CSE 503 – Software Engineering

Slides:

Advertisements

Similar presentations

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.

Advertisements

The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.

The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

ICE1341 Programming Languages Spring 2005 Lecture #13 Lecture #13 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.

CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.

Formal verification in SPIN Karthikeyan Bhargavan, Davor Obradovic CIS573, Fall 1999.

/ PSWLAB P ROMELA Semantics from “THE SPIN MODEL CHECKER” by G. J. Holzmann Presented by Hong,Shin 5 th Oct :021PROMELA Semantics.

An Overview of PROMELA. A protocol Validation Language –A notation for the specification and verification of procedure rules. –A partial description of.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

The Spin Model Checker Promela Introduction Nguyen Tuan Duc Shogo Sawai.

1 Spin Model Checker Samaneh Navabpour Electrical and Computer Engineering Department University of Waterloo SE-464 Summer 2011.

Example: Infinite Split and Merge #define N 128 #define size 16 chan in = [size] of {short}; chan large = [size] of {short}; chan small = [size] of {short};

© 2011 Carnegie Mellon University SPIN: Part Bug Catching: Automated Program Verification and Testing Sagar Chaki November 2, 2011.

© 2011 Carnegie Mellon University SPIN: Part Bug Catching: Automated Program Verification and Testing Sagar Chaki October 31, 2011.

ISBN Chapter 8 Statement-Level Control Structures.

1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker.

ISBN Chapter 8 Statement-Level Control Structures.

Temporal Logic Model- checking with SPIN COMP6004 Stéphane Lo Presti Part 3: The PROMELA Semantics.

Chapter 7Louden, Programming Languages1 Chapter 7 - Control I: Expressions and Statements "Control" is the general study of the semantics of execution.

CONTROL STATEMENTS Lakhbir Singh(Lect.IT) S.R.S.G.P.C.G. Ludhiana.

Correctness requirements. Basic Types of Claims Basic assertions End-state labels Progress-state labels Accept-state labels Never claims Trace assertions.

Korea Advanced Institute of Science and Technology The Spin Model Checker - Advanced Features Moonzoo Kim CS Dept. KAIST.

Chapter 8 High-Level Programming Languages. 8-2 Chapter Goals Describe the translation process and distinguish between assembly, compilation, interpretation,

Hello.java Program Output 1 public class Hello { 2 public static void main( String [] args ) 3 { 4 System.out.println( “Hello!" ); 5 } // end method main.

Today’s Agenda  Quiz 4 next Tuesday  Quick Review  Continue on SPIN Overview.

ISBN Chapter 8 Statement-Level Control Structures.

第八章敘述層級的控制結構 (Statement-Level Control Structures)

Radu Iosif Introduction to SPIN Radu Iosif

8-1 Statement-Level Control Structures Introduction Selection Statements Iterative Statements Unconditional Branching Guarded Commands Conclusions.

Temporal Logic Model-checking with SPIN

April 16, ICE 1341 – Programming Languages (Lecture #14) In-Young Ko Programming Languages (ICE 1341) Lecture #14 Programming Languages (ICE 1341)

Lecture 4 Introduction to Promela. Promela and Spin Promela - process meta language G. Holzmann, Bell Labs (Lucent) C-like language + concurrency dyamic.

Chapter 8 © 2002 by Addison Wesley Longman, Inc Introduction - Levels of Control Flow: 1. Within expressions 2. Among program units 3. Among program.

Software Systems Verification and Validation Laboratory Assignment 4 Model checking Assignment date: Lab 4 Delivery date: Lab 4, 5.

C Part 1 Computer Organization I 1 August 2009 © McQuain, Feng & Ribbens A History Lesson Development of language by Dennis Ritchie at Bell.

Today’s Agenda  Quiz 4  Temporal Logic Formal Methods in Software Engineering1.

Sept COMP60611 Fundamentals of Parallel and Distributed Systems Lecture 9 Promela, jSpin and the problem of Interference John Gurd, Graham Riley.

JAVA Programming (Session 2) “When you are willing to make sacrifices for a great cause, you will never be alone.” Instructor: รัฐภูมิ เถื่อนถนอม

The Machine Model Memory

8.1 Introduction - Levels of Control Flow: 1. Within expressions

CS 326 Programming Languages, Concepts and Implementation

Formal verification in SPIN

Programming for Mobile Technologies

Lecture 14: Iteration and Recursion (Section 6.5 – 6.6)

Prepared By: G.UshaRani B.Pranalini A.S.Lalitha

Chapter 8: Control Structures

Programmazione I a.a. 2017/2018.

Control Structures (Structured Programming) for controlling the procedural aspects of programming CS1110 – Kaminski.

Chapter 10 Programming Fundamentals with JavaScript

Statement-Level Control Structures

Character Set The character set of C represents alphabet, digit or any symbol used to represent information. Types Character Set Uppercase Alphabets A,

Control Structures In Text: Chapter 8.

Lecture 18 Arrays and Pointer Arithmetic

The Spin Model Checker - Advanced Features

Introduction C is a general-purpose, high-level language that was originally developed by Dennis M. Ritchie to develop the UNIX operating system at Bell.

Summary Two basic concepts: variables and assignments Basic types:

Seoul National University

COMP60621 Designing for Parallelism

An explicit state model checker

A Refinement Calculus for Promela

Chapter8: Statement-Level Control Structures April 9, 2019

CSE 555 Protocol Engineering

Comparing Python and Java

C Language B. DHIVYA 17PCA140 II MCA.

The Spin Model Checker - Advanced Features

CprE 185: Intro to Problem Solving (using C)

Review of Java Fundamentals

CSE 503 – Software Engineering

Presentation transcript:

CSE 503 – Software Engineering Lecture 5: An introduction to the Spin model checker Rob DeLine 12 Apr 2004

Exploring state Using Alloy to explore state Model system state using sets and relations Define state changing operations declaratively as functions Use asserts to test properties of particular operation sequences Alloy tries to find states that break asserts Using Promela (language)/Spin (tool) to explore state Model system using processes with local variables and channels Define state changing operations imperatively as algorithms Use temporal logic formulae/asserts to specify states that we want/don’t want the system to reach Spin tries to find operation sequences that break formulae/asserts Today: Promela syntax and semantics, use of Spin Wed: Case studies

Promela data types Basic types (integers of various widths) bit, bool 1-bit, unsigned byte 8-bit, unsigned short 16-bit, signed int 32-bit, signed Arrays (index starts at zero) bit[8] Records typedef Header { bit flag0, flag1; byte dest; } Enumerated types (underlying type is byte) mtype = { ack, nack }

Variable declarations and assignments int x; // basic types initialize to zero by default byte b = 123; byte[3] array; byte[3] initArray = 1; // all elements initialized to 1 Header h; // apparently, no initializer allowed byte msgtype = ack; // mtypes are just bytes Assignment has C’s syntax x = 3; array[2] = y;

Expressions Promela has many expressions from C Arithmetic: a+b, a-b, a*b, a/b, a%b Comparisons: a==b, a!=b, a<b, a<=b, a>b, a>=b Logicals: a&&b, a||b,! a Bit-level: a&b, a|b, a^b, ~a, a<<b, a>>b Side-effecting: a++, a-- (postfix only) Plus other Promela-specific expressions (more later)

Process declarations Promela program consists of one or more processes Program begins with distinguished process “init” (no parameters) Start a process with “run” command, which returns a process id A process is defined with “proctype” proctype Hello () { printf(“hi\n”); } init { run Hello(); } Process != procedure No return value, no call stack if A “runs” B, then A and B execute concurrently However, process cannot end until all processes that it runs end

Control statements Conditionals (execute any branch whose condition is true) if :: condition0 -> statements0 :: conditionn -> statementsn fi Loops do od Unconditional jumps: break (leave nearest do); goto label assert(cond) means crash if cond isn’t true

Executability Expressions as statements Like C, an expression can be used as a statement Unlike C, an expression statement is blocked until it is true This is useful for making a process wait for a condition Conditionals and loops revisted General forms if :: statements0 :: ... :: statementsn fi do :: statements0 :: ... :: statementsn od S -> T is equivalent to S; T if/do nondeterministically choose any executable statement Timeout Special statement “timeout” is executable iff every process is blocked at a non-executable statement

What does this print? Two answers int i = 0; proctype A () { do :: i == 10 -> break; :: i % 2 == 0 -> printf(“%d\n”, i); i++; :: i % 2 == 1 -> i++; od } init { run A(); } Two answers 0, 2, 4, 6, 8 all even naturals

Concurrency Processes run concurrently Execution is interleaved on the statement level You can force multiple statements to be interleaved as one atomic { statements } Two forms of interaction between processes Global variables Shared communication channels

Producer/consumer using globals int buffer[10]; int i = 0; proctype Consumer () { int x; do :: i > 0 -> i--; x = buffer[i]; od } proctype Producer () { int item; do :: i < 10 -> buffer[i] = item; item++; i++; od init { run Consumer(); run Producer(); } Can any items get lost?

Oops! Race condition! initial Producer: buffer[i] = item; Producer: i++; Producer: buffer[i] = item; Producer: i++; Consumer: i--; Consumer: x = buffer[i]; Producer: buffer[i] = item; Consumer: i--; Consumer: x = buffer[i]; Producer: i++; Producer: buffer[i] = item; 1 1 1 1 2 2 3

Repaired producer/consumer int buffer[10]; int i = 0; proctype Consumer () { int x; do :: i > 0 -> atomic { i--; x = buffer[i]; Use(x); } od } proctype Producer () { int item; do :: i < 10 -> atomic { buffer[i] = item; item++; i++; } od init { run Consumer(); run Producer(); }

Interaction using channels A channel is a fixed-size buffer for communication Channels are named and contain typed data chan name = [size] of { type0, ..., typen } Process can read channel data, which blocks when channel empty name?var0,...,varn Process can write channel data, which blocks when channel full name!expr0,...,exprn Channels can be global or local Channels can be passed as process parameters

Producer/consumer with channels chan buffer = [10] of {int} proctype Consumer () { int x; do :: buffer?x -> Use(x); od } proctype Producer () { int item; do :: buffer!item -> item++; od init { run Consumer(); run Producer(); } Let’s see Spin in action!