© 2011 Carnegie Mellon University SPIN: Part 2 15-414 Bug Catching: Automated Program Verification and Testing Sagar Chaki November 2, 2011.

Slides:



Advertisements
Similar presentations
1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.
Advertisements

The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.
The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.
Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
1 Carnegie Mellon UniversitySPIN ExamplesFlavio Lerda Bug Catching SPIN Examples.
While loops.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
© 2006 Carnegie Mellon University Combining Predicate and Numeric Abstraction for Software Model Checking Software Engineering Institute Carnegie Mellon.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
© 2011 Carnegie Mellon University SPIN: Part /614 Bug Catching: Automated Program Verification Sagar Chaki April 21, 2014.
Promela/SPIN Acknowledgements: These notes used some of the material presented by Flavio Lerda as part of Ed Clarke’s model-checking course.
Formal verification in SPIN Karthikeyan Bhargavan, Davor Obradovic CIS573, Fall 1999.
/ PSWLAB P ROMELA Semantics from “THE SPIN MODEL CHECKER” by G. J. Holzmann Presented by Hong,Shin 5 th Oct :021PROMELA Semantics.
An Overview of PROMELA. A protocol Validation Language –A notation for the specification and verification of procedure rules. –A partial description of.
CIS 725 Guarded Command Notation. Programming language style notation Guarded actions en(a)  a en(a): guard of the action boolean condition or boolean.
© 2011 Carnegie Mellon University SPIN: Part /614 Bug Catching: Automated Program Verification Sagar Chaki April 21, 2014.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
SPIN Verification System The Model Checker SPIN By Gerard J. Holzmann Comp 587 – 12/2/09 Eduardo Borjas – Omer Azmon ☐ ☐
Sept COMP60611 Fundamentals of Parallel and Distributed Systems Lecture 12 The Critical Section problem John Gurd, Graham Riley Centre for Novel.
The Spin Model Checker Promela Introduction Nguyen Tuan Duc Shogo Sawai.
1 Spin Model Checker Samaneh Navabpour Electrical and Computer Engineering Department University of Waterloo SE-464 Summer 2011.
Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.
© 2011 Carnegie Mellon University Binary Decision Diagrams Part Bug Catching: Automated Program Verification and Testing Sagar Chaki September.
© 2011 Carnegie Mellon University Binary Decision Diagrams Part Bug Catching: Automated Program Verification and Testing Sagar Chaki September.
© 2011 Carnegie Mellon University SPIN: Part Bug Catching: Automated Program Verification and Testing Sagar Chaki October 31, 2011.
CSE 555 Protocol Engineering Dr. Mohammed H. Sqalli Computer Engineering Department King Fahd University of Petroleum & Minerals Credits: Dr. Abdul Waheed.
Temporal Logic Model- checking with SPIN COMP6004 Stéphane Lo Presti Part 4: Specifications.
Avishai Wool lecture Introduction to Systems Programming Lecture 4 Inter-Process / Inter-Thread Communication.
Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.
1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker.
1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.
CS 290C: Formal Models for Web Software Lecture 4: Model Checking Navigation Models with Spin Instructor: Tevfik Bultan.
LTL – model checking Jonas Kongslund Peter Mechlenborg Christian Plesner Kristian Støvring Sørensen.
1 Carnegie Mellon UniversitySPINFlavio Lerda Bug Catching SPIN An explicit state model checker.
Cheng/Dillon-Software Engineering: Formal Methods Model Checking.
Correctness requirements. Basic Types of Claims Basic assertions End-state labels Progress-state labels Accept-state labels Never claims Trace assertions.
Scientific Computing By: Fatima Hallak To: Dr. Guy Tel-Zur.
Korea Advanced Institute of Science and Technology The Spin Model Checker - Advanced Features Moonzoo Kim CS Dept. KAIST.
CIS 842: Specification and Verification of Reactive Systems Lecture Specifications: Sequencing Properties Copyright , Matt Dwyer, John Hatcliff,
CIS 842: Specification and Verification of Reactive Systems Lecture Specifications: LTL Model Checking Copyright , Matt Dwyer, John Hatcliff,
Sept COMP60611 Fundamentals of Parallel and Distributed Systems Lecture 15 More Advanced Program Properties: Temporal logic and jSpin John Gurd,
6.3 Peterson’s Solution The two processes share two variables: Int turn; Boolean flag[2] The variable turn indicates whose turn it is to enter the critical.
Concurrency. A process is a program executing on a virtual computer Processor speed and multiplexing of shared resources are ignored Order of thread execution.
Today’s Agenda  Quiz 4 next Tuesday  Quick Review  Continue on SPIN Overview.
Radu Iosif Introduction to SPIN Radu Iosif
Temporal Logic Model-checking with SPIN
Q1:Royal Garden’s Puzzle as a Model Checking Problem Pictures from UbiSoft HW6: Due Dec 4th 23:59.
/ PSWLAB S PIN Search Optimization from “THE SPIN MODEL CHECKER” by G. Holzmann Presented by Hong,Shin 23 th Nov SPIN Search.
Lecture 4 Introduction to Promela. Promela and Spin Promela - process meta language G. Holzmann, Bell Labs (Lucent) C-like language + concurrency dyamic.
© 2006 Carnegie Mellon University Introduction to CBMC: Part 1 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel,
Software Systems Verification and Validation Laboratory Assignment 4 Model checking Assignment date: Lab 4 Delivery date: Lab 4, 5.
Today’s Agenda  Quiz 4  Temporal Logic Formal Methods in Software Engineering1.
Agenda  Quick Review  Finish Introduction  Java Threads.
© 2006 Carnegie Mellon University Introduction to CBMC: Part 1 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel,
Chapter 5: Process Synchronization – Part 3
Formal verification in SPIN
CSE 503 – Software Engineering
Automatic Verification
The Spin Model Checker - Advanced Features
The University of Adelaide, School of Computer Science
An explicit state model checker
HW6: Due Dec 14 23:59 To specify a corresponding Promela specification
COMP60621 Designing for Parallelism
HW6: Due Nov 26 23:59 To specify a corresponding Promela specification
The Spin Model Checker - Advanced Features
CSE 503 – Software Engineering
HW6: Due Dec 20 23:59 To specify a corresponding Promela specification
Presentation transcript:

© 2011 Carnegie Mellon University SPIN: Part Bug Catching: Automated Program Verification and Testing Sagar Chaki November 2, 2011

2 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Control flow We have already seen some Concatenation of statements, parallel execution, atomic sequences There are a few more Case selection, repetition, unconditional jumps

3 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Case selection if :: (a < b) ! option1 :: (a > b) ! option2 :: else ! option3/* optional */ fi Cases need not be exhaustive or mutually exclusive Non-deterministic selection

4 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Repetition byte count = 1; proctype counter() { do :: count = count + 1 :: count = count – 1 :: (count == 0) ! break od } byte count = 1; proctype counter() { do :: count = count + 1 :: count = count – 1 :: (count == 0) ! break od }

5 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Repetition proctype counter() { do :: (count != 0) ! if :: count = count + 1 :: count = count – 1 fi :: (count == 0) ! break od } proctype counter() { do :: (count != 0) ! if :: count = count + 1 :: count = count – 1 fi :: (count == 0) ! break od }

6 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Unconditional jumps proctype Euclid (int x, y) { do :: (x > y) ! x = x – y :: (x < y) ! y = y – x :: (x == y) ! goto done od ; done: skip } proctype Euclid (int x, y) { do :: (x > y) ! x = x – y :: (x < y) ! y = y – x :: (x == y) ! goto done od ; done: skip }

7 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Procedures and Recursion Procedures can be modeled as processes Even recursive ones Return values can be passed back to the calling process via a global variable or a message

8 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Time for example 3

9 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Timeouts Proctype watchdog() { do :: timeout ! guard!reset od } Get enabled when the entire system is deadlocked No absolute timing considerations

10 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Assertions assert(any_boolean_condition) pure expression If condition holds ) no effect If condition does not hold ) error report during verification with Spin

11 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Time for example 4

12 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University LTL model checking Two ways to do it Convert Kripke to Buchi Convert claim (LTL) to Buchi Check language inclusion OR Convert ~Claim (LTL) to Buchi Check empty intersection

13 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University What Spin does Checks non-empty intersection Requires very little space in best case Works directly with Promela No conversion to Kripke or Buchi Must provide Spin with negation of property you want to prove

14 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University LTL syntax in SPIN  :=p proposition |true | false | (  ) |  binop  | unop   :=p proposition |true | false | (  ) |  binop  | unop  unop := []always (G) | <>eventually (F) | Xnext time | !logical negation binop := Ustrong until | &&logical AND | ||logical OR | ->implication | equivalence unop := []always (G) | <>eventually (F) | Xnext time | !logical negation binop := Ustrong until | &&logical AND | ||logical OR | ->implication | equivalence

15 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Time for example 5

16 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Peterson’s Algorithm in SPIN bool turn, flag[2]; active [2] proctype user() { assert(_pid == 0 || _pid == 1); again: flag[_pid] = 1; turn = _pid; (flag[1 - _pid] == 0 || turn == 1 - _pid); /* critical section */ flag[_pid] = 0; goto again; } Active process: automatically creates instances of processes _pid: Identifier of the process assert: Checks that there are only at most two instances with identifiers 0 and 1

17 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Peterson’s Algorithm in SPIN bool turn, flag[2]; byte ncrit; active [2] proctype user() { assert(_pid == 0 || _pid == 1); again: flag[_pid] = 1; turn = _pid; (flag[1 - _pid] == 0 || turn == 1 - _pid); ncrit++; assert(ncrit == 1); /* critical section */ ncrit--; flag[_pid] = 0; goto again; } ncrit: Counts the number of Process in the critical section assert: Checks that there are always at most one process in the critical section

18 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Peterson’s Algorithm in SPIN bool turn, flag[2]; bool critical[2]; active [2] proctype user() { assert(_pid == 0 || _pid == 1); again: flag[_pid] = 1; turn = _pid; (flag[1 - _pid] == 0 || turn == 1 - _pid); critical[_pid] = 1; /* critical section */ critical[_pid] = 0; flag[_pid] = 0; goto again; } LTL Properties: 1.[] (!critical[0] || !critical[1]) 2.[]<> (critical[0]) && []<> (critical[1]) 3.[] (critical[0] -> (critical[0] U (!critical[0] && ((!critical[0] && !critical[1]) U critical[1])))) 4.[] (critical[1] -> (critical[1] U (!critical[1] && ((!critical[1] && !critical[0]) U critical[0])))) mutex no starvation alternation

19 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Mutual Exclusion in SPIN bool turn, flag[2]; bool critical[2]; active [2] proctype user() { assert(_pid == 0 || _pid == 1); again: flag[_pid] = 1; turn = _pid; (flag[1 - _pid] == 0 || turn == 1 - _pid); critical[_pid] = 1; /* critical section */ critical[_pid] = 0; flag[_pid] = 0; goto again; } LTL Properties (negated): 1.<> (critial[0] && critical[1]) 2.<>[] (!critical[0]) || <>[] (!critical[1]) 3.<> (critical[0] && !(critical[0] U (!critical[0] && ((!critical[0] && !critical[1]) U critical[1])))) 4.<> (critical[1] && !(critical[1] U (!critical[1] && ((!critical[1] && !critical[0]) U critical[0])))) holds does not hold

20 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University N S W Traffic Controller

21 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Modeling in SPIN System No turning allowed Traffic either flows East-West or North-South Traffic Sensors in each direction to detect waiting vehicles Traffic.pml Properties: Safety : no collision (traffic1.ltl) Progress – each waiting car eventually gets to go (traffic2.ltl) Optimality – light only turns green if there is traffic (traffic3.ltl)

22 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Dining Philosophers

23 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Modeling in SPIN Each fork is a rendezvous channel A philosopher picks up a fork by sending a message to the fork. A philosopher releases a fork by receiving a message from the fork. Properties No deadlock Safety – two adjacent philosophers never eat at the same time – dp0.ltl No livelock – dp1.ltl No starvation – dp2.ltl Versions dp.pml – deadlock, livelock and starvation dp_no_deadlock1.pml – livelock and starvation dp_no_deadlock2.pml – starvation

24 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University References labs.com/cm/cs/what/spin/Man/Manual.html labs.com/cm/cs/what/spin/Man/Quick.html

25 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Questions? Sagar Chaki Senior Member of Technical Staff RTSS Program Telephone: U.S. Mail Software Engineering Institute Customer Relations 4500 Fifth Avenue Pittsburgh, PA USA Web Customer Relations Telephone: SEI Phone: SEI Fax:

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.