1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker.
The SPIN Model Checker
description
Transcript of The SPIN Model Checker
Frederico Araujo
CS6362 – Fall 2010
The SPIN Model Checker
Outline
2
What is model checking?Why model checking?SPIN
Basic ConceptsPromela
Promela ModelCorrectness Claims
JSpinCase Studies
What is model checking?
3
“Model checking is an automated technique that, given a finite-state model of a system and a logical property, systematically checks whether this property holds for (a given initial state in) that model.”
Clarke & Emerson 1981
Model Checker
A (S, S0,L,T,F)
Requirement
Yes or No plus a system run violating the requirement
What is model checking?
4
(Initial) Design
Abstract Verification
Model
Implementation
Model Checker
abstraction
refinement
Verification Model Abstraction of a design
simplification Express assumptions about the
environment and correctness properties
Why model checking?
5
It serves to prove that the design principles are soundCan predict wheter a model is valid or not
before its implementationNot expected to be part of the final
implementation of a systemIt anticipates design defects discovery
Potential to reduce costs related to rework and risks of failures in mission-critical systems
SPIN Introduction
6
SPIN (Simple Promela Interpreter) is a popular open-source model checker that can be used for the formal verification of asynchronous and distributed software systems.
Developed at Bell Labs, starting in 1980.Free, since 1991All Spin software is written in ANSI standard C,
and is portable across multiple platformsSPIN homepage is www.spinroot.com2002 ACM software system award for 2001
SPIN Introduction
7
Common flaws that occur in design of distributed software systems:DeadlockLivelock, starvationUnderspecificationOverspecification
SPIN Basic Concepts
8
Spin can be used in 2 basic modes :as a simulator to get a quick impression of
the behavior captured by the system model:guided simulationrandom and interactive simulation
as a verifier: when a counterexample is generated, it uses simulation to step through the trace
SPIN Basic Concepts
9
SPIN verification: prove correctness of process interactions
Processes refer to system components that communicate with each other
Communication rendezvous primitives (synchronous)buffered channels (asynchronous )shared variables
SPIN Basic Concepts
10
SPIN provides:An intuitive, C-like notation (Promela) for
specifying the finite-state abstraction of a system unambiguously
A notation for expressing general correctness requirements as LTL (Linear Temporal Logic) formulae
Promela Introduction
11
PROMELA (Process Meta-language), served as input to SPIN
Non-deterministic , guarded command language for specifying the system behavior of a distributed system
Systems of interacting, asynchronous threads of execution
It brings ideas from:CSP process algebra by Hoare for input/outputC language in some of the syntax and notational
conventionsa non-deterministic guarded command language
Promela Introduction
12
The properties define the
real objectif of a
verification
Behavior specicification (what is possible)• process behavior• variables, data types• message channelsLogical correctness properties (what is valid)• assertions• end-state, progress-state, and acceptance state labels• never claims (LTL formulae)• trace assertions• default properties:• absence of system deadlock• absence of unreachable code
Promela Model
13
Consists ofProcessData objectsMessage channels
Corresponds to a FSMEvery object is bounded
Process 255*
Message channels 255*
Data data type dependent* For current versions of SPIN
mytype = {MSG, ACK};chan toS=…chan toR=…bool flag;active proctype Sender(){…process body…}active proctype Receiver(){…process body…}
Promela Processes
14
Basic structureproctype Sender(chan in; chan out){
... process body ...}
Process creationinit and active
proctype You_run(){
... process body ...}init {
run You_run();}
active proctype You_run(){ ... process body ...}active [2] proctype You_run_b(){ ... process body ...}
Promela Processes
15
There can be more than one process inside a Promela model
A process executes concurrently with other processes.
A process also communicates with other processes by sending/receiving messages across channels by using shared (global) variables with other processes
Local state of a process is defined by process counter (defines the location of the process) and the values of the local variables of the process.
Promela Data Objects
16
Variables can be local or globalDefault initial value of both local and global
variables is 0Variables can be assigned a value by an
assignment, argument passing or message passing
Variables can be used in expressions which includes most arithmetic, relational and logical operators of C
Promela Basic Types
17
Basic Types
Array DeclarationArray Access
Records type definition
Record declarationRecord Access
Enumeration type for messagesFrom Verification Techniques lecture notes, Uppsala Universitet, Sweden
Promela Expressions
18
Operators
Conditional expressions
Operations on channels identifiers
From Verification Techniques lecture notes, Uppsala Universitet, Sweden
Promela Message Channels
19
Communication between processes through channels
FIFODeclared as arraysThere can be two types of communications:
Message-passing or asynchronousRendezvous or synchronous (channel of
dimension 0)
Promela Message Channels
20
Declarationchan qname = [16] of {short, byte, bool}
Sending messageqname!expr1, expr2, expr3
Receiving messageqname?var1, var2, var3constrained qname?cons1,var2,var3
To test if a send receive can be executable without side effectqname?[var1, var2, var3]
Promela Message Channels
21
Asynchronous communicationmtype = { msg0, msg1, ack0, ack1 };chan to_sndr = [2] of { mtype };chan to_rcvr = [2] of { mtype };active proctype Sender(){again: to_rcvr!msg1;
to_sndr?ack1;to_rcvr!msg0;to_sndr?ack0;goto again
}active proctype Receiver(){again: to_rcvr?msg1;
to_sndr!ack1;to_rcvr?msg0;to_sndr!ack0;goto again
}
Promela Message Channels
22
Synchronous communication (rendezvous)mtype = { msgtype };chan name = [0] of { mtype, byte };active proctype A(){
name!msgtype(124);name!msgtype(121)
}active proctype B(){
byte state;name?msgtype(state)
}
Promela Message Channels
23
Synchronous communication (rendezvous)mtype = { msgtype };chan glob = [0] of { chan };active proctype A(){
chan loc = [0] of { mtype, byte };glob!loc;
loc?msgtype(121)}active proctype B(){
chan who;glob?who;who!msgtype(121)
}
Promela Statements
24
Statements are separated by a semi-colonAssignments and expressions are statementsskip statement: does nothing, only changes the
process counterprintf statement: not evaluated during verificationassert(expr): Assert statement is used to check if
the property specified by the expression expr is valid within a state. If expr evaluates to 0, it implies that it is not valid and SPIN will exit with an error.
Promela Statements
25
if statementif:: choice1 -> stat1.1; stat1.2;:: choice2 -> stat2.1; stat2.2;:: …:: choicen -> statn.1; statn.2;fi;
if statement is executable if there is at least one choice which is executable and is blocked if none of the choices are executable
If more than one choice is executable, SPIN non-deterministically chooses one of the executable choices
Promela Statements
26
do statementdo:: choice1 -> stat1.1; stat1.2;:: choice2 -> stat2.1; stat2.2;:: …:: choicen -> statn.1; statn.2;od;
do statement behaves in the same way as if statement in terms of choice selection but, executes the choice selection repeatedly
break statement can be used to come out of a do loop transferring control to the statement just outside the loop
Promela Atomic operator
27
A process whose control is inside
atomic{ }
executes without being interrupted by other processes
From Verification Techniques lecture notes, Uppsala Universitet, Sweden
Promela Correcteness Claims
28
Basic assertions (checked during simulation run)
End-state labelsProgress-state labelsAccept-state labels checked during
verification runNever claimsTrace assertions
Promela Correcteness Claims
29
safety property“nothing bad ever happens”
invariantx is always less than 5
deadlock freedomthe system never reaches a state
where no actions are possibleSPIN
find a trace leading to the “bad” thing. If there is not such a trace, the property is satisfied.
liveness property
“something good will eventually happen”
terminationthe system will eventually
terminate response
if action X occurs then eventually action Y will occur
SPINfind a (infinite) loop in which the “good” thing does not happen. If there is not such a loop, the property is satisfied.
Promela Correcteness Claims
30
Correctness properties can be expressed:as properties of reachable states (generic safety properties)as properties of sequences of states (generic liveness properties)
In Promela:
properties of states
assertionslocal process assertionssystem invariants
end-state labelsto define proper termination
points of processesaccept-state labels
when looking for acceptance cyclesprogress-state labels
when looking for non-progress cyclesnever claims (optionally derived from LTL formulae)trace assertions
properties ofsequencesof states
Promela Correcteness Claims
31
Assertionbyte state = 1;active proctype A(){
(state == 1) -> state++;assert(state== 2)
}active proctype B(){
(state == 1) -> state--;assert(state== 0)
}
pan: assertion violated (state==2) (at depth 6)pan: wrote assertion-example.pml.trail(Spin Version 4.3.0 -- 22 June 2007)Warning: Search not completed
+ Partial Order ReductionFull statespace search for:
never claim - (none specified)assertion violations +cycle checks - (disabled by -
DSAFETY)invalid end states - (disabled by -E
flag)State-vector 16 byte, depth reached 6, ••• errors: 1 ••• 10 states, stored 0 states, matched 10 transitions (= stored+matched) 0 atomic stepshash conflicts: 0 (resolved)2.302 memory usage (Mbyte)
Promela Correcteness Claims
32
Assertionbyte state = 1;active proctype A(){
(state == 1) -> state++;assert(state== 2)
}active proctype B(){
(state == 1) -> state--;assert(state== 0)
}
pan: assertion violated (state==2) (at depth 6)pan: wrote assertion-example.pml.trail(Spin Version 4.3.0 -- 22 June 2007)Warning: Search not completed
+ Partial Order ReductionFull statespace search for:
never claim - (none specified)assertion violations +cycle checks - (disabled by -
DSAFETY)invalid end states - (disabled by -E
flag)State-vector 16 byte, depth reached 6, ••• errors: 1 ••• 10 states, stored 0 states, matched 10 transitions (= stored+matched) 0 atomic stepshash conflicts: 0 (resolved)2.302 memory usage (Mbyte)
What is the problem with this
model?
Promela Correcteness Claims
33
Assertionbyte state = 1;active proctype A(){atomic {(state == 1) -> state++; } assert(state== 2)}active proctype B(){atomic{(state == 1) -> state--;} assert(state== 0)}
(Spin Version 4.3.0 -- 22 June 2007)+ Partial Order Reduction
Full statespace search for:never claim - (none specified)assertion violations +cycle checks - (disabled by -
DSAFETY)invalid end states - (disabled by -E
flag)State-vector 16 byte, depth reached 3, ••• errors: 0 ••• 6 states, stored 0 states, matched 6 transitions (= stored+matched) 0 atomic stepshash conflicts: 0 (resolved)2.302 memory usage (Mbyte)unreached in proctype A
(0 of 5 states)unreached in proctype B
(0 of 5 states)
Promela Correcteness Claims
34
End-statemtype= { p, v };chan sem= [0] of { mtype};byte count;active proctype semaphore(){end: do :: sem!p-> sem?v od}active [5] proctype user(){end: do :: sem?p; count++; /* critical section */ count--; sem!v od}
(Spin Version 4.3.0 -- 22 June 2007)+ Partial Order Reduction
Full statespace search for:never claim - (none specified)assertion violations +cycle checks - (disabled by -
DSAFETY)invalid end states +
State-vector 36 byte, depth reached 5, ••• errors: 0 ••• 16 states, stored 5 states, matched 21 transitions (= stored+matched) 0 atomic stepshash conflicts: 0 (resolved)2.302 memory usage (Mbyte)unreached in proctype semaphore
line 9, state 6, "-end-"(1 of 6 states)
unreached in proctype userline 19, state 8, "-end-"(1 of 8 states)
Promela Correcteness Claims
35
Progress-statemtype= { p, v };chan sem= [0] of { mtype};byte count;active proctype semaphore(){end: do :: sem!p-> progress: sem?v od}active [5] proctype user(){end: do :: sem?p; count++; /* critical section */ count--; sem!v od}
(Spin Version 4.3.0 -- 22 June 2007)+ Partial Order Reduction
Full statespace search for:never claim +assertion violations + (if within scope
of claim)non-progress cycles +
(fairness disabled)invalid end states - (disabled by
never claim)State-vector 44 byte, depth reached 9, ••• errors: 0 ••• 21 states, stored 5 states, matched 26 transitions (= stored+matched) 0 atomic stepshash conflicts: 0 (resolved)2.302 memory usage (Mbyte)unreached in proctype semaphore
line 10, state 6, "-end-"(1 of 6 states)
unreached in proctype userline 20, state 8, "-end-"(1 of 8 states)
Non-progress verification
Promela Correcteness Claims
36
SPIN’s automata for semaphore problemEnd: End:
Progress:
Promela Correcteness Claims
37
Fairness finite progress assumptionwhen a process can make progress, it eventually will
1. weak fairness:if a statement is executable infinitely long, it will eventually be executed
2. strong fairness:if a statement is executable infinitely often, it will eventually be executed
fairness can be applied tonon-deterministic statement selection within a processnon-deterministic statement selection between processes
Promela Correcteness Claims
38
Accept-statemtype= { p, v };chan sem= [0] of { mtype};byte count;active proctype semaphore(){do:: sem!p-> sem?vod}active [5] proctype user(){do:: sem?p->accept: count++;/* critical section */count--;sem!vod}
pan: acceptance cycle (at depth 0)pan: wrote _accept-example.pml.trail(Spin Version 4.3.0 -- 22 June 2007)Warning: Search not completed
+ Partial Order ReductionFull statespace search for:
never claim - (none specified)assertion violations +acceptance cycles + (fairness
disabled)invalid end states +
State-vector 40 byte, depth reached 5, ••• errors: 1 ••• 4 states, stored 0 states, matched 4 transitions (= stored+matched) 0 atomic stepshash conflicts: 0 (resolved)2.302 memory usage (Mbyte)
Acceptance verification
Promela Correcteness Claims
39
SPIN’s counterexample for acceptance example
Implicit meaning: there should not exist any executions that can pass through an accept-state infinitely often
Promela Correcteness Claims
40
Linear Temporal Logic (LTL) and Buchi Automata never { /* <>(p&&[]!q) */
T0_init:if:: (! ((q)) && (p)) -> goto accept_S4:: (1) -> goto T0_initfi;
accept_S4:if:: (! ((q))) -> goto accept_S4fi;
}
Temporal logic operators:
eventually always
From Verification Techniques lecture notes, Uppsala Universitet, Sweden
Promela Correcteness Claims
41
Never claimNeeded capability for
defining more precise checks
Implicit meaning: specifies finite or infinite behavior that should never occur
Note: p and q need to be defined as macros: #define p (x>10)#define q (x<100)
never { /* <>(p&&[]!q) */T0_init:
if:: (! ((q)) && (p)) -> goto accept_S4:: (1) -> goto T0_initfi;
accept_S4:if:: (! ((q))) -> goto accept_S4fi;
}
JSpin
42
It is a java based GUI for SPIN model checker
Adapted from Theo C. Ruys - SPIN Beginners' Tutorial
JSpin
Case Studies
43
peterson’s mutual exclusion algorithmpaper: Towards a Methodology for Formal
Design and Analysis of Agent Interaction Protocols
References
44
Gerard J. Holzmann.The SPIN model checker: primer and reference guide, Addison-Wesley, September 2003
G. Holzmann, The Model Checker Spin ,IEEE Trans. on Software Engineering, Vol. 23, No. 5, May 1997, pp. 279-295
SPIN page: http://spinroot.comTheo C. Ruys. SPIN Beginners’ Tutorial, SPIN Workshop
2002, Grenoble, France, 2002Wei Jun, Cheung Shing-Chi, Wang Xul. Towards a
Methodology for Formal Design and Analysis of Agent Interaction Protocols - An Investigation in Electronic Commerce, Wuhan University Journal of Natural Sciences Vol. 6 No. 1-2, 2001
45
Questions?