The University of Adelaide, School of Computer Science

Slides:



Advertisements
Similar presentations
1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.
Advertisements

The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.
The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.
© 2011 Carnegie Mellon University SPIN: Part /614 Bug Catching: Automated Program Verification Sagar Chaki April 21, 2014.
Formal verification in SPIN Karthikeyan Bhargavan, Davor Obradovic CIS573, Fall 1999.
/ PSWLAB P ROMELA Semantics from “THE SPIN MODEL CHECKER” by G. J. Holzmann Presented by Hong,Shin 5 th Oct :021PROMELA Semantics.
Wishnu Prasetya Model Checking with SPIN Modeling and Verification with SPIN.
CIS 725 Guarded Command Notation. Programming language style notation Guarded actions en(a)  a en(a): guard of the action boolean condition or boolean.
The Spin Model Checker Promela Introduction Nguyen Tuan Duc Shogo Sawai.
1 Choose a Leader Example: find extrema in unidirectional ring There are N processes configured into a unidirectional ring; i.e. For 1
1 Spin Model Checker Samaneh Navabpour Electrical and Computer Engineering Department University of Waterloo SE-464 Summer 2011.
Shin Hong, KAIST17 th April,2007 1/33 Provable Software Laboratory, CS KAIST.
Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.
© 2011 Carnegie Mellon University SPIN: Part Bug Catching: Automated Program Verification and Testing Sagar Chaki November 2, 2011.
© 2011 Carnegie Mellon University SPIN: Part Bug Catching: Automated Program Verification and Testing Sagar Chaki October 31, 2011.
Temporal Logic Model- checking with SPIN COMP6004 Stéphane Lo Presti Part 4: Specifications.
Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.
1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker.
CDA 3103 Computer Organization Review Instructor: Hao Zheng Dept. Comp. Sci & Eng. USF.
CS 290C: Formal Models for Web Software Lecture 4: Model Checking Navigation Models with Spin Instructor: Tevfik Bultan.
Cheng/Dillon-Software Engineering: Formal Methods Model Checking.
Principles of programming languages 2: Answers for exercises
Correctness requirements. Basic Types of Claims Basic assertions End-state labels Progress-state labels Accept-state labels Never claims Trace assertions.
Scientific Computing By: Fatima Hallak To: Dr. Guy Tel-Zur.
Korea Advanced Institute of Science and Technology The Spin Model Checker - Advanced Features Moonzoo Kim CS Dept. KAIST.
Concurrency. A process is a program executing on a virtual computer Processor speed and multiplexing of shared resources are ignored Order of thread execution.
Today’s Agenda  Quiz 4 next Tuesday  Quick Review  Continue on SPIN Overview.
Radu Iosif Introduction to SPIN Radu Iosif
CIS 842: Specification and Verification of Reactive Systems Lecture SPIN-Soldiers: Soldiers Case Study Copyright , Matt Dwyer, John Hatcliff,
Chapter 7 Low-Level Programming Languages. 2 Features in Pep/7 Figure 7.1 Pep/7’s architecture.
Temporal Logic Model-checking with SPIN
General Techniques for Symmetry Reduction in Model Checking Alastair Donaldson Alice Miller Department of Computing Science University of Glasgow.
Q1:Royal Garden’s Puzzle as a Model Checking Problem Pictures from UbiSoft HW6: Due Dec 4th 23:59.
Software Systems Engineering Rob Oshana Southern Methodist University EMIS 7312.
/ PSWLAB S PIN Search Optimization from “THE SPIN MODEL CHECKER” by G. Holzmann Presented by Hong,Shin 23 th Nov SPIN Search.
Lecture 4 Introduction to Promela. Promela and Spin Promela - process meta language G. Holzmann, Bell Labs (Lucent) C-like language + concurrency dyamic.
Alternating Bit Protocol Protocol for simplex data-transfer channel: data flows from sender to receiver control flows in both directions the transfer medium.
1 Pass the Parcel /* Pass the parcel in Promela */ /* passing is not atomic */ /* communication is asynchronous */ /* Muffy Calder, November 2000 */ mtype.
Today’s Agenda  Quiz 4  Temporal Logic Formal Methods in Software Engineering1.
Wishnu Prasetya Model Checking with SPIN Modeling and Verification with Promela.
Verification of Data-Dependent Properties of MPI-Based Parallel Scientific Software Anastasia Mironova.
Formal verification in SPIN
CSE 503 – Software Engineering
Formal Methods in Software Engineering 1
Computer Architecture & Operations I
The Spin Model Checker - Advanced Features
An explicit state model checker
A Refinement Calculus for Promela
The University of Adelaide, School of Computer Science
The University of Adelaide, School of Computer Science
The University of Adelaide, School of Computer Science
The University of Adelaide, School of Computer Science
The University of Adelaide, School of Computer Science
The University of Adelaide, School of Computer Science
The University of Adelaide, School of Computer Science
Engine Part ID Part 1.
Engine Part ID Part 2.
Engine Part ID Part 2.
HW6: Due Dec 14 23:59 To specify a corresponding Promela specification
COMP60621 Designing for Parallelism
The University of Adelaide, School of Computer Science
Basics Prof. Hsin-Mu (Michael) Tsai (蔡欣穆)
The University of Adelaide, School of Computer Science
HW6: Due Nov 26 23:59 To specify a corresponding Promela specification
The Spin Model Checker - Advanced Features
The University of Adelaide, School of Computer Science
CSE 503 – Software Engineering
HW6: Due Dec 20 23:59 To specify a corresponding Promela specification
Presentation transcript:

The University of Adelaide, School of Computer Science Computer Architecture A Quantitative Approach, Fifth Edition The University of Adelaide, School of Computer Science 22 February 2019 CDA 5416 Computer System Verification HW Review Instructor: Hao Zheng Department of Computer Science & Engineering University of South Florida Tampa, FL 33620 Email: haozheng@usf.edu Phone: (813)974-4757 Fax: (813)974-5456 Chapter 2 — Instructions: Language of the Computer

HW 4

Problem 2

Problem 3

Problem 4

HW 3

HW 2

Draw program graphs for two processes with id = {0,1}. Show an execution of the composed program graph. Build a Promela model for this algorithm with three processes.  Think about the type of channels that should be used. Format the relevant correctness requirement(s) using a separate process(es) and/or assertions in Promela.  Use the SPIN to check that the leader election model satisfies the correctness requirements.

C0 (c0) P1 P0 C1 (c1) 1 1 stop 2 /send(id0) /recv(c0) /send(c0) /send(id0) /recv(c0) /send(c0) 1 1 /recv(m0) m0<id0 stop 2 m0=id0 m0>id0/send(m0)

C0 P1 P0 C1 1 1 1 1 1 1 1 1 /<send(id0), recv(c1)> /<send(id0), recv(c1)> /<send(id1), recv(c0)> 1 1 1 1 /<send(id1), recv(c0)> /<send(id0), recv(c1)> 1 1 1 1

C0 P1 P0 C1 1 1 1 1 2 1 1 1 1 2 /<send(id1), recv(c0)> /<send(c0), recv(m0)> /<send(c1), recv(m1)> 2 1 1 1 1 2

C0 P1 P0 C1 chan C1 = [1] of {byte}; chan C2 = [1] of {byte};

:: m0<id0 -> goto stop :: m0>id0 -> C1 ! m0 fi od stop: } proctype P0() { byte m0; C1 ! id0; do :: C0 ? m0; if :: m0<id0 -> goto stop :: m0>id0 -> C1 ! m0 fi od stop: } /C1 ! id0 1 /C0 ? m0 m0<id0 stop 2 m0=id0 m0>id0/ C1 ! m0

HW 1

byte n = 0; active [2] proctype P() {     byte reg;     byte cnt = 0;     do      :: cnt == 10 -> break     :: else ->             reg = n;             reg++;             n = reg;             cnt++     od; } What are the largest and smallest values that n can be produced by the model upon termination?

byte n = 0; byte stop = 0; active [2] proctype P() {     byte reg;     byte cnt = 0;     do      :: cnt == 10 -> break     :: else ->             reg = n;             reg++;             n = reg;             cnt++     od; stop++; } /* passed  active proctype checker1() {         if          :: stop==2 -> assert (n <= 20);         fi } */ /* failed */ active proctype checker2()         :: stop==2 -> assert (n <= 19);

byte n = 0; byte stop = 0; active [2] proctype P() {     byte reg;     byte cnt = 0;     do      :: cnt == 10 -> break     :: else ->             reg = n;             reg++;             n = reg;             cnt++     od; stop++; } /* passed active proctype checker4() {         if          :: stop==2 -> assert (n >= 2);         fi } */ /* failed */         :: stop==2 -> assert (n >= 3);

byte n = 0; byte stop = 0; active [2] proctype P() { byte reg;     byte cnt = 0;     do      :: cnt == 10 -> break     :: else ->             reg = n;             reg++;             n = reg;             cnt++     od; stop++; }   1: proc  1 (p:1) a1_3.pml:12 (state 3) [else]   2: proc  1 (p:1) a1_3.pml:13 (state 4) [reg = n]   3: proc  1 (p:1) a1_3.pml:14 (state 5) [reg = (reg+1)] n = 0; reg0=0, cnt0=0, reg1=1, cnt1=0   4: proc  0 (p:1) a1_3.pml:12 (state 3) [else]   5: proc  0 (p:1) a1_3.pml:13 (state 4) [reg = n]   6: proc  1 (p:1) a1_3.pml:15 (state 6) [n = reg]   7: proc  1 (p:1) a1_3.pml:16 (state 7) [cnt = (cnt+1)] n = 1; reg0=0, cnt0=0, reg1=1, cnt1=1   8: proc  1 (p:1) a1_3.pml:12 (state 3) [else]   9: proc  1 (p:1) a1_3.pml:13 (state 4) [reg = n]  10: proc  1 (p:1) a1_3.pml:14 (state 5) [reg = (reg+1)] 11: proc  1 (p:1) a1_3.pml:15 (state 6) [n = reg]  12: proc  1 (p:1) a1_3.pml:16 (state 7) [cnt = (cnt+1)] n = 2; reg0=0, cnt0=0, reg1=2, cnt1=2 spin -p -t model.pml /* replay error trace “model.pml.trail” */

byte n = 0; byte stop = 0; active [2] proctype P() { byte reg;     byte cnt = 0;     do      :: cnt == 10 -> break     :: else ->             reg = n;             reg++;             n = reg;             cnt++     od; stop++; } n = 2; reg0=0, cnt0=0, reg1=2, cnt1=2  13: proc  1 (p:1) a1_3.pml:12 (state 3) [else]  14: proc  1 (p:1) a1_3.pml:13 (state 4) [reg = n]  15: proc  1 (p:1) a1_3.pml:14 (state 5) [reg = (reg+1)]  16: proc  1 (p:1) a1_3.pml:15 (state 6) [n = reg]  17: proc  1 (p:1) a1_3.pml:16 (state 7) [cnt = (cnt+1)]   n = 3; reg0=0, cnt0=0, reg1=3, cnt1=3 18: proc  1 (p:1) a1_3.pml:12 (state 3) [else]  19: proc  1 (p:1) a1_3.pml:13 (state 4) [reg = n]  20: proc  1 (p:1) a1_3.pml:14 (state 5) [reg = (reg+1)]  21: proc  1 (p:1) a1_3.pml:15 (state 6) [n = reg]  22: proc  1 (p:1) a1_3.pml:16 (state 7) [cnt = (cnt+1)]   n = 4; reg0=0, cnt0=0, reg1=4, cnt1=4

byte n = 0; byte stop = 0; active [2] proctype P() { byte reg;     byte cnt = 0;     do      :: cnt == 10 -> break     :: else ->             reg = n;             reg++;             n = reg;             cnt++     od; stop++; }   n = 4; reg0=0, cnt0=0, reg1=4, cnt1=4  23: proc  1 (p:1) a1_3.pml:12 (state 3) [else]  24: proc  1 (p:1) a1_3.pml:13 (state 4) [reg = n]  25: proc  1 (p:1) a1_3.pml:14 (state 5) [reg = (reg+1)]  26: proc  1 (p:1) a1_3.pml:15 (state 6) [n = reg]  27: proc  1 (p:1) a1_3.pml:16 (state 7) [cnt = (cnt+1)]   n = 5; reg0=0, cnt0=0, reg1=5, cnt1=5  28: proc  1 (p:1) a1_3.pml:12 (state 3) [else]  29: proc  1 (p:1) a1_3.pml:13 (state 4) [reg = n]  30: proc  1 (p:1) a1_3.pml:14 (state 5) [reg = (reg+1)]  31: proc  1 (p:1) a1_3.pml:15 (state 6) [n = reg]  32: proc  1 (p:1) a1_3.pml:16 (state 7) [cnt = (cnt+1)]   n = 6; reg0=0, cnt0=0, reg1=6, cnt1=6

byte n = 0; byte stop = 0; active [2] proctype P() { byte reg;     byte cnt = 0;     do      :: cnt == 10 -> break     :: else ->             reg = n;             reg++;             n = reg;             cnt++     od; stop++; }   n = 8; reg0=0, cnt0=0, reg1=8, cnt1=8 43: proc  1 (p:1) a1_3.pml:12 (state 3) [else]  44: proc  1 (p:1) a1_3.pml:13 (state 4) [reg = n]  45: proc  1 (p:1) a1_3.pml:14 (state 5) [reg = (reg+1)]  46: proc  1 (p:1) a1_3.pml:15 (state 6) [n = reg]  47: proc  1 (p:1) a1_3.pml:16 (state 7) [cnt = (cnt+1)]  48: proc  1 (p:1) a1_3.pml:12 (state 3) [else]   n = 9; reg0=0, cnt0=0, reg1=9, cnt1=9  49: proc  0 (p:1) a1_3.pml:14 (state 5) [reg = (reg+1)]  50: proc  0 (p:1) a1_3.pml:15 (state 6) [n = reg]   n = 1; reg0=1, cnt0=0, reg1=9, cnt1=9  51: proc  1 (p:1) a1_3.pml:13 (state 4) [reg = n]  52: proc  1 (p:1) a1_3.pml:14 (state 5) [reg = (reg+1)]   n = 1; reg0=1, cnt0=0, reg1=2, cnt1=9

byte n = 0; byte stop = 0; active [2] proctype P() { byte reg;     byte cnt = 0;     do      :: cnt == 10 -> break     :: else ->             reg = n;             reg++;             n = reg;             cnt++     od; stop++; }   n = 1; reg0=1, cnt0=0, reg1=2, cnt1=9 53: proc  0 (p:1) a1_3.pml:16 (state 7) [cnt = (cnt+1)]   n = 1; reg0=1, cnt0=1, reg1=2, cnt1=9  54: proc  0 (p:1) a1_3.pml:12 (state 3) [else]  55: proc  0 (p:1) a1_3.pml:13 (state 4) [reg = n]  56: proc  0 (p:1) a1_3.pml:14 (state 5) [reg = (reg+1)]  57: proc  0 (p:1) a1_3.pml:15 (state 6) [n = reg]  58: proc  0 (p:1) a1_3.pml:16 (state 7) [cnt = (cnt+1)]   n = 2; reg0=2, cnt2=2, reg1=2, cnt1=9  59: proc  0 (p:1) a1_3.pml:12 (state 3) [else]  60: proc  0 (p:1) a1_3.pml:13 (state 4) [reg = n]  61: proc  0 (p:1) a1_3.pml:14 (state 5) [reg = (reg+1)]  62: proc  0 (p:1) a1_3.pml:15 (state 6) [n = reg]  63: proc  0 (p:1) a1_3.pml:16 (state 7) [cnt = (cnt+1)]   n = 3; reg0=3, cnt0=3, reg1=2, cnt1=9

byte n = 0; byte stop = 0; active [2] proctype P() { byte reg;     byte cnt = 0;     do      :: cnt == 10 -> break     :: else ->             reg = n;             reg++;             n = reg;             cnt++     od; stop++; }   n = 3; reg0=3, cnt0=3, reg1=2, cnt1=9 64: proc  0 (p:1) a1_3.pml:12 (state 3) [else]  65: proc  0 (p:1) a1_3.pml:13 (state 4) [reg = n]  66: proc  0 (p:1) a1_3.pml:14 (state 5) [reg = (reg+1)]  67: proc  0 (p:1) a1_3.pml:15 (state 6) [n = reg]  68: proc  0 (p:1) a1_3.pml:16 (state 7) [cnt = (cnt+1)]   n = 4; reg0=4, cnt0=4, reg1=2, cnt1=9  69: proc  0 (p:1) a1_3.pml:12 (state 3) [else]  70: proc  0 (p:1) a1_3.pml:13 (state 4) [reg = n]  71: proc  0 (p:1) a1_3.pml:14 (state 5) [reg = (reg+1)]  72: proc  0 (p:1) a1_3.pml:15 (state 6) [n = reg]  73: proc  0 (p:1) a1_3.pml:16 (state 7) [cnt = (cnt+1)]   n = 5; reg0=5, cnt0=5, reg1=2, cnt1=9

byte n = 0; byte stop = 0; active [2] proctype P() { byte reg;     byte cnt = 0;     do      :: cnt == 10 -> break     :: else ->             reg = n;             reg++;             n = reg;             cnt++     od; stop++; }   n = 5; reg0=5, cnt0=5, reg1=2, cnt1=9  74: proc  0 (p:1) a1_3.pml:12 (state 3) [else]  75: proc  0 (p:1) a1_3.pml:13 (state 4) [reg = n]  76: proc  0 (p:1) a1_3.pml:14 (state 5) [reg = (reg+1)]  77: proc  0 (p:1) a1_3.pml:15 (state 6) [n = reg]  78: proc  0 (p:1) a1_3.pml:16 (state 7) [cnt = (cnt+1)]   n = 6; reg0=6, cnt0=6, reg1=2, cnt1=9  79: proc  0 (p:1) a1_3.pml:12 (state 3) [else]  80: proc  0 (p:1) a1_3.pml:13 (state 4) [reg = n]  81: proc  0 (p:1) a1_3.pml:14 (state 5) [reg = (reg+1)]  82: proc  0 (p:1) a1_3.pml:15 (state 6) [n = reg]  83: proc  0 (p:1) a1_3.pml:16 (state 7) [cnt = (cnt+1)]   n = 7; reg0=7, cnt0=7, reg1=2, cnt1=9

byte n = 0; byte stop = 0; active [2] proctype P() { byte reg;     byte cnt = 0;     do      :: cnt == 10 -> break     :: else ->             reg = n;             reg++;             n = reg;             cnt++     od; stop++; }   n = 7; reg0=7, cnt0=7, reg1=2, cnt1=9  84: proc  0 (p:1) a1_3.pml:12 (state 3) [else]  85: proc  0 (p:1) a1_3.pml:13 (state 4) [reg = n]  86: proc  0 (p:1) a1_3.pml:14 (state 5) [reg = (reg+1)]  87: proc  0 (p:1) a1_3.pml:15 (state 6) [n = reg]  88: proc  0 (p:1) a1_3.pml:16 (state 7) [cnt = (cnt+1)]    n = 8; reg0=8, cnt0=8, reg1=2, cnt1=9 89: proc  0 (p:1) a1_3.pml:12 (state 3) [else]  90: proc  0 (p:1) a1_3.pml:13 (state 4) [reg = n]  91: proc  0 (p:1) a1_3.pml:14 (state 5) [reg = (reg+1)]  92: proc  0 (p:1) a1_3.pml:15 (state 6) [n = reg]  93: proc  0 (p:1) a1_3.pml:16 (state 7) [cnt = (cnt+1)]   n = 9; reg0=9, cnt0=9, reg1=2, cnt1=9

byte n = 0; byte stop = 0; active [2] proctype P() { byte reg;     byte cnt = 0;     do      :: cnt == 10 -> break     :: else ->             reg = n;             reg++;             n = reg;             cnt++     od; stop++; }   n = 9; reg0=9, cnt0=9, reg1=2, cnt1=9  94: proc  0 (p:1) a1_3.pml:12 (state 3) [else]  95: proc  0 (p:1) a1_3.pml:13 (state 4) [reg = n]  96: proc  0 (p:1) a1_3.pml:14 (state 5) [reg = (reg+1)]  97: proc  0 (p:1) a1_3.pml:15 (state 6) [n = reg]    n = 10; reg0=10, cnt0=9, reg1=2, cnt1=9 98: proc  1 (p:1) a1_3.pml:15 (state 6) [n = reg]  99: proc  1 (p:1) a1_3.pml:16 (state 7) [cnt = (cnt+1)] 100: proc  1 (p:1) a1_3.pml:11 (state 1) [((cnt==10))] 101: proc  1 (p:1) a1_3.pml:18 (state 11) [stop = (stop+1)] n = 2; reg0=9, cnt0=9, reg1=2, cnt1=10; stop=1

byte n = 0; byte stop = 0; active [2] proctype P() { byte reg;     byte cnt = 0;     do      :: cnt == 10 -> break     :: else ->             reg = n;             reg++;             n = reg;             cnt++     od; stop++; } n = 2; reg0=9, cnt0=9, reg1=2, cnt1=10; stop=1 102: proc  0 (p:1) a1_3.pml:16 (state 7) [cnt = (cnt+1)] 103: proc  0 (p:1) a1_3.pml:11 (state 1) [((cnt==10))] 104: proc  0 (p:1) a1_3.pml:18 (state 11) [stop = (stop+1)] n = 2; reg0=9, cnt0=10, reg1=2, cnt1=10; stop=2 105: proc  2 (checker4:1) a1_3.pml:71 (state 1) [((stop==2))] 106: proc  2 (checker4:1) a1_3.pml:71 (state 2) [assert((n>=3))]

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.