] = 0; goto again; flag 1!= 0 && turn!= 0 flag 0 =1 turn=1 flag 0 =0 Critical Section Mutual Exclusion in SPIN bool turn, flag[]; byte ncrit; ncrit: Counts the number of active [] proctype user() processes in the critical section assert(_pid == 0 pid == 1); again: flag[_pid] = 1; turn = 1 - _pid; (flag[1 - _pid] == 0 turn == _pid); ncrit++; assert(ncrit == 1); /* critical section */ assert: ncrit--; Checks that there is always at most one process in the critical section flag[_pid] = 0; goto again; 4 11 1

Verication Generate, compile and run the verier to check for deadlocks and other major problems: $ spin a mutex $ cc O pan pan.c $ pan full statespace search for: assertion violations and invalid endstates vector 0 bytes, depth reached 19, errors: 0 79 states, stored 0 states, linked 38 states, matched total: 117 hash conflicts: 4 (resolved) (size s^18 states, stack frames: 3/0) unreached code _init (proc 0); reached all 3 states unreached code P (proc 1): reached all 1 states 5 Mutual Exclusion in SPIN bool turn, flag[]; byte ncrit; active [] proctype user() assert(_pid == 0 pid == 1); again: flag[_pid] = 1; turn = 1 - _pid; (flag[1 - _pid] == 0 turn ==_pid); ncrit++; /* critical section */ ncrit--; flag[_pid] = 0; goto again; active proctype monitor() assert (ncrit == 0 ncrit == 1) 7 Mutual Exclusion Verier: Assertion can be violated Can use -t -p to find out the trace Or use XSpin Another way of catching the error Have another monitor process ran in parallel Allows all possible relative timings of the processes Elegant way to check validity of system invariant Finally, Can specy an LTL formula and run the modelchecker Example: #define p count <= 1 LTL claim: [] p Note: all variables in LTL claims have to be global! LTL claim gets translated into NEVER claim and stored either in.ltl file or at the end of model file Only one LTL property can be veried at a time Parameters can be set using XSpin Depth of search, available memory, etc. 6 8 13 14

bool turn, flag[]; bool critical[]; Mutual Exclusion in SPIN active [] proctype user() assert(_pid == 0 pid == 1); again: flag[_pid] = 1; turn = 1 - _pid; (flag[1 - _pid] == 0 turn == _pid); critical[_pid] = 1; /* critical section */ critical[_pid] = 0; flag[_pid] = 0; goto again; LTL Properties: [] (critial[0] critical[1]) [] <> (critical[0]) [] <> (critical[1]) [] (critical[0] -> (critial[0] U (!critical[0] && ((!critical[0] &&!critical[1]) U critical[1])))) [] (critical[1] -> (critial[1] U (!critical[1] && ((!critical[1] &&!critical[0]) U critical[0])))) Note: critical[ ] is a global var! 9 Command Line Tools Spin Generates the Promela code for the LTL formula $ spin f []<>p The proposition in the formula must correspond to #defines Generates the C source code $ spin a source.pro The property must be included in the source Pan Performs the verication Has many compile time options to enable dferent features Optimized for performance 31 #define p ncrit <= 1 #define q ncrit = 0 bool turn, flag[]; byte ncrit; Alternatively, active [] proctype user() assert(_pid == 0 pid == 1); again: flag[_pid] = 1; turn = 1 - _pid; (flag[1 - _pid] == 0 turn == _pid); ncrit++; /* critical section */ ncrit--; LTL Properties: [] (p) []<> (!q) GUI for Spin Xspin flag[_pid] = 0; goto again; 30 3 15 16

Simulator Spin can also be used as a simulator Simulated the Promela program It is used as a simulator when a counterexample is generated Steps through the trace The trace itself is not readable Can be used for ranm and manually guided simulation as well Alternating Bit Protocol Two processes want to communicate They want acknowledgement of received messages Sending winw of one message Each message is identied by one bit Alternating values of the identier 33 35 Alternating Bit Protocol A few examples Sender Receiver msg0 ack0 Alternating Bit Protocol Leader Election msg1 ack1 msg0 ack0 msg1 36 17 18

Alternating Bit Protocol Sender Process Sender msg0 ack1 msg0 ack0 Receiver 37 active proctype Sender() :: :: receiver!msg0; :: skip fi; :: sender?ack0 -> break :: sender?ack1 :: timeout -> :: receiver!msg0; :: skip fi; od; :: :: receiver!msg1; :: skip fi; :: sender?ack1 -> break :: sender?ack0 :: timeout -> :: receiver!msg1; :: skip fi; od; od; 39 Alternating Bit Protocol Receiver Process Sender msg0 msg0 ack0 Receiver active proctype Receiver() :: :: receiver?msg0 -> sender!ack0; break; :: receiver?msg1 -> server!ack1 od mtype = msg0, msg1, ack0, ack1 chan sender = [1] of mtype ; chan receiver = [1] of mtype ; msg1 ack1 :: receiver?msg1 -> sender!ack1; break; :: receiver?msg0 -> server!ack0 od od 38 40 19 0

Leader Election Elect leader in unidirectional ring. All processes participate in election Cannot join after the execution started Global property: It should not be possible for more than one process to declare to be the leader of the ring LTL: [] (nr_leaders <= 1) Use assertion (line 57) assert (nr_leaders == 1) this is much more efficient! Eventually a leader is elected <> [] (nr_leaders == 1) Verication of Leader Election 1 :: Active -> 3 4 :: nr!= maximum -> out!two(nr); neighbour = nr; 5 :: else -> 6 /* max is the greatest number */ 7 assert (nr == N); 8 know_winner = 1; 9 out!winner(nr); 30 fi 33 :: else -> 34 out!one(nr) 35 fi 36 37 :: in?two(nr) -> 38 39 :: Active -> 40 41 43 Verication of Leader Election 1 #define N 5 /* nr of processes */ #define I 3 /* node given the smallest number */ 3 #define L 10 /* size of buffer (>= *N) */ 4 5 mtype = one, two, winner; /* symb. message names */ 6 chan q[n] = [L] of mtype, byte /* asynch channel */ 7 8 byte nr_leaders = 0; /* count the number of processes 9 that think they are leader of the ring */ 10 proctype node (chan in, out; byte mynumber) 11 bit Active = 1, know_winner = 0; 1 byte nr, maximum = mynumber, neighbour; 13 14 xr in; /* claim exclusive recv access to in */ 15 xs out; /* claims exclusive send access to out */ 16 17 printf ( MSC: %d\n, mynumber); 18 out!one(mynumber) /* send msg of type one */ 19 one: 0 :: in?one(nr) -> /* receive msg of type one */ 4 Verication of Leader Election 41 :: neighbour > nr && neighbour > maximum 4 maximum = neighbour; 43 out!one(neighbour) 44 :: else -> 45 Active = 0 46 fi 47 :: else -> out!two (nr) 48 fi 49 :: in?winner(nr) -> 50 51 :: nr!= mynumber -> printf ( LOST\n ); 5 :: else -> 53 printf ( Leader \n ); 54 nr_leaders++; 55 assert(nr_leaders == 1); 56 fi 57 58 :: know_winner 59 :: else -> 60 out!winner(nr) 44 1

Verication of Leader Election 6 fi; 63 break 64 od 65 66 67 init 68 byte proc; 69 atomic /* activate N copies of proc template */ 70 proc = 1; 71 7 :: proc <= N -> 73 run node (q[proc-1], q[proc%n], 74 (N+I-proc)% N+1); 75 proc++ 76 :: proc > N -> break 77 od 78 79 Comments DFS es not necessarily find the shortest counterexample There might be a very short counterexample but the verication might go out of memory If we n t finish, we might still have some sort of a result (coverage metrics) 45 47 Summary Distinction between behavior and requirements on behavior Which are checked for their internal and mutual consistency After verication, can refine decisions towards a full system implementation Promela is not a full programming language Can simulate the design before verication starts On-The-Fly System is the asynchronous composition of processes The global transition relation is never build For each state the successor states are enumerated using the transition relation of each process 46 48 3 4

Hash table Visited Set Efficient for testing even the number of elements in it is very big ( 10 6 ) Reduce memory usage Compress each state Reduce the number of states Partial Order Reduction When a transition is executed only a limited part of the state is modied State Representation Global variables Processes and local variables Queues Global Variables Processes Queues 49 51 SPIN and Bit-state Hashing Command line: cc DBITSTATE o run pan.c Can specy amount of available (non-virtual) memory directly using w N option, e.g., -w 7 means 18 Mb of memory $ run assertion violated pan aborted hash factor: 67650.064516 (size ^ states, stack frames: 0/5) Hash factor: max number of states / actual number Maximum number is or about 3 million Hash factor > 100 coverage around 100% Hash factor = 1 coverage approaches 0% 50 Compression Each transition changes only a small part of the state Assign a code to each element dynamically Encoded states + basic elements use considerably less spaces than the uncompressed states 5 5 6

3 i=0 j=0 3 x=0 P1 y=0 Compression x=1 3 Q0 1 x=0 P1 y=0 0 0 1 0 0 Hash Compaction Uses a hashing function to store each state using only bits There is a non-zero probability that two states are mapped into the same bits If the number of states is much smaller than the number of bits available there is a pretty good chance of not having conflicts The result is not (always) 100% correct! 1 1 x=1 1 0 i=0 j=0 0 x=0 0 Q0 1 53 55 3 i=0 j=0 3 x=0 P1 y=0 Compression x=1 3 Q0 1 x=0 x=1 q? x P1 y=0 0 0 1 01 01 Minimized Automata Reduction Turns the state into a sequence of integers Constructs an automaton which accepts the states in the visited set Works like a BDD but on non-binary variables (MDD) The variables are the components of the state The automaton is minimal The automaton is updated efficiently 1 1 x=1 1 Q0 0 i=0 j=0 0 x=0 0 Q0 1 54 56 7 8

Partial Order Reduction Optimal partial order reduction is as dficult as model checking! Compute an approximation based on syntactical information Access to local variables Receive on exclusive receive-access queues Send on exclusive send-access queues Independent Invisible Check (at run-time) for actions postponed at infinitum Not mentioned in the property So called stack proviso 57 http://spinroot.com/ References Design and Validation of Computer Protocols by Gerard Holzmann The Spin Model Checker by Gerard Holzmann An automata-theoretic approach to automatic program verication, by Moshe Y. Vardi, and Pierre Wolper An analysis of bitstate hashing, by G.J. Holzmann An Improvement in Formal Verication, by G.J. Holzmann and D. Peled Simple on-the-fly automatic verication of linear temporal logic, by Rob Gerth, Doron Peled, Moshe Vardi, and Pierre Wolper A Minimized automaton representation of reachable states, by A. Puri and G.J. Holzmann 58 9

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information