The Spin Model Checker Promela Introduction Nguyen Tuan Duc Shogo Sawai

What is model checking? Complex system design Too complex to verify the system. Because of too many states Especially concurrent system Some systems are non-deterministic How to verify??? Model of the system Abstraction ( system activities ) Enable arithmetic verification

Spin Model Checker SPIN ( Simple Promela Interpreter ) Efficient software verification Use to trace logical design errors in distributed system design, ( deadlock, race condition, etc…) Works on-the-fly A full LTL(Linear Time Temporal Logic) Model Checking system Supports random, interactive and guided simulation

global state initial state How does spin check a model?

Promela Promela (PROtocol/PROcess MEta LAnguage) Syntax is very similar to C language. Easy to model Specification of processes and communication between processes. Synchronizaiton, atomicity Diffucult to describe Arithmetic operations ( no floating point… )

Outline 1. An Overview of Model Checking 2. The Spin Model Checker 3. Promela Introduction 4. Promela Syntax 5. Correctness claims 6. Examples

Promela syntax Hello, World Object types Variable’s scope Rules for executability Compound statements

Hello, World! /* hello.pml */ active proctype Hello() { printf( “Hello, World!\n” ); } $spin hello.pml Hello, World! 1 process created

Object types A Promela model is contructed from 3 basic types of objects: Processes Data objects Message channels

Processes Processes are instances of proctypes proctype Hello() { … } Proctype body ::= (data_declaration | statement)* Proctype prefixed by active keyword is automatically activated active proctype Hello() { printf( “Hello, World!\n” ); } Another way to start process is using “run” operator with proctype object as operand inside a running process: run Hello();

Data objects Basic data types: bit(0,1), bool(true, false), byte(0..255) chan (channel) mtype (symbolic constant, likes enum in C) pid (process id) short, int Data structures typedef Complex { int real; int img; } Arrays byte x[5] = 1; /* all elements initialized to 1 */

Message channels Message channels are used to model the exchange of data between processes chan qname = [16] of { short, byte, bool } qname is a channel with buffer size of 16 messages and each message is a tuple of (short, byte, bool) Operations: Blocking send: qname!expr1, expr2, expr3 Blocking receive: qname?var1, var2, var3 By default, send/receive buffers are FIFO

Example using Send/Receive mtype = { msg0, msg1, ack0, ack1 }; chan to_sndr = [2] of { mtype }; chan to_rcvr = [2] of { mtype }; active proctype Sender(){ again: to_rcvr!msg1; to_sndr?ack1; to_rcvr!msg0; to_sndr?ack0; goto again; } active proctype Receiver(){ again:to_rcvr?msg1; to_sndr!ack1; to_rcvr?msg0; to_sndr!ack0; goto again; }

Rendezvous communication Channel with buffer size of 0 can be used as rendezvous port 0 buffer channel can pass, but not store message chan port = [0] of { mtype } Message interactions via rendezvous ports are synchronous

Variable’s scope Only 2 levels of scope exist in Promela Model global variables Process local variables Process local variables can be used after declarations and valid until process terminates proctype Hello(){ int x; { int y; x = 5; y = 6; } printf( “%d\n”, y ); } y stills valid outside the block y is declared inside a block

Rules for executability Depending on system state, any statement is either executable or blocked Expressions can be used as if they were statements Expressions are “executable” (passable) if and only if they evaluate to true or non-zero (x==y); /* block until x equals y */ Print statements, assignment statements are always executable

Example of executability proctype proc1() { x = 1; printf( “reached here\n” ); (x == y); /* block until x equals y */ skip; } always executable

Process executability Process is executable if at least one executable statement exists No executable statement  block active proctype block_proc() { (1+1 == 3); printf( “Can not reach here!\n” ); }

Compound statements Atomic sequences Deterministic steps Selections Repetitions Escape sequences

Atomic sequences Execution of atomic sequence is uninterruptible (atomic, no interleaving) atomic { tmp = b; b = a; a = tmp; }

Deterministic steps D_step sequence is always executed as if it were a single statement For defining new types of primitive statements d_step { tmp = b; b = a; a = tmp; } Not be interrupted by blocking statements (error if blocking statement inside an executing d_step) Deterministic

Selections if :: guard1 -> stmt1; stmt2; …; stmt_n; :: guard2 -> stmt1; stmt2;…; stmt_m; ……… :: guardn -> stmt…. fi Selection contains sequences begin with “::” Guard_i is “guard” statement, sequence can be executed if guard statement is executable If more than one sequence can execute then the oracle choose one (non-deterministic)

Repetition do :: guard1 -> stmts :: guard2 -> stmts …. od proctype Euclide(int x, y) { do :: ( x > y ) -> x = x – y :: ( x y = y – x :: else -> goto done od done: printf( “answer: %d\n”, x ); }

Escape sequences { P } unless { E } P’s statements are executed while the first statements in E is not executable When the first statement in E becomes executable, control changes to E and execution continues as defined for E

Correctness claims Correctness claims are used to verify the system Basic types of claims: Basic assertions End-state labels Progress-state labels Never claims Trace assertion

Basic assertions assert( expression ); Similar to C language assertion Example: Increasing common variables int c, x, y; /* initialized to 0 */ active proctype procA() { atomic { c++; x++ } assert( c == x + y ); } active proctype procB() { atomic { c++; y++ } assert( c == x + y ); }

End state Labels beginning with “end” (end, end1,.. ) are end-state labels End-state labels declare a valid end-state Default end-state is end of code End-state labels can be used to declare other additional end state

Progress state label Progress labels begin with “progress” (progress, progress1, progression … ) Every potentially infinite execution cycle permitted by a model passes through at least one of the progress labels in that model. To verity the executing process is making effective progress Example: semaphore with progress label

Never claims A never claim is used to specify either finite or infinite system behavior that should never occur Verify system-wide (not only process level) property Example: Updating 2 variables

Trace assertions Trace assertions verify valid/invalid operations of message channels trace { do :: q1!a; q2?b od } Send operations on channel q1 alternate with receive operations on q2, and all messages of q1 have type a, q2 have type b

Examples Dining Philosophers Mutual exclusion Producers consumers