spin-slides - University of Waterloo
Spin Model Checker
Samaneh Navabpour
Electrical and Computer Engineering Department
University of Waterloo
SE-464
Summer 2011
Common Design Flaws
Deadlock
Livelock, Starvation
Under-specification
Over-specification
Violation of Constraints
Etc.
Most of the errors caused by these flaws can be
detected by model checking.
Model Checking and Spin
Model Checking:
Is an automated technique that, given a finite model of a system and
a logical property, systematically checks whether this property holds
for that model.
Spin is a well known classical model checker.
Aims towards concurrent systems
Only checks functional properties
Does not model real-time, but is capable of modeling timeouts.
[Diagram "Abstract Verification": the Design is abstracted into a Model, which the Model Checker checks; the Design is refined into the Implementation. The model checker works on the abstract model, not on the implementation.]
Material which needs to be covered
Spin Architecture (we won't cover)
jSpin: how to install, how to use it
Promela: basic building blocks
jSpin
Install
Create a directory for mingw, and install mingw in that directory.
Create a separate directory for jSpin. Download the jSpin executable into that directory and run it.
Running jSpin
javaw -jar jSpin.jar (with an optional Promela file as argument).
Demo jSpin
jSpin
Check: runs a syntax check.
Random: runs a random simulation.
Interactive: runs an interactive simulation.
Guided: runs a guided simulation using the trail file created by the execution of the analyzer.
Verification with jSpin
With LTL formulas:
The formula must be converted to an automaton written as a Promela never claim.
Remember to do Translate.
Translated LTL formulas will be saved in a *.ltl file.
Original LTL formulas can be saved in *.prp.
Verification with jSpin
Without LTL formulas:
Safety properties: using assertions.
Acceptance cycles: testing for acceptance cycles is generally testing for the absence of unwanted infinite behavior. An acceptance cycle is a cycle that infinitely often visits an acceptance state.
Non-progress cycles: progress is the guarantee of wanted infinite behavior. A non-progress cycle is a cycle that does not visit a progress state infinitely often.
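The following is an added example, not from the slides, that puts the checks of the last two slides into one model: Peterson's mutual exclusion algorithm for two processes, with an assert for the safety property, a progress label for non-progress cycle detection, and a never claim for the LTL property [] (ncrit <= 1), written in the form that `spin -f` produces for the negated formula (this is the step jSpin's Translate performs for you). All names (user, ncrit, flag, turn, p) are chosen for this example.

```promela
/* Added example (not from the slides): Peterson's mutual exclusion for
 * two processes, checked three ways in jSpin/Spin:
 *   1. safety   - the assert in the critical section
 *   2. liveness - the never claim below, generated from the negation of
 *      [] (ncrit <= 1), i.e. <> (ncrit > 1); reaching an accepting state
 *      or an acceptance cycle means the property is violated
 *   3. progress - the progress label; a non-progress cycle means some
 *      execution stops entering the critical section
 */
bool flag[2];
byte turn;
byte ncrit;          /* number of processes in the critical section */

#define p (ncrit <= 1)

active [2] proctype user() {
    byte me = _pid;          /* 0 or 1, since no init process exists */
    byte other = 1 - _pid;
    do
    :: flag[me] = true;
       turn = other;
       /* wait until the other process is not interested or it is our turn;
          this expression statement blocks while it is false */
       (!flag[other] || turn == me);
progress:
       ncrit++;
       assert(ncrit <= 1);   /* mutual exclusion: safety property */
       ncrit--;
       flag[me] = false
    od
}

/* Never claim for <>!p, in the form produced by `spin -f '<>!p'` */
never {    /* <>!p */
T0_init:
    do
    :: (!p) -> goto accept_all
    :: (1) -> goto T0_init
    od;
accept_all:
    skip
}
```

Run the verifier with assertions, then with acceptance cycles (the never claim) and then with non-progress cycles enabled; none of the three runs should report an error. Changing `turn = other` to `turn = me` breaks the algorithm, and the assert (and the never claim) then report an interleaving in which both processes are in the critical section. In Spin 6 and later the never claim can be replaced by the inline declaration `ltl inv { [] p }`.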
Promela
Promela consists of:
Processes: describe the behavior of the system.
Channels: define the environment in which the processes run.
Variables: define the environment in which the processes run. The scope of a variable is global if it is declared outside all process declarations, and local if it is declared within a process declaration.
Promela
Statements in Promela:
Are all conditional: a statement will only be executed if the condition of its execution is satisfied. Hence a statement is either executable or blocked.
Example: the expression statement (a == b) is similar to
while (a != b) {
    /* skip */
}
Promela can't have unbounded data, channels, processes, or process creation.
Promela - variables
Basic types:
bit
bool
byte
short
int
Arrays:
byte test[9];
Record:
typedef test { int test1; byte test2 };
Promela - variables
Message type mtype (symbolic constants; the names are user-chosen identifiers, not type keywords):
mtype = { ack, nak };
Channels:
chan toR = [6] of { mtype, bit };
Global variables
Variables can be given values by assignment, argument passing and message passing.
Promela - processes
Processes have a name and an execution number, and can be created with active or with run:
byte state;
active [2] proctype P() {
    (state == 1) -> state = 3
}
OR
proctype P() {
    /* ... */
}
init {
    int pid2 = run P();
}
Can be created by run or active.
Can be created at any point.
Processes can interact via channels or global variables.
The run statement can pass parameter values of all basic data types to the new process.
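As an added example that is not part of the slides, the model below ties slides 10 and 13 together: one process is started with `active`, two more are created later with `run` and receive parameters, and the processes coordinate through a global variable using blocking expression statements as waits. The process names worker and controller, the parameters id and target, and the global state are assumptions made for this example.

```promela
/* Added example (not from the slides): process creation with active and
   run, parameter passing, and expression statements that block. */
byte state;         /* global: visible to every process */

proctype worker(byte id; byte target) {
    /* this expression is a statement in its own right: the process is
       blocked here until the expression evaluates to true */
    (state == target);
    printf("worker %d saw state == %d\n", id, target);
    state = state + 1
}

active proctype controller() {
    int p1, p2;
    p1 = run worker(1, 1);   /* run returns the pid of the new process */
    p2 = run worker(2, 2);   /* both workers are now blocked on their wait */
    state = 1;               /* unblocks worker 1, which sets state to 2,
                                which in turn unblocks worker 2 */
    (state == 3);            /* wait until worker 2 has finished */
    assert(p1 != p2 && state == 3)
}
```

Because the two workers wait for different values, the order in which they run is forced even though Spin explores every interleaving; the assert at the end holds in all of them. Replacing `run worker(2, 2)` with `run worker(2, 1)` makes both workers eligible at once and the verifier then finds a run in which the final state is still 3 but the printed order differs.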
Promela - Advanced Topics
atomic:
Statements in atomic are executed as one indivisible unit, not interleaved with any other processes.
proctype P() {
    atomic {
        (state == 1) -> state = state + 1
    }
}
d_step:
Similar to atomic.
Does not save intermediate states.
Cannot contain non-determinism or blocking statements.
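An added example (not from the slides) of why atomic matters: a test-and-set lock. The check `(lock == 0)` and the write `lock = 1` are two separate statements, so without atomic another process can run between them and both enter the critical section. The inline names acquire_unsafe and acquire_atomic and the globals lock and incrit are chosen for this example.

```promela
/* Added example (not from the slides): test-and-set lock with and
   without atomic. The assert reports the race in the unsafe version. */
bit lock;
byte incrit;        /* number of processes in the critical section */

inline acquire_unsafe() {
    (lock == 0) -> lock = 1            /* two steps: an interleaving can slip in */
}

inline acquire_atomic() {
    atomic { (lock == 0) -> lock = 1 } /* one indivisible step */
}

active [2] proctype user() {
    do
    :: acquire_atomic();    /* swap in acquire_unsafe() to see the assert fail */
       incrit++;
       assert(incrit <= 1); /* mutual exclusion */
       incrit--;
       lock = 0
    od
}
```

With acquire_atomic the verifier reports no errors; with acquire_unsafe it finds the interleaving in which both processes pass the `(lock == 0)` test before either writes `lock = 1`, and jSpin's Guided simulation replays that trail. Because the only statement that may block inside the sequence is its first one, `d_step` could be used here in place of `atomic` as well.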
Promela - Statements
If-statement:
if
:: (a >= b) -> Stmt1; Stmt2; ...
:: (a < b) -> Stmt3; Stmt4; ...
:: (a == b) -> Stmt5; Stmt6; ...
:: else -> Stmt7
fi

if
:: count = count + 1
:: count = count - 1
fi
If more than one guard is satisfied, we have nondeterminism.
If all guards are unexecutable, the process will block until at least one of them can be selected.
There is no restriction on the type of statements that can be used as a guard.
Promela - Statements
Do-statement:
do
:: (a >= b) -> Stmt1; Stmt2; ...
:: (a < b) -> Stmt3; Stmt4; ...
:: (a == b) -> Stmt5; Stmt6; ...
:: else -> Stmt7
od

do
:: count = count + 1
:: count = count - 1
:: (count == 0) -> break
od
Same as the if-statement, only in a while loop.
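Added example, not from the slides, of a do loop in which several guards can be executable at the same time, followed by an if with an else branch; the names MAX, count and counter are chosen here.

```promela
/* Added example (not from the slides): non-deterministic choice in a do
   loop. Every option whose guard holds is a possible next step and Spin
   explores all of them; the state space stays finite because count is
   bounded by the guards. */
#define MAX 3
byte count;

active proctype counter() {
    do
    :: (count < MAX)  -> count++   /* executable while count < MAX */
    :: (count > 0)    -> count--   /* executable while count > 0 */
    :: (count == MAX) -> break     /* leave the loop; competes with count-- */
    od;
    /* else is taken only when no other guard is executable */
    if
    :: (count > MAX) -> assert(false)   /* unreachable: the guards bound count */
    :: else -> printf("count reached %d\n", count)
    fi;
    assert(count == MAX)
}
```

A Random simulation in jSpin shows one path, for example 0, 1, 2, 1, 2, 3; the verifier walks all of them and confirms that every path that leaves the loop does so with count == MAX. Removing the `(count > 0)` guard (leaving a bare `count--`) makes the verifier report a run in which the byte wraps around, which is the kind of under-specification the first slide mentions.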
Promela - Communication
Processes can communicate in two ways:
Global variables
Channels:
chan <name> = [<dim>] of { <type1>, <type2>, ..., <typen> }
Asynchronously: dimension > 0
Synchronously: dimension = 0
Actions:
Sending:   ch ! <expr_1>, ..., <expr_n>
Receiving: ch ? var_1, ..., var_n
Example: chan toR = [2] of { int, int }
toR ! 1, 5
...
toR ? x1, x2
If a send or receive cannot be executed, the process blocks.
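The following added example (not from the slides) combines the variable kinds of slides 11 and 12 with the channel operations of this slide: an mtype, a typedef record, an asynchronous channel with a buffer of two and a synchronous (rendezvous) channel, used by a sender and a receiver. The names Packet, data, ack, toR, toS, Sender and Receiver are chosen for this example.

```promela
/* Added example (not from the slides): mtype constants, a typedef record
   and both channel kinds. Sender pushes three packets through the
   buffered channel toR and waits for each acknowledgement on the
   rendezvous channel toS. */
mtype = { data, ack };          /* symbolic message kinds */

typedef Packet {
    byte seq;
    int payload
};

chan toR = [2] of { mtype, Packet };   /* asynchronous: buffers 2 messages */
chan toS = [0] of { mtype, byte };     /* synchronous: rendezvous */

active proctype Sender() {
    Packet pkt;
    byte seq = 0;
    byte acked;
    do
    :: (seq < 3) ->
        pkt.seq = seq;
        pkt.payload = 10 * seq;
        toR ! data, pkt;        /* blocks only while toR is full */
        toS ? ack, acked;       /* blocks until Receiver sends on toS */
        assert(acked == seq);
        seq++
    :: (seq == 3) -> break
    od
}

active proctype Receiver() {
end:                            /* blocking here at the end is legitimate */
    do
    :: toR ? kind, pkt ->       /* blocks while toR is empty */
        assert(kind == data);
        toS ! ack, pkt.seq      /* rendezvous with Sender */
    od
}
```

The receive `toS ? ack, acked` uses the constant ack as a pattern: it matches only messages whose first field is ack and stores the second field in acked. The `end:` label tells the verifier that Receiver waiting forever on an empty toR after Sender has finished is a valid end state rather than a deadlock; without it the verifier reports an invalid end state.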
Promela - Statements
Special statements:
goto
skip: same as 1 or true
run
assert(<expr>): checks whether a certain property holds; gives an error if it is violated.
Promela - Advanced Topics
Timeout
Promela has no real-time features.
The timeout statement can only be executed when no other statement in the system can be executed.
Can help get out of deadlock.
The timeout models a special condition that allows a process to abort waiting for a condition that may never become true, e.g. an input from an empty channel.
Example:
do
:: guard1 -> Stmt1; ...
:: timeout -> break; ...
od
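As an added example (not from the slides), a server that would otherwise block forever on an empty channel uses timeout to give up; the mtype req, the channel inbox and the process names client and server are chosen for this example.

```promela
/* Added example (not from the slides): timeout as an escape from waiting
   on a message that may never arrive. timeout is not a clock: it becomes
   executable only when no process anywhere in the system can take a
   step, i.e. when the system would otherwise be deadlocked. */
mtype = { req };
chan inbox = [1] of { mtype };
byte received;
bool gave_up;

active proctype client() {
    if
    :: inbox ! req      /* sometimes a request is sent ... */
    :: skip             /* ... and sometimes it never is */
    fi
}

active proctype server() {
    do
    :: inbox ? req -> received++; break
    :: timeout -> gave_up = true; break   /* nothing else can move: stop waiting */
    od;
    /* exactly one of the two happened: while a request sits in inbox the
       receive is executable, so timeout cannot fire first */
    assert(received == 1 || gave_up);
    assert(!(received == 1 && gave_up))
}
```

Without the timeout option the verifier reports an invalid end state (a deadlock) for the run in which client takes the skip branch; with it, both asserts hold on every run. Since timeout fires as soon as the whole system is stuck, a model that relies on it to mask a real deadlock hides that deadlock from the verifier, which is why Spin offers a way to disable timeouts during verification.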
Conclusion
Spin is suitable for concurrent systems.
Cannot model time.
jSpin is easy to install and use via the graphical interface.
Promela is similar to C and therefore easy to pick up.
Beware of state explosion.
Need basic knowledge of LTL.
References
Spin official page: http://spinroot.com
Spin online tutorials: http://spinroot.com/spin/Man/index.html
jSpin: http://stwww.weizmann.ac.il/g-cs/benari/spin
Erigone: http://stwww.weizmann.ac.il/g-cs/benari/erigone