formal methods & tools.

Similar documents
HIGH-PERFORMANCE SYMBOLIC MODEL CHECKING 10 YEARS OF LTSmin

Proceedings of the 12th International Workshop on Automated Verification of Critical Systems (AVoCS 2012)

Partial-Order Reduction for Multi-Core LTL Model Checking

LTSmin: High-Performance Language-Independent Model Checking

LTSMIN: Distributed and Symbolic Reachability

Copyright 2008 CS655 System Modeling and Analysis. Korea Advanced Institute of Science and Technology

Multi-Core Reachability for Timed Automata

Parallel Model Checking of ω-automata

The Spin Model Checker : Part I/II

Logic Model Checking

The SPIN Model Checker

4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271

A Tutorial on Model Checker SPIN

Distributed LTL Model Checking with Hash Compaction 1

arxiv: v2 [cs.ds] 14 May 2011

Modeling a Cache Coherence Protocol with the Guarded Action Language

Programming Assignment

Model-Checking Concurrent Systems. The Model Checker Spin. The Model Checker Spin. Wolfgang Schreiner

Distributed Systems Programming (F21DS1) SPIN: Formal Analysis I

Multi-core Reachability for Timed Automata

Model-Checking Concurrent Systems

Design and Analysis of Distributed Interacting Systems

THE MODEL CHECKER SPIN

Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab)

The Spin Model Checker : Part I. Moonzoo Kim KAIST

The Maude LTL Model Checker and Its Implementation

Distributed Binary Decision Diagrams for Symbolic Reachability

INF672 Protocol Safety and Verification. Karthik Bhargavan Xavier Rival Thomas Clausen

Sylvan: Multi-core Decision Diagrams

Temporal Logic and Timed Automata

Network Protocol Design and Evaluation

The SpinJ Model Checker

CAV th July 2013 Saint Petersburg, Russia. PSyHCoS. Parameter Synthesis for Hierarchical Concurrent Real-Time Systems

The Parallelization of Binary Decision Diagram operations for model checking

Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab)

Multi-core SCC-Based LTL Model Checking

Automated Refinement Checking of Asynchronous Processes. Rajeev Alur. University of Pennsylvania

Network Protocol Design and Evaluation

UPPAAL. Verification Engine, Options & Patterns. Alexandre David

SPIN s Promela to Java Compiler, with help from Stratego

Tutorial on Model Checking Modelling and Verification in Computer Science

Computer Aided Verification 2015 The SPIN model checker

arxiv: v2 [cs.dc] 5 May 2010

COMP 763. Eugene Syriani. Ph.D. Student in the Modelling, Simulation and Design Lab School of Computer Science. McGill University

Symbolic Model Checking of Timed Automata using LTSmin

CS477 Formal Software Development Methods / 39

Hello World. Slides mostly a reproduction of Theo C. Ruys SPIN Beginners Tutorial April 23, Hello() print "Hello"

Context-Switch-Directed Verification in DIVINE

Software Engineering using Formal Methods

Combining Complementary Formal Verification Strategies to Improve Performance and Accuracy

SPIN: Introduction and Examples

Tagged BDDs: Combining Reduction Rules from Different Decision Diagram Types

Formal Specification and Verification

CS477 Formal Software Development Methods / 32

A Verification Approach for GALS Integration of Synchronous Components

Formal Verification by Model Checking

Research Collection. Formal background and algorithms. Other Conference Item. ETH Library. Author(s): Biere, Armin. Publication Date: 2001

Patrick Trentin Formal Methods Lab Class, Feb 26, 2016

Software Engineering using Formal Methods

Multi-Threaded System int x, y, r; int *p, *q, *z; int **a; EEC 421/521: Software Engineering. Thread Interleaving SPIN. Model Checking using SPIN

Bonsai: Cutting Models Down to Size

Patrick Trentin Formal Methods Lab Class, March 03, 2017

Model checking Timber program. Paweł Pietrzak

SPIN, PETERSON AND BAKERY LOCKS

Promela and SPIN. Mads Dam Dept. Microelectronics and Information Technology Royal Institute of Technology, KTH. Promela and SPIN

Modelling Without a Modelling Language

Automata-Theoretic LTL Model Checking. Emptiness of Büchi Automata

The Design of a Distributed Model Checking Algorithm for Spin

Directed Model Checking for PROMELA with Relaxation-Based Distance Functions

Tool demonstration: Spin

Lecture 3 SPIN and Promela

EMBEDDED C CODE 17. SPIN Version 4 supports the inclusion of embedded C code into PROMELA models through the following fiv e new primitives:

INF5140: Specification and Verification of Parallel Systems

Model Checking Revision: Model Checking for Infinite Systems Revision: Traffic Light Controller (TLC) Revision: 1.12

A Case Study for CTL Model Update

A Concurrent Bidirectional Linear Probing Algorithm

Towards Promela verification using VerICS

Model Requirements and JAVA Programs MVP 2 1

Spin: Overview of PROMELA

Improving Parallel State-Space Exploration Using Genetic Algorithms

Improved BDD-based Discrete Analysis of Timed Systems

Applying Multi-Core Model Checking to Hardware-Software Partitioning in Embedded Systems

Design of Internet Protocols:

SPIN: Part /614 Bug Catching: Automated Program Verification. Sagar Chaki November 12, Carnegie Mellon University

TRIAL-EXAM Software Engineering using Formal Methods TDA293 (TDA292) / DIT270. Only dictionaries may be used. Other aids are not allowed!

Applications of Formal Verification

Using Decision Diagrams to Compactly Represent the State Space for Explicit Model Checking

Spin: Overview of PROMELA

What is SPIN(Simple Promela Interpreter) Elements of Promela. Material About SPIN. Basic Variables and Types. Typical Structure of Promela Model

Transforming UML Collaborating Statecharts for Verification and Simulation

Efficient Large-Scale Model Checking

Applications of Formal Verification

Context-Switch-Directed Verification in DIVINE

Building Graphical Promela Models using UPPAAL GUI

Source Code Formal Verification. Riccardo Sisto, Politecnico di Torino

Applications of Formal Verification

FORMAL METHODS IN NETWORKING COMPUTER SCIENCE 598D, SPRING 2010 PRINCETON UNIVERSITY LIGHTWEIGHT MODELING IN PROMELA/SPIN AND ALLOY

What is SPIN(Simple Promela Interpreter) Material About SPIN. Elements of Promela. Basic Variables and Types. Typical Structure of Promela Model

Towards an Explicit-State Model Checking Framework

Distributed Memory LTL Model Checking

Transcription:

UNIVERSITY OF TWENTE. formal methods & tools. SpinS: Extending LTSmin with Promela through SpinJa Alfons Laarman Joint with Freark van der Berg Sept 17, 2012 Imperial College, London, UK

Spin Model Checker Process Meta-Language (Promela) Spin s strengths Popular tool - early adopter of latest techniques Highly optimized C code UNIVERSITY OF TWENTE. SpinS: Extending LTSmin with Promela through SpinJa Sept 17, 2012 2 / 19

Spin Model Checker Process Meta-Language (Promela) Spin s strengths Popular tool - early adopter of latest techniques Highly optimized C code Weakness Hard to extend UNIVERSITY OF TWENTE. SpinS: Extending LTSmin with Promela through SpinJa Sept 17, 2012 2 / 19

SpinJa Model Checker A Java reimplementation of Spin by Mark de Jonge & Theo Ruys - University of Twente Strengths Layered OO Design - Easier to maintain & extend UNIVERSITY OF TWENTE. SpinS: Extending LTSmin with Promela through SpinJa Sept 17, 2012 3 / 19

SpinJa Model Checker A Java reimplementation of Spin by Mark de Jonge & Theo Ruys - University of Twente Strengths Layered OO Design - Easier to maintain & extend Weaknesses No parallel algorithms, no state compression, etc At least a factor 5 slower UNIVERSITY OF TWENTE. SpinS: Extending LTSmin with Promela through SpinJa Sept 17, 2012 3 / 19

Introducing the LTSmin Model Checker Initially, an LTS manipulation tool (explore, store, minimize). Developed at University of Twente Grown to a full-blown model checking tool set: Multi-core, Distributed, Symbolic, Sequential (algorithmic backends) LTL, CTL, µ-calculus, invariants, etc (properties) POR, state compression, saturation, chaining (optimizations) µcrl, mcrl2, DVE (DiVinE), UPPAAL, PBES, ETF (language frontends) UNIVERSITY OF TWENTE. SpinS: Extending LTSmin with Promela through SpinJa Sept 17, 2012 4 / 19

Goals LTSmin s goals 1 develop new model checking algorithms 2 reuse existing model checking algorithms 3 compare model checking algorithms UNIVERSITY OF TWENTE. SpinS: Extending LTSmin with Promela through SpinJa Sept 17, 2012 5 / 19

Goals LTSmin s goals 1 develop new model checking algorithms 2 reuse existing model checking algorithms 3 compare model checking algorithms Good Promela support enables reuse of our algorithms and a multitude of comparisons! UNIVERSITY OF TWENTE. SpinS: Extending LTSmin with Promela through SpinJa Sept 17, 2012 5 / 19

Approach SpinJa s and SpinS workflow: generate compile Model.prom parse SpinJa Model.java Model.class load SpinJa verify result

Approach SpinJa s and SpinS workflow: generate compile Model.prom parse SpinJa Model.java Model.class load SpinJa verify result generate compile parse load verify Model.prom SpinS Model.c Model.spins LTSmin result

Approach SpinJa s and SpinS workflow: generate compile Model.prom parse SpinJa Model.java Model.class load SpinJa verify result generate compile parse load verify Model.prom SpinS Model.c Model.spins LTSmin result pins UNIVERSITY OF TWENTE. SpinS: Extending LTSmin with Promela through SpinJa Sept 17, 2012 6 / 19

The Partitioned Next-State Interface pins defines: A state vector type: S : s 1,..., s n An initial state function: initial(): S A k-partitioned next-state function: next-state i (S): S A dependency matrix: D k n with D i,j 2 {read,write UNIVERSITY OF TWENTE. SpinS: Extending LTSmin with Promela through SpinJa Sept 17, 2012 7 / 19

The Partitioned Next-State Interface pins defines: A state vector type: S : s 1,..., s n An initial state function: initial(): S A k-partitioned next-state function: next-state i (S): S A dependency matrix: D k n with D i,j 2 {read,write A few additional dependency matrixes with guard-information for partial order reduction. UNIVERSITY OF TWENTE. SpinS: Extending LTSmin with Promela through SpinJa Sept 17, 2012 7 / 19

Promela Example (simplified) int x = 0; chan c; active proctype p1() { c?; proctype p2() { byte y = 1; c!; x = x + y; init { run p2(); x > 0; UNIVERSITY OF TWENTE. SpinS: Extending LTSmin with Promela through SpinJa Sept 17, 2012 8 / 19

From Promela to a pins state vector int x = 0; chan c; active proctype p1() { c?; proctype p2() { byte y = 1; c!; x = x + y; init { run p2(); x > 0; UNIVERSITY OF TWENTE. SpinS: Extending LTSmin with Promela through SpinJa Sept 17, 2012 9 / 19

From Promela to a pins state vector int x = 0; chan c; active proctype p1() { c?; proctype p2() { byte y = 1; c!; x = x + y; init { run p2(); x > 0; typedef struct state s { int x; struct proctype p1 { int pc; p1; struct proctype p2 { int pc; char y; p2; struct proctype init { init; state t; int pc; UNIVERSITY OF TWENTE. SpinS: Extending LTSmin with Promela through SpinJa Sept 17, 2012 9 / 19

From Promela to a pins state vector int x = 0; chan c; active proctype p1() { c?; proctype p2() { byte y = 1; c!; x = x + y; init { run p2(); x > 0; typedef struct state s { int x; struct proctype p1 { int pc; p1; struct proctype p2 { int pc; char y; p2; struct proctype init { init; state t; int pc; state t initial() { state t s = malloc(sizeof(state t)); s->x = 0; s->p1. pc = 0; s->p2. pc = 1; s->p2.y = 1; s->init. pc = 0; return s; UNIVERSITY OF TWENTE. SpinS: Extending LTSmin with Promela through SpinJa Sept 17, 2012 9 / 19

From Promela to a pins next-state and dependencies int x = 0; chan c; active proctype p1() { c?; proctype p2() { byte y = 1; c!; x = x + y; init { run p2(); x > 0; UNIVERSITY OF TWENTE. SpinS: Extending LTSmin with Promela through SpinJa Sept 17, 2012 10 / 19

From Promela to a pins next-state and dependencies int x = 0; chan c; active proctype p1() { c?; proctype p2() { byte y = 1; c!; x = x + y; init { run p2(); x > 0; x=x+y run x>0 c? c! p1 0 p1 0 p2 0 p2 1 p2 2 init 0 init 1 init 2 UNIVERSITY OF TWENTE. SpinS: Extending LTSmin with Promela through SpinJa Sept 17, 2012 10 / 19

From Promela to a pins next-state and dependencies int x = 0; chan c; active proctype p1() { c?; proctype p2() { byte y = 1; c!; x = x + y; init { run p2(); x > 0; x=x+y run x>0 c? c! p1 0 p1 0 c p2 0 p2 1 p2 2 c init 0 init 1 init 2 UNIVERSITY OF TWENTE. SpinS: Extending LTSmin with Promela through SpinJa Sept 17, 2012 10 / 19

From Promela to a pins next-state and dependencies c?/c! x=x+y run x>0 p* 0 p* 1 p2 2 init 0 init 1 init 2 UNIVERSITY OF TWENTE. SpinS: Extending LTSmin with Promela through SpinJa Sept 17, 2012 11 / 19

From Promela to a pins next-state and dependencies c?/c! x=x+y run x>0 p* 0 p* 1 p2 2 (1) (2) (3) (4) init 0 init 1 init 2 UNIVERSITY OF TWENTE. SpinS: Extending LTSmin with Promela through SpinJa Sept 17, 2012 11 / 19

From Promela to a pins next-state and dependencies c?/c! x=x+y run x>0 p* 0 p* 1 p2 2 (1) (2) (3) (4) state t next state(int i, state t in) { switch (i) {... case 2: if (in->p2. pc == 1) { state t out = malloc(sizeof(state t)); memcpy(out, in, sizeof(state t)); out->p2. pc = 2; out->x = out->x + out->p2.y; return out; break;... init 0 init 1 init 2 UNIVERSITY OF TWENTE. SpinS: Extending LTSmin with Promela through SpinJa Sept 17, 2012 11 / 19

From Promela to a pins next-state and dependencies c?/c! x=x+y run x>0 p* 0 p* 1 p2 2 (1) (2) (3) (4) state t next state(int i, state t in) { switch (i) {... case 2: if (in->p2. pc == 1) { state t out = malloc(sizeof(state t)); memcpy(out, in, sizeof(state t)); out->p2. pc = 2; out->x = out->x + out->p2.y; return out; break;... init 0 init 1 init 2 Dependency matrix: x p1 p2 y init 1 rw rw 2 rw rw r 3 rw rw 4 r rw UNIVERSITY OF TWENTE. SpinS: Extending LTSmin with Promela through SpinJa Sept 17, 2012 11 / 19

SpinS Extends SpinJa We extended SpinJa with: channel operations (empty, full, etc) user-defined structures (typedef) pre-defined variables ( pid and nr pr) channel polling and random receives (?[] and??), remote references (@) preprocessor (#if, #ifdef, #define f(a,b), inline, and #include) and others UNIVERSITY OF TWENTE. SpinS: Extending LTSmin with Promela through SpinJa Sept 17, 2012 12 / 19

SpinS Extends SpinJa We extended SpinJa with: channel operations (empty, full, etc) user-defined structures (typedef) pre-defined variables ( pid and nr pr) channel polling and random receives (?[] and??), remote references (@) preprocessor (#if, #ifdef, #define f(a,b), inline, and #include) and others We were able to correctly compile and verify: protocols BRP, Needham, I-protocol, Snoopy, SMCS, Chappe, x509 academic DBM, Phils, Peterson, pxxx, Bakery.7, Lynch, Chain, Sort controller FGS, Zune, Elevator2.3 and Relay BEEM all translated models from the BEEM database huge GARP protocol [Konnov, Vienna] UNIVERSITY OF TWENTE. SpinS: Extending LTSmin with Promela through SpinJa Sept 17, 2012 12 / 19

Experiments (Scalability with Multi-Core) Reachability with DiVinE, Spin and LTSmin using 48 cores Speedup 40 30 20 Legend divine table ltsmin cleary tree ltsmin table ltsmin tree spin hc spin nohc 10 0 0 10 20 30 40 50 Threads UNIVERSITY OF TWENTE. SpinS: Extending LTSmin with Promela through SpinJa Sept 17, 2012 13 / 19

Experiments (Scalability with Multi-Core) Reachability with DiVinE, Spin and LTSmin using 48 cores Speedup 40 30 20 10 0 Legend divine table ltsmin cleary tree ltsmin table ltsmin tree spin hc spin nohc 0 10 20 30 40 50 Threads 1.8 sec 6.3 sec 20 sec 100 sec UNIVERSITY OF TWENTE. SpinS: Extending LTSmin with Promela through SpinJa Sept 17, 2012 13 / 19

Experiments (Scalability with Multi-Core) Reachability with DiVinE, Spin and LTSmin using 48 cores Speedup 40 30 20 Legend divine table ltsmin cleary tree ltsmin table ltsmin tree spin hc spin nohc 1.8 sec 10 0 0 10 20 30 40 50 Threads 6.3 sec 20 sec 100 sec Promela model: Bakery protocol, other results: http://wwwhome.cs.utwente.nl/ laarman/papers/pdmc2012/ UNIVERSITY OF TWENTE. SpinS: Extending LTSmin with Promela through SpinJa Sept 17, 2012 13 / 19

Experiments (Memory usage) Compression tree: 8 byte per state cleary-tree: 4 byte per state hc: 4 byte per state (lossy) UNIVERSITY OF TWENTE. SpinS: Extending LTSmin with Promela through SpinJa Sept 17, 2012 14 / 19

Experiments (Memory usage) Compression tree: 8 byte per state cleary-tree: 4 byte per state hc: 4 byte per state (lossy) UNIVERSITY OF TWENTE. SpinS: Extending LTSmin with Promela through SpinJa Sept 17, 2012 14 / 19

Experiments (Memory usage) Compression tree: 8 byte per state cleary-tree: 4 byte per state hc: 4 byte per state (lossy) Spin DiVinE LTSmin hc nohc collapse table table tree cleary GARP1 1.5e+4 1.4e+5 4.9e+4 n/a 8.7e+3 1.1e+3 9.0e+2 Bakery.7 1.3e+4 9.0e+4 6.4e+3 4.8e+3 2.8e+3 4.0e+2 2.5e+2 Peterson4 5.7e+3 4.4e+4 5.5e+3 n/a 1.3e+3 1.5e+2 1.0e+2 UNIVERSITY OF TWENTE. SpinS: Extending LTSmin with Promela through SpinJa Sept 17, 2012 14 / 19

Experiments (LTL with Multi-Core) LTL with DiVinE (owcty), Spin (piggybag) and LTSmin (cndfs) using 48 cores Speedup 40 30 20 Legend divine owcty ltsmin cndfs spin pb 10 0 0 10 20 30 40 50 Threads UNIVERSITY OF TWENTE. SpinS: Extending LTSmin with Promela through SpinJa Sept 17, 2012 15 / 19

Experiments (LTL with Multi-Core) LTL with DiVinE (owcty), Spin (piggybag) and LTSmin (cndfs) using 48 cores Speedup 40 30 20 10 0 Legend divine owcty ltsmin cndfs spin pb 0 10 20 30 40 50 Threads Properties distr. on-the-fly exact cndfs - - ++ y owcty ++ + y piggybag + - - n UNIVERSITY OF TWENTE. SpinS: Extending LTSmin with Promela through SpinJa Sept 17, 2012 15 / 19

Experiments (LTL with Multi-Core) LTL with DiVinE (owcty), Spin (piggybag) and LTSmin (cndfs) using 48 cores Speedup 40 30 20 10 0 Legend divine owcty ltsmin cndfs spin pb 0 10 20 30 40 50 Threads Properties distr. on-the-fly exact cndfs - - ++ y owcty ++ + y piggybag + - - n Promela model: Elevator controllor http://wwwhome.cs.utwente.nl/ laarman/papers/pdmc2012/ UNIVERSITY OF TWENTE. SpinS: Extending LTSmin with Promela through SpinJa Sept 17, 2012 15 / 19

Experiments (Symbolic) Promela model: GARP protocol [Konnov, Vienna] LTSmin completely explored all 3.11 10 11 states in under 3 minutes using only 300MB. Next step: use CTL to verify liveness properties UNIVERSITY OF TWENTE. SpinS: Extending LTSmin with Promela through SpinJa Sept 17, 2012 16 / 19

Experiments (Partial order reduction) No POR LTSmin POR Spin POR Model States Transitions Time States Trans Time States Trans Time GARP 48,363,145 247,135,869 95.6 4% 1% 45.2 18% 9% 15.5 i-protocol2 14,309,427 48,024,048 15.5 16% 10% 18.7 24% 16% 4.5 Peterson4 12,645,068 47,576,805 13.8 3% 1% 2.3 5% 2% 0.3 BRP 3,280,269 7,058,556 3.7 100% 100% 7.0 58% 39% 1.6 Sort 659,683 3,454,988 1.9 19% 5% 2.6 0% 0% 0.0 X.509 9,028 35,999 0.1 62% 36% 0.0 68% 34% 0.0 DBM 5,112 20,476 0.0 100% 100% 0.1 100% 100% 0.0 SMCS 5,066 19,470 0.0 28% 14% 0.1 25% 11% 0.0 Needham2 4,143 10,752 0.0 100% 100% 0.0 100% 100% 0.1 UNIVERSITY OF TWENTE. SpinS: Extending LTSmin with Promela through SpinJa Sept 17, 2012 17 / 19

Conclusions Evaluation with little effort we could extend LTSmin with Promela Promela verification benefits from LTSmin s capabilities we compared hc vs tree compression and cndfs vs pg vs owcty UNIVERSITY OF TWENTE. SpinS: Extending LTSmin with Promela through SpinJa Sept 17, 2012 18 / 19

LTSmin Bibliography & Acknowledgements Multi-core: table tree cleary cleary-tree cndfs UPPAAL Laarman, van de Pol & Weber. Boosting Multi-Core Reachability Performance with Shared Hash Tables. FMCAD 10 Laarman, van de Pol & Weber. Parallel Recursive State Compression for Free. SPIN 11 Laarman & van der Vegt. A Parallel Compact Hash Table. MEMICS 11 van der Berg & Laarman. SpinS: Extending LTSmin with Promela through SpinJa. PDMC 12 Evangelista, Laarman, Petrucci & van de Pol. Improved Multi-Core Nested Depth-First Search. ATVA 12 Dalsgaard, Laarman, Larsen, Olesen & van de Pol. Multi-Core Reachability for Timed Automata. FORMATS 12 Distributed & symbolic: Blom, van de Pol & Weber. LTSmin: Distributed and Symbolic Reachability. CAV 10 van Dijk, Laarman & van de Pol. Multi-core BDD Operations for Symbolic Reachability. PDMC 12 Siaw. Saturation for LTSmin. 2012. Thesis Other techniques: Elwin Pater. Partial Order Reduction for pins. 2011. Thesis (to TACAS 13) PBES GARP Kant & van de Pol. Efficient Instantiation of Parameterised Boolean Equation Systems to Parity Games. Graphite 12 Konnov & Letichevsky Jr. Model Checking GARP Protocol using Spin and VRS. AAIT 10. Download LTSmin 2.0 from: http://fmt.cs.utwente.nl/tools/ltsmin/ Thanks to LTSmin crew: Jaco van de Pol, Michael Weber, Stefan Blom, Elwin Pater, Tom van Dijk, Gijs Kant and Jeroen Ketema UNIVERSITY OF TWENTE. SpinS: Extending LTSmin with Promela through SpinJa Sept 17, 2012 19 / 19

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback