An explicit state model checker


SPIN: An explicit state model checker

How does Spin work? We have already seen the algorithm and the Promela language. We now need to see how the tool itself works.

High Level Organization

- LTL formula -> LTL Translator -> Büchi Automaton -> Büchi Translator -> Promela process. The Büchi automaton is turned into a Promela process and composed with the rest of the system.
- Promela Model -> Promela Parser -> Abstract Syntax Tree -> Automata Generator -> Automata
- Automata -> C Generator -> C Code -> C Compiler -> Pan Verifier -> Verification Result. The generated verifier is specific to the model and property we started with.
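To make the organization above concrete, here is an added example (not code from the slides or from Spin itself) that carries out the same steps in Python on a constructed model: a tiny explicit transition system, a hand-written Büchi automaton for the negation of the property []<>p (the role played by the never claim that the LTL translator produces), an on-the-fly product of the two, and the nested depth-first search for an accepting cycle that pan runs over that product. The model, its labels and the automaton are all constructed for illustration.

```python
# Added example (not from the slides): a miniature version of the pipeline
# Spin uses, written directly in Python. The model, the labels and the
# never claim below are all constructed for illustration.

# --- The model: an explicit transition system ------------------------
# States are integers; `labels` says which atomic propositions hold.
# The constructed system cycles 0 -> 1 -> 2 -> 0, where p holds in state 0.
# With the optional branch 1 -> 3 -> 3 it can get stuck where p never holds.
def make_model(with_stuck_branch):
    succ = {0: [1], 1: [2], 2: [0], 3: [3]}
    if with_stuck_branch:
        succ[1] = [2, 3]
    labels = {0: {"p"}, 1: set(), 2: set(), 3: set()}
    return 0, succ, labels


# --- The never claim: a Buechi automaton for the NEGATED property -----
# Property to verify: []<>p  ("p holds infinitely often").
# Spin checks the negation <>[]!p: an accepting run is one that eventually
# stays in q1, i.e. sees !p forever. This is the automaton `spin -f` would
# emit as a Promela never claim; here it is hand-written.
NEVER_INIT = "q0"
NEVER_ACCEPT = {"q1"}

def never_step(q, props):
    """Automaton successors of q after reading a model state labelled `props`."""
    if q == "q0":
        return ["q0"] + (["q1"] if "p" not in props else [])
    if q == "q1":
        return ["q1"] if "p" not in props else []
    return []


# --- Nested depth-first search for an accepting cycle -----------------
# Outer DFS over the product; when an accepting state is left (postorder),
# an inner DFS looks for a path back to it. Both searches share the
# visited sets, so every product state is stored at most twice.
def nested_dfs(init, successors, is_accepting):
    """Return (prefix, cycle) of a lasso-shaped counterexample, or None."""
    visited, flagged, stack = set(), set(), []

    def inner(s, seed):
        flagged.add(s)
        for t in successors(s):
            if t == seed:
                return [t]
            if t not in flagged:
                rest = inner(t, seed)
                if rest is not None:
                    return [t] + rest
        return None

    def outer(s):
        visited.add(s)
        stack.append(s)
        for t in successors(s):
            if t not in visited:
                found = outer(t)
                if found is not None:
                    return found
        if is_accepting(s):
            cycle = inner(s, s)
            if cycle is not None:
                return list(stack), cycle
        stack.pop()
        return None

    return outer(init)


def check_infinitely_often_p(with_stuck_branch):
    """Compose model and never claim on the fly and search the product."""
    init, succ, labels = make_model(with_stuck_branch)

    def product_succ(state):
        s, q = state
        # The automaton reads the label of the state being left, then the
        # model takes one step: the synchronous product, built lazily.
        return [(s2, q2) for s2 in succ[s] for q2 in never_step(q, labels[s])]

    return nested_dfs((init, NEVER_INIT), product_succ,
                      lambda st: st[1] in NEVER_ACCEPT)


if __name__ == "__main__":
    print("without stuck branch:", check_infinitely_often_p(False))
    print("with stuck branch:   ", check_infinitely_often_p(True))
```

Without the stuck branch the search exhausts the product and reports no accepting cycle, so []<>p holds; with it, the result is a lasso whose prefix leads into state 3 with the automaton in q1 and whose cycle is the self-loop there, which is exactly the kind of trail Spin would hand back for replay in the simulator.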

Command Line Tools

Spin
- Generates the Promela code for the LTL formula:
  ~$ spin -f "[]<>p"
  The propositions in the formula must correspond to #defines.
- Generates the C source code:
  ~$ spin -a source.pro
  The property must be included in the source.

Pan
- Performs the verification.
- Has many compile time options to enable different features.
- Optimized for performance.

Xspin GUI for Spin

Simulator
Spin can also be used as a simulator:
- It simulates the Promela program.
- It is used as a simulator when a counterexample is generated: it steps through the trace, since the trace itself is not "readable".
- It can be used for random and manually guided simulation as well.

Comments
- DFS does not necessarily find the shortest counterexample.
- There might be a very short counterexample, but the verification might still run out of memory before finding it.
- If the search does not finish, we might still have some sort of a result (coverage metrics).
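The three comments above can be seen on a small constructed model. The following added example (not from the slides, and not Spin's own code) runs an explicit-state reachability check for a safety violation with a Spin-style depth-first search, with a breadth-first search for comparison, and again with DFS under an artificial state budget that stands in for running out of memory. The chain model, the "bad" state and the budget are all constructed for the illustration.

```python
# Added example (not from the slides): an explicit-state safety check on a
# constructed model, run with depth-first search, with breadth-first search,
# and with DFS under an artificial state budget.
from collections import deque

CHAIN_LENGTH = 20  # constructed: a long chain of harmless states

def chain_succ(s):
    """Constructed model: 0 -> 1 -> ... -> 20 -> bad, plus a shortcut 0 -> bad."""
    if s == "bad":
        return []
    if s == 0:
        return [1, "bad"]          # DFS follows the first successor first
    if s < CHAIN_LENGTH:
        return [s + 1]
    return ["bad"]

def is_bad(s):
    return s == "bad"


def dfs_safety(init, succ, bad, max_states=None):
    """Depth-first reachability of a bad state, the way pan explores states.

    max_states stands in for running out of memory: once that many states
    are stored, nothing further is stored and the run is reported incomplete."""
    visited, path = set(), []
    result = {"trail": None, "visited": 0, "complete": True}

    def visit(s):
        if max_states is not None and len(visited) >= max_states:
            result["complete"] = False
            return False
        visited.add(s)
        path.append(s)
        if bad(s):
            result["trail"] = list(path)  # the trail a simulator would replay
            return True
        for t in succ(s):
            if t not in visited and visit(t):
                return True
        path.pop()
        return False

    visit(init)
    result["visited"] = len(visited)  # coverage: states actually explored
    return result


def bfs_safety(init, succ, bad):
    """Breadth-first search: the first bad state found is at minimal depth."""
    parent = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if bad(s):
            trail = []
            while s is not None:
                trail.append(s)
                s = parent[s]
            return {"trail": trail[::-1], "visited": len(parent), "complete": True}
        for t in succ(s):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return {"trail": None, "visited": len(parent), "complete": True}


if __name__ == "__main__":
    print("DFS trail length:", len(dfs_safety(0, chain_succ, is_bad)["trail"]))
    print("BFS trail:", bfs_safety(0, chain_succ, is_bad)["trail"])
    print("DFS with a budget of 5 states:",
          dfs_safety(0, chain_succ, is_bad, max_states=5))
```

DFS walks the whole chain before it ever tries the shortcut, so its trail has 22 states although a 2-state counterexample exists; BFS returns that 2-state trail. With a budget of five stored states the DFS stops before it reaches the shortcut: no counterexample is reported, but the result still says how many states were covered and that the search was incomplete, which is the coverage information the last comment refers to.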