
OOTI Workshop on Model Checking and Static Analysis

OOTI Workshop on Model Checking and Static Analysis. Dragan Bošnački Eindhoven University of Technology The Netherlands. Some Practical Information. Lecturer: Dragan Bošnački WH 3.101 (BME), LaQuSo (CS) dragan@win.tue.nl D.Bosnacki@tue.nl Spin web page: http://spinroot.com



Presentation Transcript


  1. OOTI Workshop on Model Checking and Static Analysis Dragan Bošnački Eindhoven University of Technology The Netherlands

  2. Some Practical Information • Lecturer: • Dragan Bošnački • WH 3.101 (BME), LaQuSo (CS) • dragan@win.tue.nl • D.Bosnacki@tue.nl • Spin web page: • http://spinroot.com • Workshop web page: • http://www.win.tue.nl/~dragan/OOTI2009 • Literature: • The Spin Model Checker by Gerard Holzmann, IEEE Trans. on Software Engineering, Vol. 23, No. 5, May 1997, pp. 279-295.

  3. Outline for Today • About the course • Brief Introduction: Formal Methods, Model Checking, Spin  • A quick start with Spin: a Mutual Exclusion Protocol and  The Pathfinder • Study on-line documentation • Exercises

  4. Schedule • Tuesday, 21/4, morning: lectures+exercises • Wednesday, 22/4, morning: exercises, afternoon: lectures+exercises • Thursday, 23/4, morning: lectures, afternoon: assignment 1 • Friday, 24/4, morning: lectures+exercises, afternoon: assignment 2 • Monday, 27/4, morning: lectures, afternoon: working on assignment 2 • Tuesday, 28/4, afternoon: working on assignment 2 • (Wednesday, 29/4, afternoon: working on assignment 2)

  5. Evaluation • Mark based on • One smaller assignment (25%) • Final assignment (75%)

  6. Workshop Topics • Formal Methods, Model Checking • The Model Checker Spin • The language Promela • Verifying safety properties (assertions, deadlocks) with Spin • Linear Temporal Logic, Buechi Automata • Verifying liveness properties (LTL formulae) with Spin • Hands-on exercises with Spin • Extension of Spin with discrete time • Advanced Static Analysis (“Syntactic” Model Checking) • Principles of Static Analysis via Model Checking • Hands-on exercises with UNO

  7. Objectives of the Workshop (Model Checking) • At the end of the lectures the student: • has a general picture about Model Checking • has overview of Spin and Promela • has a basic practical knowledge of Spin • is able to write models in Promela • is able to verify safety properties (assertions, deadlocks) with Spin • knows the basics of Linear Temporal Logic • has informal knowledge about Buechi automata • is able to verify liveness properties expressed as LTL formulae with Spin • knows the main advantages and drawbacks of Model Checking and Spin

  8. Objectives of the Workshop (Static Analysis) • At the end of the lectures the student: • has a general picture about Static Analysis • Knows the basics of performing Static Analysis via Model Checking • has a basic practical knowledge of UNO • is able to check dynamic properties (e.g. race conditions, blocking)

  9. Formal Methods • The need for formal methods • Every mature engineering discipline features • Abstraction • “Modeling” (mathematical or executable models/design prototype) • Analysis • “Model checking” (manual or automated) • In hardware and software design • trial and error -- (testing, simulation), • duplication (adjusting earlier designs, peer review) • Formal methods aim to replace the second set with the first set • Good methodology and tools needed

  10. Model Checking: The Glorious Side • Honors and awards • Turing Award 2007 • E.M. Clarke, E.A. Emerson and J. Sifakis • ACM System Software Award • SPIN, G.J. Holzmann • System Software Award • … and many others ACM and IEEE awards

  11. But, Is It Really Used? • Microsoft • SDV, SLAM, Zing • Bell Labs (AT&T, Alcatel-Lucent) • SPIN, COSPAN, FeaVer, VerySoft • Siemens • Intel • Migrating from academia to industry • “Still work to do before Software Model Checking for the masses” • (P. Godefroid)

  12. What is Model Checking Good For? • Model checking useful in safety critical systems • e.g. aviation industry, medical equipment, nuclear plants, telecommunication • Some Spin success stories • Storm surge barrier • Lucent PathStar phone switch • NASA mission critical software (Deep Space 1, Cassini, Mars Exploration Rovers) • With the proliferation of embedded software its importance will increase also in everyday’s applications

  13. Slide by G.J. Holzmann

  14. New Horizons • Emerging parallel hardware technology • multi-core processors • general purpose graphics processing units (GPGPUs) • Parallel programs notoriously difficult to write • Excellent opportunity for model checking • Verification of new parallel technologies using the power of these technologies

  15. Model Checking • Widespread technique for the debugging and verification of concurrent/reactive systems • Relatively easy to use • Success due to: • Similarity with programming • Automation, speed, counter-examples • Formality (striving after verification) • Clear semantics of the model and the properties

  16. Model Checking (2) [figure: a System S is abstracted into a Model M written in a modeling language, and a property p of the system is formalized as a formula f in temporal logic; model checking decides whether M satisfies f] • State space explosion - reduction techniques needed

  17. Model Checking (3) • Basically (almost) a brute force analysis of the model’s state space • by direct exploration (explicit) • by symbolic exploration • The exploration in both cases is in principle exhaustive. • We will deal mainly with direct (explicit state) model checking

  18. Model Checking Applied in the Earlier Phases [figure: development phases - analysis, requirements, specification, design, coding, testing, release, maintain - with model checking placed in the earlier ones]

  19. A Little Bit of History • APPROVER • probably the first tool for automated verification of concurrent systems • Written by Jan Hajek at TU/e ’77-’79

  20. Approver Paper

  21. Jan Hajek

  22. Protocols Verified with Approver (1978)

  23. Model Checking Tools • SPIN • created by Gerard Holzmann in Bell Labs at the end of the 80s • Many other model checking tools • SMV, NuSMV, mCRL2, COSPAN, SLAM, BLAST, Zing, Java PathFinder, Bandera, Bogor, Divine, …

  24. Spin, Promela, Xspin • Spin [figure: the building blocks of a Spin model - process, global variable, channel (buffered), channel (rendez-vous)] • Promela: • C, CSP-like communications, Dijkstra’s guarded commands

  25. Two Computer Scientists • E.W. Dijkstra C.A.R. Hoare

  26. Spin, Promela, Xspin (2) • buffered and synchronous communication • shared memory • asynchronous and interleaved execution of statements • no assumption on the execution speed of the statements

  27. Spin, Promela, Xspin (4) • Depth first search of the state space • Verification of • safety (invalid end-states, assertions) • liveness (non-progress cycles) • never claims (Buechi automata, LTL) • Xspin - graphical interface for Spin • various output formats (e.g. Message Sequence Charts)

  28. Spin, Promela, XSpin (3) [figure: tool flow - the Model (Promela source) is fed to SPIN, which either runs a simulation (random, interactive or guided) producing simulation output, or generates an Analyzer (C source) that a C compiler turns into an Analyzer (exec) producing verification output; an error trail found during verification drives a guided simulation]

  29. Parallel Processes • Prog/Proc A: • Print A1; • Print A2 • Prog/Proc B: • Print B1; • Print B2 • Outcomes (two of the possible interleavings): A1;A2;B1;B2 and A1;B1;B2;A2

  30. Parallel Processes
  Proc A: X=1; Y=4; X = X+Y
  Proc B: Y = 0
  We want X == 5 after Proc A has ended
  Solution:
  Proc A: Block(Y); X=1; Y=4; X = X+Y; Release(Y)
  Proc B: Y = 0

  31. Parallel Processes
  Proc A: X= … ; Y=… ;
  Proc B: Y=… ; X=… ;
  With locks:
  Proc A: Block X; Block Y; X= … ; Y=… ; Release Y; Release X
  Proc B: Block Y; Block X; Y=… ; X=… ; Release X; Release Y

  32. Parallel Processes
  Proc A: Block X; Block Y; X= … ; Y=… ; Release Y; Release X
  Proc B: Block Y; Block X; Y=… ; X=… ; Release X; Release Y
  Trouble – besides the “normal” execution
  A: Block X; A: Block Y; A: Release Y; A: Release X; B: …
  there is also a blocking one
  A: Block X; B: Block Y; Deadlock!
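What Spin does with the two-process model above, shown as an added example in Python (this is not Spin's code, nor code from the workshop): a tiny explicit-state model checker that enumerates every interleaving by depth-first search, reports the first invalid end-state together with the action trail that leads into it, and, behind a `por` switch, applies the simplest form of partial-order reduction so that the independent steps a1;a2 || b1;b2 of slide 35 need only 5 of the 9 product states. The `Action`/`Process`/`check` names, the `local` flag and the one-rule ample set are this example's own simplifications of the real algorithms; the models are constructed here, and the example goes one step beyond the slides by also checking the usual fix, acquiring the locks in one global order.

```python
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple

Vars = Dict[str, int]
State = Tuple[Tuple[Tuple[str, int], ...], Tuple[int, ...]]  # (shared vars, one pc per process)


class Action(NamedTuple):
    name: str
    guard: Callable[[Vars], bool]   # enabled only when true (Dijkstra-style guarded command)
    effect: Callable[[Vars], None]  # updates the shared variables in place
    local: bool = False             # touches no shared variable (used by the POR switch)


class Process(NamedTuple):
    name: str
    actions: List[Action]


class Result(NamedTuple):
    states: int                     # reachable states visited
    deadlock: Optional[List[str]]   # action trail into the first invalid end-state, if any


def enabled(procs: List[Process], state: State) -> List[int]:
    # Indices of processes whose next action has a true guard in this state.
    env = dict(state[0])
    return [i for i, p in enumerate(procs)
            if state[1][i] < len(p.actions) and p.actions[state[1][i]].guard(env)]


def successor(procs: List[Process], state: State, i: int) -> State:
    # Execute the next action of process i and freeze the resulting global state.
    env = dict(state[0])
    procs[i].actions[state[1][i]].effect(env)
    pcs = list(state[1])
    pcs[i] += 1
    return (tuple(sorted(env.items())), tuple(pcs))


def ample(procs: List[Process], state: State, moves: List[int], por: bool) -> List[int]:
    # Simplest partial-order reduction (this example's own rule): a purely local action
    # commutes with whatever the others can do, so exploring it alone suffices for acyclic
    # models. Spin's real ample-set conditions are stronger than this.
    if por:
        for i in moves:
            if procs[i].actions[state[1][i]].local:
                return [i]
    return moves


def check(procs: List[Process], init_vars: Vars, por: bool = False) -> Result:
    # Depth-first exhaustive exploration of the interleaved state space.
    visited, trail, found = set(), [], []

    def dfs(state: State) -> bool:
        visited.add(state)
        moves = enabled(procs, state)
        if not moves:  # invalid end-state: nobody can move, yet someone has not finished
            if any(pc < len(p.actions) for p, pc in zip(procs, state[1])):
                found.append(list(trail))
                return True
            return False
        for i in ample(procs, state, moves, por):
            nxt = successor(procs, state, i)
            if nxt in visited:
                continue
            trail.append(f"{procs[i].name}: {procs[i].actions[state[1][i]].name}")
            if dfs(nxt):
                return True
            trail.pop()
        return False

    dfs((tuple(sorted(init_vars.items())), tuple(0 for _ in procs)))
    return Result(len(visited), found[0] if found else None)


def block(lock: str) -> Action:       # "Block X" on the slides: wait until free, then take it
    def take(v: Vars) -> None:
        v[lock] = 1
    return Action(f"Block {lock}", lambda v: v[lock] == 0, take)


def release(lock: str) -> Action:     # "Release X": give the lock back
    def give(v: Vars) -> None:
        v[lock] = 0
    return Action(f"Release {lock}", lambda v: True, give)


def local_step(name: str) -> Action:  # a step on the process's own data only
    return Action(name, lambda v: True, lambda v: None, local=True)


# Constructed models. Slide 32: locks taken in opposite order (both locks start free).
LOCK_VARS: Vars = {"X": 0, "Y": 0}
OPPOSITE_ORDER = [Process("A", [block("X"), block("Y"), release("Y"), release("X")]),
                  Process("B", [block("Y"), block("X"), release("X"), release("Y")])]
# Mitigation: every process acquires the locks in one global order.
SAME_ORDER = [Process("A", [block("X"), block("Y"), release("Y"), release("X")]),
              Process("B", [block("X"), block("Y"), release("Y"), release("X")])]
# Slide 35: two processes with only local steps (a1;a2 and b1;b2).
INDEPENDENT = [Process("A", [local_step("a1"), local_step("a2")]),
               Process("B", [local_step("b1"), local_step("b2")])]

if __name__ == "__main__":
    print("opposite order:", check(OPPOSITE_ORDER, LOCK_VARS))
    print("same order    :", check(SAME_ORDER, LOCK_VARS))
    print("independent   :", check(INDEPENDENT, {}).states, "states;",
          "with POR:", check(INDEPENDENT, {}, por=True).states, "states")
```

The deadlock criterion is exactly the "invalid end-state" of slide 27: no process has an enabled action, yet at least one has not reached its last statement. For the opposite-order model the search returns the trail `A: Block X`, `B: Block Y`, the blocking execution named on the slide, and for the same-order model it returns no deadlock at all. Because every Block/Release touches a shared lock, the `local` rule never fires there and the reduction only changes the independent model, which is why the reduction does not lose the deadlock.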

  33. Quick Start with Spin • A Mutual Exclusion Protocol • Mars Pathfinder

  34. Reduction Techniques • Tackling the state-explosion problem • Partial Order Reduction • Approximation Techniques (Bit-State Hashing, Hash Compact) • Abstractions • Symbolic Techniques (Minimized Automaton)

  35. Partial Order Reduction: Proc A || B [figure: Proc A has states s0, s1, s2 with transitions a1, a2; Proc B has states r0, r1, r2 with transitions b1, b2; the full interleaving product has the nine states s0r0, s0r1, s1r0, s0r2, s1r1, s2r0, s1r2, s2r1, s2r2, while the reduced state graph visits only s0r0, s1r0, s2r0, s2r1, s2r2]
