Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2011 Carnegie Mellon University SPIN: Part 1 15-414 Bug Catching: Automated Program Verification and Testing Sagar Chaki October 31, 2011.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "© 2011 Carnegie Mellon University SPIN: Part 1 15-414 Bug Catching: Automated Program Verification and Testing Sagar Chaki October 31, 2011."— Presentation transcript:

1 © 2011 Carnegie Mellon University SPIN: Part 1 15-414 Bug Catching: Automated Program Verification and Testing Sagar Chaki October 31, 2011

2 2 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University What is This All About? Spin On-the-fly verifier developed at Bell-labs by Gerard Holzmann and others http://spinroot.com Promela Modeling language for SPIN Targeted at asynchronous systems – Switching protocols http://spinroot.com/spin/Man/Quick.html

3 3 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University History Work leading to Spin started in 1980 First bug found on Nov 21, 1980 by Pan One-pass verifier for safety properties Succeeded by Pandora (82), Trace (83), SuperTrace (84), SdlValid (88), Spin (89) Spin covered omega-regular properties

4 4 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Spin Capabilities Interactive simulation For a particular path For a random path Exhaustive verification Generate C code for verifier Compile the verifier and execute Returns counter-example Lots of options for fine-tuning

5 5 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Spin Overall Structure GUI Front-end GUI Front-end Promela Parser Promela Parser LTL Parser and Translator LTL Parser and Translator Syntax Error Reports Syntax Error Reports Interactive Simulation Interactive Simulation Verifier Generator Verifier Generator Optimized Model Checker (ANSI C) Optimized Model Checker (ANSI C) Executable O-T-F Verifier Executable O-T-F Verifier Counter Example

6 6 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Promela Stands for Process Meta Language Language for asynchronous programs Dynamic process creation Processes execute asynchronously Communicate via shared variables and message channels – Races must be explicitly avoided – Channels can be queued or rendezvous Very C like

7 7 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Executability No difference between conditions and statements Execution of every statement is conditional on its executability Executability is the basic means of synchronization Declarations and assignments are always executable Conditionals are executable when they hold The following are the same while (a != b) skip (a == b)

8 8 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Delimitors Semi-colon is used a statement separator not a statement terminator Last statement does not need semi-colon Often replaced by ! to indicate causality between two successive statements (a == b); c = c + 1 (a == b) ! c = c + 1

9 9 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Data Types Basic : bit/bool, byte, short, int, chan Arrays: fixed size byte state[20]; state[0] = state[3 * i] + 5 * state[7/j]; Symbolic constants Usually used for message types mtype = {SEND, RECV};

10 10 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Process Definition byte state = 2; proctype A() { (state == 1) ! state = 3 } proctype B() { state = state – 1 }

11 11 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Process Instantiation byte state = 2; proctype A() { (state == 1) ! state = 3 } proctype B() { state = state – 1 } init { run A(); run B() } run can be used anywhere Sample 1

12 12 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Process Parameterization byte state = 1 proctype A(byte x; short foo) { (state == 1 && x > 0) ! state = foo } init { run A(1,3); } Data arrays or processes cannot be passed Sample 2

13 13 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Race Condition byte state = 1; proctype A() { byte x = state; x = x + 1; state = x; } proctype B() { byte y = state; y = y + 2; state = y; } init { run A(); run B() } Sample 3

14 14 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Deadlock byte state = 2; proctype A() { (state == 1) ! state = state + 1 } proctype B() { (state == 1) ! state = state – 1 } init { run A(); run B() } Sample 4

15 15 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Atomic sequences byte state = 1; proctype A() { atomic { byte x = state; x = x + 1; state = x; } byte state = 1; proctype A() { atomic { byte x = state; x = x + 1; state = x; } proctype B() { atomic { byte y = state; y = y + 2; state = y; } init { run A(); run B() } proctype B() { atomic { byte y = state; y = y + 2; state = y; } init { run A(); run B() } Sample 5

16 16 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Message passing Channel declaration chan qname = [16] of {short} chan qname = [5] of {byte,int,chan,short} Sending messages qname!expr qname!expr1,expr2,expr3 Receiving messages qname?var qname?var1,var2,var3

17 17 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Message passing More parameters sent Extra parameters dropped More parameters received Extra parameters undefined Fewer parameters sent Extra parameters undefined Fewer parameters received Extra parameters dropped

18 18 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Message passing chan x = [1] of {byte,byte}; chan y = [1] of {byte,byte}; proctype A(byte p, byte q) { x!p,q ; y?p,q } chan x = [1] of {byte,byte}; chan y = [1] of {byte,byte}; proctype A(byte p, byte q) { x!p,q ; y?p,q } proctype B() { byte p,q; x?p,q ; y!q,p } init { run A(5,7); run B() } proctype B() { byte p,q; x?p,q ; y!q,p } init { run A(5,7); run B() } Sample 6

19 19 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Message passing Convention: first message field often specifies message type (constant) Alternatively send message type followed by list of message fields in braces qname!expr1(expr2,expr3) qname?var1(var2,var3)

20 20 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Executability Send is executable only when the channel is not full Receive is executable only when the channel is not empty Optionally some arguments of receive can be constants qname?RECV,var,10 Value of constant fields must match value of corresponding fields of message at the head of channel queue len(qname) returns the number of messages currently stored in qname If used as a statement it will be unexecutable if the channel is empty

21 21 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Composite conditions Invalid in Promela (qname?var == 0) (a > b && qname!123) Either send/receive or pure expression Can evaluate receives qname?[ack,var] Subtle issues qname?[msgtype] ! qname?msgtype (len(qname) < MAX) ! qname!msgtype Second statement not necessarily executable after the first – Race conditions Returns true if the receive would be enabled

22 22 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Time for example 1

23 23 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Rendezvous Channel of size 0 defines a rendezvous port Can be used by two processed for a synchronous handshake No queueing The first process blocks Handshake occurs after the second process arrives

24 24 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Example #define msgtype 33 chan name = [0] of {byte,byte}; proctype A() { name!msgtype(99); name!msgtype(100) } proctype B() { byte state; name?msgtype(state) } init { run A(); run B() } Sample 7

25 25 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Control flow We have already seen some Concatenation of statements, parallel execution, atomic sequences There are a few more Case selection, repetition, unconditional jumps

26 26 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Case selection if :: (a < b) ! option1 :: (a > b) ! option2 :: else ! option3/* optional */ fi Cases need not be exhaustive or mutually exclusive Non-deterministic selection

27 27 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Time for example 2

28 28 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Repetition byte count = 1; proctype counter() { do :: count = count + 1 :: count = count – 1 :: (count == 0) ! break od } byte count = 1; proctype counter() { do :: count = count + 1 :: count = count – 1 :: (count == 0) ! break od }

29 29 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Repetition proctype counter() { do :: (count != 0) ! if :: count = count + 1 :: count = count – 1 fi :: (count == 0) ! break od } proctype counter() { do :: (count != 0) ! if :: count = count + 1 :: count = count – 1 fi :: (count == 0) ! break od }

30 30 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Unconditional jumps proctype Euclid (int x, y) { do :: (x > y) ! x = x – y :: (x < y) ! y = y – x :: (x == y) ! goto done od ; done: skip } proctype Euclid (int x, y) { do :: (x > y) ! x = x – y :: (x < y) ! y = y – x :: (x == y) ! goto done od ; done: skip }

31 31 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Procedures and Recursion Procedures can be modeled as processes Even recursive ones Return values can be passed back to the calling process via a global variable or a message

32 32 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Time for example 3

33 33 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Timeouts Proctype watchdog() { do :: timeout ! guard!reset od } Get enabled when the entire system is deadlocked No absolute timing considerations

34 34 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Assertions assert(any_boolean_condition) pure expression If condition holds ) no effect If condition does not hold ) error report during verification with Spin

35 35 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Time for example 4

36 36 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University References http://cm.bell-labs.com/cm/cs/what/spin/ http://cm.bell- labs.com/cm/cs/what/spin/Man/Manual.html http://cm.bell- labs.com/cm/cs/what/spin/Man/Quick.html

37 37 Binary Decision Diagrams – Part 2 Sagar Chaki, Sep 14, 2011 © 2011 Carnegie Mellon University Questions? Sagar Chaki Senior Member of Technical Staff RTSS Program Telephone: +1 412-268-1436 Email: chaki@sei.cmu.educhaki@sei.cmu.edu U.S. Mail Software Engineering Institute Customer Relations 4500 Fifth Avenue Pittsburgh, PA 15213-2612 USA Web www.sei.cmu.edu/staff/chaki Customer Relations Email: info@sei.cmu.edu Telephone: +1 412-268-5800 SEI Phone: +1 412-268-5800 SEI Fax: +1 412-268-6257

Download ppt "© 2011 Carnegie Mellon University SPIN: Part 1 15-414 Bug Catching: Automated Program Verification and Testing Sagar Chaki October 31, 2011."

Similar presentations

The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.

The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.
The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.

The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Intermediate Code Generation

Intermediate Code Generation
CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
1 MODULE name (parameters) “Ontology” “Program” “Properties” The NuSMV language A module can contain modules Top level: parameters less module Lower level.

1 MODULE name (parameters) “Ontology” “Program” “Properties” The NuSMV language A module can contain modules Top level: parameters less module Lower level.
© 2011 Carnegie Mellon University SPIN: Part 2 15-414/614 Bug Catching: Automated Program Verification Sagar Chaki April 21, 2014.

© 2011 Carnegie Mellon University SPIN: Part /614 Bug Catching: Automated Program Verification Sagar Chaki April 21, 2014.
Promela/SPIN Acknowledgements: These notes used some of the material presented by Flavio Lerda as part of Ed Clarke’s model-checking course.

Promela/SPIN Acknowledgements: These notes used some of the material presented by Flavio Lerda as part of Ed Clarke’s model-checking course.
Formal verification in SPIN Karthikeyan Bhargavan, Davor Obradovic CIS573, Fall 1999.

Formal verification in SPIN Karthikeyan Bhargavan, Davor Obradovic CIS573, Fall 1999.
/ PSWLAB P ROMELA Semantics from “THE SPIN MODEL CHECKER” by G. J. Holzmann Presented by Hong,Shin 5 th Oct 2007 08:021PROMELA Semantics.

/ PSWLAB P ROMELA Semantics from “THE SPIN MODEL CHECKER” by G. J. Holzmann Presented by Hong,Shin 5 th Oct :021PROMELA Semantics.
An Overview of PROMELA. A protocol Validation Language –A notation for the specification and verification of procedure rules. –A partial description of.

An Overview of PROMELA. A protocol Validation Language –A notation for the specification and verification of procedure rules. –A partial description of.
The model checker SPIN1 The Model Checker SPIN. The model checker SPIN2 SPIN & Promela SPIN(=Simple Promela Interpreter) –tool for analyzing the logical.

The model checker SPIN1 The Model Checker SPIN. The model checker SPIN2 SPIN & Promela SPIN(=Simple Promela Interpreter) –tool for analyzing the logical.
Frederico Araujo CS6362 – Fall 2010 The SPIN Model Checker.

Frederico Araujo CS6362 – Fall 2010 The SPIN Model Checker.
Wishnu Prasetya Model Checking with SPIN Modeling and Verification with SPIN.

Wishnu Prasetya Model Checking with SPIN Modeling and Verification with SPIN.
CIS 725 Guarded Command Notation. Programming language style notation Guarded actions en(a)  a en(a): guard of the action boolean condition or boolean.

CIS 725 Guarded Command Notation. Programming language style notation Guarded actions en(a)  a en(a): guard of the action boolean condition or boolean.
© 2011 Carnegie Mellon University SPIN: Part 1 15-414/614 Bug Catching: Automated Program Verification Sagar Chaki April 21, 2014.

© 2011 Carnegie Mellon University SPIN: Part /614 Bug Catching: Automated Program Verification Sagar Chaki April 21, 2014.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
The Spin Model Checker Promela Introduction 50374 Nguyen Tuan Duc 50378 Shogo Sawai.

The Spin Model Checker Promela Introduction Nguyen Tuan Duc Shogo Sawai.
1 Spin Model Checker Samaneh Navabpour Electrical and Computer Engineering Department University of Waterloo SE-464 Summer 2011.

1 Spin Model Checker Samaneh Navabpour Electrical and Computer Engineering Department University of Waterloo SE-464 Summer 2011.

Similar presentations

Ads by Google