applications of formal verification - model checking - kit
TRANSCRIPT
![Page 1: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/1.jpg)
KIT – INSTITUT FUR THEORETISCHE INFORMATIK
Applications of Formal VerificationModel Checking: Introduction to PROMELA
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov | SS 2012
KIT – University of the State of Baden-Wurttemberg and National Large-scale Research Center of the Helmholtz Association
![Page 2: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/2.jpg)
Literature
THE COURSE BOOK:Ben-Ari Mordechai Ben-Ari: Principles of the Spin Model
Checker, Springer, 2008(!).Authored by receiver of ACM award for outstandingContributions to CS Education. Recommended byG. Holzmann. Excellent student text book.
further reading:Holzmann Gerard J. Holzmann: The Spin Model Checker,
Addison Wesley, 2004.
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 2/37
![Page 3: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/3.jpg)
A Major Case Study with SPIN
Checking feature interaction for telephone call processingsoftware
Software for PathStarTM server from Lucent TechnologiesAutomated abstraction of unchanged C code into PROMELA
Web interface, with SPIN as back-end, to:track properties (ca. 20 temporal formulas)invoke verification runsreport error traces
Finds shortest possible error trace, reported as C execution traceWork farmed out to 16 computers, daily, overnight runs18 months, 300 versions of system model, 75 bugs foundstrength: detection of undesired feature interactions(difficult with traditional testing)Main challenge: defining meaningful properties
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 3/37
![Page 4: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/4.jpg)
Towards Model Checking
System Model
Promela Program
byte n = 0;active proctype P() {
n = 1;}active proctype Q() {
n = 2;}
System Property
[ ] ! (criticalSectP && criticalSectQ)
ModelChecker
48
criticalSectP=0 1 1criticalSectQ=1 0 1
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 4/37
![Page 5: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/5.jpg)
What is PROMELA?
PROMELA is an acronymProcess meta-language
PROMELA is a language for systems
multi-threadedsynchronisation and message passingfew control structures, pure (no side-effects) expressionsdata structures with finite and fixed bound
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 5/37
![Page 6: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/6.jpg)
What is PROMELA?
PROMELA is an acronymProcess meta-language
PROMELA is a language for modeling concurrent systemsmulti-threaded
synchronisation and message passingfew control structures, pure (no side-effects) expressionsdata structures with finite and fixed bound
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 5/37
![Page 7: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/7.jpg)
What is PROMELA?
PROMELA is an acronymProcess meta-language
PROMELA is a language for modeling concurrent systemsmulti-threadedsynchronisation and message passing
few control structures, pure (no side-effects) expressionsdata structures with finite and fixed bound
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 5/37
![Page 8: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/8.jpg)
What is PROMELA?
PROMELA is an acronymProcess meta-language
PROMELA is a language for modeling concurrent systemsmulti-threadedsynchronisation and message passingfew control structures, pure (no side-effects) expressions
data structures with finite and fixed bound
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 5/37
![Page 9: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/9.jpg)
What is PROMELA?
PROMELA is an acronymProcess meta-language
PROMELA is a language for modeling concurrent systemsmulti-threadedsynchronisation and message passingfew control structures, pure (no side-effects) expressionsdata structures with finite and fixed bound
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 5/37
![Page 10: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/10.jpg)
What is PROMELA Not?
PROMELA is not a programming languageVery small language, not intended to program real systems(we will master most of it in today’s lecture!)
No pointersNo methods/proceduresNo librariesNo GUI, no standard inputNo floating point typesFair scheduling policy (during verification)No data encapsulationNon-deterministic
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 6/37
![Page 11: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/11.jpg)
A First PROMELA Program
active proctype P() {printf("Hello world\n")
}
Command Line ExecutionSimulating (i.e., interpreting) a PROMELA program
> spin hello.pmlHello world
First observationskeyword proctype declares process named P
C-like command and expression syntaxC-like (simplified) formatted print
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 7/37
![Page 12: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/12.jpg)
A First PROMELA Program
active proctype P() {printf("Hello world\n")
}
Command Line ExecutionSimulating (i.e., interpreting) a PROMELA program
> spin hello.pmlHello world
First observationskeyword proctype declares process named P
C-like command and expression syntaxC-like (simplified) formatted print
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 7/37
![Page 13: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/13.jpg)
Arithmetic Data Typesactive proctype P() {
int val = 123;int rev;rev = (val % 10) * 100 + /* % is modulo */
((val / 10) % 10) * 10 + (val / 100);printf("val = %d, rev = %d\n", val, rev)
}
ObservationsData types byte, short, int, unsigned with operations+,-,*,/,%
All declarations implicitly at beginning of process(avoid to have them anywhere else!)Expressions computed as int, then converted to container typeArithmetic variables implicitly initialized to 0
No floats, no side effects, C/Java-style commentsNo string variables (only in print statements)
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 8/37
![Page 14: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/14.jpg)
Arithmetic Data Typesactive proctype P() {
int val = 123;int rev;rev = (val % 10) * 100 + /* % is modulo */
((val / 10) % 10) * 10 + (val / 100);printf("val = %d, rev = %d\n", val, rev)
}
ObservationsData types byte, short, int, unsigned with operations+,-,*,/,%
All declarations implicitly at beginning of process(avoid to have them anywhere else!)Expressions computed as int, then converted to container typeArithmetic variables implicitly initialized to 0
No floats, no side effects, C/Java-style commentsNo string variables (only in print statements)
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 8/37
![Page 15: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/15.jpg)
Booleans and Enumerationsbit b1 = 0;bool b2 = true;
Observationsbit is actually small numeric type containing 0,1 (unlike C,JAVA)bool, true, false syntactic sugar for bit, 0, 1
mtype = { red, yellow, green };mtype light = green;printf("the light is %e\n", light)
Observationsliterals represented as non-0 byte: at most 255mtype stands for message type (first used for message names)There is at most one mtype per program
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 9/37
![Page 16: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/16.jpg)
Booleans and Enumerationsbit b1 = 0;bool b2 = true;
Observationsbit is actually small numeric type containing 0,1 (unlike C,JAVA)bool, true, false syntactic sugar for bit, 0, 1
mtype = { red, yellow, green };mtype light = green;printf("the light is %e\n", light)
Observationsliterals represented as non-0 byte: at most 255mtype stands for message type (first used for message names)There is at most one mtype per program
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 9/37
![Page 17: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/17.jpg)
Control Statements
Sequence using ; as separator; C/JAVA-like rulesGuarded Command— Selection non-deterministic choice of an alternative— Repetition loop until break (or forever)
Goto jump to a label
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 10/37
![Page 18: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/18.jpg)
Guarded Statement Syntax
:: guard-statement -> command;
Observationssymbol -> is overloaded in PROMELA
semicolon optionalfirst statement after :: used as guard
:: guard is admissible (empty command)Can use ; instead of -> (avoid!)
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 11/37
![Page 19: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/19.jpg)
Guarded Commands: Selection
active proctype P() {byte a = 5, b = 5;byte max, branch;if:: a >= b -> max = a; branch = 1:: a <= b -> max = b; branch = 2fi
}
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 12/37
![Page 20: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/20.jpg)
Guarded Commands: Selection
active proctype P() {byte a = 5, b = 5;byte max, branch;if:: a >= b -> max = a; branch = 1:: a <= b -> max = b; branch = 2fi
}
Command Line ExecutionTrace of random simulation of multiple runs
> spin -v max.pml> spin -v max.pml> ...
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 12/37
![Page 21: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/21.jpg)
Guarded Commands: Selection
active proctype P() {byte a = 5, b = 5;byte max, branch;if:: a >= b -> max = a; branch = 1:: a <= b -> max = b; branch = 2fi
}
ObservationsGuards may “overlap” (more than one can be true at the sametime)Any alternative whose guard is true is randomly selectedWhen no guard true: process blocks until one becomes true
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 12/37
![Page 22: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/22.jpg)
Guarded Commands: SelectionCont’d
active proctype P() {bool p = ...;if:: p -> ...:: true -> ...fi;
}
active proctype P() {bool p = ...;if:: p -> ...:: else -> ...fi;
}
Second alternative can be se-lected anytime, regardless ofwhether p is true
Second alternative can be se-lected only if p is false
So far, all our programs terminate: we need loops
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 13/37
![Page 23: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/23.jpg)
Guarded Commands: SelectionCont’d
active proctype P() {bool p = ...;if:: p -> ...:: true -> ...fi;
}
active proctype P() {bool p = ...;if:: p -> ...:: else -> ...fi;
}
Second alternative can be se-lected anytime, regardless ofwhether p is true
Second alternative can be se-lected only if p is false
So far, all our programs terminate: we need loops
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 13/37
![Page 24: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/24.jpg)
Guarded Commands: SelectionCont’d
active proctype P() {bool p = ...;if:: p -> ...:: true -> ...fi;
}
active proctype P() {bool p = ...;if:: p -> ...:: else -> ...fi;
}
Second alternative can be se-lected anytime, regardless ofwhether p is true
Second alternative can be se-lected only if p is false
So far, all our programs terminate: we need loops
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 13/37
![Page 25: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/25.jpg)
Guarded Commands: SelectionCont’d
active proctype P() {bool p = ...;if:: p -> ...:: true -> ...fi;
}
active proctype P() {bool p = ...;if:: p -> ...:: else -> ...fi;
}
Second alternative can be se-lected anytime, regardless ofwhether p is true
Second alternative can be se-lected only if p is false
So far, all our programs terminate: we need loops
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 13/37
![Page 26: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/26.jpg)
Guarded Commands: Repetition
active proctype P() { /* computes gcd */int a = 15, b = 20;do
:: a > b -> a = a - b:: b > a -> b = b - a:: a == b -> break
od}
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 14/37
![Page 27: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/27.jpg)
Guarded Commands: Repetition
active proctype P() { /* computes gcd */int a = 15, b = 20;do
:: a > b -> a = a - b:: b > a -> b = b - a:: a == b -> break
od}
Command Line ExecutionTrace with values of local variables
> spin -p -l gcd.pml> spin --help
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 14/37
![Page 28: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/28.jpg)
Guarded Commands: Repetition
active proctype P() { /* computes gcd */int a = 15, b = 20;do
:: a > b -> a = a - b:: b > a -> b = b - a:: a == b -> break
od}
ObservationsAny alternative whose guard is true is randomly selectedOnly way to exit loop is via break or gotoWhen no guard true: loop blocks until one becomes true
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 14/37
![Page 29: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/29.jpg)
Counting Loops
Counting loops such as for-loops as usual in imperative programminglanguages are realized with break after the termination condition:
#define N 10 /* C-style preprocessing */active proctype P() {
int sum = 0; byte i = 1;do:: i > N -> break /* test */:: else -> sum = sum + i; i++ /* body, increment */od
}
ObservationsDon’t forget else, otherwise strange behaviourCan define for(var,start,end) macro, but we adviseagainst:
not a structured command (scope), can cause hard-to-find bugs
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 15/37
![Page 30: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/30.jpg)
Counting Loops
Counting loops such as for-loops as usual in imperative programminglanguages are realized with break after the termination condition:
#define N 10 /* C-style preprocessing */active proctype P() {
int sum = 0; byte i = 1;do:: i > N -> break /* test */:: else -> sum = sum + i; i++ /* body, increment */od
}
ObservationsDon’t forget else, otherwise strange behaviourCan define for(var,start,end) macro, but we adviseagainst:
not a structured command (scope), can cause hard-to-find bugs
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 15/37
![Page 31: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/31.jpg)
Arrays
#define N 5active proctype P() {byte a[N];a[0] = 0;a[1] = 10;a[2] = 20;a[3] = 30;a[4] = 40;byte sum = 0, i = 0;do
:: i > N-1 -> break;:: else -> sum = sum + a[i]; i++
od;}
ObservationsArrays start with 0 as in Java and CArrays are scalar types: a 6=b always different arraysArray bounds are constant and cannot be changedOnly one-dimensional arrays (there is an (ugly) workaround)
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 16/37
![Page 32: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/32.jpg)
Arrays
#define N 5active proctype P() {byte a[N];a[0] = 0;a[1] = 10;a[2] = 20;a[3] = 30;a[4] = 40;byte sum = 0, i = 0;do
:: i > N-1 -> break;:: else -> sum = sum + a[i]; i++
od;}
ObservationsArrays start with 0 as in Java and CArrays are scalar types: a 6=b always different arraysArray bounds are constant and cannot be changedOnly one-dimensional arrays (there is an (ugly) workaround)
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 16/37
![Page 33: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/33.jpg)
Record Types
typedef DATE {byte day, month, year;
}active proctype P() {DATE D;D.day = 1; D.month = 7; D.year = 62
}
ObservationsC-style syntaxCan be used to realize multi-dimensional arrays:
typedef VECTOR {int vector[10]
};VECTOR matrix[5]; /* base type array in record */matrix[3].vector[6] = 17;
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 17/37
![Page 34: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/34.jpg)
Record Types
typedef DATE {byte day, month, year;
}active proctype P() {DATE D;D.day = 1; D.month = 7; D.year = 62
}
ObservationsC-style syntaxCan be used to realize multi-dimensional arrays:
typedef VECTOR {int vector[10]
};VECTOR matrix[5]; /* base type array in record */matrix[3].vector[6] = 17;
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 17/37
![Page 35: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/35.jpg)
Jumps
#define N 10active proctype P() {int sum = 0; byte i = 1;do:: i > N -> goto exitloop;:: else -> sum = sum + i; i++od;
exitloop:printf("End of loop")
}
ObservationsJumps allowed only within a processLabels must be unique for a processCan’t place labels in front of guards (inside alternative ok)Easy to write messy code with goto
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 18/37
![Page 36: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/36.jpg)
Jumps
#define N 10active proctype P() {int sum = 0; byte i = 1;do:: i > N -> goto exitloop;:: else -> sum = sum + i; i++od;
exitloop:printf("End of loop")
}
ObservationsJumps allowed only within a processLabels must be unique for a processCan’t place labels in front of guards (inside alternative ok)Easy to write messy code with goto
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 18/37
![Page 37: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/37.jpg)
Inlining Code
PROMELA has no method or procedure calls
typedef DATE {byte day, month, year;
}inline setDate(D, DD, MM, YY) {
D.day = DD; D.month = MM; D.year = YY}active proctype P() {
DATE d;setDate(d,1,7,62);
}
The inline constructmacro-like abbreviation mechanism for code that occurs multiplycreates new local variables for parameters, but no new scope
avoid to declare variables in inline — they are visible
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 19/37
![Page 38: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/38.jpg)
Inlining Code
PROMELA has no method or procedure calls
typedef DATE {byte day, month, year;
}inline setDate(D, DD, MM, YY) {D.day = DD; D.month = MM; D.year = YY
}active proctype P() {DATE d;setDate(d,1,7,62);
}
The inline constructmacro-like abbreviation mechanism for code that occurs multiplycreates new local variables for parameters, but no new scope
avoid to declare variables in inline — they are visible
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 19/37
![Page 39: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/39.jpg)
Inlining Code
PROMELA has no method or procedure calls
typedef DATE {byte day, month, year;
}inline setDate(D, DD, MM, YY) {D.day = DD; D.month = MM; D.year = YY
}active proctype P() {DATE d;setDate(d,1,7,62);
}
The inline constructmacro-like abbreviation mechanism for code that occurs multiplycreates new local variables for parameters, but no new scope
avoid to declare variables in inline — they are visible
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 19/37
![Page 40: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/40.jpg)
Non-Deterministic Programs
Deterministic PROMELA programs are trivialAssume PROMELA program with one process and no overlappingguards
All variables are (implicitly or explictly) initializedNo user input possibleEach state is either blocking or has exactly one successor state
Such a program has exactly one possible computation!
Non-trivial PROMELA programs are non-deterministic!
Possible sources of non-determinism1 Non-deterministic choice of alternatives with overlapping guards2 Scheduling of concurrent processes
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 20/37
![Page 41: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/41.jpg)
Non-Deterministic Programs
Deterministic PROMELA programs are trivialAssume PROMELA program with one process and no overlappingguards
All variables are (implicitly or explictly) initializedNo user input possibleEach state is either blocking or has exactly one successor state
Such a program has exactly one possible computation!
Non-trivial PROMELA programs are non-deterministic!
Possible sources of non-determinism1 Non-deterministic choice of alternatives with overlapping guards2 Scheduling of concurrent processes
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 20/37
![Page 42: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/42.jpg)
Non-Deterministic Generation ofValues
byte range;if:: range = 1:: range = 2:: range = 3:: range = 4
fi
Observationsassignment statement used as guard
assignment statement always succeeds (guard is true)side effect of guard is desired effect of this alternativecould also write :: true -> range = 1, etc.
selects non-deterministically a value in {1,2,3,4} for range
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 21/37
![Page 43: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/43.jpg)
Non-Deterministic Generation ofValues Cont’d
Generation of values from explicit list impractical for large range
#define LOW 0#define HIGH 9byte range = LOW;do
:: range < HIGH -> range++:: break
od
ObservationsIncrease of range and loop exit selected with equal chanceChance of generating n in random simulation is 2−(n+1)
Obtain no representative test cases from random simulation!Ok for verification, because all computations are generated
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 22/37
![Page 44: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/44.jpg)
Non-Deterministic Generation ofValues Cont’d
Generation of values from explicit list impractical for large range
#define LOW 0#define HIGH 9byte range = LOW;do:: range < HIGH -> range++:: break
od
ObservationsIncrease of range and loop exit selected with equal chanceChance of generating n in random simulation is 2−(n+1)
Obtain no representative test cases from random simulation!Ok for verification, because all computations are generated
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 22/37
![Page 45: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/45.jpg)
Sources of Non-Determinism
1 Non-deterministic choice of alternatives with overlapping guards2 Scheduling of concurrent processes
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 23/37
![Page 46: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/46.jpg)
Concurrent Processes
active proctype P() {printf("Process P, statement 1\n");printf("Process P, statement 2\n")
}
active proctype Q() {printf("Process Q, statement 1\n");printf("Process Q, statement 2\n")
}
ObservationsCan declare more than one process (need unique identifier)At most 255 processes
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 24/37
![Page 47: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/47.jpg)
Execution of Concurrent Processes
Command Line ExecutionRandom simulation of two processes
> spin interleave.pml
ObservationsScheduling of concurrent processes on one processorScheduler selects process randomly where next statementexecutedMany different computations are possible: non-determinismUse -p and -g options to see more execution details
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 25/37
![Page 48: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/48.jpg)
Execution of Concurrent Processes
Command Line ExecutionRandom simulation of two processes
> spin interleave.pml
ObservationsScheduling of concurrent processes on one processorScheduler selects process randomly where next statementexecutedMany different computations are possible: non-determinismUse -p and -g options to see more execution details
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 25/37
![Page 49: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/49.jpg)
Sets of Processes
active [2] proctype P() {printf("Process %d, statement 1\n", _pid);printf("Process %d, statement 2\n", _pid)
}
ObservationsCan declare set of identical processesCurrent process identified with reserved variable _pid
Each process can have its own local variables
Command Line ExecutionRandom simulation of set of two processes
> spin interleave_set.pml
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 26/37
![Page 50: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/50.jpg)
Sets of Processes
active [2] proctype P() {printf("Process %d, statement 1\n", _pid);printf("Process %d, statement 2\n", _pid)
}
ObservationsCan declare set of identical processesCurrent process identified with reserved variable _pid
Each process can have its own local variables
Command Line ExecutionRandom simulation of set of two processes
> spin interleave_set.pml
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 26/37
![Page 51: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/51.jpg)
PROMELA Computations
1 active [2] proctype P() {2 byte n;3 n = 1;4 n = 2;5 }
One possible computation of this program
2, 2
0, 03, 2
1, 03, 3
1, 13, 4
1, 24, 4
2, 2
NotationProgram pointer (line #) for each process in upper compartmentValue of all variables in lower compartment
Computations are either infinite or terminating or blocking
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 27/37
![Page 52: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/52.jpg)
PROMELA Computations
1 active [2] proctype P() {2 byte n;3 n = 1;4 n = 2;5 }
One possible computation of this program
2, 2
0, 03, 2
1, 03, 3
1, 13, 4
1, 24, 4
2, 2
NotationProgram pointer (line #) for each process in upper compartmentValue of all variables in lower compartment
Computations are either infinite or terminating or blocking
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 27/37
![Page 53: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/53.jpg)
PROMELA Computations
1 active [2] proctype P() {2 byte n;3 n = 1;4 n = 2;5 }
One possible computation of this program
2, 2
0, 03, 2
1, 03, 3
1, 13, 4
1, 24, 4
2, 2
NotationProgram pointer (line #) for each process in upper compartmentValue of all variables in lower compartment
Computations are either infinite or terminating or blocking
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 27/37
![Page 54: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/54.jpg)
Admissible Computations:Interleaving
Definition (Interleaving of computations)Assume n processes P1, . . . ,Pn and process i has computationc i = (si
0, si1, si
2, . . .).The computation (s0, s1, s2, . . .) is an interleaving of c1, . . . , cn iff forall sj = si
j′ and sk = sik ′ with j < k it is the case that j ′ < k ′.
The interleaved state sequencerespects the execution order of each process
ObservationsSemantics of concurrent PROMELA program are all itsinterleavingsCalled interleaving semantics of concurrent programsNot universal: in Java certain reorderings allowed
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 28/37
![Page 55: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/55.jpg)
Admissible Computations:Interleaving
Definition (Interleaving of computations)Assume n processes P1, . . . ,Pn and process i has computationc i = (si
0, si1, si
2, . . .).The computation (s0, s1, s2, . . .) is an interleaving of c1, . . . , cn iff forall sj = si
j′ and sk = sik ′ with j < k it is the case that j ′ < k ′.
The interleaved state sequencerespects the execution order of each process
ObservationsSemantics of concurrent PROMELA program are all itsinterleavingsCalled interleaving semantics of concurrent programsNot universal: in Java certain reorderings allowed
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 28/37
![Page 56: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/56.jpg)
Interleaving Cont’dCan represent possible interleavings in a DAG
1 active [2] proctype P() {2 byte n;3 n = 1;4 n = 2;5 }
2, 2
0, 0
3, 2
1, 0
2, 3
0, 1
3, 3
1, 1
4, 2
2, 0
2, 4
0, 2
3, 4
1, 2
4, 3
2, 14, 4
2, 2
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 29/37
![Page 57: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/57.jpg)
Atomicity
At which granularity of execution can interleaving occur?
Definition (Atomicity)An expression or statement of a process that is executed entirelywithout the possibility of interleaving is called atomic.
Atomicity in PROMELA
Assignments, jumps, skip, and expressions are atomicIn particular, conditional expressions are atomic:
(p -> q : r), C-style syntax, brackets required
Guarded commands are not atomic
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 30/37
![Page 58: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/58.jpg)
Atomicity
At which granularity of execution can interleaving occur?
Definition (Atomicity)An expression or statement of a process that is executed entirelywithout the possibility of interleaving is called atomic.
Atomicity in PROMELA
Assignments, jumps, skip, and expressions are atomicIn particular, conditional expressions are atomic:
(p -> q : r), C-style syntax, brackets required
Guarded commands are not atomic
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 30/37
![Page 59: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/59.jpg)
Atomicity Cont’d
int a,b,c;active proctype P() {a = 1; b = 1; c = 1;if
:: a != 0 -> c = b / a:: else -> c = b
fi}active proctype Q() {
a = 0}
Command Line ExecutionInterleaving into selection statement forced by interactive simulation
> spin -p -g -i zero.pml
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 31/37
![Page 60: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/60.jpg)
Atomicity Cont’d
int a,b,c;active proctype P() {a = 1; b = 1; c = 1;if
:: a != 0 -> c = b / a:: else -> c = b
fi}active proctype Q() {
a = 0}
Command Line ExecutionInterleaving into selection statement forced by interactive simulation
> spin -p -g -i zero.pml
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 31/37
![Page 61: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/61.jpg)
Atomicity Cont’d
How to prevent interleaving?1 Consider to use expression instead of selection statement:
c = (a != 0 -> (b / a) : b)
2 Put code inside scope of atomic:
active proctype P() {a = 1; b = 1; c = 1;atomic {if:: a != 0 -> c = b / a:: else -> c = b
fi}
}
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 32/37
![Page 62: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/62.jpg)
Atomicity Cont’d
How to prevent interleaving?1 Consider to use expression instead of selection statement:
c = (a != 0 -> (b / a) : b)
2 Put code inside scope of atomic:
active proctype P() {a = 1; b = 1; c = 1;atomic {if:: a != 0 -> c = b / a:: else -> c = b
fi}
}
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 32/37
![Page 63: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/63.jpg)
Usage Scenario of PROMELA
1 Model the essential features of a system in PROMELAabstract away from complex (numerical) computations
make usage of non-deterministic choice of outcome
replace unbounded data structures with finite approximationsassume fair process scheduler
2 Select properties that the PROMELA model must satisfyGeneric Properties (discussed in later lectures)
Mutal exclusion for access to critical resourcesAbsence of deadlockAbsence of starvation
System-specific propertiesEvent sequences (e.g., system responsiveness)
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 33/37
![Page 64: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/64.jpg)
Formalisation with PROMELA
System
Requirements
FormalExecution
Model
FormalRequirementsSpecification
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 34/37
![Page 65: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/65.jpg)
Formalisation with PROMELA
System
Requirements
PROMELAModel
FormalProperties
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 34/37
![Page 66: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/66.jpg)
Formalisation with PROMELA
System
Requirements
C
Code
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 34/37
![Page 67: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/67.jpg)
Formalisation with PROMELA
Abstraction
System
Requirements
C
Code
PROMELA
Model
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 34/37
![Page 68: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/68.jpg)
Formalisation with PROMELA
Abstraction
System
Requirements
C
Code
PROMELA
Model
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 34/37
![Page 69: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/69.jpg)
Formalisation with PROMELA
System
Requirements
C
Code
PROMELA
Model
GenericProperties
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 34/37
![Page 70: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/70.jpg)
Formalisation with PROMELA
System
Requirements
C
Code
PROMELA
Model
GenericProperties
System
Properties
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 34/37
![Page 71: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/71.jpg)
Usage Scenario of PROMELA Cont’d
1 Model the essential features of a system in PROMELAabstract away from complex (numerical) computations
make usage of non-deterministic choice of outcome
replace unbounded datastructures with finite approximationsassume fair process scheduler
2 Select properties that the PROMELA model must satisfyMutal exclusion for access to critical resourcesAbsence of deadlockAbsence of starvationEvent sequences (e.g., system responsiveness)
3 Verify that all possible runs of PROMELA model satisfy propertiesTypically, need many iterations to get model and properties rightFailed verification attempts provide feedback via counter examples
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 35/37
![Page 72: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/72.jpg)
Verification: Work Flow (Simplified)
PROMELA Program
byte n = 0;active proctype P() {
n = 1;}active proctype Q() {
n = 2;}
Properties
[ ](!csp || !csq)
Spin
48
csp=0 1 1csq=1 0 1
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 36/37
![Page 73: Applications of Formal Verification - Model Checking - KIT](https://reader031.vdocuments.mx/reader031/viewer/2022021007/6203989dda24ad121e4b3e8d/html5/thumbnails/73.jpg)
Literature for this Lecture
Ben-Ari Chapter 1, Sections 3.1–3.3, 3.5, 4.6, Chapter 6Spin Reference card (linked from jSpin website)jSpin User manual, file doc/jspin-user.pdf in distribution
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2012 37/37