Introduction to Spin and Promela - PowerPoint PPT Presentation

1
Introduction to Spin and Promela
  • Sagar Chaki
  • CMU

2
Roadmap
  • Historical perspective
  • Overview of Spin
  • Overview of Promela
  • Simulation with Spin
  • Overview of LTL
  • Verification with Spin

3
Part III Overview of LTL
4
Basic concepts
  • Set of propositions P, e.g. P = {a, b, c}
  • Infinite trace t over P: t = t0, t1, t2, …
  • ti is a subset of P for every i ≥ 0
  • t^i denotes the infinite trace ti, ti+1, …
  • Example trace: b,a,c,,a,b,c,a,…
  • Set of all infinite traces over P: G(P)

5
LTL syntax
  • f ::= p (a proposition)
  • | true
  • | false
  • | (f)
  • | f binop f
  • | unop f

6
LTL syntax
  • unop: [] always (G)
  • <> eventually (F)
  • X next time
  • ! logical negation
  • binop: U strong until
  • && logical AND
  • || logical OR
  • -> implication
  • <-> equivalence

7
LTL semantics
  • An infinite trace t (over P) either satisfies or
    does not satisfy an LTL formula f (over P)
  • Satisfaction is denoted by t ⊨ f

8
LTL semantics
  • Given an infinite trace t = t0, t1, t2, … and an LTL
    formula f we can decide whether t ⊨ f, by case
    analysis on the structure of f
  • t ⊨ p iff p belongs to t0
  • Always t ⊨ true
  • Never t ⊨ false
  • t ⊨ (f) iff t ⊨ f

9
LTL semantics
  • t ⊨ [] f iff t^i ⊨ f for all i ≥ 0
  • t ⊨ <> f iff there exists i ≥ 0 s.t. t^i ⊨ f
  • t ⊨ X f iff t^1 ⊨ f
  • t ⊨ !f iff NOT (t ⊨ f)
  • t ⊨ f1 U f2 iff there exists i ≥ 0 s.t. t^j ⊨ f1 for
    0 ≤ j < i and t^i ⊨ f2

10
LTL semantics
  • t ⊨ f1 && f2 iff t ⊨ f1 AND t ⊨ f2
  • t ⊨ f1 || f2 iff t ⊨ f1 OR t ⊨ f2
  • t ⊨ f1 -> f2 iff t ⊨ f1 IMPLIES t ⊨ f2
  • t ⊨ f1 <-> f2 iff t ⊨ f1 IFF t ⊨ f2

11
LTL semantics
  • An LTL formula can also be looked at as the set
    of infinite traces that satisfy it
  • Note the striking similarity with the case of
    regular expressions and finite strings over an
    alphabet Σ
  • If S is the set of traces that satisfy f then
    G(P) \ S is the set of traces that satisfy !f

12
Examples
  • Trace: a, b, a, b, …
  • [](a -> X b)    [](a <-> X b)
  • [](b -> X a)    [](b <-> X a)
  • [](a -> (b U a))
  • [](a -> (a U b))
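
As an added example (not part of the slides), the case analysis of slides 8-10 implemented in Python over lasso-shaped (ultimately periodic) traces and run on the formulas of slide 12; it assumes the slide's trace a,b,a,b,… alternates the sets {a} and {b}, and writes operators in Spin's ASCII syntax.

```python
# Added example (not from the slides): the LTL semantics of slides 8-10, evaluated on an
# ultimately periodic trace t0,t1,... stored as a lasso (finite prefix, then a loop that
# repeats forever). Formulas are nested tuples in Spin's ASCII syntax: 'p', True, False,
# ('!',f), ('X',f), ('[]',f), ('<>',f), ('U',f1,f2), ('&&',f1,f2), ('||',f1,f2), ('->',f1,f2), ('<->',f1,f2).

class Lasso:
    def __init__(self, prefix, loop):
        assert loop, 'the loop must be non-empty so that t_i exists for every i >= 0'
        self.prefix = [frozenset(s) for s in prefix]
        self.loop = [frozenset(s) for s in loop]

    def at(self, i):
        """t_i: the subset of P that holds at position i."""
        if i < len(self.prefix):
            return self.prefix[i]
        return self.loop[(i - len(self.prefix)) % len(self.loop)]

    def suffixes(self, i):
        """Positions j >= i to inspect; after one loop traversal the suffixes t^j repeat."""
        return range(i, max(i, len(self.prefix)) + len(self.loop))

def sat(t, f, i=0):
    """t^i |= f, by case analysis on the structure of f."""
    if isinstance(f, bool):                     # always t |= true, never t |= false
        return f
    if isinstance(f, str):                      # t^i |= p iff p belongs to t_i
        return f in t.at(i)
    op, *args = f
    if op == '!':  return not sat(t, args[0], i)
    if op == 'X':  return sat(t, args[0], i + 1)          # t^i |= X f iff t^(i+1) |= f
    if op == '[]': return all(sat(t, args[0], j) for j in t.suffixes(i))
    if op == '<>': return any(sat(t, args[0], j) for j in t.suffixes(i))
    if op == 'U':  # exists j >= i with t^j |= f2 and t^k |= f1 for all i <= k < j
        return any(sat(t, args[1], j) and all(sat(t, args[0], k) for k in range(i, j))
                   for j in t.suffixes(i))
    a, b = (sat(t, g, i) for g in args)         # the remaining binops are Boolean
    return {'&&': a and b, '||': a or b, '->': (not a) or b, '<->': a == b}[op]

# Constructed input: the trace {a},{b},{a},{b},... (one reading of slide 12) and its formulas.
ALT = Lasso(prefix=[], loop=[{'a'}, {'b'}])
EXAMPLES = {
    '[](a -> X b)':     ('[]', ('->', 'a', ('X', 'b'))),
    '[](a <-> X b)':    ('[]', ('<->', 'a', ('X', 'b'))),
    '[](a -> (b U a))': ('[]', ('->', 'a', ('U', 'b', 'a'))),
    '[](a -> (a U b))': ('[]', ('->', 'a', ('U', 'a', 'b'))),
}

def check_examples(t=ALT):
    return {name: sat(t, f) for name, f in EXAMPLES.items()}
```

All four slide-12 formulas hold on the alternating trace; swapping the trace for `Lasso(prefix=[{'a'}], loop=[{'b'}])` makes `[](b -> X a)` fail, which shows the bounded window over the loop deciding the `[]` quantifier.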

13
Things to remember
  • Every LTL formula represents the set of infinite
    traces which satisfy it

14
Buchi automata
  • Recall the similarity of LTL with regular
    expressions
  • Regular languages are accepted by finite automata
  • Are there automata for LTL?
  • It turns out there are
  • They are called Buchi automata

15
Buchi automata
  • Fix an alphabet Σ
  • A Buchi automaton is a 4-tuple <Q, I, δ, F>
  • Q: set of states
  • I: initial state
  • δ: transition relation, a subset of Q × Σ × Q
  • F: set of accepting states
  • In our case Σ is 2^P

16
Example
17
Buchi automata
  • A run is an infinite sequence of states s0, s1, s2, …
    such that
  • s0 = I
  • there exists ai ∈ Σ s.t. (si, ai, si+1) ∈ δ for all i ≥ 0
  • A run is an accepting run iff it visits some
    accepting state infinitely often

18
Buchi automata
  • Given a run s = s0, s1, s2, … a trace t = t0, t1, t2, …
    is said to correspond to s iff (si, ti, si+1) ∈ δ
    for all i ≥ 0
  • The language of a Buchi automaton is the set of
    traces corresponding to its accepting runs
  • An LTL formula also corresponds to a set of traces

19
Example
  • Traces: a, b, a, b, …

20
Cute results
  • BA are closed under complementation
  • For every Buchi automaton A there exists another
    Buchi automaton B such that the language of A is
    the complement of the language of B
  • Here complement means set difference from G(P)

21
Cute results
  • BA are closed under intersection and union
  • Checking if the language of a Buchi automaton is
    empty is decidable
  • We can check if the languages of two Buchi automata
    have a non-empty intersection

22
Cute results
  • Buchi automata are not always determinisable
  • There exists a non-deterministic Buchi automaton
    A such that there is no deterministic Buchi
    automaton with the same language as A
  • Non-deterministic means some states have multiple
    outgoing transitions with same label

23
Cute results
  • The set of languages accepted by Buchi automata
    is called the set of ω-regular languages
  • This is a strict superset of the languages
    expressible in LTL
  • Every LTL formula corresponds to some BA
  • There exists a BA whose language does not
    correspond to any LTL formula

24
Things to remember
  • Every LTL formula represents the set of infinite
    traces which satisfy it
  • Every LTL formula has a corresponding Buchi
    automaton

25
Kripke structure
  • A Kripke structure is a 4-tuple <S, I, δ, L>
  • S: set of states
  • I: initial state
  • δ: transition relation, a subset of S × S
  • L: labeling function S -> 2^P

26
Computations and Traces
  • A computation is an infinite sequence of states
    s0, s1, s2, … such that
  • s0 = I
  • (si, si+1) ∈ δ for all i ≥ 0
  • Given a computation s0, s1, s2, … the corresponding
    trace is
  • L(s0), L(s1), L(s2), …

27
Kripke and Buchi
  • Kripke looks different from Buchi
  • Labels are on states not transitions
  • No accepting states
  • Nevertheless
  • For every Kripke structure K there exists a Buchi
    automaton which accepts exactly the set of traces
    corresponding to computations of K

28
Kripke to Buchi
  (figure: a Kripke structure with states S0, S1, S2, labelled with a, b, c; I = S0)
29
Kripke to Buchi
30
Kripke to Buchi
  (figure: the resulting Buchi automaton with a new initial state S3; I = S3, F = {S0, S1, S2, S3})
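
The construction above, as an added example that is not from the slides: Python that turns a Kripke structure into a Buchi automaton the way slides 28-30 do (labels moved onto incoming transitions, a fresh initial state, every state accepting) and checks, using the run and acceptance definitions of slides 17, 18 and 26, that the run induced by a computation is an accepting run on the computation's trace. The three-state Kripke structure and the name `S_init` for the fresh state (S3 on the slide) are assumptions made here.

```python
# Added example (not from the slides): the Kripke-to-Buchi construction of slides
# 28-30 plus the run, trace and acceptance definitions of slides 17, 18 and 26.
# Infinite sequences are lassos (finite prefix, then a loop repeated forever).
from collections import namedtuple
from math import gcd

Kripke = namedtuple('Kripke', 'S I delta L')   # <S, I, delta, L>, L: S -> 2^P
Buchi = namedtuple('Buchi', 'Q I delta F')     # <Q, I, delta, F>, delta within Q x 2^P x Q

def kripke_to_buchi(K, fresh='S_init'):
    """Labels move from states onto their incoming transitions, a fresh initial
    state feeds the original one, and every state is accepting (F = Q)."""
    assert fresh not in K.S
    delta = {(fresh, K.L[K.I], K.I)} | {(s, K.L[s2], s2) for s, s2 in K.delta}
    return Buchi(Q=set(K.S) | {fresh}, I=fresh, delta=delta, F=set(K.S) | {fresh})

def at(prefix, loop, i):
    """Element i of the infinite sequence prefix . loop^omega."""
    return prefix[i] if i < len(prefix) else loop[(i - len(prefix)) % len(loop)]

def computation_trace(K, prefix, loop):
    """Slide 26: s0 = I and (s_i, s_{i+1}) in delta; the trace is L(s0), L(s1), ..."""
    assert at(prefix, loop, 0) == K.I, 's0 must be the initial state'
    for i in range(len(prefix) + len(loop)):   # every edge, loop-back included
        assert (at(prefix, loop, i), at(prefix, loop, i + 1)) in K.delta
    return [K.L[s] for s in prefix], [K.L[s] for s in loop]

def is_accepting_run(B, rp, rl, tp, tl):
    """Slides 17-18: the states rp.rl^omega are a run corresponding to the trace
    tp.tl^omega iff s0 = I and (s_i, t_i, s_{i+1}) in delta for all i >= 0; the run
    accepts iff an accepting state occurs in the loop (is visited infinitely often)."""
    if at(rp, rl, 0) != B.I:
        return False
    period = len(rl) * len(tl) // gcd(len(rl), len(tl))   # (s_i, t_i) pairs repeat
    for i in range(max(len(rp), len(tp)) + period):
        if (at(rp, rl, i), at(tp, tl, i), at(rp, rl, i + 1)) not in B.delta:
            return False
    return any(s in B.F for s in rl)

# Constructed Kripke structure: three states on a cycle, plus a self-loop on S1.
K = Kripke(S={'S0', 'S1', 'S2'}, I='S0',
           delta={('S0', 'S1'), ('S1', 'S2'), ('S2', 'S0'), ('S1', 'S1')},
           L={'S0': frozenset({'a'}), 'S1': frozenset({'b'}), 'S2': frozenset({'c'})})
B = kripke_to_buchi(K)

def check_computation(K, B, prefix, loop):
    """Slide 27: a computation of K induces an accepting run of B on its trace."""
    tp, tl = computation_trace(K, prefix, loop)
    return is_accepting_run(B, [B.I] + prefix, loop, tp, tl)
```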
31
Things to remember
  • Every LTL formula represents the set of infinite
    traces which satisfy it
  • Every LTL formula has a corresponding Buchi
    automaton
  • Every Kripke structure has a corresponding Buchi
    automaton

32
What do we really want?
  • Kripke (M) ⊨ LTL (f)
  • Traces of M contained in traces of f
  • Language of Buchi of M contained in language of
    Buchi of f
  • Language of Buchi of M has empty intersection
    with language of Buchi of !f
  • This is decidable

33
LTL model checking
  • Two ways to do it
  • Convert Kripke to Buchi
  • Convert claim (LTL) to Buchi
  • Check language inclusion
  • OR
  • Convert Claim (LTL) to Buchi
  • Check empty intersection

34
What Spin does
  • Checks non-empty intersection
  • Requires very little space in best case
  • Works directly with Promela
  • No conversion to Kripke or Buchi
  • Must provide Spin with negation of property you
    want to prove

35
Time for example 5
36
References
  • http://cm.bell-labs.com/cm/cs/what/spin/
  • http://cm.bell-labs.com/cm/cs/what/spin/Man/Manual.html
  • http://cm.bell-labs.com/cm/cs/what/spin/Man/Quick.html