Temporal Logic Model-checking with SPIN


Temporal Logic Model-checking with SPIN, Part 2: The PROMELA Language. COMP6004, Stéphane Lo Presti, splp@ecs.soton.ac.uk

Last lecture: the SPIN tool chain
Xspin
LTL parser and translator
PROMELA parser
Simulation
Verifier (analyzer) generator
C pre-processor / compilation
Counter-example
Execution

Introduction: PROMELA is the input language of SPIN. It is inspired by C and by Dijkstra's guarded commands / CSP. A PROMELA file describes the model and part of the specification; the other part of the specification is the correctness claim, written as an LTL formula.

What is a model? FOLDOC (Free On-line Dictionary of Computing, wombat.doc.ic.ac.uk/foldoc): A description of observed behaviour, simplified by ignoring certain details. Models allow complex systems to be understood and their behaviour predicted within the scope of the model, but may give incorrect descriptions and predictions for situations outside the realm of their intended use.

PROMELA basic elements
Processes: types and instances, local scope
Variables: data types, arrays
Statements/conditions
Channels: FIFO queues (arrays)

Macro definitions
#define name value
Example: #define red 2, after which x = x + red means x = x + 2

Processes (1)
Process type: proctype myprocess(parameters) { ... }
Process instantiation: run myprocess(param_values)

Processes (2)
Data arrays and process types are the only types that cannot be passed as parameters.
The state of a process is defined by the values of its variables and by its current control location.
Special process: init, the first process started; it typically creates the other processes with run.

Data types
Name         Range (C limits)         Typically
bit / bool   0 .. 1                   false .. true
byte         0 .. 2^CHAR_BIT - 1      0 .. 255
short        SHRT_MIN .. SHRT_MAX     -2^15 .. 2^15 - 1
int          INT_MIN .. INT_MAX       -2^31 .. 2^31 - 1

Symbolic values
Message types: mtype = {value_names}; example: mtype = {red, green, blue}
Special: 0 is false; any non-0 value is true.

Records (like a C struct)
typedef name { fieldtype1 fieldname1; ... }
Example:
typedef picture { int numcolors; int vert_resolution; int horz_resolution; }

Variables
Declaration: datatype variable_name; example: int counter
Assignment: variable_name = value; example: counter = 1
Test: variable_name == value; example: counter == 0

Arrays
Declaration: elem_type array_name[size]; example: int vector[10]
Element value: array_name[index]; example: vector[0]

Statements (1)
Statements and conditions are not differentiated: both are either executable or blocked.
A condition is executable when it is true and blocked when it is false; a process that reaches a false condition waits there until the condition becomes true.
A statement is executable when it is eligible for execution and blocked when it is waiting for synchronization.

Statements (2)
Always executable: variable declarations, assignments, printf, assertions, true / non-0 values, skip, goto, break.
Always blocked: false and 0 values (a.k.a. block, hang).

Statements (3)
Special case: run is executable only if a process of the specified type can be instantiated; it blocks when the memory limit or the maximum number of processes is reached.
Statement separators (points where interleaving with other processes may occur): ; or ->

Atomic sequences
Indivisible unit (no interleaving): atomic { statements }
Caveat: if a statement inside the sequence blocks, atomicity is lost at that point and other processes may run until the statement becomes executable again.

First example
byte state = 1;
proctype A() { byte tmp; (state == 1) -> tmp = state; tmp = tmp + 1; state = tmp }
proctype B() { byte tmp; (state == 1) -> tmp = state; tmp = tmp - 1; state = tmp }
init { run A(); run B() }
Because the guard (state == 1) is a separate statement, both processes can pass it before either writes back; the final value of state then depends on the interleaving (0 if B writes last, 2 if A writes last). If instead A runs to completion first, B blocks forever on its guard.
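The same lost-update race, written out as an added example (my own code, not from the slides) with three workers and a checker process that asserts on the result. With the SAFE macro defined, the read-modify-write is wrapped in atomic and the verifier finds no error; without it, pan reports an assertion violation. The names count, done, Worker, Checker and the macro SAFE are chosen for this example.

```promela
/* Added example, not from the original slides.  Three workers each add one
 * to a shared counter with the read / modify / write split into three
 * statements, exactly like the `state` example above.  `count`, `done`,
 * `Worker`, `Checker` and the SAFE macro are names chosen for this example. */
byte count = 0;
byte done  = 0;          /* how many workers have finished; x++ is one indivisible step */

active [3] proctype Worker() {
    byte tmp;
#ifdef SAFE
    atomic {             /* indivisible: no other process runs between the three steps */
        tmp = count;
        tmp = tmp + 1;
        count = tmp
    };
#else
    tmp = count;         /* another Worker may run between this read ... */
    tmp = tmp + 1;
    count = tmp;         /* ... and this write, so that Worker's increment is lost */
#endif
    done++
}

/* Blocks until every worker is done, then checks the expected total.
 * pan reports an assertion violation for the non-atomic version. */
active proctype Checker() {
    (done == 3) -> assert(count == 3)
}
```

Run it with `spin -a race.pml && gcc -o pan pan.c && ./pan`: pan stops at the assertion violation and writes race.pml.trail, which `spin -t -p race.pml` replays step by step so the losing interleaving can be read off. Repeating with `spin -DSAFE -a race.pml` (the -D flag is passed to the C preprocessor) verifies the atomic version with no errors.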

Process communication (1)
Via (buffered) channels. Declaration: chan channame = [size] of {msgtype}
Example: chan com1 = [16] of {byte, int}
Channels can be global or local.

Process communication (2)
Sending a value on a channel: channame!value (blocks while the buffer is full)
Receiving a value on a channel: channame?varname (blocks while the buffer is empty)

Process communication (3)
More than one value: channame?value1,value2,...
Convention: the first value is a message type (mtype): channame!mtype(value2,...)
Poll (test whether a receive would be executable, without removing anything from the channel): channame?[values]

Process communication (4)
Number of messages currently in the channel buffer: len(channame)
Rendez-vous communication (synchronous): a channel of buffer size 0; the send and the matching receive execute together, so each side blocks until the other is ready.

Second example (passing a channel over a channel)
proctype A(chan q1) { chan q2; q1?q2; q2!123 }
proctype B(chan qforb) { int x; qforb?x; printf("x = %d\n", x) }
init {
    chan qname = [1] of {chan};
    chan qforb = [1] of {int};
    run A(qname); run B(qforb);
    qname!qforb
}
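A client/server exchange that uses the channel operations from the last four slides together, as an added example (my own code, not from the slides): a rendezvous channel for requests, a buffered channel for replies, mtype-tagged messages, len, a poll and empty. The mtype names, the channel names and the two processes are chosen for this example.

```promela
/* Added example, not from the original slides: a client/server exchange
 * using a rendezvous channel for requests and a buffered channel for
 * replies.  The mtype names, channel names and processes are chosen for
 * this example. */
mtype = { req, ack, nak };

chan to_server = [0] of { mtype, byte };   /* rendezvous: ! and ? execute together */
chan to_client = [4] of { mtype, byte };   /* buffered FIFO, capacity 4 */

active proctype Server() {
    byte v;
end:                                        /* blocking here at the end of a run is not an error */
    do
    :: to_server ? req(v) ->                /* matches only messages whose first field is req */
        if
        :: (v % 2 == 0) -> to_client ! ack(v)
        :: else         -> to_client ! nak(v)
        fi
    od
}

active proctype Client() {
    byte i = 0;
    byte v;
    do
    :: i < 4 -> to_server ! req(i); i++     /* each send completes only when Server receives it */
    :: else  -> break
    od;
    (len(to_client) == 4) ->                /* condition: blocks until all four replies are queued */
    if
    :: to_client?[ack(0)] -> skip           /* poll: the first queued reply is ack(0); nothing is removed */
    :: else -> assert(false)
    fi;
    do
    :: to_client ? ack(v) -> assert(v % 2 == 0)
    :: to_client ? nak(v) -> assert(v % 2 == 1)
    :: empty(to_client)   -> break
    od
}
```

The end label on the server's loop matters: when the client terminates, the server is left blocked on an empty rendezvous channel, and without the label pan would report that as an invalid end state. The condition on len(to_client) shows the "condition as statement" rule from the Statements slides: the client simply waits there until the server has queued all four replies.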

Control flow (1)
Case selection:
if
:: statement1
:: statement2
fi
Example:
if
:: (a == b) -> option1
:: (a != b) -> option2
fi
One of the options whose first statement (its guard) is executable is chosen nondeterministically; if no option is executable, the if blocks until one becomes so.

Control flow (2)
Repetition:
do
:: statement1
:: statement2
od
An option is chosen as in if, and after it completes the loop restarts. Terminating the repetition: break.

Control flow (3)
Unconditional jump: declare a label with mylabel: ... and jump to it with goto mylabel.
Three special kinds of labels, recognised by their prefix: end (marks a valid end state), progress (marks a state that every infinite execution must pass through), accept (marks an acceptance state, used with never claims).

Control flow (4)
Escape sequence: { statement1 } unless { statement2; statement3 }
The main sequence executes step by step; before each step the first statement of the escape sequence is tested, and as soon as it becomes executable control transfers to the escape sequence and the rest of the main sequence is abandoned.

Pseudo-statements
Timeout:
do
:: statement1
:: timeout -> statement2
od
timeout is executable only when no other statement in the whole system is executable; it models recovery from a globally blocked state and is not a timer.
Else:
if
:: statement1
:: else -> statement2
fi
else is executable only when no other option of the same if or do is executable.
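The control constructs of the last five slides combined in one small model, as an added example (my own code, not from the slides): a sender retransmits over a lossy link using do/od with break, if/fi with else, timeout, goto to a label and an unless escape. MAX_RETRIES, the channel and message names, and the flags gave_up and stop are chosen for this example.

```promela
/* Added example, not from the original slides: a sender retransmits over a
 * lossy link.  It exercises if/fi, do/od with break, else, timeout, goto to a
 * label and an escape sequence with unless.  MAX_RETRIES, the channel and
 * message names and the flags are chosen for this example. */
#define MAX_RETRIES 3

mtype = { data, ack };
chan link  = [1] of { mtype, byte };   /* Sender -> Receiver; the Receiver may drop a message */
chan reply = [1] of { mtype, byte };   /* Receiver -> Sender */

byte delivered;                         /* highest sequence number accepted by the Receiver */
bit  gave_up;                           /* Sender exhausted its retries */
bit  stop;                              /* Sender has finished, Receiver may exit */

active proctype Receiver() {
    byte seq;
    {
        do
        :: link ? data(seq) -> skip                          /* lost on the link: no ack is sent */
        :: link ? data(seq) -> delivered = seq; reply ! ack(seq)
        od
    } unless { stop }                   /* abandon the loop as soon as stop becomes true */
}

active proctype Sender() {
    byte seq = 1;
    byte tries;
    byte got;
    do
    :: seq > 2 -> break                 /* both messages acknowledged */
    :: else ->
        tries = 0;
resend:
        link ! data(seq);
        tries++;
        if
        :: reply ? ack(got) -> assert(got == seq); seq++
        :: timeout ->                   /* true only when no process can move: the data was lost */
            if
            :: tries < MAX_RETRIES -> goto resend
            :: else -> gave_up = 1; break
            fi
        fi
    od;
    stop = 1;
    assert(gave_up || delivered == 2)
}
```

`spin -a retry.pml && gcc -o pan pan.c && ./pan` explores every pattern of losses and reports no errors; `spin -p retry.pml` prints one random simulation run. The two identical guards in the Receiver's loop are how message loss is modelled: SPIN picks either option, so both the lossy and the lossless path are explored. The timeout branch is only reachable when the Receiver is also blocked, which is exactly the lost-message case; and the unless escape is what lets the Receiver terminate once the Sender is done, since otherwise it would be left blocked on an empty channel, which pan would flag as an invalid end state unless the loop carried an end label.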

Assertions: assert(condition). An assertion is always executable; if condition evaluates to false when it is executed, the verifier reports an assertion violation. Combined with labels, assertions express the specification.

Semantics of PROMELA (http://www.spinroot.com/spin/Man/Intro.html)
Operational model based on: processes (labelled transition systems), variables, channels, and a semantics engine that determines which statements are executable and how the global state changes.