12 verify with spin

8/8/2019 12 Verify With Spin

http://slidepdf.com/reader/full/12-verify-with-spin 1/95

Formal Specication and VericationIntroduction to Spin

Bernhard Beckert

Based on a lecture by Wolfgang Ahrendt and Reiner Hahnle atChalmers University, Goteborg

Formal Specication and Verication: Spin B. Beckert 1 / 47



Spin : Previous Lecture vs. This Lecture

Previous lectureSpin

appeared as aPromela

simulatorThis lecture

Intro to Spin as a model checker




What Does A Model Checker Do?

A Model Checker (MC) is designed to prove the user wrong.

MC tries its best to nd a counter example to the correctness properties.It is tuned for that.

MC does not try to prove correctness properties.It tries the opposite.








But why then can a MC also prove correctness properties?








But why then can a MC also prove correctness properties?

MC’s search for counter examples is exhaustive.




What does ‘exhaustive search’ mean here?

exhaustive search=

resolving non-determinism in all possible ways




What does ‘exhaustive search’ mean here?

exhaustive search=

resolving non-determinism in all possible ways

For model checking Promela code,two kinds of non-determinism to be resolved:

explicit, local:if / do statements

:: guardX -> ....

:: guardY -> ....implicit, global:scheduling of concurrent processes(see next lecture)




Model Checker for This Course: Spin

Spin : “Simple Promela Interpreter”






If this was all, you would have seen most of it already.The name is a serious understatement!







Main functionality of Spin :

simulating a model (randomly/interactively)generating a verier









verier generated by Spin is a C program performing










model checking:










model checking:exhaustively checks Promela model against correctness properties










model checking:exhaustively checks Promela model against correctness propertiesin case the check is negative:generates a failing run of the model


d l h k f h







simulating a model (randomly/interactively/ guided)generating a verier


model checking:exhaustively checks Promela model against correctness propertiesin case the check is negative:generates a failing run of the model, to be simulated by Spin


S i W k O i



Spin Workow: Overview

SPIN

modelname.pml

correctnesspropertiescorrectness

ro erties

verierpan.c Ccompiler

executableverier

pan

“errors: 0 ”failing

runname.pml.trail

interactive /random/ guidedsimulation

-a

o r

e i t

h e r

-i-t


Pl i Si l i i h S i



Plain Simulation with Spin

SPIN

modelname.pml


ro erties

verierpan.c

Ccompiler

executableverier

pan


runmodel.trail


-i


R h l Si l ti D



Rehearsal: Simulation Demo

run example, random and interactiveinterleave.pml , zero.pml




Meaning of Correctness wrt Properties



Meaning of Correctness wrt. Properties

GivenPromela

model M , and correctness properties C 1, . . . , C n .Be R M the set of all possible runs of M .For each correctness property C i ,R M

,C i is the set of all runs of M satisfying C i .

(R M ,C i ⊆ R M )

M is correct wrt. C 1, . . . , C n iff (R M ,C 1 ∩ . . . ∩ R M

,C n ) = R M .

If M is not correct, theneach r ∈(R M \ (R M

,C 1 ∩ . . . ∩ R M

,C n )) is a counter example.






GivenPromela



(R M ,C i ⊆ R M )


,C n ) = R M .


,C 1 ∩ . . . ∩ R M


We know how to write models M .






GivenPromela



(R M ,C i ⊆ R M )


,C n ) = R M .


,C 1 ∩ . . . ∩ R M


We know how to write models M .But how to write Correctness Properties?


Stating Correctness Properties




modelname.pml


ro erties





modelname.pml


ro erties

Correctness properties can be stated within, or outside, the model.

stating properties within model , usingassertion statements






modelname.pml


ro erties


stating properties within model , usingassertion statementsmeta labels

end labels

accept labelsprogress labels






modelname.pml


ro erties


stating properties within model , usingassertion statementsmeta labels

end labels


stating properties outside model , usingnever claimstemporal logic formulas






modelname.pml


ro erties


stating properties within model , usingassertion statements (today)meta labels

end labels (today)


stating properties outside model , usingnever claimstemporal logic formulas


Assertion Statements




Denition (Assertion Statements)

Assertion statements in Promela are statements of the formassert ( expr )

were expr is any Promela expression.








Typically, expr is of type bool .









Assertion statements can appear anywhere where a Promela statementis expected.










. . .s tmt1;a s s e r t ( max == a );s tmt2;. ..










. . .s tmt1;a s s e r t ( max == a );s tmt2;. ..

. . .

i f :: b1 -> stmt3 ;a s s e r t (x < y)

:: b2 -> stmt4.. .


Meaning of Boolean Assertion Statements



g

assert ( expr )has no effect if expr evaluates to truetriggers an error message if expr evaluates to false

This holds in both, simulation and model checking mode.


Meaning of General Assertion Statements



assert ( expr )has no effect if expr evaluates to non-zero valuetriggers an error message if expr evaluates to 0








Recall:

bool true false is syntactic sugar for







Recall:

bool true false is syntactic sugar forbit 1 0







Recall:

bool true false is syntactic sugar forbit 1 0

⇒ general case covers Boolean case


Instead of using ‘printf’s for Debugging ...



/* a ft er c ho os in g a , b fr om {1 , 2 ,3} */i f :: a >= b -> max = a ;:: a <= b -> max = b ;

f i ;p r i n t f ( " the maximum of %d and %d is %d\n" ,

a , b , max );


Instead of using ‘printf’s for Debugging ...



/* a ft er c ho os in g a , b fr om {1 , 2 ,3} */i f :: a >= b -> max = a ;:: a <= b -> max = b ;


a , b , max );

Command Line Execution

(simulate, inject faults, add assertion, simulate again)> spi n max . p ml


... we can employ Assertions



quoting from le max.pml :/* a ft er c ho os in g a , b fr om {1 , 2 ,3} */i f

:: a >= b -> max = a ;:: a <= b -> max = b ;

f i ;a s s e r t ( a > b -> max == a : max == b )






:: a >= b -> max = a ;:: a <= b -> max = b ;


Now, we have a rst example with a formulated correctness property .






:: a >= b -> max = a ;:: a <= b -> max = b ;


Now, we have a rst example with a formulated correctness property .

We can do model checking, for the rst time!


Generate Verier in C



SPIN

modelmax.pml


ro erties

verierpan.c

-a

Command Line ExecutionGenerate Verier in C

> spin -a max . pml

Spin generates Verier in C , called pan.c(plus helper les)




Compile To Executable Verier



verierpan.c

Ccompiler

executableverierpan

Command Line Executioncompile to executable verier

> gcc -o pan pan .c

C compiler generates executable verier pan


Compile To Executable Verier



verierpan.c

Ccompiler

executableverierpan

Command Line Executioncompile to executable verier

> gcc -o pan pan .c

C compiler generates executable verier pan

pan : historically “protocol analyzer”, now “process analyzer”


Run Verier (= Model Check)



executable

verierpan


runmax.pml.trail

either or

Command Line Executionrun verier pan

> ./ p an





executable

verierpan


runmax.pml.trail

either or


> ./ p an

prints “errors: 0 ”





executable

verierpan


runmax.pml.trail

either or


> ./ p an

prints “errors: 0 ” ⇒ Correctness Property veried!





executable

verierpan


runmax.pml.trail

either or


> ./ p an

prints “errors: 0 ”, orprints “errors: n” (n > 0)





executable

verierpan


runmax.pml.trail

either or


> ./ p an

prints “errors: 0 ”, orprints “errors: n” (n > 0) ⇒ counter example found!





executable

verierpan


runmax.pml.trail

either or


> ./ p an

prints “errors: 0 ”, orprints “errors: n” (n > 0) ⇒ counter example found!

records failing run inmax.pml.trailFormal Specication and Verication: Spin B. Beckert 24 / 47

Guided Simulation



To examine failing run: employ simulation mode, “guided” by trail le.

SPIN

failingrun

max.pml.trailguided

simulation

-t

Command Line Executioninject a fault, re-run verication, and then:

> spin - t -p - l max . pml


Output of Guided Simulation



can look like:

St ar tin g P with pid 01: proc 0 (P) l ine 8 " max .pml " ( state 1) [ a = 1 ]

P(0) : a = 12: proc 0 ( P) l ine 14 " max . pml " ( state 7) [ b = 2]

P(0) : b = 2

3: p ro c 0 ( P ) l in e 23 " m ax . p ml " ( s ta te 1 3) [((a<=b))]3: proc 0 ( P) l ine 23 " max . pml " ( state 14) [ max = a]P(0) : max = 1

spi n : l in e 25 " max . pml " , E rr or : a ss er ti on v io la te ds pi n : t ex t of f ai le d a ss er ti on :

a s s e r t (( (( a> b) ) -> (( max == a) ) : (( max == b) ) ) )





can look like:



P(0) : b = 2




assignments in the run





can look like:



P(0) : b = 2




assignments in the runvalues of variables whenever updated


What did we do so far?following whole cycle (most primitive example assertions only)



following whole cycle (most primitive example, assertions only)

SPIN

modelname.pml


ro erties


executableverier

pan


runname.pml.trail


-a

o r

e i t

h e r

-i-t


What did we do so far?following whole cycle (most primitive example assertions only)



following whole cycle (most primitive example, assertions only)

SPIN

modelname.pml


ro erties


executableverier

pan


runname.pml.trail


-p -l -g ...

-a

o r

e i t

h e r

-i-t


Further Examples: Integer Division



i n t d iv id en d = 15;i n t divisor = 4;i n t quotient , remainder ;

q uo ti en t = 0;r em ai nd er = d iv id en d ;do

:: r em ai nd er > d iv is or ->quot ient++;r em ai nd er = r em ai nd er - d iv is or

:: e l s e ->break

od ;p r i n t f ( "%d div ided by %d = %d, remainder = %d\n" ,

dividend , d ivisor , quotient , remainder) ;


Further Examples: Integer Division



i n t d iv id en d = 15;i n t divisor = 4;i n t quotient , remainder ;

q uo ti en t = 0;r em ai nd er = d iv id en d ;do

:: r em ai nd er > d iv is or ->quot ient++;r em ai nd er = r em ai nd er - d iv is or

:: e l s e ->break

od ;p r i n t f ( "%d div ided by %d = %d, remainder = %d\n" ,dividend , d ivisor , quotient , remainder) ;

simulate, put assertions, verify, change values, ...


Further Examples: Greatest Common Divisor



i n t x = 15 , y = 20;i n t a , b ;a = x ; b = y ;do

:: a > b -> a = a - b:: b > a -> b = b - a

:: a == b -> breakod ;p r i n t f ( " Th e GC D of % d a nd % d = %d \ n" , x , y, a )






:: a > b -> a = a - b:: b > a -> b = b - a


full functional verication not possible here (why?)






:: a > b -> a = a - b:: b > a -> b = b - a



still, assertions can perform sanity check






:: a > b -> a = a - b:: b > a -> b = b - a



still, assertions can perform sanity check

⇒ typical for model checking


Typical Command Lines



typical command line sequences:

random simulationspin name.pml







interactive simulationspin -i name.pml







interactive simulationspin -i name.pml

model checkingspin -a name.pmlgcc -o pan pan.c./pan




Spin Reference Card



Ben-Ari produced Spin Reference Card, summarizing

typical command line sequencesoptions forSpin

gccpan

Promeladatatypesoperatorsstatementsguarded commands

processeschannels

temproal logic syntax


Why Spin ?



Spin targets software, instead of hardware vericationbased on standard theory of ω -automata and linear temporal logic2001 ACM Software Systems Award (other winning software systemsinclude: Unix, TCP/IP, WWW, Tcl/Tk, Java)used for safety critical applicationsdistributed freely as research tool, well-documented, activelymaintained, large user-base in academia and in industryannual Spin user workshops series held since 1995


Why Spin ? (Cont’d)



Promela and Spin are rather simple to usegood to understand a few system really well, rather than many

systems poorlyavailability of good course book (Ben-Ari)availability of front end jSpin (also Ben-Ari)


What is jSpin ?



graphical user interface for Spin

developed for pedagogical purposeswritten in Java

simple user interfaceSpin options automatically suppliedfully congurablesupports graphics output of transition system




jSpin Demo



Command Line Executioncalling jSpin

> java - jar / usr / l o c a l / jSp in / jSp in . ja r

(with path adjusted to to your setting)

or use shell script:

> j sp in


jSpin Demo



Command Line Executioncalling jSpin

> java - jar / usr / l o c a l / jSp in / jSp in . ja r

(with path adjusted to to your setting)

or use shell script:

> j sp in

play around with similar examples ...


Catching A Different Type of Error

quoting from le max2.pml :



q g p/* a ft er c ho os in g a , b fr om {1 , 2 ,3} */i f

:: a >= b -> max = a ;:: b <= a -> max = b ;


a , b , max );




q g p/* a ft er c ho os in g a , b fr om {1 , 2 ,3} */i f

:: a >= b -> max = a ;:: b <= a -> max = b ;


a , b , max );

simulate a few times⇒ crazy “timeout ” message sometimes






/* a ft er c ho os in g a , b fr om {1 , 2 ,3} */i f

:: a >= b -> max = a ;:: b <= a -> max = b ;


a , b , max );


generate and execute pan

Formal Specication and Verication: Spin B Beckert 42 / 47






:: a >= b -> max = a ;:: b <= a -> max = b ;


a , b , max );


generate and execute pan⇒ reports “errors: 1 ”







:: a >= b -> max = a ;:: b <= a -> max = b ;


a , b , max );



????






/* a ft er c ho os in g a , b fr om {1 , 2 ,3} */

i f :: a >= b -> max = a ;:: b <= a -> max = b ;


a , b , max );



Note: no assert in max2.pml .





Further inspection of pan output:

. . .pan: i n v a l i d e n d s t a t e ( at depth 1)pan : wro te max2 .pml . t r a il. . .


Legal and Illegal Blocking



A process may legally block,as long as some other process can proceed.






Blocking for letting others proceed is useful, and typical,for concurrent and distributed models (i.p. protocols).







Butit’s an error if a process blocks while no other process can proceed








⇒ “Deadlock”








⇒ “Deadlock”

in max1.pml , no process can take over.


Valid End States

D iti (V lid E d St t )



Denition (Valid End State)

An end state of a run is valid iff the location counter of each processes isat an end location.


Valid End States






Denition (End Location)End locations of a process P are:

P’s textual end

Formal Specication and Verication:Spin

B Beckert 46 / 47

Valid End States







P’s textual endeach location marked with an end label: “end xxx : ”


B Beckert 46 / 47

Valid End States







P’s textual endeach location marked with an end label: “end xxx : ”

End labels are not useful inmax1.pml , but elsewhere, they are.Example: end.pml


B Beckert 46 / 47

Literature for this Lecture



Ben-Ari Chapter 2, Sections 4.7.1, 4.7.2

F l S i ti d V i tiSpin

B B k t 47 / 47

12 verify with spin

Documents