9תרגול

META LABELS

Basic types of claims

Set of properties that the system may not violate –

thing that should be avoided

Set of properties that the system must satisfy –

things that capture the required functionality of the system

The verification system cannot determine what is or ,

it only help determine what is .

Type of correctness claims:• –state properties • –path properties

The verification system cannot determine what is or ,

it only help determine what is .

State properties • –should hold in every reachable state of the system

• –should hold only in specific reachable states.

Some type of properties are basic and don’t need to stated explicitly :• The absence of reachable

Basic assertions• Stetment of the form

• Basic assertion are always executable • A failing assertion will trigger an error message

• Can be checked during simulation.• The lack of assertion violation in simulation doesn’t prove

that that the assertions cannot be violated.

Path properties • can be combined to build

Example:

Every visit to state with property must eventually be followed by a visit

to state with property , without in the interim visiting any state with property .

labelsAny statement can be preceded by a label.

The label can be used as a destination of a goto or can be used in a remote reference.

Label names must be unique.

Any number of labels can be attached to a single statement. 

active proctype P() {

S0:

S1: do

:: q!p ->

S2: q?v

:: true

od

/* S3 */

}

Remote reference

use for testing the local control state of an active process• We can check whether two user process are in the critical state

user[1]@critical && user[2]@critical

use for testing the value of a local variable in an active process • We can refer to the variable count in process Dijkstra

Dijkstra : count

Normally reserved for use in never claim (see later)

mtype {p,v}chan sema = [0] of {mtype}

active proctype Dijkstra (){ byte count=1;do:: (count==1)->

sema!p; count=0:: (count==0)->

sema?v; count=1od

}

active [3] proctype user(){do:: sema?p;

critical: skip; sema!v;od

}

Meta labels• There are three type of labels with special meaning when

run in verification mode:

• End states• Progress states• Accept state

End States• The distinguish valid system states from invalid ones.• By default the only valid states are which every process

reached to the end of its code.• Same time process aren’t meant to reach the end of it

code.

• We need to make it clear to the verifier that these alternate end states are valid.

Example

• Spin check for valid end state by default.• If the user is not interesting in these kind of errors , he can

use the run time flag –E.

mtype {p,v}chan sema = [0] of {mtype}

active proctype Dijkstra (){ byte count=1;

end: do:: (count==1)->

sema!p; count=0:: (count==0)->

sema?v; count=1od

}

active [3] proctype user(){do:: sema?p;

critical: skip; sema!v;od

}

Progress states• Mark statements in the model that accomplish something.• require that the progress labels will be visited infinitely

often in any infinite system execution . • Any violation of this requirement can be reported by the

verifier as a non-progress cycle.

Example

• To run a check for the absence of we have to compile the verifier with special option.

active proctype Dijkstra (){ byte count=1;

end: do:: (count==1)->

progress: sema!p; count=0:: (count==0)->

sema?v; count=1od

}

$ spin –a dijkstra.pml$cc –DNP –o pan pan.c$./pan -l

active [3] proctype user(){do:: sema?p;

critical: skip; sema!v;od

}

Another example byte x=2; active proctype A (){ do

:: x=3-x;progress: skip

od}active proctype B (){ do

:: x=3-x; od

}

The out putpan:1: non-progress cycle (at depth 2)pan: wrote fair.pml.trail

(Spin Version 6.2.4 -- 8 March 2013)Warning: Search not completed + Partial Order Reduction

Full statespace search for: never claim + (:np_:) assertion violations + (if within scope of claim) non-progress cycles + (fairness disabled) invalid end states - (disabled by never claim)

State-vector 36 byte, depth reached 5, errors: 1 3 states, stored 0 states, matched 3 transitions (= stored+matched) 0 atomic stepshash conflicts: 0 (resolved)

Stats on memory usage (in Megabytes): 0.000 equivalent memory usage for states (stored*(State-vector + overhead)) 0.292 actual memory usage for states 128.000 memory used for hash table (-w24) 0.534 memory used for DFS stack (-m10000) 128.730 total actual memory usage

The out put

starting claim 2spin: couldn't find claim 2 (ignored)using statement merging 2: proc 1 (B) fair.pml:10 (state 1) [x = (3-x)] <<<<<START OF CYCLE>>>>> 4: proc 1 (B) fair.pml:10 (state 1) [x = (3-x)] 6: proc 1 (B) fair.pml:10 (state 1) [x = (3-x)]spin: trail ends after 6 steps#processes: 2 x = 1 6: proc 1 (B) fair.pml:9 (state 2) 6: proc 0 (A) fair.pml:3 (state 3)2 processes created

Fair cycles• The counterexample shows an infinite execution of the

process of type B alone.• We would be interested in the existence of property

violation under a more realistic fairness assumption

assumption- any process that can execute a statement will eventually proceed with the execution.

• Strong fairness• Weak fairness

The out put

$ spin –a fair.pml$cc –DNP –o pan pan.c$./pan –l -f

The out put(Spin Version 6.2.4 -- 8 March 2013) + Partial Order Reduction

Full statespace search for: never claim + (:np_:) assertion violations + (if within scope of claim) non-progress cycles + (fairness enabled) invalid end states - (disabled by never claim)

State-vector 36 byte, depth reached 7, errors: 0 8 states, stored (10 visited) 7 states, matched 17 transitions (= visited+matched) 0 atomic stepshash conflicts: 0 (resolved)

Stats on memory usage (in Megabytes): 0.000 equivalent memory usage for states (stored*(State-vector + overhead)) 0.292 actual memory usage for states 128.000 memory used for hash table (-w24) 0.534 memory used for DFS stack (-m10000) 128.730 total actual memory usage

unreached in proctype A fair.pml:7, state 6, "-end-" (1 of 6 states)unreached in proctype B fair.pml:12, state 5, "-end-" (1 of 5 states)

Accept states • Find all cycles that do pass through at least one of the .• There should not exist an executions that can pass

thought an accept-state infinitely often. • Normally reserved for use in never claim (see later)

$ spin –a fair_accept.pml$cc –o pan pan.c$./pan –a (or $./pan –a –f for fair accepted cycles only)

Inline- העבר מן חוב• An inline definition works much like a preprocessor macro• An inline definition must appear before its first use, and

must always be defined globally.• An invocation (an inline call) is performed with a syntax

that is similar to a procedure call in C, but it does not define a new variable scope

• a inline cannot return a value to the caller.• An inline definition may itself contain other inline calls, but

it may not call itself recursively.

Examplemtype = { msg0, msg1, ack0, ack1 };

chan sender = [1] of { mtype };

chan receiver = [1] of { mtype };

inline recv(cur_msg, cur_ack, lst_msg, lst_ack) {

do

:: receiver?cur_msg -> sender!cur_ack;

break /* accept */

:: receiver?lst_msg -> sender!lst_ack

od;

}

inline phase(msg, good_ack, bad_ack) {

do

:: sender?good_ack -> break

:: sender?bad_ack

:: timeout -> if

:: receiver!msg;

:: skip /* lose message */

fi;

od

}

active proctype Sender() {do :: phase(msg1, ack1,ack0);

phase(msg0, ack0, ack1) od

} active proctype Receiver() {

do :: recv(msg1, ack1, msg0, ack0); recv(msg0, ack0, msg1, ack1) od

}