Temporal Logic Model-checking with SPIN - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Temporal Logic Model-checking with SPIN
  • COMP6004
  • Stéphane Lo Presti
  • splp_at_ecs.soton.ac.uk

2
Introduction (1)
  • SPIN (Simple Promela INterpreter) was created by
    Bell Labs in the 80s and made publicly available in 1991
  • Gerard J. Holzmann
  • http://www.spinroot.com
  • GUI: Xspin

3
Introduction (2)
  • Originally for analyzing distributed protocols
  • Greatly improved over the years
  • Applied to many concrete problems: IEEE LLC
    802.2, parts of TCP/IP

4
SPIN
  • Design and verification of distributed systems
  • Design: PROMELA (a PROcess MEta LAnguage)
  • Verification: simulation (animation) or automated
    proof of correctness

5
General structure
[Figure: component diagram of SPIN, made up of the following blocks]
  • Xspin
  • LTL parser and translator
  • PROMELA parser
  • Verifier (analyzer) generator
  • Simulation
  • C pre-processor/compilation
  • Counter-example
  • Execution

6
SPIN models
  • Bounded systems (state-space explosion)
  • Communicating processes
  • Synchronous (rendez-vous) or asynchronous
    (message-passing via buffered channels, shared
    variables) communication
  • Modelling language: PROMELA (draws on C,
    Dijkstra/Hoare guarded commands and CSP)

7
PROMELA (quick)
  • Process templates and their instantiation
  • Local and global variables
  • Statements and conditions are the same thing
    (executability)
  • Control-flow statements (including
    non-determinism)
  • Buffered communication channels

8
Simulation
  • 3 modes:
    • Interactive
    • Random
    • Guided
  • Provides immediate (and intuitive) feedback
  • Can be viewed as executing the model

9
Automated proof
  • By automatically exploring the state space
    corresponding to the model in a particular search
    mode, to check some correctness properties
  • Output: the model is correct, or a counter-example

10
Correctness properties (1)
  • Safety or liveness
  • Specified in the model:
    • Assertions (local, global)
    • Labels: progress (starvation), acceptance
      (deadlock), end (livelock)
  • Specified outside the model: LTL formula/Büchi
    automata/never claim

11
Correctness properties (2)
  • Assertion
  • ...
  • assert(var == value)
  • ...

12
Correctness properties (3)
  • Label
  • progress
  • ...
  • accept
  • ...
  • end
  • ...

13
Correctness properties (4)
  • LTL Formula/Büchi automata/never claim

[Figure: Büchi automaton for the LTL formula (p U q): state T0 loops on p and moves on q to the state accept]

  never {
  T0:
    if
    :: (p) -> goto T0
    :: (q) -> goto accept
    fi;
  accept:
    ...
  }
14
Process interleaving (1)
  • Processes run concurrently
  • Their individual statements are interleaved

[Figure: possible interleavings of the statements 1, 2, 3 of one process with the statements 4, 5, 6 of another]
15
Process interleaving (2)
  • Furthermore, some statements are
    non-deterministic:
      if
      :: statement1
      :: statement2
      fi

16
Process interleaving (3)
  • All possible (asynchronous) interleavings form the
    state-space (reachability graph)
  • SPIN internally manages Büchi automata using
    hash tables (state compression)

17
Property transformation
  • Correctness claims are translated into Büchi
    automata
  • SPIN computes the (synchronous) product of the
    state-space and this automaton
  • The resulting Büchi automaton accepts a language
    that describes the counter-examples (cycles
    violating the properties)

18
State-space search modes
  • Exhaustive: all possible states are visited by
    enumerating the possible behaviors
  • Supertrace (bit-state hashing): high-coverage
    approximation
  • Partial order reduction: reduces the state-space

19
Search algorithm (1)
  • By default: nested depth-first search
  • Does not use SCCs (Strongly Connected Components)
  • Two depth-first searches:
    • accepting states reachable from the initial state
    • accepting cycle starting from the previously
      found states
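As an added example (not code from the slides or from SPIN itself), the following Python sketch reproduces what slides 14, 17 and 19 describe: it builds the interleaved state space of a constructed two-process model whose lock acquisition is a non-atomic test-and-set, takes the product with a never claim for the violation of mutual exclusion, and runs the two nested depth-first searches for an accepting cycle. The model, the state encoding and the `atomic` flag are assumptions made for the example; with the test-and-set made atomic no violation remains.

```python
# Constructed toy model (not from the slides): two processes share a flag `lock`
# and a counter `in_cs`. Per process: pc 0 waits for lock == 0; pc 1 sets lock;
# pc 2 enters the critical section (in_cs += 1); pc 3 leaves it and releases.
# The test (pc 0) and the set (pc 1) are separate statements, so an interleaving
# can admit both processes. atomic=True fuses them, like PROMELA's atomic { }.
INIT = (0, 0, 0, 0)  # (pc of P0, pc of P1, lock, in_cs)

def step(state, i, atomic):
    """State after process i executes one statement, or None if it is blocked."""
    pc, lock, in_cs = [state[0], state[1]], state[2], state[3]
    if pc[i] == 0:
        if lock: return None                           # guard false: process blocks
        lock, pc[i] = (1, 2) if atomic else (lock, 1)  # atomic: test+set in one step
    elif pc[i] == 1: lock, pc[i] = 1, 2                # set (separate from the test)
    elif pc[i] == 2: in_cs, pc[i] = in_cs + 1, 3       # enter critical section
    else: in_cs, lock, pc[i] = in_cs - 1, 0, 0         # leave, release, loop
    return (pc[0], pc[1], lock, in_cs)

def successors(state, atomic):
    """All asynchronous interleavings: any one process may move next."""
    return [s for s in (step(state, i, atomic) for i in (0, 1)) if s is not None]

# Never claim (Büchi automaton) for violations of "[] (in_cs <= 1)": it accepts
# exactly the runs on which in_cs > 1 holds at some point. Guards are evaluated
# on the system state reached by the step.
NEVER = {"T0": [("T0", lambda s: True), ("accept", lambda s: s[3] > 1)],
         "accept": [("accept", lambda s: True)]}
ACCEPTING = {"accept"}

def nested_dfs(atomic):
    """True if the product of model and never claim contains an accepting cycle."""
    def prod_succ(ps):
        s, q = ps
        return [(s2, q2) for s2 in successors(s, atomic) for q2, g in NEVER[q] if g(s2)]
    visited, flagged = set(), set()
    def dfs1(ps):                    # first search: reach accepting product states
        visited.add(ps)
        for nxt in prod_succ(ps):
            if nxt not in visited and dfs1(nxt):
                return True
        return ps[1] in ACCEPTING and dfs2(ps, ps)   # post-order: start inner search
    def dfs2(ps, seed):              # second search: a cycle back through seed
        flagged.add(ps)
        for nxt in prod_succ(ps):
            if nxt == seed or (nxt not in flagged and dfs2(nxt, seed)):
                return True
        return False
    return dfs1((INIT, "T0"))
```

`nested_dfs(False)` reports the accepting cycle (the race that lets both processes into the critical section); `nested_dfs(True)` reports none.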

20
Search algorithm (2)
  • Modify the default search algorithm:
    • Atomic sequences (transition coarsening)
    • Breadth-first
    • Short paths
    • Weak fairness

21
State-space explosion
  • Generally arises in the model, because usual
    correctness properties are short
  • Must be dealt with:
    • Rewriting the model
    • Simplifying the correctness properties
    • Verifying each property independently
    • Memory/CPU-time management