Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Spin Model Checker Promela Introduction 50374 Nguyen Tuan Duc 50378 Shogo Sawai.

Published byChad Hart Modified over 9 years ago

Similar presentations

Presentation on theme: "The Spin Model Checker Promela Introduction 50374 Nguyen Tuan Duc 50378 Shogo Sawai."— Presentation transcript:

1 http://www.logos.ic.i.u-tokyo.ac.jp/~duc/paradis/1 The Spin Model Checker Promela Introduction 50374 Nguyen Tuan Duc 50378 Shogo Sawai

2 http://www.logos.ic.i.u-tokyo.ac.jp/~duc/paradis/2 What is model checking? Complex system design Too complex to verify the system. Because of too many states Especially concurrent system Some systems are non-deterministic How to verify??? Model of the system Abstraction ( system activities ) Enable arithmetic verification

3 http://www.logos.ic.i.u-tokyo.ac.jp/~duc/paradis/3 Spin Model Checker SPIN ( Simple Promela Interpreter ) Efficient software verification Use to trace logical design errors in distributed system design, ( deadlock, race condition, etc…) Works on-the-fly A full LTL(Linear Time Temporal Logic) Model Checking system Supports random, interactive and guided simulation

4 http://www.logos.ic.i.u-tokyo.ac.jp/~duc/paradis/4 global state initial state How does spin check a model?

5 http://www.logos.ic.i.u-tokyo.ac.jp/~duc/paradis/5 Promela Promela (PROtocol/PROcess MEta LAnguage) Syntax is very similar to C language. Easy to model Specification of processes and communication between processes. Synchronizaiton, atomicity Diffucult to describe Arithmetic operations ( no floating point… )

6 http://www.logos.ic.i.u-tokyo.ac.jp/~duc/paradis/6 Outline 1. An Overview of Model Checking 2. The Spin Model Checker 3. Promela Introduction 4. Promela Syntax 5. Correctness claims 6. Examples

7 http://www.logos.ic.i.u-tokyo.ac.jp/~duc/paradis/7 Promela syntax Hello, World Object types Variable’s scope Rules for executability Compound statements

8 http://www.logos.ic.i.u-tokyo.ac.jp/~duc/paradis/8 Hello, World! /* hello.pml */ active proctype Hello() { printf( “Hello, World!\n” ); } $spin hello.pml Hello, World! 1 process created

9 http://www.logos.ic.i.u-tokyo.ac.jp/~duc/paradis/9 Object types A Promela model is contructed from 3 basic types of objects: Processes Data objects Message channels

10 http://www.logos.ic.i.u-tokyo.ac.jp/~duc/paradis/10 Processes Processes are instances of proctypes proctype Hello() { … } Proctype body ::= (data_declaration | statement)* Proctype prefixed by active keyword is automatically activated active proctype Hello() { printf( “Hello, World!\n” ); } Another way to start process is using “run” operator with proctype object as operand inside a running process: run Hello();

11 http://www.logos.ic.i.u-tokyo.ac.jp/~duc/paradis/11 Data objects Basic data types: bit(0,1), bool(true, false), byte(0..255) chan (channel) mtype (symbolic constant, likes enum in C) pid (process id) short, int Data structures typedef Complex { int real; int img; } Arrays byte x[5] = 1; /* all elements initialized to 1 */

12 http://www.logos.ic.i.u-tokyo.ac.jp/~duc/paradis/12 Message channels Message channels are used to model the exchange of data between processes chan qname = [16] of { short, byte, bool } qname is a channel with buffer size of 16 messages and each message is a tuple of (short, byte, bool) Operations: Blocking send: qname!expr1, expr2, expr3 Blocking receive: qname?var1, var2, var3 By default, send/receive buffers are FIFO

13 http://www.logos.ic.i.u-tokyo.ac.jp/~duc/paradis/13 Example using Send/Receive mtype = { msg0, msg1, ack0, ack1 }; chan to_sndr = [2] of { mtype }; chan to_rcvr = [2] of { mtype }; active proctype Sender(){ again: to_rcvr!msg1; to_sndr?ack1; to_rcvr!msg0; to_sndr?ack0; goto again; } active proctype Receiver(){ again:to_rcvr?msg1; to_sndr!ack1; to_rcvr?msg0; to_sndr!ack0; goto again; }

14 http://www.logos.ic.i.u-tokyo.ac.jp/~duc/paradis/14 Rendezvous communication Channel with buffer size of 0 can be used as rendezvous port 0 buffer channel can pass, but not store message chan port = [0] of { mtype } Message interactions via rendezvous ports are synchronous

15 http://www.logos.ic.i.u-tokyo.ac.jp/~duc/paradis/15 Variable’s scope Only 2 levels of scope exist in Promela Model global variables Process local variables Process local variables can be used after declarations and valid until process terminates proctype Hello(){ int x; { int y; x = 5; y = 6; } printf( “%d\n”, y ); } y stills valid outside the block y is declared inside a block

16 http://www.logos.ic.i.u-tokyo.ac.jp/~duc/paradis/16 Rules for executability Depending on system state, any statement is either executable or blocked Expressions can be used as if they were statements Expressions are “executable” (passable) if and only if they evaluate to true or non-zero (x==y); /* block until x equals y */ Print statements, assignment statements are always executable

17 http://www.logos.ic.i.u-tokyo.ac.jp/~duc/paradis/17 Example of executability proctype proc1() { x = 1; printf( “reached here\n” ); (x == y); /* block until x equals y */ skip; } always executable

18 http://www.logos.ic.i.u-tokyo.ac.jp/~duc/paradis/18 Process executability Process is executable if at least one executable statement exists No executable statement  block active proctype block_proc() { (1+1 == 3); printf( “Can not reach here!\n” ); }

19 http://www.logos.ic.i.u-tokyo.ac.jp/~duc/paradis/19 Compound statements Atomic sequences Deterministic steps Selections Repetitions Escape sequences

20 http://www.logos.ic.i.u-tokyo.ac.jp/~duc/paradis/20 Atomic sequences Execution of atomic sequence is uninterruptible (atomic, no interleaving) atomic { tmp = b; b = a; a = tmp; }

21 http://www.logos.ic.i.u-tokyo.ac.jp/~duc/paradis/21 Deterministic steps D_step sequence is always executed as if it were a single statement For defining new types of primitive statements d_step { tmp = b; b = a; a = tmp; } Not be interrupted by blocking statements (error if blocking statement inside an executing d_step) Deterministic

22 http://www.logos.ic.i.u-tokyo.ac.jp/~duc/paradis/22 Selections if :: guard1 -> stmt1; stmt2; …; stmt_n; :: guard2 -> stmt1; stmt2;…; stmt_m; ……… :: guardn -> stmt…. fi Selection contains sequences begin with “::” Guard_i is “guard” statement, sequence can be executed if guard statement is executable If more than one sequence can execute then the oracle choose one (non-deterministic)

23 http://www.logos.ic.i.u-tokyo.ac.jp/~duc/paradis/23 Repetition do :: guard1 -> stmts :: guard2 -> stmts …. od proctype Euclide(int x, y) { do :: ( x > y ) -> x = x – y :: ( x y = y – x :: else -> goto done od done: printf( “answer: %d\n”, x ); }

24 http://www.logos.ic.i.u-tokyo.ac.jp/~duc/paradis/24 Escape sequences { P } unless { E } P’s statements are executed while the first statements in E is not executable When the first statement in E becomes executable, control changes to E and execution continues as defined for E

25 http://www.logos.ic.i.u-tokyo.ac.jp/~duc/paradis/25 Correctness claims Correctness claims are used to verify the system Basic types of claims: Basic assertions End-state labels Progress-state labels Never claims Trace assertion

26 http://www.logos.ic.i.u-tokyo.ac.jp/~duc/paradis/26 Basic assertions assert( expression ); Similar to C language assertion Example: Increasing common variables int c, x, y; /* initialized to 0 */ active proctype procA() { atomic { c++; x++ } assert( c == x + y ); } active proctype procB() { atomic { c++; y++ } assert( c == x + y ); }

27 http://www.logos.ic.i.u-tokyo.ac.jp/~duc/paradis/27 End state Labels beginning with “end” (end, end1,.. ) are end-state labels End-state labels declare a valid end-state Default end-state is end of code End-state labels can be used to declare other additional end state

28 http://www.logos.ic.i.u-tokyo.ac.jp/~duc/paradis/28 Progress state label Progress labels begin with “progress” (progress, progress1, progression … ) Every potentially infinite execution cycle permitted by a model passes through at least one of the progress labels in that model. To verity the executing process is making effective progress Example: semaphore with progress label

29 http://www.logos.ic.i.u-tokyo.ac.jp/~duc/paradis/29 Never claims A never claim is used to specify either finite or infinite system behavior that should never occur Verify system-wide (not only process level) property Example: Updating 2 variables

30 http://www.logos.ic.i.u-tokyo.ac.jp/~duc/paradis/30 Trace assertions Trace assertions verify valid/invalid operations of message channels trace { do :: q1!a; q2?b od } Send operations on channel q1 alternate with receive operations on q2, and all messages of q1 have type a, q2 have type b

31 http://www.logos.ic.i.u-tokyo.ac.jp/~duc/paradis/31 Examples Dining Philosophers Mutual exclusion Producers consumers

Download ppt "The Spin Model Checker Promela Introduction 50374 Nguyen Tuan Duc 50378 Shogo Sawai."

Similar presentations

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.
The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.

The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.
The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.

The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.
© 2011 Carnegie Mellon University SPIN: Part 2 15-414/614 Bug Catching: Automated Program Verification Sagar Chaki April 21, 2014.

© 2011 Carnegie Mellon University SPIN: Part /614 Bug Catching: Automated Program Verification Sagar Chaki April 21, 2014.
Formal verification in SPIN Karthikeyan Bhargavan, Davor Obradovic CIS573, Fall 1999.

Formal verification in SPIN Karthikeyan Bhargavan, Davor Obradovic CIS573, Fall 1999.
/ PSWLAB P ROMELA Semantics from “THE SPIN MODEL CHECKER” by G. J. Holzmann Presented by Hong,Shin 5 th Oct 2007 08:021PROMELA Semantics.

/ PSWLAB P ROMELA Semantics from “THE SPIN MODEL CHECKER” by G. J. Holzmann Presented by Hong,Shin 5 th Oct :021PROMELA Semantics.
An Overview of PROMELA. A protocol Validation Language –A notation for the specification and verification of procedure rules. –A partial description of.

An Overview of PROMELA. A protocol Validation Language –A notation for the specification and verification of procedure rules. –A partial description of.
The model checker SPIN1 The Model Checker SPIN. The model checker SPIN2 SPIN & Promela SPIN(=Simple Promela Interpreter) –tool for analyzing the logical.

The model checker SPIN1 The Model Checker SPIN. The model checker SPIN2 SPIN & Promela SPIN(=Simple Promela Interpreter) –tool for analyzing the logical.
תרגול 9 META LABELS. Basic types of claims State properties.

תרגול 9 META LABELS. Basic types of claims State properties.
Frederico Araujo CS6362 – Fall 2010 The SPIN Model Checker.

Frederico Araujo CS6362 – Fall 2010 The SPIN Model Checker.
Wishnu Prasetya Model Checking with SPIN Modeling and Verification with SPIN.

Wishnu Prasetya Model Checking with SPIN Modeling and Verification with SPIN.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
1 Spin Model Checker Samaneh Navabpour Electrical and Computer Engineering Department University of Waterloo SE-464 Summer 2011.

1 Spin Model Checker Samaneh Navabpour Electrical and Computer Engineering Department University of Waterloo SE-464 Summer 2011.
Shin Hong, KAIST17 th April,2007 1/33 Provable Software Laboratory, CS KAIST.

Shin Hong, KAIST17 th April,2007 1/33 Provable Software Laboratory, CS KAIST.
Example: Infinite Split and Merge #define N 128 #define size 16 chan in = [size] of {short}; chan large = [size] of {short}; chan small = [size] of {short};

Example: Infinite Split and Merge #define N 128 #define size 16 chan in = [size] of {short}; chan large = [size] of {short}; chan small = [size] of {short};
Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.

Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.
© 2011 Carnegie Mellon University SPIN: Part 2 15-414 Bug Catching: Automated Program Verification and Testing Sagar Chaki November 2, 2011.

© 2011 Carnegie Mellon University SPIN: Part Bug Catching: Automated Program Verification and Testing Sagar Chaki November 2, 2011.
© 2011 Carnegie Mellon University SPIN: Part 1 15-414 Bug Catching: Automated Program Verification and Testing Sagar Chaki October 31, 2011.

© 2011 Carnegie Mellon University SPIN: Part Bug Catching: Automated Program Verification and Testing Sagar Chaki October 31, 2011.

Similar presentations

Ads by Google