1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.

Slides:



Advertisements
Similar presentations
Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.
Advertisements

Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.
Model Checking and Testing combined
Black Box Checking Book: Chapter 9 Model Checking Finite state description of a system B. LTL formula. Translate into an automaton P. Check whether L(B)
Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.
Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
Global States.
A Survey of Runtime Verification Jonathan Amir 2004.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea
Part 3: Safety and liveness
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,
Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.
UPPAAL Introduction Chien-Liang Chen.
Formal verification in SPIN Karthikeyan Bhargavan, Davor Obradovic CIS573, Fall 1999.
תרגול 9 META LABELS. Basic types of claims State properties.
PSWLAB S PIN Search Algorithm from “THE SPIN MODEL CHECKER” by G Holzmann Presented by Hong,Shin 9 th Nov SPIN Search Algorithm.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
Sept COMP60611 Fundamentals of Parallel and Distributed Systems Lecture 12 The Critical Section problem John Gurd, Graham Riley Centre for Novel.
The Spin Model Checker Promela Introduction Nguyen Tuan Duc Shogo Sawai.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
1 Spin Model Checker Samaneh Navabpour Electrical and Computer Engineering Department University of Waterloo SE-464 Summer 2011.
1 Temporal Logic u Classical logic:  Good for describing static conditions u Temporal logic:  Adds temporal operators  Describe how static conditions.
Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.
© 2011 Carnegie Mellon University SPIN: Part Bug Catching: Automated Program Verification and Testing Sagar Chaki November 2, 2011.
CSE 555 Protocol Engineering Dr. Mohammed H. Sqalli Computer Engineering Department King Fahd University of Petroleum & Minerals Credits: Dr. Abdul Waheed.
Temporal Logic Model- checking with SPIN COMP6004 Stéphane Lo Presti Part 4: Specifications.
1 Wednesday, June 28, 2006 Command, n.: Statement presented by a human and accepted by a computer in such a manner as to make the human feel that he is.
Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.
1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker.
Temporal Logic and Model Checking. Reactive Systems We often classify systems into two types: Transformational: functions from inputs available at the.
Review of the automata-theoretic approach to model-checking.
ESE601: Hybrid Systems Introduction to verification Spring 2006.
LTL – model checking Jonas Kongslund Peter Mechlenborg Christian Plesner Kristian Støvring Sørensen.
Flavio Lerda 1 LTL Model Checking Flavio Lerda. 2 LTL Model Checking LTL –Subset of CTL* of the form: A f where f is a path formula LTL model checking.
1 Temporal Logic-Overview FM Temporal Logic u Classical logic: Good for describing static conditions u Temporal logic: Adds temporal operators Describe.
1 Carnegie Mellon UniversitySPINFlavio Lerda Bug Catching SPIN An explicit state model checker.
Cheng/Dillon-Software Engineering: Formal Methods Model Checking.
Wishnu Prasetya Model Checking with SPIN A Bit More about SPIN.
Correctness requirements. Basic Types of Claims Basic assertions End-state labels Progress-state labels Accept-state labels Never claims Trace assertions.
CIS 842: Specification and Verification of Reactive Systems Lecture Specifications: Sequencing Properties Copyright , Matt Dwyer, John Hatcliff,
Sept COMP60611 Fundamentals of Parallel and Distributed Systems Lecture 15 More Advanced Program Properties: Temporal logic and jSpin John Gurd,
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Temporal Logic Model-checking with SPIN
2015 Concurrency: logical properties 1 ©Magee/Kramer 2 nd Edition Chapter 14 Logical Properties Satisfied? Not satisfied?
VIS Technology Transfer Course Session 7 Fairness Constraints and Monitors Serdar Tasiran.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Lecture 4 Introduction to Promela. Promela and Spin Promela - process meta language G. Holzmann, Bell Labs (Lucent) C-like language + concurrency dyamic.
1 Temporal logic. 2 Prop. logic: model and reason about static situations. Example: Are there truth values that can be assigned to x,y simultaneously.
Software Systems Verification and Validation Laboratory Assignment 4 Model checking Assignment date: Lab 4 Delivery date: Lab 4, 5.
Today’s Agenda  Quiz 4  Temporal Logic Formal Methods in Software Engineering1.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Model Checking Lecture 2. Model-Checking Problem I |= S System modelSystem property.
Model Checking Lecture 2 Tom Henzinger. Model-Checking Problem I |= S System modelSystem property.
CSE 555 Protocol Engineering Dr. Mohammed H. Sqalli Computer Engineering Department King Fahd University of Petroleum & Minerals Credits: Dr. Abdul Waheed.
15-820A 1 LTL Model Checking A Flavio Lerda.
Formal verification in SPIN
Formal Methods in software development
An explicit state model checker
Linear Time Properties
Translating Linear Temporal Logic into Büchi Automata
Introduction to verification
Formal Methods in software development
COMP60621 Designing for Parallelism
CIS 720 Lecture 3.
CIS 720 Lecture 3.
CSE 503 – Software Engineering
Presentation transcript:

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually happen need to check infinite behaviours – e.g. progression Three types of reasoning in SPIN: assertions process and system invariants proctype monitor {assert (invariant)} run monitor, run process1, run process2;... validation labels temporal claims (Linear Temporal Logic)

2 Validation Labels End state labels Distinguish between valid and invalid endstates valid endstates are not just termination could be acceptable waiting state a valid endstate is one where all processes reached end of code (i.e. }) all channels are empty it is indicated by a label beginning with end e.g. end, end_1, endhere, … In SPIN you check for invalid endstates. Checking for invalid endstates (deadlock) is a SAFETY PROPERTY.

3 End state label: Example If you check the semaphores example for invalid endstates (deadlock), i.e. with chan sema = [0] of byte; proctype Semaphore() { do :: sema!p -> sema?v od } Then an error will be reported because the system will terminate but the process Semaphore will not. However, if you check the semaphores example for invalid endstates (deadlock), i.e. with chan sema = [0] of byte; proctype Semaphore() { do end :: sema!p -> sema?v od } Then no error will be reported because when the system terminates the process Semaphore will be at end..

4 Validation Labels Progress state labels Allow you to distinguish between valid and invalid execution cycles. Allow you to state that a finite sequence should not be repeated infinitely often through the concept of progress - a process should always be able to make progress. The modeller defines what constitutes progress with a progress label. progress labels: progress, progress_1, progresshere,... In SPIN you check for non-progress (i.e. you might not reach a progress label). SPIN will report an error if there is an execution that does not visit infinitely often a progress state. Checking for non-progress (livelock) is a LIVENESS PROPERTY.

5 Validation Labels Progress state label: Examples chan sema = [0] of byte; proctype Semaphore() {end: do :: sema!p -> progress: sema?v od } Check for non-progress is passed. (You will always pass progress.) proctype Loop() {byte count=1; do :: count=count+1 :: break od progress: skip } Contains a non-progress loop. Check for non-progress is not passed An error will be reported because there is a cycle where progress is never reached.

6 Validation Labels Acceptance state labels Distinguish between states that cannot be repeated infinitely often. Converse of progress. Acceptance labels: accept1, accept2, etc. In SPIN you check for acceptance cycles. SPIN will report an error if there is an execution that visits infinitely often an acceptance state. Checking for acceptance cycles is a LIVENESS PROPERTY. (Recall: LIVENESS involves consideration of infinite execution sequences.)

7 Validation Labels Acceptance state labels: Example chan sema = [0] of byte; proctype Semaphore() {end: do :: sema!p -> accept: sema?v od } Check that it is impossible to cycle through p and v infinitely often. i.e., check accept is not passed infinitely often. SPIN would report no acceptance cycles, if this semaphore is used properly.

8 Validation Labels Acceptance state labels: Example proctype Loop() {byte count=1; accept do :: (count count=count+1 :: (count==10) ->break od progress: skip } SPIN would report no acceptance cycles. SPIN would report no non-progress cycles.

9 Complexity Size of state space (worst case) is exponential in no. of processes. E.g. 10 n, for n processes. assertions & end states < progress < accept assertions & end states linear in no. of states (both CPU time and memory) progress & acceptance 2 x CPU time no additional memory

10 LTL - Linear Temporal Logic Propositional logic + temporal operators. form ::= prop | true | false | (form) | form bop form | uop form uop ::= [](always) | <> (eventually) | ! (negation) bop ::= && (conjunction) | || (disjunction) | -> (implication) | U (strong until) p U q strong iff <>q ****(implemented in SPIN) weak if []p is a possibility

11 LTL - Linear Temporal Logic Quantification When you express an LTL formula, which execution paths does it pertain to? ALL (or indeed, none). There is an implicit universal quantification for all formulae

12 LTL - Examples Invariance: []p all states arising in a computation satisfy p. E.g. [](device == on) Response: [](p -> <>q) every state satisfying p is eventually followed by one which satisfies q. E.g. [](device == off) -> <> (device == on) Precedence: [](p -> q U r) every state satisfying p is followed by a sequence in which q is satisfied and that sequence is terminated by a state in which r is satisfied. E.g. [](device == off) -> (device == off) U (event == toggle)

13 LTL A formula is interpreted with respect to a computation path and a state. Note the difference between [], <> and []<>. []p Consider computation path s0 s1 s2 s3 ….. sn sn+1 … and current state s0. p has to hold at every si. <>p Consider computation path s0 s1 s2 s3 ….. sn sn+1 …and current state s0. p has to hold at some sj, j>=0. [] <>p Consider computation path s0 s1 s2 s3 ….. sn sn+1 …and current state s0. for every state si, there is a state sj, j>=i, s.t. p holds at sj.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.