Formal verification in SPIN Karthikeyan Bhargavan, Davor Obradovic CIS573, Fall 1999
Formal verification o Formal verification means using methods of mathematical argument to determine correctness of systems. o Can be applied to hardware, software and other kinds of systems. o Bugs are expensive when discovered in a finished product. Idea: use FV to discover bugs during the design phase.
Model checkers o Model checkers are among the most widely used FV tools. o Human inspection is not effective: uCurrently designed systems are too large uConcurrency, race conditions uBig verifications done by paper and pencil are hard to re-construct and re-check o Model checkers are good at doing massive (but often simple) case analyses.
The BIG picture Model checker model description property NO + counterexample YES
Spin o Developed in Bell Labs, starting in o Designed for verification of distributed systems. o Model descriptions need to be given in PROMELA (PROcess MEta LAnguage). o Properties are described in LTL (Linear Temporal Logic).
PROMELA overview o A PROMELA program describes a set of concurrent processes. o Execution is asynchronous (each time only one process does a step), except in special cases (rendezvous message passing). o Processes can die or be created dynamically. o Processes can communicate through global variables and channels (message passing).
PROMELA example proctype Pr1 (){ do :: x==0 ->y=1; :: x==1 ->y=0; od; } proctype Pr2 (){ do :: y==0 ->x=1; :: y==1 ->x=0; od; } init { x=0; y=0; run Pr1(); run Pr2(); } X=1 y=0 X=0 y=0 X=0 y=1 Each Promela program generates a unique state transition system. Promela “instructions” correspond to state transitions. :: y==0 ->x=1;
PROMELA special features o Nondeterministic choice:if :: g1 -> s1;:: (x>3) -> x--; :: g2 -> s2;:: true -> y=1;...:: y -> x=x+y; fifi; At each step, execute one of the statements whose guard evaluates to true.
PROMELA special features o Nondeterministic loop:do :: g1 -> s1;:: (x>3) -> x--; :: g2 -> s2;:: true -> y=1;...:: y -> x=x+y; odod; Repeat, choosing nondeterministically at each step.
PROMELA special features o Channel communication: chanc = [2] of {bit}; chandin = [0] of {byte}; chandout = [1] of {byte}; Send a message m on channel c: c!m Receive a message from channel c: c?x din?v -> dout!(v+v); c?1 -> x++; dout!v -> skip;
Other PROMELA features Labels and goto statement Types: bit, bool, byte, short, int o User-defined types o... More about PROMELA on the course webpage.
LTL overview o Expresses properties dependent on time (temporal) o LTL formulas are evaluated on sequences of states (linear) o Standard predicate logic + temporal operators: [] = always <> = eventually
LTL in practice x is always strictly greater than y: [](x>y) Eventually x becomes equal to 1: <>(x==1) o Eventually x becomes equal to 1 and never changes afterwards: <>[](x==1) o If at any moment x becomes negative, y will become negative at some later moment: []((x <>(y<0))
LTL, formal definitions F ::= p (a state predicate, like (x>0) or (x!=y)) | F1 && F2 | F1 || F2 | !F | []F | <>F Given a sequence of states s = s(0), s(1), s(2),... s(i) satisfies []F if for every j>=i, s(j) satisfies F. s(i) satisfies <>F if for some j>=i, s(j) satisfies F. s(i) satisfies []F if for every j>=i, s(j) satisfies F. s(i) satisfies <>F if for some j>=i, s(j) satisfies F. The whole sequence s satisfies F if s(0) satisfies F.
LTL examples p!pp p... <>(!p) []p []<>p <>[]p p,!q!p,qp,!q!p,qp,!q!p,q... [](p||q) []<>q <>(p&&q) (<>p)&&(<>q)
LTL verification in Spin o Given a PROMELA program and an LTL formula, Spin checks whether all possible computation paths satisfy the formula. int a,b,d;init { bit ready=0;a=100; proctype Euclid (int x,y){b=1;do ::(x>y) -> x=x-y:: (b b++ ::(y>x) -> y=y-x:: true -> goto enough :: (x==y)-> goto doneod; od;enough: run Euclid(a,b)} done: ready=1; d=x } LTL: <>(ready && (a%d==0))