1 Spin Model Checker Samaneh Navabpour Electrical and Computer Engineering Department University of Waterloo SE-464 Summer 2011

2 Common Design Flaws Deadlock Livelock, Starvation Under-specification Over-specification Violation of Constraints Etc. Most of the errors caused by these flaws can be detected by model checking.

3 Model Checking and Spin Model Checking:  Is an automated technique that, given a finite model of a system and a logical property, systematically checks whether this property holds for that model. Spin is a well known classical model checker.  Aims towards concurrent systems  Only checks functional properties  Does not model real-time, but is capable of modeling timeouts. Design Abstract Verification Model Implementation Model Checker abstraction refinement

4 Material which needs to be covered Spin Architecture  We wont cover JSpin  How to install  How to use it Promela  Basic building blocks

5 jSpin Install  Create a directory for mingw, and install mingw in that directory.  Create separate directory for Jspin. Download executable for Jspin in directory, and run executable. Running jSpin  -javaw –jar jSpin.jar (with optional Promela file). Demo jspin

6 jSpin Check  Runs a syntax check. Random  Runs a random simulation. Interactive  Runs an interactive simulation. Guided  Runs a guided simulation using the trail file created by the execution of the analyzer.

Verification with jSpin With LTL formulas:  formula must be converted to an automaton written as a Promela never claim.  Remember to do Translate.  Translated LTL formula's will be saved in a *.ltl file.  Original LTL formulas can be saved in*.prp. 7

Verification with jSpin Without LTL formulas:  Safety Properties Using assertions  Acceptance cycles: Testing for acceptance cycles is generally testing for the absence of unwanted infinite behavior. Acceptance cycle is a cycle that infinitely often visits an acceptance state.  Non-Progress cycles: Progress is the guarantee of wanted infinite behavior. Non-progress cycle is a cycle that does not visit a progress state infinitely often. 8

Promela Promela consists of:  Processes Describes the behavior of the system.  Channels Define the environment in which the processes run.  Variables Define the environment in which the processes run. The scope of a variable is global if it is declared outside all process declarations, and local if it is declared within a process declaration. 9

10 Promela Statements in Promela: Are all conditional: A statement will only be executed if the condition of its execution is satisfied. Hence:  Statement is either Executable or Blocked. Example: (a == b) is similar to While(a != b) { // Skip } Promela cant have unbounded  Data, Channels, Processes, Process Creation.

11 Promela-variables Basic Types:  Bit  Bool  Byte  Short  Int Arrays  Byte test[9] Record  Typedef test {int test1, byte test2}

12 Promela-variables Message type mtype  mtype {int, byte} Channels  chan toR = [6] of {mtype, bit} Global Variables Variables can be given values by: assignment, argument passing and message passing.

13 Promela-processes Processes Can be created by run or active. Can be created at any point. Processes can interact via channels or global variables. The run statement can pass parameter values of all basic data types to the new process. byte state; active [2] proctype P() { (state == 1) -> state = 3 } name numberexecution proctype P() { … } Init{ Int pid2 = run P(); } OR

14 Promela- Advanced Topics atomic:  Statements in atomic are executed as one indivisible unit, non- interleaved with any other processes. d_step:  Similar to atomic  Does not save intermediate states  Can not contain non-determinism or blocking statements proctype P() { atomic { (state==1) -> state = state+1 }

15 Promela-Statements If-statement: If more than one guard is satisfied, we have non- determinism. If all guards are un-executable the process will block until at least one of them can be selected. There is no restriction on the type of statements that can be used as a guard. if :: (a >= b ) -> Stmt1 ; Stmt2 ; … :: (a Stmt3 ; Stmt4 ; … :: (a == b ) -> Stmt5 ; Stmt6 ; … :: else -> Stmt7 fi if :: count = count + 1 :: count = count – 1 fi if :: count = count + 1 :: count = count – 1 fi

16 Promela-Statements Do-statement Same as if-statement, only in a while loop. do :: (a >= b ) -> Stmt1 ; Stmt2 ; … :: (a Stmt3 ; Stmt4 ; … :: (a == b ) -> Stmt5 ; Stmt6 ; … :: else -> Stmt7 od do :: count = count + 1 :: count = count – 1 :: (count == 0) -> break od do :: count = count + 1 :: count = count – 1 :: (count == 0) -> break od

Promela-Communication Processes can communicate in two ways:  Global variables  Channels: chan = [ ] of {,,.., }  Example: chan toR = [2] of {int, int} Asynchronously : dimension > 0 Synchronously : dimension = 0 Actions:  Sending : ch !,..,  Receiving: ch ? var_1,..,var_n If send and receive can not happen, process will block. 17 toR!(1,5) ……. toR?(x1,x2) toR!(1,5) ……. toR?(x1,x2)

18 Promela-Statements Special Statements:  goto  skip: same as 1 or true,  run  assert ( ) check whether certain properties hold. Gives an error if violated.

19 Promela- Advanced Topics Timeout  Promela has no real-time features  The timeout statement can only be executed when no other statement in the system can be executed  Can help get out of deadlock  The timeout models a special condition that allows a process to abort the waiting for a condition that may never become true, e.g. an input from an empty channel.  Example: do :: guard1 -> Stmt1; … :: timeout -> break ;… od

20 Conclusion Spin is suitable for concurrent systems Can not model time JSpin is easy to install and use via the graphical interface Promela is similar to C, therefore easy to cope with. Beware of state explosion Need basic knowledge of LTL.

21 References Spin official page  Spin online tutorials  Jspin  Erigone 