Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSE 503 – Software Engineering

Published byMárk Tóth Modified over 4 years ago

Similar presentations

Presentation on theme: "CSE 503 – Software Engineering"— Presentation transcript:

1 CSE 503 – Software Engineering
Lecture 6: Practice with the Spin model checker Rob DeLine 14 Apr 2004

2 Matching channel contents
Channels support primitive pattern matching mtype = { START, STOP } // these are constants chan msgs = [10] of {byte} proctype Fetch () { do :: msgs?START -> /* do start command */ :: msgs?STOP -> /* do stop command */ od } Channel data must equal constant for receive to be executable You can also match channel data against the value of a variable: proctype A (byte b) { do :: msgs?eval(b) -> ... } init { run A(0); run A(1); }

3 Checking properties Easiest way to check safety properties: use assert
Spin also has built-in checks deadlocks (every process blocked on another process) unreachable code livelocks (processes are busy, but no “progress”) Spin also checks properties in linear temporal logic (LTL) Temporal logics are a huge field by themselves We’ll stick to basic formulae in this class

4 LTL describes traces LTL formulae are defined over traces of system states Spin “state” consists of globals, process locals, channel contents Due to nondeterminism, there are many possible traces LTL talks about one trace at a time (A different logic, CTL, talks about all traces at once) LTL built on top of atomic propositions With Spin, these are Promela expressions, given names with #define We’ll label a state with a proposition that holds in that state S0 S1 S2 S3 S4 S5 ... P

5 LTL temporal operators
P P holds in the initial state X P P holds in the next state (not in Spin) □ P P holds in all states (a.k.a. G P) ◊ P P holds in some future state (a.k.a. F P) P U Q P holds until Q holds P ... P ... P ... P ... P Q ...

6 LTL “patterns” Certain cliches appear again and again
See Dwyer, Avrunin, and Corbett, “Patterns in Property Specifications for Finite-State Verification”, 1999 Universal property (P always holds) [] P Response property (Q always happens after P happens) [] P -> <> Q Precedence property (S always precedes P) <> P -> (!P U (S && !P))

7 Let’s practice with elevators
We’ll model an elevator in an N-floor building On each floor there’s a door and a button. Pressing the button sends a request for the elevator to come to that floor. To enter the elevator, the door must be open when the elevator is at that floor. The door must not be open when the elevator is not on that floor. A controller on each floor controls the door. The elevator moves only in response to requests. Syntax reminder: chan c = [2] of {int} int i = 0; proctype Loopy (int n) { int i=0, j=0; do :: i < n -> i--; :: c?j -> i = i + j; od } proctype Send (int n) { if :: n < 0 -> n = -n; c!n; :: n >= 0 -> c!n; fi init { run Loopy(3); }

Download ppt "CSE 503 – Software Engineering"

Similar presentations

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.
The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.

The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.
The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.

The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Formalization of Health Information Portability and Accountability Act (HIPAA) Simon Berring, Navya Rehani, Dina Thomas.

Formalization of Health Information Portability and Accountability Act (HIPAA) Simon Berring, Navya Rehani, Dina Thomas.
CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.
Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.

Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
CS6133 Software Specification and Verification

CS6133 Software Specification and Verification
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
© 2011 Carnegie Mellon University SPIN: Part 2 15-414/614 Bug Catching: Automated Program Verification Sagar Chaki April 21, 2014.

© 2011 Carnegie Mellon University SPIN: Part /614 Bug Catching: Automated Program Verification Sagar Chaki April 21, 2014.
Formal verification in SPIN Karthikeyan Bhargavan, Davor Obradovic CIS573, Fall 1999.

Formal verification in SPIN Karthikeyan Bhargavan, Davor Obradovic CIS573, Fall 1999.
/ PSWLAB P ROMELA Semantics from “THE SPIN MODEL CHECKER” by G. J. Holzmann Presented by Hong,Shin 5 th Oct 2007 08:021PROMELA Semantics.

/ PSWLAB P ROMELA Semantics from “THE SPIN MODEL CHECKER” by G. J. Holzmann Presented by Hong,Shin 5 th Oct :021PROMELA Semantics.
Frederico Araujo CS6362 – Fall 2010 The SPIN Model Checker.

Frederico Araujo CS6362 – Fall 2010 The SPIN Model Checker.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
The Spin Model Checker Promela Introduction 50374 Nguyen Tuan Duc 50378 Shogo Sawai.

The Spin Model Checker Promela Introduction Nguyen Tuan Duc Shogo Sawai.
1 Spin Model Checker Samaneh Navabpour Electrical and Computer Engineering Department University of Waterloo SE-464 Summer 2011.

1 Spin Model Checker Samaneh Navabpour Electrical and Computer Engineering Department University of Waterloo SE-464 Summer 2011.
Shin Hong, KAIST17 th April,2007 1/33 Provable Software Laboratory, CS KAIST.

Shin Hong, KAIST17 th April,2007 1/33 Provable Software Laboratory, CS KAIST.
1 Temporal Logic u Classical logic:  Good for describing static conditions u Temporal logic:  Adds temporal operators  Describe how static conditions.

1 Temporal Logic u Classical logic:  Good for describing static conditions u Temporal logic:  Adds temporal operators  Describe how static conditions.
Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.

Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.

Similar presentations

Ads by Google