SPIN
Download
1 / 61

SPIN - PowerPoint PPT Presentation


  • 90 Views
  • Uploaded on

SPIN. An explicit state model checker. Explict State Model Checker. Represents the system as an finite state machine Visits each reachable state (state space) explicitly Checks some property Property is satisfied Counterexample. DFS. DFS visit of the state space procedure DFS ( s )

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'SPIN' - nam


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

SPIN

An explicit state model checker


Explict state model checker
Explict State Model Checker

  • Represents the system as an finite state machine

  • Visits each reachable state (state space) explicitly

  • Checks some property

    • Property is satisfied

    • Counterexample


DFS

  • DFS visit of the state space

    procedureDFS(s)

    visited = visited {s};

    for each successor s’ of s

    if s’visitedthen

    DFS(s’);

    end if

    end for

    end procedure


DFS

  • How do we:

    • Represent the transition relation

    • Store the visited set

      • Needs fast access (hash table)

      • State space explosion

    • Check properties


Promela
Promela

  • Process Algebra

    • An algebraic approach to the study of concurrent processes. Its tools are algebraical languages for the specification of processes and the formulation of statements about them, together with calculi for the verification of these statements. [Van Glabbeek, 1987]

  • Describes the system in a way similar to a programming language


Promela1
Promela

  • Asynchronous composition of independent processes

  • Communication using channels and global variables

  • Non-deterministic choices and interleavings


An example

NC

T

C

An Example

mtype = { NONCRITICAL, TRYING, CRITICAL };

show mtype state[2];

proctype process(int id) {

beginning:

noncritical:

state[id] = NONCRITICAL;

if

:: goto noncritical;

:: true;

fi;

trying:

state[id] = TRYING;

if

:: goto trying;

:: true;

fi;

critical:

state[id] = CRITICAL;

if

:: goto critical;

:: true;

fi;

goto beginning;}

init { run process(0); run process(1); }


An example1
An Example

mtype = { NONCRITICAL, TRYING, CRITICAL };

show mtype state[2];

proctype process(int id) {

beginning:

noncritical:

state[id] = NONCRITICAL;

if

:: goto noncritical;

:: true;

fi;

trying:

state[id] = TRYING;

if

:: goto trying;

:: true;

fi;

critical:

state[id] = CRITICAL;

if

:: goto critical;

:: true;

fi;

goto beginning;}

init { run process(0); run process(1); }


An example2
An Example

mtype = { NONCRITICAL, TRYING, CRITICAL };

show mtype state[2];

proctype process(int id) {

beginning:

noncritical:

state[id] = NONCRITICAL;

if

:: goto noncritical;

:: true;

fi;

trying:

state[id] = TRYING;

if

:: goto trying;

:: true;

fi;

critical:

state[id] = CRITICAL;

if

:: goto critical;

:: true;

fi;

goto beginning;}

init { run process(0); run process(1); }


An example3
An Example

mtype = { NONCRITICAL, TRYING, CRITICAL };

show mtype state[2];

proctype process(int id) {

beginning:

noncritical:

state[id] = NONCRITICAL;

if

:: goto noncritical;

:: true;

fi;

trying:

state[id] = TRYING;

if

:: goto trying;

:: true;

fi;

critical:

state[id] = CRITICAL;

if

:: goto critical;

:: true;

fi;

goto beginning;}

init { run process(0); run process(1); }


An example4
An Example

mtype = { NONCRITICAL, TRYING, CRITICAL };

show mtype state[2];

proctype process(int id) {

beginning:

noncritical:

state[id] = NONCRITICAL;

if

:: goto noncritical;

:: true;

fi;

trying:

state[id] = TRYING;

if

:: goto trying;

:: true;

fi;

critical:

state[id] = CRITICAL;

if

:: goto critical;

:: true;

fi;

goto beginning;}

init { run process(0); run process(1); }


An example5
An Example

mtype = { NONCRITICAL, TRYING, CRITICAL };

show mtype state[2];

proctype process(int id) {

beginning:

noncritical:

state[id] = NONCRITICAL;

if

:: goto noncritical;

:: true;

fi;

trying:

state[id] = TRYING;

if

:: goto trying;

:: true;

fi;

critical:

state[id] = CRITICAL;

if

:: goto critical;

:: true;

fi;

goto beginning;}

init { run process(0); run process(1); }

NC

T

C


Enabled statements
Enabled Statements

  • A statement needs to be enabled for the process to be scheduled.

    bool a, b;

    proctype p1()

    {

    a = true;

    a & b;

    a = false;

    }

    proctype p2()

    {

    b = false;

    a & b;

    b = true;

    }

    init { a = false; b = false; run p1(); run p2(); }


Enabled statements1
Enabled Statements

  • A statement needs to be enabled for the process to be scheduled.

    bool a, b;

    proctype p1()

    {

    a = true;

    a & b;

    a = false;

    }

    proctype p2()

    {

    b = false;

    a & b;

    b = true;

    }

    init { a = false; b = false; run p1(); run p2(); }

These statements are enabled only if both a and b are true.


Enabled statements2
Enabled Statements

  • A statement needs to be enabled for the process to be scheduled.

    bool a, b;

    proctype p1()

    {

    a = true;

    a & b;

    a = false;

    }

    proctype p2()

    {

    b = false;

    a & b;

    b = true;

    }

    init { a = false; b = false; run p1(); run p2(); }

These statements are enabled only if both a and b are true.

In this case b is always false and therefore there is a deadlock.


Other constructs
Other constructs

  • Do loops

    do

    :: count = count + 1;

    :: count = count - 1;

    :: (count == 0) -> break

    od


Other constructs1
Other constructs

  • Do loops

  • Communication over channels

    proctype sender(chan out)

    {

    int x;

    if

    ::x=0;

    ::x=1;

    fi

    out ! x;

    }


Other constructs2
Other constructs

  • Do loops

  • Communication over channels

  • Assertions

    proctype receiver(chan in)

    {

    int value;

    out ? value;

    assert(value == 0 || value == 1)

    }


Other constructs3
Other constructs

  • Do loops

  • Communication over channels

  • Assertions

  • Atomic Steps

    int value;

    proctype increment()

    { atomic {

    x = value;

    x = x + 1;

    value = x;

    } }


On the fly
On-The-Fly

  • System is the asynchronous composition of processes

  • The global transition relation is never build

  • For each state the successor states are enumerated using the transition relation of each process


On the fly1

0

0

1

1

On-The-Fly

00


On the fly2

0

0

1

1

On-The-Fly

00

10


On the fly3

0

0

1

1

On-The-Fly

00

10


On the fly4

0

0

1

1

On-The-Fly

00

10

11


On the fly5

0

0

1

1

On-The-Fly

00

10

01

11


On the fly6

0

0

1

1

On-The-Fly

00

10

01

11


On the fly7

0

0

1

1

On-The-Fly

00

10

01

11


On the fly8

0

0

1

1

On-The-Fly

00

10

01

11


On the fly9

0

0

1

1

On-The-Fly

00

10

01

11


On the fly10

0

0

1

1

On-The-Fly

00

10

01

11


On the fly11

0

0

1

1

On-The-Fly

00

10

01

11


On the fly12

0

0

1

1

On-The-Fly

00

10

01

11


On the fly13

0

0

1

1

On-The-Fly

00

10

01

11


Visited set
Visited Set

  • Represents all the states that have been reached so far

  • Will eventually become the set of all reachable state (state space)

  • Test of presence of a state in the set must be efficient

    • It is performed for each reached state

  • procedure DFS(s)

  • visited = visited {s};

  • for each successor s’ of s

  • if s’  visited then

  • DFS(s’);

  • end if

  • end for

  • end procedure


Visited set1
Visited Set

  • Hash table

    • Efficient for testing even if the number of elements in it is very big (≥ 106)


Visited set2
Visited Set

  • Hash table

    • Efficient for testing even if the number of elements in it is very big (≥ 106)

  • Reduce memory usage

    • Compress each state

When a transition is executed only a limited part of the state is modified


Visited set3
Visited Set

  • Hash table

    • Efficient for testing even if the number of elements in it is very big (≥ 106)

  • Reduce memory usage

    • Compress each state

  • Reduce the number of states

    • Partial Order Reduction


State representation
State Representation

  • Global variables

  • Processes and local variables

  • Queues

Processes

Global Variables

Queues


Compression
Compression

  • Each transition changes only a small part of the state

  • Assign a code to each element dynamically

  • Encoded states + basic elements use considerably less spaces than the uncompressed states


Compression1

3

3

2

2

1

1

0

0

0

Compression

i=0 j=0

P0

x=0

P0

x=1

Q0

{1}

P0

x=0

P1

y=0

0

0

1

0

0

2

3

2

P1

y=0

1

P0

x=1

i=0 j=0

P0

x=0

Q0

{1}


Compression2

3

3

2

2

1

1

0

0

0

Compression

i=0 j=0

P0

x=0

P0

x=1

Q0

{1}

Q0

{}

P0

x=0

P0

x=1

P1

y=0

0

0

1

1

0

0

1

2

q ? x

3

2

P1

y=0

1

P0

x=1

Q0

{}

i=0 j=0

P0

x=0

Q0

{1}


Hash compaction
Hash Compaction

  • Uses a hashing function to store each state using only 2 bits


Hash compaction1
Hash Compaction

  • Uses a hashing function to store each state using only 2 bits

  • There is an non-zero probability that two states are mapped into the same bits


Hash compaction2
Hash Compaction

  • Uses a hashing function to store each state using only 2 bits

  • There is an non-zero probability that two states are mapped into the same bits

  • If the number of states is quite smaller than the number of bits available there is a pretty good chance of not having conflicts


Hash compaction3
Hash Compaction

  • Uses a hashing function to store each state using only 2 bits

  • There is an non-zero probability that two states are mapped into the same bits

  • If the number of states is quite smaller than the number of bits available there is a pretty good chance of not having conflicts

  • The result is not (always) 100% correct!


Minimized automata reduction
Minimized Automata Reduction

  • Turns the state in a sequence of integers


Minimized automata reduction1
Minimized Automata Reduction

  • Turns the state in a sequence of integers

  • Constructs an automata which accepts the states in the visited set


Minimized automata reduction2
Minimized Automata Reduction

  • Turns the state in a sequence of integers

  • Constructs an automata which accepts the states in the visited set

  • Works like a BDD but on non-binary variables (MDD)


Minimized automata reduction3
Minimized Automata Reduction

  • Turns the state in a sequence of integers

  • Constructs an automata which accepts the states in the visited set

  • Works like a BDD but on non-binary variables (MDD)

    • The variables are the components of the state


Minimized automata reduction4
Minimized Automata Reduction

  • Turns the state in a sequence of integers

  • Constructs an automata which accepts the states in the visited set

  • Works like a BDD but on non-binary variables (MDD)

    • The variables are the components of the state

    • The automata is the minimal automata


Minimized automata reduction5
Minimized Automata Reduction

  • Turns the state in a sequence of integers

  • Constructs an automata which accepts the states in the visited set

  • Works like a BDD but on non-binary variables (MDD)

    • The variables are the components of the state

    • The automata is the minimal automata

    • The automata is updated efficiently


Partial order reduction

x=1

y=0

x=1

y=0

Partial Order Reduction

  • Some interleavings of processes are equivalent

x=0

y=0

x++

y++

x=1

y=0

x=0

y=1

y++

x++

x=1

y=1


Partial order reduction1
Partial Order Reduction

  • Some interleavings of processes are equivalent

  • Computing such interleavings and storing the intermediate states is expensive


Partial order reduction2
Partial Order Reduction

  • Some interleavings of processes are equivalent

  • Computing such interleavings and storing the intermediate states is expensive

  • Partial order reduction defines a reduced system which is equivalent to the original system but contains less states and transitions

Defines an equivalent relation between states and computes the quotient of the state transition graph to obtain a reduced state transition graph.

Properties are true of the reduced state transition graph if and only if are true of the original graph.


Partial order reduction3
Partial Order Reduction

  • Optimal partial order reduction is as difficult as model checking!


Partial order reduction4
Partial Order Reduction

  • Optimal partial order reduction is as difficult as model checking!

  • Compute an approximation based on syntactical information


Partial order reduction5
Partial Order Reduction

Access to local variables

Receive on exclusive receive-access queues

Send on exclusive send-access queues

  • Optimal partial order reduction is as difficult as model checking!

  • Compute an approximation based on syntactical information

    • Independent

    • Invisible

    • Check (at run-time) for actions postponed at infinitum

Not mentioned in the property

So called stack proviso


Properties
Properties

  • Safety properties

    • Something bad never happens

    • Properties of states

  • Liveness properties

    • Something good eventually happens

    • Properties of paths

Reachability is sufficient

We need something more complex to check liveness properties


Ltl model checking
LTL Model Checking

  • Liveness properties are expressed in LTL

    • Subset of CTL* of the form:

      • A f

        where f is a path formula with does not contain any quantifiers

  • The quantifier A is usually omitted.

  • G is substituted by  (always or box)

  • F is substituted by  (eventually or diamond)

  • X is substituted by  (next)


Ltl formulae
LTL Formulae

  • Always eventually p:   p

AGFp in CTL*

AG AF p in CTL

  • Always after p there is eventually q:  ( p (  q ) )

AG(pFq) in CTL*

AG(p AFq) in CTL

  • Fairness:

    (   p ) 

(AGF p)   in CTL*

Can’t express it in CTL


References
References

  • http://spinroot.com/

  • Design and Validation of Computer Protocols by Gerard Holzmann

  • The Spin Model Checker by Gerard Holzmann

  • An automata-theoretic approach to automatic program verification, by Moshe Y. Vardi, and Pierre Wolper

  • An analysis of bitstate hashing, by G.J. Holzmann

  • An Improvement in Formal Verification, by G.J. Holzmann and D. Peled

  • Simple on-the-fly automatic verification of linear temporal logic, by Rob Gerth, Doron Peled, Moshe Vardi, and Pierre Wolper

  • A Minimized automaton representation of reachable states, by A. Puri and G.J. Holzmann


ad