Presentation is loading. Please wait.

Presentation is loading. Please wait.

Formal verification in SPIN Karthikeyan Bhargavan, Davor Obradovic CIS573, Fall 1999.

Published byCason Harston Modified over 9 years ago

Similar presentations

Presentation on theme: "Formal verification in SPIN Karthikeyan Bhargavan, Davor Obradovic CIS573, Fall 1999."— Presentation transcript:

1 Formal verification in SPIN Karthikeyan Bhargavan, Davor Obradovic CIS573, Fall 1999

2 Formal verification o Formal verification means using methods of mathematical argument to determine correctness of systems. o Can be applied to hardware, software and other kinds of systems. o Bugs are expensive when discovered in a finished product. Idea: use FV to discover bugs during the design phase.

3 Model checkers o Model checkers are among the most widely used FV tools. o Human inspection is not effective: uCurrently designed systems are too large uConcurrency, race conditions uBig verifications done by paper and pencil are hard to re-construct and re-check o Model checkers are good at doing massive (but often simple) case analyses.

4 The BIG picture Model checker model description property NO + counterexample YES

5 Spin o Developed in Bell Labs, starting in 1980. o Designed for verification of distributed systems. o Model descriptions need to be given in PROMELA (PROcess MEta LAnguage). o Properties are described in LTL (Linear Temporal Logic).

6 PROMELA overview o A PROMELA program describes a set of concurrent processes. o Execution is asynchronous (each time only one process does a step), except in special cases (rendezvous message passing). o Processes can die or be created dynamically. o Processes can communicate through global variables and channels (message passing).

7 PROMELA example proctype Pr1 (){ do :: x==0 ->y=1; :: x==1 ->y=0; od; } proctype Pr2 (){ do :: y==0 ->x=1; :: y==1 ->x=0; od; } init { x=0; y=0; run Pr1(); run Pr2(); } X=1 y=0 X=0 y=0 X=0 y=1  Each Promela program generates a unique state transition system.  Promela “instructions” correspond to state transitions. :: y==0 ->x=1;

8 PROMELA special features o Nondeterministic choice:if :: g1 -> s1;:: (x>3) -> x--; :: g2 -> s2;:: true -> y=1;...:: y -> x=x+y; fifi; At each step, execute one of the statements whose guard evaluates to true.

9 PROMELA special features o Nondeterministic loop:do :: g1 -> s1;:: (x>3) -> x--; :: g2 -> s2;:: true -> y=1;...:: y -> x=x+y; odod; Repeat, choosing nondeterministically at each step.

10 PROMELA special features o Channel communication: chanc = [2] of {bit}; chandin = [0] of {byte}; chandout = [1] of {byte}; Send a message m on channel c: c!m Receive a message from channel c: c?x din?v -> dout!(v+v); c?1 -> x++; dout!v -> skip;

11 Other PROMELA features  Labels and goto statement  Types: bit, bool, byte, short, int o User-defined types o... More about PROMELA on the course webpage.

12 LTL overview o Expresses properties dependent on time (temporal) o LTL formulas are evaluated on sequences of states (linear) o Standard predicate logic + temporal operators: [] = always <> = eventually

13 LTL in practice  x is always strictly greater than y: [](x>y)  Eventually x becomes equal to 1: <>(x==1) o Eventually x becomes equal to 1 and never changes afterwards: <>[](x==1) o If at any moment x becomes negative, y will become negative at some later moment: []((x <>(y<0))

14 LTL, formal definitions F ::= p (a state predicate, like (x>0) or (x!=y)) | F1 && F2 | F1 || F2 | !F | []F | <>F Given a sequence of states s = s(0), s(1), s(2),...  s(i) satisfies []F if for every j>=i, s(j) satisfies F.  s(i) satisfies <>F if for some j>=i, s(j) satisfies F.  s(i) satisfies []F if for every j>=i, s(j) satisfies F.  s(i) satisfies <>F if for some j>=i, s(j) satisfies F. The whole sequence s satisfies F if s(0) satisfies F.

15 LTL examples p!pp p... <>(!p) []p []<>p <>[]p + - + - p,!q!p,qp,!q!p,qp,!q!p,q... [](p||q) []<>q <>(p&&q) (<>p)&&(<>q) + + - +

16 LTL verification in Spin o Given a PROMELA program and an LTL formula, Spin checks whether all possible computation paths satisfy the formula. int a,b,d;init { bit ready=0;a=100; proctype Euclid (int x,y){b=1;do ::(x>y) -> x=x-y:: (b b++ ::(y>x) -> y=y-x:: true -> goto enough :: (x==y)-> goto doneod; od;enough: run Euclid(a,b)} done: ready=1; d=x } LTL: <>(ready && (a%d==0))

Download ppt "Formal verification in SPIN Karthikeyan Bhargavan, Davor Obradovic CIS573, Fall 1999."

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.
The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.

The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.
The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.

The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.
Generating test cases specifications for BPEL compositions of web services using SPIN José García-Fanjul, Javier Tuya, and Claudio de la Riva Pointner.

Generating test cases specifications for BPEL compositions of web services using SPIN José García-Fanjul, Javier Tuya, and Claudio de la Riva Pointner.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Formalization of Health Information Portability and Accountability Act (HIPAA) Simon Berring, Navya Rehani, Dina Thomas.

Formalization of Health Information Portability and Accountability Act (HIPAA) Simon Berring, Navya Rehani, Dina Thomas.
CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.

Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
© 2011 Carnegie Mellon University SPIN: Part 2 15-414/614 Bug Catching: Automated Program Verification Sagar Chaki April 21, 2014.

© 2011 Carnegie Mellon University SPIN: Part /614 Bug Catching: Automated Program Verification Sagar Chaki April 21, 2014.
/ PSWLAB P ROMELA Semantics from “THE SPIN MODEL CHECKER” by G. J. Holzmann Presented by Hong,Shin 5 th Oct 2007 08:021PROMELA Semantics.

/ PSWLAB P ROMELA Semantics from “THE SPIN MODEL CHECKER” by G. J. Holzmann Presented by Hong,Shin 5 th Oct :021PROMELA Semantics.
An Overview of PROMELA. A protocol Validation Language –A notation for the specification and verification of procedure rules. –A partial description of.

An Overview of PROMELA. A protocol Validation Language –A notation for the specification and verification of procedure rules. –A partial description of.
CIS 725 Guarded Command Notation. Programming language style notation Guarded actions en(a)  a en(a): guard of the action boolean condition or boolean.

CIS 725 Guarded Command Notation. Programming language style notation Guarded actions en(a)  a en(a): guard of the action boolean condition or boolean.
1 Chapter Six Algorithms. 2 Algorithms An algorithm is an abstract strategy for solving a problem and is often expressed in English A function is the.

1 Chapter Six Algorithms. 2 Algorithms An algorithm is an abstract strategy for solving a problem and is often expressed in English A function is the.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
/ PSWLAB Efficient Decentralized Monitoring of Safety in Distributed System K Sen, A Vardhan, G Agha, G Rosu 20 th July 2007 Presented by.

/ PSWLAB Efficient Decentralized Monitoring of Safety in Distributed System K Sen, A Vardhan, G Agha, G Rosu 20 th July 2007 Presented by.

Similar presentations

Ads by Google