Introduction to Spin and Promela
description
Transcript of Introduction to Spin and Promela
![Page 1: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/1.jpg)
Introduction to Spin and Promela
Sagar Chaki
CMU
![Page 2: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/2.jpg)
What is this all about? Spin
On-the-fly verifier developed at Bell-labs by Gerard Holzmann and others
Promela Modeling language for SPIN Targeted at asynchronous systems
Switching protocols
![Page 3: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/3.jpg)
Roadmap Historical perspective Overview of Spin Overview of Promela Simulation with Spin Overview of LTL Verification with Spin
![Page 4: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/4.jpg)
Part IHistorical Perspective
![Page 5: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/5.jpg)
History Work leading to Spin started in 1980
First bug found on Nov 21, 1980 by Pan One-pass verifier for safety properties
Succeeded by Pandora (82), Trace (83), SuperTrace (84), SdlValid (88), Spin (89)
Spin covered omega-regular properties
![Page 6: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/6.jpg)
Meanwhile … Temporal logic model checking
Clarke et. al. CMU 1981 Sifakis et. al. Grenoble 1982
Symbolic model checking McMillan 1991 SMV
![Page 7: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/7.jpg)
Currently .. Theory of symbolic and on-the-fly
model checking well-understood
Algorithms for different logics suited for different implementations CTL properties – symbolic LTL properties – on-the-fly
![Page 8: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/8.jpg)
Part IIOverview of Spin
![Page 9: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/9.jpg)
Spin capabilities Interactive simulation
For a particular path For a random path
Exhaustive verification Generate C code for verifier Compile the verifier and execute Returns counter-example
Lots of options for fine-tuning
![Page 10: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/10.jpg)
Spin overall structureXSpin
Front-end
PromelaParser
LTL Parser andTranslator
SyntaxError
Reports
InteractiveSimulation
VerifierGenerator
Optimized ModelChecker (ANSI C)
Executable O-T-FVerifier
Counter Example
![Page 11: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/11.jpg)
Part IIIOverview of Promela
![Page 12: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/12.jpg)
Promela Language for asynchronous programs
Dynamic process creation Processes execute asynchronously Communicate via shared variables and
message channels Races must be explicitly avoided Channels can be queued or rendezvous
Very C like
![Page 13: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/13.jpg)
Executability No difference between conditions and
statements Execution of every statement is
conditional on its executability Executability is the basic means of
synchronization
![Page 14: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/14.jpg)
Executbility Declarations and assignments are
always executable Conditionals are executable when they
hold The following are the same
while (a != b) skip (a == b)
![Page 15: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/15.jpg)
Delimitors Semi-colon is used a statement
separator not a statement terminator Last statement does not need semi-colon Often replaced by -> to indicate causality
between two successive statements (a == b); c = c + 1 (a == b) -> c = c + 1
![Page 16: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/16.jpg)
Data Types Basic : bit/bool, byte, short, int, chan Arrays: fixed size
byte state[20]; state[0] = state[3 * i] + 5 * state[7/j];
Symbolic constants Usually used for message types mtype = {SEND, RECV};
![Page 17: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/17.jpg)
Process types
byte state = 2;
proctype A() { (state == 1) -> state = 3 }
proctype B() { state = state – 1 }
![Page 18: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/18.jpg)
Process instantiationbyte state = 2;
proctype A() { (state == 1) -> state = 3 }
proctype B() { state = state – 1 }
init { run A(); run B() }
run can be used anywhere
![Page 19: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/19.jpg)
Parameter passingproctype A(byte x; short foo) {
(state == 1) -> state = foo
}
init { run A(1,3); }
Data arrays or processes cannot be passed
![Page 20: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/20.jpg)
Variable scoping Similar to C
globals, locals, parameters
byte foo, bar, baz;
proctype A(byte foo) {
byte bar;
baz = foo + bar;
}
![Page 21: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/21.jpg)
Races and deadlockbyte state = 1;
proctype A() {
(state == 1) -> state = state + 1
}
proctype B() {
(state == 1) -> state = state – 1
}
init { run A(); run B() }
![Page 22: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/22.jpg)
Atomic sequencesbyte state = 1;
proctype A() { atomic {
(state == 1) -> state = state + 1
} }
proctype B() { atomic {
(state == 1) -> state = state – 1
} }
init() { run A(); run B() }
![Page 23: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/23.jpg)
Message passing Channel declaration
chan qname = [16] of {short} chan qname = [5] of {byte,int,chan,short}
Sending messages qname!expr qname!expr1,expr2,expr3
Receiving messages qname?var qname?var1,var2,var3
![Page 24: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/24.jpg)
Message passing More parameters sent
Extra parameters dropped More parameters received
Extra parameters undefined Fewer parameters sent
Extra parameters undefined Fewer parameters received
Extra parameters dropped
![Page 25: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/25.jpg)
Message passingchan x = [1] of {bool};
chan y = [1] of {bool,bool};
proctype A(bool p, bool q) { x!p,q ; y?p }
proctype B(bool p, bool q) { x?p,q ; y!q }
init { run A(1,2); run B(3,4) }
![Page 26: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/26.jpg)
Message passing Convention: first message field often
specifies message type (constant) Alternatively send message type followed
by list of message fields in braces qname!expr1(expr2,expr3) qname?var1(var2,var3)
![Page 27: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/27.jpg)
Executability
Send is executable only when the channel is not full
Receive is executable only when the channel is not empty
![Page 28: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/28.jpg)
Executability Optionally some arguments of receive
can be constants qname?RECV,var,10 Value of constant fields must match
value of corresponding fields of message at the head of channel queue
![Page 29: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/29.jpg)
Queue length len(qname) returns the number of
messages currently stored in qname
If used as a statement it will be unexecutable if the channel is empty
![Page 30: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/30.jpg)
Composite conditions Invalid in Promela
(qname?var == 0) (a > b && qname!123) Either send/receive or pure expression
Can evaluate receives qname?[ack,var]
![Page 31: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/31.jpg)
Subtle issues Consider the following
qname?[msgtype] -> qname?msgtype (len(qname) < MAX) -> qname!msgtype
Second statement not necessarily executable after the first Race conditions
![Page 32: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/32.jpg)
Time for example 1
![Page 33: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/33.jpg)
Rendezvous Channel of size 0 defines a rendezvous
port Can be used by two processed for a
synchronous handshake No queueing The first process blocks Handshake occurs after the second
process arrives
![Page 34: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/34.jpg)
Example#define msgtype 33chan name = [0] of {byte,byte};
proctype A() { name!msgtype(99); name!msgtype(100)
}
proctype B() {byte state; name?msgtype(state)}
init { run A(); run B() }
![Page 35: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/35.jpg)
Control flow We have already seen some
Concatenation of statements, parallel execution, atomic sequences
There are a few more Case selection, repetition, unconditional
jumps
![Page 36: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/36.jpg)
Case selectionIf:: (a < b) -> option1:: (a > b) -> option2:: else -> option3 /* optional */fi Cases need not be exhaustive or
mutually exclusive Non-deterministic selection
![Page 37: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/37.jpg)
Time for example 2
![Page 38: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/38.jpg)
Repetitionbyte count = 1;
proctype counter() {
do
:: count = count + 1
:: count = count – 1
:: (count == 0) -> break
od
}
![Page 39: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/39.jpg)
Repetitionproctype counter()
{
do
:: (count != 0) ->
if
:: count = count + 1
:: count = count – 1
fi
:: (count == 0) -> break
od
}
![Page 40: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/40.jpg)
Unconditional jumpsproctype Euclic (int x, y) {
do
:: (x > y) -> x = x – y
:: (x < y) -> y = y – x
:: (x == y) -> goto done
od ;
done: skip
}
![Page 41: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/41.jpg)
Procedures and Recursion Procedures can be modeled as
processes Even recursive ones Return values can be passed back to the
calling process via a global variable or a message
![Page 42: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/42.jpg)
Time for example 3
![Page 43: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/43.jpg)
TimeoutsProctype watchdog() {
do
:: timeout -> guard!reset
od
} Get enabled when the entire system is
deadlocked No absolute timing considerations
![Page 44: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/44.jpg)
Assertions assert(any_boolean_condition)
pure expression
If condition holds -> no effect
If condition does not hold -> error report during verification with Spin
![Page 45: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/45.jpg)
Time for example 4
![Page 46: Introduction to Spin and Promela](https://reader035.fdocuments.in/reader035/viewer/2022062722/56813adf550346895da32b65/html5/thumbnails/46.jpg)
References
http://cm.bell-labs.com/cm/cs/what/spin/
http://cm.bell-labs.com/cm/cs/what/spin/Man/Manual.html
http://cm.bell-labs.com/cm/cs/what/spin/Man/Quick.html