Presentation is loading. Please wait.

Presentation is loading. Please wait.

Frederico Araujo CS6362 – Fall 2010 The SPIN Model Checker.

Published byAntwan Rochester Modified over 9 years ago

Similar presentations

Presentation on theme: "Frederico Araujo CS6362 – Fall 2010 The SPIN Model Checker."— Presentation transcript:

1 Frederico Araujo CS6362 – Fall 2010 The SPIN Model Checker

2 Outline 2 What is model checking? Why model checking? SPIN Basic Concepts Promela Promela Model Correctness Claims JSpin Case Studies

3 What is model checking? 3 “Model checking is an automated technique that, given a finite-state model of a system and a logical property, systematically checks whether this property holds for (a given initial state in) that model.” Clarke & Emerson 1981 Model Checker A (S, S 0,L,T,F) Requirement  Yes or No plus a system run violating the requirement

4 What is model checking? 4 (Initial) Design Abstract Verification Model Implementation Model Checker abstraction refinement Verification Model Abstraction of a design  simplification Express assumptions about the environment and correctness properties

5 Why model checking? 5 It serves to prove that the design principles are sound Can predict wheter a model is valid or not before its implementation Not expected to be part of the final implementation of a system It anticipates design defects discovery Potential to reduce costs related to rework and risks of failures in mission-critical systems

6 SPIN Introduction 6 SPIN (Simple Promela Interpreter) is a popular open-source model checker that can be used for the formal verification of asynchronous and distributed software systems. Developed at Bell Labs, starting in 1980. Free, since 1991 All Spin software is written in ANSI standard C, and is portable across multiple platforms SPIN homepage is www.spinroot.comwww.spinroot.com 2002 ACM software system award for 2001

7 SPIN Introduction 7 Common flaws that occur in design of distributed software systems: Deadlock Livelock, starvation Underspecification Overspecification

8 SPIN Basic Concepts 8 Spin can be used in 2 basic modes : as a simulator to get a quick impression of the behavior captured by the system model: guided simulation random and interactive simulation as a verifier: when a counterexample is generated, it uses simulation to step through the trace

9 SPIN Basic Concepts 9 SPIN verification: prove correctness of process interactions Processes refer to system components that communicate with each other Communication rendezvous primitives (synchronous) buffered channels (asynchronous ) shared variables

10 SPIN Basic Concepts 10 SPIN provides: An intuitive, C-like notation (Promela) for specifying the finite- state abstraction of a system unambiguously A notation for expressing general correctness requirements as LTL (Linear Temporal Logic) formulae

11 Promela Introduction 11 PROMELA (Process Meta-language), served as input to SPIN Non-deterministic, guarded command language for specifying the system behavior of a distributed system Systems of interacting, asynchronous threads of execution It brings ideas from: CSP process algebra by Hoare for input/output C language in some of the syntax and notational conventions a non-deterministic guarded command language

12 Promela Introduction 12 The properties define the real objectif of a verification Behavior specicification (what is possible) process behavior variables, data types message channels Logical correctness properties (what is valid) assertions end-state, progress-state, and acceptance state labels never claims (LTL formulae) trace assertions default properties: absence of system deadlock absence of unreachable code

13 Promela Model 13 Consists of Process Data objects Message channels Corresponds to a FSM Every object is bounded Process  255 * Message channels  255 * Data  data type dependent * For current versions of SPIN mytype = {MSG, ACK}; chan toS=… chan toR=… bool flag; active proctype Sender(){ …process body… } active proctype Receiver(){ …process body… }

14 Promela Processes 14 Basic structure proctype Sender(chan in; chan out) {... process body... } Process creation init and active proctype You_run() {... process body... } init { run You_run(); } active proctype You_run() {... process body... } active [2] proctype You_run_b() {... process body... }

15 Promela Processes 15 There can be more than one process inside a Promela model A process executes concurrently with other processes. A process also communicates with other processes by sending/receiving messages across channels by using shared (global) variables with other processes Local state of a process is defined by process counter (defines the location of the process) and the values of the local variables of the process.

16 Promela Data Objects 16 Variables can be local or global Default initial value of both local and global variables is 0 Variables can be assigned a value by an assignment, argument passing or message passing Variables can be used in expressions which includes most arithmetic, relational and logical operators of C

17 Promela Basic Types 17 Basic Types Array Declaration Array Access Records type definition Record declaration Record Access Enumeration type for messages From Verification Techniques lecture notes, Uppsala Universitet, Sweden

18 Promela Expressions 18 Operators Conditional expressions Operations on channels identifiers From Verification Techniques lecture notes, Uppsala Universitet, Sweden

19 Promela Message Channels 19 Communication between processes through channels FIFO Declared as arrays There can be two types of communications: Message-passing or asynchronous Rendezvous or synchronous (channel of dimension 0)

20 Promela Message Channels 20 Declaration chan qname = [16] of {short, byte, bool} Sending message qname!expr1, expr2, expr3 Receiving message qname?var1, var2, var3 constrained  qname?cons1,var2,var3 To test if a send receive can be executable without side effect qname?[var1, var2, var3]

21 Promela Message Channels 21 Asynchronous communication mtype = { msg0, msg1, ack0, ack1 }; chan to_sndr = [2] of { mtype }; chan to_rcvr = [2] of { mtype }; active proctype Sender(){ again:to_rcvr!msg1; to_sndr?ack1; to_rcvr!msg0; to_sndr?ack0; goto again } active proctype Receiver(){ again:to_rcvr?msg1; to_sndr!ack1; to_rcvr?msg0; to_sndr!ack0; goto again }

22 Promela Message Channels 22 Synchronous communication (rendezvous) mtype = { msgtype }; chan name = [0] of { mtype, byte }; active proctype A(){ name!msgtype(124); name!msgtype(121) } active proctype B(){ byte state; name?msgtype(state) }

23 Promela Message Channels 23 Synchronous communication (rendezvous) mtype = { msgtype }; chan glob = [0] of { chan }; active proctype A(){ chan loc = [0] of { mtype, byte }; glob!loc; loc?msgtype(121) } active proctype B(){ chan who; glob?who; who!msgtype(121) }

24 Promela Statements 24 Statements are separated by a semi-colon Assignments and expressions are statements skip statement: does nothing, only changes the process counter printf statement: not evaluated during verification assert(expr): Assert statement is used to check if the property speci fi ed by the expression expr is valid within a state. If expr evaluates to 0, it implies that it is not valid and SPIN will exit with an error.

25 Promela Statements 25 if statement if :: choice1 -> stat1.1; stat1.2; :: choice2 -> stat2.1; stat2.2; :: … :: choicen -> statn.1; statn.2; fi; if statement is executable if there is at least one choice which is executable and is blocked if none of the choices are executable If more than one choice is executable, SPIN non- deterministically chooses one of the executable choices

26 Promela Statements 26 do statement do :: choice1 -> stat1.1; stat1.2; :: choice2 -> stat2.1; stat2.2; :: … :: choicen -> statn.1; statn.2; od; do statement behaves in the same way as if statement in terms of choice selection but, executes the choice selection repeatedly break statement can be used to come out of a do loop transferring control to the statement just outside the loop

27 Promela Atomic operator 27 A process whose control is inside atomic{ } executes without being interrupted by other processes From Verification Techniques lecture notes, Uppsala Universitet, Sweden

28 Promela Correcteness Claims 28 Basic assertions (checked during simulation run) End-state labels Progress-state labels Accept-state labels checked during verification run Never claims Trace assertions

29 Promela Correcteness Claims 29 safety property “nothing bad ever happens” invariant x is always less than 5 deadlock freedom the system never reaches a state where no actions are possible SPIN find a trace leading to the “bad” thing. If there is not such a trace, the property is satisfied. liveness property “something good will eventually happen” termination the system will eventually terminate response if action X occurs then eventually action Y will occur SPIN find a (infinite) loop in which the “good” thing does not happen. If there is not such a loop, the property is satisfied.

30 Promela Correcteness Claims 30 Correctness properties can be expressed: as properties of reachable states (generic safety properties) as properties of sequences of states (generic liveness properties) In Promela: properties of states assertions local process assertions system invariants end-state labels to define proper termination points of processes accept-state labels when looking for acceptance cycles progress-state labels when looking for non-progress cycles never claims (optionally derived from LTL formulae) trace assertions properties of sequences of states

31 Promela Correcteness Claims 31 Assertion byte state = 1; active proctype A() { (state == 1) -> state++; assert(state== 2) } active proctype B() { (state == 1) -> state--; assert(state== 0) } pan: assertion violated (state==2) (at depth 6) pan: wrote assertion-example.pml.trail (Spin Version 4.3.0 -- 22 June 2007) Warning: Search not completed + Partial Order Reduction Full statespace search for: never claim - (none specified) assertion violations+ cycle checks - (disabled by -DSAFETY) invalid end states- (disabled by -E flag) State-vector 16 byte, depth reached 6, errors: 1 10 states, stored 0 states, matched 10 transitions (= stored+matched) 0 atomic steps hash conflicts: 0 (resolved) 2.302 memory usage (Mbyte)

32 Promela Correcteness Claims 32 Assertion byte state = 1; active proctype A() { (state == 1) -> state++; assert(state== 2) } active proctype B() { (state == 1) -> state--; assert(state== 0) } pan: assertion violated (state==2) (at depth 6) pan: wrote assertion-example.pml.trail (Spin Version 4.3.0 -- 22 June 2007) Warning: Search not completed + Partial Order Reduction Full statespace search for: never claim - (none specified) assertion violations+ cycle checks - (disabled by -DSAFETY) invalid end states- (disabled by -E flag) State-vector 16 byte, depth reached 6, errors: 1 10 states, stored 0 states, matched 10 transitions (= stored+matched) 0 atomic steps hash conflicts: 0 (resolved) 2.302 memory usage (Mbyte) What is the problem with this model?

33 Promela Correcteness Claims 33 Assertion byte state = 1; active proctype A() { atomic {(state == 1) -> state++; } assert(state== 2) } active proctype B() { atomic{(state == 1) -> state--;} assert(state== 0) } (Spin Version 4.3.0 -- 22 June 2007) + Partial Order Reduction Full statespace search for: never claim - (none specified) assertion violations+ cycle checks - (disabled by -DSAFETY) invalid end states- (disabled by -E flag) State-vector 16 byte, depth reached 3, errors: 0 6 states, stored 0 states, matched 6 transitions (= stored+matched) 0 atomic steps hash conflicts: 0 (resolved) 2.302 memory usage (Mbyte) unreached in proctype A (0 of 5 states) unreached in proctype B (0 of 5 states)

34 Promela Correcteness Claims 34 End-state mtype= { p, v }; chan sem= [0] of { mtype}; byte count; active proctype semaphore() { end: do :: sem!p-> sem?v od } active [5] proctype user() { end: do :: sem?p; count++; /* critical section */ count--; sem!v od } (Spin Version 4.3.0 -- 22 June 2007) + Partial Order Reduction Full statespace search for: never claim - (none specified) assertion violations+ cycle checks - (disabled by -DSAFETY) invalid end states+ State-vector 36 byte, depth reached 5, errors: 0 16 states, stored 5 states, matched 21 transitions (= stored+matched) 0 atomic steps hash conflicts: 0 (resolved) 2.302 memory usage (Mbyte) unreached in proctype semaphore line 9, state 6, "-end-" (1 of 6 states) unreached in proctype user line 19, state 8, "-end-" (1 of 8 states)

35 Promela Correcteness Claims 35 Progress-state mtype= { p, v }; chan sem= [0] of { mtype}; byte count; active proctype semaphore() { end: do :: sem!p-> progress: sem?v od } active [5] proctype user() { end: do :: sem?p; count++; /* critical section */ count--; sem!v od } (Spin Version 4.3.0 -- 22 June 2007) + Partial Order Reduction Full statespace search for: never claim + assertion violations+ (if within scope of claim) non-progress cycles + (fairness disabled) invalid end states- (disabled by never claim) State-vector 44 byte, depth reached 9, errors: 0 21 states, stored 5 states, matched 26 transitions (= stored+matched) 0 atomic steps hash conflicts: 0 (resolved) 2.302 memory usage (Mbyte) unreached in proctype semaphore line 10, state 6, "-end-" (1 of 6 states) unreached in proctype user line 20, state 8, "-end-" (1 of 8 states) Non-progress verification

36 Promela Correcteness Claims 36 SPIN’s automata for semaphore problem End: Progress:

37 Promela Correcteness Claims 37 Fairness  finite progress assumption when a process can make progress, it eventually will 1. weak fairness: if a statement is executable infinitely long, it will eventually be executed 2. strong fairness: if a statement is executable infinitely often, it will eventually be executed fairness can be applied to non-deterministic statement selection within a process non-deterministic statement selection between processes

38 Promela Correcteness Claims 38 Accept-state mtype= { p, v }; chan sem= [0] of { mtype}; byte count; active proctype semaphore() { do :: sem!p-> sem?v od } active [5] proctype user() { do :: sem?p-> accept: count++; /* critical section */ count--; sem!v od } pan: acceptance cycle (at depth 0) pan: wrote _accept-example.pml.trail (Spin Version 4.3.0 -- 22 June 2007) Warning: Search not completed + Partial Order Reduction Full statespace search for: never claim - (none specified) assertion violations+ acceptance cycles + (fairness disabled) invalid end states+ State-vector 40 byte, depth reached 5, errors: 1 4 states, stored 0 states, matched 4 transitions (= stored+matched) 0 atomic steps hash conflicts: 0 (resolved) 2.302 memory usage (Mbyte) Acceptance verification

39 Promela Correcteness Claims 39 SPIN’s counterexample for acceptance example Implicit meaning: there should not exist any executions that can pass through an accept-state infinitely often

40 Promela Correcteness Claims 40 Linear Temporal Logic (LTL) and Buchi Automata never { /* <>(p&&[]!q) */ T0_init: if :: (! ((q)) && (p)) -> goto accept_S4 :: (1) -> goto T0_init fi; accept_S4: if :: (! ((q))) -> goto accept_S4 fi; } Temporal logic operators:   eventually   always From Verification Techniques lecture notes, Uppsala Universitet, Sweden

41 Promela Correcteness Claims 41 Never claim Needed capability for defining more precise checks Implicit meaning: specifies finite or infinite behavior that should never occur Note: p and q need to be defined as macros: #define p (x>10) #define q (x<100) never { /* <>(p&&[]!q) */ T0_init: if :: (! ((q)) && (p)) -> goto accept_S4 :: (1) -> goto T0_init fi; accept_S4: if :: (! ((q))) -> goto accept_S4 fi; }

42 JSpin 42 It is a java based GUI for SPIN model checker Adapted from Theo C. Ruys - SPIN Beginners' Tutorial JSpin

43 Case Studies 43 peterson’s mutual exclusion algorithm paper: Towards a Methodology for Formal Design and Analysis of Agent Interaction Protocols

44 References 44 Gerard J. Holzmann.The SPIN model checker: primer and reference guide, Addison-Wesley, September 2003 G. Holzmann, The Model Checker Spin,IEEE Trans. on Software Engineering, Vol. 23, No. 5, May 1997, pp. 279-295 SPIN page: http://spinroot.com Theo C. Ruys. SPIN Beginners’ Tutorial, SPIN Workshop 2002, Grenoble, France, 2002 Wei Jun, Cheung Shing-Chi, Wang Xul. Towards a Methodology for Formal Design and Analysis of Agent Interaction Protocols - An Investigation in Electronic Commerce, Wuhan University Journal of Natural Sciences Vol. 6 No. 1-2, 2001

45 45 Questions?

Download ppt "Frederico Araujo CS6362 – Fall 2010 The SPIN Model Checker."

Similar presentations

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.
The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.

The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.
The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.

The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.
Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,

PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
© 2011 Carnegie Mellon University SPIN: Part 2 15-414/614 Bug Catching: Automated Program Verification Sagar Chaki April 21, 2014.

© 2011 Carnegie Mellon University SPIN: Part /614 Bug Catching: Automated Program Verification Sagar Chaki April 21, 2014.
Formal verification in SPIN Karthikeyan Bhargavan, Davor Obradovic CIS573, Fall 1999.

Formal verification in SPIN Karthikeyan Bhargavan, Davor Obradovic CIS573, Fall 1999.
/ PSWLAB P ROMELA Semantics from “THE SPIN MODEL CHECKER” by G. J. Holzmann Presented by Hong,Shin 5 th Oct 2007 08:021PROMELA Semantics.

/ PSWLAB P ROMELA Semantics from “THE SPIN MODEL CHECKER” by G. J. Holzmann Presented by Hong,Shin 5 th Oct :021PROMELA Semantics.
An Overview of PROMELA. A protocol Validation Language –A notation for the specification and verification of procedure rules. –A partial description of.

An Overview of PROMELA. A protocol Validation Language –A notation for the specification and verification of procedure rules. –A partial description of.
The model checker SPIN1 The Model Checker SPIN. The model checker SPIN2 SPIN & Promela SPIN(=Simple Promela Interpreter) –tool for analyzing the logical.

The model checker SPIN1 The Model Checker SPIN. The model checker SPIN2 SPIN & Promela SPIN(=Simple Promela Interpreter) –tool for analyzing the logical.
תרגול 9 META LABELS. Basic types of claims State properties.

תרגול 9 META LABELS. Basic types of claims State properties.
PSWLAB S PIN Search Algorithm from “THE SPIN MODEL CHECKER” by G Holzmann Presented by Hong,Shin 9 th Nov 2007 2015-05-071SPIN Search Algorithm.

PSWLAB S PIN Search Algorithm from “THE SPIN MODEL CHECKER” by G Holzmann Presented by Hong,Shin 9 th Nov SPIN Search Algorithm.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
SPIN Verification System The Model Checker SPIN By Gerard J. Holzmann Comp 587 – 12/2/09 Eduardo Borjas – Omer Azmon ☐ ☐

SPIN Verification System The Model Checker SPIN By Gerard J. Holzmann Comp 587 – 12/2/09 Eduardo Borjas – Omer Azmon ☐ ☐
Sept 2011 1 COMP60611 Fundamentals of Parallel and Distributed Systems Lecture 12 The Critical Section problem John Gurd, Graham Riley Centre for Novel.

Sept COMP60611 Fundamentals of Parallel and Distributed Systems Lecture 12 The Critical Section problem John Gurd, Graham Riley Centre for Novel.

Similar presentations

Ads by Google