Presentation is loading. Please wait.

Presentation is loading. Please wait.

An explicit state model checker

Published byKristopher Harrington Modified over 5 years ago

Similar presentations

Presentation on theme: "An explicit state model checker"— Presentation transcript:

1 An explicit state model checker
SPIN An explicit state model checker

2 Explict State Model Checker
Represents the system as an finite state machine Visits each reachable state (state space) explicitly Checks some property Property is satisfied Counterexample

3 DFS DFS visit of the state space procedure DFS(s)
visited = visited  {s}; for each successor s’ of s if s’  visited then DFS(s’); end if end for end procedure

4 DFS How do we: Represent the transition relation Store the visited set
Needs fast access (hash table) State space explosion Check properties

5 Promela Process Algebra
An algebraic approach to the study of concurrent processes. Its tools are algebraical languages for the specification of processes and the formulation of statements about them, together with calculi for the verification of these statements. [Van Glabbeek, 1987] Describes the system in a way similar to a programming language

6 Promela Asynchronous composition of independent processes
Communication using channels and global variables Non-deterministic choices and interleavings

7 An Example mtype = { NONCRITICAL, TRYING, CRITICAL };
show mtype state[2]; proctype process(int id) { beginning: noncritical: state[id] = NONCRITICAL; if :: goto noncritical; :: true; fi; trying: state[id] = TRYING; :: goto trying; critical: state[id] = CRITICAL; :: goto critical; goto beginning;} init { run process(0); run process(1); } NC C T

8 An Example mtype = { NONCRITICAL, TRYING, CRITICAL };
show mtype state[2]; proctype process(int id) { beginning: noncritical: state[id] = NONCRITICAL; if :: goto noncritical; :: true; fi; trying: state[id] = TRYING; :: goto trying; critical: state[id] = CRITICAL; :: goto critical; goto beginning;} init { run process(0); run process(1); }

9 An Example mtype = { NONCRITICAL, TRYING, CRITICAL };
show mtype state[2]; proctype process(int id) { beginning: noncritical: state[id] = NONCRITICAL; if :: goto noncritical; :: true; fi; trying: state[id] = TRYING; :: goto trying; critical: state[id] = CRITICAL; :: goto critical; goto beginning;} init { run process(0); run process(1); }

10 An Example mtype = { NONCRITICAL, TRYING, CRITICAL };
show mtype state[2]; proctype process(int id) { beginning: noncritical: state[id] = NONCRITICAL; if :: goto noncritical; :: true; fi; trying: state[id] = TRYING; :: goto trying; critical: state[id] = CRITICAL; :: goto critical; goto beginning;} init { run process(0); run process(1); }

11 An Example mtype = { NONCRITICAL, TRYING, CRITICAL };
show mtype state[2]; proctype process(int id) { beginning: noncritical: state[id] = NONCRITICAL; if :: goto noncritical; :: true; fi; trying: state[id] = TRYING; :: goto trying; critical: state[id] = CRITICAL; :: goto critical; goto beginning;} init { run process(0); run process(1); }

12 An Example mtype = { NONCRITICAL, TRYING, CRITICAL };
show mtype state[2]; proctype process(int id) { beginning: noncritical: state[id] = NONCRITICAL; if :: goto noncritical; :: true; fi; trying: state[id] = TRYING; :: goto trying; critical: state[id] = CRITICAL; :: goto critical; goto beginning;} init { run process(0); run process(1); } NC T C

13 Enabled Statements A statement needs to be enabled for the process to be scheduled. bool a, b; proctype p1() { a = true; a & b; a = false; } proctype p2() b = false; b = true; init { a = false; b = false; run p1(); run p2(); }

14 Enabled Statements A statement needs to be enabled for the process to be scheduled. bool a, b; proctype p1() { a = true; a & b; a = false; } proctype p2() b = false; b = true; init { a = false; b = false; run p1(); run p2(); } These statements are enabled only if both a and b are true.

15 Enabled Statements A statement needs to be enabled for the process to be scheduled. bool a, b; proctype p1() { a = true; a & b; a = false; } proctype p2() b = false; b = true; init { a = false; b = false; run p1(); run p2(); } These statements are enabled only if both a and b are true. In this case b is always false and therefore there is a deadlock.

16 Other constructs Do loops do :: count = count + 1;
:: (count == 0) -> break od

17 Other constructs Do loops Communication over channels
proctype sender(chan out) { int x; if ::x=0; ::x=1; fi out ! x; }

18 Other constructs Do loops Communication over channels Assertions
proctype receiver(chan in) { int value; in ? value; assert(value == 0 || value == 1) }

19 Other constructs Do loops Communication over channels Assertions
Atomic Steps int value; proctype increment() { atomic { x = value; x = x + 1; value = x; } }

20 On-The-Fly System is the asynchronous composition of processes
The global transition relation is never build For each state the successor states are enumerated using the transition relation of each process

21 On-The-Fly 1 0 0

22 On-The-Fly 1 0 0 1 0

23 On-The-Fly 1 0 0 1 0

24 On-The-Fly 1 0 0 1 0 1 1

25 On-The-Fly 1 0 0 1 0 0 1 1 1

26 On-The-Fly 1 0 0 1 0 0 1 1 1

27 On-The-Fly 1 0 0 1 0 0 1 1 1

28 On-The-Fly 1 0 0 1 0 0 1 1 1

29 On-The-Fly 1 0 0 1 0 0 1 1 1

30 On-The-Fly 1 0 0 1 0 0 1 1 1

31 On-The-Fly 1 0 0 1 0 0 1 1 1

32 On-The-Fly 1 0 0 1 0 0 1 1 1

33 On-The-Fly 1 0 0 1 0 0 1 1 1

34 Visited Set Represents all the states that have been reached so far
Will eventually become the set of all reachable state (state space) Test of presence of a state in the set must be efficient It is performed for each reached state procedure DFS(s) visited = visited  {s}; for each successor s’ of s if s’  visited then DFS(s’); end if end for end procedure

35 Visited Set Hash table Efficient for testing even if the number of elements in it is very big (≥ 106)

36 Visited Set Hash table Reduce memory usage
Efficient for testing even if the number of elements in it is very big (≥ 106) Reduce memory usage Compress each state When a transition is executed only a limited part of the state is modified

37 Visited Set Hash table Reduce memory usage Reduce the number of states
Efficient for testing even if the number of elements in it is very big (≥ 106) Reduce memory usage Compress each state Reduce the number of states Partial Order Reduction

38 State Representation Global variables Processes and local variables
Queues Global Variables Processes Queues

39 Compression Each transition changes only a small part of the state
Assign a code to each element dynamically Encoded states + basic elements use considerably less spaces than the uncompressed states

40 Compression i=0 j=0 P0 x=0 P0 x=1 Q0 {1} P0 x=0 P1 y=0 1 2 3 2 1 3 2 1
1 2 3 2 1 3 2 1 3 2 P1 y=0 1 P0 x=1 i=0 j=0 P0 x=0 Q0 {1}

41 Compression i=0 j=0 P0 x=0 P0 x=1 Q0 {} Q0 {1} P0 x=1 P0 x=0 P1 y=0 1
1 1 1 2 q ? x 3 2 1 3 2 1 3 2 P1 y=0 1 P0 x=1 Q0 {} i=0 j=0 P0 x=0 Q0 {1}

42 Hash Compaction Uses a hashing function to store each state using only 2 bits

43 Hash Compaction Uses a hashing function to store each state using only 2 bits There is an non-zero probability that two states are mapped into the same bits

44 Hash Compaction Uses a hashing function to store each state using only 2 bits There is an non-zero probability that two states are mapped into the same bits If the number of states is quite smaller than the number of bits available there is a pretty good chance of not having conflicts

45 Hash Compaction Uses a hashing function to store each state using only 2 bits There is an non-zero probability that two states are mapped into the same bits If the number of states is quite smaller than the number of bits available there is a pretty good chance of not having conflicts The result is not (always) 100% correct!

46 Minimized Automata Reduction
Turns the state in a sequence of integers

47 Minimized Automata Reduction
Turns the state in a sequence of integers Constructs an automata which accepts the states in the visited set

48 Minimized Automata Reduction
Turns the state in a sequence of integers Constructs an automata which accepts the states in the visited set Works like a BDD but on non-binary variables (MDD)

49 Minimized Automata Reduction
Turns the state in a sequence of integers Constructs an automata which accepts the states in the visited set Works like a BDD but on non-binary variables (MDD) The variables are the components of the state

50 Minimized Automata Reduction
Turns the state in a sequence of integers Constructs an automata which accepts the states in the visited set Works like a BDD but on non-binary variables (MDD) The variables are the components of the state The automata is the minimal automata

51 Minimized Automata Reduction
Turns the state in a sequence of integers Constructs an automata which accepts the states in the visited set Works like a BDD but on non-binary variables (MDD) The variables are the components of the state The automata is the minimal automata The automata is updated efficiently

52 Partial Order Reduction
Some interleavings of processes are equivalent x=0 y=0 x++ y++ x=1 y=0 x=1 y=0 x=0 y=1 x=0 y=1 y++ x++ x=1 y=1

53 Partial Order Reduction
Some interleavings of processes are equivalent Computing such interleavings and storing the intermediate states is expensive

54 Partial Order Reduction
Some interleavings of processes are equivalent Computing such interleavings and storing the intermediate states is expensive Partial order reduction defines a reduced system which is equivalent to the original system but contains less states and transitions Defines an equivalent relation between states and computes the quotient of the state transition graph to obtain a reduced state transition graph. Properties are true of the reduced state transition graph if and only if are true of the original graph.

55 Partial Order Reduction
Optimal partial order reduction is as difficult as model checking!

56 Partial Order Reduction
Optimal partial order reduction is as difficult as model checking! Compute an approximation based on syntactical information

57 Partial Order Reduction
Access to local variables Receive on exclusive receive-access queues Send on exclusive send-access queues Optimal partial order reduction is as difficult as model checking! Compute an approximation based on syntactical information Independent Invisible Check (at run-time) for actions postponed at infinitum Not mentioned in the property So called stack proviso

58 References http://spinroot.com/
Design and Validation of Computer Protocols by Gerard Holzmann The Spin Model Checker by Gerard Holzmann An automata-theoretic approach to automatic program verification, by Moshe Y. Vardi, and Pierre Wolper An analysis of bitstate hashing, by G.J. Holzmann An Improvement in Formal Verification, by G.J. Holzmann and D. Peled Simple on-the-fly automatic verification of linear temporal logic, by Rob Gerth, Doron Peled, Moshe Vardi, and Pierre Wolper A Minimized automaton representation of reachable states, by A. Puri and G.J. Holzmann

Download ppt "An explicit state model checker"

Similar presentations

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.
The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.

The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.
Model Checking and Testing combined

Model Checking and Testing combined
Black Box Checking Book: Chapter 9 Model Checking Finite state description of a system B. LTL formula. Translate into an automaton P. Check whether L(B)

Black Box Checking Book: Chapter 9 Model Checking Finite state description of a system B. LTL formula. Translate into an automaton P. Check whether L(B)
Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.

Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.
The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.

The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.

Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Budapest University of Technology and EconomicsDagstuhl 2004 Department of Measurement and Information Systems 1 Towards Automated Formal Verification.

Budapest University of Technology and EconomicsDagstuhl 2004 Department of Measurement and Information Systems 1 Towards Automated Formal Verification.
Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.

Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
CS 290C: Formal Models for Web Software Lecture 4: Implementing and Verifying Statecharts Specifications Using the Spin Model Checker Instructor: Tevfik.

CS 290C: Formal Models for Web Software Lecture 4: Implementing and Verifying Statecharts Specifications Using the Spin Model Checker Instructor: Tevfik.
Timed Automata.

Timed Automata.
Promela/SPIN Acknowledgements: These notes used some of the material presented by Flavio Lerda as part of Ed Clarke’s model-checking course.

Promela/SPIN Acknowledgements: These notes used some of the material presented by Flavio Lerda as part of Ed Clarke’s model-checking course.
Formal verification in SPIN Karthikeyan Bhargavan, Davor Obradovic CIS573, Fall 1999.

Formal verification in SPIN Karthikeyan Bhargavan, Davor Obradovic CIS573, Fall 1999.

Similar presentations

Ads by Google