Http://duc/paradis/1 The Spin Model Checker Promela Introduction 50374 Nguyen Tuan Duc 50378 Shogo...

transcript

http://www.logos.ic.i.u-tokyo.ac.jp/~duc/paradis/ 1

The Spin Model CheckerPromela Introduction

50374 Nguyen Tuan Duc

50378 Shogo Sawai

What is model checking?

Complex system design Too complex to verify the system. Because of too many states

Especially concurrent system Some systems are non-deterministic

How to verify??? Model of the system

Abstraction ( system activities ) Enable arithmetic verification

Spin Model Checker

SPIN ( Simple Promela Interpreter ) Efficient software verification

Use to trace logical design errors in distributed system design, ( deadlock , race condition , etc…)

Works on-the-fly A full LTL(Linear Time Temporal Logic) Mode

l Checking system Supports random, interactive and guided sim

ulation

global stateinitial state

・・・

How does spin check a model?

Promela

Promela (PROtocol/PROcess MEta LAnguage) Syntax is very similar to C language. Easy to model

Specification of processes and communication between processes.

Synchronizaiton, atomicity Diffucult to describe

Arithmetic operations ( no floating point… )

Outline

1. An Overview of Model Checking

2. The Spin Model Checker

3. Promela Introduction

4. Promela Syntax

5. Correctness claims

6. Examples

Promela syntax

Hello, World Object types Variable’s scope Rules for executability Compound statements

Hello, World!/* hello.pml */ active proctype Hello() {

printf( “Hello, World!\n” );}

$spin hello.pmlHello, World!

1 process created

Object types

A Promela model is contructed from 3 basic types of objects: Processes Data objects Message channels

Processes

Processes are instances of proctypes proctype Hello() { … }

Proctype body ::= (data_declaration | statement)*

Proctype prefixed by active keyword is automatically activatedactive proctype Hello() {

printf( “Hello, World!\n” );}

Another way to start process is using “run” operator with proctype object as operand inside a running process: run Hello();

Data objects Basic data types:

bit(0,1), bool(true, false), byte(0..255) chan (channel) mtype (symbolic constant, likes enum in C) pid (process id) short, int

Data structures typedef Complex {

int real;int img;

} Arrays

byte x[5] = 1; /* all elements initialized to 1 */

Message channels

Message channels are used to model the exchange of data between processes chan qname = [16] of { short, byte, bool }

qname is a channel with buffer size of 16 messages and each message is a tuple of (short, byte, bool)

Operations: Blocking send: qname!expr1, expr2, expr3 Blocking receive: qname?var1, var2, var3

By default, send/receive buffers are FIFO

Example using Send/Receivemtype = { msg0, msg1, ack0, ack1 };chan to_sndr = [2] of { mtype };chan to_rcvr = [2] of { mtype };active proctype Sender(){ again: to_rcvr!msg1;

to_sndr?ack1; to_rcvr!msg0; to_sndr?ack0; goto again;

}active proctype Receiver(){ again: to_rcvr?msg1;

to_sndr!ack1; to_rcvr?msg0; to_sndr!ack0;goto again;

Rendezvous communication

Channel with buffer size of 0 can be used as rendezvous port 0 buffer channel can pass, but not store message chan port = [0] of { mtype }

Message interactions via rendezvous ports are synchronous

Variable’s scope Only 2 levels of scope exist in Promela

Model global variables Process local variables

Process local variables can be used after declarations and valid until process terminates proctype Hello(){

int x;{

int y;x = 5; y = 6;

}printf( “%d\n”, y );

}y stills valid outside the block

y is declared inside a block

Rules for executability

Depending on system state, any statement is either executable or blocked

Expressions can be used as if they were statements Expressions are “executable” (passable) if and

only if they evaluate to true or non-zero (x==y); /* block until x equals y */

Print statements, assignment statements are always executable

Example of executability

proctype proc1()

x = 1;

printf( “reached here\n” );

(x == y); /* block until x equals y */

always executable

Process executability

Process is executable if at least one executable statement exists No executable statement block active proctype block_proc() {

(1+1 == 3);

printf( “Can not reach here!\n” );

Compound statements

Atomic sequences Deterministic steps Selections Repetitions Escape sequences

Atomic sequences

Execution of atomic sequence is uninterruptible (atomic, no interleaving) atomic {

tmp = b;

b = a;

a = tmp;

Deterministic steps

D_step sequence is always executed as if it were a single statement For defining new types of primitive statements

d_step {tmp = b;b = a;a = tmp;

} Not be interrupted by blocking statements (error if

blocking statement inside an executing d_step) Deterministic

Selections

if:: guard1 -> stmt1; stmt2; …; stmt_n;:: guard2 -> stmt1; stmt2;…; stmt_m;

………:: guardn -> stmt….

fi Selection contains sequences begin with “::” Guard_i is “guard” statement, sequence can be

executed if guard statement is executable If more than one sequence can execute then the oracle choose one (non-deterministic)

Repetition do

:: guard1 -> stmts:: guard2 -> stmts….

od proctype Euclide(int x, y) {

do:: ( x > y ) -> x = x – y:: ( x < y ) -> y = y – x:: else -> goto done

oddone:

printf( “answer: %d\n” , x );

Escape sequences

{ P } unless { E } P’s statements are executed while the first

statements in E is not executable When the first statement in E becomes

executable, control changes to E and execution continues as defined for E

Correctness claims

Correctness claims are used to verify the system

Basic types of claims: Basic assertions End-state labels Progress-state labels Never claims Trace assertion

Basic assertions assert( expression ); Similar to C language assertion Example: Increasing common variables int c, x, y; /* initialized to 0 */

active proctype procA() {atomic { c++; x++ }assert( c == x + y );

}active proctype procB() {

atomic { c++; y++ }assert( c == x + y );

End state

Labels beginning with “end” (end, end1, .. ) are end-state labels

End-state labels declare a valid end-state Default end-state is end of code End-state labels can be used to declare other

additional end state

Progress state label

Progress labels begin with “progress” (progress, progress1, progression … )

Every potentially infinite execution cycle permitted by a model passes through at least one of the progress labels in that model. To verity the executing process is making

effective progress Example: semaphore with progress label

Never claims

A never claim is used to specify either finite or infinite system behavior that should never occur Verify system-wide (not only process level)

property Example: Updating 2 variables

Trace assertions

Trace assertions verify valid/invalid operations of message channels

trace {

:: q1!a; q2?b

Send operations on channel q1 alternate with receive operations on q2,

and all messages of q1 have type a, q2 have type b

Examples

Dining Philosophers Mutual exclusion Producers consumers

Http://duc/paradis/1 The Spin Model Checker Promela Introduction 50374 Nguyen Tuan Duc 50378 Shogo...

Documents