© 2011 Carnegie Mellon University SPIN: Part 1 15-414 Bug Catching: Automated Program Verification and Testing Sagar Chaki October 31, 2011.

Slides:



Advertisements
Similar presentations
The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.
Advertisements

The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Intermediate Code Generation
CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
1 MODULE name (parameters) “Ontology” “Program” “Properties” The NuSMV language A module can contain modules Top level: parameters less module Lower level.
© 2011 Carnegie Mellon University SPIN: Part /614 Bug Catching: Automated Program Verification Sagar Chaki April 21, 2014.
Promela/SPIN Acknowledgements: These notes used some of the material presented by Flavio Lerda as part of Ed Clarke’s model-checking course.
Formal verification in SPIN Karthikeyan Bhargavan, Davor Obradovic CIS573, Fall 1999.
/ PSWLAB P ROMELA Semantics from “THE SPIN MODEL CHECKER” by G. J. Holzmann Presented by Hong,Shin 5 th Oct :021PROMELA Semantics.
An Overview of PROMELA. A protocol Validation Language –A notation for the specification and verification of procedure rules. –A partial description of.
The model checker SPIN1 The Model Checker SPIN. The model checker SPIN2 SPIN & Promela SPIN(=Simple Promela Interpreter) –tool for analyzing the logical.
Frederico Araujo CS6362 – Fall 2010 The SPIN Model Checker.
Wishnu Prasetya Model Checking with SPIN Modeling and Verification with SPIN.
CIS 725 Guarded Command Notation. Programming language style notation Guarded actions en(a)  a en(a): guard of the action boolean condition or boolean.
© 2011 Carnegie Mellon University SPIN: Part /614 Bug Catching: Automated Program Verification Sagar Chaki April 21, 2014.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
The Spin Model Checker Promela Introduction Nguyen Tuan Duc Shogo Sawai.
1 Spin Model Checker Samaneh Navabpour Electrical and Computer Engineering Department University of Waterloo SE-464 Summer 2011.
Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.
© 2011 Carnegie Mellon University Binary Decision Diagrams Part Bug Catching: Automated Program Verification and Testing Sagar Chaki September.
© 2011 Carnegie Mellon University SPIN: Part Bug Catching: Automated Program Verification and Testing Sagar Chaki November 2, 2011.
© 2011 Carnegie Mellon University Binary Decision Diagrams Part Bug Catching: Automated Program Verification and Testing Sagar Chaki September.
Homework Any Questions?. Statements / Blocks, Section 3.1 An expression becomes a statement when it is followed by a semicolon x = 0; Braces are used.
1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker.
Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.
1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker.
1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.
CS 290C: Formal Models for Web Software Lecture 4: Model Checking Navigation Models with Spin Instructor: Tevfik Bultan.
Chapter 7Louden, Programming Languages1 Chapter 7 - Control I: Expressions and Statements "Control" is the general study of the semantics of execution.
Review of C++ Programming Part II Sheng-Fang Huang.
Cheng/Dillon-Software Engineering: Formal Methods Model Checking.
Wishnu Prasetya Model Checking with SPIN A Bit More about SPIN.
Correctness requirements. Basic Types of Claims Basic assertions End-state labels Progress-state labels Accept-state labels Never claims Trace assertions.
Scientific Computing By: Fatima Hallak To: Dr. Guy Tel-Zur.
Korea Advanced Institute of Science and Technology The Spin Model Checker - Advanced Features Moonzoo Kim CS Dept. KAIST.
ASP.NET Programming with C# and SQL Server First Edition Chapter 3 Using Functions, Methods, and Control Structures.
1 Chapter 4: Selection Structures. In this chapter, you will learn about: – Selection criteria – The if-else statement – Nested if statements – The switch.
COMPUTER PROGRAMMING. Control Structures A program is usually not limited to a linear sequence of instructions. During its process it may repeat code.
1 Rendez-Vous Logical extension of chan buffer = [N] of byte is chan port = [0] of byte Channel port is a rendez-vous port (binary handshake). Two processes,
CS6133 Software Specification and Verification
MODEL CHECKING WITH SPIN MODELING AND VERIFICATION WITH SPIN ANDREA ORLANDINI – ISTC (CNR) TexPoint fonts used in EMF. Read the TexPoint manual before.
Today’s Agenda  Quiz 4 next Tuesday  Quick Review  Continue on SPIN Overview.
CPS120: Introduction to Computer Science Decision Making in Programs.
COMPUTER PROGRAMMING. Iteration structures (loops) There may be a situation when you need to execute a block of code several number of times. In general,
Radu Iosif Introduction to SPIN Radu Iosif
Introduction to Java Java Translation Program Structure
 2007 Pearson Education, Inc. All rights reserved C Structures, Unions, Bit Manipulations and Enumerations.
Temporal Logic Model-checking with SPIN
 In the java programming language, a keyword is one of 50 reserved words which have a predefined meaning in the language; because of this,
/ PSWLAB S PIN Search Optimization from “THE SPIN MODEL CHECKER” by G. Holzmann Presented by Hong,Shin 23 th Nov SPIN Search.
Lecture 4 Introduction to Promela. Promela and Spin Promela - process meta language G. Holzmann, Bell Labs (Lucent) C-like language + concurrency dyamic.
Alternating Bit Protocol Protocol for simplex data-transfer channel: data flows from sender to receiver control flows in both directions the transfer medium.
Software Systems Verification and Validation Laboratory Assignment 4 Model checking Assignment date: Lab 4 Delivery date: Lab 4, 5.
Wishnu Prasetya Model Checking with SPIN Modeling and Verification with Promela.
Symbolic Model Checking of Software Nishant Sinha with Edmund Clarke, Flavio Lerda, Michael Theobald Carnegie Mellon University.
Formal verification in SPIN
CSE 503 – Software Engineering
An explicit state model checker
The Spin Model Checker - Advanced Features
The University of Adelaide, School of Computer Science
An explicit state model checker
A Refinement Calculus for Promela
CSE 555 Protocol Engineering
HW6: Due Dec 14 23:59 To specify a corresponding Promela specification
HW6: Due Nov 26 23:59 To specify a corresponding Promela specification
The Spin Model Checker - Advanced Features
CSE 503 – Software Engineering
HW6: Due Dec 20 23:59 To specify a corresponding Promela specification
Presentation transcript:

© 2011 Carnegie Mellon University SPIN: Part Bug Catching: Automated Program Verification and Testing Sagar Chaki October 31, 2011

2 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University What is This All About? Spin On-the-fly verifier developed at Bell-labs by Gerard Holzmann and others Promela Modeling language for SPIN Targeted at asynchronous systems – Switching protocols

3 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University History Work leading to Spin started in 1980 First bug found on Nov 21, 1980 by Pan One-pass verifier for safety properties Succeeded by Pandora (82), Trace (83), SuperTrace (84), SdlValid (88), Spin (89) Spin covered omega-regular properties

4 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Spin Capabilities Interactive simulation For a particular path For a random path Exhaustive verification Generate C code for verifier Compile the verifier and execute Returns counter-example Lots of options for fine-tuning

5 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Spin Overall Structure GUI Front-end GUI Front-end Promela Parser Promela Parser LTL Parser and Translator LTL Parser and Translator Syntax Error Reports Syntax Error Reports Interactive Simulation Interactive Simulation Verifier Generator Verifier Generator Optimized Model Checker (ANSI C) Optimized Model Checker (ANSI C) Executable O-T-F Verifier Executable O-T-F Verifier Counter Example

6 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Promela Stands for Process Meta Language Language for asynchronous programs Dynamic process creation Processes execute asynchronously Communicate via shared variables and message channels – Races must be explicitly avoided – Channels can be queued or rendezvous Very C like

7 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Executability No difference between conditions and statements Execution of every statement is conditional on its executability Executability is the basic means of synchronization Declarations and assignments are always executable Conditionals are executable when they hold The following are the same while (a != b) skip (a == b)

8 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Delimitors Semi-colon is used a statement separator not a statement terminator Last statement does not need semi-colon Often replaced by ! to indicate causality between two successive statements (a == b); c = c + 1 (a == b) ! c = c + 1

9 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Data Types Basic : bit/bool, byte, short, int, chan Arrays: fixed size byte state[20]; state[0] = state[3 * i] + 5 * state[7/j]; Symbolic constants Usually used for message types mtype = {SEND, RECV};

10 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Process Definition byte state = 2; proctype A() { (state == 1) ! state = 3 } proctype B() { state = state – 1 }

11 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Process Instantiation byte state = 2; proctype A() { (state == 1) ! state = 3 } proctype B() { state = state – 1 } init { run A(); run B() } run can be used anywhere Sample 1

12 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Process Parameterization byte state = 1 proctype A(byte x; short foo) { (state == 1 && x > 0) ! state = foo } init { run A(1,3); } Data arrays or processes cannot be passed Sample 2

13 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Race Condition byte state = 1; proctype A() { byte x = state; x = x + 1; state = x; } proctype B() { byte y = state; y = y + 2; state = y; } init { run A(); run B() } Sample 3

14 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Deadlock byte state = 2; proctype A() { (state == 1) ! state = state + 1 } proctype B() { (state == 1) ! state = state – 1 } init { run A(); run B() } Sample 4

15 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Atomic sequences byte state = 1; proctype A() { atomic { byte x = state; x = x + 1; state = x; } byte state = 1; proctype A() { atomic { byte x = state; x = x + 1; state = x; } proctype B() { atomic { byte y = state; y = y + 2; state = y; } init { run A(); run B() } proctype B() { atomic { byte y = state; y = y + 2; state = y; } init { run A(); run B() } Sample 5

16 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Message passing Channel declaration chan qname = [16] of {short} chan qname = [5] of {byte,int,chan,short} Sending messages qname!expr qname!expr1,expr2,expr3 Receiving messages qname?var qname?var1,var2,var3

17 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Message passing More parameters sent Extra parameters dropped More parameters received Extra parameters undefined Fewer parameters sent Extra parameters undefined Fewer parameters received Extra parameters dropped

18 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Message passing chan x = [1] of {byte,byte}; chan y = [1] of {byte,byte}; proctype A(byte p, byte q) { x!p,q ; y?p,q } chan x = [1] of {byte,byte}; chan y = [1] of {byte,byte}; proctype A(byte p, byte q) { x!p,q ; y?p,q } proctype B() { byte p,q; x?p,q ; y!q,p } init { run A(5,7); run B() } proctype B() { byte p,q; x?p,q ; y!q,p } init { run A(5,7); run B() } Sample 6

19 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Message passing Convention: first message field often specifies message type (constant) Alternatively send message type followed by list of message fields in braces qname!expr1(expr2,expr3) qname?var1(var2,var3)

20 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Executability Send is executable only when the channel is not full Receive is executable only when the channel is not empty Optionally some arguments of receive can be constants qname?RECV,var,10 Value of constant fields must match value of corresponding fields of message at the head of channel queue len(qname) returns the number of messages currently stored in qname If used as a statement it will be unexecutable if the channel is empty

21 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Composite conditions Invalid in Promela (qname?var == 0) (a > b && qname!123) Either send/receive or pure expression Can evaluate receives qname?[ack,var] Subtle issues qname?[msgtype] ! qname?msgtype (len(qname) < MAX) ! qname!msgtype Second statement not necessarily executable after the first – Race conditions Returns true if the receive would be enabled

22 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Time for example 1

23 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Rendezvous Channel of size 0 defines a rendezvous port Can be used by two processed for a synchronous handshake No queueing The first process blocks Handshake occurs after the second process arrives

24 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Example #define msgtype 33 chan name = [0] of {byte,byte}; proctype A() { name!msgtype(99); name!msgtype(100) } proctype B() { byte state; name?msgtype(state) } init { run A(); run B() } Sample 7

25 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Control flow We have already seen some Concatenation of statements, parallel execution, atomic sequences There are a few more Case selection, repetition, unconditional jumps

26 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Case selection if :: (a < b) ! option1 :: (a > b) ! option2 :: else ! option3/* optional */ fi Cases need not be exhaustive or mutually exclusive Non-deterministic selection

27 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Time for example 2

28 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Repetition byte count = 1; proctype counter() { do :: count = count + 1 :: count = count – 1 :: (count == 0) ! break od } byte count = 1; proctype counter() { do :: count = count + 1 :: count = count – 1 :: (count == 0) ! break od }

29 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Repetition proctype counter() { do :: (count != 0) ! if :: count = count + 1 :: count = count – 1 fi :: (count == 0) ! break od } proctype counter() { do :: (count != 0) ! if :: count = count + 1 :: count = count – 1 fi :: (count == 0) ! break od }

30 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Unconditional jumps proctype Euclid (int x, y) { do :: (x > y) ! x = x – y :: (x < y) ! y = y – x :: (x == y) ! goto done od ; done: skip } proctype Euclid (int x, y) { do :: (x > y) ! x = x – y :: (x < y) ! y = y – x :: (x == y) ! goto done od ; done: skip }

31 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Procedures and Recursion Procedures can be modeled as processes Even recursive ones Return values can be passed back to the calling process via a global variable or a message

32 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Time for example 3

33 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Timeouts Proctype watchdog() { do :: timeout ! guard!reset od } Get enabled when the entire system is deadlocked No absolute timing considerations

34 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Assertions assert(any_boolean_condition) pure expression If condition holds ) no effect If condition does not hold ) error report during verification with Spin

35 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Time for example 4

36 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University References labs.com/cm/cs/what/spin/Man/Manual.html labs.com/cm/cs/what/spin/Man/Quick.html

37 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Questions? Sagar Chaki Senior Member of Technical Staff RTSS Program Telephone: U.S. Mail Software Engineering Institute Customer Relations 4500 Fifth Avenue Pittsburgh, PA USA Web Customer Relations Telephone: SEI Phone: SEI Fax:

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.