Formal verification in SPIN
Karthikeyan Bhargavan, Davor Obradovic
CIS573, Fall 1999
Formal verification
Formal verification means using methods of mathematical argument to determine the correctness of systems. It can be applied to hardware, software and other kinds of systems.
Bugs are expensive when they are discovered in a finished product. Idea: use FV to discover bugs during the design phase.
Model checkers
Model checkers are among the most widely used FV tools.
Human inspection is not effective:
    currently designed systems are too large;
    concurrency and race conditions are hard to reason about by hand;
    big verifications done with paper and pencil are hard to reconstruct and re-check.
Model checkers are good at doing massive (but often simple) case analyses.
The BIG picture
A model checker takes two inputs, a model description and a property, and answers either YES (the property holds in the model) or NO together with a counterexample.
Spin
Developed in Bell Labs, starting in 1980.
Designed for verification of distributed systems.
Model descriptions need to be given in PROMELA (PROcess MEta LAnguage).
Properties are described in LTL (Linear Temporal Logic).
PROMELA overview
A PROMELA program describes a set of concurrent processes.
Execution is asynchronous (at each step only one process makes a move), except in special cases (rendezvous message passing).
Processes can die or be created dynamically.
Processes can communicate through global variables and channels (message passing).
PROMELA example

    /* global variables shared by both processes (declaration not shown on the slide) */
    bit x, y;

    proctype Pr1() {
        do
        :: x==0 -> y=1;
        :: x==1 -> y=0;
        od;
    }

    proctype Pr2() {
        do                      /* the loop brackets were lost in extraction */
        :: y==0 -> x=1;
        :: y==1 -> x=0;
        od;
    }

    init {
        x=0; y=0;
        run Pr1(); run Pr2();
    }

(The slide's diagram shows the state transition system of this program: states such as x=0,y=0, x=1,y=0 and x=0,y=1, with edges labelled by the instruction taken, e.g. :: y==0 -> x=1.)

Each Promela program generates a unique state transition system. Promela "instructions" correspond to state transitions.
PROMELA special features
Nondeterministic choice:

    if
    :: g1 -> s1;
    :: g2 -> s2;
    . . .
    fi

for example

    if
    :: (x>3) -> x--;
    :: true -> y=1;
    :: y -> x=x+y;
    fi;

At each step, execute one of the statements whose guard evaluates to true.
PROMELA special features
Nondeterministic loop:

    do
    :: g1 -> s1;
    :: g2 -> s2;
    . . .
    od

for example

    do
    :: (x>3) -> x--;
    :: true -> y=1;
    :: y -> x=x+y;
    od;

Repeat, choosing nondeterministically at each step.
PROMELA special features
Channel communication:

    chan c = [2] of {bit};       /* buffered channel, capacity 2 */
    chan din = [0] of {byte};    /* capacity 0: rendezvous (synchronous) channel */
    chan dout = [1] of {byte};

Send a message m on channel c: c!m
Receive a message from channel c into x: c?x

Examples:

    din?v -> dout!(v+v);
    c?1 -> x++;        /* receive only a message equal to the constant 1 */
    dout!v -> skip;
Other PROMELA features
Labels and the goto statement
Types: bit, bool, byte, short, int
User-defined types
. . .
More about PROMELA on the course webpage.
LTL overview
Expresses properties that depend on time (temporal).
LTL formulas are evaluated on sequences of states (linear).
Standard predicate logic + temporal operators:
    [] = always
    <> = eventually
LTL in practice
x is always strictly greater than y: [](x>y)
Eventually x becomes equal to 1: <>(x==1)
Eventually x becomes equal to 1 and never changes afterwards: <>[](x==1)
If at any moment x becomes negative, y will become negative at some later moment: []((x<0) ==> <>(y<0))
LTL, formal definitions

    F ::= p                (a state predicate, like (x>0) or (x!=y))
        | F1 && F2
        | F1 || F2
        | !F
        | []F
        | <>F

Given a sequence of states s = s(0), s(1), s(2), ...
    s(i) satisfies []F if for every j>=i, s(j) satisfies F.
    s(i) satisfies <>F if for some j>=i, s(j) satisfies F.
The whole sequence s satisfies F if s(0) satisfies F.
LTL examples
Sequence: p, !p, p, !p, ...
    <>(!p)          +
    []p             -
    []<>p           +
    <>[]p           -
Sequence: (p,!q), (!p,q), (p,!q), (!p,q), ...
    [](p||q)        +
    []<>q           +
    <>(p&&q)        -
    (<>p)&&(<>q)    +
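The satisfaction relation from the "LTL, formal definitions" slide, implemented in Python as an added example (not from the slides or from Spin) over infinite runs given as a lasso, a finite prefix plus a cycle repeated forever, and applied to the two sequences of the examples slide. Assumed: atoms are plain names, and ==> (used on the "LTL in practice" slide) is treated as !F1 || F2.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple
State = FrozenSet[str]  # the set of atomic predicates (e.g. "x<0") true in a state

@dataclass(frozen=True)
class Lasso:
    """An infinite state sequence s(0), s(1), ...: a finite prefix followed by a
    cycle repeated forever. Spin reports every counterexample run in this shape."""
    prefix: Tuple[State, ...]
    cycle: Tuple[State, ...]   # must be non-empty

    def state(self, i: int) -> State:
        if i < len(self.prefix):
            return self.prefix[i]
        return self.cycle[(i - len(self.prefix)) % len(self.cycle)]

    def window(self, i: int) -> range:
        # Positions j >= i worth checking: the rest of the prefix plus one full turn
        # of the cycle. After that the suffix repeats, so the truth of any sub-formula
        # repeats too, and "for every j >= i" / "for some j >= i" are decided here.
        return range(i, max(i, len(self.prefix)) + len(self.cycle))

# Formulas are nested tuples: ("atom", name), ("!", F), ("&&", F1, F2), ("||", F1, F2),
# ("==>", F1, F2), ("[]", F), ("<>", F).
def holds(f, run: Lasso, i: int = 0) -> bool:
    """Does s(i) satisfy f? Mirrors the definitions on the formal-definitions slide."""
    op = f[0]
    if op == "atom": return f[1] in run.state(i)
    if op == "!":    return not holds(f[1], run, i)
    if op == "&&":   return holds(f[1], run, i) and holds(f[2], run, i)
    if op == "||":   return holds(f[1], run, i) or holds(f[2], run, i)
    if op == "==>":  return (not holds(f[1], run, i)) or holds(f[2], run, i)
    if op == "[]":   return all(holds(f[1], run, j) for j in run.window(i))
    if op == "<>":   return any(holds(f[1], run, j) for j in run.window(i))
    raise ValueError(f"unknown operator {op!r}")

def satisfies(run: Lasso, f) -> bool:
    """The whole sequence satisfies f iff s(0) does."""
    return holds(f, run, 0)

# Constructed runs: the two rows of the examples slide, plus one with a prefix.
P, Q = ("atom", "p"), ("atom", "q")
ALTERNATING_P = Lasso(prefix=(), cycle=(frozenset({"p"}), frozenset()))        # p, !p, p, !p, ...
ALTERNATING_PQ = Lasso(prefix=(), cycle=(frozenset({"p"}), frozenset({"q"})))  # (p,!q), (!p,q), ...
EVENTUALLY_P = Lasso(prefix=(frozenset(),), cycle=(frozenset({"p"}),))         # !p, p, p, p, ...

if __name__ == "__main__":
    for name, f in [("<>(!p)", ("<>", ("!", P))), ("[]p", ("[]", P)),
                    ("[]<>p", ("[]", ("<>", P))), ("<>[]p", ("<>", ("[]", P)))]:
        print(f"{name:7} alternating={satisfies(ALTERNATING_P, f)} eventually={satisfies(EVENTUALLY_P, f)}")
```

The window trick is exactly why a finite lasso is enough to decide an LTL property of an infinite run, which is what lets Spin hand back a finite counterexample trail.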
LTL verification in Spin
Given a PROMELA program and an LTL formula, Spin checks whether all possible computation paths satisfy the formula.

    int a,b,d;
    bit ready=0;

    proctype Euclid (int x,y){
        do
        :: (x>y) -> x=x-y
        :: (y>x) -> y=y-x
        :: (x==y) -> goto done
        od;
    done:
        /* store the result before raising the flag, so the property below never
           evaluates a%d while d is still 0 (Spin reports division by zero) */
        d=x; ready=1
    }

    init {
        a=100; b=1;
        do
        :: (b<a) -> b++
        :: true -> goto enough
        od;
    enough:
        run Euclid(a,b)
    }

LTL: <>(ready && (a%d==0))