Model Checking with SPIN Modeling and Verification with SPIN

1
Model Checking with SPINModeling and
Verification with SPIN

• by
• Wishnu Prasetya wishnu_at_cs.uu.nl
• www.cs.uu.nl/docs/vakken/pv

2
Overview

• Architecture a bit more about SPIN
• Examples
• Some language aspects
• Some SPIN optimizations

3
Reference and acknowledgement

• Some of the coming slides are taken and adapted
  from Jinfengs SPIN slides, PV-2004, and Theo
  Ruyss SPIN Tutorials.

4
Spin and Promela

• SPIN Simple Promela Interpreter
• Promela Process Meta LanguageThe modeling
  language of SPIN
• So it is not a language to build an application!
  
• Strong features
• Powerful constructs to synchronize concurrent
  processes
• Cutting edge model checking technology
• Simulation to support analysis (of the models)

5
Frontend XSpin
6
(X)SPIN Architecture
7
System, process, and action.

• A system in SPIN consists of a set of interacting
  and concurrent processes.
• Each process is sequential, but possibly
  non-deterministic.
• Each process is built from atomic actions
  (transition).
• Concurrent execution is modeled by interleaving.
• Fairness can be impossed.

8
Recall interleaving model of concurency
x
x
P
print x
Q
P Q
9
Example of Promela program
active proctype scheduler() do
request ? REQ1 ? (rstatus0)
granted1?GRANTED request ? REQ2 ? ...
od active proctype client1() do
request ! REQ1 granted1 ?
GRANTED ... / using a shared
recourse / rstatus 0 / after
some time, free the resource again /
skip / do something else / od active
proctype client2 ...
10
Data types

• Bit 0,1
• Bool true,false
• Byte 0..255
• Short -215 .. 215-1
• Int -231 .. 231-1
• Pid 0..255
• Mtype 0..255 // user-def. enumeration
• Chan 0..255
• One dimensional array
• Record

11
(Enabledness) Expression

• Example
• This process has 3 atomic actions.
• The action y0
• only enabled in a state where the expression is
  true
• it can only be executed when it is enabled the
  effect is skip
• so, as long as it is disabled, the process will
  block
• if it is not enabled in the current state, due to
  the interleaving semantics it may become enabled
  in the next state (by a transition caused by
  another process)
• even if it is enabled in the current state, there
  is no guarantee the action will be selected for
  execution but there is a way in SPIN to impose
  fairness.

active proctype P x (y0) x--
12
Example

• Use it to synchronize between processes
  
• // both will terminate, but forcing Q to
  finish last

byte x0 , y0 active proctype P x (ygt0)
x-- active proctype Q (xgt0) y
(x0) y--
13
Multiprogramming is tricky.

• E.g. one or more processes can become stuck
  (deadlocked)
• (hence the need for verification!)

byte x0 , y0 active proctype P x
(ygt0) x-- (y0) active proctype Q y
(xgt0) (x0) y--
14
loop do-statement
do stmt1 stmtn od

• The alternatives do not have to be atomic!
• The first action in an alternative acts as its
  guard, which determines if the alternative is
  enabled on a given state.
• At each iteration, non-deterministically choose
  one enabled alternatives.
• If there is none, the entire loop blocks.
• So, in principle the loop goes on forever to
  exit you have explicitly do a break.

15
loop do-statement

• So, this is how to do a traditional iteration
  
• But we can also do this

do (igt0) i-- (i0) break
do
do (igt0) ? i-- (i0) ? break do
do (igt0) ? i-- break
// non-deterministically break anytime do
16
Non-determinism

• Non-determinism can be used to abstractly model
  alternate behavioractive proctype client1()
  do r ! REQ1 // spamming requests
• g1 ? GRANTED ... rstatus 0
• g1 ? GRANTED rstatus err //
  sometimes error break // sometimes
  customer is impatient od ...

17
Conditional
if stmt1 stmtn fi

• Non-deterministically select one enabled
  alternatives.
• If none exists, the whole if blocks.

18
Label and jump
L0 (x0) if goto L0 fi

• Labels can also be useful in specification,
  e.g. (P_at_critical ? ?Q_at_critical)
• Referring to labels as above goes actually via a
  mechanism called remote reference, which can
  also be used to inspect the value of local
  variables for the purpose of specification.

19
Exception/Escape

• S unless E
• Statement! Not to be confused with LTL unless.
• If E ever becomes enabled during the execution of
  S, then S is aborted and the execution continues
  with E.More precisely check manual.

20
Scope

• There are only 2 levels of scope
• global var (visible in the entire sys)
• local var (visible only to the process that
  contains the declaration)
• there is no inner blocks

21
Channels
chan c 0 of bit chan d
2 of mtype, bit, byte chan e2
1 of mtype, record

• for exchanging messages between processes
• finite sized and asynchronously, unless you set
  it to size 0 ? synchronous channel
• Syntax c ! 0 sending over channel
  c blocking if c is full c ? x receives
  from c, transfer it to x blocking if c is empty
• There are some more exotic channel operations
  checking empty/full, testing head-value, copying
  instead of receiving, sorted send, random receive
  ... ? check out the Manual

22
Predefined variables in Promela

• _pid current process instantiation
  number
• _nr_pr the number of active processes
• np_ true when the model is not in a
  progress state
• _last the pid of process that
  executed last
• else true if no statement in the
  current process is executable
• timeout true if no statement in the system
  is executable

23
timeout

• timeout becomes executable if there is no other
  process the system is executable/enabled
• so, it models a global timeout
• useful as a mechanism to avoid deadlock
• beware of statements that are always executable

if c ? MSG, m ? ... //
pattern matching with MSG , transfer to m c
? ACK ? ... timeout
// exit the if when
timeout fi
the timeout will never fire because the assert
in M is always executable
suppose we have another process active
proctype M assert (xgt0)
24
Assertion

• As usual we can insert assertions they will be
  checked by the simulator and verifier
• // when Q terminates, both x and y will be 0

active proctype P active proctype Q
assert (x0 y0)
25
Assertion

• Thanks to built-in non-determinism in the
  interleaving semantics, we can also use assertion
  to specify a global invariant !
  // implying that at any time during the
  run x is either 0 or 1
  

byte x0 , y0 active proctype P x (ygt0)
x-- active proctype Q (xgt0) y (x0)
y-- active proctype Monitor assert ((x0
x1))
26
End state

• When a process P fails to reach its terminal
  (end) state
• Then it was locked ? error.
• Maybe this P is not supposed to reach end-state ?
  suppress end-state checking with SPIN option.
• The terminal state is by default just the textual
  end of of Ps code.
• You can specify additional terminal states by
  using end-label
• Of the form end

27
Progress state

• We can mark some states as progress states
• Using progress labels
• An infinite execution that never visit any
  progress state may indicate possible starvation.
• We can ask SPIN (with an option) to verify no
  such execution exists.

28
Data structures involved in SPIN DFS

• We need
• something to hold each state.
• Stack
• To remember where to backtrack in DFS
• It corresponds to the current execution that is
  being inspected ? used for reporting.
• Something to hold Statespace

29
State

• Each (global) state of a system is a product of
  the states of its processes.
• E.g. Suppose we have
• One global var byte x
• Process P with byte y
• Process Q with byte z
• Each system state should describe
• all these variables
• Program counter of each process
• Other SPIN predefined vars
• Represent each global state as a tuple this
  tuple can be quite big.

30
Watch out for state explosion!
int x,y,z P do x od Q do y
od R do x/y ? z od

• Size of each state gt 96 bits
• Number of possible states ? (232) 3 296
• Far too huge
• Focus on the critical aspect of your model
  abstract from data when possible.

31
The stack

• To save space SPIN does not keep a stack of
  states (large!), but rather a stack of action-IDs
  (small!)
• Though this requires computing action-undo when
  backtracking

32
Hash table
The list of visited states is maintained by a
Hash-table. So matching if a state occuring in
the table is fast!
Optimization bit state hashing ?
33
Verifiers output
assertion violated !((crit0crit1)) (at
depth 5) // computation depth ... Warning
Search not completed Full statespace search
for ... never-claim
- (not selected) assertion violations
invalid endstates State-vector 20 byte,
depth reached 7, errors 1 // max.
stack depth 24 states, stored
// states
stored in hash table 17 states, matched
//
states found re-revisited 41 transitions (
storedmatched) 0 atomic steps hash
conflicts 0 (resolved) (max size 219
states) 2.542 memory usage (Mbyte)
34
Specifying LTL properties

• In Xspin via the LTL manager available operators
  somewhat silly interface
• SPIN then generates the Buchi automaton for this
  LTL formula called Never Claim in SPIN.

(ok1 !ok2) define ok1 crit1 define
ok2 crit2
35
Example of a Never Claim

• Here is the never-claim of ltgtp (the
  Buchi of ? ltgtp ltgt?p)
• This is automatically generated by SPIN

never do !p break
skip od accept do !p skip
od
Error if accept is reachable in the lock-step
execution, and from there a cyclic run can be
found.
36
You can also manually write your custom NC
never accept do (x0) (x1)
od

• recognize an execution where (x0)(x1) holds
  alternatingly.

37
Optimization Partial Order Reduction

• The validity of a property ? is often insensitive
  to the order in which independent actions are
  interleaved. e.g. stutter invariant ? (does not
  contain X) that only refers to global variables,
  is insensitive to the relative order of actions
  that only access local variables.
• Idea if in some global state, a process P can
  execute only actions updating local variables,
  always do these actions first (so they will not
  be interleaved!)
• We can also do the same with actions that
• receive from a queue, from which no other process
  receives
• send to a queue, to which no other process sends

38
Reduction Algorithms

• Partial Order Reduction

39
Results on Partial Order Reduction
This result is from Holzmann Peled in 1994, on
a Sparc-10 workstation with 128Mbyte of RAM.
(about 40 mhz so 1 mips??)
40
Imposing a coarser grain atomicity
atomic guard ? stmt_1 ... stmt_n

• more abstract, less error prone, but less
  parallelims
• executable if the guard statement is executable
• none of stmt-i should be blocking or rather if
  any of then blocks, atomicity is lost

active proctype P x (ygt0) x--
vs active proctype P x atomic ygt0 ?
x--
41
d_step sequences
d_step guard ? stmt_1 ... stmt_n

• like an atomic, but must be deterministic and may
  not block anywhere
• atomic and d_step sequences are often used as a
  model reduction method, to lower complexity of
  large models (improving tractability)

d_step / reset array elements to 0 / i
0 do i lt N -gt xi 0 i
else -gt break od i 0
42
atomic vs d_step

• They are also different in the way the verifier
  treats it
• d_step the entire sequence is executed as one
  single transition, and is deterministic.
• atomic the sequence is executed step-by-step,
  but without interleaving, it can make
  non-deterministic choices
• caution
• infinite loops inside d_step sequences are not
  detected !

43
execution without atomics or d_steps
44
execution with one atomic sequence
45
execution with a d_step sequence