
Outline

Using SPIN to verify protocols in PROMELA specifications (8/25/2012).


Presentation Transcript


1. 8/25/2012 Using SPIN to verify protocols in PROMELA specifications, slide 1: Outline

   - SPIN Introduction
   - SPIN Basic Modes
   - PROMELA Introduction
   - PROMELA Example
   - XSPIN Introduction
   - SPIN Control Window
   - SPIN Simulator
   - SPIN Verifier
   - SPIN LTL Property Manager

2. SPIN

SPIN is a popular open-source software tool that can be used for the formal verification of distributed software systems. The tool was developed at Bell Labs in the original Unix group of the Computing Sciences Research Center, starting in 1980. The software has been available freely since 1991, and continues to evolve to keep pace with new developments in the field. The website of SPIN is found at www.spinroot.com.

3. SPIN Basic Modes

SPIN can be used in three basic modes:

   - as a simulator, allowing rapid prototyping with random, guided, or interactive simulations;
   - as an exhaustive verifier, capable of rigorously proving the validity of user-specified correctness requirements (using partial order reduction theory to optimize the search);
   - as a proof approximation system that can validate even very large system models with maximal coverage of the state space.

All SPIN software is written in ANSI standard C, and is portable across all versions of Unix, Linux, cygwin, Plan9, Inferno, Solaris, Mac, and Windows.

4. PROMELA

To verify a design, a formal model is built in PROMELA (a PROcess MEta LAnguage), which serves as the input to SPIN. PROMELA is a non-deterministic language, loosely based on Dijkstra's guarded command language notation and borrowing the notation for I/O operations from Hoare's CSP language.

5. PROMELA Example

The go-back-n sliding window protocol p5 follows the description in Tanenbaum. The file L2_gobackn1.txt holds the PROMELA specification of that protocol, including some annotations that facilitate simulation.

```promela
#define MaxSeq 3                          /* window size */
#define Wrong(x) x = (x+1) % (MaxSeq)
#define Right(x) x = (x+1) % (MaxSeq + 1)
#define inc(x) Right(x)                   /* file ex.9 */

chan q[2] = [MaxSeq] of { byte, byte };   /* message channel */

active [2] proctype p5()                  /* starts two copies of proctype p5 */
{
    …
}
```

The sender's window size is 3 = 2^n - 1, where n = 2. In this example, two processes exchange messages in bidirectional mode. q is an array of 2 (unidirectional) message channels; each message channel can store up to 3 messages, and each message consists of 2 bytes. The Wrong(x) macro, which wraps sequence numbers modulo MaxSeq instead of MaxSeq + 1, is the incorrect alternative left in the file: it leaves only MaxSeq distinct sequence numbers for a window of MaxSeq outstanding frames, so a full window cannot be told apart from an empty one.

6. PROMELA Example

```promela
active [2] proctype p5()                  /* starts two copies of proctype p5 */
{
    byte NextFrame, AckExp, FrameExp, r, s, nbuf, i;
    chan in, out;

    in  = q[_pid];
    out = q[1-_pid];
    xr in;
    xs out;                               /* partial order reduction claims */

    do
    :: nbuf < MaxSeq ->                   /* outgoing messages */
        …
    :: q[_pid]?r,s ->                     /* incoming messages */
        …
    :: timeout ->                         /* retransmission timeout */
        …
    od
}
```

Each process takes two channels of the array q, one as its input channel and one as its output channel. The loop body uses something like Dijkstra's guarded command language notation. The I/O operations for incoming and outgoing messages use Hoare's CSP notation.

7. PROMELA Example

```promela
    :: nbuf < MaxSeq ->                   /* outgoing messages */
        nbuf++;
        out!NextFrame , (FrameExp + MaxSeq) % (MaxSeq + 1);
        inc(NextFrame)
    :: q[_pid]?r,s ->                     /* incoming messages */
        if
        :: r == FrameExp ->
            printf("MSC: accept %d\n", r);
            inc(FrameExp)
        :: else                           /* ignore message */
        fi;
        do
        :: ((AckExp <= s) && (s < NextFrame)) ||
           ((AckExp <= s) && (NextFrame < AckExp)) ||
           ((s < NextFrame) && (NextFrame < AckExp)) ->
            nbuf--;
            inc(AckExp)
        :: else -> break
        od
```

Because the inc(x) macro wraps modulo MaxSeq + 1, a sequence number such as NextFrame, FrameExp, or AckExp is always an integer from 0 to 3. The second field of each outgoing message, (FrameExp + MaxSeq) % (MaxSeq + 1), is the piggybacked acknowledgement: the sequence number of the last frame this process accepted. The three-way condition in the inner loop tests whether the received acknowledgement s lies between AckExp (inclusive) and NextFrame (exclusive) on the circular sequence space, so every frame it covers can be released from the window.

8. PROMELA Example

```promela
    :: timeout ->                         /* retransmission timeout */
        NextFrame = AckExp;
        printf("MSC: timeout\n");
        i = 1;
        do
        :: i <= nbuf ->
            out!NextFrame , (FrameExp + MaxSeq) % (MaxSeq + 1);
            inc(NextFrame);
            i++
        :: else -> break
        od
```

To simplify the simulation, the starting and stopping of the timer associated with each outstanding message is ignored in this specification; the built-in PROMELA timeout guard stands in for it, and every outstanding frame is resent when it fires.
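As an added example, not the slide's PROMELA code and not something SPIN runs, the following Python re-implements the sender-side bookkeeping of p5 from slides 5 to 8: the inc(x) wrap, the acknowledgement-window guard of slide 7 and the timeout branch of slide 8, parameterised by the modulus so that the Right(x) and Wrong(x) macros can be compared. The class and function names are made up here; outstanding_after_full_window_ack shows why the window must be at most 2^n - 1: with Wrong(x), a full window wraps NextFrame back onto AckExp and the guard then rejects every acknowledgement, leaving the window stuck.

```python
MAX_SEQ = 3  # window size, the slide's #define MaxSeq

def in_window(ack_exp, s, next_frame):
    # slide 7's guard: ack s lies between AckExp (inclusive) and NextFrame
    # (exclusive) on the circular sequence space, wrap-around included
    return ((ack_exp <= s < next_frame)
            or (ack_exp <= s and next_frame < ack_exp)
            or (s < next_frame < ack_exp))

class GoBackNSender:
    # modulus MAX_SEQ + 1 reproduces Right(x); modulus MAX_SEQ reproduces Wrong(x)
    def __init__(self, modulus):
        self.modulus = modulus
        self.next_frame = 0  # NextFrame: next sequence number to send
        self.ack_exp = 0     # AckExp: oldest unacknowledged frame
        self.nbuf = 0        # frames sent but not yet acknowledged

    def inc(self, x):  # the inc(x) macro
        return (x + 1) % self.modulus

    def send(self):
        # ':: nbuf < MaxSeq ->' branch; returns the sequence number sent, or None
        if self.nbuf >= MAX_SEQ:
            return None
        seq, self.next_frame = self.next_frame, self.inc(self.next_frame)
        self.nbuf += 1
        return seq

    def receive_ack(self, s):
        # inner do-loop of the incoming branch: release every frame ack s covers
        released = 0
        while in_window(self.ack_exp, s, self.next_frame):
            self.nbuf -= 1
            self.ack_exp = self.inc(self.ack_exp)
            released += 1
        return released

    def timeout(self):
        # slide 8's ':: timeout ->' branch: go back to AckExp and resend the
        # nbuf outstanding frames in order; NextFrame ends up just past them
        resent = [(self.ack_exp + i) % self.modulus for i in range(self.nbuf)]
        self.next_frame = (self.ack_exp + self.nbuf) % self.modulus
        return resent

def outstanding_after_full_window_ack(modulus):
    # fill the window, then ack the last frame: 0 left with Right, MaxSeq with Wrong
    sender = GoBackNSender(modulus)
    for _ in range(MAX_SEQ):
        last = sender.send()
    sender.receive_ack(last)
    return sender.nbuf
```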

9. XSPIN

XSPIN is an optional, but highly recommended, graphical user interface to SPIN, written in Tcl/Tk. The easiest way to get started with SPIN is to use the graphical interface XSPIN. The graphical interface runs independently from SPIN itself, and helps by generating the proper SPIN commands based on menu selections. XSPIN runs SPIN in the background to obtain the desired output, and wherever possible it will attempt to generate a graphical representation of such output. XSPIN knows when and how to compile code for the model checkers that SPIN can generate, and it knows when and how to execute it, so there is less to remember.

10. SPIN Control Window
