A Practical approach on Model checking with Modex and Spin
|
|
- Clement Briggs
- 6 years ago
- Views:
Transcription
1 International Journal of Electrical & Computer Sciences IJECS-IJENS Vol: 11 No: 05 1 A Practical approach on Model checking with Modex and Spin Muhammad Iqbal Hossain #1, Nahida Sultana Chowdhury *2 # Computer Science and Engineering, Kyungpook National University Daegu, South Korea 1 milon_mi7@yahoo.com * Computer Science and Engineering, Kyungpook National University Daegu, South Korea 2 nahida_uap@yahoo.com Abstract Software verication methods are used widely in commercial and industrial development. To formally very a large software application we can extract a model from the source code and very that model with any verication mechanism or human contribution. So there are two things extraction and verication. There are two main problems in this approach. The first problem is verication process by human is no longer reliable because in manual verication the error rate can be higher and that can decrease the functionalities of the whole process. The second problem is the effort to extract or very the model can take a considerable investment of time and expertise. For a large system manual verication can take a great effort and the performance of humans. In this paper we have tried to represent the whole process in an automatic way. And also we have tried to ignore the manual contribution of human to make the whole procedure faster and reliable. For this purpose we choose an automated model extractor method: Modex and an automated verier to extrac model: Spin. Firstly we have applied MODEX to automated the model extractor method and then we used SPIN to automatically very the extracted model. mere guiding mental image in the mind of a de-signer. The purpose of a model is to facilitate analysis, either explicitly or implicitly. Models are abstractions of real world artacts. A designer only takes the trouble to build a model when it is easier, cheaper, or faster to analyse the model than it is to analyse the real world artact itself. A model that is more complex than the artact that it describes would be comparable to the summary of a book that is longer than the book. The effective use of abstraction is the key to the successful construction of models. The construction of an abstract model, in turn, is the key to successful analysis. A model should not only be simpler than the artact being modeled, it should also be simpler to construct than that artact. If the construction of a model is perceived to be too complex, it will be all too tempting to forgo the construction of the model, and make do with more basic types of analysis [2]. Index Term MODEX, SPIN, Model Extraction, Model Verication I. INTRODUCTION There are many techniques for evaluating code quality and for reducing the expected number of residual bugs, manual code walkthrough, and peer review and of course plain old unit and integration testing. There is no question that these methods work, they catch bugs but they are not perfect. Conventional verication technique has some restriction that limit the number of bugs that can be caught in this way. This is sometimes called the ceiling that is imposed by standard verying technique. To very a piece of code either in isolation or in a given context, a verier usually creates a test harness, special instrument that is used to efficiently and reproducibly administer a series of tests and evaluate the result[1]. In this paper we divide the whole procedure in two steps: model extractor and model verication. Models are widely used in most engineering disciplines. A model can be a mathematical theory, a physical entity an image or shape, a Fig. 1. The verication process II. MODEL EXTRACTION: MODEX Modex is a tool that can be used to mechanically extract high-level verication models from implementation level C code. Modex itself is written in ANSI-C, and its application domain is also restricted to ANSI-C code (i.e., it does not handle C++). Model extraction and abstraction are also very much still in the domain of research, not of push-button application. So, as a minor disclaimer, you plan to use these tools, be prepared to spend some time to learn how
2 International Journal of Electrical & Computer Sciences IJECS-IJENS Vol: 11 No: 05 2 everything is meant to work. The documentation gives a good head-start. Experience with the application of the tools, building test harnesses, and verying applications, will do the rest. Experience with the effective use of these tools comes slowly but surely, so be patient! After these somewhat discouraging notes, it is also good to add that the reward for finally mastering the use of these tools can be very substantial. Our own experience to date indicates that these tools, used right, allow us to very software applications, or portions thereof, with a thoroughness that cannot be achieved by any other testing or verication method [3, 5]. The procedure to run modex has shown below: Spin is written in C and is distributed as a single executable fi le for Windows and Linux. One way that Spin achieves efficiency is that it does not perform the model checking itself; instead, it generates a highly optimized model checking program in C for each model and each correctness claim to be veried. The user need not look at this C code, although to use Spin you need to have a C compiler installed. A verication in Spin can be run with a three-line script (generate the verier, compile it and run it); alternatively, a development environment can be used. We can generate dferent kind of model to better understand the flow of datas, procedures, error Spin can be run in four modes [6]: 1. Random simulation mode uses a random number generator to resolve the non-determinism inherent in a concurrent program as well as the possible non-determinism in the guarded commands of a single process. 2. Interactive simulation mode enables the user to choose the next instruction to be executed. Interactive simulation is also supported in concurrency simulators and is essential for demonstrating scenarios (such as those for starvation or fairness) that are very unlikely to occur randomly. 3. In verication mode, Spin systematically searches the entire state space looking for a counter example, a computation that violates a correctness specication. 4. If a counterexample is found, a trail of the incorrect computation can be used in guided simulation mode to recreate the computation to the user to examine. The verication process with SPIN has shown below Fig. 2. Run MODEX III. MODEL VERIFICATION: SPIN Spin is a model checker [2] that has been developed at Bell Labs in the original UNIX group of the computer Science research centre. It is originally designed for verying communications protocols and later it become most widely used verication tools. Spin is particularly suited for modeling concurrent and distributed systems that are based upon interleaving of atomic instruction. Models, written in simple language called Promela, can be simulated randomly or interactively [6]. Spin can generate efficient veriers that search for a counter example to correctness specication applied to a model. Unlike many modelcheckers, SPIN does not actually perform model-checking itself, but instead generates C sources for a problem-specic model checker [4]. This technique saves memory and improves performance, while also allowing the direct insertion of chunks of C code into the model. SPIN also offers a large number of options to further speed up the model-checking process and save memory, such as: Partial order reduction; State compression; Bitstate hashing (instead of storing whole states, only their hash code is remembered in a bitfield; this saves a lot of memory but voids completeness); Weak fairness enforcement Fig. 3. Verication of the model with SPIN IV. IMPLEMENTATION AND RESULT To implement our procedure, we have to write a C code and that will be veried through modex and spin. At the first step we have to extract a model from the existing or newly created C code. The basic idea of model extraction is converting ANSI C code to promela code. The branching
3 International Journal of Electrical & Computer Sciences IJECS-IJENS Vol: 11 No: 05 3 instructions are somewhat equivalent to promela. In this extraction procedures are not really supported. We can use inlining or link to external procedure, by the conversion table we can generate the basic statements. A test harness [7] is created associated with the C code. Test harness is used to specy the details of system verication. All the test harness specications are stored in a single file, with the suffix.prx, grouped into dferent commands, each dealing with dferent aspect to the verication setup. Figure 4 represents the c code of the program. This is a simple mutual exclusion code. We attempt to extract a model from this code by the help of modex cat mutex.c /* Bad Mutex Algorithm */ int x, y, z; void lock(int Pid) { busywait: x = Pid; (y!= 0 && y!= Pid) z = Pid; (x!= Pid) y = Pid; (z!= Pid) void unlock() { x = 0; y = 0; z = 0; Fig. 4. C code of mutual exclusion Figure 5 represented the extracted model from the C code using modex. The test harness file also executed automatically during the model extraction. We will not discuss about the test harness file (.prx) to generate the model there are some specic command: modex mutex.c cpp E P _modex_.run > model cat model $ cat model int x; int y; int z; int w64; int builtin_va_list; byte cnt; proctype lock(int Pid; chan q) { busywait: c_code { now.x=plock->pid; ; :: c_expr { ((now.y!=0)&&(now.y!=plock->pid)) ; c_code { now.z=plock->pid; ; :: c_expr { (now.x!=plock->pid) ; c_code { now.y=plock->pid; ; :: c_expr { (now.z!=plock->pid) ; ; q!0 active [2] proctype user() { chan q = [0] of { byte ; run lock(_pid, q); q?0; cnt++; assert(cnt == 1); cnt--; c_code { now.x=0; ; c_code { now.y=0; ; c_code { now.z=0; ; ; Fig. 5. Extracted model from source code The c_code primitive supports the use of embed-ded C code fragments inside PROMELA models. The code must be syntactically valid C, and must be terminated by a semicolon (a required statement terminator in C). If an expression is specied, its value will be evaluated as a general C expression before the C code fragment inside the curly braces is executed. If the result of the evaluation is non-zero, the c_code fragment is executed. If the result of the evaluation is zero, the code between the curly braces is ignored, and the statement is treated as an assertion violation. The typical use of the expression clause is to add checks for nil-pointers or for bounds in array indices. A c_expr can be used to express guard conditions that are not necessarily expressible in PROMELA with its more restrictive data types and language constructs. There are two forms of the c_expr primitive: with or without an additional assertion expression in square brackets. A missing assertion expression is equivalent to [1]. If an assertion expression is specied, its value is evaluated as a general C expression before the code inside the curly braces is evaluated. The normal (expected) case is that the assertion expression evaluates to a non-zero value. If so, the C code between the curly braces is evaluated next to determine the executability of the c_expr as a whole. If the evaluation value of the assertion expression is zero (equivalent to false), the code between the curly braces is ignored and the statement is treated as an assertion violation [1]. Now we will use spin for the verication of the model extracted by mutex. Figure 6, 7 and 8 show dferent type of
4 International Journal of Electrical & Computer Sciences IJECS-IJENS Vol: 11 No: 05 4 verication model generated by Spin. When a PROMELA model contains embedded C code, SPIN cannot simulate its execution in the normal way because it cannot directly interpret the embedded code fragments. If we try to run a simulation anyway, SPIN will make a best effort to comply, but it will only print the text of the c_expr and c_code fragments that it encounters, without actually executing them. To faithfully execute all embedded C code fragments, we must first generate the pan files and compile them. We now rely on the standard C compiler to interpret the contents of all embedded code as part of the normal compilation process. $ spin -a model $ cc -o pan pan.c $./pan hint: this search is more efficient pan.c is compiled - DSAFETY pan:1: assertion violated (cnt==1) (at depth 23) pan: wrote model.trail (Spin Version May 2011) Warning: Search not completed + Partial Order Reduction Full statespace search for: never claim - (none specied) assertion violations + acceptance cycles - (not selected) invalid end states + State-vector 64 byte, depth reached 34, errors: 1 58 states, stored 19 states, matched 77 transitions (= stored+matched) 0 atomic steps hash conflicts: 0 (resolved) Stats on memory usage (in Megabytes): equivalent memory usage for states (stored*(state-vector + overhead)) actual memory usage for states (unsuccessful compression: %) state-vector as stored = 5208 byte + 16 byte overhead memory used for hash table (-w19) memory used for DFS stack (-m10000) total actual memory usage pan: elapsed time 0 seconds Fig. 6. Creating pan through spin $./pan -r 1: proc 1 (user) model:34 (state 1) [(run 2: proc 0 (user) model:34 (state 1) [(run 3: proc 3 (lock) model:11 (state 1) [now.x=plock- 4: proc 3 (lock) model:13 (state 5) [else] 5: proc 3 (lock) model:17 (state 7) [now.z=plock- 6: proc 3 (lock) model:19 (state 11) [else] 7: proc 3 (lock) model:23 (state 13) [now.y=plock- 8: proc 3 (lock) model:25 (state 17) [else] 9: proc 3 (lock) model:30 (state 19) [q!0] 10: proc 0 (user) model:34 (state 2) [q?0] 11: proc 3 (lock) -:0 (state 0) [-end-] 12: proc 2 (lock) model:11 (state 1) [now.x=plock- 13: proc 2 (lock) model:13 (state 5) [else] 14: proc 2 (lock) model:17 (state 7) [now.z=plock- 15: proc 2 (lock) model:19 (state 11) [else] 16: proc 2 (lock) model:23 (state 13) [now.y=plock- 17: proc 2 (lock) model:25 (state 17) [else] 18: proc 2 (lock) model:30 (state 19) [q!0] 19: proc 1 (user) model:34 (state 2) [q?0] 20: proc 2 (lock) -:0 (state 0) [-end-] 21: proc 1 (user) model:35 (state 3) [cnt = (cnt+1)] 22: proc 1 (user) model:36 (state 4) 23: proc 0 (user) model:35 (state 3) [cnt = (cnt+1)] pan:1: assertion violated (cnt==1) (at depth 24) spin: trail ends after 24 steps #processes 2: 24: proc 0 (user) model:36 (state 4) (invalid end state) assert((cnt==1)) 24: proc 1 (user) model:37 (state 5) (invalid end state) cnt = (cnt-1) global vars: int x: 1 int y: 1 int z: 1 int w64: 0 int builtin_va_list: 0 byte cnt: 2 local vars proc 0 (user): chan q (=1): len 0: local vars proc 1 (user): chan q (=2): len 0:. Fig. 7. output generated by./pan r $ spin -t -p model Starting lock with pid 2 1: proc 1 (user) model:34 (state 1) [(run Starting lock with pid 3 2: proc 0 (user) model:34 (state 1) [(run c_code1: { now.x=plock->pid; 3: proc 3 (lock) model:11 (state 1) [{c_code1] 4: proc 3 (lock) model:15 (state 4) [else] c_code3: { now.z=plock->pid; 5: proc 3 (lock) model:17 (state 7) [{c_code3] 6: proc 3 (lock) model:21 (state 10) [else] c_code5: { now.y=plock->pid; 7: proc 3 (lock) model:23 (state 13) [{c_code5] 8: proc 3 (lock) model:27 (state 16) [else] 9: proc 3 (lock) model:30 (state 19) [q!0]
5 International Journal of Electrical & Computer Sciences IJECS-IJENS Vol: 11 No: : proc 0 (user) model:34 (state 2) [q?0] 11: proc 3 terminates c_code1: { now.x=plock->pid; 12: proc 2 (lock) model:11 (state 1) [{c_code1] 13: proc 2 (lock) model:15 (state 4) [else] c_code3: { now.z=plock->pid; 14: proc 2 (lock) model:17 (state 7) [{c_code3] 15: proc 2 (lock) model:21 (state 10) [else] c_code5: { now.y=plock->pid; 16: proc 2 (lock) model:23 (state 13) [{c_code5] 17: proc 2 (lock) model:27 (state 16) [else] 18: proc 2 (lock) model:30 (state 19) [q!0] 19: proc 1 (user) model:34 (state 2) [q?0] 20: proc 2 terminates 21: proc 1 (user) model:35 (state 3) [cnt = (cnt+1)] 22: proc 1 (user) model:36 (state 4) 23: proc 0 (user) model:35 (state 3) [cnt = (cnt+1)] spin: model:36, Error: assertion violated spin: text of failed assertion: assert((cnt==1)) 24: proc 0 (user) model:36 (state 4) spin: trail ends after 24 steps #processes: 2 x = 0 y = 0 z = 0 w64 = 0 builtin_va_list = 0 cnt = 2 24: proc 1 (user) model:37 (state 5) 24: proc 0 (user) model:37 (state 5) 4 processes created. Fig. 8. The verier produced the above information with./pan t t model Model checking is a formal method that can facilitate learning important CS concepts like concurrency, verication, and nodeterminism. Just as importantly, model checking can motivate the study of discrete mathematics and theoretical computer science by showing how they are used in a real-world application: automata theory, logic, graph theory, hashing functions, and data compression. Although Spin is a professional software tool widely used in industry, the simple and clean syntax and semantics of Promela, and the ease of running simulations and verications make it ideal as a teaching tool, and there are some other tools such as ispin, jspin and Erigone to simply the use of model checking even further. In MODEX, still there have some limitations present in the translation process from C to Promela code. So, we need to consider this issue more carefully to make it more reliable and efficient for SPIN model checker. REFERENCES [1] Holzmann, G.J, From code to models, Application of Concurrency to System Design, Proceedings.2001 International Conference on Digital Object.Publication Year: 2001,Page(s): [2] G.J. Holzmann, The model checker Spin, IEEE Trans. On Software Engineering, Vol. 23, No. 5, May 1997, pp [3] GERARD J. HOLZMANN and MARGARET H. SMITH Software Model Checking Invited paper to the FORTE/PSTV Conference, October 1999, Beijing, China. [4] Spin home page: [5] modex home page: [6] Mordechai (Moti) Ben-Ari A primer on model checking. ACM Inroads 1(1), 2010, [7] An automated verication method for distributed systems software based of model extraction by Gerard J. Holzmann and Margaret H. Smith, IEEE transaction on software Engineering Vol. 28, No. 4 April 2002 [8] S. Burckhardt. Memory Model Sensitive Analysis of Concurrent Data Types. PhD thesis, Univ. of Pennsylvania, In figure 8, the assertion is violated at the end, but this is merely because it was hardwired to fail. None of the C data objects referenced were ever created during this run, and thus none of them had any values that were effectively assigned to them at the end. Note also that the text of the c_code fragment that is numbered c_code5 here is printed out, but that the print statement that it contains is not itself executed, or else the values printed would have shown up in the output near this line. V. CONCLUSIONS The method we have pronounced for verying reactive software applications combines data abstraction with implementation level verication. The user provides a test harness, written in the language of the model checker, that non-deterministically selects inputs for the application that can drive it through all its relevant states. Correctness properties can be veried in the usual way: by making logical statements about reachable and unreachable states, or about feasible or infeasible executions. The state tracking capability allows us to perform full temporal logic verication on implementation level code.
EMBEDDED C CODE 17. SPIN Version 4 supports the inclusion of embedded C code into PROMELA models through the following fiv e new primitives:
EMBEDDED C CODE 17 The purpose of analysis is not to compel belief but rather to suggest doubt. (Imre Lakatos, Proofs and Refutations) SPIN Version 4 supports the inclusion of embedded C code into PROMELA
More informationThe SPIN Model Checker
The SPIN Model Checker Metodi di Verifica del Software Andrea Corradini Lezione 1 2013 Slides liberamente adattate da Logic Model Checking, per gentile concessione di Gerard J. Holzmann http://spinroot.com/spin/doc/course/
More informationComputer Lab 1: Model Checking and Logic Synthesis using Spin (lab)
Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab) Richard M. Murray Nok Wongpiromsarn Ufuk Topcu Calornia Institute of Technology AFRL, 25 April 2012 Outline Spin model checker: modeling
More informationPatrick Trentin Formal Methods Lab Class, March 03, 2017
Spin: Introduction Patrick Trentin patrick.trentin@unitn.it http://disi.unitn.it/trentin Formal Methods Lab Class, March 03, 2017 These slides are derived from those by Stefano Tonetta, Alberto Griggio,
More informationPatrick Trentin Formal Methods Lab Class, Feb 26, 2016
Spin: Introduction Patrick Trentin patrick.trentin@unitn.it http://disi.unitn.it/~trentin Formal Methods Lab Class, Feb 26, 2016 These slides are derived from those by Stefano Tonetta, Alberto Griggio,
More informationThe Spin Model Checker : Part I/II
The Spin Model Checker : Part I/II Moonzoo Kim CS Dept. KAIST Korea Advanced Institute of Science and Technology Motivation: Tragic Accidents Caused by SW Bugs 2 Cost of Software Errors June 2002 Software
More informationSPIN: Introduction and Examples
SPIN: Introduction and Examples Alessandra Giordani agiordani@disi.unitn.it http://disi.unitn.it/~agiordani Formal Methods Lab Class, September 28, 2014 *These slides are derived from those by Stefano
More informationMP 6 Modeling in Promela and SPIN
MP 6 Modeling in Promela and SPIN CS 477 Spring 2018 Revision 1.0 Assigned April 23, 2018 Due May 2, 2018, 9:00 PM Extension 48 hours (penalty 20% of total points possible) 1 Change Log 1.0 Initial Release.
More informationFormal Methods for Software Development
Formal Methods for Software Development Verification with Spin Wolfgang Ahrendt 07 September 2018 FMSD: Spin /GU 180907 1 / 34 Spin: Previous Lecture vs. This Lecture Previous lecture Spin appeared as
More informationModel-Checking Concurrent Systems. The Model Checker Spin. The Model Checker Spin. Wolfgang Schreiner
Model-Checking Concurrent Systems Wolfgang Schreiner Wolfgang.Schreiner@risc.jku.at Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria http://www.risc.jku.at 1.
More informationThe SPIN Model Checker
The SPIN Model Checker Metodi di Verifica del Software Andrea Corradini GianLuigi Ferrari Lezione 3 2011 Slides per gentile concessione di Gerard J. Holzmann 2 the do-statement do :: guard 1 -> stmnt 1.1
More informationINF5140: Specification and Verification of Parallel Systems
INF5140: Specification and Verification of Parallel Systems Lecture 09 Defining Correctness Claims Gerar Schneider Department of Informatics University of Oslo INF5140, Spring 2007 Gerar Schneider (Ifi,
More informationModel-Checking Concurrent Systems
Model-Checking Concurrent Systems Wolfgang Schreiner Wolfgang.Schreiner@risc.jku.at Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria http://www.risc.jku.at Wolfgang
More informationThe Spin Model Checker : Part I. Moonzoo Kim KAIST
The Spin Model Checker : Part I Moonzoo Kim KAIST Hierarchy of SW Coverage Criteria Complete Value Coverage CVC (SW) Model checking Complete Path Coverage CPC Concolic testing All-DU-Paths Coverage ADUP
More informationUsing Spin to Help Teach Concurrent Programming
Using Spin to Help Teach Concurrent Programming John Regehr May 1, 1998 1 Introduction and Motivation Writing correct concurrent programs is very difficult; race conditions, deadlocks, and livelocks can
More informationTool demonstration: Spin
Tool demonstration: Spin 1 Spin Spin is a model checker which implements the LTL model-checking procedure described previously (and much more besides). Developed by Gerard Holzmann of Bell Labs Has won
More informationThe Design of a Distributed Model Checking Algorithm for Spin
The Design of a Distributed Model Checking Algorithm for Spin Gerard J. Holzmann http://eis.jpl.nasa.gov/lars http://spinroot.com/gerard/ Presented at FMCAD 2006, San Jose, California November 14, 2006
More informationFormal Specification and Verification
Formal Specification and Verification Model Checking with Temporal Logic Bernhard Beckert Based on a lecture by Wolfgang Ahrendt and Reiner Hähnle at Chalmers University, Göteborg Formal Specification
More informationApplications of Formal Verification
Applications of Formal Verification Model Checking: Introduction to PROMELA Bernhard Beckert Mattias Ulbrich SS 2017 KIT INSTITUT FÜR THEORETISCHE INFORMATIK KIT University of the State of Baden-Württemberg
More informationPromela and SPIN. Mads Dam Dept. Microelectronics and Information Technology Royal Institute of Technology, KTH. Promela and SPIN
Promela and SPIN Mads Dam Dept. Microelectronics and Information Technology Royal Institute of Technology, KTH Promela and SPIN Promela (Protocol Meta Language): Language for modelling discrete, event-driven
More informationApplications of Formal Verification
Applications of Formal Verification Model Checking: Introduction to PROMELA Prof. Dr. Bernhard Beckert Dr. Vladimir Klebanov SS 2012 KIT INSTITUT FÜR THEORETISCHE INFORMATIK KIT University of the State
More informationA Tutorial on Model Checker SPIN
A Tutorial on Model Checker SPIN Instructor: Hao Zheng Department of Computer Science and Engineering University of South Florida Tampa, FL 33620 Email: haozheng@usf.edu Phone: (813)974-4757 Fax: (813)974-5456
More informationApplications of Formal Verification
Applications of Formal Verification Model Checking: Introduction to PROMELA Prof. Dr. Bernhard Beckert Dr. Vladimir Klebanov SS 2010 KIT INSTITUT FÜR THEORETISCHE INFORMATIK KIT University of the State
More informationDistributed Systems Programming (F21DS1) SPIN: Formal Analysis I
Distributed Systems Programming (F21DS1) SPIN: Formal Analysis I Andrew Ireland Department of Computer Science School of Mathematical and Computer Sciences Heriot-Watt University Edinburgh Overview Introduce
More informationCS477 Formal Software Development Methods / 32
CS477 Formal Software Development Methods 2112 SC, UIUC egunter@illinois.edu http://courses.engr.illinois.edu/cs477 SPIN Beginners Tutorial April 13, 2018 Assertion Violation: mutextwrong1.pml bit flag;
More informationFormal Methods for Software Development
Formal Methods for Software Development Model Checking with Temporal Logic Wolfgang Ahrendt 21st September 2018 FMSD: Model Checking with Temporal Logic /GU 180921 1 / 37 Model Checking Check whether a
More informationCopyright 2008 CS655 System Modeling and Analysis. Korea Advanced Institute of Science and Technology
The Spin Model Checker : Part I Copyright 2008 CS655 System Korea Advanced Institute of Science and Technology System Spec. In Promela Req. Spec. In LTL Overview of the Spin Architecture Spin Model pan.c
More informationTesting Concurrent Programs: Model Checking SPIN. Bengt Jonsson
Testing Concurrent Programs: Model Checking SPIN Bengt Jonsson Model Checking Section Weeks 15 and 16. Goal: Understand and use the basics of Model checking, using state space exploration Modeling parallel
More informationFormal Specification and Verification
Formal Specification and Verification Introduction to Promela Bernhard Beckert Based on a lecture by Wolfgang Ahrendt and Reiner Hähnle at Chalmers University, Göteborg Formal Specification and Verification:
More information4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271
Mel Checking LTL Property System Mel Mel Checking CS 4271 Mel Checking OR Abhik Roychoudhury http://www.comp.nus.edu.sg/~abhik Yes No, with Counter-example trace 2 Recap: Mel Checking for mel-based testing
More informationFormal Modeling for Persistence Checking of Signal Transition Graph Specification with Promela
, March 15-17, 2017, Hong Kong Formal Modeling for Persistence Checking of Signal Transition Graph Specification with Promela Kanut Boonroeangkaow, Arthit Thongtak and Wiwat Vatanawood Abstract Signal
More informationProving Dekker with SPIN and PROMELA
15-410...fairness disabled... Proving Dekker with SPIN and PROMELA Joshua Wise With help from Greg Hartman L36_SPIN 1 Synchronization Project 4 due Wednesday Everyone having fun? Kernel interviews If you
More informationSoftware Engineering using Formal Methods
Software Engineering using Formal Methods Introduction to Promela Wolfgang Ahrendt & Richard Bubel & Reiner Hähnle & Wojciech Mostowski 31 August 2011 SEFM: Promela /GU 110831 1 / 35 Towards Model Checking
More informationComputer Lab 1: Model Checking and Logic Synthesis using Spin (lab)
Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab) Richard M. Murray Nok Wongpiromsarn Ufuk Topcu California Institute of Technology EECI 19 Mar 2013 Outline Spin model checker: modeling
More informationPrinciples of Protocol Design. MVP10 plan. What is a protocol? Typical SPIN applications. The three parts of a protocol description
Principles of Protocol Design MVP10 plan Protocol design principles with examples: Lynch s protocol Tanenbaum protocol 2 Tanenbaum protocol 4 Mutual exclusion in a distributed environment: Lamports algorithm
More informationSoftware Engineering using Formal Methods
Software Engineering using Formal Methods Introduction to Promela Wolfgang Ahrendt 03 September 2015 SEFM: Promela /GU 150903 1 / 36 Towards Model Checking System Model Promela Program byte n = 0; active
More informationLecture 3 SPIN and Promela
Lecture 3 SPIN and Promela 1 What is SPIN(Simple Promela INterpreter) A tool for analyzing mels of concurrent systems Mels described in Promela Language with concurrent processes Communication via shared
More informationCS477 Formal Software Development Methods / 39
CS477 Formal Software Development Methods 2112 SC, UIUC egunter@illinois.edu http://courses.engr.illinois.edu/cs477 SPIN Beginners Tutorial April 11, 2018 Hello World /* A "Hello World" Promela model for
More informationINF672 Protocol Safety and Verification. Karthik Bhargavan Xavier Rival Thomas Clausen
INF672 Protocol Safety and Verication Karthik Bhargavan Xavier Rival Thomas Clausen 1 Course Outline Lecture 1 [Today, Sep 15] Introduction, Motivating Examples Lectures 2-4 [Sep 22,29, Oct 6] Network
More informationWhat is SPIN(Simple Promela Interpreter) Material About SPIN. Elements of Promela. Basic Variables and Types. Typical Structure of Promela Model
What is SPIN(Simple Promela Interpreter) Lecture 3 SPIN and Promela A tool for analyzing mels of reactive systems Mels described in Promela Language with concurrent processes, Communication via channels,
More informationWhat is SPIN(Simple Promela Interpreter) Elements of Promela. Material About SPIN. Basic Variables and Types. Typical Structure of Promela Model
What is SPIN(Simple Promela Interpreter) Lecture XX SPIN and Promela A tool for analyzing mels of reactive systems Mels described in Promela Language with concurrent processes, Communication via channels,
More informationSPIN, PETERSON AND BAKERY LOCKS
Concurrent Programs reasoning about their execution proving correctness start by considering execution sequences CS4021/4521 2018 jones@scss.tcd.ie School of Computer Science and Statistics, Trinity College
More informationFormal Verification by Model Checking
Formal Verication by Model Checking Jonathan Aldrich Carnegie Mellon University Based on slides developed by Natasha Sharygina 17-654/17-754: Analysis of Software Artacts Spring 2006 1 CTL Model Checking
More informationNetwork Protocol Design and Evaluation
Network Protocol Design and Evaluation 05 - Validation, Part I Stefan Rührup Summer 2009 Overview In the last lectures: Specification of protocols and data/message formats In this chapter: Building a validation
More informationAutomated Reasoning. Model Checking with SPIN (II)
Automated Reasoning Model Checking with SPIN (II) Alan Bundy page 1 Verifying Global Properties Assertions can be used to verify a property locally For example, place assert(memreturned) at the end of
More informationDistributed Systems Programming (F21DS1) SPIN: Formal Analysis II
Distributed Systems Programming (F21DS1) SPIN: Formal Analysis II Andrew Ireland Department of Computer Science School of Mathematical and Computer Sciences Heriot-Watt University Edinburgh Overview Introduce
More informationOn Nested Depth First Search
DIMACS Series in Discrete Mathematics and Theoretical Computer Science Volume 32, 1997 On Nested Depth First Search Gerard J. Holzmann, Doron Peled, and Mihalis Yannakakis The SPIN. ABSTRACT. We show in
More informationLogic Model Checking
Logic Model Checking Lecture Notes 17:18 Caltech 101b.2 January-March 2005 Course Text: The Spin Model Checker: Primer and Reference Manual Addison-Wesley 2003, ISBN 0-321-22862-6, 608 pgs. checking omega
More informationSPIN: Part /614 Bug Catching: Automated Program Verification. Sagar Chaki November 12, Carnegie Mellon University
SPIN: Part 1 15-414/614 Bug Catching: Automated Program Verification Sagar Chaki November 12, 2012 What is This All About? Spin On-the-fly verifier developed at Bell-labs by Gerard Holzmann and others
More informationSpin: Overview of PROMELA
Spin: Overview of PROMELA Patrick Trentin patrick.trentin@unitn.it http://disi.unitn.it/trentin Formal Methods Lab Class, March 10, 2017 These slides are derived from those by Stefano Tonetta, Alberto
More informationDistributed Systems Programming (F21DS1) SPIN: Simple Promela INterpreter
Distributed Systems Programming (F21DS1) SPIN: Simple Promela INterpreter Andrew Ireland Department of Computer Science School of Mathematical and Computer Sciences Heriot-Watt University Edinburgh Overview
More informationSpin: Overview of PROMELA
Spin: Overview of PROMELA Patrick Trentin patrick.trentin@unitn.it http://disi.unitn.it/~trentin Formal Methods Lab Class, Mar 04, 2016 These slides are derived from those by Stefano Tonetta, Alberto Griggio,
More informationModel Driven Code Checking
Model Driven Code Checking Gerard J. Holzmann, Rajeev Joshi, Alex Groce Laboratory for Reliable Software Jet Propulsion Laboratory, 4800 Oak Grove Drive, Pasadena, CA 91109, USA Abstract. Model checkers
More informationIntroduction to Model Checking
Introduction to Model Checking René Thiemann Institute of Computer Science University of Innsbruck WS 2007/2008 RT (ICS @ UIBK) week 4 1/23 Outline Promela - Syntax and Intuitive Meaning Promela - Formal
More informationMotivation was to facilitate development of systems software, especially OS development.
A History Lesson C Basics 1 Development of language by Dennis Ritchie at Bell Labs culminated in the C language in 1972. Motivation was to facilitate development of systems software, especially OS development.
More informationPrinciples of Protocol Design MVP 10A 1
Principles of Protocol Design MVP 10A 1 MVP10 plan Protocol design principles with examples: Lynch s protocol Tanenbaum protocol 2 Tanenbaum protocol 4 Mutual exclusion in a distributed environment: Lamports
More informationAutomata-Theoretic LTL Model Checking. Emptiness of Büchi Automata
Automata-Theoretic LTL Model Checking Graph Algorithms for Software Model Checking (based on Arie Gurfinkel s csc2108 project) Automata-Theoretic LTL Model Checking p.1 Emptiness of Büchi Automata An automation
More informationDesign of Internet Protocols:
CSCI 234 Design of Internet Protocols: George Blankenship George Blankenship 1 Outline Verication and Validation History and motivation Spin Promela language Promela model George Blankenship 2 Verication
More informationFORMAL METHODS IN NETWORKING COMPUTER SCIENCE 598D, SPRING 2010 PRINCETON UNIVERSITY LIGHTWEIGHT MODELING IN PROMELA/SPIN AND ALLOY
FORMAL METHODS IN NETWORKING COMPUTER SCIENCE 598D, SPRING 2010 PRINCETON UNIVERSITY LIGHTWEIGHT MODELING IN PROMELA/SPIN AND ALLOY Pamela Zave AT&T Laboratories Research Florham Park, New Jersey, USA
More informationSPIN part 2. Verification with LTL. Jaime Ramos. Departamento de Matemática, Técnico, ULisboa
SPIN part 2 Verification with LTL Jaime Ramos Departamento de Matemática, Técnico, ULisboa Borrowed from slides by David Henriques, Técnico, ULisboa LTL model checking How Spin works Checks non-empty intersection
More informationMulti-Threaded System int x, y, r; int *p, *q, *z; int **a; EEC 421/521: Software Engineering. Thread Interleaving SPIN. Model Checking using SPIN
EEC 421/521: Software Engineering Model Checking using SPIN 4/29/08 EEC 421/521: Software Engineering 1 Multi-Threaded System int x, y, r; int *p, *q, *z; int **a; thread_1(void) /* initialize p, q, and
More informationModel checking Timber program. Paweł Pietrzak
Model checking Timber program Paweł Pietrzak 1 Outline Background on model checking (spam?) The SPIN model checker An exercise in SPIN - model checking Timber Deriving finite models from Timber programs
More informationT Parallel and Distributed Systems (4 ECTS)
T 79.4301 Parallel and Distributed Systems (4 ECTS) T 79.4301 Rinnakkaiset ja hajautetut järjestelmät (4 op) Lecture 3 4th of February 2008 Keijo Heljanko Keijo.Heljanko@tkk.fi T 79.4301 Parallel and Distributed
More informationFormal Verification of Process Communications in Operational Flight Program for a Small-Scale Unmanned Helicopter
Formal Verication of Process Communications in Operational Flight Program for a Small-Scale Unmanned Helicopter Dong-Ah Lee 1, Junbeom Yoo 2 and Doo-Hyun Kim 3 1, 2 School of Computer Science and Engineering
More informationCover Page. The handle holds various files of this Leiden University dissertation
Cover Page The handle http://hdl.handle.net/1887/22891 holds various files of this Leiden University dissertation Author: Gouw, Stijn de Title: Combining monitoring with run-time assertion checking Issue
More informationLecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking
CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking Instructor: Tevfik Bultan Buchi Automata Language
More informationProgram Correctness and Efficiency. Chapter 2
Program Correctness and Efficiency Chapter 2 Chapter Objectives To understand the differences between the three categories of program errors To understand the effect of an uncaught exception and why you
More informationHSF-SPIN User Manual
HSF-SPIN User Manual Institut für Informatik Albert-Ludwigs-Universität Georges-Köhler-Allee D-79110 Freiburg email: {edelkamp,lafuente}@informatik.uni-freiburg.de March 22, 2006 Contents 1 Introduction
More informationMapping of UML Diagrams to Extended Petri Nets for Formal Verification
Grand Valley State University ScholarWorks@GVSU Masters Theses Graduate Research and Creative Practice 8-2013 Mapping of UML Diagrams to Exted Petri Nets for Formal Verification Byron DeVries Grand Valley
More informationStanford University Computer Science Department CS 295 midterm. May 14, (45 points) (30 points) total
Stanford University Computer Science Department CS 295 midterm May 14, 2008 This is an open-book exam. You have 75 minutes. Write all of your answers directly on the paper. Make your answers as concise
More informationMASSACHUSETTS INSTITUTE OF TECHNOLOGY Computer Systems Engineering: Spring Quiz I Solutions
Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.033 Computer Systems Engineering: Spring 2011 Quiz I Solutions There are 10 questions and 12 pages in this
More informationDesign and Analysis of Distributed Interacting Systems
Design and Analysis of Distributed Interacting Systems Lecture 5 Linear Temporal Logic (cont.) Prof. Dr. Joel Greenyer May 2, 2013 (Last Time:) LTL Semantics (Informally) LTL Formulae are interpreted on
More informationSource Code Formal Verification. Riccardo Sisto, Politecnico di Torino
Source Code Formal Verification Riccardo Sisto, Politecnico di Torino Formal Verification: Not Just High-Level Models How to improve correctness up to the coding phase? Possible solutions: Automatic code
More informationDirected Model Checking for PROMELA with Relaxation-Based Distance Functions
Directed Model Checking for PROMELA with Relaxation-Based Distance Functions Ahmad Siyar Andisha and Martin Wehrle 2 and Bernd Westphal Albert-Ludwigs-Universität Freiburg, Germany {andishaa,westphal}@informatik.uni-freiburg.de
More informationModel Checking DSL-Generated C Source Code
Model Checking DSL-Generated C Source Code Martin Sulzmann and Axel Zechner Informatik Consulting Systems AG, Germany {martin.sulzmann,axel.zechner}@ics-ag.de Abstract. We report on the application of
More informationVerification Using Static Analysis
Verification Using Static Analysis Outline Today we will discuss static analysis and how it differs from dynamic analysis We will also look at the different types of static analysis including: Control
More informationA Short Summary of Javali
A Short Summary of Javali October 15, 2015 1 Introduction Javali is a simple language based on ideas found in languages like C++ or Java. Its purpose is to serve as the source language for a simple compiler
More information[module 2.2] MODELING CONCURRENT PROGRAM EXECUTION
v1.0 20130407 Programmazione Avanzata e Paradigmi Ingegneria e Scienze Informatiche - UNIBO a.a 2013/2014 Lecturer: Alessandro Ricci [module 2.2] MODELING CONCURRENT PROGRAM EXECUTION 1 SUMMARY Making
More informationMore on Verification and Model Checking
More on Verification and Model Checking Wednesday Oct 07, 2015 Philipp Rümmer Uppsala University Philipp.Ruemmer@it.uu.se 1/60 Course fair! 2/60 Exam st October 21, 8:00 13:00 If you want to participate,
More informationData-Flow Analysis Foundations
CS 301 Spring 2016 Meetings April 11 Data-Flow Foundations Plan Source Program Lexical Syntax Semantic Intermediate Code Generation Machine- Independent Optimization Code Generation Target Program This
More informationLTL Reasoning: How It Works
Distributed Systems rogramming F21DS1 LTL Reasoning: How It Works Andrew Ireland School of Mathematical and Computer Sciences Heriot-Watt University Edinburgh Distributed Systems rogramming F21DS1 2 Overview
More informationJava PathFinder JPF 2 Second Generation of Java Model Checker
Java PathFinder JPF 2 Second Generation of Java Model Checker Guenther Brand Mat. Nr. 9430535 27. 06. 2003 Abstract This essay is based on the papers Java PathFinder, Second Generation of Java Model Checker
More informationCS558 Programming Languages
CS558 Programming Languages Winter 2017 Lecture 7b Andrew Tolmach Portland State University 1994-2017 Values and Types We divide the universe of values according to types A type is a set of values and
More informationSingle-pass Static Semantic Check for Efficient Translation in YAPL
Single-pass Static Semantic Check for Efficient Translation in YAPL Zafiris Karaiskos, Panajotis Katsaros and Constantine Lazos Department of Informatics, Aristotle University Thessaloniki, 54124, Greece
More informationSymbolic Execution, Dynamic Analysis
Symbolic Execution, Dynamic Analysis http://d3s.mff.cuni.cz Pavel Parízek CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics Symbolic execution Pavel Parízek Symbolic Execution, Dynamic Analysis
More informationDepartment of Computer Science. COS 122 Operating Systems. Practical 3. Due: 22:00 PM
Department of Computer Science COS 122 Operating Systems Practical 3 Due: 2018-09-13 @ 22:00 PM August 30, 2018 PLAGIARISM POLICY UNIVERSITY OF PRETORIA The Department of Computer Science considers plagiarism
More informationCS5232 Formal Specification and Design Techniques. Using PAT to verify the Needham-Schroeder Public Key Protocol
CS5232 Formal Specification and Design Techniques Using PAT to verify the Needham-Schroeder Public Key Protocol Semester 2, AY 2008/2009 1/37 Table of Contents 1. Project Introduction 3 2. Building the
More informationGuidelines for Writing C Code
Guidelines for Writing C Code Issue 01-bugfix Martin Becker Institute for Real-Time Computer Systems (RCS) Technische Universität München becker@rcs.ei.tum.de June 9, 2014 Contents 1 Introduction 1 2 Pragmatic
More informationTOWARDS AUTOMATED VERIFICATION OF WEB SERVICES
TOWARDS AUTOMATED VERIFICATION OF WEB SERVICES Cátia Vaz INESC-ID Lisboa, ISEL-IPL Rua Alves Redol 9, 1000-029 Lisboa cvaz@cc.isel.ipl.pt Carla Ferreira INESC-ID, IST-UTL Rua Alves Redol 9, 1000-029 Lisboa
More informationNetwork Protocol Design and Evaluation
Network Protocol Design and Evaluation 05 - Validation, Part III Stefan Rührup Summer 2009 Overview In the first parts of this chapter: Validation models in Promela Defining and checking correctness claims
More informationMotivation was to facilitate development of systems software, especially OS development.
A History Lesson C Basics 1 Development of language by Dennis Ritchie at Bell Labs culminated in the C language in 1972. Motivation was to facilitate development of systems software, especially OS development.
More informationLeveraging DTrace for runtime verification
Leveraging DTrace for runtime verification Carl Martin Rosenberg June 7th, 2016 Department of Informatics, University of Oslo Context: Runtime verification Desired properties System Every request gets
More informationSystem Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements
System Correctness EEC 421/521: Software Engineering A Whirlwind Intro to Software Model Checking A system is correct when it meets its requirements a design without requirements cannot be right or wrong,
More informationType Checking and Type Equality
Type Checking and Type Equality Type systems are the biggest point of variation across programming languages. Even languages that look similar are often greatly different when it comes to their type systems.
More informationDealing with Issues for Interprocess Communication
Dealing with Issues for Interprocess Communication Ref Section 2.3 Tanenbaum 7.1 Overview Processes frequently need to communicate with other processes. In a shell pipe the o/p of one process is passed
More informationModeling and Verification of Extensible Authentication Protocol for Transport Layer Security in Wireless LAN Environment
Modeling and Verification of Extensible Authentication Protocol for Transport Layer Security in Wireless LAN Environment Humayra Binte Ali School of CSEM, Flinders University ali0041@flinders.edu.au Manzur
More informationThe Maude LTL Model Checker and Its Implementation
The Maude LTL Model Checker and Its Implementation Steven Eker 1,José Meseguer 2, and Ambarish Sridharanarayanan 2 1 Computer Science Laboratory, SRI International Menlo Park, CA 94025 eker@csl.sri.com
More informationSiegfried Loer and Ahmed Serhrouchni. Abstract. SPIN is a tool to simulate and validate Protocols. PROMELA, its
DIMACS Series in Discrete Mathematics and Theoretical Computer Science Volume 00, 19xx Creating Implementations from PROMELA Models Siegfried Loer and Ahmed Serhrouchni Abstract. SPIN is a tool to simulate
More informationSEMANTIC ANALYSIS TYPES AND DECLARATIONS
SEMANTIC ANALYSIS CS 403: Type Checking Stefan D. Bruda Winter 2015 Parsing only verifies that the program consists of tokens arranged in a syntactically valid combination now we move to check whether
More informationLogical Consistency Validation Tools for Distributed Systems
Logical Consistency Validation Tools for Distributed Systems Original Scientific Paper Drago Žagar J. J. Strossmayer University of Osijek, Faculty of Electrical Engineering Kneza Trpimira bb, Osijek, Croatia
More information