Presentation is loading. Please wait.

Presentation is loading. Please wait.

The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.

Published byTaylor White Modified over 10 years ago

Similar presentations

Presentation on theme: "The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial."— Presentation transcript:

1 The SPIN System

2 What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial order reduction). Developed in Bell Laboratories.

3 Documentation Paper: The model checker SPIN, G.J. Holzmann, IEEE Transactions on Software Engineering, Vol 23, 279- 295. Web: http://www.spinroot.com

4 The language of SPIN The expressions are from C. The communication is from CSP. The constructs are from Guarded Command.

5 Expressions Arithmetic: +, -, *, /, % Comparison: >, >=, <, <=, ==, != Boolean: &&, ||, ! Assignment: = Increment/decrement: ++, --

6 Declaration byte name1, name2=4, name3; bit b1,b2,b3; short s1,s2; int arr1[5];

7 Message types and channels mtype = {OK, READY, ACK} mtype Mvar = ACK chan Ng=[2] of {byte, byte, mtype}, Next=[0] of {byte} Ng has a buffer of 2, each message consists of two bytes and an enumerable type (mtype). Next is used with handshake message passing.

8 Sending and receiving a message Channel declaration: chan qname=[3] of {mtype, byte, byte} In sender: qname!tag3(expr1, expr2) or equivalently: qname!tag3, expr1, expr2 In Receiver: qname?tag3(var1,var2)

9 Defining an array of channels Channel declaration: chan qname=[3] of {mtype, byte, byte} defines a channel with buffer size 3. chan comm[5]=[0] of {byte, byte} defines an array of channels (indexed 0 to 4. Communication is synchronous (handshaking), meaning that the sender waits for the receiver.

10 Condition if :: x%2==1 -> z=z*y; x-- :: x%2==0 -> y=y*y; x=x/2 fi If more than one guard is enabled: a nondeterministic choice. If no guard is enabled: the process waits (until a guard becomes enabled).

11 Looping do :: x>y -> x=x-y :: y>x -> y=y-x :: else break od; Normal way to terminate a loop: with break. (or goto). As in condition, we may have a nondeterministic loop or have to wait.

12 Processes Definition of a process: proctype prname (byte Id; chan Comm) { statements } Activation of a process: run prname (7, Con[1]);

13 init process is the root of activating all others init { statements } init {byte I=0; atomic{do ::I run prname(I, chan[I]); I=I+1 ::I=10 -> break od}} atomic allows performing several actions as one atomic step.

14 Exmaples of Mutual exclusion Reference: A. Ben-Ari, Principles of Concurrent and Distributed Programs, Prentice-Hall 1990.

15 General structure loop Non_Critical_Section ; TR:Pre_Protocol; CR:Critical_Section; Post_protocol; end loop; Propositions: inCRi, inTRi.

16 Properties loop Non_Critical_Section ; TR:Pre_Protocol; CR:Critical_Section; Post_protocol; end loop; Assumption: ~<>[]inCRi Requirements: []~(inCR0/\inCR1) [](inTRi--><>inCRi) Not assuming: []<>inTRi

17 Turn:bit:=1; task P0 is begin loop Non_Critical_Sec; Wait Turn=0; Critical_Sec; Turn:=1; end loop end P0. task P1 is begin loop Non_Critical_Sec; Wait Turn=1; Critical_Sec; Turn:=0; end loop end P1.

18 Translating into SPIN #define critical (incrit[0] ||incrit[1]) byte turn=0, incrit[2]=0; proctype P (bool id) { do :: 1 -> do :: 1 -> skip :: 1 -> break od; try:do ::turn==id -> break od; cr:incrit[id]=1; incrit[id]=0; turn=1-turn od} init { atomic{ run P(0); run P(1) } }

19 The leader election algorithm A directed ring of computers. Each has a unique value. Communication is from left to right. Find out which value is the greatest.

20 Example 7 2 3 12 9 4

21 Informal description: Initially, all the processes are active. A process that finds out it does not represent a value that can be maximal turns to be passive. A passive process just transfers values from left to right.

22 More description The algorithm executes in phases. In each phase, each process first sends its current value to the right. Each process, when receiving the first value from its left compares it to its current value. If same: this is the maximum. Tell others. Not same: send current value again to left.

23 Continued When receiving the second value: compare the three values received. These are values of the process itself. of the left active process. of the second active process on the left. If the left active process has greatest value among three, then keep this value. Otherwise, become passive.

24 7 2 3 12 9 4 3 2 9 7 4

25 7 2 3 9 4 3, 7 2, 9 9, 4 7, 2 4, 12 12, 3

26 7 2 3 12 9 4 3, 7 2, 9 9, 4 7, 2 4, 12 12, 3

27 9 7 12

28 9 7 12, 7 7, 9 9, 12

29 12

30 send(1, my_number); state:=active; when received(1,number) do if state=active then if number!=max then send(2, number); neighbor:=number; else (max is greatest, send to all processes); end if; else send(1,number); end if; end do; when received(2,number) do if state=active then if neighbor>number and neighbor>max then max:=neighbor; send(1, neighbor); else state:=passive; end if; else send(2, number); end if; end do;

31 Now, translate into SPIN (Promela) code

32 Running SPIN Can download and implement (for free) using www.spinroot.comwww.spinroot.com Available in our system. Graphical interface: xspin

33 Homework: check properties There is never more than one maximal value found. A maximal value is eventually found. From the time a maximal value is found, we continue to have one maximal value. There is no maximal value until a moment where there is one such value, and from there, there is exactly one value until the end. The maximal value is always 5.

34 Dekkers algorithm P1::while true do begin non-critical section 1 c1:=0; while c2=0 do begin if turn=2 then begin c1:=1; wait until turn=1; end end critical section 1 c1:=1; turn:=2 end. P2::while true do begin non-critical section 2 c2:=0; while c1=0 do begin if turn=1 then begin c2:=1; wait until turn=2; end end critical section 2 c2:=1; turn:=1 end. boolean c1 initially 1; boolean c2 initially 1; integer (1..2) turn initially 1;

35 Project Model in Spin Specify properties Do model checking Can this work without fairness? What to do with fairness?

Download ppt "The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial."

Similar presentations

Symmetric Multiprocessors: Synchronization and Sequential Consistency.

Symmetric Multiprocessors: Synchronization and Sequential Consistency.
1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.
The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.

The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.
1 Data Link Protocols By Erik Reeber. 2 Goals Use SPIN to model-check successively more complex protocols Using the protocols in Tannenbaums 3 rd Edition.

1 Data Link Protocols By Erik Reeber. 2 Goals Use SPIN to model-check successively more complex protocols Using the protocols in Tannenbaums 3 rd Edition.
Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
1 Carnegie Mellon UniversitySPIN ExamplesFlavio Lerda Bug Catching15-398 SPIN Examples.

1 Carnegie Mellon UniversitySPIN ExamplesFlavio Lerda Bug Catching SPIN Examples.
CSCE 668 DISTRIBUTED ALGORITHMS AND SYSTEMS Fall 2011 Prof. Jennifer Welch CSCE 668 Set 14: Simulations 1.

CSCE 668 DISTRIBUTED ALGORITHMS AND SYSTEMS Fall 2011 Prof. Jennifer Welch CSCE 668 Set 14: Simulations 1.
CS542 Topics in Distributed Systems Diganta Goswami.

CS542 Topics in Distributed Systems Diganta Goswami.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
Ch. 7 Process Synchronization (1/2) 2015-04-17. 7.I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.

Ch. 7 Process Synchronization (1/2) I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.
CS 290C: Formal Models for Web Software Lecture 4: Implementing and Verifying Statecharts Specifications Using the Spin Model Checker Instructor: Tevfik.

CS 290C: Formal Models for Web Software Lecture 4: Implementing and Verifying Statecharts Specifications Using the Spin Model Checker Instructor: Tevfik.
1 Chapter 2 Synchronization Algorithms and Concurrent Programming Gadi Taubenfeld © 2007 Synchronization Algorithms and Concurrent Programming Gadi Taubenfeld.

1 Chapter 2 Synchronization Algorithms and Concurrent Programming Gadi Taubenfeld © 2007 Synchronization Algorithms and Concurrent Programming Gadi Taubenfeld.
Multiprocessor Synchronization Algorithms (20225241) Lecturer: Danny Hendler The Mutual Exclusion problem.

Multiprocessor Synchronization Algorithms ( ) Lecturer: Danny Hendler The Mutual Exclusion problem.
© 2011 Carnegie Mellon University SPIN: Part 2 15-414/614 Bug Catching: Automated Program Verification Sagar Chaki April 21, 2014.

© 2011 Carnegie Mellon University SPIN: Part /614 Bug Catching: Automated Program Verification Sagar Chaki April 21, 2014.
Formal verification in SPIN Karthikeyan Bhargavan, Davor Obradovic CIS573, Fall 1999.

Formal verification in SPIN Karthikeyan Bhargavan, Davor Obradovic CIS573, Fall 1999.
CIS 725 Guarded Command Notation. Programming language style notation Guarded actions en(a)  a en(a): guard of the action boolean condition or boolean.

CIS 725 Guarded Command Notation. Programming language style notation Guarded actions en(a)  a en(a): guard of the action boolean condition or boolean.

Similar presentations

Ads by Google