Introduction to SPIN. Acknowledgments. Parts of the slides are based on an earlier lecture by Radu Iosif, Verimag. Ralf Huuck. Features PROMELA/SPIN



Similar documents
Introduction to Promela and SPIN. LACL, Université Paris 12

Fundamentals of Software Engineering

INF5140: Specification and Verification of Parallel Systems

Lecture 9 verifying temporal logic

Software Engineering using Formal Methods

Formal Verification by Model Checking

Today s Agenda. Automata and Logic. Quiz 4 Temporal Logic. Introduction Buchi Automata Linear Time Logic Summary

Software Quality Exercise 1

Quick Start Guide. June 3, 2012

The Model Checker SPIN

SPIN Beginners Tutorial

Stylianos Basagiannis

Context-Bounded Model Checking of LTL Properties for ANSI-C Software. Jeremy Morse, Lucas Cordeiro, Bernd Fischer, Denis Nicole

Temporal Logics. Computation Tree Logic

MODEL CHECKING OF SERVICES WORKFLOW RECONFIGURATION: A PERSPECTIVE ON DEPENDABILITY

System modeling. Budapest University of Technology and Economics Department of Measurement and Information Systems

Overview Motivating Examples Interleaving Model Semantics of Correctness Testing, Debugging, and Verification

CISC422/853: Formal Methods

Formal verification of contracts for synchronous software components using NuSMV

tutorial: hardware and software model checking

Lecture 8: Safety and Liveness Properties

Mutual Exclusion using Monitors

logic language, static/dynamic models SAT solvers Verified Software Systems 1 How can we model check of a program or system?

Traditional Software Development. Model Requirements and JAVA Programs. Formal Verification & Validation. What is a state?

Model Checking: An Introduction


The Model Checker SPIN

Verification of Agent Behavioral Models

Static Program Transformations for Efficient Software Model Checking

The Course.

Formal Verification and Linear-time Model Checking

EMBEDDED C CODE 17. The purpose of analysis is not to compel belief but rather to suggest doubt. (Imre Lakatos, Proofs and Refutations)

Last Class: Semaphores

Combining Software and Hardware Verification Techniques

Model Checking II Temporal Logic Model Checking

Model Checking LTL Properties over C Programs with Bounded Traces

An LTL Specification and Verification of a Mobile Teleconferencing System

Sources: On the Web: Slides will be available on:

C++ Programming Language

Testing LTL Formula Translation into Büchi Automata

Software Modeling and Verification

Overview of Lecture 3. Model Checking with SPIN. First attempt (revisited) Linear Temporal Logic (LTL) CDP #3

A Classification of Model Checking-based Verification Approaches for Software Models

VeriTech - A Framework for Translating among Model Description Notations

Software safety - DEF-STAN 00-55

Chapter 6, The Operating System Machine Level

Model Checking Interactions of Composite Web Services

Concepts of Concurrent Computation

An Approach to Model Checking Ada Programs

Introduction to Software Verification

T Reactive Systems: Introduction and Finite State Automata

Formal Verification of Software

Rigorous Software Development CSCI-GA

Operating Systems 4 th Class

CS11 Java. Fall Lecture 7

SSC - Concurrency and Multi-threading Java multithreading programming - Synchronisation (I)

Software Model Checking: Theory and Practice

Embedded Systems. Review of ANSI C Topics. A Review of ANSI C and Considerations for Embedded C Programming. Basic features of C

introduction to program monitoring

Using RAID Admin and Disk Utility

Software Engineering

Outline. Conditional Statements. Logical Data in C. Logical Expressions. Relational Examples. Relational Operators

Generalising Feature Interactions in

Applying Model Checking to Destructive Testing and Analysis of Software System

SVA4T: SystemVerilog Assertions - Techniques, Tips, Tricks, and Traps

Runtime Verification of Concurrent Haskell Programs

Informatica e Sistemi in Tempo Reale

Static Analysis. Find the Bug! : Analysis of Software Artifacts. Jonathan Aldrich. disable interrupts. ERROR: returning with interrupts disabled

GameTime: A Toolkit for Timing Analysis of Software

Java Virtual Machine Locks

A Tutorial on Uppaal 4.0

Tr ends in Software Verification

Shared Address Space Computing: Programming

XMOS Programming Guide

End to End Verification and Validation with SPIN

The programming language C. sws1 1

Model Checking Distributed Software

Exceptions in MIPS. know the exception mechanism in MIPS be able to write a simple exception handler for a MIPS machine

Lecture 6: Semaphores and Monitors

A Static Analyzer for Large Safety-Critical Software. Considered Programs and Semantics. Automatic Program Verification by Abstract Interpretation

MonitorExplorer: A State Exploration-Based Approach to Testing Java Monitors

A Dynamic Assertion-based verification platform for UML Statecharts over Rhapsody

Common Errors in C/C++ Code and Static Analysis

Static Byte-Code Analysis for State Space Reduction. Master Thesis

Model checking test models. Author: Kevin de Berk Supervisors: Prof. dr. Wan Fokkink, dr. ir. Machiel van der Bijl

Journal of Mathematics Volume 1, Number 1, Summer 2006 pp

University of Konstanz Department of Computer and Information Science

Storage. The text highlighted in green in these slides contain external hyperlinks. 1 / 14

TEACHING MODEL CHECKING TO UNDERGRADUATES

Fabio Patrizi DIS Sapienza - University of Rome


Model Checking based Software Verification

Specification and Analysis of Contracts Lecture 1 Introduction

A Systematic Approach. to Parallel Program Verication. Tadao TAKAOKA. Department of Computer Science. Ibaraki University. Hitachi, Ibaraki 316, JAPAN

QUIZ-II QUIZ-II. Chapter 5: Control Structures II (Repetition) Objectives. Objectives (cont d.) 20/11/2015. EEE 117 Computer Programming Fall

Chapter 13: Verification

Monitors, Java, Threads and Processes

Programing the Microprocessor in C Microprocessor System Design and Interfacing ECE 362

OpenACC 2.0 and the PGI Accelerator Compilers

Debugging with TotalView

Transcription:

Acknowledgments Introduction to SPIN Parts of the slides are based on an earlier lecture by Radu Iosif, Verimag. Ralf Huuck Ralf Huuck COMP 4152 1 Ralf Huuck COMP 4152 2 PROMELA/SPIN PROMELA (PROcess MEta LAnguage) is: a language to describe concurrent (distributed) systems: network protocols, telephone systems multi-threaded (-process) programs similar with some structured languages (e.g. C, Pascal) SPIN (Simple Promela INterpreter) is a tool for: detecting logical errors in the design of systems e.g: deadlocks assertions (e.g. race conditions) temporal logic formulas Features Given a PROMELA model (program), SPIN can do: a random simulation i.e. it interprets the program this mode cannot be used in exhaustive verification useful for viewing error traces an exhaustive analysis considers all possible executions of the program finds all potential errors, both deadlock and user-specified Deadlock: situation in which at least one process remains blocked forever while waiting for an inexistent event to happen User specified constraints: assertions temporal (never) claims Ralf Huuck COMP 4152 3 Ralf Huuck COMP 4152 4 1

Example SPIN Simulation PROMELA Hello World printf( Hello World\n ); The simplest erroneous specification 0; printf( Hello World\n ); SPIN C:\> spin p hello.prom simulation trace 0: proc - (:root:) creates proc 0 (:init:) Hello World 1: proc 0 (:init:) line 3 "pan_in" (state 1) [printf( Hello World\\n')] Ralf Huuck COMP 4152 5 Ralf Huuck COMP 4152 6 SPIN Analysis (1) SPIN Analysis (2) 0; SPIN C:\> spin a dlock.prom pan.exe dlock.prom.trail ERROR pan.t pan.m pan.b pan.h pan.c OK SPIN C:\> spin p -t dlock.prom error trace GCC #processes: 1-4: proc 0 (:init:) line 3 "pan_in" (state 1) 1 processes created pan.exe Ralf Huuck COMP 4152 7 Ralf Huuck COMP 4152 8 2

Similar to C The PROMELA language all C pre-processor directives can be used #define NAME 5 definitions of types, variables, processes if,do,break,goto control flow constructs Ralf Huuck COMP 4152 9 Ralf Huuck COMP 4152 10 Basic Types and Ranges Recode Types (user defined) bit, bool byte short int 0..1 0..255-2^15-1.. 2^15-1 -2^31 1.. 2^31-1 Warning: type ranges are OS-dependent (just like in C) typedef S { short a, b; byte x; ; look like C structures At most one enumeration type mtype = {one, two, three; Ralf Huuck COMP 4152 11 Ralf Huuck COMP 4152 12 3

Variables Variables (same C syntax) int x, y; int z = 0; mtype m = one; Procedures there are no procedures, only processes proctype foo(int x, y; bit b){... the init process (like main in C) has no parameters can be activated by run or automatically foo(254, 255,0); active proctype foo(int x, y; bit b){... Ralf Huuck COMP 4152 13 Ralf Huuck COMP 4152 14 Scoping Arrays and Constants variables are global if declared outside any process variables are local a process if declared within its proctype declaration arrays declared like variables: int vector[32]; indexes are zero-based scoping rules apply (there might be global and local vectors) local variables shadow globals with the same name Ralf Huuck COMP 4152 15 Ralf Huuck COMP 4152 16 4

Example Expressions #define length 64 mtype = {red, yellow, green; byte state = green; int counter; bit memory[length];... logical:, &&,! arithmetic: +, -, /, % relational: >,<,<=,>=,==,!= vector access: v[i] record access: x.f process creation: run X() Ralf Huuck COMP 4152 17 Ralf Huuck COMP 4152 18 Statements (1) Statements (2) are execution steps of processes an important characteristic is executability: For instance: x <= 10; is the (proper) way of expressing something like: wait until(x <= 10); Expression statements not executable iff expression evaluates to 0 Assignment statements always executable Skip statements always executable do nothing (only change control location) Print statements always executable Ralf Huuck COMP 4152 19 Ralf Huuck COMP 4152 20 5

Statements (3) Assert statements assert( <expression> ); always executable expression evaluates to zero => program exits Statements are atomic in a concurrent program, each statement is executed without interleaving with other processes Ralf Huuck COMP 4152 21 Control Flow (1) Select construct if :: <choice1> -> <stat11>; <stat12>; :: <choice2> -> <stat21>; <stat22>; fi; What does it do? if a (random) choice is executable, continues execution with the corresponding branch if no choice is executable, the whole select is not executable if more than one choice is executable, we say the selection is non-deterministic Ralf Huuck COMP 4152 22 Control Flow (2) Loop construct do :: <choice1> -> <stat11>; <stat12>; :: <choice2> -> <stat21>; <stat22>; od; What does it do? same as the selection, except that at the end of a branch it loops back and repeats the choice selection Control Flow (3) The else choice is executable only when no other choice is executable The break statement transfers control at the end of loop The goto statement transfers control to a labeled location Ralf Huuck COMP 4152 23 Ralf Huuck COMP 4152 24 6

Traffic Light Example Concurrency mtype = {red, yellow, green; byte state = green; do :: (state == green) -> state = yellow; :: (state == yellow) -> state = red; :: (state == red) -> state = green; od Ralf Huuck COMP 4152 25 Processes can spawn other processes using the run expression proctype foo(int x; byte y) { int pid; pid = run foo(256, 255); /* or simply: */ run foo(256, 255); Ralf Huuck COMP 4152 26 Interleaving Complexity Premises: two or more processes composed of atomic statements one processor shared between processes s11 s12 s22 s12 s11 Problems: worst-case complexity is exponential in number of processes improper mutex (locking) may cause race conditions Ralf Huuck COMP 4152 27... how many states can be reached in this example? express this number as function of: K = number of processes N = number of states/process Ralf Huuck COMP 4152 28 7

Reducing Complexity (1) Reducing Complexity (2) s11 s11 s11 s11+s12 atomic s12 s22 s12 d_step s12 s22...... if a statement inside atomic is not executable, transfer temporarily control to another process Ralf Huuck COMP 4152 29 if a statement inside d_step is not executable => error (block inside d_step) no if, do, break, goto, run allowed inside d_step (i.e., deterministic step) Ralf Huuck COMP 4152 30 Apprentice Example Good apprentice int counter = 0; active[2] proctype incr() { counter = counter + 1; creates 2 identical copies, share variable counter interleaving Ralf Huuck COMP 4152 31 Apprentice Example Good apprentice int counter = 0; active[2] proctype incr() { counter = counter + 1; Bad apprentice int counter = 0; active[2] proctype incr() { int tmp; tmp = counter + 1; counter = tmp; Ralf Huuck COMP 4152 32 8

Apprentice Example Good apprentice int counter = 0; active[2] proctype incr() { counter = counter + 1; Bad apprentice int counter = 0; active[2] proctype incr() { int tmp; tmp = counter + 1; atomic counter = tmp; Ralf Huuck COMP 4152 33 Mutual Exclusion (bad) Example proctype Y() { proctype X() { x = 1; y = 1; y == 0; x == 0; x = 0; y = 0; proctype monitor() { assert(mutex!= 2); Ralf Huuck COMP 4152 34 Dekker s Mutual Exclusion Bakery Mutual Exclusion proctype A() { proctype B() { x = 1; y = 1; turn = Bturn; turn = Aturn; (y == 0) (turn == Aturn); (x == 0) (turn == Bturn); x = 0; y = 0; proctype monitor() { assert(mutex!= 2); Ralf Huuck COMP 4152 35 proctype A() { do :: 1 -> turna = 1; turna = turnb + 1; does (turnb verification == terminate? 0) (turna < turnb); turna = 0; od Ralf Huuck COMP 4152 36 9

Communication Communication (2) 1. Message passing 2. Rendez-vous synchronization Both methods rely on channels: chan q = [<dim>] of {<type>; chan q; /* just declaration */ if dim is 0 then q is a rendez-vous port otherwise q is an asynchronous channel Send statement q! <expr>; for rendez-vous channels is executable iff another process is ready to receive at the same time both processes are involved in a rendezvous for asynchronous queues is executable iff the queue is not full Ralf Huuck COMP 4152 37 Ralf Huuck COMP 4152 38 Communication (2) Communication (3) Receive statement q? <var>; q? _; for rendez-vous channels is executable iff another process is ready to send at the same time both processes are involved in a rendezvous Channel test statement q? <expr>; same as receive for rendez-vous channels for asynchronous queues is executable iff the first value in the queue matches the result of expr for asynchronous queues is executable iff the queue is not empty Ralf Huuck COMP 4152 39 Ralf Huuck COMP 4152 40 10

Inter-locking Example chan lock = [1] of bit; proctype foo(chan q) { q? 1; /* critical section */ q! 1; lock! 1; run foo(lock); run foo(lock); Correctness Claims Ralf Huuck COMP 4152 42 Ralf Huuck COMP 4152 41 Claims Basic Assertions basic assertions end state labels progress state labels accept state labels never claims trace assertions all provide means to check requirements assert {expression SPIN reports any violation of assertions during simulation or verification. proctype monitor() { assert(mutex!= 2); spin: line 2 pan, Error: assertion violated Ralf Huuck COMP 4152 43 Ralf Huuck COMP 4152 44 11

Meta Labels End States labels with special meaning reserved only available in verification mode Labels for end states progress states accept states an end state in PROMELA is a state with no successors end states can be labeled as valid by introducing labels that start with end end0,endsome, at the end of each process there is a default valid end state a deadlock is a state with no successors in which at least one process is not in a valid end state Ralf Huuck COMP 4152 45 Ralf Huuck COMP 4152 46 Example End State Progress States proctype Y() { x = 1; endy: y == 0; x = 0; proctype X() { y = 1; endx: x == 0; y = 0; similar to end states progress states are introduced by labels that start with progress progress0,progresssome, verifier must in each execution reach progress label infinitely often typically requires fairness Allow processes to block. Ralf Huuck COMP 4152 47 Ralf Huuck COMP 4152 48 12

Example Progress State Accept States proctype Y() { x = 1; y == 0; progressy: x = 0; proctype X() { y = 1; x == 0; progressx: y = 0; dual to end states accept states are introduced by labels that start with accept accept0,acceptsome, verifier must not reach in any execution reach accept label in infinitely often Mutual exclusion infinitely many times for both processes. Ralf Huuck COMP 4152 49 Ralf Huuck COMP 4152 50 Example Accept State Never Claims (1) proctype Y() { x = 1; y == 0; accepty: x = 0; proctype X() { y = 1; x == 0; y = 0; never {statement special type of process, is instantiated once used to detect illegal behaviors SPIN has LTL to never claim translator Mutual exclusion infinitely many times for X only. Ralf Huuck COMP 4152 51 Ralf Huuck COMP 4152 52 13

Never Claims (2) never {statement SPIN reports any violation of never claims during simulation or verification. SPIN Options Invariant p: never { do ::!p -> break :: else od Ralf Huuck COMP 4152 54 Ralf Huuck COMP 4152 53 Simulation Generating Verifier random simulation: spin model -i performs interactive simulation -jn skips first N steps of random/guided sim. -p shows execution of states -s/-r shows details about send/receive -t interactive sim following on produced execution trace -v verbose and many more! -a syntax check and verifier generation -f formula generates never claim from LTL -F file same but from file Ralf Huuck COMP 4152 55 Ralf Huuck COMP 4152 56 14

Verification References -A suppresses basic assertion violations -a use for accept cycle detection -f uses weak fairness -l use for progress cycles http://spinroot.com/ quick references http://spinroot.com/spin/man/quick.html you better read them Ralf Huuck COMP 4152 57 Ralf Huuck COMP 4152 58 15

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information