Spin Model Checker for Promela. Seminar Shahar Salzman

Similar documents
Introduction to SPIN. Acknowledgments. Parts of the slides are based on an earlier lecture by Radu Iosif, Verimag. Ralf Huuck. Features PROMELA/SPIN

The Model Checker SPIN

Formal Verification by Model Checking

INF5140: Specification and Verification of Parallel Systems

Introduction to Promela and SPIN. LACL, Université Paris 12

Software Engineering using Formal Methods

Fundamentals of Software Engineering

Lecture 9 verifying temporal logic

Software Quality Exercise 1

Overview Motivating Examples Interleaving Model Semantics of Correctness Testing, Debugging, and Verification

The Model Checker SPIN

Quick Start Guide. June 3, 2012

Model Checking: An Introduction

System modeling. Budapest University of Technology and Economics Department of Measurement and Information Systems

logic language, static/dynamic models SAT solvers Verified Software Systems 1 How can we model check of a program or system?

Stylianos Basagiannis

tutorial: hardware and software model checking

T Reactive Systems: Introduction and Finite State Automata

Model Checking based Software Verification

Model Checking of Software

Testing LTL Formula Translation into Büchi Automata

Today s Agenda. Automata and Logic. Quiz 4 Temporal Logic. Introduction Buchi Automata Linear Time Logic Summary

Model Checking II Temporal Logic Model Checking

introduction to program monitoring

Verification of Agent Behavioral Models

Real Time Programming: Concepts

Formal Verification and Linear-time Model Checking

Software safety - DEF-STAN 00-55

Temporal Logics. Computation Tree Logic

TEACHING MODEL CHECKING TO UNDERGRADUATES

Context-Bounded Model Checking of LTL Properties for ANSI-C Software. Jeremy Morse, Lucas Cordeiro, Bernd Fischer, Denis Nicole

Software Modeling and Verification

SHARED HASH TABLES IN PARALLEL MODEL CHECKING

Software Active Online Monitoring Under. Anticipatory Semantics

MODEL CHECKING OF SERVICES WORKFLOW RECONFIGURATION: A PERSPECTIVE ON DEPENDABILITY

Mutual Exclusion using Monitors

Traditional Software Development. Model Requirements and JAVA Programs. Formal Verification & Validation. What is a state?

Static Program Transformations for Efficient Software Model Checking

Introducing Formal Methods. Software Engineering and Formal Methods

The Course.

A Static Analyzer for Large Safety-Critical Software. Considered Programs and Semantics. Automatic Program Verification by Abstract Interpretation

Embedded Programming in C/C++: Lesson-1: Programming Elements and Programming in C

Regression Verification: Status Report

Using Patterns and Composite Propositions to Automate the Generation of Complex LTL

Development of dynamically evolving and self-adaptive software. 1. Background

Introducing the Dezyne Modelling Language

SpinRCP The Eclipse Rich Client Platform Integrated Development Environment for the Spin Model Checker

Replication on Virtual Machines

Introduction to Software Verification

Journal of Mathematics Volume 1, Number 1, Summer 2006 pp

Specification and Analysis of Contracts Lecture 1 Introduction

Tool Support for Model Checking of Web application designs *

Model-Checking Verification for Reliable Web Service

How to design and implement firmware for embedded systems

Tr ends in Software Verification

Sources: On the Web: Slides will be available on:

SIMERO Software System Design and Implementation

A Logic Approach for LTL System Modification

QMC: A Model Checker for Quantum Systems

Algorithmic Software Verification

Concepts of Concurrent Computation

KITES TECHNOLOGY COURSE MODULE (C, C++, DS)

Formal verification of contracts for synchronous software components using NuSMV

Topics. Producing Production Quality Software. Concurrent Environments. Why Use Concurrency? Models of concurrency Concurrency in Java

Linux Process Scheduling Policy

Static Analysis. Find the Bug! : Analysis of Software Artifacts. Jonathan Aldrich. disable interrupts. ERROR: returning with interrupts disabled

Lumousoft Visual Programming Language and its IDE

Model Checking Distributed Software

Coverability for Parallel Programs

School of Computer Science

C Programming. for Embedded Microcontrollers. Warwick A. Smith. Postbus 11. Elektor International Media BV. 6114ZG Susteren The Netherlands

Introduction to Programming System Design. CSCI 455x (4 Units)

Automata-Based Verification of Temporal Properties on Running Programs Dimitra Giannakopoulou Klaus Havelund

Formal Verification Toolkit for Requirements and Early Design Stages

Chapter 3 Operating-System Structures

From Workflow Design Patterns to Logical Specifications

Formal Verification of Software

Towards a Framework for Generating Tests to Satisfy Complex Code Coverage in Java Pathfinder

Embedded Systems. Review of ANSI C Topics. A Review of ANSI C and Considerations for Embedded C Programming. Basic features of C

Applying Model Checking to Destructive Testing and Analysis of Software System

Finite Automata. Reading: Chapter 2

Chapter 6, The Operating System Machine Level

WRITING PROOFS. Christopher Heil Georgia Institute of Technology

IEC The Fast Guide to Open Control Software

An Introduction to Computer Science and Computer Organization Comp 150 Fall 2008

Operating Systems OBJECTIVES 7.1 DEFINITION. Chapter 7. Note:

Decomposition into Parts. Software Engineering, Lecture 4. Data and Function Cohesion. Allocation of Functions and Data. Component Interfaces

Lecture 22: C Programming 4 Embedded Systems

CISC422/853: Formal Methods

Automata-based Verification - I

Multiprocessor Scheduling and Scheduling in Linux Kernel 2.6

ONLINE EXERCISE SYSTEM A Web-Based Tool for Administration and Automatic Correction of Exercises

Fabio Patrizi DIS Sapienza - University of Rome

- An Essential Building Block for Stable and Reliable Compute Clusters

Outline: Operating Systems

2) Write in detail the issues in the design of code generator.

An Implementation Of Multiprocessor Linux

TECH. Requirements. Why are requirements important? The Requirements Process REQUIREMENTS ELICITATION AND ANALYSIS. Requirements vs.

The ConTract Model. Helmut Wächter, Andreas Reuter. November 9, 1999

1394 Bus Analyzers. Usage Analysis, Key Features and Cost Savings. Background. Usage Segmentation

Transcription:

Spin Model Checker for Promela Seminar 236800 Shahar Salzman 1

Parallel Algorithms Parallel and distributed programming is hard! Prone to many errors: Deadlock Livelock, starvation Under specification Over specification 2

Validating Parallel Algorithms Testing approach Functionality testing Cover great deal of the code path Cannot cover all code paths Fatal race condition may occur at extremely low probability Proof of correctness Not always possible Prone to human error 3

Validating Parallel Algorithms Model Checking an automated technique that given a finite state model of a system and a logical property, systematically checks whether this property holds [Clarke & Emerson 1981] State space State machine of interleaved process states Model checker results Property satisfied Property unsatisfied + trace to result 4

Spin & Promela Promela Concurrent and distributed programming modeling language Spin General tool for verifying the correctness of distributed software Verification tool for Promela and c Why Promela (and not c) Modeling allows reducing the program to its most basic states 5

Today s s Lecture Promela Understand and get a feel of the modeling language Shared memory example Spin Overview Verification Example Basic algorithm Optimizations 6

Promela 7

Promela PROMELA = Process/ ocess/protocol Meta Language Verification modeling language Dynamic creation of concurrent processes Communication via message synch/asynch channels C-like programming constructs and data types 8

Promela Example (Daniel Kroening, 251-0247 0247-00L 00L Formal Verification lecture slides) Definitions a process Non Deterministic Choice Dynamic creation of concurent processes 9

Declarations Promela Model Structure Type declarations Channel declarations Global variables Process declarations Init process Declarations Globals Processes Init 10

Promela Model Structure Syntax similar to C and Lotos C like declarations and data-types types C like assignments C like structures Lotos like communications Lotos like non-determinism 11

Declarations C-like syntax Supports types such as bool int byte short 12

Data types Enumeration mtype = {All possible enumerations}; Can be defined only once User defined types (c structs) typedef <name> { types } enumeration User defined type 13

Processes Defined just like a c - function returns process id Actually more like java runnable Aware of global variables - shared memory Input parameters 14

Statements Make up the body of the process C/C++/Java would call them commands But not exactly Statements are either executable/blocked Executable - the statement can be executed immediately Blocked - the statement cannot be executed 15

Statements skip always executable Assert C semantics expressions assignments Control Flow if/fi do/od break Communications send (ch!) receive (ch?) Interleaving atomic{ } d_step{ } Real-time timeout 16

Control Flow if/fi and do/od structures Guards condition checking Else if all fails Skip do nothing Break escape from do/od Guard if/fi structure boundaries 17

Control Flow Non-deterministic choices First all executable statements are evaluated One is chosen non-deterministically Not really non-deterministic uses random() 18

Channels Message passing between processes Synchronous communication [1] of Handshake protocol Asynchronous communication [k] of K>1 19

Asynch Channel Example Asynch channel Send message Receive message 20

Run Launch process Executable if the process can be launched Number of processes is limited 21

Unless { <statements> } unless { guard ; <statements> } Execute statements until guard is executable Resembles exception handling 22

atomic Statements are grouped into an atomic sequence No interleaving with other processes If a statement is blocked then other processes may perform a step and then statement is rechecked 23

timeout Promela does not have real-time properties! Timeout no process in the model can proceed Global timeout 24

Assertions Defensive programming But leaves the code clean... Consider the following if (NULL==ptr){ //clean resources exit(1); } Instead we use assert(null!=ptr) 25

Aiding Readability while/for c/c++/java programmers can t t do without them implies for logical assertions Use macros/inline: 26

Promela Syntax Summary Intuitive to C/C++/Java programmers Easily model large systems No need to think about implementation details inline / macro tricks aid readability 27

Interleaving Semantics Each process is modeled into states Processes are interleaved to generate the statespace Statespace grows very quickly numstatesa X numstatesb XnumStatesC X 28

Interleaving Semantics Interleaved Statespace Process A Process B (1,1) 1 1 (2,1) (1,2) 2 2 (3,1) (2,2) (1,3) 3 3 (3,2) (2,3) (3,3) 29

d_step Same semantics as atomic No intermediate states are constructed If statement is blocked a runtime error is generated May be used to reduce the size of the statespace 30

d_step Interleaved Statespace Process A Process B (1,1) 1 1 (2,1) (1,2) (1,1) 2 2 (3,1) (2,2) (1,3) (3,1) (1,3) 3 3 (3,2) (2,3) (3,3) (3,3) 31

Spin 32

Spin SPIN = Simple Promela Interpreter Model checker for Promela Open source One of the most powerful model checkers (Holzman 1991) Verifies Safety Liveness LTL properties 33

Spin Lots of references Books Online help Workshops check out: http:// ://spinroot.com/spin/whatispin.html#x html#x 34

Intro Applications of Spin Flood barrier Rotterdam Call processing logic Lucent (formerly AT&T) Mission critical SW of space missions Cassini - handoff algorithms for dual CPU control Mars exploration rover motor resource manager 35

XSpin Graphical interface for Spin Generates spin commands based on menu selections Simulator for Promela Spin runs in the background 36

XSpin as Model Simulator Simulator output Global variable values Sequence Chart 37

XSpin as Model Verifier Error example simulation LTL Formulae Verification Verification Results 38

XSpin Verification Safety Safety Safety 39

Spin Verification Assert Progress using special labels end valid end states (otherwise may be recognized as deadlock) progress mark states that have to be visited in every execution cycle accept states that cannot be part of an infinite execution cycle 40

Spin Output Search Parameters Verification Results Memory Usage Static Analysis 41

Behind The Curtains SPIN does not actually do any work! Generates c sources for a problem-specific model checker Saves memory Improves performance Allows direct insertion of c into the model 42

Behind The Curtains Step 1 create model Translate model into a state machine Step 2 create checker Generate never claim from checking parameters Translate never claim into a state machine Step 3 create model checker translate state machines to c (pan.c) Generate c for DFS searches of illegal states *** Now we have a problem specific model checker *** Step 4 verify model Build pan.c to pan.exe and run 43

Building the model Each process is translated into a state machine All of the states of the different processes are interleaved End product a state machine representing the valid model transitions. 44

The model states Each state represents a unique model snapshot Contains Global values Channel contents For each process Locals PC 45

Verification Algorithm No tricks here! Simple concept Clever optimizations DFS through the model searching for illegal states Verification is performed on-the the-fly Use Generated Checker DFS(state s) assert(legal(s)) for each successor t of s which we haven t t visited DFS(t) Requires easily identifying states 46

Statespace explosion DFS requires state matching Each visited state must be saved Spin provides several algorithms for statespace compression 47

Memory Management State compression challenge Good compression vs. Quick state comparison Quick state comparison requires that all states be compressed in the same way Dynamic Huffman encoding - X Lempel Ziv - X Run length coding - The greater the compression the greater the penalty 48

State Compression As of 1995 release a new compression method was released Knowledge of what we are compressing can help Every process and every channel have a relatively small number of states Large number of states is usually a result of process interaction Solution: Store every process state Store every channel state Global model state uses pointers to process/channel states 49

State Matching Naïve O(n) Solution - Hash states Entire state space may be huge Only small percentage is actually reachable Good hash function will prevent conflicts Spin uses multi bit-state hashing 50

Bit State Hashing Allocate huge array Each bit represents a valid state Set bit if state is used Use hash function Map small sub-range of huge range Quick access Problem: no collision detection Solution (partial) use 2 bits and 2 hash functions 51

Other Optimizations Partial order reduction?? Minimized automaton Encode States Dataflow analysis Dead variables/code Slicing algorithm Throw away unneeded branches 52

C verification with spin C commands within Promela model c_decl, c_state, c_code Converter from c to Promela I/O commands don t t really make sense No dynamic memory Process interleaving not the real level of atomicity State space explosion even a bigger problem 53

Example 54

Core-Driver Systems which are inherently concurrent Used in real time systems Embedded systems Multiple core systems Communications Pure SW models DB access RMI 55

Core-Driver Core Separate resource responsible for fast optimized execution Close to the HW Requires complex interface Driver Interface with the core Used by high level components to utilize the core 56

Our Core-Driver Protocol Communication via bus Driver sends request Work split between 2 cores Driver2Core communication on separate line Core2Driver communication on bus 57

Our Core Idle State: Wait for requests Receive Request Finish C2/Send(C2) Computation #1: Compute some of the required request 58

Our Driver Start: Driver is activated Wait #1: Wait for first computation result /Send(Request,Driver2CoreA), Send(Request,Driver2CoreB) Result #1 received Wait #2: Wait for the rest of the result Finish: Result #2 received 59

Summary 60

Summary Promela Syntax all a c/c++/java programmer needs is a cheat sheet Interleaving semantics attempt any possible interleaving Spin Simulator/Model checker Safety/Liveness/Weak Fairness/LTL Thorough checking at cost of memory Model Checking Space Efficiency vs. Runtime Performance 61

Class Experience - Mutual Exclusion Load a model of a simple process Initial verification using LTL formula Find mutual exclusion violation Fix process definition Verify fix 62

References Gerard J. Holzmann, An Analysis of bit-state hashing, Formal Methods in System Design, 13 No. 3, pp 287-305, 1998 Gerard J. Holzmann, On Limits and Possibilities of Automated Protocol Analysis, In Protocol Specification, Testing, and Verification. 7th International Conference pp 339-346, 1987 Gerard J. Holzmann, The Model Checker SPIN, IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. 23, NO. 5, MAY 1997 http://en.wikipedia.org/wiki/promela http:// ://en.wikipedia.org/wiki/spin_model_checker http://lwn.net/articles/243851/ http://spinroot.com/spin/whatispin.html http://www.cs.technion.ac.il/~ssdl/veritech/tools/core_2_spin/about.htm out.htm http://www.inf.ethz.ch/personal/daniekro/classes/251-0247 0247-00/f2007/slides/spin.pdf http://www.labri.fr/perso/fleury/courses/fds05/courses.html 63

Questions? 64

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information