1 / 7

CSE 503 – Software Engineering Lecture 6: Practice with the Spin model checker Rob DeLine

CSE 503 – Software Engineering Lecture 6: Practice with the Spin model checker Rob DeLine 14 Apr 2004. Matching channel contents. Channels support primitive pattern matching mtype = { START, STOP } // these are constants chan msgs = [10] of {byte} proctype Fetch () { do

patrickpaul
Download Presentation

CSE 503 – Software Engineering Lecture 6: Practice with the Spin model checker Rob DeLine

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CSE 503 – Software Engineering • Lecture 6: Practice with the Spin model checker • Rob DeLine • 14 Apr 2004

  2. Matching channel contents • Channels support primitive pattern matching • mtype = { START, STOP } // these are constants • chan msgs = [10] of {byte} • proctype Fetch () { • do • :: msgs?START -> /* do start command */ • :: msgs?STOP -> /* do stop command */ • od • } • Channel data must equal constant for receive to be executable • You can also match channel data against the value of a variable: • proctype A (byte b) { do :: msgs?eval(b) -> ... } • init { run A(0); run A(1); }

  3. Checking properties • Easiest way to check safety properties: use assert • Spin also has built-in checks • deadlocks (every process blocked on another process) • unreachable code • livelocks (processes are busy, but no “progress”) • Spin also checks properties in linear temporal logic (LTL) • Temporal logics are a huge field by themselves • We’ll stick to basic formulae in this class

  4. ... S0 S1 S2 S3 S4 S5 LTL describes traces • LTL formulae are defined over traces of system states • Spin “state” consists of globals, process locals, channel contents • Due to nondeterminism, there are many possible traces • LTL talks about one trace at a time • (A different logic, CTL, talks about all traces at once) • LTL built on top of atomic propositions • With Spin, these are Promela expressions, given names with #define • We’ll label a state with a proposition that holds in that state P

  5. ... ... ... ... ... P P P P P P P P P Q P P P LTL temporal operators • P P holds in the initial state • X P P holds in the next state (not in Spin) • □ P P holds in all states (a.k.a. G P) • ◊ P P holds in some future state (a.k.a. F P) • P U Q P holds until Q holds

  6. LTL “patterns” • Certain cliches appear again and again • See Dwyer, Avrunin, and Corbett, “Patterns in Property Specifications for Finite-State Verification”, 1999 • Universal property (P always holds) • [] P • Response property (Q always happens after P happens) • [] P -> <> Q • Precedence property (S always precedes P) • <> P -> (!P U (S && !P))

  7. Let’s practice with elevators • We’ll model an elevator in an N-floor building • On each floor there’s a door and a button. • Pressing the button sends a request for the elevator to come to that floor. • To enter the elevator, the door must be open when the elevator is at that floor. • The door must not be open when the elevator is not on that floor. • A controller on each floor controls the door. • The elevator moves only in response to requests. Syntax reminder: chan c = [2] of {int} int i = 0; proctype Loopy (int n) { int i=0, j=0; do :: i < n -> i--; :: c?j -> i = i + j; od } proctype Send (int n) { if :: n < 0 -> n = -n; c!n; :: n >= 0 -> c!n; fi } init { run Loopy(3); }

More Related