the spin model checker
DESCRIPTION
The SPIN Model Checker. Frederico Araujo CS6362 – Fall 2010. Outline. What is model checking? Why model checking? SPIN Basic Concepts Promela Promela Model Correctness Claims JSpin Case Studies. What is model checking?. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/1.jpg)
Frederico Araujo
CS6362 – Fall 2010
The SPIN Model Checker
![Page 2: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/2.jpg)
Outline
2
What is model checking?Why model checking?SPIN
Basic ConceptsPromela
Promela ModelCorrectness Claims
JSpinCase Studies
![Page 3: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/3.jpg)
What is model checking?
3
“Model checking is an automated technique that, given a finite-state model of a system and a logical property, systematically checks whether this property holds for (a given initial state in) that model.”
Clarke & Emerson 1981
Model Checker
A (S, S0,L,T,F)
Requirement
Yes or No plus a system run violating the requirement
![Page 4: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/4.jpg)
What is model checking?
4
(Initial) Design
Abstract Verification
Model
Implementation
Model Checker
abstraction
refinement
Verification Model Abstraction of a design
simplification Express assumptions about the
environment and correctness properties
![Page 5: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/5.jpg)
Why model checking?
5
It serves to prove that the design principles are soundCan predict wheter a model is valid or not
before its implementationNot expected to be part of the final
implementation of a systemIt anticipates design defects discovery
Potential to reduce costs related to rework and risks of failures in mission-critical systems
![Page 6: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/6.jpg)
SPIN Introduction
6
SPIN (Simple Promela Interpreter) is a popular open-source model checker that can be used for the formal verification of asynchronous and distributed software systems.
Developed at Bell Labs, starting in 1980.Free, since 1991All Spin software is written in ANSI standard C,
and is portable across multiple platformsSPIN homepage is www.spinroot.com2002 ACM software system award for 2001
![Page 7: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/7.jpg)
SPIN Introduction
7
Common flaws that occur in design of distributed software systems:DeadlockLivelock, starvationUnderspecificationOverspecification
![Page 8: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/8.jpg)
SPIN Basic Concepts
8
Spin can be used in 2 basic modes :as a simulator to get a quick impression of
the behavior captured by the system model:guided simulationrandom and interactive simulation
as a verifier: when a counterexample is generated, it uses simulation to step through the trace
![Page 9: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/9.jpg)
SPIN Basic Concepts
9
SPIN verification: prove correctness of process interactions
Processes refer to system components that communicate with each other
Communication rendezvous primitives (synchronous)buffered channels (asynchronous )shared variables
![Page 10: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/10.jpg)
SPIN Basic Concepts
10
SPIN provides:An intuitive, C-like notation (Promela) for
specifying the finite-state abstraction of a system unambiguously
A notation for expressing general correctness requirements as LTL (Linear Temporal Logic) formulae
![Page 11: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/11.jpg)
Promela Introduction
11
PROMELA (Process Meta-language), served as input to SPIN
Non-deterministic , guarded command language for specifying the system behavior of a distributed system
Systems of interacting, asynchronous threads of execution
It brings ideas from:CSP process algebra by Hoare for input/outputC language in some of the syntax and notational
conventionsa non-deterministic guarded command language
![Page 12: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/12.jpg)
Promela Introduction
12
The properties define the
real objectif of a
verification
Behavior specicification (what is possible)• process behavior• variables, data types• message channelsLogical correctness properties (what is valid)• assertions• end-state, progress-state, and acceptance state labels• never claims (LTL formulae)• trace assertions• default properties:• absence of system deadlock• absence of unreachable code
![Page 13: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/13.jpg)
Promela Model
13
Consists ofProcessData objectsMessage channels
Corresponds to a FSMEvery object is bounded
Process 255*
Message channels 255*
Data data type dependent* For current versions of SPIN
mytype = {MSG, ACK};chan toS=…chan toR=…bool flag;active proctype Sender(){…process body…}active proctype Receiver(){…process body…}
![Page 14: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/14.jpg)
Promela Processes
14
Basic structureproctype Sender(chan in; chan out){
... process body ...}
Process creationinit and active
proctype You_run(){
... process body ...}init {
run You_run();}
active proctype You_run(){ ... process body ...}active [2] proctype You_run_b(){ ... process body ...}
![Page 15: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/15.jpg)
Promela Processes
15
There can be more than one process inside a Promela model
A process executes concurrently with other processes.
A process also communicates with other processes by sending/receiving messages across channels by using shared (global) variables with other processes
Local state of a process is defined by process counter (defines the location of the process) and the values of the local variables of the process.
![Page 16: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/16.jpg)
Promela Data Objects
16
Variables can be local or globalDefault initial value of both local and global
variables is 0Variables can be assigned a value by an
assignment, argument passing or message passing
Variables can be used in expressions which includes most arithmetic, relational and logical operators of C
![Page 17: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/17.jpg)
Promela Basic Types
17
Basic Types
Array DeclarationArray Access
Records type definition
Record declarationRecord Access
Enumeration type for messagesFrom Verification Techniques lecture notes, Uppsala Universitet, Sweden
![Page 18: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/18.jpg)
Promela Expressions
18
Operators
Conditional expressions
Operations on channels identifiers
From Verification Techniques lecture notes, Uppsala Universitet, Sweden
![Page 19: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/19.jpg)
Promela Message Channels
19
Communication between processes through channels
FIFODeclared as arraysThere can be two types of communications:
Message-passing or asynchronousRendezvous or synchronous (channel of
dimension 0)
![Page 20: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/20.jpg)
Promela Message Channels
20
Declarationchan qname = [16] of {short, byte, bool}
Sending messageqname!expr1, expr2, expr3
Receiving messageqname?var1, var2, var3constrained qname?cons1,var2,var3
To test if a send receive can be executable without side effectqname?[var1, var2, var3]
![Page 21: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/21.jpg)
Promela Message Channels
21
Asynchronous communicationmtype = { msg0, msg1, ack0, ack1 };chan to_sndr = [2] of { mtype };chan to_rcvr = [2] of { mtype };active proctype Sender(){again: to_rcvr!msg1;
to_sndr?ack1;to_rcvr!msg0;to_sndr?ack0;goto again
}active proctype Receiver(){again: to_rcvr?msg1;
to_sndr!ack1;to_rcvr?msg0;to_sndr!ack0;goto again
}
![Page 22: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/22.jpg)
Promela Message Channels
22
Synchronous communication (rendezvous)mtype = { msgtype };chan name = [0] of { mtype, byte };active proctype A(){
name!msgtype(124);name!msgtype(121)
}active proctype B(){
byte state;name?msgtype(state)
}
![Page 23: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/23.jpg)
Promela Message Channels
23
Synchronous communication (rendezvous)mtype = { msgtype };chan glob = [0] of { chan };active proctype A(){
chan loc = [0] of { mtype, byte };glob!loc;
loc?msgtype(121)}active proctype B(){
chan who;glob?who;who!msgtype(121)
}
![Page 24: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/24.jpg)
Promela Statements
24
Statements are separated by a semi-colonAssignments and expressions are statementsskip statement: does nothing, only changes the
process counterprintf statement: not evaluated during verificationassert(expr): Assert statement is used to check if
the property specified by the expression expr is valid within a state. If expr evaluates to 0, it implies that it is not valid and SPIN will exit with an error.
![Page 25: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/25.jpg)
Promela Statements
25
if statementif:: choice1 -> stat1.1; stat1.2;:: choice2 -> stat2.1; stat2.2;:: …:: choicen -> statn.1; statn.2;fi;
if statement is executable if there is at least one choice which is executable and is blocked if none of the choices are executable
If more than one choice is executable, SPIN non-deterministically chooses one of the executable choices
![Page 26: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/26.jpg)
Promela Statements
26
do statementdo:: choice1 -> stat1.1; stat1.2;:: choice2 -> stat2.1; stat2.2;:: …:: choicen -> statn.1; statn.2;od;
do statement behaves in the same way as if statement in terms of choice selection but, executes the choice selection repeatedly
break statement can be used to come out of a do loop transferring control to the statement just outside the loop
![Page 27: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/27.jpg)
Promela Atomic operator
27
A process whose control is inside
atomic{ }
executes without being interrupted by other processes
From Verification Techniques lecture notes, Uppsala Universitet, Sweden
![Page 28: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/28.jpg)
Promela Correcteness Claims
28
Basic assertions (checked during simulation run)
End-state labelsProgress-state labelsAccept-state labels checked during
verification runNever claimsTrace assertions
![Page 29: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/29.jpg)
Promela Correcteness Claims
29
safety property“nothing bad ever happens”
invariantx is always less than 5
deadlock freedomthe system never reaches a state
where no actions are possibleSPIN
find a trace leading to the “bad” thing. If there is not such a trace, the property is satisfied.
liveness property
“something good will eventually happen”
terminationthe system will eventually
terminate response
if action X occurs then eventually action Y will occur
SPINfind a (infinite) loop in which the “good” thing does not happen. If there is not such a loop, the property is satisfied.
![Page 30: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/30.jpg)
Promela Correcteness Claims
30
Correctness properties can be expressed:as properties of reachable states (generic safety properties)as properties of sequences of states (generic liveness properties)
In Promela:
properties of states
assertionslocal process assertionssystem invariants
end-state labelsto define proper termination
points of processesaccept-state labels
when looking for acceptance cyclesprogress-state labels
when looking for non-progress cyclesnever claims (optionally derived from LTL formulae)trace assertions
properties ofsequencesof states
![Page 31: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/31.jpg)
Promela Correcteness Claims
31
Assertionbyte state = 1;active proctype A(){
(state == 1) -> state++;assert(state== 2)
}active proctype B(){
(state == 1) -> state--;assert(state== 0)
}
pan: assertion violated (state==2) (at depth 6)pan: wrote assertion-example.pml.trail(Spin Version 4.3.0 -- 22 June 2007)Warning: Search not completed
+ Partial Order ReductionFull statespace search for:
never claim - (none specified)assertion violations +cycle checks - (disabled by -
DSAFETY)invalid end states - (disabled by -E
flag)State-vector 16 byte, depth reached 6, ••• errors: 1 ••• 10 states, stored 0 states, matched 10 transitions (= stored+matched) 0 atomic stepshash conflicts: 0 (resolved)2.302 memory usage (Mbyte)
![Page 32: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/32.jpg)
Promela Correcteness Claims
32
Assertionbyte state = 1;active proctype A(){
(state == 1) -> state++;assert(state== 2)
}active proctype B(){
(state == 1) -> state--;assert(state== 0)
}
pan: assertion violated (state==2) (at depth 6)pan: wrote assertion-example.pml.trail(Spin Version 4.3.0 -- 22 June 2007)Warning: Search not completed
+ Partial Order ReductionFull statespace search for:
never claim - (none specified)assertion violations +cycle checks - (disabled by -
DSAFETY)invalid end states - (disabled by -E
flag)State-vector 16 byte, depth reached 6, ••• errors: 1 ••• 10 states, stored 0 states, matched 10 transitions (= stored+matched) 0 atomic stepshash conflicts: 0 (resolved)2.302 memory usage (Mbyte)
What is the problem with this
model?
![Page 33: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/33.jpg)
Promela Correcteness Claims
33
Assertionbyte state = 1;active proctype A(){atomic {(state == 1) -> state++; } assert(state== 2)}active proctype B(){atomic{(state == 1) -> state--;} assert(state== 0)}
(Spin Version 4.3.0 -- 22 June 2007)+ Partial Order Reduction
Full statespace search for:never claim - (none specified)assertion violations +cycle checks - (disabled by -
DSAFETY)invalid end states - (disabled by -E
flag)State-vector 16 byte, depth reached 3, ••• errors: 0 ••• 6 states, stored 0 states, matched 6 transitions (= stored+matched) 0 atomic stepshash conflicts: 0 (resolved)2.302 memory usage (Mbyte)unreached in proctype A
(0 of 5 states)unreached in proctype B
(0 of 5 states)
![Page 34: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/34.jpg)
Promela Correcteness Claims
34
End-statemtype= { p, v };chan sem= [0] of { mtype};byte count;active proctype semaphore(){end: do :: sem!p-> sem?v od}active [5] proctype user(){end: do :: sem?p; count++; /* critical section */ count--; sem!v od}
(Spin Version 4.3.0 -- 22 June 2007)+ Partial Order Reduction
Full statespace search for:never claim - (none specified)assertion violations +cycle checks - (disabled by -
DSAFETY)invalid end states +
State-vector 36 byte, depth reached 5, ••• errors: 0 ••• 16 states, stored 5 states, matched 21 transitions (= stored+matched) 0 atomic stepshash conflicts: 0 (resolved)2.302 memory usage (Mbyte)unreached in proctype semaphore
line 9, state 6, "-end-"(1 of 6 states)
unreached in proctype userline 19, state 8, "-end-"(1 of 8 states)
![Page 35: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/35.jpg)
Promela Correcteness Claims
35
Progress-statemtype= { p, v };chan sem= [0] of { mtype};byte count;active proctype semaphore(){end: do :: sem!p-> progress: sem?v od}active [5] proctype user(){end: do :: sem?p; count++; /* critical section */ count--; sem!v od}
(Spin Version 4.3.0 -- 22 June 2007)+ Partial Order Reduction
Full statespace search for:never claim +assertion violations + (if within scope
of claim)non-progress cycles +
(fairness disabled)invalid end states - (disabled by
never claim)State-vector 44 byte, depth reached 9, ••• errors: 0 ••• 21 states, stored 5 states, matched 26 transitions (= stored+matched) 0 atomic stepshash conflicts: 0 (resolved)2.302 memory usage (Mbyte)unreached in proctype semaphore
line 10, state 6, "-end-"(1 of 6 states)
unreached in proctype userline 20, state 8, "-end-"(1 of 8 states)
Non-progress verification
![Page 36: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/36.jpg)
Promela Correcteness Claims
36
SPIN’s automata for semaphore problemEnd: End:
Progress:
![Page 37: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/37.jpg)
Promela Correcteness Claims
37
Fairness finite progress assumptionwhen a process can make progress, it eventually will
1. weak fairness:if a statement is executable infinitely long, it will eventually be executed
2. strong fairness:if a statement is executable infinitely often, it will eventually be executed
fairness can be applied tonon-deterministic statement selection within a processnon-deterministic statement selection between processes
![Page 38: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/38.jpg)
Promela Correcteness Claims
38
Accept-statemtype= { p, v };chan sem= [0] of { mtype};byte count;active proctype semaphore(){do:: sem!p-> sem?vod}active [5] proctype user(){do:: sem?p->accept: count++;/* critical section */count--;sem!vod}
pan: acceptance cycle (at depth 0)pan: wrote _accept-example.pml.trail(Spin Version 4.3.0 -- 22 June 2007)Warning: Search not completed
+ Partial Order ReductionFull statespace search for:
never claim - (none specified)assertion violations +acceptance cycles + (fairness
disabled)invalid end states +
State-vector 40 byte, depth reached 5, ••• errors: 1 ••• 4 states, stored 0 states, matched 4 transitions (= stored+matched) 0 atomic stepshash conflicts: 0 (resolved)2.302 memory usage (Mbyte)
Acceptance verification
![Page 39: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/39.jpg)
Promela Correcteness Claims
39
SPIN’s counterexample for acceptance example
Implicit meaning: there should not exist any executions that can pass through an accept-state infinitely often
![Page 40: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/40.jpg)
Promela Correcteness Claims
40
Linear Temporal Logic (LTL) and Buchi Automata never { /* <>(p&&[]!q) */
T0_init:if:: (! ((q)) && (p)) -> goto accept_S4:: (1) -> goto T0_initfi;
accept_S4:if:: (! ((q))) -> goto accept_S4fi;
}
Temporal logic operators:
eventually always
From Verification Techniques lecture notes, Uppsala Universitet, Sweden
![Page 41: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/41.jpg)
Promela Correcteness Claims
41
Never claimNeeded capability for
defining more precise checks
Implicit meaning: specifies finite or infinite behavior that should never occur
Note: p and q need to be defined as macros: #define p (x>10)#define q (x<100)
never { /* <>(p&&[]!q) */T0_init:
if:: (! ((q)) && (p)) -> goto accept_S4:: (1) -> goto T0_initfi;
accept_S4:if:: (! ((q))) -> goto accept_S4fi;
}
![Page 42: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/42.jpg)
JSpin
42
It is a java based GUI for SPIN model checker
Adapted from Theo C. Ruys - SPIN Beginners' Tutorial
JSpin
![Page 43: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/43.jpg)
Case Studies
43
peterson’s mutual exclusion algorithmpaper: Towards a Methodology for Formal
Design and Analysis of Agent Interaction Protocols
![Page 44: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/44.jpg)
References
44
Gerard J. Holzmann.The SPIN model checker: primer and reference guide, Addison-Wesley, September 2003
G. Holzmann, The Model Checker Spin ,IEEE Trans. on Software Engineering, Vol. 23, No. 5, May 1997, pp. 279-295
SPIN page: http://spinroot.comTheo C. Ruys. SPIN Beginners’ Tutorial, SPIN Workshop
2002, Grenoble, France, 2002Wei Jun, Cheung Shing-Chi, Wang Xul. Towards a
Methodology for Formal Design and Analysis of Agent Interaction Protocols - An Investigation in Electronic Commerce, Wuhan University Journal of Natural Sciences Vol. 6 No. 1-2, 2001
![Page 45: The SPIN Model Checker](https://reader036.vdocuments.site/reader036/viewer/2022081421/56816419550346895dd5cef0/html5/thumbnails/45.jpg)
45
Questions?