Download presentation

Presentation is loading. Please wait.

Published byKelly Thomas Modified about 1 year ago

1
/24Hong,Shin @ PSWLAB S PIN Search Algorithm from “THE SPIN MODEL CHECKER” by G Holzmann Presented by Hong,Shin 9 th Nov 2007 2015-05-071SPIN Search Algorithm

2
/24Hong,Shin @ PSWLAB Contents Introduction Checking Safety Properties Checking Liveness Properties Adding Fairness Further work 2015-05-07SPIN Search Algorithm2

3
/24Hong,Shin @ PSWLAB Introduction 1/1 A global reachability graph A={S, s 0, L, T, F} is generated by P ROMELA semantic engine. Global reachability graph A captures the behavior of asynchronous execution of processes A 1 … A k. Verify correctness properties of P ROMELA models. - Checking Safety properties - Checking Liveness properties 2015-05-07SPIN Search Algorithm3

4
/24Hong,Shin @ PSWLAB Checking Safety Properties 1/7 Depth-first search algorithm systematically visits every reachable state. By depth-first searching, safety properties such as deadlock state, progress assertions, and system invariant that should hold at some state s can be checked. A stack and a state space are used in the algorithm. 2015-05-07SPIN Search Algorithm4

5
/24Hong,Shin @ PSWLAB Checking Safety Properties 2/7 1Stack D = {} ; Statespace V = {} 2 Start() { 3 Add_Statespace(V, A.s 0 ) ; 4Push_Stack(D, A.s 0 ) ; 5Search() ; 6 } 7 Search() { 8s = Top_Stack(D) ; 9foreach (s,l,s’) 2 A.T 10if In_Statespace(V, s’) == false { 11Add_Statespace(V, s’) 12Push_Stack(D, s’) 13Search() 14} 15 Pop_Stack(D) 16 } Basic Depth-First Search Algorithm 2015-05-07SPIN Search Algorithm5

6
/24Hong,Shin @ PSWLAB Checking Safety Properties 3/7 2015-05-07SPIN Search Algorithm6 1 Stack D = {} ; Statespace V = {} 2 Start() { 3Add_Statespace(V, A.s 0 ) ; 4Push_Stack(D, A.s 0 ) ; 5Search() ; 6 } 7 Search() { 8s = Top_Stack(D) ; 9if (!Safety(s)) Print_Stack(D) ; 10foreach (s,l,s’) 2 A.T 11if In_Statespace(V, s’) == false { 12Add_Statespace(V, s’) ; 13Push_Stack(D, s’) ; 14Search() ; 15} 16Pop_Stack(D) ; 17 } Extended Algorithm for Checking Safety Properties

7
/24Hong,Shin @ PSWLAB Checking Safety Properties 4/7 We can adopt the depth-first search algorithms easily into depth-limited search to guarantees coverage up to a given depth bound. 2015-05-07SPIN Search Algorithm7 S0S0 S1S1 S2S2 e Depth-limit is 2 Store the depth value together with each state in statespace V.

8
/24Hong,Shin @ PSWLAB Checking Safety Properties 5/7 2015-05-07SPIN Search Algorithm8 1 Stack D = {} ; Statespace V = {} 2 Start() { 3Add_Statespace(V, A.s 0 ) ; 4Push_Stack(D, A.s 0 ) ; 5 Search() ;} 6 Search() { 7if (Depth >= BOUND) return ; 8Depth++ ; 9s = Top_Stack(D) ; 10if !Safety(s) Print_Stack(D) ; 11foreach (s,l,s’) 2 A.T 12if In_Statespace(V, s’, Depth) == false { 13Add_Statespace(V, s’, Depth) 14Push_Stack(D, s’) 15Search() } 17Pop_Stack(D) ; 18Depth-- ; 19 } Depth-Limited Search Depth for each state visiting is store in state space if pan.c is compiled with DREACH option.

9
/24Hong,Shin @ PSWLAB Checking Safety Properties 6/7 2015-05-07SPIN Search Algorithm9 1 Stack D = {} ; 2 Start() { 3Push_Stack(D, A.s 0,0) ; 4 Search() ; 5 } 6 Search() { 7s = Top_Stack(D) ; 8if (!Safety(s)) { 9Print_Stack(D) ; 10if (iterative) BOUND = DEPTH ; 11} 12foreach (s,l,s’) 2 A.T 13if (In_Stack(D, s’) == false) { 14Push_Stack(D, s’) ; 15Search() ; 16} 17Pop_Stack(D); 18} Stateless Search

10
/24Hong,Shin @ PSWLAB Checking Safety Properties 7/7 2015-05-07SPIN Search Algorithm10 1 Queue D = {} ; Statespace V={} ; 2 Start() { 3Add_Statespace(V, A.s 0 ) ; 4Push_Stack(D, A.s 0 ) ; 5 Search() ; 6 } 7 Search() { 8while (Empty_Queue(D) == false) { 9 s = Del_Queue(D) ; 10 foreach (s,1,s') 2 A.T { 11if (In_Statespace(V, s') == false) { 12Add_Statespace(V, s') ; 13Add_Queue(D, s') ; 14} 15 } 16} 17 } Breath-First Search Algorithm Pros - Guarantee the shortest possible error Cons - Additional work is necessary for error trace generation - Hard to extend beyond safety properties

11
/24Hong,Shin @ PSWLAB Checking Liveness Properties 1/5 We can only have an infinite run in a finite system if the run is cyclic. We are particularly interested in case where the set of states that are reached infinitely often contains one or more accepting states since these runs correspond to ! accepting run. An accepting cycle in the global reachability graph exists if and only if (1) At least one accepting state is reachable from initial state. (2) At least one of those accepting state is reachable from itself. Use nested depth-first search algorithm for liveness properties checking. c.f. In synchronous product of automaton A = A 1 A 2 … A.F is the set of pairs (s 1, s 2 ) ∈ A.S where s 1 ∈ A 1.F or s 2 ∈ A 2.F 2015-05-07SPIN Search Algorithm11

12
/24Hong,Shin @ PSWLAB Checking Liveness Properties 2/5 Depth-first search determines that an accepting state has been reached, and all successors of that state have also been explored, it starts a nested search to see if the state is reachable from itself. Nested search in post-order Store a copy of the accepting state in a global, called seed. Store pairs of a state and a boolean variable toggle for stack and state space elements. 2015-05-07SPIN Search Algorithm12

13
/24Hong,Shin @ PSWLAB Checking Liveness Properties 3/5 2015-05-07SPIN Search Algorithm13 1Stack D = {} ; 2Statespace V = {} ; 3State seed = nil ; 4Boolean toggle = false ; 5 Start() { 6Add_Statespace(V, A.s 0, toggle) ; 7Push_Stack(D, A.s 0, toggle) ; 8 Search() ; 9 } 10 Search() { 11(s, toggle) = Top_Stack(D) ; 12foreach (s, l, s’) 2 A.T { 13if (toggle == true) { 14if (s’ == seed || On_Stack(D, s’, false) { 15PrintStack(D) ; 16PopStack(D) ; 17return ; } 18} // end of if (toggle == true)

14
/24Hong,Shin @ PSWLAB Checking Liveness Properties 4/5 2015-05-07SPIN Search Algorithm14 19if (In_Statespace(V, s’, toggle) == false) { 20Add_Statespace(V, s’, toggle) ; 21Push_Stack(D, s’, toggle) ; 22Search() ; 23} 24} // end of foreach 25if (s 2 A.F && toggle == false) { 26seed = s ; 27toggle = true ; 28Push_Stack(D, s, toggle) ; 29Search() ; 30Pop_Stack() ; 31seed = nil ; 32toggle = false ; 33} // end of if 34Pop_Stack(D) ; 35} // end of Search() ;

15
/24Hong,Shin @ PSWLAB Checking Liveness Properties 5/5 In nested search, if a successor was visited with toggle value true then it does not explore that successor. - Nested searching is excuted in post-order - Z a is seed accepting state - Z e is a successor with toggle value true - Z n is an accepting state from which Z e was reachable. 2015-05-07SPIN Search Algorithm15 ZaZa ZeZe ZnZn

16
/24Hong,Shin @ PSWLAB Adding Fairness 1/8 What will be the result from SPIN ? 2015-05-07SPIN Search Algorithm16 bit a = 0 ; active proctype A() { do :: a = 0 ; od ; } active proctype B() { do :: a = 1 ;od ; } never { accept_init: T0_init: if :: (!a) -> goto T0_init ; fi ; } -bash-3.1$./a.out -a warning: for p.o. reduction to be valid the never claim must be stutter-invariant (never claims generated from LTL formulae are stutter-invariant) pan: acceptance cycle (at depth 0) pan: wrote fairness.pml.trail (Spin Version 4.2.7 -- 23 June 2006) : -bash-3.1$ spin -t -p fairness.pml Starting A with pid 0 Starting B with pid 1 Starting :never: with pid 2 >>>> Never claim moves to line 23 [(!(a))] 2: proc 0 (A) line 7 "fairness.pml" (state 1) [a = 0] spin: trail ends after 2 steps

17
/24Hong,Shin @ PSWLAB Adding Fairness 2/8 Strong Fairness An ! -run ¾ satisfies the strong fairness requirement if it contains infinitely many transitions from every component automaton that is enabled infinitely often in ¾. Weak Fairness An ! -run ¾ satisfies the weak fairness requirement if it contains infinitely many transitions from every component automaton that is enabled infinitely long in ¾. * Component automaton A i is said to be enabled at state s of global automaton A if s has at least one valid outgoing transition from A i. 2015-05-07SPIN Search Algorithm17

18
/24Hong,Shin @ PSWLAB Adding Fairness 3/8 Chouseka’s flag construction method - SPIN only checks weak fairness of components. - For a global reachability graph A which is product of k component automaton A 1, A 2, … A k. (1)Create k+2 copies(0 to k+1) of the global reachability graph. (2)Preserve the acceptance labels only in the 0-th copy and remove the accepting labels from all states in the remaining copies. (3)Change the destination states for all outgoing transitions of accepting states in 0-th copy to point to the same states in the 1-st copy. (4)In the i-th copy(1 · i · k), change the destination of each transition that was contributed by component automaton Ai to the same state in the (i+1)-th copy. (5)For k+1-th copy, change all transitions such that their destination state is now in the 0-th copy. (6) Add null transition from every state s in i-th copy (1 · i · k) to the same state in the (i+1)-th copy whenever automaton component i has no enabled transitions in s. 2015-05-07SPIN Search Algorithm18

19
/24Hong,Shin @ PSWLAB Adding Fairness 4/8 2015-05-07SPIN Search Algorithm19 copy0 copy1 copy2 copy k+1 _pid 1 _pid 2 _pid = 1..k _pid = 1 _pid = 2 _pid = k _pid = 1..k (k + 2) Times Unfolded State Space for Weak Fairness

20
/24Hong,Shin @ PSWLAB Adding Fairness 5/8 These changes do not add or remove behavior but it should be clear that any accepting ! –run in (k+2) times unfolded state space now necessarily includes transitions from all k component automata. Nested depth-first search can be used to detect all fair accepting runs in the original graph. This algorithm can enforce weak fairness. In SPIN implementation, each state holds 2(k+2) additional bits to represent (k+2) copies of global reachability graph. 2015-05-07SPIN Search Algorithm20

21
/24Hong,Shin @ PSWLAB Adding Fairness 6/8 bit a = 0 ; active proctype A() /* pid=1 */ { do :: (a == 0) -> accept: a = 1 ; od ; } active proctype B() /* pid=2 */ { do :: (a == 1) -> a = 0 ; od ; } 2015-05-07SPIN Search Algorithm21 S 1 a=0 S 2 a=1 pid=1 pid=2

22
/24Hong,Shin @ PSWLAB Adding Fairness 7/8 2015-05-07SPIN Search Algorithm22 S01S01 S11S11 S12S12 S21S21 S22S22 S31S31 S32S32 S02S02 copy 0copy1 copy2 copy3

23
/24Hong,Shin @ PSWLAB Adding Fairness 8/8 add weak fairness (-f option of ‘pan’) 2015-05-07SPIN Search Algorithm23 bit a = 0 ; active proctype A() { do :: a = 0 ; od ; } active proctype B() { do :: a = 1 ;od ; } never { accept_init: T0_init: if :: (!a) -> goto T0_init ; fi ; }./a.out -f -a warning: for p.o. reduction to be valid the never claim must be stutter-invariant (never claims generated from LTL formulae are stutter-invariant) (Spin Version 4.2.7 -- 23 June 2006) + Partial Order Reduction Full statespace search for: never claim + assertion violations + (if within scope of claim) acceptance cycles + (fairness enabled) invalid end states - (disabled by never claim)

24
/24Hong,Shin @ PSWLAB Further Works Search Optimization (Ch. 9) – Partial Order Reduction, Bitstate Hashing, State Compressions, etc. 2015-05-07SPIN Search Algorithm24

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google