VIEWS: 2 PAGES: 61 POSTED ON: 3/21/2011 Public Domain
Flavio Lerda Carnegie Mellon University SPIN SPIN An explicit state model checker 1 Flavio Lerda Carnegie Mellon University SPIN Explict State Model Checker • Represents the system as an finite state machine • Visits each reachable state (state space) explicitly • Checks some property – Property is satisfied – Counterexample 2 Flavio Lerda Carnegie Mellon University SPIN DFS • DFS visit of the state space procedure DFS(s) visited = visited {s}; for each successor s’ of s if s’ visited then DFS(s’); end if end for end procedure 3 Flavio Lerda Carnegie Mellon University SPIN DFS • How do we: – Represent the transition relation – Store the visited set • Needs fast access (hash table) • State space explosion – Check properties 4 Flavio Lerda Carnegie Mellon University SPIN Promela • Process Algebra – An algebraic approach to the study of concurrent processes. Its tools are algebraical languages for the specification of processes and the formulation of statements about them, together with calculi for the verification of these statements. [Van Glabbeek, 1987] • Describes the system in a way similar to a programming language 5 Flavio Lerda Carnegie Mellon University SPIN Promela • Asynchronous composition of independent processes • Communication using channels and global variables • Non-deterministic choices and interleavings 6 Flavio Lerda Carnegie Mellon University SPIN An Example mtype = { NONCRITICAL, TRYING, CRITICAL }; show mtype state[2]; proctype process(int id) { beginning: noncritical: state[id] = NONCRITICAL; NC if :: goto noncritical; :: true; fi; trying: T state[id] = TRYING; if :: goto trying; :: true; fi; critical: C state[id] = CRITICAL; if :: goto critical; :: true; fi; goto beginning;} init { run process(0); run process(1); } 7 Flavio Lerda Carnegie Mellon University SPIN An Example mtype = { NONCRITICAL, TRYING, CRITICAL }; show mtype state[2]; proctype process(int id) { beginning: noncritical: state[id] = NONCRITICAL; if :: goto noncritical; :: true; fi; trying: state[id] = TRYING; if :: goto trying; :: true; fi; critical: state[id] = CRITICAL; if :: goto critical; :: true; fi; goto beginning;} init { run process(0); run process(1); } 8 Flavio Lerda Carnegie Mellon University SPIN An Example mtype = { NONCRITICAL, TRYING, CRITICAL }; show mtype state[2]; proctype process(int id) { beginning: noncritical: state[id] = NONCRITICAL; if :: goto noncritical; :: true; fi; trying: state[id] = TRYING; if :: goto trying; :: true; fi; critical: state[id] = CRITICAL; if :: goto critical; :: true; fi; goto beginning;} init { run process(0); run process(1); } 9 Flavio Lerda Carnegie Mellon University SPIN An Example mtype = { NONCRITICAL, TRYING, CRITICAL }; show mtype state[2]; proctype process(int id) { beginning: noncritical: state[id] = NONCRITICAL; if :: goto noncritical; :: true; fi; trying: state[id] = TRYING; if :: goto trying; :: true; fi; critical: state[id] = CRITICAL; if :: goto critical; :: true; fi; goto beginning;} init { run process(0); run process(1); } 10 Flavio Lerda Carnegie Mellon University SPIN An Example mtype = { NONCRITICAL, TRYING, CRITICAL }; show mtype state[2]; proctype process(int id) { beginning: noncritical: state[id] = NONCRITICAL; if :: goto noncritical; :: true; fi; trying: state[id] = TRYING; if :: goto trying; :: true; fi; critical: state[id] = CRITICAL; if :: goto critical; :: true; fi; goto beginning;} init { run process(0); run process(1); } 11 Flavio Lerda Carnegie Mellon University SPIN An Example mtype = { NONCRITICAL, TRYING, CRITICAL }; show mtype state[2]; proctype process(int id) { beginning: noncritical: state[id] = NONCRITICAL; NC if :: goto noncritical; :: true; fi; trying: T state[id] = TRYING; if :: goto trying; :: true; fi; critical: C state[id] = CRITICAL; if :: goto critical; :: true; fi; goto beginning;} init { run process(0); run process(1); } 12 Flavio Lerda Carnegie Mellon University SPIN Enabled Statements • A statement needs to be enabled for the process to be scheduled. bool a, b; proctype p1() { a = true; a & b; a = false; } proctype p2() { b = false; a & b; b = true; } init { a = false; b = false; run p1(); run p2(); } 13 Flavio Lerda Carnegie Mellon University SPIN Enabled Statements • A statement needs to be enabled for the process to be scheduled. bool a, b; proctype p1() These statements are enabled { only if both a and b are true. a = true; a & b; a = false; } proctype p2() { b = false; a & b; b = true; } init { a = false; b = false; run p1(); run p2(); } 14 Flavio Lerda Carnegie Mellon University SPIN Enabled Statements • A statement needs to be enabled for the process to be scheduled. bool a, b; proctype p1() These statements are enabled { only if both a and b are true. a = true; a & b; a = false; In this case b is always false } and therefore there is a proctype p2() deadlock. { b = false; a & b; b = true; } init { a = false; b = false; run p1(); run p2(); } 15 Flavio Lerda Carnegie Mellon University SPIN Other constructs • Do loops do :: count = count + 1; :: count = count - 1; :: (count == 0) -> break od 16 Flavio Lerda Carnegie Mellon University SPIN Other constructs • Do loops • Communication over channels proctype sender(chan out) { int x; if ::x=0; ::x=1; fi out ! x; } 17 Flavio Lerda Carnegie Mellon University SPIN Other constructs • Do loops • Communication over channels • Assertions proctype receiver(chan in) { int value; out ? value; assert(value == 0 || value == 1) } 18 Flavio Lerda Carnegie Mellon University SPIN Other constructs • Do loops • Communication over channels • Assertions • Atomic Steps int value; proctype increment() { atomic { x = value; x = x + 1; value = x; } } 19 Flavio Lerda Carnegie Mellon University SPIN On-The-Fly • System is the asynchronous composition of processes • The global transition relation is never build • For each state the successor states are enumerated using the transition relation of each process 20 Flavio Lerda Carnegie Mellon University SPIN On-The-Fly 0 0 1 1 00 21 Flavio Lerda Carnegie Mellon University SPIN On-The-Fly 0 0 1 1 00 10 22 Flavio Lerda Carnegie Mellon University SPIN On-The-Fly 0 0 1 1 00 10 23 Flavio Lerda Carnegie Mellon University SPIN On-The-Fly 0 0 1 1 00 10 11 24 Flavio Lerda Carnegie Mellon University SPIN On-The-Fly 0 0 1 1 00 10 01 11 25 Flavio Lerda Carnegie Mellon University SPIN On-The-Fly 0 0 1 1 00 10 01 11 26 Flavio Lerda Carnegie Mellon University SPIN On-The-Fly 0 0 1 1 00 10 01 11 27 Flavio Lerda Carnegie Mellon University SPIN On-The-Fly 0 0 1 1 00 10 01 11 28 Flavio Lerda Carnegie Mellon University SPIN On-The-Fly 0 0 1 1 00 10 01 11 29 Flavio Lerda Carnegie Mellon University SPIN On-The-Fly 0 0 1 1 00 10 01 11 30 Flavio Lerda Carnegie Mellon University SPIN On-The-Fly 0 0 1 1 00 10 01 11 31 Flavio Lerda Carnegie Mellon University SPIN On-The-Fly 0 0 1 1 00 10 01 11 32 Flavio Lerda Carnegie Mellon University SPIN On-The-Fly 0 0 1 1 00 10 01 11 33 Flavio Lerda Carnegie Mellon University SPIN Visited Set • Represents all the states that have been reached so far procedure DFS(s) visited = visited {s}; • Will eventually become for each successor s’ of s the set of all if s’ visited then reachable state (state space) DFS(s’); end if • Test of presence of a state in the set must end for end procedure be efficient – It is performed for each reached state 34 Flavio Lerda Carnegie Mellon University SPIN Visited Set • Hash table – Efficient for testing even if the number of elements in it is very big (≥ 106) 35 Flavio Lerda Carnegie Mellon University SPIN Visited Set • Hash table – Efficient for testing even if the number of elements in it is very big (≥ 106) • Reduce memory usage – Compress each state When a transition is executed only a limited part of the state is modified 36 Flavio Lerda Carnegie Mellon University SPIN Visited Set • Hash table – Efficient for testing even if the number of elements in it is very big (≥ 106) • Reduce memory usage – Compress each state • Reduce the number of states – Partial Order Reduction 37 Flavio Lerda Carnegie Mellon University SPIN State Representation • Global variables • Processes and local variables • Queues Global Variables Processes Queues 38 Flavio Lerda Carnegie Mellon University SPIN Compression • Each transition changes only a small part of the state • Assign a code to each element dynamically • Encoded states + basic elements use considerably less spaces than the uncompressed states 39 Flavio Lerda Carnegie Mellon University SPIN Compression P0 P0 Q0 P0 P1 i=0 j=0 x=0 x=1 {1} x=0 y=0 0 0 1 0 0 2 3 3 3 P1 2 2 2 y=0 P0 1 1 1 x=1 P0 Q0 0 i=0 j=0 0 0 x=0 {1} 40 Flavio Lerda Carnegie Mellon University SPIN Compression P0 P0 Q0 P0 P1 i=0 j=0 x=0 x=1 {} {1} x=1 x=0 y=0 1 1 0 0 1 0 0 2 q?x 3 3 3 P1 2 2 2 y=0 P0 Q0 1 1 1 x=1 {} P0 Q0 0 i=0 j=0 0 0 x=0 {1} 41 Flavio Lerda Carnegie Mellon University SPIN Hash Compaction • Uses a hashing function to store each state using only 2 bits 42 Flavio Lerda Carnegie Mellon University SPIN Hash Compaction • Uses a hashing function to store each state using only 2 bits • There is an non-zero probability that two states are mapped into the same bits 43 Flavio Lerda Carnegie Mellon University SPIN Hash Compaction • Uses a hashing function to store each state using only 2 bits • There is an non-zero probability that two states are mapped into the same bits • If the number of states is quite smaller than the number of bits available there is a pretty good chance of not having conflicts 44 Flavio Lerda Carnegie Mellon University SPIN Hash Compaction • Uses a hashing function to store each state using only 2 bits • There is an non-zero probability that two states are mapped into the same bits • If the number of states is quite smaller than the number of bits available there is a pretty good chance of not having conflicts • The result is not (always) 100% correct! 45 Flavio Lerda Carnegie Mellon University SPIN Minimized Automata Reduction • Turns the state in a sequence of integers 46 Flavio Lerda Carnegie Mellon University SPIN Minimized Automata Reduction • Turns the state in a sequence of integers • Constructs an automata which accepts the states in the visited set 47 Flavio Lerda Carnegie Mellon University SPIN Minimized Automata Reduction • Turns the state in a sequence of integers • Constructs an automata which accepts the states in the visited set • Works like a BDD but on non-binary variables (MDD) 48 Flavio Lerda Carnegie Mellon University SPIN Minimized Automata Reduction • Turns the state in a sequence of integers • Constructs an automata which accepts the states in the visited set • Works like a BDD but on non-binary variables (MDD) – The variables are the components of the state 49 Flavio Lerda Carnegie Mellon University SPIN Minimized Automata Reduction • Turns the state in a sequence of integers • Constructs an automata which accepts the states in the visited set • Works like a BDD but on non-binary variables (MDD) – The variables are the components of the state – The automata is the minimal automata 50 Flavio Lerda Carnegie Mellon University SPIN Minimized Automata Reduction • Turns the state in a sequence of integers • Constructs an automata which accepts the states in the visited set • Works like a BDD but on non-binary variables (MDD) – The variables are the components of the state – The automata is the minimal automata – The automata is updated efficiently 51 Flavio Lerda Carnegie Mellon University SPIN Partial Order Reduction • Some interleavings of processes are equivalent x=0 y=0 x++ y++ x=1 x=0 x=1 y=0 y=0 y=1 y++ x++ x=1 y=1 52 Flavio Lerda Carnegie Mellon University SPIN Partial Order Reduction • Some interleavings of processes are equivalent • Computing such interleavings and storing the intermediate states is expensive 53 Flavio Lerda Carnegie Mellon University SPIN Partial Order Reduction • Some interleavings of processes are equivalent Defines an equivalent relation between • Computing such interleavings andquotient of the states and computes the storing state transition graph to obtain a reduced expensive the intermediate states isstate transition graph. • Partial order reduction defines a reduced system which is equivalent to the original less are true of the reduced state system but containsPropertiesstates and transition graph if and only if are true of transitions the original graph. 54 Flavio Lerda Carnegie Mellon University SPIN Partial Order Reduction • Optimal partial order reduction is as difficult as model checking! 55 Flavio Lerda Carnegie Mellon University SPIN Partial Order Reduction • Optimal partial order reduction is as difficult as model checking! • Compute an approximation based on syntactical information 56 Flavio Lerda Carnegie Mellon University SPIN Partial Order Reduction Access to local variables • Optimal partial order reduction is as Receive on exclusive receive-access queues Send on exclusive send-access queues difficult as model checking! • Compute an approximation based on syntactical information Not mentioned in the property – Independent – Invisible – Check (at run-time) for actions postponed at infinitum So called stack proviso 57 Flavio Lerda Carnegie Mellon University SPIN Properties • Safety properties – Something bad never happens – Properties of states Reachability is sufficient • Liveness properties – Something good eventually happens – Properties of paths We need something more complex to check liveness properties 58 Flavio Lerda Carnegie Mellon University SPIN LTL Model Checking • Liveness properties are expressed in LTL – Subset of CTL* of the form: • Af where f is a path formula with does not contain any quantifiers • The quantifier A is usually omitted. • G is substituted by (always or box) • F is substituted by (eventually or diamond) • X is substituted by (next) 59 Flavio Lerda Carnegie Mellon University SPIN LTL Formulae • Always eventually p: p AGFp in CTL* AG AF p in CTL • Always after p there is eventually q: ( p ( q ) ) AG(pFq) in CTL* AG(p AFq) in CTL • Fairness: (AGF p) in CTL* ( p ) Can’t express it in CTL 60 Flavio Lerda Carnegie Mellon University SPIN References • http://spinroot.com/ • Design and Validation of Computer Protocols by Gerard Holzmann • The Spin Model Checker by Gerard Holzmann • An automata-theoretic approach to automatic program verification, by Moshe Y. Vardi, and Pierre Wolper • An analysis of bitstate hashing, by G.J. Holzmann • An Improvement in Formal Verification, by G.J. Holzmann and D. Peled • Simple on-the-fly automatic verification of linear temporal logic, by Rob Gerth, Doron Peled, Moshe Vardi, and Pierre Wolper • A Minimized automaton representation of reachable states, by A. Puri and G.J. Holzmann 61