Wishnu Prasetya Model Checking with SPIN Modeling and Verification with SPIN.

Slides:



Advertisements
Similar presentations
1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.
Advertisements

The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.
1 Data Link Protocols By Erik Reeber. 2 Goals Use SPIN to model-check successively more complex protocols Using the protocols in Tannenbaums 3 rd Edition.
The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.
Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
Global States.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Formalization of Health Information Portability and Accountability Act (HIPAA) Simon Berring, Navya Rehani, Dina Thomas.
CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,
1 MODULE name (parameters) “Ontology” “Program” “Properties” The NuSMV language A module can contain modules Top level: parameters less module Lower level.
UPPAAL Introduction Chien-Liang Chen.
Formal verification in SPIN Karthikeyan Bhargavan, Davor Obradovic CIS573, Fall 1999.
/ PSWLAB P ROMELA Semantics from “THE SPIN MODEL CHECKER” by G. J. Holzmann Presented by Hong,Shin 5 th Oct :021PROMELA Semantics.
An Overview of PROMELA. A protocol Validation Language –A notation for the specification and verification of procedure rules. –A partial description of.
תרגול 9 META LABELS. Basic types of claims State properties.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
Chapter 3 The Critical Section Problem
The Spin Model Checker Promela Introduction Nguyen Tuan Duc Shogo Sawai.
1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.
1 Spin Model Checker Samaneh Navabpour Electrical and Computer Engineering Department University of Waterloo SE-464 Summer 2011.
Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.
© 2011 Carnegie Mellon University SPIN: Part Bug Catching: Automated Program Verification and Testing Sagar Chaki November 2, 2011.
© 2011 Carnegie Mellon University SPIN: Part Bug Catching: Automated Program Verification and Testing Sagar Chaki October 31, 2011.
Temporal Logic Model- checking with SPIN COMP6004 Stéphane Lo Presti Part 4: Specifications.
Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.
1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker.
CS 290C: Formal Models for Web Software Lecture 4: Model Checking Navigation Models with Spin Instructor: Tevfik Bultan.
Cheng/Dillon-Software Engineering: Formal Methods Model Checking.
CSE 486/586 CSE 486/586 Distributed Systems PA Best Practices Steve Ko Computer Sciences and Engineering University at Buffalo.
Wishnu Prasetya Model Checking with SPIN A Bit More about SPIN.
Correctness requirements. Basic Types of Claims Basic assertions End-state labels Progress-state labels Accept-state labels Never claims Trace assertions.
Scientific Computing By: Fatima Hallak To: Dr. Guy Tel-Zur.
Korea Advanced Institute of Science and Technology The Spin Model Checker - Advanced Features Moonzoo Kim CS Dept. KAIST.
Sept COMP60611 Fundamentals of Parallel and Distributed Systems Lecture 15 More Advanced Program Properties: Temporal logic and jSpin John Gurd,
Concurrency. A process is a program executing on a virtual computer Processor speed and multiplexing of shared resources are ignored Order of thread execution.
MODEL CHECKING WITH SPIN MODELING AND VERIFICATION WITH SPIN ANDREA ORLANDINI – ISTC (CNR) TexPoint fonts used in EMF. Read the TexPoint manual before.
Today’s Agenda  Quiz 4 next Tuesday  Quick Review  Continue on SPIN Overview.
The Complexity of Distributed Algorithms. Common measures Space complexity How much space is needed per process to run an algorithm? (measured in terms.
Radu Iosif Introduction to SPIN Radu Iosif
CIS 842: Specification and Verification of Reactive Systems Lecture SPIN-Soldiers: Soldiers Case Study Copyright , Matt Dwyer, John Hatcliff,
Temporal Logic Model-checking with SPIN
The Spin Model Checker : Part I Moonzoo Kim KAIST.
CIS 842: Specification and Verification of Reactive Systems Lecture INTRO-Examples: Simple BIR-Lite Examples Copyright 2004, Matt Dwyer, John Hatcliff,
Hwajung Lee. Well, you need to capture the notions of atomicity, non-determinism, fairness etc. These concepts are not built into languages like JAVA,
Hwajung Lee. Why do we need these? Don’t we already know a lot about programming? Well, you need to capture the notions of atomicity, non-determinism,
/ PSWLAB S PIN Search Optimization from “THE SPIN MODEL CHECKER” by G. Holzmann Presented by Hong,Shin 23 th Nov SPIN Search.
Lecture 4 Introduction to Promela. Promela and Spin Promela - process meta language G. Holzmann, Bell Labs (Lucent) C-like language + concurrency dyamic.
Alternating Bit Protocol Protocol for simplex data-transfer channel: data flows from sender to receiver control flows in both directions the transfer medium.
Software Systems Verification and Validation Laboratory Assignment 4 Model checking Assignment date: Lab 4 Delivery date: Lab 4, 5.
Presented by: Belgi Amir Seminar in Distributed Algorithms Designing correct concurrent algorithms Spring 2013.
1 Chapter 11 Global Properties (Distributed Termination)
Today’s Agenda  Quiz 4  Temporal Logic Formal Methods in Software Engineering1.
Sept COMP60611 Fundamentals of Parallel and Distributed Systems Lecture 9 Promela, jSpin and the problem of Interference John Gurd, Graham Riley.
Wishnu Prasetya Model Checking with SPIN Modeling and Verification with Promela.
CSE 555 Protocol Engineering Dr. Mohammed H. Sqalli Computer Engineering Department King Fahd University of Petroleum & Minerals Credits: Dr. Abdul Waheed.
November COMP60621 Designing for Parallelism Lecture 14 Deadlock + Channels in Promela John Gurd, Graham Riley Centre for Novel Computing School.
Formal verification in SPIN
CSE 503 – Software Engineering
COMP60611 Fundamentals of Parallel and Distributed Systems
An explicit state model checker
Concurrency Specification
The Spin Model Checker - Advanced Features
COMP60621 Designing for Parallelism
An explicit state model checker
A Refinement Calculus for Promela
CSE 555 Protocol Engineering
The Spin Model Checker - Advanced Features
CSE 503 – Software Engineering
Presentation transcript:

Wishnu Prasetya Model Checking with SPIN Modeling and Verification with SPIN

Overview Architecture & a bit more about SPIN SPIN’s modeling language Examples of models in SPIN Acknowledgement: some slides are taken and adapted from Theo Ruys’s SPIN Tutorials. 2

Spin and Promela SPIN = Simple Promela Interpreter Promela = Process Meta Language Is a modelling language! (not a language to build an application) Strong features : Powerful constructs to synchronize concurrent processes Cutting edge model checking technology Simulation to support analysis (of the models) 3

(i)SPIN Architecture LTL Translater spin Simulator Verifier Generator spin command line tool random guided interactive ispin ϕ deadlocks safety properties liveness properties Promela model M editing window simulation options verification options MSC simulation window C program checker pan.* pan.exe counter example false 4

Command line mode Simulate: spin model.pml Intersect: spin –a model.pml Compile: cc pan.c Verify: a.exe Debug: spin –t –c model.pml 5 #define N 4 byte x[N] ; proctype P(byte i) { do :: x[i-1] != x[i] -> x[i] = x[i-1] ; od } init { run P(0) ; run P(1)} ltl p0 { <>(x[0]=x[1]) }

Frontend XSpin 6

System, process, and action. A system in SPIN consists of a set of interacting and concurrent processes. Each process is sequential, but possibly non- deterministic. Each process is built from atomic actions (transition). Concurrent execution is modeled by interleaving. Fairness can be impossed. 7

Example 8 byte x = 1 ; active proctype P1() { x++ ; assert (x==2) ; } active proctype P2() { x-- ; } (using a global variable to interact)

Interleaving model of concurrency Consider (with pseudo notation): Concurrent execution of P||Q has the same effect as interleaving execution : 9 P : x++ y++ Q :

Interleaving model of concurrency What if they operate on the same variables ? Assume each arrow is atomic. An execution of P||Q abstractly proceeds as one of these paths : 10 P : x++ print x Q :

Degree of atomicity Whether it is reasonable to model a statement as ‘atomic’, depends on your situation. x++usually no problem x>0  y:=xok, if we can lock both x and y 0  S  found:=true....? 11

Data types Bit0,1 Booltrue, false Byte Short Int Pid Mtype0..255// user-def. enumeration Chan One dimensional array Record 12

What you don’t have… No sophisticated data types No methods ; you have macros There are only 2 levels of scope: global var (visible in the entire sys) local var (visible only to the process that contains the declaration) there is no inner blocks 13

(Enabledness) Expression This process has 3 atomic actions. The action “y==0” only enabled in a state where the expression is true it can only be executed when it is enabled; the effect is skip so, as long as it is disabled, the process will block if it is not enabled in the current state, a transition in another process may make it enabled in the next state. even if it is enabled in the current state, there is no guarantee the action will be selected for execution; but there is a way in SPIN to impose fairness. active proctype P { x++ ; (y==0) ; x-- } 14

Example Use it to synchronize between processes : // both will terminate, but forcing Q to finish last byte x=0, y=0 active proctype P { x++ ; (y>0) ; x-- } active proctype Q { (x>0) ; y++ ; (x==0) ; y-- } 15

Multiprogramming is tricky…. E.g. one or more processes can become stuck (deadlocked) : (6 potential executions…) byte x=0, y=0 active proctype P { x++ ; (y>0) ; x-- ; (y==0) } active proctype Q { y++ ; (x>0) ; (x==0) ; y-- } 16

Processes can also synchronize with channels chan c = [3] of {byte} ; active proctype producer() { do :: c ! 0 od } active proctype consumer() { do :: c ? x od } 17

Channels for exchanging messages between processes finite sized and asynchronously, unless you set it to size 0  synchronous channel Syntax : c ! 0 sending over channel c; blocking if c is full c ? x receives from c, transfer it to x; blocking if c is empty d ? DATA, b, y match and receives There are some more exotic channel operations : checking empty/full, testing head-value, copying instead of receiving, sorted send, random receive...  check out the Manual chan c = [0] of {bit}; chan d = [2] of {mtype, bit, byte}; chan e[2] = [1] of {bit}; chan c = [0] of {bit}; chan d = [2] of {mtype, bit, byte}; chan e[2] = [1] of {bit}; 18 mtype = { DATA, ack }

Conditional if :: stmt 1 :: … :: stmt n fi if :: stmt 1 :: … :: stmt n fi 19 The alternatives do not have to be atomic! The first action in an alternative acts as its “guard”, which determines if the alternative is enabled on a given state. Non-deterministically choose one enabled alternatives. If there is none, the entire IF blocks. “else” is a special expression that is enabled if all other alternatives block. if :: stmt 1 :: … :: else -> … fi if :: stmt 1 :: … :: else -> … fi

loop : do-statement Non-deterministic, as in IF If no alternative is enabled, the entire loop blocks. Loop on forever, as long as there are enabled alternatives when the block cycle back. To exit you have explicitly do a break. do :: stmt 1 :: … :: stmt n od do :: stmt 1 :: … :: stmt n od 20

Non-determinism can be useful for modeling 21 active proctype consumer() { do :: c ? x ; :: c ? x ; x=corrupted ; // to model occasional corrupted data od }

Exiting a loop do :: (i>0)  i-- :: (i==0)  break do do :: { (i>0) ; i-- } :: { (i==0) ; break } do 22 do :: { i-- ; (i>0) } :: break do

Label and jump Labels can also be useful in specification, e.g. <> Referring to labels as above goes actually via a mechanism called “remote reference”, which can also be used to inspect the value of local variables for the purpose of specification. L0: (x==0) ; if :: … goto L0 ; :: … fi L0: (x==0) ; if :: … goto L0 ; :: … fi 23

Expressing local correctness with assertions active proctype P … active proctype Q { …; assert (x==0 && y==0) } 24 (here it implies that when Q terminates, x and y should be 0)

But we can also express global invariant! Thanks to built-in non-determinism in the interleaving semantics, we can also use assertion to specify a global invariant ! // implying that at any time during the run x is either 0 or 1 byte x=0, y=0 active proctype P { x++ ; (y>0) ; x-- } active proctype Q { (x>0) ; y++ ; (x==0) ; y--} active proctype Monitor { assert ((x==0 || x==1)) } byte x=0, y=0 active proctype P { x++ ; (y>0) ; x-- } active proctype Q { (x>0) ; y++ ; (x==0) ; y--} active proctype Monitor { assert ((x==0 || x==1)) } 25

(Global) Deadlock checking When a system comes to a state where it has no enabled transition, but one of its processes is not in its terminal (end) state: Deadlocked, will be reported by SPIN But sometimes you want to model that this is ok  suppress it via the invalid-endstate option. The terminal state of a process P is by default just P’s textual end of code. You can specify additional terminal states by using end-label: Of the form “end_1”, “end_blabla” etc 26

Expressing progress requirement We can mark some states as progress states Using “progress*” labels Any infinite execution must pass through at least one progress label infinitely many often; else violation. We can ask SPIN (with an option) to verify no such violation exists ( non-progress cycles option). 27

Dining philosophers N philosophers Each process: 1. grab left and right fork simultaneously 2. eat release forks 4. think then go back to 1 28

“Simplistic” philisopher in Promela 29 #define N 4 byte fork[N] ; bool eating[N] ; proctype P(byte i) { do :: (fork[i] == N && fork[(i + 1) % N] == N) -> { fork[i] = i fork[(i + 1) % N] = i ; eating[i] = 1 ;// eat... eating[i] = 0 ; fork[i] = N ; fork [(i + 1) % N]= N } od } Why use bytes ? Should we enable the default end- state checking? How to instantiate the P(i)’s ? Ehm... this is not correct ! atomic {..... }

Creating processes and init { … } 30 init { byte i ;... // initialize forks i = 0 ; do :: i { run P(i) ; i++ ; } :: i>=N -> break ; od } Put this in atomic { … } ; Be aware of what it means!

How to express the specification? 31 assert (fork[i] == i && fork[(i+1)%N]== i) proctype P(byte i) { do :: { atomic {(fork[i] == N && fork[(i + 1) % N] == N) ; fork[i] = i ; fork[(i + 1) % N] = i } ; eating[i] = 1 ; eating[i] = 0 ; fork[i] = N ; fork [(i + 1) % N]= N } od }

Using a “monitor” process 32 active proctype monitor() { byte i ; i = 0 ; do :: i>=N -> break ; :: i { assert(!eating[i] || (fork[i]==i && fork[i+1%N]==i)) ; i++ ; } od } But we still can’t express that if a process is “hungry”, it will eventually eat. Using progress labels does not seem sufficient either. For more general temporal specification, use of LTL formulas.

Example: Alternating bit protocol imperfect “connections”, but corrupted data can be detected (e.g. with checksum etc). Possible solution: send data, wait for a positive acknowledgement before sending the next one. Just 1 bit is needed for the ack, hence the “bit” in the name. sender receiver 33

You can think of several ways to work it out... A note on reliable full-duplex transmission over half- duplex links, K. A. Bartlett, R. A. Scantlebury, P. T. Wilkinson, Communications of the ACM, Vol 12, NPL Protocol M<2 Protocol (we’ll discuss this one) For more, check out: e.g. Go-Back-N Sliding Window Protocol 34

M<2 Protocol, Sender part State 1 is the starting state, and its accepting state in the sense when the sender is in this state, it assumes the last data package it sent has been successfully received by the receiver, and so it fetches a new data package to send !1,data ? error !0,data // Sender wants to resend ? 0 // Receiver wants Sender to resend ?1 !1,data Fetch a new data. 35

M<2 Protocol, Receiver part !0 // request Sender to resend ?0,rd // Sender wants Receiver to resend !1 ?1,rd ? error !1 36

Scenario: 1x error, corrected !1,data ? error !0,data // Sender wants to resend ?0 // Receiver wants S to resend ?1 !1,data Fetch a new data !0 // request Sender to resend ?0,rd // Sender wants R to resend !1 ?1,rd ? error !1 Though each automaton is simple, the combined (and concrete) behavior is quite complex;  100 states in my (abstract) SPIN model (there are more explicit states, if we take the “data” into account). 37

Modeling in Promela 38 chan S2R = [BufSize] of { bit, byte } ; chan R2S = [BufSize] of { bit } ; proctype Sender (chan in, chan out) { … } proctype Receiver(chan in, chan out) { … } init { run Sender(R2S, S2R) ; run Receiver(S2R, R2S) }

Modelling in SPIN proctype Receiver(chan in, out) { show byte rd ; /* received data */ show bit cbit ; /* control bit */ do :: in ? cbit, rd ; if :: (cbit == 1) -> out!1 :: (cbit == 0) -> out!1 :: printf("MSC: ERROR1\n") ; out!0 fi od } proctype Receiver(chan in, out) { show byte rd ; /* received data */ show bit cbit ; /* control bit */ do :: in ? cbit, rd ; if :: (cbit == 1) -> out!1 :: (cbit == 0) -> out!1 :: printf("MSC: ERROR1\n") ; out!0 fi od } So, how big the channels should be? Is 0 good enough ? 39

A different style, with “goto” proctype Sender(chan in, out) { show byte data ; /* message data */ show bit cbit ; /* received control bit */ S1: data = (data+1) % MAX ; out!1,data ; goto S2; S2: in ? cbit ; if :: (cbit == 1) -> goto S1 :: (cbit == 0) -> goto S3 :: printf("MSC: AERROR1\n") -> goto S4 fi ; S3: out!1,data ; goto S2 ; S4: out!0,data ; goto S2 ; } 40

Specification, with assertions? This time, not possible with assertions (at least not without the help of ‘something else’). In LTL (to be discussed later), we can try something along this line : But this still does not quite express the above. Each data package, if accepted by the receiver, is accepted exactly once! 41   ==

Specification, using shadow variables Extend the model with ‘shadow variables’ Are used purely for expressing specifications Must not influence the original behavior In our case: exploit that sender generates new data by data+1 introduce a shadow variable “last”  previously accepted data Impose this assertion on the acceptance state (of Receiver): Each data package, if accepted by the receiver, is accepted exactly once! 42 current data to be accepted = last + 1

Extending the model proctype Receiver(chan in, out) { show byte rd ; /* received data */ show bit cbit ; /* control bit */ do :: in?cbit,rd ; progress: if :: (cbit == 1) -> out!1 :: (cbit == 0) -> out!1 :: printf("MSC: ERROR1\n") ; out!0 fi od } proctype Receiver(chan in, out) { show byte rd ; /* received data */ show bit cbit ; /* control bit */ do :: in?cbit,rd ; progress: if :: (cbit == 1) -> out!1 :: (cbit == 0) -> out!1 :: printf("MSC: ERROR1\n") ; out!0 fi od } show byte last assert (rd == (last+1) % MAX) ; last = rd ; This is the Receiver’s accepting state S3 43

2x successive errors !1,data ? error !0,data // Sender wants to resend ?0 // Receiver wants S to resend ?1 !1,data Fetch a new data !0 // request Sender to resend ?0,rd // Sender wants R to resend !1 ?1,rd ? error !1 Ouch… 44

Ok... but suppose we still want to verify these: 45 But, if error does not occur twice successively then: every pck sent, if accepted, is accepted exactly once. If no error occur, every data sent will eventually be accepted. The first can be expressed simply by constraining the model how it simulates error), by putting the constraint in LTL, to specify the kind of executions we want to consider. The 2 nd one can’t be expressed with just assertions and shadow variables. Alternative: LTL.

More on Promela 46

Exception/Escape S unless E Statement! Not to be confused with LTL “unless”. If E ever becomes enabled during the execution of S, then S is aborted and the execution continues with E. More precisely… check manual. 47

Predefined variables in Promela _pid (local var) current process’ instantiation number _nr_pr the number of active processes np_ true when the model is not in a “progress state” _last the pid of process that executed last else true if no statement in the current process is executable timeout true if no statement in the system is executable … 48

Timeout timeout useful as a mechanism to avoid deadlock beware of statements that are always executable. do :: c ? x ... :: timeout  break od do :: c ? x ... :: timeout  break od 49