Presentation is loading. Please wait.

Presentation is loading. Please wait.

Who says model checking doesn’t find real problems?

Published byClyde Young Modified over 9 years ago

Similar presentations

Presentation on theme: "Who says model checking doesn’t find real problems?"— Presentation transcript:

1 Who says model checking doesn’t find real problems?
Alice Miller Department of Computing Science University of Glasgow

2 Outline An introduction to Model checking + SPIN
Wireless sensor networks, the DIAS project WSN modelling language - Insense Model checking Insense Future work London Hoppers 4/5/2010

3 Model checking (using SPIN) property holds Kripke structure (FSA)
Promela) Model check (using SPIN) system Buchi automaton Counterexample, modify system, model or property Specify property (using LTL)

4 Context: DIAS project Design Implementation and Adaptation of Sensor Networks The DIAS project was a collaboration between: University of Manchester University of Glasgow University of Kent Strathclyde University Lancaster University St Andrews University Aim: to extend the notion of hw/sw co-design into multiple dimensions Systems generated by combining individual components with appropriate software/firmware “glue” London Hoppers 4/5/2010

5 Wireless Sensor Networks
WSNs used by experts in different fields to gather data, e.g. Environmental measurements Air/water pollution Users expected to produce software for concurrent, RT and resource-constrained computing environment E.g. Crowden Great Brook, Derbyshire (Lancs. University) Crowden Great Brook London Hoppers 4/5/2010

6 Crowden Great Brook To characterise the activity in a small side stream Current deployment 15 nodes 2 base-stations with a GSM modem to communicate alarm events back. 12 measure temperature, humidity, soil moisture 2 of these have extra features (turbidity sensor/rain gauge) 3 extra nodes (no radio) measure stream depth Nodes have enough battery/solar to last 1yr 174MHz and 433MHz radios London Hoppers 4/5/2010

7 WSNs contd. More what we had in mind.. London Hoppers 4/5/2010

8 Tmote Sky 8MHz Texas Instruments MSP430 microcontroller
10k RAM, 48k Flash 250kbps 2.4GHz IEEE Chipcon Wireless Transceiver Integrated Humidity, Temperature, and Light sensors Running (e.g. Contiki) OS London Hoppers 4/5/2010

9 Insense Language to run on a WSN. Developed at St Andrews. Features include: abstraction over complex/low-level programming issues reduced risk of run-time errors due to strong typing + ability to statically determine space and time requirements of programs ability to dynamically change configuration of applications, portability of application : programs independent of any specific operating system or hardware platform London Hoppers 4/5/2010

10 Example: UML deployment diagram
sensor = new TempSensor () averager = new TempAverager () logger = new TempLogger () connect sensor.output to averager.input connect averager.output to logger.input London Hoppers 4/5/2010

11 Channel implementation
Each connection consists of two half-channels Supported operations: Send / Receive Connect / Disconnect (non-deterministic) Select When connection made between outgoing and incoming channels, channels locked in turn using mutex This talk! London Hoppers 4/5/2010

12 Half-channel Object that contains:
Buffer for storing 1 item of corresponding message type Ready flag List of half-channels it’s connected to 2 binary semaphores: mutex and blocked London Hoppers 4/5/2010

13 Why model check Insense?
This talk! Verify correctness of implementation Deadlocks / Livelocks Violations of constraints SPIN as a debugger for Insense Programs Guided and random simulations Communication sequences Inspection of variable values Check basic properties London Hoppers 4/5/2010

14 Modelling Send and Receive in Promela
Half channel representation: Typedef halfchan{ // Binary semaphores bit mutex; // locks access to channels bit blocked; // indicates channel is blocked // Boolean flags bit ready; // TRUE if ready to send/recv // Buffer byte buffer; // List of connections to other half-channels bit connections[NUMHALFCHANS]; } London Hoppers 4/5/2010

15 Send and Receive in Promela contd.
Locks: atomic{ hctab[me].mutex!=LOCKED; // wait for mutex hctab[me].mutex=LOCKED // LOCK mutex } Data Transfer: Sender pushes data Receiver pulls data (register via global flags, for verification purposes) London Hoppers 4/5/2010

16 Bug in published version
Using Spin, easily uncovered error in published algorithms What was it? Receiver could return without receiving correct data How discovered with Spin? Simple (terminating) Sender + Receiver processes Littered with assert statements Assertion violation + examination of error trace London Hoppers 4/5/2010

17 Send/Recv Algorithms 1. wait( cout.mutex ) 2. set ( cout.ready ) 3. signal ( cout.mutex ) foreach (halfchan hc in cout.connList) { wait( hc.mutex ) if ( hc.ready ) { hc.buf = data // push … return } signal ( hc.mutex ) cout.buf = data wait ( cout.blocked ) 4. wait( cin.mutex ) 5. set ( cin.ready ) 6. signal ( cin.mutex ) 7. foreach (halfchan hc in cin.connList) { 8. wait( hc.mutex ) 9. if ( hc.ready ) { 10. cin.buf = hc.buf // pull return } signal ( hc.mutex ) wait ( cin.blocked ) London Hoppers 4/5/2010

18 The initial bug contd. Why not discovered during simulation (Contiki simulator tool: Cooja)? Contiki not truly concurrent Why do we care? Want it to be correct regardless of the underlying operating system Only a simple bug! But it convinced Insense developers of the usefulness of Spin Solution? Set Sender’s buffer before ready flag set London Hoppers 4/5/2010

19 Set of properties In a connected system, send and receive operations are free from deadlock Finite progress- in a connected system data always flows from senders to receivers For any connection between a sender and a receiver, either the sender can push or the receiver can pull, but not both The send operation does not return until data has been written to a receiver’s buffer (either by sender-push or receiver-pull) (plus 3 more properties, see paper) London Hoppers 4/5/2010

20 Properties in LTL S senders and R receivers (non-terminating), S+R  4, R,S  1 Property 1 can be checked via “invalid endstate” check with Spin Property 2: [ ] < > Push1 || Pull1 || Push2 || Pull2 || … || PushR || PullR Property 3: [ ] ! (Push1 && Pull1 )||(Push2 && Pull2)|| … ||(PushR && PullR ) London Hoppers 4/5/2010

21 Spin verification Promela models generated from template via Perl script. See Spin paper for table of results All properties verified for S + R  4, R,S  1 Max depth (S=3, R=1) reached at most 1.5 x 106 Max no. states (S=2, R=2, property 2), 2.8 x 107 Max memory required (S=2, R=2, property 2) approx 1Gb London Hoppers 4/5/2010

22 Connect/Disconnect Algorithms for dynamic connection/disconnection using Spin to test for deadlock Many iterations required! Verified previously unpublished algorithms Prevent deadlocks via Is_Input field of half channel, to impose common order on mutex locking in send/receive (global) conn_op_mutex to prevent deadlock when exectuting concurrent connect/disconnect operations NOT IDEAL … .. but alternative version not fully verified (state-space explosion) In model RxS Connect processes, R+S Disconnect ...interleaving London Hoppers 4/5/2010

23 Removal of the global locks
Leads to massive state space (exceeds available 32 Gb memory) – due to increase in interleavings Usual tricks employed to improve tractability (“low fat” code, Spin options (e.g. state compression, stack cycling)) But lots of symmetry: E.g. If s is state in which S1 and R1 are connected, hctab[S1] and hctab[R1] have values v and u, then there is an equivalent state a(s) in which S1 and R2 are connected, hctab[S1], hctab[R2] have values a(v) and a(u), action of a defined in appropriate way. London Hoppers 4/5/2010

24 Symmetry reduction Current symmetry reduction packages for Spin not appropriate (SymmSpin/TopSpin) Need to exploit symmetry between (pid indexed) global variables hctab elements here Current work at Glasgow: extending TopSpin to handle this sort of case Will hopefully allow for full verification (work in progress) (Meanwhile – any suggestions?) London Hoppers 4/5/2010

25 Model checking Insense programs
Exploit the similarity between Insense and Promela (both based on pi-calculus) SPIN used to debug Insense programs Subject of current work (converter implemented) Alternative approach – to develop direct model checking approach (à la JPF2) to model check automatically created abstract form (future work) London Hoppers 4/5/2010

26 Conclusions Initial steps toward verifying correctness of WSN applications Verification of inter-component synchronisation mechanism Still evolving – verification at design time Revealed error in previously published version of channel implementation Aided development of revised algorithms New Connect/Disconnect algorithms London Hoppers 4/5/2010

27 Future work Verification of Insense language implementation completed by modelling Select operation Show Send and Receive operations safe for any S and any R (PMCP) Can show some properties hold for S=1 (any R>0) Symmetry reduction to reduce state space size Verification of Insense programs Direct model checker for Insense London Hoppers 4/5/2010

28 Credit to: (Glasgow/St Andrews contingent of) DIAS project team, specifically: Oliver Sharma, Joe Sventek (Glasgow) John Lewis, Al Dearle, Dharini Balasubramaniam, Ron Morrison, (St Andrews) TopSpin: Alastair Donaldson London Hoppers 4/5/2010

Download ppt "Who says model checking doesn’t find real problems?"

Similar presentations

Implementation and Verification of a Cache Coherence protocol using Spin Steven Farago.

Implementation and Verification of a Cache Coherence protocol using Spin Steven Farago.
.NET Technology. Introduction Overview of.NET What.NET means for Developers, Users and Businesses Two.NET Research Projects:.NET Generics AsmL.

.NET Technology. Introduction Overview of.NET What.NET means for Developers, Users and Businesses Two.NET Research Projects:.NET Generics AsmL.
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
System Integration and Performance

System Integration and Performance
A Survey of Runtime Verification Jonathan Amir 2004.

A Survey of Runtime Verification Jonathan Amir 2004.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Concurrency: Mutual Exclusion and Synchronization Chapter 5.

Concurrency: Mutual Exclusion and Synchronization Chapter 5.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,

PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
Ch. 7 Process Synchronization (1/2) 2015-04-17. 7.I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.

Ch. 7 Process Synchronization (1/2) I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.
Chapter 6: Process Synchronization

Chapter 6: Process Synchronization
© 2011 Carnegie Mellon University SPIN: Part 2 15-414/614 Bug Catching: Automated Program Verification Sagar Chaki April 21, 2014.

© 2011 Carnegie Mellon University SPIN: Part /614 Bug Catching: Automated Program Verification Sagar Chaki April 21, 2014.
CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.

CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.
PSWLAB S PIN Search Algorithm from “THE SPIN MODEL CHECKER” by G Holzmann Presented by Hong,Shin 9 th Nov 2007 2015-05-071SPIN Search Algorithm.

PSWLAB S PIN Search Algorithm from “THE SPIN MODEL CHECKER” by G Holzmann Presented by Hong,Shin 9 th Nov SPIN Search Algorithm.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
The Spin Model Checker Promela Introduction 50374 Nguyen Tuan Duc 50378 Shogo Sawai.

The Spin Model Checker Promela Introduction Nguyen Tuan Duc Shogo Sawai.

Similar presentations

Ads by Google