Docstoc

SPIN NC programming system

Document Sample
SPIN NC programming system Powered By Docstoc
					Flavio Lerda          Carnegie Mellon University   SPIN




                             SPIN

               An explicit state model checker




                                  1
Flavio Lerda          Carnegie Mellon University   SPIN


        Explict State Model Checker
    • Represents the system as an finite state
      machine
    • Visits each reachable state (state space)
      explicitly
    • Checks some property
        – Property is satisfied
        – Counterexample



                                  2
Flavio Lerda           Carnegie Mellon University   SPIN


                               DFS
    • DFS visit of the state space

        procedure DFS(s)
          visited = visited  {s};
          for each successor s’ of s
            if s’  visited then
              DFS(s’);
            end if
          end for
        end procedure


                                   3
Flavio Lerda              Carnegie Mellon University   SPIN


                                  DFS
    • How do we:
        – Represent the transition relation
        – Store the visited set
               • Needs fast access (hash table)
               • State space explosion
        – Check properties




                                      4
Flavio Lerda         Carnegie Mellon University         SPIN


                        Promela
    • Process Algebra
        – An algebraic approach to the study of
          concurrent processes. Its tools are algebraical
          languages for the specification of processes
          and the formulation of statements about them,
          together with calculi for the verification of
          these statements. [Van Glabbeek, 1987]
    • Describes the system in a way similar to a
      programming language

                                 5
Flavio Lerda     Carnegie Mellon University   SPIN


                    Promela
    • Asynchronous composition of independent
      processes
    • Communication using channels and global
      variables
    • Non-deterministic choices and
      interleavings




                             6
Flavio Lerda                   Carnegie Mellon University        SPIN


                               An Example
    mtype = { NONCRITICAL, TRYING, CRITICAL };
    show mtype state[2];
    proctype process(int id) {
    beginning:
    noncritical:
        state[id] = NONCRITICAL;                            NC
        if
        :: goto noncritical;
        :: true;
        fi;
    trying:                                                 T
        state[id] = TRYING;
        if
        :: goto trying;
        :: true;
        fi;
    critical:                                               C
        state[id] = CRITICAL;
        if
        :: goto critical;
        :: true;
        fi;
        goto beginning;}
    init { run process(0); run process(1); }




                                                 7
Flavio Lerda                   Carnegie Mellon University   SPIN


                               An Example
    mtype = { NONCRITICAL, TRYING, CRITICAL };
    show mtype state[2];
    proctype process(int id) {
    beginning:
    noncritical:
        state[id] = NONCRITICAL;
        if
        :: goto noncritical;
        :: true;
        fi;
    trying:
        state[id] = TRYING;
        if
        :: goto trying;
        :: true;
        fi;
    critical:
        state[id] = CRITICAL;
        if
        :: goto critical;
        :: true;
        fi;
        goto beginning;}
    init { run process(0); run process(1); }




                                                 8
Flavio Lerda                   Carnegie Mellon University   SPIN


                               An Example
    mtype = { NONCRITICAL, TRYING, CRITICAL };
    show mtype state[2];
    proctype process(int id) {
    beginning:
    noncritical:
        state[id] = NONCRITICAL;
        if
        :: goto noncritical;
        :: true;
        fi;
    trying:
        state[id] = TRYING;
        if
        :: goto trying;
        :: true;
        fi;
    critical:
        state[id] = CRITICAL;
        if
        :: goto critical;
        :: true;
        fi;
        goto beginning;}
    init { run process(0); run process(1); }




                                                 9
Flavio Lerda                   Carnegie Mellon University   SPIN


                               An Example
    mtype = { NONCRITICAL, TRYING, CRITICAL };
    show mtype state[2];
    proctype process(int id) {
    beginning:
    noncritical:
        state[id] = NONCRITICAL;
        if
        :: goto noncritical;
        :: true;
        fi;
    trying:
        state[id] = TRYING;
        if
        :: goto trying;
        :: true;
        fi;
    critical:
        state[id] = CRITICAL;
        if
        :: goto critical;
        :: true;
        fi;
        goto beginning;}
    init { run process(0); run process(1); }




                                                 10
Flavio Lerda                   Carnegie Mellon University   SPIN


                               An Example
    mtype = { NONCRITICAL, TRYING, CRITICAL };
    show mtype state[2];
    proctype process(int id) {
    beginning:
    noncritical:
        state[id] = NONCRITICAL;
        if
        :: goto noncritical;
        :: true;
        fi;
    trying:
        state[id] = TRYING;
        if
        :: goto trying;
        :: true;
        fi;
    critical:
        state[id] = CRITICAL;
        if
        :: goto critical;
        :: true;
        fi;
        goto beginning;}
    init { run process(0); run process(1); }




                                                 11
Flavio Lerda                   Carnegie Mellon University        SPIN


                               An Example
    mtype = { NONCRITICAL, TRYING, CRITICAL };
    show mtype state[2];
    proctype process(int id) {
    beginning:
    noncritical:
        state[id] = NONCRITICAL;                            NC
        if
        :: goto noncritical;
        :: true;
        fi;
    trying:                                                 T
        state[id] = TRYING;
        if
        :: goto trying;
        :: true;
        fi;
    critical:                                               C
        state[id] = CRITICAL;
        if
        :: goto critical;
        :: true;
        fi;
        goto beginning;}
    init { run process(0); run process(1); }




                                                 12
Flavio Lerda                    Carnegie Mellon University          SPIN


                     Enabled Statements
    • A statement needs to be enabled for the
      process to be scheduled.
               bool a, b;
               proctype p1()
               {
                 a = true;
                 a & b;
                 a = false;
               }
               proctype p2()
               {
                 b = false;
                 a & b;
                 b = true;
               }
               init { a = false; b = false; run p1(); run p2(); }




                                               13
Flavio Lerda                   Carnegie Mellon University                SPIN


                     Enabled Statements
    • A statement needs to be enabled for the
      process to be scheduled.
               bool a, b;
               proctype p1()            These statements are enabled
               {                        only if both a and b are true.
                 a = true;
                 a & b;
                 a = false;
               }
               proctype p2()
               {
                 b = false;
                 a & b;
                 b = true;
               }
               init { a = false; b = false; run p1(); run p2(); }




                                             14
Flavio Lerda                   Carnegie Mellon University                SPIN


                     Enabled Statements
    • A statement needs to be enabled for the
      process to be scheduled.
               bool a, b;
               proctype p1()            These statements are enabled
               {                        only if both a and b are true.
                 a = true;
                 a & b;
                 a = false;             In this case b is always false
               }                        and therefore there is a
               proctype p2()
                                        deadlock.
               {
                 b = false;
                 a & b;
                 b = true;
               }
               init { a = false; b = false; run p1(); run p2(); }




                                             15
Flavio Lerda                    Carnegie Mellon University   SPIN


                          Other constructs
    • Do loops
               do
               :: count = count + 1;
               :: count = count - 1;
               :: (count == 0) -> break
               od




                                           16
Flavio Lerda                    Carnegie Mellon University   SPIN


                              Other constructs
    • Do loops
    • Communication over channels
               proctype sender(chan out)
               {
                 int x;

                   if
                   ::x=0;
                   ::x=1;
                   fi

                   out ! x;
               }




                                           17
Flavio Lerda                    Carnegie Mellon University   SPIN


                          Other constructs
    • Do loops
    • Communication over channels
    • Assertions
               proctype receiver(chan in)
               {
                 int value;
                 out ? value;
                 assert(value == 0 || value == 1)
               }




                                              18
Flavio Lerda                    Carnegie Mellon University   SPIN


                          Other constructs
    •   Do loops
    •   Communication over channels
    •   Assertions
    •   Atomic Steps
               int value;
               proctype increment()
               { atomic {
                   x = value;
                   x = x + 1;
                   value = x;
               } }




                                           19
Flavio Lerda       Carnegie Mellon University         SPIN


                   On-The-Fly
    • System is the asynchronous composition
      of processes
    • The global transition relation is never build
    • For each state the successor states are
      enumerated using the transition relation of
      each process




                              20
Flavio Lerda   Carnegie Mellon University   SPIN


               On-The-Fly
                  0                0




                  1                1



                          00




                          21
Flavio Lerda   Carnegie Mellon University   SPIN


                On-The-Fly
                    0              0




                    1              1



                          00



               10




                          22
Flavio Lerda   Carnegie Mellon University   SPIN


                On-The-Fly
                    0              0




                    1              1



                          00



               10




                          23
Flavio Lerda   Carnegie Mellon University   SPIN


                On-The-Fly
                    0              0




                    1              1



                          00



               10




                          11


                          24
Flavio Lerda   Carnegie Mellon University   SPIN


                On-The-Fly
                    0              0




                    1              1



                          00



               10                      01




                          11


                          25
Flavio Lerda   Carnegie Mellon University   SPIN


                On-The-Fly
                    0              0




                    1              1



                          00



               10                      01




                          11


                          26
Flavio Lerda   Carnegie Mellon University   SPIN


                On-The-Fly
                    0              0




                    1              1



                          00



               10                      01




                          11


                          27
Flavio Lerda   Carnegie Mellon University   SPIN


                On-The-Fly
                    0              0




                    1              1



                          00



               10                      01




                          11


                          28
Flavio Lerda   Carnegie Mellon University   SPIN


                On-The-Fly
                    0              0




                    1              1



                          00



               10                      01




                          11


                          29
Flavio Lerda   Carnegie Mellon University   SPIN


                On-The-Fly
                    0              0




                    1              1



                          00



               10                      01




                          11


                          30
Flavio Lerda   Carnegie Mellon University   SPIN


                On-The-Fly
                    0              0




                    1              1



                          00



               10                      01




                          11


                          31
Flavio Lerda   Carnegie Mellon University   SPIN


                On-The-Fly
                    0              0




                    1              1



                          00



               10                      01




                          11


                          32
Flavio Lerda   Carnegie Mellon University   SPIN


                On-The-Fly
                    0              0




                    1              1



                          00



               10                      01




                          11


                          33
Flavio Lerda          Carnegie Mellon University               SPIN


                       Visited Set
    • Represents all the states that have been
      reached so far       procedure DFS(s)
                               visited = visited  {s};
    • Will eventually become for each successor s’ of s
                               the set of all
                                        if s’  visited then
      reachable state (state space) DFS(s’);
                                        end if
    • Test of presence of a state in the set must
                               end for
                           end procedure
      be efficient
        – It is performed for each reached state



                                 34
Flavio Lerda          Carnegie Mellon University        SPIN


                       Visited Set
    • Hash table
        – Efficient for testing even if the number of
          elements in it is very big (≥ 106)




                                 35
Flavio Lerda          Carnegie Mellon University                          SPIN


                       Visited Set
    • Hash table
        – Efficient for testing even if the number of
          elements in it is very big (≥ 106)
    • Reduce memory usage
        – Compress each state          When a transition is executed only a
                                       limited part of the state is modified




                                 36
Flavio Lerda          Carnegie Mellon University        SPIN


                       Visited Set
    • Hash table
        – Efficient for testing even if the number of
          elements in it is very big (≥ 106)
    • Reduce memory usage
        – Compress each state
    • Reduce the number of states
        – Partial Order Reduction



                                 37
Flavio Lerda               Carnegie Mellon University            SPIN


                State Representation
    • Global variables
    • Processes and local variables
    • Queues




        Global Variables                Processes       Queues




                                      38
Flavio Lerda      Carnegie Mellon University      SPIN


                 Compression
    • Each transition changes only a small part
      of the state
    • Assign a code to each element
      dynamically
    • Encoded states + basic elements use
      considerably less spaces than the
      uncompressed states



                             39
Flavio Lerda                  Carnegie Mellon University              SPIN


                          Compression
                        P0      P0        Q0     P0    P1
          i=0 j=0
                        x=0     x=1       {1}    x=0   y=0   0 0 1 0 0 2




 3                  3                 3

                          P1
 2                  2                 2
                          y=0

                          P0
 1                  1                 1
                          x=1

                          P0              Q0
 0     i=0 j=0      0                 0
                          x=0             {1}

                                            40
Flavio Lerda                  Carnegie Mellon University              SPIN


                          Compression
                        P0      P0        Q0     P0    P1
          i=0 j=0
                        x=0     x=1        {}
                                          {1}    x=1
                                                 x=0   y=0         1 1
                                                             0 0 1 0 0 2
                                                 q?x




 3                  3                 3

                          P1
 2                  2                 2
                          y=0

                          P0              Q0
 1                  1                 1
                          x=1             {}

                          P0              Q0
 0     i=0 j=0      0                 0
                          x=0             {1}

                                            41
Flavio Lerda      Carnegie Mellon University   SPIN


               Hash Compaction
    • Uses a hashing function to store each
      state using only 2 bits




                             42
Flavio Lerda      Carnegie Mellon University      SPIN


               Hash Compaction
    • Uses a hashing function to store each
      state using only 2 bits
    • There is an non-zero probability that two
      states are mapped into the same bits




                             43
Flavio Lerda      Carnegie Mellon University     SPIN


               Hash Compaction
    • Uses a hashing function to store each
      state using only 2 bits
    • There is an non-zero probability that two
      states are mapped into the same bits
    • If the number of states is quite smaller
      than the number of bits available there is a
      pretty good chance of not having conflicts



                             44
Flavio Lerda      Carnegie Mellon University     SPIN


               Hash Compaction
    • Uses a hashing function to store each
      state using only 2 bits
    • There is an non-zero probability that two
      states are mapped into the same bits
    • If the number of states is quite smaller
      than the number of bits available there is a
      pretty good chance of not having conflicts
    • The result is not (always) 100% correct!

                             45
Flavio Lerda      Carnegie Mellon University      SPIN


     Minimized Automata Reduction
    • Turns the state in a sequence of integers




                             46
Flavio Lerda     Carnegie Mellon University   SPIN


     Minimized Automata Reduction
    • Turns the state in a sequence of integers
    • Constructs an automata which accepts the
      states in the visited set




                            47
Flavio Lerda     Carnegie Mellon University   SPIN


     Minimized Automata Reduction
    • Turns the state in a sequence of integers
    • Constructs an automata which accepts the
      states in the visited set
    • Works like a BDD but on non-binary
      variables (MDD)




                            48
Flavio Lerda         Carnegie Mellon University       SPIN


     Minimized Automata Reduction
    • Turns the state in a sequence of integers
    • Constructs an automata which accepts the
      states in the visited set
    • Works like a BDD but on non-binary
      variables (MDD)
        – The variables are the components of the state




                                49
Flavio Lerda         Carnegie Mellon University       SPIN


     Minimized Automata Reduction
    • Turns the state in a sequence of integers
    • Constructs an automata which accepts the
      states in the visited set
    • Works like a BDD but on non-binary
      variables (MDD)
        – The variables are the components of the state
        – The automata is the minimal automata



                                50
Flavio Lerda         Carnegie Mellon University       SPIN


     Minimized Automata Reduction
    • Turns the state in a sequence of integers
    • Constructs an automata which accepts the
      states in the visited set
    • Works like a BDD but on non-binary
      variables (MDD)
        – The variables are the components of the state
        – The automata is the minimal automata
        – The automata is updated efficiently

                                51
Flavio Lerda        Carnegie Mellon University   SPIN


               Partial Order Reduction
    • Some interleavings of processes are
      equivalent
                               x=0
                               y=0

                        x++           y++

                       x=1              x=0
                                        x=1
                       y=0              y=0
                                        y=1


                       y++           x++
                               x=1
                               y=1



                               52
Flavio Lerda        Carnegie Mellon University   SPIN


               Partial Order Reduction
    • Some interleavings of processes are
      equivalent
    • Computing such interleavings and storing
      the intermediate states is expensive




                               53
Flavio Lerda             Carnegie Mellon University                      SPIN


               Partial Order Reduction
    • Some interleavings of processes are
      equivalent
                           Defines an equivalent relation between
    • Computing such interleavings andquotient of the
                           states and computes the storing
                           state transition graph to obtain a
                           reduced expensive
      the intermediate states isstate transition graph.
    • Partial order reduction defines a reduced
      system which is equivalent to the original
                             less are true of the reduced state
      system but containsPropertiesstates and
                           transition graph if and only if are true of
      transitions          the original graph.



                                    54
Flavio Lerda        Carnegie Mellon University   SPIN


               Partial Order Reduction
    • Optimal partial order reduction is as
      difficult as model checking!




                               55
Flavio Lerda        Carnegie Mellon University   SPIN


               Partial Order Reduction
    • Optimal partial order reduction is as
      difficult as model checking!
    • Compute an approximation based on
      syntactical information




                               56
Flavio Lerda         Carnegie Mellon University                        SPIN


               Partial Order Reduction
                                      Access to local variables
    • Optimal partial order reduction is as
                             Receive on exclusive receive-access queues
                               Send on exclusive send-access queues
      difficult as model checking!
    • Compute an approximation based on
      syntactical information
                                           Not mentioned in the property
        – Independent
        – Invisible
        – Check (at run-time) for actions postponed at
          infinitum
                                             So called stack proviso


                                57
Flavio Lerda        Carnegie Mellon University                   SPIN


                     Properties
    • Safety properties
        – Something bad never happens
        – Properties of states
                                    Reachability is sufficient



    • Liveness properties
        – Something good eventually happens
        – Properties of paths
                                    We need something more
                                    complex to check liveness
                                    properties

                               58
Flavio Lerda             Carnegie Mellon University             SPIN


                      LTL Model Checking
    • Liveness properties are expressed in LTL
        – Subset of CTL* of the form:
               • Af
          where f is a path formula with does not contain any
          quantifiers
    •   The quantifier A is usually omitted.
    •   G is substituted by (always or box)
    •   F is substituted by  (eventually or diamond)
    •   X is substituted by  (next)


                                    59
Flavio Lerda        Carnegie Mellon University                         SPIN


                  LTL Formulae
    • Always eventually p:            p         AGFp in CTL*

                                                  AG AF p in CTL



    • Always after p there is eventually q:
             ( p (  q ) )         AG(pFq) in CTL*

                                                 AG(p AFq) in CTL


    • Fairness:
                                             (AGF p)   in CTL*
              (  p ) 
                                             Can’t express it in CTL



                               60
Flavio Lerda           Carnegie Mellon University               SPIN


                       References
    • http://spinroot.com/
    • Design and Validation of Computer Protocols by Gerard
      Holzmann
    • The Spin Model Checker by Gerard Holzmann
    • An automata-theoretic approach to automatic program
      verification, by Moshe Y. Vardi, and Pierre Wolper
    • An analysis of bitstate hashing, by G.J. Holzmann
    • An Improvement in Formal Verification, by G.J. Holzmann
      and D. Peled
    • Simple on-the-fly automatic verification of linear temporal
      logic, by Rob Gerth, Doron Peled, Moshe Vardi, and Pierre
      Wolper
    • A Minimized automaton representation of reachable
      states, by A. Puri and G.J. Holzmann


                                  61

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:2
posted:3/21/2011
language:English
pages:61