Slide 1: Spin Model Checker
Samaneh Navabpour
Electrical and Computer Engineering Department
University of Waterloo
SE-464, Summer 2011
Slide 2: Common Design Flaws
- Deadlock
- Livelock, starvation
- Under-specification
- Over-specification
- Violation of constraints
- Etc.
Most of the errors caused by these flaws can be detected by model checking.
Slide 3: Model Checking and Spin
- Model checking is an automated technique that, given a finite model of a system and a logical property, systematically checks whether this property holds for that model.
- Spin is a well-known classical model checker:
  - Aims at concurrent systems
  - Only checks functional properties
  - Does not model real time, but is capable of modeling timeouts
[Diagram: Design --abstraction--> Model --> Model Checker --> Verification; Model --refinement--> Implementation]
Slide 4: Material which needs to be covered
- Spin architecture (we won't cover)
- jSpin: how to install, how to use it
- Promela: basic building blocks
Slide 5: jSpin
Install:
- Create a directory for MinGW, and install MinGW in that directory.
- Create a separate directory for jSpin.
- Download the executable for jSpin into that directory, and run the executable.
Running jSpin (the Promela file argument is optional):

    javaw -jar jSpin.jar [file.pml]

Demo jSpin.
Slide 6: jSpin
- Check: runs a syntax check.
- Random: runs a random simulation.
- Interactive: runs an interactive simulation.
- Guided: runs a guided simulation using the trail file created by the execution of the analyzer.
Verification with jSpin, with LTL formulas:
- The formula must be converted to an automaton written as a Promela never claim. Remember to do Translate.
- Translated LTL formulas will be saved in a *.ltl file. Original LTL formulas can be saved in *.prp.
Slide 7: Verification with jSpin
Without LTL formulas:
- Safety properties: using assertions.
- Acceptance cycles: testing for acceptance cycles is generally testing for the absence of unwanted infinite behavior. An acceptance cycle is a cycle that infinitely often visits an acceptance state.
- Non-progress cycles: progress is the guarantee of wanted infinite behavior. A non-progress cycle is a cycle that does not visit a progress state infinitely often.
Slide 8: Promela
Promela consists of:
- Processes: describe the behavior of the system.
- Channels: define the environment in which the processes run.
- Variables: define the environment in which the processes run. The scope of a variable is global if it is declared outside all process declarations, and local if it is declared within a process declaration.
Slide 10: Promela
Statements in Promela are all conditional: a statement will only be executed if the condition of its execution is satisfied. Hence a statement is either executable or blocked.
Example: the statement (a == b) behaves like

    while (a != b) {
        /* skip */
    }

Promela can't have unbounded data, channels, processes, or process creation.
Slide 11: Promela-variables
- Basic types: bit, bool, byte, short, int
- Arrays: byte test[9]
- Records: typedef test { int test1; byte test2 }
Slide 12: Promela-variables
- Message type: mtype = { ack, nak }   (symbolic message names; reserved words such as int and byte cannot be used as mtype names)
- Channels: chan toR = [6] of { mtype, bit }
- Global variables
- Variables can be given values by assignment, argument passing and message passing.
Slide 13: Promela-processes
- Processes can be created by run or active.
- Can be created at any point.
- Processes can interact via channels or global variables.
- The run statement can pass parameter values of all basic data types to the new process.

    byte state;
    active [2] proctype P() {
        (state == 1) -> state = 3
    }

In active [2] proctype P(): active marks the process for execution at start-up, [2] is the number of instances, and P is the name.

OR

    proctype P() {
        ...
    }
    init {
        int pid2 = run P();
    }
Slide 14: Promela- Advanced Topics
- atomic: statements in atomic are executed as one indivisible unit, non-interleaved with any other processes.
- d_step: similar to atomic; does not save intermediate states; cannot contain non-determinism or blocking statements.

    proctype P() {
        atomic {
            (state == 1) -> state = state + 1
        }
    }
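A lost-update race of the kind atomic prevents, as an added example that is not from the slides. Two active processes each read a shared counter, add one and write it back; a third process asserts the final value. Run as written, Spin finds the interleaving in which both read 0 and the counter ends at 1; compile with -DFIXED and the atomic block makes the read-modify-write indivisible, so the assertion holds. The names (counter, done, incrementer, checker, FIXED) are my own.

```promela
/* Added example (not from the slides): a read-modify-write race on a shared
   variable, the same shape as a check-then-act bug in real code, and the atomic
   fix. Run "spin -a race.pml" for the racy version, "spin -DFIXED -a race.pml"
   for the fixed one (Spin passes -D to the C preprocessor). Names are my own. */
byte counter;      /* shared variable both incrementers update */
byte done;         /* how many incrementers have finished */

active [2] proctype incrementer() {
    byte tmp;
#ifdef FIXED
    atomic {                    /* indivisible: no other process runs between read and write */
        tmp = counter;
        counter = tmp + 1
    }                           /* d_step { ... } would also do: no blocking, no choice inside */
#else
    tmp = counter;              /* read ...                                  */
    counter = tmp + 1;          /* ... write: the other instance may run in between */
#endif
    done++                      /* a single statement, so itself indivisible */
}

active proctype checker() {
    (done == 2);                /* blocks until both incrementers are finished */
    assert(counter == 2)        /* fails without FIXED: one increment is lost */
}
```

Without FIXED, pan reports "assertion violated" and the .trail shows both incrementers executing tmp = counter before either writes; that trail is exactly what jSpin's Guided simulation replays step by step.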
Slide 15: Promela-Statements
If-statement:
- If more than one guard is satisfied, we have non-determinism.
- If all guards are unexecutable the process will block until at least one of them can be selected.
- There is no restriction on the type of statements that can be used as a guard.

    if
    :: (a >= b) -> Stmt1; Stmt2; ...
    :: (a < b)  -> Stmt3; Stmt4; ...
    :: (a == b) -> Stmt5; Stmt6; ...
    :: else     -> Stmt7
    fi

    if
    :: count = count + 1
    :: count = count - 1
    fi
Slide 16: Promela-Statements
Do-statement: same as the if-statement, only in a while loop.

    do
    :: (a >= b) -> Stmt1; Stmt2; ...
    :: (a < b)  -> Stmt3; Stmt4; ...
    :: (a == b) -> Stmt5; Stmt6; ...
    :: else     -> Stmt7
    od

    do
    :: count = count + 1
    :: count = count - 1
    :: (count == 0) -> break
    od
Slide 17: Promela-Communication
Processes can communicate in two ways:
- Global variables
- Channels: chan <name> = [<dim>] of { <type1>, <type2>, ..., <typen> }
  Example: chan toR = [2] of { int, int }
  - Asynchronously: dimension > 0
  - Synchronously: dimension = 0
  - Actions: sending ch ! <expr_1>, ..., <expr_n>; receiving ch ? var_1, ..., var_n
  - If the send or receive cannot happen, the process will block.

    toR ! 1, 5        /* sender */
    ...
    toR ? x1, x2      /* receiver: x1 = 1, x2 = 5 */
Slide 18: Promela-Statements
Special statements:
- goto
- skip: same as 1 or true
- run
- assert(<expr>): checks whether certain properties hold; gives an error if violated.
Slide 19: Promela- Advanced Topics
Timeout:
- Promela has no real-time features.
- The timeout statement can only be executed when no other statement in the system can be executed.
- Can help get out of deadlock.
- The timeout models a special condition that allows a process to abort the waiting for a condition that may never become true, e.g. an input from an empty channel.
Example:

    do
    :: guard1 -> Stmt1; ...
    :: timeout -> break
    od
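The channel operations from the communication slide and the timeout from this slide together in one complete model, as an added example that is not part of the original slides. A client sends a request over a rendezvous channel and waits for a reply on a buffered channel; the server may non-deterministically lose the request, which would otherwise leave the client blocked forever. The names (req, reply, ping, pong, server, client) are mine.

```promela
/* Added example (not from the slides): request/reply over channels, with a
   timeout so a lost request cannot deadlock the client. All names are mine. */
mtype = { ping, pong };

chan req   = [0] of { mtype, byte };  /* rendezvous: dimension 0, send blocks until received */
chan reply = [2] of { mtype, byte };  /* buffered: dimension 2, send blocks only when full */

active proctype server() {
    byte id;
end:                                  /* waiting here forever is a valid end state */
    do
    :: req ? ping, id ->
        if
        :: reply ! pong, id           /* answer the request */
        :: skip                       /* or non-deterministically lose it (unreliable server) */
        fi
    od
}

active proctype client() {
    byte got;
    req ! ping, 7;                    /* blocks until the server executes req ? ping, id */
    do
    :: reply ? pong, got ->           /* executable only when a pong sits in the buffer */
        assert(got == 7);
        break
    :: timeout ->                     /* executable only when nothing else in the system can move */
        break
    od
}
```

Delete the timeout option and pan reports an invalid end state (a deadlock) with the client blocked on reply ? pong, got after the server took the skip branch; with it, every run ends with the client finished and the server parked at its end: label, which tells Spin that blocking there is acceptable.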
Slide 20: Conclusion
- Spin is suitable for concurrent systems.
- Cannot model time.
- jSpin is easy to install and use via the graphical interface.
- Promela is similar to C, therefore easy to cope with.
- Beware of state explosion.
- Need basic knowledge of LTL.