1 / 61

SPIN

SPIN. An explicit state model checker. Explict State Model Checker. Represents the system as an finite state machine Visits each reachable state (state space) explicitly Checks some property Property is satisfied Counterexample. DFS. DFS visit of the state space procedure DFS ( s )

Download Presentation

SPIN

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. SPIN An explicit state model checker

  2. Explict State Model Checker • Represents the system as an finite state machine • Visits each reachable state (state space) explicitly • Checks some property • Property is satisfied • Counterexample

  3. DFS • DFS visit of the state space procedureDFS(s) visited = visited {s}; for each successor s’ of s if s’visitedthen DFS(s’); end if end for end procedure

  4. DFS • How do we: • Represent the transition relation • Store the visited set • Needs fast access (hash table) • State space explosion • Check properties

  5. Promela • Process Algebra • An algebraic approach to the study of concurrent processes. Its tools are algebraical languages for the specification of processes and the formulation of statements about them, together with calculi for the verification of these statements. [Van Glabbeek, 1987] • Describes the system in a way similar to a programming language

  6. Promela • Asynchronous composition of independent processes • Communication using channels and global variables • Non-deterministic choices and interleavings

  7. NC T C An Example mtype = { NONCRITICAL, TRYING, CRITICAL }; show mtype state[2]; proctype process(int id) { beginning: noncritical: state[id] = NONCRITICAL; if :: goto noncritical; :: true; fi; trying: state[id] = TRYING; if :: goto trying; :: true; fi; critical: state[id] = CRITICAL; if :: goto critical; :: true; fi; goto beginning;} init { run process(0); run process(1); }

  8. An Example mtype = { NONCRITICAL, TRYING, CRITICAL }; show mtype state[2]; proctype process(int id) { beginning: noncritical: state[id] = NONCRITICAL; if :: goto noncritical; :: true; fi; trying: state[id] = TRYING; if :: goto trying; :: true; fi; critical: state[id] = CRITICAL; if :: goto critical; :: true; fi; goto beginning;} init { run process(0); run process(1); }

  9. An Example mtype = { NONCRITICAL, TRYING, CRITICAL }; show mtype state[2]; proctype process(int id) { beginning: noncritical: state[id] = NONCRITICAL; if :: goto noncritical; :: true; fi; trying: state[id] = TRYING; if :: goto trying; :: true; fi; critical: state[id] = CRITICAL; if :: goto critical; :: true; fi; goto beginning;} init { run process(0); run process(1); }

  10. An Example mtype = { NONCRITICAL, TRYING, CRITICAL }; show mtype state[2]; proctype process(int id) { beginning: noncritical: state[id] = NONCRITICAL; if :: goto noncritical; :: true; fi; trying: state[id] = TRYING; if :: goto trying; :: true; fi; critical: state[id] = CRITICAL; if :: goto critical; :: true; fi; goto beginning;} init { run process(0); run process(1); }

  11. An Example mtype = { NONCRITICAL, TRYING, CRITICAL }; show mtype state[2]; proctype process(int id) { beginning: noncritical: state[id] = NONCRITICAL; if :: goto noncritical; :: true; fi; trying: state[id] = TRYING; if :: goto trying; :: true; fi; critical: state[id] = CRITICAL; if :: goto critical; :: true; fi; goto beginning;} init { run process(0); run process(1); }

  12. An Example mtype = { NONCRITICAL, TRYING, CRITICAL }; show mtype state[2]; proctype process(int id) { beginning: noncritical: state[id] = NONCRITICAL; if :: goto noncritical; :: true; fi; trying: state[id] = TRYING; if :: goto trying; :: true; fi; critical: state[id] = CRITICAL; if :: goto critical; :: true; fi; goto beginning;} init { run process(0); run process(1); } NC T C

  13. Enabled Statements • A statement needs to be enabled for the process to be scheduled. bool a, b; proctype p1() { a = true; a & b; a = false; } proctype p2() { b = false; a & b; b = true; } init { a = false; b = false; run p1(); run p2(); }

  14. Enabled Statements • A statement needs to be enabled for the process to be scheduled. bool a, b; proctype p1() { a = true; a & b; a = false; } proctype p2() { b = false; a & b; b = true; } init { a = false; b = false; run p1(); run p2(); } These statements are enabled only if both a and b are true.

  15. Enabled Statements • A statement needs to be enabled for the process to be scheduled. bool a, b; proctype p1() { a = true; a & b; a = false; } proctype p2() { b = false; a & b; b = true; } init { a = false; b = false; run p1(); run p2(); } These statements are enabled only if both a and b are true. In this case b is always false and therefore there is a deadlock.

  16. Other constructs • Do loops do :: count = count + 1; :: count = count - 1; :: (count == 0) -> break od

  17. Other constructs • Do loops • Communication over channels proctype sender(chan out) { int x; if ::x=0; ::x=1; fi out ! x; }

  18. Other constructs • Do loops • Communication over channels • Assertions proctype receiver(chan in) { int value; out ? value; assert(value == 0 || value == 1) }

  19. Other constructs • Do loops • Communication over channels • Assertions • Atomic Steps int value; proctype increment() { atomic { x = value; x = x + 1; value = x; } }

  20. On-The-Fly • System is the asynchronous composition of processes • The global transition relation is never build • For each state the successor states are enumerated using the transition relation of each process

  21. 0 0 1 1 On-The-Fly 00

  22. 0 0 1 1 On-The-Fly 00 10

  23. 0 0 1 1 On-The-Fly 00 10

  24. 0 0 1 1 On-The-Fly 00 10 11

  25. 0 0 1 1 On-The-Fly 00 10 01 11

  26. 0 0 1 1 On-The-Fly 00 10 01 11

  27. 0 0 1 1 On-The-Fly 00 10 01 11

  28. 0 0 1 1 On-The-Fly 00 10 01 11

  29. 0 0 1 1 On-The-Fly 00 10 01 11

  30. 0 0 1 1 On-The-Fly 00 10 01 11

  31. 0 0 1 1 On-The-Fly 00 10 01 11

  32. 0 0 1 1 On-The-Fly 00 10 01 11

  33. 0 0 1 1 On-The-Fly 00 10 01 11

  34. Visited Set • Represents all the states that have been reached so far • Will eventually become the set of all reachable state (state space) • Test of presence of a state in the set must be efficient • It is performed for each reached state • procedure DFS(s) • visited = visited {s}; • for each successor s’ of s • if s’  visited then • DFS(s’); • end if • end for • end procedure

  35. Visited Set • Hash table • Efficient for testing even if the number of elements in it is very big (≥ 106)

  36. Visited Set • Hash table • Efficient for testing even if the number of elements in it is very big (≥ 106) • Reduce memory usage • Compress each state When a transition is executed only a limited part of the state is modified

  37. Visited Set • Hash table • Efficient for testing even if the number of elements in it is very big (≥ 106) • Reduce memory usage • Compress each state • Reduce the number of states • Partial Order Reduction

  38. State Representation • Global variables • Processes and local variables • Queues Processes Global Variables Queues

  39. Compression • Each transition changes only a small part of the state • Assign a code to each element dynamically • Encoded states + basic elements use considerably less spaces than the uncompressed states

  40. 3 3 2 2 1 1 0 0 0 Compression i=0 j=0 P0 x=0 P0 x=1 Q0 {1} P0 x=0 P1 y=0 0 0 1 0 0 2 3 2 P1 y=0 1 P0 x=1 i=0 j=0 P0 x=0 Q0 {1}

  41. 3 3 2 2 1 1 0 0 0 Compression i=0 j=0 P0 x=0 P0 x=1 Q0 {1} Q0 {} P0 x=0 P0 x=1 P1 y=0 0 0 1 1 0 0 1 2 q ? x 3 2 P1 y=0 1 P0 x=1 Q0 {} i=0 j=0 P0 x=0 Q0 {1}

  42. Hash Compaction • Uses a hashing function to store each state using only 2 bits

  43. Hash Compaction • Uses a hashing function to store each state using only 2 bits • There is an non-zero probability that two states are mapped into the same bits

  44. Hash Compaction • Uses a hashing function to store each state using only 2 bits • There is an non-zero probability that two states are mapped into the same bits • If the number of states is quite smaller than the number of bits available there is a pretty good chance of not having conflicts

  45. Hash Compaction • Uses a hashing function to store each state using only 2 bits • There is an non-zero probability that two states are mapped into the same bits • If the number of states is quite smaller than the number of bits available there is a pretty good chance of not having conflicts • The result is not (always) 100% correct!

  46. Minimized Automata Reduction • Turns the state in a sequence of integers

  47. Minimized Automata Reduction • Turns the state in a sequence of integers • Constructs an automata which accepts the states in the visited set

  48. Minimized Automata Reduction • Turns the state in a sequence of integers • Constructs an automata which accepts the states in the visited set • Works like a BDD but on non-binary variables (MDD)

  49. Minimized Automata Reduction • Turns the state in a sequence of integers • Constructs an automata which accepts the states in the visited set • Works like a BDD but on non-binary variables (MDD) • The variables are the components of the state

  50. Minimized Automata Reduction • Turns the state in a sequence of integers • Constructs an automata which accepts the states in the visited set • Works like a BDD but on non-binary variables (MDD) • The variables are the components of the state • The automata is the minimal automata

More Related