Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2011 Carnegie Mellon University SPIN: Part 2 15-414 Bug Catching: Automated Program Verification and Testing Sagar Chaki November 2, 2011.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "© 2011 Carnegie Mellon University SPIN: Part 2 15-414 Bug Catching: Automated Program Verification and Testing Sagar Chaki November 2, 2011."— Presentation transcript:

1 © 2011 Carnegie Mellon University SPIN: Part 2 15-414 Bug Catching: Automated Program Verification and Testing Sagar Chaki November 2, 2011

2 2 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Control flow We have already seen some Concatenation of statements, parallel execution, atomic sequences There are a few more Case selection, repetition, unconditional jumps

3 3 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Case selection if :: (a < b) ! option1 :: (a > b) ! option2 :: else ! option3/* optional */ fi Cases need not be exhaustive or mutually exclusive Non-deterministic selection

4 4 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Repetition byte count = 1; proctype counter() { do :: count = count + 1 :: count = count – 1 :: (count == 0) ! break od } byte count = 1; proctype counter() { do :: count = count + 1 :: count = count – 1 :: (count == 0) ! break od }

5 5 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Repetition proctype counter() { do :: (count != 0) ! if :: count = count + 1 :: count = count – 1 fi :: (count == 0) ! break od } proctype counter() { do :: (count != 0) ! if :: count = count + 1 :: count = count – 1 fi :: (count == 0) ! break od }

6 6 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Unconditional jumps proctype Euclid (int x, y) { do :: (x > y) ! x = x – y :: (x < y) ! y = y – x :: (x == y) ! goto done od ; done: skip } proctype Euclid (int x, y) { do :: (x > y) ! x = x – y :: (x < y) ! y = y – x :: (x == y) ! goto done od ; done: skip }

7 7 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Procedures and Recursion Procedures can be modeled as processes Even recursive ones Return values can be passed back to the calling process via a global variable or a message

8 8 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Time for example 3

9 9 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Timeouts Proctype watchdog() { do :: timeout ! guard!reset od } Get enabled when the entire system is deadlocked No absolute timing considerations

10 10 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Assertions assert(any_boolean_condition) pure expression If condition holds ) no effect If condition does not hold ) error report during verification with Spin

11 11 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Time for example 4

12 12 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University LTL model checking Two ways to do it Convert Kripke to Buchi Convert claim (LTL) to Buchi Check language inclusion OR Convert ~Claim (LTL) to Buchi Check empty intersection

13 13 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University What Spin does Checks non-empty intersection Requires very little space in best case Works directly with Promela No conversion to Kripke or Buchi Must provide Spin with negation of property you want to prove

14 14 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University LTL syntax in SPIN  :=p proposition |true | false | (  ) |  binop  | unop   :=p proposition |true | false | (  ) |  binop  | unop  unop := []always (G) | <>eventually (F) | Xnext time | !logical negation binop := Ustrong until | &&logical AND | ||logical OR | ->implication | equivalence unop := []always (G) | <>eventually (F) | Xnext time | !logical negation binop := Ustrong until | &&logical AND | ||logical OR | ->implication | equivalence

15 15 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Time for example 5

16 16 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Peterson’s Algorithm in SPIN bool turn, flag[2]; active [2] proctype user() { assert(_pid == 0 || _pid == 1); again: flag[_pid] = 1; turn = _pid; (flag[1 - _pid] == 0 || turn == 1 - _pid); /* critical section */ flag[_pid] = 0; goto again; } Active process: automatically creates instances of processes _pid: Identifier of the process assert: Checks that there are only at most two instances with identifiers 0 and 1

17 17 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Peterson’s Algorithm in SPIN bool turn, flag[2]; byte ncrit; active [2] proctype user() { assert(_pid == 0 || _pid == 1); again: flag[_pid] = 1; turn = _pid; (flag[1 - _pid] == 0 || turn == 1 - _pid); ncrit++; assert(ncrit == 1); /* critical section */ ncrit--; flag[_pid] = 0; goto again; } ncrit: Counts the number of Process in the critical section assert: Checks that there are always at most one process in the critical section

18 18 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Peterson’s Algorithm in SPIN bool turn, flag[2]; bool critical[2]; active [2] proctype user() { assert(_pid == 0 || _pid == 1); again: flag[_pid] = 1; turn = _pid; (flag[1 - _pid] == 0 || turn == 1 - _pid); critical[_pid] = 1; /* critical section */ critical[_pid] = 0; flag[_pid] = 0; goto again; } LTL Properties: 1.[] (!critical[0] || !critical[1]) 2.[]<> (critical[0]) && []<> (critical[1]) 3.[] (critical[0] -> (critical[0] U (!critical[0] && ((!critical[0] && !critical[1]) U critical[1])))) 4.[] (critical[1] -> (critical[1] U (!critical[1] && ((!critical[1] && !critical[0]) U critical[0])))) mutex no starvation alternation

19 19 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Mutual Exclusion in SPIN bool turn, flag[2]; bool critical[2]; active [2] proctype user() { assert(_pid == 0 || _pid == 1); again: flag[_pid] = 1; turn = _pid; (flag[1 - _pid] == 0 || turn == 1 - _pid); critical[_pid] = 1; /* critical section */ critical[_pid] = 0; flag[_pid] = 0; goto again; } LTL Properties (negated): 1.<> (critial[0] && critical[1]) 2.<>[] (!critical[0]) || <>[] (!critical[1]) 3.<> (critical[0] && !(critical[0] U (!critical[0] && ((!critical[0] && !critical[1]) U critical[1])))) 4.<> (critical[1] && !(critical[1] U (!critical[1] && ((!critical[1] && !critical[0]) U critical[0])))) holds does not hold

20 20 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University N S W Traffic Controller

21 21 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Modeling in SPIN System No turning allowed Traffic either flows East-West or North-South Traffic Sensors in each direction to detect waiting vehicles Traffic.pml Properties: Safety : no collision (traffic1.ltl) Progress – each waiting car eventually gets to go (traffic2.ltl) Optimality – light only turns green if there is traffic (traffic3.ltl)

22 22 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Dining Philosophers

23 23 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Modeling in SPIN Each fork is a rendezvous channel A philosopher picks up a fork by sending a message to the fork. A philosopher releases a fork by receiving a message from the fork. Properties No deadlock Safety – two adjacent philosophers never eat at the same time – dp0.ltl No livelock – dp1.ltl No starvation – dp2.ltl Versions dp.pml – deadlock, livelock and starvation dp_no_deadlock1.pml – livelock and starvation dp_no_deadlock2.pml – starvation

24 24 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University References http://cm.bell-labs.com/cm/cs/what/spin/ http://cm.bell- labs.com/cm/cs/what/spin/Man/Manual.html http://cm.bell- labs.com/cm/cs/what/spin/Man/Quick.html

25 25 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Questions? Sagar Chaki Senior Member of Technical Staff RTSS Program Telephone: +1 412-268-1436 Email: chaki@sei.cmu.educhaki@sei.cmu.edu U.S. Mail Software Engineering Institute Customer Relations 4500 Fifth Avenue Pittsburgh, PA 15213-2612 USA Web www.sei.cmu.edu/staff/chaki Customer Relations Email: info@sei.cmu.edu Telephone: +1 412-268-5800 SEI Phone: +1 412-268-5800 SEI Fax: +1 412-268-6257

Download ppt "© 2011 Carnegie Mellon University SPIN: Part 2 15-414 Bug Catching: Automated Program Verification and Testing Sagar Chaki November 2, 2011."

Similar presentations

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.
The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.

The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.
The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.

The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.
Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
1 Carnegie Mellon UniversitySPIN ExamplesFlavio Lerda Bug Catching15-398 SPIN Examples.

1 Carnegie Mellon UniversitySPIN ExamplesFlavio Lerda Bug Catching SPIN Examples.
While loops.

While loops.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
© 2006 Carnegie Mellon University Combining Predicate and Numeric Abstraction for Software Model Checking Software Engineering Institute Carnegie Mellon.

© 2006 Carnegie Mellon University Combining Predicate and Numeric Abstraction for Software Model Checking Software Engineering Institute Carnegie Mellon.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
© 2011 Carnegie Mellon University SPIN: Part 2 15-414/614 Bug Catching: Automated Program Verification Sagar Chaki April 21, 2014.

© 2011 Carnegie Mellon University SPIN: Part /614 Bug Catching: Automated Program Verification Sagar Chaki April 21, 2014.
Promela/SPIN Acknowledgements: These notes used some of the material presented by Flavio Lerda as part of Ed Clarke’s model-checking course.

Promela/SPIN Acknowledgements: These notes used some of the material presented by Flavio Lerda as part of Ed Clarke’s model-checking course.
Formal verification in SPIN Karthikeyan Bhargavan, Davor Obradovic CIS573, Fall 1999.

Formal verification in SPIN Karthikeyan Bhargavan, Davor Obradovic CIS573, Fall 1999.
/ PSWLAB P ROMELA Semantics from “THE SPIN MODEL CHECKER” by G. J. Holzmann Presented by Hong,Shin 5 th Oct 2007 08:021PROMELA Semantics.

/ PSWLAB P ROMELA Semantics from “THE SPIN MODEL CHECKER” by G. J. Holzmann Presented by Hong,Shin 5 th Oct :021PROMELA Semantics.
An Overview of PROMELA. A protocol Validation Language –A notation for the specification and verification of procedure rules. –A partial description of.

An Overview of PROMELA. A protocol Validation Language –A notation for the specification and verification of procedure rules. –A partial description of.
CIS 725 Guarded Command Notation. Programming language style notation Guarded actions en(a)  a en(a): guard of the action boolean condition or boolean.

CIS 725 Guarded Command Notation. Programming language style notation Guarded actions en(a)  a en(a): guard of the action boolean condition or boolean.
© 2011 Carnegie Mellon University SPIN: Part 1 15-414/614 Bug Catching: Automated Program Verification Sagar Chaki April 21, 2014.

© 2011 Carnegie Mellon University SPIN: Part /614 Bug Catching: Automated Program Verification Sagar Chaki April 21, 2014.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

Similar presentations

Ads by Google