SPIN: An explicit state model checker. Flavio Lerda, Carnegie Mellon University
Post on 20-Dec-2015
SPIN
An explicit state model checker
Flavio Lerda, Carnegie Mellon University
Explicit State Model Checker
• Represents the system as a finite state machine
• Visits each reachable state (the state space) explicitly
• Checks some property
– Either the property is satisfied
– Or a counterexample is produced
DFS
• DFS visit of the state space
procedure DFS(s)
  visited = visited ∪ {s};
  for each successor s' of s
    if s' ∉ visited then DFS(s');
    end if
  end for
end procedure
DFS
• How do we:
– Represent the transition relation
– Store the visited set
  • Needs fast access (hash table)
  • State space explosion
– Check properties
Promela
• Process Algebra
– "An algebraic approach to the study of concurrent processes. Its tools are algebraical languages for the specification of processes and the formulation of statements about them, together with calculi for the verification of these statements." [Van Glabbeek, 1987]
• Describes the system in a way similar to a programming language
Promela
• Asynchronous composition of independent processes
• Communication using channels and global variables
• Non-deterministic choices and interleavings
An Example
mtype = { NONCRITICAL, TRYING, CRITICAL };
show mtype state[2];
proctype process(int id) {
beginning:
noncritical:
  state[id] = NONCRITICAL;
  if
  :: goto noncritical;
  :: true;
  fi;
trying:
  state[id] = TRYING;
  if
  :: goto trying;
  :: true;
  fi;
critical:
  state[id] = CRITICAL;
  if
  :: goto critical;
  :: true;
  fi;
  goto beginning;
}
init { run process(0); run process(1); }
[Figure: the automaton of one process, states NC, T and C in the cycle NC → T → C → NC, each state with a self-loop for the `goto` back to its own label.]
Enabled Statements
• A statement needs to be enabled for the process to be scheduled.
bool a, b;
proctype p1()
{
  a = true;
  (a && b);      /* condition statement: blocks until both are true */
  a = false;
}
proctype p2()
{
  b = false;
  (a && b);      /* condition statement: blocks until both are true */
  b = true;
}
init { a = false; b = false; run p1(); run p2(); }
The two condition statements are enabled only if both a and b are true.
In this case b is always false: p2 would only set b = true after passing (a && b), which requires b to be true already. Both processes block on their condition and the system deadlocks.
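The DFS of the earlier slides, run over the slide-7 example and the enabled-statements example above, as an added example (Python, not code from the slides or from SPIN): successors are enumerated on the fly from each process's own transition function, the visited set is a hash set, and the search returns the path to the first bad state. The process encodings, the transition labels and the `end` convention for a finished process are this example's own. On the slide-7 model, which has no mutual exclusion at all, the property "never both in CRITICAL" is violated; on the (a && b) model the search reports the deadlock.

```python
"""Explicit-state DFS over the asynchronous composition of processes.

Added example, not code from the slides or from SPIN. Successors come from each
process's own transition function (no global transition relation is built), the
visited set is a hash set, and the search stops at the first state that violates
a safety property or has no enabled statement while some process is not at `end`.
"""
from typing import Callable, Iterable, List, Optional, Tuple

State = Tuple[tuple, tuple]                 # (per-process locations, global variables)
Transition = Tuple[str, State]              # (label, successor state)
Process = Callable[[int, State], Iterable[Transition]]
Result = Optional[Tuple[str, List[Transition]]]


def with_loc(state: State, i: int, pc: str, glob: Optional[tuple] = None) -> State:
    """Copy of `state` with process i moved to location `pc` (and new globals, if given)."""
    locs, old_glob = state
    return (locs[:i] + (pc,) + locs[i + 1:], old_glob if glob is None else glob)


def successors(state: State, procs: List[Process]) -> List[Transition]:
    """On-the-fly composition: ask every process which of its statements are enabled."""
    return [t for i, proc in enumerate(procs) for t in proc(i, state)]


def terminated(state: State) -> bool:
    return all(pc == "end" for pc in state[0])


def dfs_check(initial: State, procs: List[Process],
              bad: Callable[[State], bool]) -> Tuple[Result, int]:
    """Return ((kind, trace) or None, number of states visited).

    kind is "violation" (a state where `bad` holds) or "deadlock" (nothing enabled
    although not every process reached `end`); trace is the (label, state) path.
    """
    visited = {initial}
    trace: List[Transition] = [("init", initial)]
    if bad(initial):
        return ("violation", trace), len(visited)
    moves = successors(initial, procs)
    if not moves and not terminated(initial):
        return ("deadlock", trace), len(visited)
    stack = [iter(moves)]                      # explicit DFS stack of successor iterators
    while stack:
        step = next(stack[-1], None)
        if step is None:                       # every successor explored: backtrack
            stack.pop()
            trace.pop()
            continue
        label, nxt = step
        if nxt in visited:                     # one hash-table lookup per reached state
            continue
        visited.add(nxt)
        trace.append((label, nxt))
        if bad(nxt):
            return ("violation", list(trace)), len(visited)
        moves = successors(nxt, procs)
        if not moves and not terminated(nxt):
            return ("deadlock", list(trace)), len(visited)
        stack.append(iter(moves))
    return None, len(visited)


# The slide-7 model: two processes cycling NC -> T -> C with no mutual exclusion.
NEXT = {"NC": "T", "T": "C", "C": "NC"}


def mutex_process(i: int, state: State) -> Iterable[Transition]:
    """At each label the process either `goto`s the same label or falls through."""
    pc = state[0][i]
    yield (f"P{i} stays in {pc}", state)
    yield (f"P{i} {pc}->{NEXT[pc]}", with_loc(state, i, NEXT[pc]))


MUTEX_INIT: State = (("NC", "NC"), ())


def both_critical(state: State) -> bool:
    return all(pc == "C" for pc in state[0])


# The enabled-statements model: p1 and p2 each block on the condition (a && b).
def p1(i: int, state: State) -> Iterable[Transition]:
    pc, (a, b) = state[0][i], state[1]
    if pc == "a=true":
        yield ("p1: a = true", with_loc(state, i, "a&&b", (True, b)))
    elif pc == "a&&b" and a and b:             # condition statement: enabled only if true
        yield ("p1: (a && b)", with_loc(state, i, "a=false"))
    elif pc == "a=false":
        yield ("p1: a = false", with_loc(state, i, "end", (False, b)))


def p2(i: int, state: State) -> Iterable[Transition]:
    pc, (a, b) = state[0][i], state[1]
    if pc == "b=false":
        yield ("p2: b = false", with_loc(state, i, "a&&b", (a, False)))
    elif pc == "a&&b" and a and b:
        yield ("p2: (a && b)", with_loc(state, i, "b=true"))
    elif pc == "b=true":
        yield ("p2: b = true", with_loc(state, i, "end", (a, True)))


ENABLED_INIT: State = (("a=true", "b=false"), (False, False))

if __name__ == "__main__":
    for name, init, procs, prop in [("mutex", MUTEX_INIT, [mutex_process] * 2, both_critical),
                                    ("enabled", ENABLED_INIT, [p1, p2], lambda s: False)]:
        result, n = dfs_check(init, procs, prop)
        print(name, n, "states;", "ok" if result is None else result[0])
        for label, st in (result[1] if result else []):
            print("   ", label, st)
```

Run it directly to print both counterexample traces. The `goto` self-loops lead back to the same state, so the hash-set test disposes of them at once; that is also why the full state space of the slide-7 model has exactly 9 states (3 locations per process), while the (a && b) model stops after 3 states in the deadlocked state where both processes sit on their condition.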
Other constructs
• Do loops
  do
  :: count = count + 1;
  :: count = count - 1;
  :: (count == 0) -> break
  od
• Communication over channels
  proctype sender(chan out)
  {
    int x;
    if
    :: x = 0;
    :: x = 1;
    fi;
    out ! x;
  }
• Assertions
  proctype receiver(chan inp)   /* `inp` rather than `in`: `in` is a keyword in SPIN 6 */
  {
    int value;
    inp ? value;
    assert(value == 0 || value == 1);
  }
  chan c = [1] of { int };
  init { run sender(c); run receiver(c); }
• Atomic steps
  int value;
  proctype increment()
  {
    int x;
    atomic {
      x = value;
      x = x + 1;
      value = x;
    }
  }
On-The-Fly
• The system is the asynchronous composition of processes
• The global transition relation is never built
• For each state the successor states are enumerated using the transition relation of each process
[Figure: two processes, each with local states 0 and 1; the composed states (0,0), (1,0), (1,1) and (0,1) are produced one successor at a time from the two local transition relations, without ever constructing the global one.]
Visited Set
• Represents all the states that have been reached so far
• Will eventually become the set of all reachable states (the state space)
• Testing whether a state is in the set must be efficient
– It is performed for each reached state
procedure DFS(s)
  visited = visited ∪ {s};
  for each successor s' of s
    if s' ∉ visited then DFS(s');
    end if
  end for
end procedure
Visited Set
• Hash table
– Efficient for testing even if the number of elements in it is very big (≥ 10^6)
• Reduce memory usage
– Compress each state: when a transition is executed only a limited part of the state is modified
• Reduce the number of states
– Partial Order Reduction
State Representation
• Global variables
• Processes and local variables
• Queues
[Figure: the state vector laid out as three segments: Global Variables | Processes | Queues]
Compression
• Each transition changes only a small part of the state
• Assign a code to each element dynamically
• The encoded states plus the table of basic elements use considerably less space than the uncompressed states
[Figure: a state made of the global variables (i=0, j=0), process P0 (x=0, later x=1), queue Q0 ({1}, empty after a receive) and process P1 (y=0). Each distinct element is entered once in a table and numbered 0, 1, 2, 3; the stored state is the short vector of those codes. After P0 executes `q ? x` only the P0 and Q0 entries change, and the new state reuses the codes of the unchanged elements.]
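The component-table compression the two figures sketch, as an added example (Python, not SPIN's own collapse code): the split into a globals entry, one entry per process and one per queue, the `kind` names and the before/after states of the figure are this example's own. A second, constructed state space (two independent counters) shows the effect at scale: the table grows with the number of distinct component values, not with the number of states.

```python
"""State compression by component tables (added example, not SPIN's code).

A state is split into components: the global variables, one entry per process
(its location and local variables) and one entry per message queue. Each distinct
component value is stored once in a table and given a small integer code; the
visited set keeps only the vector of codes. Since a transition changes few
components, successive states share almost all table entries.
"""
from typing import Dict, List, Tuple

Component = tuple                  # hashable snapshot of one part of the state
FullState = Tuple[Component, Tuple[Component, ...], Tuple[Component, ...]]


class ComponentTables:
    def __init__(self, nprocs: int, nqueues: int):
        self.nprocs, self.nqueues = nprocs, nqueues
        self.tables: Dict[str, Dict[Component, int]] = {"globals": {}, "proc": {}, "queue": {}}
        self.values: Dict[str, List[Component]] = {"globals": [], "proc": [], "queue": []}
        self.visited: set = set()                 # vectors of codes only

    def code(self, kind: str, comp: Component) -> int:
        """Dynamically assign the next free code to a component seen for the first time."""
        table = self.tables[kind]
        if comp not in table:
            table[comp] = len(table)
            self.values[kind].append(comp)
        return table[comp]

    def encode(self, state: FullState) -> Tuple[int, ...]:
        globs, procs, queues = state
        assert len(procs) == self.nprocs and len(queues) == self.nqueues
        return (self.code("globals", globs),
                *(self.code("proc", p) for p in procs),
                *(self.code("queue", q) for q in queues))

    def decode(self, codes: Tuple[int, ...]) -> FullState:
        g, rest = codes[0], codes[1:]
        procs = tuple(self.values["proc"][c] for c in rest[:self.nprocs])
        queues = tuple(self.values["queue"][c] for c in rest[self.nprocs:])
        return (self.values["globals"][g], procs, queues)

    def add(self, state: FullState) -> bool:
        """Insert into the visited set; True if the state was not there yet."""
        codes = self.encode(state)
        if codes in self.visited:
            return False
        self.visited.add(codes)
        return True

    def stats(self) -> Tuple[int, int]:
        """(states stored, table entries): the entries are what actually costs memory."""
        return len(self.visited), sum(len(t) for t in self.tables.values())


# The two states of the compression figure: before and after P0 executes `q ? x`.
BEFORE: FullState = ((("i", 0), ("j", 0)), (("P0", ("x", 0)), ("P1", ("y", 0))), ((1,),))
AFTER: FullState = ((("i", 0), ("j", 0)), (("P0", ("x", 1)), ("P1", ("y", 0))), ((),))


def slide_example() -> Tuple[Tuple[int, ...], Tuple[int, ...]]:
    ct = ComponentTables(nprocs=2, nqueues=1)
    ct.add(BEFORE)
    ct.add(AFTER)
    return ct.encode(BEFORE), ct.encode(AFTER)


def counter_sweep(n: int) -> Tuple[int, int]:
    """Constructed state space: P0 and P1 each count 0..n-1 independently (n*n states)."""
    ct = ComponentTables(nprocs=2, nqueues=1)
    for x in range(n):
        for y in range(n):
            ct.add(((("i", 0), ("j", 0)), (("P0", ("x", x)), ("P1", ("y", y))), ((),)))
    return ct.stats()


if __name__ == "__main__":
    print(slide_example())          # (0, 0, 1, 0) and (0, 2, 1, 1)
    print(counter_sweep(100))       # 10000 states, 202 table entries
```

The second state of the figure reuses the codes of the globals and of P1 and only adds entries for the changed P0 and Q0 components. For the 100 x 100 counter space the visited set holds 10000 four-integer vectors backed by 202 table entries, instead of 10000 full copies of every component.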
Hash Compaction
• Uses a hashing function to store each state using only 2 bits (bitstate hashing: each of the two bits is chosen by an independent hash function into one large bit array)
• There is a non-zero probability that two states are mapped onto the same bits
• If the number of states is much smaller than the number of bits available there is a good chance of having no conflicts
• The result is not (always) 100% correct: a state that collides with an already visited one is skipped, together with everything reachable only through it, so an error in the skipped part goes unreported
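Bitstate hashing as described on this slide, as an added example (Python, not SPIN's code): taking the two hash positions from disjoint slices of one SHA-256 digest is this example's choice, and the 1000 state vectors are constructed strings. The helper also gives the Bloom-filter estimate of how many states are expected to be lost for a given table size, which is the number to look at before trusting a bitstate run.

```python
"""Bitstate (supertrace) visited set: two bits per state (added example, not SPIN's code).

Two independent hash functions map each state to two positions in one large bit
array; a state counts as already visited when both bits are set. Memory per state
is tiny, but two distinct states can hash to the same bits, and then the second
one is skipped together with everything reachable only through it: whatever the
search reports is real, but its coverage is not guaranteed.
"""
import hashlib
import math
from typing import Iterable


class BitstateSet:
    def __init__(self, log2_bits: int):
        self.nbits = 1 << log2_bits
        self.bits = bytearray(self.nbits // 8)

    def _positions(self, state: bytes):
        # Two independent hashes: disjoint 8-byte slices of one SHA-256 digest.
        d = hashlib.sha256(state).digest()
        return (int.from_bytes(d[:8], "big") % self.nbits,
                int.from_bytes(d[8:16], "big") % self.nbits)

    def _get(self, pos: int) -> int:
        return (self.bits[pos >> 3] >> (pos & 7)) & 1

    def _set(self, pos: int) -> None:
        self.bits[pos >> 3] |= 1 << (pos & 7)

    def add(self, state: bytes) -> bool:
        """Return True if the state is (believed to be) new; set its two bits either way."""
        h1, h2 = self._positions(state)
        seen = self._get(h1) and self._get(h2)
        self._set(h1)
        self._set(h2)
        return not seen


def coverage(states: Iterable[bytes], log2_bits: int) -> float:
    """Fraction of distinct states the bitstate table reports as new."""
    bs = BitstateSet(log2_bits)
    states = list(states)
    return sum(bs.add(s) for s in states) / len(states)


def expected_omissions(n_states: int, n_bits: int, k: int = 2) -> float:
    """Expected number of states wrongly skipped: the Bloom-filter false-positive
    probability after i insertions, summed over every insertion i."""
    return sum((1 - math.exp(-k * i / n_bits)) ** k for i in range(n_states))


# Constructed state vectors: 1000 distinct byte strings standing in for real states.
STATES = [f"state-{i}".encode() for i in range(1000)]

if __name__ == "__main__":
    for log2 in (6, 12, 28):
        print(f"{1 << log2:>10} bits: coverage {coverage(STATES, log2):.3f}, "
              f"expected omissions {expected_omissions(len(STATES), 1 << log2):.2e}")
```

With 64 bits for 1000 states the table saturates after a few dozen insertions and almost everything afterwards is wrongly reported as seen; with 2^28 bits (32 MB) the expected loss is far below one state. The omission estimate is what SPIN's "hash factor" (bits available per state) is about: the search is only trustworthy when that factor is large.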
Minimized Automata Reduction
• Turns the state into a sequence of integers
• Constructs an automaton which accepts exactly the states in the visited set
• Works like a BDD but on non-binary variables (MDD)
– The variables are the components of the state
– The automaton is kept minimal
– The automaton is updated efficiently
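A minimized automaton as the visited set, as an added example (Python, not SPIN's implementation): every node is registered under the key (final flag, outgoing edges to already registered children), a standard construction for acyclic automata; the 2 x 3 x 4 state grid is constructed. States that agree on a suffix of components share nodes, which is the MDD-like sharing the slide refers to.

```python
"""Visited set as a minimized automaton over state components (added example,
not SPIN's minimized-automaton code).

Each state is a sequence of small integers, one per component. The set of visited
states is a deterministic acyclic automaton accepting exactly those sequences.
Nodes are registered by (final flag, edges to registered children), so two nodes
with the same future are the same object; insertion rebuilds only the path of the
new vector and re-registers it, so the automaton stays minimal after each add.
"""
from typing import Dict, Iterable, Tuple


class Node:
    __slots__ = ("edges", "final")

    def __init__(self, edges=None, final=False):
        self.edges: Dict[int, "Node"] = dict(edges or {})
        self.final = final


class MinimizedAutomaton:
    def __init__(self):
        self.registry: Dict[tuple, Node] = {}   # signature -> canonical node
        self.root = Node()

    def _register(self, node: Node) -> Node:
        key = (node.final, tuple(sorted((sym, id(child)) for sym, child in node.edges.items())))
        return self.registry.setdefault(key, node)

    def _insert(self, node, vector: Tuple[int, ...], i: int) -> Node:
        # Path copying: nodes on the path are rebuilt, everything else is shared.
        new = Node(node.edges if node is not None else None,
                   node.final if node is not None else False)
        if i == len(vector):
            new.final = True
        else:
            new.edges[vector[i]] = self._insert(new.edges.get(vector[i]), vector, i + 1)
        return self._register(new)

    def add(self, vector: Iterable[int]) -> None:
        self.root = self._insert(self.root, tuple(vector), 0)

    def contains(self, vector: Iterable[int]) -> bool:
        node = self.root
        for sym in vector:
            node = node.edges.get(sym)
            if node is None:
                return False
        return node.final

    def size(self) -> int:
        """Number of distinct nodes reachable from the root."""
        seen, todo = set(), [self.root]
        while todo:
            node = todo.pop()
            if id(node) not in seen:
                seen.add(id(node))
                todo.extend(node.edges.values())
        return len(seen)


def trie_size(vectors) -> int:
    """Node count of a plain trie over the same vectors, for comparison."""
    root: dict = {}
    count = 1
    for vec in vectors:
        node = root
        for sym in vec:
            if sym not in node:
                node[sym] = {}
                count += 1
            node = node[sym]
    return count


# Constructed state space: components (pc0, pc1, x) with pc0 in 0..1, pc1 in 0..2,
# x in 0..3, every combination reachable (two independent processes, one counter).
GRID = [(a, b, c) for a in range(2) for b in range(3) for c in range(4)]


def build(vectors) -> MinimizedAutomaton:
    ma = MinimizedAutomaton()
    for v in vectors:
        ma.add(v)
    return ma


if __name__ == "__main__":
    ma = build(GRID)
    print(len(GRID), "states; trie nodes:", trie_size(GRID), "automaton nodes:", ma.size())
```

The 24 grid states need 33 trie nodes but only 4 automaton nodes (root, one node per component level, one final node), because every component is independent of the others. Real state spaces are less regular, but the same sharing applies to every group of states that differ only in a prefix.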
Partial Order Reduction
• Some interleavings of processes are equivalent
[Figure: from x=0,y=0 the two orders x++ then y++ (through x=1,y=0) and y++ then x++ (through x=0,y=1) both lead to x=1,y=1.]
Partial Order Reduction
• Some interleavings of processes are equivalent
• Computing all such interleavings and storing the intermediate states is expensive
• Partial order reduction defines a reduced system which is equivalent to the original system but contains fewer states and transitions
– It defines an equivalence relation between states and computes the quotient of the state transition graph to obtain a reduced state transition graph.
– Properties are true of the reduced state transition graph if and only if they are true of the original graph.
![Page 55: 1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker](https://reader030.vdocuments.mx/reader030/viewer/2022032800/56649d425503460f94a1dda8/html5/thumbnails/55.jpg)
55
Carnegie Mellon University SPINFlavio Lerda
Partial Order Reduction
• Optimal partial order reduction is as difficult as model checking!
![Page 56: 1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker](https://reader030.vdocuments.mx/reader030/viewer/2022032800/56649d425503460f94a1dda8/html5/thumbnails/56.jpg)
56
Carnegie Mellon University SPINFlavio Lerda
Partial Order Reduction
• Optimal partial order reduction is as difficult as model checking!
• Compute an approximation based on syntactical information
![Page 57: 1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker](https://reader030.vdocuments.mx/reader030/viewer/2022032800/56649d425503460f94a1dda8/html5/thumbnails/57.jpg)
57
Carnegie Mellon University SPINFlavio Lerda
Partial Order Reduction
• Optimal partial order reduction is as difficult as model checking!
• Compute an approximation based on syntactical information– Independent– Invisible– Check (at run-time) for actions postponed at
infinitum
Access to local variablesReceive on exclusive receive-access queues
Send on exclusive send-access queues
Not mentioned in the property
So called stack proviso
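The ample-set rule built from these three conditions, as an added example (Python, not SPIN's code): the two toy models are constructed, and "safe" (independent and invisible) is a flag on the statement rather than the result of analysing Promela. The first model shows the reduction on two processes with purely local work; the second shows why the run-time proviso is needed: without it the reduction keeps choosing P0's local loop, P1's write to the global `g` is postponed for ever, and the reachable state with g = 1 is never visited.

```python
"""Partial-order reduction with a syntactic safety test and the stack proviso
(added example; the toy models and the ample-set rule are this example's, not SPIN's).

A statement is *safe* when it only touches variables local to its process: it is
independent of every statement of the other process and invisible to a property
over the shared global `g`. In each state the reduced search expands only the
statements of the first process whose enabled statements are all safe, unless one
of their successors is on the DFS stack (the stack proviso); then, and when no
process qualifies, all enabled statements are expanded.
"""
from typing import Callable, List, Set, Tuple

State = Tuple[int, int, int]                 # (x0, x1, g): two local counters, one global
Move = Tuple[int, bool, State]               # (process, is_safe, successor)
Enabled = Callable[[State], List[Move]]


def counters_enabled(n: int) -> Enabled:
    """P_i: n times x_i++ (local), then one g++ (shared); acyclic, (n+2)^2 states in full."""
    def enabled(state: State) -> List[Move]:
        xs, g = list(state[:2]), state[2]
        moves = []
        for i in range(2):
            nxt = list(xs)
            nxt[i] += 1
            if xs[i] < n:
                moves.append((i, True, (nxt[0], nxt[1], g)))        # local only: safe
            elif xs[i] == n:
                moves.append((i, False, (nxt[0], nxt[1], g + 1)))   # writes g: not safe
        return moves
    return enabled


def loop_enabled(state: State) -> List[Move]:
    """P0 toggles x0 for ever (safe, cyclic); P1 once sets g = 1 (not safe)."""
    x0, x1, g = state
    moves = [(0, True, (1 - x0, x1, g))]
    if x1 == 0:
        moves.append((1, False, (x0, 1, 1)))
    return moves


def explore(enabled: Enabled, init: State, reduce: bool, proviso: bool = True) -> Set[State]:
    visited: Set[State] = set()
    on_stack: Set[State] = set()

    def ample(state: State) -> List[Move]:
        moves = enabled(state)
        if reduce:
            for proc in range(2):
                mine = [m for m in moves if m[0] == proc]
                if mine and all(safe for _, safe, _ in mine) and not (
                        proviso and any(s in on_stack for _, _, s in mine)):
                    return mine                  # ample set: this process alone
        return moves                             # full expansion

    def dfs(state: State) -> None:
        visited.add(state)
        on_stack.add(state)
        for _, _, succ in ample(state):
            if succ not in visited:
                dfs(succ)
        on_stack.discard(state)

    dfs(init)
    return visited


if __name__ == "__main__":
    full = explore(counters_enabled(2), (0, 0, 0), reduce=False)
    reduced = explore(counters_enabled(2), (0, 0, 0), reduce=True)
    print("counters: full", len(full), "states, reduced", len(reduced))
    for prov in (True, False):
        seen = explore(loop_enabled, (0, 0, 0), reduce=True, proviso=prov)
        print("loop, proviso", prov, ":", len(seen), "states; g=1 reached:", any(s[2] == 1 for s in seen))
```

For the counters the full graph has (n+2)^2 states and the reduced one 2n+4: the local increments of P0 and P1 are no longer interleaved, and only the two unsafe writes to `g` are explored in every order. For the loop model the proviso fires when P0's successor is back on the stack, which forces the full expansion and restores the state with g = 1; without it the reduced search is unsound for any property over `g`.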
Properties
• Safety properties
– Something bad never happens
– Properties of states: reachability is sufficient
• Liveness properties
– Something good eventually happens
– Properties of paths: we need something more complex to check liveness properties
LTL Model Checking
• Liveness properties are expressed in LTL
– Subset of CTL* of the form A f, where f is a path formula which does not contain any quantifiers
• The quantifier A is usually omitted
• G is written □ (always, or box)
• F is written ◇ (eventually, or diamond)
• X is written ○ (next)
LTL Formulae
• Always eventually p: □◇p
– AGFp in CTL*
– AG AF p in CTL
• Always after p there is eventually q: □(p → ◇q)
– AG(p → Fq) in CTL*
– AG(p → AFq) in CTL
• Fairness: ( … p … ) (the temporal operators of this formula are lost in the transcript)
– (AGF p) in CTL*
– Can't express it in CTL
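Checking a liveness property with a nested depth-first search over the product of the slide-7 process and a Büchi automaton for the negated formula, as an added example (Python, not SPIN's never-claim machinery): the property □◇critical, the hand-written two-state automaton for its negation ◇□¬critical and the lockstep convention (the automaton reads the current state, then the process moves) are this example's choices. The slide-7 process can `goto trying` for ever, so the property fails and the search returns the lasso; with the self-loops removed the same search finds no accepting cycle.

```python
"""Liveness checking by nested depth-first search (added example, not SPIN's code).

Property: []<> critical ("always eventually critical") for the slide-7 process.
Its negation <>[] !critical is the two-state Büchi automaton below; the model is
composed with it on the fly and the product is searched for a cycle through an
accepting state. The outer DFS visits the product; when it backtracks out of an
accepting state, an inner DFS looks for a path back onto the outer stack, which
closes such a cycle and gives the counterexample as a lasso (prefix, cycle).
"""
from typing import Callable, Iterable, List, Optional, Tuple

Loc = str                                # NC, T or C
Prod = Tuple[Loc, int]                   # (process location, automaton state)
NEXT = {"NC": "T", "T": "C", "C": "NC"}


def process_succ(loc: Loc, self_loops: bool) -> List[Loc]:
    """Slide-7 process: optionally `goto` the same label, or fall through."""
    return ([loc] if self_loops else []) + [NEXT[loc]]


# Büchi automaton for <>[] !critical: state 0 loops on anything and may guess that
# critical is never seen again by moving to state 1, which is accepting and can
# only keep going while !critical holds.
def buchi_succ(q: int, loc: Loc) -> List[int]:
    not_critical = loc != "C"
    if q == 0:
        return [0] + ([1] if not_critical else [])
    return [1] if not_critical else []


ACCEPTING = {1}


def product_succ(self_loops: bool) -> Callable[[Prod], Iterable[Prod]]:
    def succ(state: Prod) -> Iterable[Prod]:
        loc, q = state
        # The automaton reads the current state, then the process moves (lockstep).
        return [(loc2, q2) for loc2 in process_succ(loc, self_loops) for q2 in buchi_succ(q, loc)]
    return succ


def nested_dfs(init: Prod, succ, accepting) -> Optional[Tuple[List[Prod], List[Prod]]]:
    """Return (prefix, cycle) of an accepting lasso, or None if there is none."""
    outer_seen, inner_seen = set(), set()
    stack: List[Prod] = []          # current outer path
    on_stack = set()
    inner_path: List[Prod] = []
    hit: List[Prod] = []            # the stack state the inner search ran into

    def inner(s: Prod) -> bool:
        inner_seen.add(s)
        inner_path.append(s)
        for t in succ(s):
            if t in on_stack:       # a path back to the outer stack closes the cycle
                hit.append(t)
                return True
            if t not in inner_seen and inner(t):
                return True
        inner_path.pop()
        return False

    def outer(s: Prod) -> bool:
        outer_seen.add(s)
        stack.append(s)
        on_stack.add(s)
        for t in succ(s):
            if t not in outer_seen and outer(t):
                return True
        if s[1] in accepting and inner(s):   # post-order: seed the inner search here
            return True
        stack.pop()
        on_stack.discard(s)
        return False

    if not outer(init):
        return None
    idx = stack.index(hit[0])
    return stack[:idx], stack[idx:] + inner_path[1:]


def check_always_eventually_critical(self_loops: bool):
    return nested_dfs(("NC", 0), product_succ(self_loops), ACCEPTING)


if __name__ == "__main__":
    print("with self-loops:", check_always_eventually_critical(True))
    print("without self-loops:", check_always_eventually_critical(False))
```

The counterexample for the original process is the lasso with prefix NC, NC and the cycle in which the process stays in T with the automaton in its accepting state: the `goto trying` self-loop taken for ever. Both searches visit every product state at most once per DFS, so the check stays linear in the size of the product, which is what makes this usable on the same state spaces as the safety check.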
References
• http://spinroot.com/
• Design and Validation of Computer Protocols, by Gerard Holzmann
• The Spin Model Checker, by Gerard Holzmann
• An automata-theoretic approach to automatic program verification, by Moshe Y. Vardi and Pierre Wolper
• An analysis of bitstate hashing, by G.J. Holzmann
• An Improvement in Formal Verification, by G.J. Holzmann and D. Peled
• Simple on-the-fly automatic verification of linear temporal logic, by Rob Gerth, Doron Peled, Moshe Vardi and Pierre Wolper
• A Minimized automaton representation of reachable states, by A. Puri and G.J. Holzmann