SPIN - PowerPoint PPT Presentation

About This Presentation
Title:

SPIN

Description:

init { run process(0); run process(1); } 9 ... init { a = false; b = false; run p1(); run p2 ... These statements are enabled only if both a and b are true. ... – PowerPoint PPT presentation

Number of Views:67
Avg rating:3.0/5.0
Slides: 62
Provided by: flavio7
Learn more at: http://www.cs.cmu.edu
Category:
Tags: spin | run | up

less

Transcript and Presenter's Notes

Title: SPIN


1
SPIN
  • An explicit state model checker

2
Explict State Model Checker
  • Represents the system as an finite state machine
  • Visits each reachable state (state space)
    explicitly
  • Checks some property
  • Property is satisfied
  • Counterexample

3
DFS
  • DFS visit of the state space
  • procedure DFS(s)
  • visited visited ? s
  • for each successor s of s
  • if s ? visited then
  • DFS(s)
  • end if
  • end for
  • end procedure

4
DFS
  • How do we
  • Represent the transition relation
  • Store the visited set
  • Needs fast access (hash table)
  • State space explosion
  • Check properties

5
Promela
  • Process Algebra
  • An algebraic approach to the study of concurrent
    processes. Its tools are algebraical languages
    for the specification of processes and the
    formulation of statements about them, together
    with calculi for the verification of these
    statements. Van Glabbeek, 1987
  • Describes the system in a way similar to a
    programming language

6
Promela
  • Asynchronous composition of independent processes
  • Communication using channels and global variables
  • Non-deterministic choices and interleavings

7
An Example
  • mtype NONCRITICAL, TRYING, CRITICAL
  • show mtype state2
  • proctype process(int id)
  • beginning
  • noncritical
  • stateid NONCRITICAL
  • if
  • goto noncritical
  • true
  • fi
  • trying
  • stateid TRYING
  • if
  • goto trying
  • true
  • fi
  • critical
  • stateid CRITICAL
  • if

8
An Example
  • mtype NONCRITICAL, TRYING, CRITICAL
  • show mtype state2
  • proctype process(int id)
  • beginning
  • noncritical
  • stateid NONCRITICAL
  • if
  • goto noncritical
  • true
  • fi
  • trying
  • stateid TRYING
  • if
  • goto trying
  • true
  • fi
  • critical
  • stateid CRITICAL
  • if

9
An Example
  • mtype NONCRITICAL, TRYING, CRITICAL
  • show mtype state2
  • proctype process(int id)
  • beginning
  • noncritical
  • stateid NONCRITICAL
  • if
  • goto noncritical
  • true
  • fi
  • trying
  • stateid TRYING
  • if
  • goto trying
  • true
  • fi
  • critical
  • stateid CRITICAL
  • if

10
An Example
  • mtype NONCRITICAL, TRYING, CRITICAL
  • show mtype state2
  • proctype process(int id)
  • beginning
  • noncritical
  • stateid NONCRITICAL
  • if
  • goto noncritical
  • true
  • fi
  • trying
  • stateid TRYING
  • if
  • goto trying
  • true
  • fi
  • critical
  • stateid CRITICAL
  • if

11
An Example
  • mtype NONCRITICAL, TRYING, CRITICAL
  • show mtype state2
  • proctype process(int id)
  • beginning
  • noncritical
  • stateid NONCRITICAL
  • if
  • goto noncritical
  • true
  • fi
  • trying
  • stateid TRYING
  • if
  • goto trying
  • true
  • fi
  • critical
  • stateid CRITICAL
  • if

12
An Example
  • mtype NONCRITICAL, TRYING, CRITICAL
  • show mtype state2
  • proctype process(int id)
  • beginning
  • noncritical
  • stateid NONCRITICAL
  • if
  • goto noncritical
  • true
  • fi
  • trying
  • stateid TRYING
  • if
  • goto trying
  • true
  • fi
  • critical
  • stateid CRITICAL
  • if

NC
T
C
13
Enabled Statements
  • A statement needs to be enabled for the process
    to be scheduled.
  • bool a, b
  • proctype p1()
  • a true
  • a b
  • a false
  • proctype p2()
  • b false
  • a b
  • b true
  • init a false b false run p1() run p2()

14
Enabled Statements
  • A statement needs to be enabled for the process
    to be scheduled.
  • bool a, b
  • proctype p1()
  • a true
  • a b
  • a false
  • proctype p2()
  • b false
  • a b
  • b true
  • init a false b false run p1() run p2()

These statements are enabled only if both a and b
are true.
15
Enabled Statements
  • A statement needs to be enabled for the process
    to be scheduled.
  • bool a, b
  • proctype p1()
  • a true
  • a b
  • a false
  • proctype p2()
  • b false
  • a b
  • b true
  • init a false b false run p1() run p2()

These statements are enabled only if both a and b
are true.
In this case b is always false and therefore
there is a deadlock.
16
Other constructs
  • Do loops
  • do
  • count count 1
  • count count - 1
  • (count 0) -gt break
  • od

17
Other constructs
  • Do loops
  • Communication over channels
  • proctype sender(chan out)
  • int x
  • if
  • x0
  • x1
  • fi
  • out ! x

18
Other constructs
  • Do loops
  • Communication over channels
  • Assertions
  • proctype receiver(chan in)
  • int value
  • out ? value
  • assert(value 0 value 1)

19
Other constructs
  • Do loops
  • Communication over channels
  • Assertions
  • Atomic Steps
  • int value
  • proctype increment()
  • atomic
  • x value
  • x x 1
  • value x

20
On-The-Fly
  • System is the asynchronous composition of
    processes
  • The global transition relation is never build
  • For each state the successor states are
    enumerated using the transition relation of each
    process

21
On-The-Fly
0 0
22
On-The-Fly
0 0
1 0
23
On-The-Fly
0 0
1 0
24
On-The-Fly
0 0
1 0
1 1
25
On-The-Fly
0 0
0 1
1 0
1 1
26
On-The-Fly
0 0
0 1
1 0
1 1
27
On-The-Fly
0 0
0 1
1 0
1 1
28
On-The-Fly
0 0
0 1
1 0
1 1
29
On-The-Fly
0 0
0 1
1 0
1 1
30
On-The-Fly
0 0
0 1
1 0
1 1
31
On-The-Fly
0 0
0 1
1 0
1 1
32
On-The-Fly
0 0
0 1
1 0
1 1
33
On-The-Fly
0 0
0 1
1 0
1 1
34
Visited Set
  • Represents all the states that have been reached
    so far
  • Will eventually become the set of all reachable
    state (state space)
  • Test of presence of a state in the set must be
    efficient
  • It is performed for each reached state

procedure DFS(s) visited visited ? s for
each successor s of s if s ? visited then
DFS(s) end if end for end procedure
35
Visited Set
  • Hash table
  • Efficient for testing even if the number of
    elements in it is very big ( 106)

36
Visited Set
  • Hash table
  • Efficient for testing even if the number of
    elements in it is very big ( 106)
  • Reduce memory usage
  • Compress each state

When a transition is executed only a limited part
of the state is modified
37
Visited Set
  • Hash table
  • Efficient for testing even if the number of
    elements in it is very big ( 106)
  • Reduce memory usage
  • Compress each state
  • Reduce the number of states
  • Partial Order Reduction

38
State Representation
  • Global variables
  • Processes and local variables
  • Queues

Processes
Global Variables
Queues
39
Compression
  • Each transition changes only a small part of the
    state
  • Assign a code to each element dynamically
  • Encoded states basic elements use considerably
    less spaces than the uncompressed states

40
Compression
i0 j0
P0 x0
P0 x0
P0 x1
Q0 1
P1 y0
0
0
1
0
0
2
3
P1 y0
2
P0 x1
1
i0 j0
P0 x0
Q0 1
41
Compression
P0 x0
Q0 1
i0 j0
P0 x0
P0 x1
P0 x1
Q0
P1 y0
0
0
0
0
1
2
1
1
q ? x
3
P1 y0
2
P0 x1
1
Q0
i0 j0
P0 x0
Q0 1
42
Hash Compaction
  • Uses a hashing function to store each state using
    only 2 bits

43
Hash Compaction
  • Uses a hashing function to store each state using
    only 2 bits
  • There is an non-zero probability that two states
    are mapped into the same bits

44
Hash Compaction
  • Uses a hashing function to store each state using
    only 2 bits
  • There is an non-zero probability that two states
    are mapped into the same bits
  • If the number of states is quite smaller than the
    number of bits available there is a pretty good
    chance of not having conflicts

45
Hash Compaction
  • Uses a hashing function to store each state using
    only 2 bits
  • There is an non-zero probability that two states
    are mapped into the same bits
  • If the number of states is quite smaller than the
    number of bits available there is a pretty good
    chance of not having conflicts
  • The result is not (always) 100 correct!

46
Minimized Automata Reduction
  • Turns the state in a sequence of integers

47
Minimized Automata Reduction
  • Turns the state in a sequence of integers
  • Constructs an automata which accepts the states
    in the visited set

48
Minimized Automata Reduction
  • Turns the state in a sequence of integers
  • Constructs an automata which accepts the states
    in the visited set
  • Works like a BDD but on non-binary variables (MDD)

49
Minimized Automata Reduction
  • Turns the state in a sequence of integers
  • Constructs an automata which accepts the states
    in the visited set
  • Works like a BDD but on non-binary variables
    (MDD)
  • The variables are the components of the state

50
Minimized Automata Reduction
  • Turns the state in a sequence of integers
  • Constructs an automata which accepts the states
    in the visited set
  • Works like a BDD but on non-binary variables
    (MDD)
  • The variables are the components of the state
  • The automata is the minimal automata

51
Minimized Automata Reduction
  • Turns the state in a sequence of integers
  • Constructs an automata which accepts the states
    in the visited set
  • Works like a BDD but on non-binary variables
    (MDD)
  • The variables are the components of the state
  • The automata is the minimal automata
  • The automata is updated efficiently

52
Partial Order Reduction
  • Some interleavings of processes are equivalent

x0 y0
y
x
x1 y0
x0 y1
y
x
x1 y1
53
Partial Order Reduction
  • Some interleavings of processes are equivalent
  • Computing such interleavings and storing the
    intermediate states is expensive

54
Partial Order Reduction
  • Some interleavings of processes are equivalent
  • Computing such interleavings and storing the
    intermediate states is expensive
  • Partial order reduction defines a reduced system
    which is equivalent to the original system but
    contains less states and transitions

Defines an equivalent relation between states and
computes the quotient of the state transition
graph to obtain a reduced state transition graph.
Properties are true of the reduced state
transition graph if and only if are true of the
original graph.
55
Partial Order Reduction
  • Optimal partial order reduction is as difficult
    as model checking!

56
Partial Order Reduction
  • Optimal partial order reduction is as difficult
    as model checking!
  • Compute an approximation based on syntactical
    information

57
Partial Order Reduction
Access to local variables Receive on exclusive
receive-access queues Send on exclusive
send-access queues
  • Optimal partial order reduction is as difficult
    as model checking!
  • Compute an approximation based on syntactical
    information
  • Independent
  • Invisible
  • Check (at run-time) for actions postponed at
    infinitum

Not mentioned in the property
So called stack proviso
58
Properties
  • Safety properties
  • Something bad never happens
  • Properties of states
  • Liveness properties
  • Something good eventually happens
  • Properties of paths

Reachability is sufficient
We need something more complex to check liveness
properties
59
LTL Model Checking
  • Liveness properties are expressed in LTL
  • Subset of CTL of the form
  • A f
  • where f is a path formula with does not contain
    any quantifiers
  • The quantifier A is usually omitted.
  • G is substituted by ?? (always or box)
  • F is substituted by ? (eventually or diamond)
  • X is substituted by ?? (next)

60
LTL Formulae
  • Always eventually p ? ? p

AGFp in CTL
AG AF p in CTL
  • Always after p there is eventually q ? ( p??
    ( ? q ) )

AG(p?Fq) in CTL
AG(p ?AFq) in CTL
  • Fairness
  • ( ? ? p )?? ?

(AGF p) ? ? in CTL
Cant express it in CTL
61
References
  • http//spinroot.com/
  • Design and Validation of Computer Protocols by
    Gerard Holzmann
  • The Spin Model Checker by Gerard Holzmann
  • An automata-theoretic approach to automatic
    program verification, by Moshe Y. Vardi, and
    Pierre Wolper
  • An analysis of bitstate hashing, by G.J. Holzmann
  • An Improvement in Formal Verification, by G.J.
    Holzmann and D. Peled
  • Simple on-the-fly automatic verification of
    linear temporal logic, by Rob Gerth, Doron Peled,
    Moshe Vardi, and Pierre Wolper
  • A Minimized automaton representation of reachable
    states, by A. Puri and G.J. Holzmann
Write a Comment
User Comments (0)
About PowerShow.com