the model checker spin
DESCRIPTION
Shin Hong, KAIST17 th April,2007. The Model Checker SPIN. Contents. Introduction PROMELA Linear Temporal Logic Automata-theoretic software verification Example : Simple Elevator. SPIN is a software system to verify asynchronous process system model. Introduction. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: The Model Checker SPIN](https://reader035.vdocuments.mx/reader035/viewer/2022062221/56813e00550346895da7dbab/html5/thumbnails/1.jpg)
Shin Hong, KAIST 17th April,2007
1/33Provable Software Laboratory, CS KAIST
![Page 2: The Model Checker SPIN](https://reader035.vdocuments.mx/reader035/viewer/2022062221/56813e00550346895da7dbab/html5/thumbnails/2.jpg)
Contents
Introduction
PROMELA
Linear Temporal Logic
Automata-theoretic software
verification
Example : Simple ElevatorProvable Software Laboratory, CS KAIST /33 2
![Page 3: The Model Checker SPIN](https://reader035.vdocuments.mx/reader035/viewer/2022062221/56813e00550346895da7dbab/html5/thumbnails/3.jpg)
SPIN is a software system to verify asynchronous process system model.
3Provable Software Laboratory, CS KAIST /33
![Page 4: The Model Checker SPIN](https://reader035.vdocuments.mx/reader035/viewer/2022062221/56813e00550346895da7dbab/html5/thumbnails/4.jpg)
Introduction Software have taken big portion of
system. These software should fulfill its
responsibility.
Failure of System Software might Failure of System Software might be a disaster.be a disaster. 4Provable Software Laboratory, CS KAIST
/33
![Page 5: The Model Checker SPIN](https://reader035.vdocuments.mx/reader035/viewer/2022062221/56813e00550346895da7dbab/html5/thumbnails/5.jpg)
Introduction To avoid software system failure, We want to prove correctness of a
system software.→ Verification of software is needed.
5Provable Software Laboratory, CS KAIST /33
![Page 6: The Model Checker SPIN](https://reader035.vdocuments.mx/reader035/viewer/2022062221/56813e00550346895da7dbab/html5/thumbnails/6.jpg)
Introduction Testing
Operate the program in some representative situation and verify whether it behaves as expected.
Dictum of Dijkstra
“ Program testing can be used to show the presence of bugs, but never to show their absence. ”
Model Checking Describing a system as an FSM and
verifying whether the system’s behavior satisfies the desired properties.
6Provable Software Laboratory, CS KAIST /33
![Page 7: The Model Checker SPIN](https://reader035.vdocuments.mx/reader035/viewer/2022062221/56813e00550346895da7dbab/html5/thumbnails/7.jpg)
Peterson’s mutex
Provable Software Laboratory, CS KAIST /33 7
2 processes3 processes
4 processes
http://www.pst.ifi.lmu.de/~hammer/statespaces/peterson/index.html
![Page 8: The Model Checker SPIN](https://reader035.vdocuments.mx/reader035/viewer/2022062221/56813e00550346895da7dbab/html5/thumbnails/8.jpg)
Introduction We want to prove correctness of system
software . Concurrency→ concurrent software may involve
asynchrony.→ Extremely complex.
Embedded System→ Completeness of verification is needed.
Model checking is more suitable for verification of system software. 8Provable Software Laboratory, CS KAIST
/33
![Page 9: The Model Checker SPIN](https://reader035.vdocuments.mx/reader035/viewer/2022062221/56813e00550346895da7dbab/html5/thumbnails/9.jpg)
Introduction Model Checking
Requirements System ↓ modeling languages ↓
Requirements properties System model
Model Checking
(State Exploration)
Okay Counterexample
SatisfiedNot satisfied
9Provable Software Laboratory, CS KAIST /33
![Page 10: The Model Checker SPIN](https://reader035.vdocuments.mx/reader035/viewer/2022062221/56813e00550346895da7dbab/html5/thumbnails/10.jpg)
Introduction Model Checking
Requirements System ↓ ↓
Requirements properties System model
Model Checking
(State Exploration)
Okay Counterexample
SatisfiedNot satisfied
State Explosion
10Provable Software Laboratory, CS KAIST /33
![Page 11: The Model Checker SPIN](https://reader035.vdocuments.mx/reader035/viewer/2022062221/56813e00550346895da7dbab/html5/thumbnails/11.jpg)
Introduction SPIN is designed to provide
An intuitive, program-like notation for specifying
design choices unambiguously withoutimplementation detail. Powerful, concise, notation for
expressing general correctness requirements.
Scalability : Reduce limitation of problem size, machine memory size, maximum runtime.
11Provable Software Laboratory, CS KAIST /33
![Page 12: The Model Checker SPIN](https://reader035.vdocuments.mx/reader035/viewer/2022062221/56813e00550346895da7dbab/html5/thumbnails/12.jpg)
Introduction Model Checker SPIN
Requirements System ↓ Linear Temporal LogicLinear Temporal Logic ↓
PROMELAPROMELA Requirements properties System model
Model Checking
(State Exploration)
Okay Counterexample
Satisfied
Not satisfied
On-the-fly On-the-fly verificationverificationNegative ClaimNegative ClaimAlgorithmsAlgorithms
12Provable Software Laboratory, CS KAIST /33
![Page 13: The Model Checker SPIN](https://reader035.vdocuments.mx/reader035/viewer/2022062221/56813e00550346895da7dbab/html5/thumbnails/13.jpg)
PROMELA (1/5)
Process Meta Language Describes the behavior of systems of
potentially interacting processes. Processes , Objects, Message
channels
13Provable Software Laboratory, CS KAIST /33
![Page 14: The Model Checker SPIN](https://reader035.vdocuments.mx/reader035/viewer/2022062221/56813e00550346895da7dbab/html5/thumbnails/14.jpg)
PROMELA (2/5)
Process Is instantiations of ‘proctype’ defines behavior of system. is consisted of declaration+statements
Data Object Basic data types : bool, byte, mtype, pid, int,
etc. Two levels of scope only : Global and Process
local Data structure using ‘typedef’ Array
14Provable Software Laboratory, CS KAIST /33
![Page 15: The Model Checker SPIN](https://reader035.vdocuments.mx/reader035/viewer/2022062221/56813e00550346895da7dbab/html5/thumbnails/15.jpg)
PROMELA (3/5)
Message channels model the exchange of data between
processes declared by ‘chan’ .
Provable Software Laboratory, CS KAIST /33 15
![Page 16: The Model Checker SPIN](https://reader035.vdocuments.mx/reader035/viewer/2022062221/56813e00550346895da7dbab/html5/thumbnails/16.jpg)
PROMELA (4/5) Statements
Assignments and Expressions Deterministic steps Non-deterministic steps Selection Repetition I/O
Communication Message channel
Provable Software Laboratory, CS KAIST /33 16
![Page 17: The Model Checker SPIN](https://reader035.vdocuments.mx/reader035/viewer/2022062221/56813e00550346895da7dbab/html5/thumbnails/17.jpg)
PROMELA (5/5)chan STDIN ;proctype Euclid(int x, y){
do:: (x > y) -> x = x – y:: (x < y) -> y = y – x:: (x == y) -> goto donedo ;
done:printf(“answer: %d\n”, x) }
init { int a , b ;STDIN?a ; STDIN?b;run Euclid(a,b)}Provable Software Laboratory, CS KAIST
/33 17
Message channel & Standard InputCreating process RepetitionSelection
Standard output
Declaration of data objectsCommunication through channelInstantiate a proctype
![Page 18: The Model Checker SPIN](https://reader035.vdocuments.mx/reader035/viewer/2022062221/56813e00550346895da7dbab/html5/thumbnails/18.jpg)
Automata-Theoretic Software Verification
Linear Temporal Logic (1/3) Fixed set of atomic formulas and
temporal connectives. Syntax
Φ ::= T | F | p | ! Φ | Φ^ Φ | Φ∨Φ | X Φ| ΦU Φ
18Provable Software Laboratory, CS KAIST /33
![Page 19: The Model Checker SPIN](https://reader035.vdocuments.mx/reader035/viewer/2022062221/56813e00550346895da7dbab/html5/thumbnails/19.jpg)
Automata-Theoretic Software Verification
Linear Temporal Logic (2/3)
an infinite word ξ=x0x1… over alphabet P(Prop)
ξ |= q iff q∈x0, for q ∈P,ξ |= ¬ Φ iff not ξ |= Φ,
ξ |= Φ1^ Φ2 iff ξ |= Φ1 and ξ |= Φ2
ξ |= Φ1∨ Φ2 iff ξ |= Φ1 or ξ |= Φ2
ξ |= XΦ iff ξ1 |= Φ
ξ |= Φ1UΦ2
iff there is an i≥0 s.t. ξi|= Φ 1 and ξj|= Φ 1 for all 0 ≤ j < i
19Provable Software Laboratory, CS KAIST /33
![Page 20: The Model Checker SPIN](https://reader035.vdocuments.mx/reader035/viewer/2022062221/56813e00550346895da7dbab/html5/thumbnails/20.jpg)
Automata-Theoretic Software Verification
Linear Temporal Logic (3/3) Safety Property Liveness Property
20Provable Software Laboratory, CS KAIST /33
![Page 21: The Model Checker SPIN](https://reader035.vdocuments.mx/reader035/viewer/2022062221/56813e00550346895da7dbab/html5/thumbnails/21.jpg)
Automata-Theoretic Software Verification
Finite State Program P = (Q, q0, R, V) Q : a finite set of states. q 0 : initial state R ⊆ Q X Q : accessibility relation,
allowing non-determinism.Assume that R is total so that
a terminate d execution as repeating forever its last st ate.
V : Q → P(Prop)
21Provable Software Laboratory, CS KAIST /33
![Page 22: The Model Checker SPIN](https://reader035.vdocuments.mx/reader035/viewer/2022062221/56813e00550346895da7dbab/html5/thumbnails/22.jpg)
Automata-Theoretic Software Verification
Büchi automatonA generalized Büchi automaton A = (Σ, Q, Q0, ρ , F) where
Σ : alphabet Q : a finite set of states, Q0⊆ Q : initial states ρ ⊆ Q X Σ X Q : transition relation F ⊆ P(P(Q)) : a set of sets of accepting states.
An accepting execution σ is an execution such that
for each acceptance set Fi∈F, there exists at least one state q∈Fi that appears infinitely often in σ.
22Provable Software Laboratory, CS KAIST /33
![Page 23: The Model Checker SPIN](https://reader035.vdocuments.mx/reader035/viewer/2022062221/56813e00550346895da7dbab/html5/thumbnails/23.jpg)
Automata-Theoretic Software Verification
A finite state program P=(W,w0, →,V) can be viewed as a Büchi automaton
Ap=(∑,W,{w0}, ρ,W) where ∑=P(Prop)
s’∈ρ(s,a) iff s →s’ and a=V(s)
Any infinite run of the automaton is accepting
23Provable Software Laboratory, CS KAIST /33
![Page 24: The Model Checker SPIN](https://reader035.vdocuments.mx/reader035/viewer/2022062221/56813e00550346895da7dbab/html5/thumbnails/24.jpg)
Automata-Theoretic Software Verification
Global reachability graph : Asynchronous product of processes
Requirement properties
Provable Software Laboratory, CS KAIST 24/34
![Page 25: The Model Checker SPIN](https://reader035.vdocuments.mx/reader035/viewer/2022062221/56813e00550346895da7dbab/html5/thumbnails/25.jpg)
Automata-Theoretic Software Verification
For a finite-state program P and LTL formula Ψ ,
There exists a Büchi automaton A Ψ that accept exactly the computations satisfying ψ.
The verification problem is to verify that all infinite words accepted by the automaton AP satisfy the formula Ψ.
Lω(AP)⊆L ω (AΨ) ~ L ω (AP) ∩ L ω(A Ψ ) = φ
25Provable Software Laboratory, CS KAIST /33
![Page 26: The Model Checker SPIN](https://reader035.vdocuments.mx/reader035/viewer/2022062221/56813e00550346895da7dbab/html5/thumbnails/26.jpg)
Automata-Theoretic Software VerificationL ω (A) = L ω (A1) ∩ L ω(A 2 ) let A1=(Σ,Q1,Q0
1,ρ1,F1),A2=(Σ,Q2, Q02,ρ2,F2)
Let A=(Σ,Q1,Q0,ρ,F) where
Q=Q1XQ2X{1,2} , Q0=Q01XQ0
2X{1},F=F1XS2X{1}
(s’, t’, j)∈ρ((s,t,i),a) if s’∈ρ1(s,a), t’ ∈ρ2(s,a)and i=j
unless i=1 and s∈F1, in which case j=2
or i=2 and t∈F2, in which case j=1.
The acceptance condition guarantee that both tracks visit accepting state infinitely often if and only if it goes infinitely often through F1XS2X{1}.
26Provable Software Laboratory, CS KAIST /33
![Page 27: The Model Checker SPIN](https://reader035.vdocuments.mx/reader035/viewer/2022062221/56813e00550346895da7dbab/html5/thumbnails/27.jpg)
Simple Elevator
3 floor, 1 elevator The elevator goes up until 3rd floor
and then goes down until 1st floor. Each floor has its door to elevator.
Each door may open when elevator is at the same floor.
Provable Software Laboratory, CS KAIST /33 27
3rd floor
2nd floor
1st floor
door3
door2
door1 from “System and Software
Verification” by B’erard et al
![Page 28: The Model Checker SPIN](https://reader035.vdocuments.mx/reader035/viewer/2022062221/56813e00550346895da7dbab/html5/thumbnails/28.jpg)
Simple Elevator
3 floor, 1 elevator The elevator goes up until 3rd floor
and then goes down until 1st floor. Each floor has its door to elevator.
Each door may open when elevator is at the same floor.
Provable Software Laboratory, CS KAIST /33 28
3rd floor
2nd floor
1st floor
door3
door1
door2
![Page 29: The Model Checker SPIN](https://reader035.vdocuments.mx/reader035/viewer/2022062221/56813e00550346895da7dbab/html5/thumbnails/29.jpg)
Simple Elevator
3 floor, 1 elevator The elevator goes up until 3rd floor
and then goes down until 1st floor. Each floor has its door to elevator.
Each door may open when elevator is at the same floor.
Provable Software Laboratory, CS KAIST /33 29
3rd floor
2nd floor
1st floor
door2
door1
door3
![Page 30: The Model Checker SPIN](https://reader035.vdocuments.mx/reader035/viewer/2022062221/56813e00550346895da7dbab/html5/thumbnails/30.jpg)
Simple Elevator::C#define OPENED 1 #define CLOSED 1sem_t openclosedoor[3] ;static byte whatfloor ;static byte doorisopen[3] ;
void door(byte floor) { while(1) { sem_acquire(openclosedoor[floor-
1]) ; doorisopen[floor-1] = OPENED ; doorisopen[floor-1] = CLOSED ; sem_release(openclosedoor[floor-1]) ;}
}
Provable Software Laboratory, CS KAIST /33 30
void elevator(){ byte floor = 1 ;
while(1) { if ((rand() % 2) == 0) {
if (floor != 3) floor++ ; else if (floor != 1) floor-- ; } else { sem_release(openclosedoor[floor-1]) ; sem_acquire(openclosedoor[floor-1]) ; } }}
![Page 31: The Model Checker SPIN](https://reader035.vdocuments.mx/reader035/viewer/2022062221/56813e00550346895da7dbab/html5/thumbnails/31.jpg)
Simple Elevator::Cvoid main(){
int i ; byte * temp ; pid_t pid ;sem_init(openclosedoor[0], 0) ;sem_init(openclosedoor[1], 0) ;sem_init(openclosedoor[2], 0) ;
for (i = 0 ; i < 3 ; i++) {temp = (byte *)malloc(sizeof(byte)) ;*temp = i ;pid = thread_create(door, temp) ;thread_join(pid) ;
}}
Provable Software Laboratory, CS KAIST /33 31
![Page 32: The Model Checker SPIN](https://reader035.vdocuments.mx/reader035/viewer/2022062221/56813e00550346895da7dbab/html5/thumbnails/32.jpg)
Simple Elevator::PROMELAbit doorisopen[3] ;
chan openclosedoor=[0] of {byte, bit}
proctype door(byte i)
{
do
:: openclosedoor?eval(i), 1 ;
doorisopen[i-1] = 1 ;
doorisopen[i-1] = 0 ;
openclosedoor!i,0
od
}
Provable Software Laboratory, CS KAIST /33 32
proctype elevator(){
byte floor = 1 ;do:: (floor != 3) -> floor++:: (floor != 1) -> floor—:: openclosedoor!floor,1 ; openclosedoor?
eval(floor),0;do
}
init { atomic{ run door(1) ; run door(2) ; run door(3) ; run elevator() ; }}
![Page 33: The Model Checker SPIN](https://reader035.vdocuments.mx/reader035/viewer/2022062221/56813e00550346895da7dbab/html5/thumbnails/33.jpg)
Simple Elevator::Verification assert(
doorisopen[i-1]&&!doorisopen[i%3]&&!doorisopen[(i+1)%3]);
#define open1 doorisopen[0] #define open2 doorisopen[1]
#define open3 doorisopen[2] #define close1 !doorisopen[0]
#define close2 !doorisopen[1] #define close3 !doorisopen[2]
[](open1 -> X closed1) [](open2 -> X closed2) [](open3 -> X closed3) <>(open1 || open2 || open3)
Provable Software Laboratory, CS KAIST /33 33
![Page 34: The Model Checker SPIN](https://reader035.vdocuments.mx/reader035/viewer/2022062221/56813e00550346895da7dbab/html5/thumbnails/34.jpg)
Further Reading
ω-language Partial order reduction Memory management technique in
SPIN
Provable Software Laboratory, CS KAIST /33 34
![Page 35: The Model Checker SPIN](https://reader035.vdocuments.mx/reader035/viewer/2022062221/56813e00550346895da7dbab/html5/thumbnails/35.jpg)
References
[1] The Model Checker SPIN, G.J.Holzmann.
[2] The SPIN model checker, G.J.Holzmann.
[3] Systems and Software Verification, Berard et al.
[4] Simple On-the-fly automatic verification of Linear temporal logic, Vardi et al.
[5] An Automata-Theoretic Approach to Linear Temporal Logic, M.Y.Vardi.
[6] Moonzoo Kim’s lecture notes on CS750 Fall2006, CS KAIST.
Provable Software Laboratory, CS KAIST /33 35
![Page 36: The Model Checker SPIN](https://reader035.vdocuments.mx/reader035/viewer/2022062221/56813e00550346895da7dbab/html5/thumbnails/36.jpg)
Discussion
Provable Software Laboratory, CS KAIST /33 36