Microsoft PowerPoint - Introduction to SPIN by lindash

VIEWS: 11 PAGES: 15

More Info
									                                                                            Acknowledgments


                                                                                                Parts of the slides are based on an
                                                                                               earlier lecture by Radu Iosif, Verimag.

                                  Introduction to SPIN

                                              Ralf Huuck




 Ralf Huuck                                        COMP 4152            1
                                                                             Ralf Huuck                                COMP 4152                           2




 PROMELA/SPIN                                                               Features

                                                                             Given a PROMELA model (program), SPIN can do:
PROMELA (PROcess MEta LAnguage) is:                                                   – a random simulation i.e. it interprets the program
       – a language to describe concurrent (distributed) systems:                         • this mode cannot be used in exhaustive verification
                                                                                          • useful for viewing error traces
                  • network protocols, telephone systems
                  • multi-threaded (-process) programs
                                                                                      – an exhaustive analysis
       – similar with some structured languages (e.g. C, Pascal)
                                                                                          • considers all possible executions of the program
                                                                                          • finds all potential errors, both deadlock and user-specified
SPIN (Simple Promela INterpreter) is a tool for:
       – detecting logical errors in the design of systems e.g:              Deadlock:
                  • deadlocks                                                         – situation in which at least one process remains blocked forever
                  • assertions (e.g. race conditions)                                   while waiting for an inexistent event to happen
                  • temporal logic formulas
                                                                             User specified constraints:
                                                                                      – assertions
                                                                                      – temporal (never) claims
     Ralf Huuck                                    COMP 4152        3        Ralf Huuck                                COMP 4152                           4




                                                                                                                                                               1
Example                                                                 SPIN Simulation


 PROMELA “Hello World”                                                      init {
                                                                             printf(“Hello World\n”);
                                                                            }
              init {
                  printf(“Hello World\n”);
              }
                                                                                                                   C:\> spin –p hello.prom
                                                                                                   SPIN
 The simplest erroneous specification
                                                                                                                              simulation trace
                                                                                                   0:          proc - (:root:) creates proc   0 (:init:)
              init {
                                                                                                   Hello World
                  0;                                                                                 1:        proc 0 (:init:) line    3 "pan_in" (state
                                                                                                   1)          [printf(‘Hello World\\n')]
              }

 Ralf Huuck                       COMP 4152                         5    Ralf Huuck                             COMP 4152                                  6




SPIN Analysis (1)                                                       SPIN Analysis (2)


    init {                                                                pan.exe               dlock.prom.trail            ERROR
     0;                                       C:\> spin –a dlock.prom
    }                             SPIN

                                                                             OK
                                                                                                        SPIN          C:\> spin –p -t dlock.prom
                  pan.t   pan.m    pan.b      pan.h    pan.c


                                                                                                                             error trace
                                                                                  #processes: 1
                                    GCC                                            -4:     proc 0 (:init:) line       3 "pan_in" (state 1)
                                                                                  1 processes created




                                   pan.exe

 Ralf Huuck                       COMP 4152                         7    Ralf Huuck                             COMP 4152                                  8




                                                                                                                                                               2
                                                                        Similar to C


                                                                                      • all C pre-processor directives can be used

                                                                                                 #define NAME 5
                         The PROMELA language
                                                                                      • definitions of types, variables, processes

                                                                                      • if,do,break,goto control flow constructs




Ralf Huuck                                   COMP 4152              9
                                                                         Ralf Huuck                            COMP 4152             10




Basic Types and Ranges                                                  Recode Types (user defined)


                 bit, bool            0..1
                                                                                           typedef S {
                 byte                 0..255
                                                                                                short a, b;
                 short                - 2^15 - 1 .. 2^15 - 1
                 int                  -2^31 – 1 .. 2^31 - 1
                                                                                                byte x;
                                                                                           };
                 Warning: type ranges are OS-dependent
                             (just like in C)                                             • look like C structures

                 At most one enumeration type


                 mtype = {one, two, three};
    Ralf Huuck                               COMP 4152         11        Ralf Huuck                            COMP 4152             12




                                                                                                                                          3
Variables                                                                   Procedures

                                                                             there are no procedures, only processes
 Variables (same C syntax)
                                                                               proctype foo(int x, y; bit b){...}
                   int x, y;                                                 • the init process (like main in C)
                                                                                      – has no parameters
                   int z = 0;
                                                                             • can be activated by
                   mtype m = one;

                                                                                 run foo(254, 255,0);
                                                                                  or automatically


                                                                                 active proctype foo(int x, y; bit b){...}


 Ralf Huuck                         COMP 4152                          13    Ralf Huuck                         COMP 4152                               14




Scoping                                                                     Arrays and Constants



                                                                                      – arrays declared like variables:
              – variables are global if declared outside any                              int vector[32];
                process
                                                                                      – indexes are zero-based
                                                                                      – scoping rules apply (there might be global and local vectors)
              – variables are local a process if declared within its
                proctype declaration

              – local variables shadow globals with the same
                name


 Ralf Huuck                         COMP 4152                          15    Ralf Huuck                         COMP 4152                               16




                                                                                                                                                             4
Example                                                                Expressions


 #define length 64                                                               –   logical:                    ||, &&, !
 mtype = {red, yellow, green};                                                   –   arithmetic:                 +, -, /, %
 byte state = green;                                                             –   relational:                 >,<,<=,>=,==,!=
 int counter;                                                                    –   vector access:              v[i]
 bit memory[length];                                                             –   record access:              x.f
 init {                                                                          –   process creation:           run X()
 ...
 }




 Ralf Huuck                           COMP 4152                   17    Ralf Huuck                             COMP 4152               18




Statements (1)                                                         Statements (2)


          – are execution steps of processes                            • Expression statements
          – an important characteristic is executability:                             • not executable iff expression evaluates to 0
                                                                        • Assignment statements
              For instance:                                                           • always executable
                                                                        • Skip statements
                                  x <= 10;                                            • always executable
                                                                                      • do “nothing” (only change control location)
              is the (proper) way of expressing something like:         • Print statements
                                                                                      • always executable

                              wait until(x <= 10);



 Ralf Huuck                           COMP 4152                   19    Ralf Huuck                             COMP 4152               20




                                                                                                                                            5
Statements (3)                                                                        Control Flow (1)

                                                                                           • Select construct
                                                                                                    if
 • Assert statements                                                                                :: <choice1> -> <stat11>; <stat12>; …
                  assert( <expression> );                                                           :: <choice2> -> <stat21>; <stat22>; …
                   • always executable                                                              …
                   • expression evaluates to zero => program exits                                  fi;

                                                                                           • What does it do?
 • Statements are atomic                                                                                   • if a (random) choice is executable, continues execution
                   • in a concurrent program, each statement is executed                                     with the corresponding branch
                     without interleaving with other processes                                             • if no choice is executable, the whole select is not
                                                                                                             executable
                                                                                                           • if more than one choice is executable, we say the
                                                                                                             selection is non-deterministic
 Ralf Huuck                              COMP 4152                               21    Ralf Huuck                               COMP 4152                              22




Control Flow (2)                                                                      Control Flow (3)

 • Loop construct                                                                      • The else choice
              do
                                                                                                         • is executable only when no other choice is executable
              :: <choice1> -> <stat11>; <stat12>; …
              :: <choice2> -> <stat21>; <stat22>; …
                                                                                       • The break statement
              …
                                                                                                         • transfers control at the end of loop
              od;

                                                                                       • The goto statement
 • What does it do?                                                                                      • transfers control to a labeled location
                   • same as the selection, except that at the end of a branch
                     it loops back and repeats the choice selection



 Ralf Huuck                              COMP 4152                               23    Ralf Huuck                               COMP 4152                              24




                                                                                                                                                                            6
Traffic Light Example                                           Concurrency


                                                                 • Processes can spawn other processes using the run
                                                                   expression
 mtype = {red, yellow, green};
 byte state = green;                                                    proctype foo(int x; byte y) {…}
 init {
       do                                                               init {
       :: (state == green) -> state = yellow;                                 int pid;
       :: (state == yellow) -> state = red;                                   pid = run foo(256, 255);
       :: (state == red) -> state = green;                                    /* or simply: */
       od                                                                     run foo(256, 255);
 }                                                                            …
                                                                        }
 Ralf Huuck                COMP 4152                       25    Ralf Huuck                        COMP 4152                        26




Interleaving                                                    Complexity



• Premises:                                                                   s11        s21
                                                                                                                s11
                                                                                                                        s21

    – two or more processes composed of atomic statements
    – one processor shared between processes                                  s12        s22              s12         s21


                                                                                                                              ...
• Problems:
    – worst-case complexity is exponential in number of
                                                                 • how many states can be reached in this example?
      processes
    – improper mutex (locking) may cause race conditions         • express this number as function of:
                                                                        K = number of processes
                                                                        N = number of states/process
 Ralf Huuck                COMP 4152                       27    Ralf Huuck                        COMP 4152                        28




                                                                                                                                         7
 Reducing Complexity (1)                                                   Reducing Complexity (2)


                                                   s11                                                                         s11+s12
                         s11        s21                  s21                                       s11         s21                        s21

atomic                                                                    d_step
                         s12        s22      s12                                                   s12         s22                       s21


                                                               ...                                                                              ...
                                                   s21


                                                                                 • if a statement inside d_step is not executable
                                                                                   => error (block inside d_step)
                                                                                 • no if, do, break, goto, run allowed
       • if a statement inside atomic is not executable,                           inside d_step (i.e., deterministic step)
         transfer temporarily control to another process
   Ralf Huuck                         COMP 4152                      29      Ralf Huuck                            COMP 4152                          30




 Apprentice Example                                                        Apprentice Example

       • Good apprentice                                                         • Good apprentice
                int counter = 0;                                                          int counter = 0;
                active[2] proctype incr() {                                               active[2] proctype incr() {
                    counter = counter + 1;                                                    counter = counter + 1;
                }                                                                         }

       • creates 2 identical copies,                                             • Bad apprentice
       • share variable counter                                                           int counter = 0;

       • interleaving                                                                     active[2] proctype incr() {
                                                                                              int tmp;
                                                                                              tmp = counter + 1;
                                                                                              counter = tmp;
                                                                                          }
   Ralf Huuck                         COMP 4152                      31      Ralf Huuck                            COMP 4152                          32




                                                                                                                                                           8
Apprentice Example                                                                         Mutual Exclusion (bad) Example

        • Good apprentice
                                                                                                 proctype Y() {                        proctype X() {
                 int counter = 0;
                                                                                                         x = 1;                              y = 1;
                 active[2] proctype incr() {
                                                                                                         y == 0;                             x == 0;
                     counter = counter + 1;
                                                                                                         mutex ++;                           mutex ++;
                 }
                                                                                                         mutex --;                           mutex --;
        • Bad apprentice
                                                                                                         x = 0;                              y = 0;
                 int counter = 0;
                                                                                                 }                                     }
                 active[2] proctype incr() {
                     int tmp;
                                                                                                                     proctype monitor() {
                     tmp = counter + 1;
                                               atomic                                                                    assert(mutex != 2);
                     counter = tmp;
                                                                                                                     }
                 }
    Ralf Huuck                              COMP 4152                                 33    Ralf Huuck                           COMP 4152               34




Dekker’s Mutual Exclusion                                                                  Bakery Mutual Exclusion

proctype A() {                                          proctype B() {
    x = 1;                                                  y = 1;
                                                                                             proctype A() {
    turn = Bturn;                                           turn = Aturn;
                                                                                                   do
    (y == 0) || (turn == Aturn);                            (x == 0) || (turn == Bturn);
    mutex ++;                                               mutex ++;
                                                                                                   :: 1 -> turnA = 1;

    mutex --;                                               mutex --;                                   turnA = turnB + 1;
    x = 0;                                                  y = 0;
                                                                                                        verification terminate?
                                                                                                 • does (turnB == 0) || (turnA < turnB);

}                                                       }                                                   mutex ++; mutex --;
                                                                                                            turnA = 0;
                                                                                                   od
                                proctype monitor() {
                                                                                             }
                                    assert(mutex != 2);
                                }
    Ralf Huuck                              COMP 4152                                 35    Ralf Huuck                           COMP 4152               36




                                                                                                                                                              9
Communication                                                           Communication (2)


 1. Message passing                                                      •            Send statement                   q ! <expr>;
 2. Rendez-vous synchronization
                                                                                –       for rendez-vous channels is executable iff
 •            Both methods rely on channels:                                            another process is ready to receive at the same
                                                                                        time    both processes are involved in a rendez-
                chan q = [<dim>] of {<type>};                                           vous
                chan q; /* just declaration */
                                                                                –       for asynchronous queues is executable iff the
        –       if dim is 0 then q is a rendez-vous port                                queue is not full
        –       otherwise q is an asynchronous channel


 Ralf Huuck                       COMP 4152                        37    Ralf Huuck                        COMP 4152                       38




Communication (2)                                                       Communication (3)


                                              q ? <var>;                 •            Channel test statement               q ? <expr>;
 •            Receive statement               q ? _;
                                                                                –       same as receive for rendez-vous channels
        –       for rendez-vous channels is executable iff
                another process is ready to send at the same
                time    both processes are involved in a rendez-                –       for asynchronous queues is executable iff the first
                vous                                                                    value in the queue matches the result of expr

        –       for asynchronous queues is executable iff the
                queue is not empty


 Ralf Huuck                       COMP 4152                        39    Ralf Huuck                        COMP 4152                       40




                                                                                                                                                10
Inter-locking Example

              chan lock = [1] of bit;
              proctype foo(chan q) {
                  q ? 1;
                  /* critical section */                                      Correctness Claims
                  q ! 1;
              }
              init {
                  lock ! 1;
                  run foo(lock);
                  run foo(lock);
              }
                                                   Ralf Huuck                             COMP 4152             42
 Ralf Huuck                    COMP 4152      41




Claims                                             Basic Assertions


•   basic assertions                                                        assert {expression}

•   end state labels
•   progress state labels                                           SPIN reports any violation of assertions
                                                                    during simulation or verification.
•   accept state labels
•   never claims                                                               proctype monitor() {

•   trace assertions                                                               assert(mutex != 2);
                                                                               }

    all provide means to check requirements
                                                          spin: line 2 “pan”, Error: assertion violated


 Ralf Huuck                    COMP 4152      43       Ralf Huuck                         COMP 4152            44




                                                                                                                     11
Meta Labels                                                        End States


• labels with special meaning                                       • an end state in PROMELA is a state with no
• reserved                                                            successors
• only available in verification mode                               • end states can be labeled as valid by
                                                                      introducing labels that start with end
 Labels for                                                                  – end0,endsome, …
• end states                                                        • at the end of each process there is a default
• progress states                                                     valid end state
• accept states                                                     • a deadlock is a state with no successors in
                                                                      which at least one process is not in a valid
                                                                      end state
 Ralf Huuck                      COMP 4152                    45    Ralf Huuck               COMP 4152                46




Example End State                                                  Progress States


                                                                   • similar to end states
                                                                   • progress states are introduced by labels that
              proctype Y() {                 proctype X() {

                                                                     start with progress
                  x = 1;                         y = 1;
              endY:                          endX:
                                                                        – progress0,progresssome, …
                  y == 0;                        x == 0;
                  mutex ++;                      mutex ++;         • verifier must in each execution reach progress
                  mutex --;                      mutex --;           label infinitely often
                  x = 0;                         y = 0;            • typically requires fairness
              }                              }



                      Allow processes to block.
 Ralf Huuck                      COMP 4152                    47    Ralf Huuck               COMP 4152                48




                                                                                                                           12
Example Progress State                                                  Accept States


                                                                        • dual to end states
                                                                        • accept states are introduced by labels that start
                 proctype Y() {                proctype X() {

                                                                          with accept
                     x = 1;                        y = 1;
                     y == 0;                       x == 0;
                                                                             – accept0,acceptsome, …
                     mutex ++;                     mutex ++;
                     mutex --;                     mutex --;            • verifier must not reach in any execution reach
                 progressY:                    progressX:                 accept label in infinitely often
                     x = 0;                        y = 0;
                 }                             }



     Mutual exclusion infinitely many times for both processes.
 Ralf Huuck                        COMP 4152                       49    Ralf Huuck                      COMP 4152                  50




Example Accept State                                                    Never Claims (1)


                                                                                                  never {statement}
                 proctype Y() {                proctype X() {
                     x = 1;                        y = 1;

                                                                                      • special type of process, is instantiated once
                     y == 0;                       x == 0;

                                                                                      • used to detect illegal behaviors
                     mutex ++;                     mutex ++;
                     mutex --;                     mutex --;
                 acceptY:                      y = 0;
                                                                                      • SPIN has LTL to never claim translator
                     x = 0;                    }
                 }



              Mutual exclusion infinitely many times for X only.
 Ralf Huuck                        COMP 4152                       51    Ralf Huuck                      COMP 4152                  52




                                                                                                                                         13
Never Claims (2)


                          never {statement}



              SPIN reports any violation of never claims                               SPIN Options
              during simulation or verification.
               Invariant p:   never {
                                     do
                                     :: !p -> break
                                     :: else
                                     od
                                     }

                                                                 Ralf Huuck                  COMP 4152        54
 Ralf Huuck                       COMP 4152                 53




Simulation                                                       Generating Verifier


 random simulation: spin model                                   -a syntax check and verifier generation
                                                                 -f formula generates never claim from LTL
 -i performs interactive simulation
                                                                 -F file same but from file
 -jN skips first N steps of random/guided sim.
 -p shows execution of states
 -s/-r shows details about send/receive
 -t interactive sim following on produced execution trace
 -v verbose
 and many more!



 Ralf Huuck                       COMP 4152                 55       Ralf Huuck              COMP 4152       56




                                                                                                                   14
Verification                                    References


-A suppresses basic assertion violations        • http://spinroot.com/
-a use for accept cycle detection               • quick references http://spinroot.com/spin/Man/Quick.html
-f uses weak fairness
-l use for progress cycles                      you better read them ☺




 Ralf Huuck                  COMP 4152     57    Ralf Huuck               COMP 4152                     58




                                                                                                             15

								
To top