Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSE 503 – Software Engineering

Published byLinda Caldwell Modified over 6 years ago

Similar presentations

Presentation on theme: "CSE 503 – Software Engineering"— Presentation transcript:

1 CSE 503 – Software Engineering
Lecture 5: An introduction to the Spin model checker Rob DeLine 12 Apr 2004

2 Exploring state Using Alloy to explore state
Model system state using sets and relations Define state changing operations declaratively as functions Use asserts to test properties of particular operation sequences Alloy tries to find states that break asserts Using Promela (language)/Spin (tool) to explore state Model system using processes with local variables and channels Define state changing operations imperatively as algorithms Use temporal logic formulae/asserts to specify states that we want/don’t want the system to reach Spin tries to find operation sequences that break formulae/asserts Today: Promela syntax and semantics, use of Spin Wed: Case studies

3 Promela data types Basic types (integers of various widths)
bit, bool 1-bit, unsigned byte 8-bit, unsigned short 16-bit, signed int 32-bit, signed Arrays (index starts at zero) bit[8] Records typedef Header { bit flag0, flag1; byte dest; } Enumerated types (underlying type is byte) mtype = { ack, nack }

4 Variable declarations and assignments
int x; // basic types initialize to zero by default byte b = 123; byte[3] array; byte[3] initArray = 1; // all elements initialized to 1 Header h; // apparently, no initializer allowed byte msgtype = ack; // mtypes are just bytes Assignment has C’s syntax x = 3; array[2] = y;

5 Expressions Promela has many expressions from C
Arithmetic: a+b, a-b, a*b, a/b, a%b Comparisons: a==b, a!=b, a<b, a<=b, a>b, a>=b Logicals: a&&b, a||b,! a Bit-level: a&b, a|b, a^b, ~a, a<<b, a>>b Side-effecting: a++, a-- (postfix only) Plus other Promela-specific expressions (more later)

6 Process declarations Promela program consists of one or more processes
Program begins with distinguished process “init” (no parameters) Start a process with “run” command, which returns a process id A process is defined with “proctype” proctype Hello () { printf(“hi\n”); } init { run Hello(); } Process != procedure No return value, no call stack if A “runs” B, then A and B execute concurrently However, process cannot end until all processes that it runs end

7 Control statements Conditionals (execute any branch whose condition is true) if :: condition0 -> statements0 :: conditionn -> statementsn fi Loops do od Unconditional jumps: break (leave nearest do); goto label assert(cond) means crash if cond isn’t true

8 Executability Expressions as statements
Like C, an expression can be used as a statement Unlike C, an expression statement is blocked until it is true This is useful for making a process wait for a condition Conditionals and loops revisted General forms if :: statements0 :: ... :: statementsn fi do :: statements0 :: ... :: statementsn od S -> T is equivalent to S; T if/do nondeterministically choose any executable statement Timeout Special statement “timeout” is executable iff every process is blocked at a non-executable statement

9 What does this print? Two answers int i = 0; proctype A () { do
:: i == 10 -> break; :: i % 2 == 0 -> printf(“%d\n”, i); i++; :: i % 2 == 1 -> i++; od } init { run A(); } Two answers 0, 2, 4, 6, 8 all even naturals

10 Concurrency Processes run concurrently
Execution is interleaved on the statement level You can force multiple statements to be interleaved as one atomic { statements } Two forms of interaction between processes Global variables Shared communication channels

11 Producer/consumer using globals
int buffer[10]; int i = 0; proctype Consumer () { int x; do :: i > 0 -> i--; x = buffer[i]; od } proctype Producer () { int item; do :: i < 10 -> buffer[i] = item; item++; i++; od init { run Consumer(); run Producer(); } Can any items get lost?

12 Oops! Race condition! initial Producer: buffer[i] = item; Producer: i++; Producer: buffer[i] = item; Producer: i++; Consumer: i--; Consumer: x = buffer[i]; Producer: buffer[i] = item; Consumer: i--; Consumer: x = buffer[i]; Producer: i++; Producer: buffer[i] = item; 1 1 1 1 2 2 3

13 Repaired producer/consumer
int buffer[10]; int i = 0; proctype Consumer () { int x; do :: i > 0 -> atomic { i--; x = buffer[i]; Use(x); } od } proctype Producer () { int item; do :: i < 10 -> atomic { buffer[i] = item; item++; i++; } od init { run Consumer(); run Producer(); }

14 Interaction using channels
A channel is a fixed-size buffer for communication Channels are named and contain typed data chan name = [size] of { type0, ..., typen } Process can read channel data, which blocks when channel empty name?var0,...,varn Process can write channel data, which blocks when channel full name!expr0,...,exprn Channels can be global or local Channels can be passed as process parameters

15 Producer/consumer with channels
chan buffer = [10] of {int} proctype Consumer () { int x; do :: buffer?x -> Use(x); od } proctype Producer () { int item; do :: buffer!item -> item++; od init { run Consumer(); run Producer(); } Let’s see Spin in action!

Download ppt "CSE 503 – Software Engineering"

Similar presentations

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.
The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.

The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.
The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.

The SPIN System. What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
ICE1341 Programming Languages Spring 2005 Lecture #13 Lecture #13 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.

ICE1341 Programming Languages Spring 2005 Lecture #13 Lecture #13 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.
CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.
Formal verification in SPIN Karthikeyan Bhargavan, Davor Obradovic CIS573, Fall 1999.

Formal verification in SPIN Karthikeyan Bhargavan, Davor Obradovic CIS573, Fall 1999.
/ PSWLAB P ROMELA Semantics from “THE SPIN MODEL CHECKER” by G. J. Holzmann Presented by Hong,Shin 5 th Oct 2007 08:021PROMELA Semantics.

/ PSWLAB P ROMELA Semantics from “THE SPIN MODEL CHECKER” by G. J. Holzmann Presented by Hong,Shin 5 th Oct :021PROMELA Semantics.
An Overview of PROMELA. A protocol Validation Language –A notation for the specification and verification of procedure rules. –A partial description of.

An Overview of PROMELA. A protocol Validation Language –A notation for the specification and verification of procedure rules. –A partial description of.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
The Spin Model Checker Promela Introduction 50374 Nguyen Tuan Duc 50378 Shogo Sawai.

The Spin Model Checker Promela Introduction Nguyen Tuan Duc Shogo Sawai.
1 Spin Model Checker Samaneh Navabpour Electrical and Computer Engineering Department University of Waterloo SE-464 Summer 2011.

1 Spin Model Checker Samaneh Navabpour Electrical and Computer Engineering Department University of Waterloo SE-464 Summer 2011.
Example: Infinite Split and Merge #define N 128 #define size 16 chan in = [size] of {short}; chan large = [size] of {short}; chan small = [size] of {short};

Example: Infinite Split and Merge #define N 128 #define size 16 chan in = [size] of {short}; chan large = [size] of {short}; chan small = [size] of {short};
© 2011 Carnegie Mellon University SPIN: Part 2 15-414 Bug Catching: Automated Program Verification and Testing Sagar Chaki November 2, 2011.

© 2011 Carnegie Mellon University SPIN: Part Bug Catching: Automated Program Verification and Testing Sagar Chaki November 2, 2011.
© 2011 Carnegie Mellon University SPIN: Part 1 15-414 Bug Catching: Automated Program Verification and Testing Sagar Chaki October 31, 2011.

© 2011 Carnegie Mellon University SPIN: Part Bug Catching: Automated Program Verification and Testing Sagar Chaki October 31, 2011.
ISBN 0-321-19362-8 Chapter 8 Statement-Level Control Structures.

ISBN Chapter 8 Statement-Level Control Structures.
1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker.

1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker.
ISBN 0-321-19362-8 Chapter 8 Statement-Level Control Structures.

ISBN Chapter 8 Statement-Level Control Structures.
Temporal Logic Model- checking with SPIN COMP6004 Stéphane Lo Presti Part 3: The PROMELA Semantics.

Temporal Logic Model- checking with SPIN COMP6004 Stéphane Lo Presti Part 3: The PROMELA Semantics.
Chapter 7Louden, Programming Languages1 Chapter 7 - Control I: Expressions and Statements Control is the general study of the semantics of execution.

Chapter 7Louden, Programming Languages1 Chapter 7 - Control I: Expressions and Statements "Control" is the general study of the semantics of execution.

Similar presentations

Ads by Google